1 |
|
2 |
OpenSSL CHANGES |
3 |
_______________ |
4 |
|
5 |
This is a high-level summary of the most important changes. |
6 |
For a full list of changes, see the git commit log; for example, |
7 |
https://github.com/openssl/openssl/commits/ and pick the appropriate |
8 |
release branch. |
9 |
|
10 |
Changes between 1.0.2o and 1.0.2p [14 Aug 2018] |
11 |
|
12 |
*) Client DoS due to large DH parameter |
13 |
|
14 |
During key agreement in a TLS handshake using a DH(E) based ciphersuite a |
15 |
malicious server can send a very large prime value to the client. This will |
16 |
cause the client to spend an unreasonably long period of time generating a |
17 |
key for this prime resulting in a hang until the client has finished. This |
18 |
could be exploited in a Denial Of Service attack. |
19 |
|
20 |
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken |
21 |
(CVE-2018-0732) |
22 |
[Guido Vranken] |
23 |
|
24 |
*) Cache timing vulnerability in RSA Key Generation |
25 |
|
26 |
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to |
27 |
a cache timing side channel attack. An attacker with sufficient access to |
28 |
mount cache timing attacks during the RSA key generation process could |
29 |
recover the private key. |
30 |
|
31 |
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera |
32 |
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. |
33 |
(CVE-2018-0737) |
34 |
[Billy Brumley] |
35 |
|
36 |
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str |
37 |
parameter is no longer accepted, as it leads to a corrupt table. NULL |
38 |
pem_str is reserved for alias entries only. |
39 |
[Richard Levitte] |
40 |
|
41 |
*) Revert blinding in ECDSA sign and instead make problematic addition |
42 |
length-invariant. Switch even to fixed-length Montgomery multiplication. |
43 |
[Andy Polyakov] |
44 |
|
45 |
*) Change generating and checking of primes so that the error rate of not |
46 |
being prime depends on the intended use based on the size of the input. |
47 |
For larger primes this will result in more rounds of Miller-Rabin. |
48 |
The maximal error rate for primes with more than 1080 bits is lowered |
49 |
to 2^-128. |
50 |
[Kurt Roeckx, Annie Yousar] |
51 |
|
52 |
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64. |
53 |
[Kurt Roeckx] |
54 |
|
55 |
*) Add blinding to ECDSA and DSA signatures to protect against side channel |
56 |
attacks discovered by Keegan Ryan (NCC Group). |
57 |
[Matt Caswell] |
58 |
|
59 |
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we |
60 |
now allow empty (zero character) pass phrases. |
61 |
[Richard Levitte] |
62 |
|
63 |
*) Certificate time validation (X509_cmp_time) enforces stricter |
64 |
compliance with RFC 5280. Fractional seconds and timezone offsets |
65 |
are no longer allowed. |
66 |
[Emilia Käsper] |
67 |
|
68 |
Changes between 1.0.2n and 1.0.2o [27 Mar 2018] |
69 |
|
70 |
*) Constructed ASN.1 types with a recursive definition could exceed the stack |
71 |
|
72 |
Constructed ASN.1 types with a recursive definition (such as can be found |
73 |
in PKCS7) could eventually exceed the stack given malicious input with |
74 |
excessive recursion. This could result in a Denial Of Service attack. There |
75 |
are no such structures used within SSL/TLS that come from untrusted sources |
76 |
so this is considered safe. |
77 |
|
78 |
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz |
79 |
project. |
80 |
(CVE-2018-0739) |
81 |
[Matt Caswell] |
82 |
|
83 |
Changes between 1.0.2m and 1.0.2n [7 Dec 2017] |
84 |
|
85 |
*) Read/write after SSL object in error state |
86 |
|
87 |
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" |
88 |
mechanism. The intent was that if a fatal error occurred during a handshake |
89 |
then OpenSSL would move into the error state and would immediately fail if |
90 |
you attempted to continue the handshake. This works as designed for the |
91 |
explicit handshake functions (SSL_do_handshake(), SSL_accept() and |
92 |
SSL_connect()), however due to a bug it does not work correctly if |
93 |
SSL_read() or SSL_write() is called directly. In that scenario, if the |
94 |
handshake fails then a fatal error will be returned in the initial function |
95 |
call. If SSL_read()/SSL_write() is subsequently called by the application |
96 |
for the same SSL object then it will succeed and the data is passed without |
97 |
being decrypted/encrypted directly from the SSL/TLS record layer. |
98 |
|
99 |
In order to exploit this issue an application bug would have to be present |
100 |
that resulted in a call to SSL_read()/SSL_write() being issued after having |
101 |
already received a fatal error. |
102 |
|
103 |
This issue was reported to OpenSSL by David Benjamin (Google). |
104 |
(CVE-2017-3737) |
105 |
[Matt Caswell] |
106 |
|
107 |
*) rsaz_1024_mul_avx2 overflow bug on x86_64 |
108 |
|
109 |
There is an overflow bug in the AVX2 Montgomery multiplication procedure |
110 |
used in exponentiation with 1024-bit moduli. No EC algorithms are affected. |
111 |
Analysis suggests that attacks against RSA and DSA as a result of this |
112 |
defect would be very difficult to perform and are not believed likely. |
113 |
Attacks against DH1024 are considered just feasible, because most of the |
114 |
work necessary to deduce information about a private key may be performed |
115 |
offline. The amount of resources required for such an attack would be |
116 |
significant. However, for an attack on TLS to be meaningful, the server |
117 |
would have to share the DH1024 private key among multiple clients, which is |
118 |
no longer an option since CVE-2016-0701. |
119 |
|
120 |
This only affects processors that support the AVX2 but not ADX extensions |
121 |
like Intel Haswell (4th generation). |
122 |
|
123 |
This issue was reported to OpenSSL by David Benjamin (Google). The issue |
124 |
was originally found via the OSS-Fuzz project. |
125 |
(CVE-2017-3738) |
126 |
[Andy Polyakov] |
127 |
|
128 |
Changes between 1.0.2l and 1.0.2m [2 Nov 2017] |
129 |
|
130 |
*) bn_sqrx8x_internal carry bug on x86_64 |
131 |
|
132 |
There is a carry propagating bug in the x86_64 Montgomery squaring |
133 |
procedure. No EC algorithms are affected. Analysis suggests that attacks |
134 |
against RSA and DSA as a result of this defect would be very difficult to |
135 |
perform and are not believed likely. Attacks against DH are considered just |
136 |
feasible (although very difficult) because most of the work necessary to |
137 |
deduce information about a private key may be performed offline. The amount |
138 |
of resources required for such an attack would be very significant and |
139 |
likely only accessible to a limited number of attackers. An attacker would |
140 |
additionally need online access to an unpatched system using the target |
141 |
private key in a scenario with persistent DH parameters and a private |
142 |
key that is shared between multiple clients. |
143 |
|
144 |
This only affects processors that support the BMI1, BMI2 and ADX extensions |
145 |
like Intel Broadwell (5th generation) and later or AMD Ryzen. |
146 |
|
147 |
This issue was reported to OpenSSL by the OSS-Fuzz project. |
148 |
(CVE-2017-3736) |
149 |
[Andy Polyakov] |
150 |
|
151 |
*) Malformed X.509 IPAddressFamily could cause OOB read |
152 |
|
153 |
If an X.509 certificate has a malformed IPAddressFamily extension, |
154 |
OpenSSL could do a one-byte buffer overread. The most likely result |
155 |
would be an erroneous display of the certificate in text format. |
156 |
|
157 |
This issue was reported to OpenSSL by the OSS-Fuzz project. |
158 |
(CVE-2017-3735) |
159 |
[Rich Salz] |
160 |
|
161 |
Changes between 1.0.2k and 1.0.2l [25 May 2017] |
162 |
|
163 |
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target |
164 |
platform rather than 'mingw'. |
165 |
[Richard Levitte] |
166 |
|
167 |
Changes between 1.0.2j and 1.0.2k [26 Jan 2017] |
168 |
|
169 |
*) Truncated packet could crash via OOB read |
170 |
|
171 |
If one side of an SSL/TLS path is running on a 32-bit host and a specific |
172 |
cipher is being used, then a truncated packet can cause that host to |
173 |
perform an out-of-bounds read, usually resulting in a crash. |
174 |
|
175 |
This issue was reported to OpenSSL by Robert Święcki of Google. |
176 |
(CVE-2017-3731) |
177 |
[Andy Polyakov] |
178 |
|
179 |
*) BN_mod_exp may produce incorrect results on x86_64 |
180 |
|
181 |
There is a carry propagating bug in the x86_64 Montgomery squaring |
182 |
procedure. No EC algorithms are affected. Analysis suggests that attacks |
183 |
against RSA and DSA as a result of this defect would be very difficult to |
184 |
perform and are not believed likely. Attacks against DH are considered just |
185 |
feasible (although very difficult) because most of the work necessary to |
186 |
deduce information about a private key may be performed offline. The amount |
187 |
of resources required for such an attack would be very significant and |
188 |
likely only accessible to a limited number of attackers. An attacker would |
189 |
additionally need online access to an unpatched system using the target |
190 |
private key in a scenario with persistent DH parameters and a private |
191 |
key that is shared between multiple clients. For example this can occur by |
192 |
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very |
193 |
similar to CVE-2015-3193 but must be treated as a separate problem. |
194 |
|
195 |
This issue was reported to OpenSSL by the OSS-Fuzz project. |
196 |
(CVE-2017-3732) |
197 |
[Andy Polyakov] |
198 |
|
199 |
*) Montgomery multiplication may produce incorrect results |
200 |
|
201 |
There is a carry propagating bug in the Broadwell-specific Montgomery |
202 |
multiplication procedure that handles input lengths divisible by, but |
203 |
longer than 256 bits. Analysis suggests that attacks against RSA, DSA |
204 |
and DH private keys are impossible. This is because the subroutine in |
205 |
question is not used in operations with the private key itself and an input |
206 |
of the attacker's direct choice. Otherwise the bug can manifest itself as |
207 |
transient authentication and key negotiation failures or reproducible |
208 |
erroneous outcome of public-key operations with specially crafted input. |
209 |
Among EC algorithms only Brainpool P-512 curves are affected and one |
210 |
presumably can attack ECDH key negotiation. Impact was not analyzed in |
211 |
detail, because pre-requisites for attack are considered unlikely. Namely |
212 |
multiple clients have to choose the curve in question and the server has to |
213 |
share the private key among them, neither of which is default behaviour. |
214 |
Even then only clients that chose the curve will be affected. |
215 |
|
216 |
This issue was publicly reported as transient failures and was not |
217 |
initially recognized as a security issue. Thanks to Richard Morgan for |
218 |
providing reproducible case. |
219 |
(CVE-2016-7055) |
220 |
[Andy Polyakov] |
221 |
|
222 |
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 |
223 |
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to |
224 |
prevent issues where no progress is being made and the peer continually |
225 |
sends unrecognised record types, using up resources processing them. |
226 |
[Matt Caswell] |
227 |
|
228 |
Changes between 1.0.2i and 1.0.2j [26 Sep 2016] |
229 |
|
230 |
*) Missing CRL sanity check |
231 |
|
232 |
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 |
233 |
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use |
234 |
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. |
235 |
|
236 |
This issue only affects the OpenSSL 1.0.2i |
237 |
(CVE-2016-7052) |
238 |
[Matt Caswell] |
239 |
|
240 |
Changes between 1.0.2h and 1.0.2i [22 Sep 2016] |
241 |
|
242 |
*) OCSP Status Request extension unbounded memory growth |
243 |
|
244 |
A malicious client can send an excessively large OCSP Status Request |
245 |
extension. If that client continually requests renegotiation, sending a |
246 |
large OCSP Status Request extension each time, then there will be unbounded |
247 |
memory growth on the server. This will eventually lead to a Denial Of |
248 |
Service attack through memory exhaustion. Servers with a default |
249 |
configuration are vulnerable even if they do not support OCSP. Builds using |
250 |
the "no-ocsp" build time option are not affected. |
251 |
|
252 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
253 |
(CVE-2016-6304) |
254 |
[Matt Caswell] |
255 |
|
256 |
*) In order to mitigate the SWEET32 attack, the DES ciphers were moved from |
257 |
HIGH to MEDIUM. |
258 |
|
259 |
This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan |
260 |
Leurent (INRIA) |
261 |
(CVE-2016-2183) |
262 |
[Rich Salz] |
263 |
|
264 |
*) OOB write in MDC2_Update() |
265 |
|
266 |
An overflow can occur in MDC2_Update() either if called directly or |
267 |
through the EVP_DigestUpdate() function using MDC2. If an attacker |
268 |
is able to supply very large amounts of input data after a previous |
269 |
call to EVP_EncryptUpdate() with a partial block then a length check |
270 |
can overflow resulting in a heap corruption. |
271 |
|
272 |
The amount of data needed is comparable to SIZE_MAX which is impractical |
273 |
on most platforms. |
274 |
|
275 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
276 |
(CVE-2016-6303) |
277 |
[Stephen Henson] |
278 |
|
279 |
*) Malformed SHA512 ticket DoS |
280 |
|
281 |
If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a |
282 |
DoS attack where a malformed ticket will result in an OOB read which will |
283 |
ultimately crash. |
284 |
|
285 |
The use of SHA512 in TLS session tickets is comparatively rare as it requires |
286 |
a custom server callback and ticket lookup mechanism. |
287 |
|
288 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
289 |
(CVE-2016-6302) |
290 |
[Stephen Henson] |
291 |
|
292 |
*) OOB write in BN_bn2dec() |
293 |
|
294 |
The function BN_bn2dec() does not check the return value of BN_div_word(). |
295 |
This can cause an OOB write if an application uses this function with an |
296 |
overly large BIGNUM. This could be a problem if an overly large certificate |
297 |
or CRL is printed out from an untrusted source. TLS is not affected because |
298 |
record limits will reject an oversized certificate before it is parsed. |
299 |
|
300 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
301 |
(CVE-2016-2182) |
302 |
[Stephen Henson] |
303 |
|
304 |
*) OOB read in TS_OBJ_print_bio() |
305 |
|
306 |
The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is |
307 |
the total length the OID text representation would use and not the amount |
308 |
of data written. This will result in OOB reads when large OIDs are |
309 |
presented. |
310 |
|
311 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
312 |
(CVE-2016-2180) |
313 |
[Stephen Henson] |
314 |
|
315 |
*) Pointer arithmetic undefined behaviour |
316 |
|
317 |
Avoid some undefined pointer arithmetic |
318 |
|
319 |
A common idiom in the codebase is to check limits in the following manner: |
320 |
"p + len > limit" |
321 |
|
322 |
Where "p" points to some malloc'd data of SIZE bytes and |
323 |
limit == p + SIZE |
324 |
|
325 |
"len" here could be from some externally supplied data (e.g. from a TLS |
326 |
message). |
327 |
|
328 |
The rules of C pointer arithmetic are such that "p + len" is only well |
329 |
defined where len <= SIZE. Therefore the above idiom is actually |
330 |
undefined behaviour. |
331 |
|
332 |
For example this could cause problems if some malloc implementation |
333 |
provides an address for "p" such that "p + len" actually overflows for |
334 |
values of len that are too big and therefore p + len < limit. |
335 |
|
336 |
This issue was reported to OpenSSL by Guido Vranken |
337 |
(CVE-2016-2177) |
338 |
[Matt Caswell] |
339 |
|
340 |
*) Constant time flag not preserved in DSA signing |
341 |
|
342 |
Operations in the DSA signing algorithm should run in constant time in |
343 |
order to avoid side channel attacks. A flaw in the OpenSSL DSA |
344 |
implementation means that a non-constant time codepath is followed for |
345 |
certain operations. This has been demonstrated through a cache-timing |
346 |
attack to be sufficient for an attacker to recover the private DSA key. |
347 |
|
348 |
This issue was reported by César Pereida (Aalto University), Billy Brumley |
349 |
(Tampere University of Technology), and Yuval Yarom (The University of |
350 |
Adelaide and NICTA). |
351 |
(CVE-2016-2178) |
352 |
[César Pereida] |
353 |
|
354 |
*) DTLS buffered message DoS |
355 |
|
356 |
In a DTLS connection where handshake messages are delivered out-of-order |
357 |
those messages that OpenSSL is not yet ready to process will be buffered |
358 |
for later use. Under certain circumstances, a flaw in the logic means that |
359 |
those messages do not get removed from the buffer even though the handshake |
360 |
has been completed. An attacker could force up to approx. 15 messages to |
361 |
remain in the buffer when they are no longer required. These messages will |
362 |
be cleared when the DTLS connection is closed. The default maximum size for |
363 |
a message is 100k. Therefore the attacker could force an additional 1500k |
364 |
to be consumed per connection. By opening many simulataneous connections an |
365 |
attacker could cause a DoS attack through memory exhaustion. |
366 |
|
367 |
This issue was reported to OpenSSL by Quan Luo. |
368 |
(CVE-2016-2179) |
369 |
[Matt Caswell] |
370 |
|
371 |
*) DTLS replay protection DoS |
372 |
|
373 |
A flaw in the DTLS replay attack protection mechanism means that records |
374 |
that arrive for future epochs update the replay protection "window" before |
375 |
the MAC for the record has been validated. This could be exploited by an |
376 |
attacker by sending a record for the next epoch (which does not have to |
377 |
decrypt or have a valid MAC), with a very large sequence number. This means |
378 |
that all subsequent legitimate packets are dropped causing a denial of |
379 |
service for a specific DTLS connection. |
380 |
|
381 |
This issue was reported to OpenSSL by the OCAP audit team. |
382 |
(CVE-2016-2181) |
383 |
[Matt Caswell] |
384 |
|
385 |
*) Certificate message OOB reads |
386 |
|
387 |
In OpenSSL 1.0.2 and earlier some missing message length checks can result |
388 |
in OOB reads of up to 2 bytes beyond an allocated buffer. There is a |
389 |
theoretical DoS risk but this has not been observed in practice on common |
390 |
platforms. |
391 |
|
392 |
The messages affected are client certificate, client certificate request |
393 |
and server certificate. As a result the attack can only be performed |
394 |
against a client or a server which enables client authentication. |
395 |
|
396 |
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) |
397 |
(CVE-2016-6306) |
398 |
[Stephen Henson] |
399 |
|
400 |
Changes between 1.0.2g and 1.0.2h [3 May 2016] |
401 |
|
402 |
*) Prevent padding oracle in AES-NI CBC MAC check |
403 |
|
404 |
A MITM attacker can use a padding oracle attack to decrypt traffic |
405 |
when the connection uses an AES CBC cipher and the server support |
406 |
AES-NI. |
407 |
|
408 |
This issue was introduced as part of the fix for Lucky 13 padding |
409 |
attack (CVE-2013-0169). The padding check was rewritten to be in |
410 |
constant time by making sure that always the same bytes are read and |
411 |
compared against either the MAC or padding bytes. But it no longer |
412 |
checked that there was enough data to have both the MAC and padding |
413 |
bytes. |
414 |
|
415 |
This issue was reported by Juraj Somorovsky using TLS-Attacker. |
416 |
(CVE-2016-2107) |
417 |
[Kurt Roeckx] |
418 |
|
419 |
*) Fix EVP_EncodeUpdate overflow |
420 |
|
421 |
An overflow can occur in the EVP_EncodeUpdate() function which is used for |
422 |
Base64 encoding of binary data. If an attacker is able to supply very large |
423 |
amounts of input data then a length check can overflow resulting in a heap |
424 |
corruption. |
425 |
|
426 |
Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by |
427 |
the PEM_write_bio* family of functions. These are mainly used within the |
428 |
OpenSSL command line applications, so any application which processes data |
429 |
from an untrusted source and outputs it as a PEM file should be considered |
430 |
vulnerable to this issue. User applications that call these APIs directly |
431 |
with large amounts of untrusted data may also be vulnerable. |
432 |
|
433 |
This issue was reported by Guido Vranken. |
434 |
(CVE-2016-2105) |
435 |
[Matt Caswell] |
436 |
|
437 |
*) Fix EVP_EncryptUpdate overflow |
438 |
|
439 |
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker |
440 |
is able to supply very large amounts of input data after a previous call to |
441 |
EVP_EncryptUpdate() with a partial block then a length check can overflow |
442 |
resulting in a heap corruption. Following an analysis of all OpenSSL |
443 |
internal usage of the EVP_EncryptUpdate() function all usage is one of two |
444 |
forms. The first form is where the EVP_EncryptUpdate() call is known to be |
445 |
the first called function after an EVP_EncryptInit(), and therefore that |
446 |
specific call must be safe. The second form is where the length passed to |
447 |
EVP_EncryptUpdate() can be seen from the code to be some small value and |
448 |
therefore there is no possibility of an overflow. Since all instances are |
449 |
one of these two forms, it is believed that there can be no overflows in |
450 |
internal code due to this problem. It should be noted that |
451 |
EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. |
452 |
Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances |
453 |
of these calls have also been analysed too and it is believed there are no |
454 |
instances in internal usage where an overflow could occur. |
455 |
|
456 |
This issue was reported by Guido Vranken. |
457 |
(CVE-2016-2106) |
458 |
[Matt Caswell] |
459 |
|
460 |
*) Prevent ASN.1 BIO excessive memory allocation |
461 |
|
462 |
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() |
463 |
a short invalid encoding can casuse allocation of large amounts of memory |
464 |
potentially consuming excessive resources or exhausting memory. |
465 |
|
466 |
Any application parsing untrusted data through d2i BIO functions is |
467 |
affected. The memory based functions such as d2i_X509() are *not* affected. |
468 |
Since the memory based functions are used by the TLS library, TLS |
469 |
applications are not affected. |
470 |
|
471 |
This issue was reported by Brian Carpenter. |
472 |
(CVE-2016-2109) |
473 |
[Stephen Henson] |
474 |
|
475 |
*) EBCDIC overread |
476 |
|
477 |
ASN1 Strings that are over 1024 bytes can cause an overread in applications |
478 |
using the X509_NAME_oneline() function on EBCDIC systems. This could result |
479 |
in arbitrary stack data being returned in the buffer. |
480 |
|
481 |
This issue was reported by Guido Vranken. |
482 |
(CVE-2016-2176) |
483 |
[Matt Caswell] |
484 |
|
485 |
*) Modify behavior of ALPN to invoke callback after SNI/servername |
486 |
callback, such that updates to the SSL_CTX affect ALPN. |
487 |
[Todd Short] |
488 |
|
489 |
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the |
490 |
default. |
491 |
[Kurt Roeckx] |
492 |
|
493 |
*) Only remove the SSLv2 methods with the no-ssl2-method option. When the |
494 |
methods are enabled and ssl2 is disabled the methods return NULL. |
495 |
[Kurt Roeckx] |
496 |
|
497 |
Changes between 1.0.2f and 1.0.2g [1 Mar 2016] |
498 |
|
499 |
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. |
500 |
Builds that are not configured with "enable-weak-ssl-ciphers" will not |
501 |
provide any "EXPORT" or "LOW" strength ciphers. |
502 |
[Viktor Dukhovni] |
503 |
|
504 |
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 |
505 |
is by default disabled at build-time. Builds that are not configured with |
506 |
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, |
507 |
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() |
508 |
will need to explicitly call either of: |
509 |
|
510 |
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); |
511 |
or |
512 |
SSL_clear_options(ssl, SSL_OP_NO_SSLv2); |
513 |
|
514 |
as appropriate. Even if either of those is used, or the application |
515 |
explicitly uses the version-specific SSLv2_method() or its client and |
516 |
server variants, SSLv2 ciphers vulnerable to exhaustive search key |
517 |
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT |
518 |
ciphers, and SSLv2 56-bit DES are no longer available. |
519 |
(CVE-2016-0800) |
520 |
[Viktor Dukhovni] |
521 |
|
522 |
*) Fix a double-free in DSA code |
523 |
|
524 |
A double free bug was discovered when OpenSSL parses malformed DSA private |
525 |
keys and could lead to a DoS attack or memory corruption for applications |
526 |
that receive DSA private keys from untrusted sources. This scenario is |
527 |
considered rare. |
528 |
|
529 |
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using |
530 |
libFuzzer. |
531 |
(CVE-2016-0705) |
532 |
[Stephen Henson] |
533 |
|
534 |
*) Disable SRP fake user seed to address a server memory leak. |
535 |
|
536 |
Add a new method SRP_VBASE_get1_by_user that handles the seed properly. |
537 |
|
538 |
SRP_VBASE_get_by_user had inconsistent memory management behaviour. |
539 |
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user |
540 |
was changed to ignore the "fake user" SRP seed, even if the seed |
541 |
is configured. |
542 |
|
543 |
Users should use SRP_VBASE_get1_by_user instead. Note that in |
544 |
SRP_VBASE_get1_by_user, caller must free the returned value. Note |
545 |
also that even though configuring the SRP seed attempts to hide |
546 |
invalid usernames by continuing the handshake with fake |
547 |
credentials, this behaviour is not constant time and no strong |
548 |
guarantees are made that the handshake is indistinguishable from |
549 |
that of a valid user. |
550 |
(CVE-2016-0798) |
551 |
[Emilia Käsper] |
552 |
|
553 |
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption |
554 |
|
555 |
In the BN_hex2bn function the number of hex digits is calculated using an |
556 |
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For |
557 |
large values of |i| this can result in |bn_expand| not allocating any |
558 |
memory because |i * 4| is negative. This can leave the internal BIGNUM data |
559 |
field as NULL leading to a subsequent NULL ptr deref. For very large values |
560 |
of |i|, the calculation |i * 4| could be a positive value smaller than |i|. |
561 |
In this case memory is allocated to the internal BIGNUM data field, but it |
562 |
is insufficiently sized leading to heap corruption. A similar issue exists |
563 |
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn |
564 |
is ever called by user applications with very large untrusted hex/dec data. |
565 |
This is anticipated to be a rare occurrence. |
566 |
|
567 |
All OpenSSL internal usage of these functions use data that is not expected |
568 |
to be untrusted, e.g. config file data or application command line |
569 |
arguments. If user developed applications generate config file data based |
570 |
on untrusted data then it is possible that this could also lead to security |
571 |
consequences. This is also anticipated to be rare. |
572 |
|
573 |
This issue was reported to OpenSSL by Guido Vranken. |
574 |
(CVE-2016-0797) |
575 |
[Matt Caswell] |
576 |
|
577 |
*) Fix memory issues in BIO_*printf functions |
578 |
|
579 |
The internal |fmtstr| function used in processing a "%s" format string in |
580 |
the BIO_*printf functions could overflow while calculating the length of a |
581 |
string and cause an OOB read when printing very long strings. |
582 |
|
583 |
Additionally the internal |doapr_outch| function can attempt to write to an |
584 |
OOB memory location (at an offset from the NULL pointer) in the event of a |
585 |
memory allocation failure. In 1.0.2 and below this could be caused where |
586 |
the size of a buffer to be allocated is greater than INT_MAX. E.g. this |
587 |
could be in processing a very long "%s" format string. Memory leaks can |
588 |
also occur. |
589 |
|
590 |
The first issue may mask the second issue dependent on compiler behaviour. |
591 |
These problems could enable attacks where large amounts of untrusted data |
592 |
is passed to the BIO_*printf functions. If applications use these functions |
593 |
in this way then they could be vulnerable. OpenSSL itself uses these |
594 |
functions when printing out human-readable dumps of ASN.1 data. Therefore |
595 |
applications that print this data could be vulnerable if the data is from |
596 |
untrusted sources. OpenSSL command line applications could also be |
597 |
vulnerable where they print out ASN.1 data, or if untrusted data is passed |
598 |
as command line arguments. |
599 |
|
600 |
Libssl is not considered directly vulnerable. Additionally certificates etc |
601 |
received via remote connections via libssl are also unlikely to be able to |
602 |
trigger these issues because of message size limits enforced within libssl. |
603 |
|
604 |
This issue was reported to OpenSSL Guido Vranken. |
605 |
(CVE-2016-0799) |
606 |
[Matt Caswell] |
607 |
|
608 |
*) Side channel attack on modular exponentiation |
609 |
|
610 |
A side-channel attack was found which makes use of cache-bank conflicts on |
611 |
the Intel Sandy-Bridge microarchitecture which could lead to the recovery |
612 |
of RSA keys. The ability to exploit this issue is limited as it relies on |
613 |
an attacker who has control of code in a thread running on the same |
614 |
hyper-threaded core as the victim thread which is performing decryptions. |
615 |
|
616 |
This issue was reported to OpenSSL by Yuval Yarom, The University of |
617 |
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and |
618 |
Nadia Heninger, University of Pennsylvania with more information at |
619 |
http://cachebleed.info. |
620 |
(CVE-2016-0702) |
621 |
[Andy Polyakov] |
622 |
|
623 |
*) Change the req app to generate a 2048-bit RSA/DSA key by default, |
624 |
if no keysize is specified with default_bits. This fixes an |
625 |
omission in an earlier change that changed all RSA/DSA key generation |
626 |
apps to use 2048 bits by default. |
627 |
[Emilia Käsper] |
628 |
|
629 |
Changes between 1.0.2e and 1.0.2f [28 Jan 2016] |
630 |
|
631 |
*) DH small subgroups |
632 |
|
633 |
Historically OpenSSL only ever generated DH parameters based on "safe" |
634 |
primes. More recently (in version 1.0.2) support was provided for |
635 |
generating X9.42 style parameter files such as those required for RFC 5114 |
636 |
support. The primes used in such files may not be "safe". Where an |
637 |
application is using DH configured with parameters based on primes that are |
638 |
not "safe" then an attacker could use this fact to find a peer's private |
639 |
DH exponent. This attack requires that the attacker complete multiple |
640 |
handshakes in which the peer uses the same private DH exponent. For example |
641 |
this could be used to discover a TLS server's private DH exponent if it's |
642 |
reusing the private DH exponent or it's using a static DH ciphersuite. |
643 |
|
644 |
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in |
645 |
TLS. It is not on by default. If the option is not set then the server |
646 |
reuses the same private DH exponent for the life of the server process and |
647 |
would be vulnerable to this attack. It is believed that many popular |
648 |
applications do set this option and would therefore not be at risk. |
649 |
|
650 |
The fix for this issue adds an additional check where a "q" parameter is |
651 |
available (as is the case in X9.42 based parameters). This detects the |
652 |
only known attack, and is the only possible defense for static DH |
653 |
ciphersuites. This could have some performance impact. |
654 |
|
655 |
Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by |
656 |
default and cannot be disabled. This could have some performance impact. |
657 |
|
658 |
This issue was reported to OpenSSL by Antonio Sanso (Adobe). |
659 |
(CVE-2016-0701) |
660 |
[Matt Caswell] |
661 |
|
662 |
*) SSLv2 doesn't block disabled ciphers |
663 |
|
664 |
A malicious client can negotiate SSLv2 ciphers that have been disabled on |
665 |
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have |
666 |
been disabled, provided that the SSLv2 protocol was not also disabled via |
667 |
SSL_OP_NO_SSLv2. |
668 |
|
669 |
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram |
670 |
and Sebastian Schinzel. |
671 |
(CVE-2015-3197) |
672 |
[Viktor Dukhovni] |
673 |
|
674 |
*) Reject DH handshakes with parameters shorter than 1024 bits. |
675 |
[Kurt Roeckx] |
676 |
|
677 |
Changes between 1.0.2d and 1.0.2e [3 Dec 2015] |
678 |
|
679 |
*) BN_mod_exp may produce incorrect results on x86_64 |
680 |
|
681 |
There is a carry propagating bug in the x86_64 Montgomery squaring |
682 |
procedure. No EC algorithms are affected. Analysis suggests that attacks |
683 |
against RSA and DSA as a result of this defect would be very difficult to |
684 |
perform and are not believed likely. Attacks against DH are considered just |
685 |
feasible (although very difficult) because most of the work necessary to |
686 |
deduce information about a private key may be performed offline. The amount |
687 |
of resources required for such an attack would be very significant and |
688 |
likely only accessible to a limited number of attackers. An attacker would |
689 |
additionally need online access to an unpatched system using the target |
690 |
private key in a scenario with persistent DH parameters and a private |
691 |
key that is shared between multiple clients. For example this can occur by |
692 |
default in OpenSSL DHE based SSL/TLS ciphersuites. |
693 |
|
694 |
This issue was reported to OpenSSL by Hanno Böck. |
695 |
(CVE-2015-3193) |
696 |
[Andy Polyakov] |
697 |
|
698 |
*) Certificate verify crash with missing PSS parameter |
699 |
|
700 |
The signature verification routines will crash with a NULL pointer |
701 |
dereference if presented with an ASN.1 signature using the RSA PSS |
702 |
algorithm and absent mask generation function parameter. Since these |
703 |
routines are used to verify certificate signature algorithms this can be |
704 |
used to crash any certificate verification operation and exploited in a |
705 |
DoS attack. Any application which performs certificate verification is |
706 |
vulnerable including OpenSSL clients and servers which enable client |
707 |
authentication. |
708 |
|
709 |
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). |
710 |
(CVE-2015-3194) |
711 |
[Stephen Henson] |
712 |
|
713 |
*) X509_ATTRIBUTE memory leak |
714 |
|
715 |
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak |
716 |
memory. This structure is used by the PKCS#7 and CMS routines so any |
717 |
application which reads PKCS#7 or CMS data from untrusted sources is |
718 |
affected. SSL/TLS is not affected. |
719 |
|
720 |
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using |
721 |
libFuzzer. |
722 |
(CVE-2015-3195) |
723 |
[Stephen Henson] |
724 |
|
725 |
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. |
726 |
This changes the decoding behaviour for some invalid messages, |
727 |
though the change is mostly in the more lenient direction, and |
728 |
legacy behaviour is preserved as much as possible. |
729 |
[Emilia Käsper] |
730 |
|
731 |
*) In DSA_generate_parameters_ex, if the provided seed is too short, |
732 |
use a random seed, as already documented. |
733 |
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>] |
734 |
|
735 |
Changes between 1.0.2c and 1.0.2d [9 Jul 2015] |
736 |
|
737 |
*) Alternate chains certificate forgery |
738 |
|
739 |
During certificate verfification, OpenSSL will attempt to find an |
740 |
alternative certificate chain if the first attempt to build such a chain |
741 |
fails. An error in the implementation of this logic can mean that an |
742 |
attacker could cause certain checks on untrusted certificates to be |
743 |
bypassed, such as the CA flag, enabling them to use a valid leaf |
744 |
certificate to act as a CA and "issue" an invalid certificate. |
745 |
|
746 |
This issue was reported to OpenSSL by Adam Langley/David Benjamin |
747 |
(Google/BoringSSL). |
748 |
(CVE-2015-1793) |
749 |
[Matt Caswell] |
750 |
|
751 |
*) Race condition handling PSK identify hint |
752 |
|
753 |
If PSK identity hints are received by a multi-threaded client then |
754 |
the values are wrongly updated in the parent SSL_CTX structure. This can |
755 |
result in a race condition potentially leading to a double free of the |
756 |
identify hint data. |
757 |
(CVE-2015-3196) |
758 |
[Stephen Henson] |
759 |
|
760 |
Changes between 1.0.2b and 1.0.2c [12 Jun 2015] |
761 |
|
762 |
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI |
763 |
incompatibility in the handling of HMAC. The previous ABI has now been |
764 |
restored. |
765 |
|
766 |
Changes between 1.0.2a and 1.0.2b [11 Jun 2015] |
767 |
|
768 |
*) Malformed ECParameters causes infinite loop |
769 |
|
770 |
When processing an ECParameters structure OpenSSL enters an infinite loop |
771 |
if the curve specified is over a specially malformed binary polynomial |
772 |
field. |
773 |
|
774 |
This can be used to perform denial of service against any |
775 |
system which processes public keys, certificate requests or |
776 |
certificates. This includes TLS clients and TLS servers with |
777 |
client authentication enabled. |
778 |
|
779 |
This issue was reported to OpenSSL by Joseph Barr-Pixton. |
780 |
(CVE-2015-1788) |
781 |
[Andy Polyakov] |
782 |
|
783 |
*) Exploitable out-of-bounds read in X509_cmp_time |
784 |
|
785 |
X509_cmp_time does not properly check the length of the ASN1_TIME |
786 |
string and can read a few bytes out of bounds. In addition, |
787 |
X509_cmp_time accepts an arbitrary number of fractional seconds in the |
788 |
time string. |
789 |
|
790 |
An attacker can use this to craft malformed certificates and CRLs of |
791 |
various sizes and potentially cause a segmentation fault, resulting in |
792 |
a DoS on applications that verify certificates or CRLs. TLS clients |
793 |
that verify CRLs are affected. TLS clients and servers with client |
794 |
authentication enabled may be affected if they use custom verification |
795 |
callbacks. |
796 |
|
797 |
This issue was reported to OpenSSL by Robert Swiecki (Google), and |
798 |
independently by Hanno Böck. |
799 |
(CVE-2015-1789) |
800 |
[Emilia Käsper] |
801 |
|
802 |
*) PKCS7 crash with missing EnvelopedContent |
803 |
|
804 |
The PKCS#7 parsing code does not handle missing inner EncryptedContent |
805 |
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs |
806 |
with missing content and trigger a NULL pointer dereference on parsing. |
807 |
|
808 |
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 |
809 |
structures from untrusted sources are affected. OpenSSL clients and |
810 |
servers are not affected. |
811 |
|
812 |
This issue was reported to OpenSSL by Michal Zalewski (Google). |
813 |
(CVE-2015-1790) |
814 |
[Emilia Käsper] |
815 |
|
816 |
*) CMS verify infinite loop with unknown hash function |
817 |
|
818 |
When verifying a signedData message the CMS code can enter an infinite loop |
819 |
if presented with an unknown hash function OID. This can be used to perform |
820 |
denial of service against any system which verifies signedData messages using |
821 |
the CMS code. |
822 |
This issue was reported to OpenSSL by Johannes Bauer. |
823 |
(CVE-2015-1792) |
824 |
[Stephen Henson] |
825 |
|
826 |
*) Race condition handling NewSessionTicket |
827 |
|
828 |
If a NewSessionTicket is received by a multi-threaded client when attempting to |
829 |
reuse a previous ticket then a race condition can occur potentially leading to |
830 |
a double free of the ticket data. |
831 |
(CVE-2015-1791) |
832 |
[Matt Caswell] |
833 |
|
834 |
*) Removed support for the two export grade static DH ciphersuites |
835 |
EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites |
836 |
were newly added (along with a number of other static DH ciphersuites) to |
837 |
1.0.2. However the two export ones have *never* worked since they were |
838 |
introduced. It seems strange in any case to be adding new export |
839 |
ciphersuites, and given "logjam" it also does not seem correct to fix them. |
840 |
[Matt Caswell] |
841 |
|
842 |
*) Only support 256-bit or stronger elliptic curves with the |
843 |
'ecdh_auto' setting (server) or by default (client). Of supported |
844 |
curves, prefer P-256 (both). |
845 |
[Emilia Kasper] |
846 |
|
847 |
*) Reject DH handshakes with parameters shorter than 768 bits. |
848 |
[Kurt Roeckx and Emilia Kasper] |
849 |
|
850 |
Changes between 1.0.2 and 1.0.2a [19 Mar 2015] |
851 |
|
852 |
*) ClientHello sigalgs DoS fix |
853 |
|
854 |
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an |
855 |
invalid signature algorithms extension a NULL pointer dereference will |
856 |
occur. This can be exploited in a DoS attack against the server. |
857 |
|
858 |
This issue was was reported to OpenSSL by David Ramos of Stanford |
859 |
University. |
860 |
(CVE-2015-0291) |
861 |
[Stephen Henson and Matt Caswell] |
862 |
|
863 |
*) Multiblock corrupted pointer fix |
864 |
|
865 |
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This |
866 |
feature only applies on 64 bit x86 architecture platforms that support AES |
867 |
NI instructions. A defect in the implementation of "multiblock" can cause |
868 |
OpenSSL's internal write buffer to become incorrectly set to NULL when |
869 |
using non-blocking IO. Typically, when the user application is using a |
870 |
socket BIO for writing, this will only result in a failed connection. |
871 |
However if some other BIO is used then it is likely that a segmentation |
872 |
fault will be triggered, thus enabling a potential DoS attack. |
873 |
|
874 |
This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller. |
875 |
(CVE-2015-0290) |
876 |
[Matt Caswell] |
877 |
|
878 |
*) Segmentation fault in DTLSv1_listen fix |
879 |
|
880 |
The DTLSv1_listen function is intended to be stateless and processes the |
881 |
initial ClientHello from many peers. It is common for user code to loop |
882 |
over the call to DTLSv1_listen until a valid ClientHello is received with |
883 |
an associated cookie. A defect in the implementation of DTLSv1_listen means |
884 |
that state is preserved in the SSL object from one invocation to the next |
885 |
that can lead to a segmentation fault. Errors processing the initial |
886 |
ClientHello can trigger this scenario. An example of such an error could be |
887 |
that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only |
888 |
server. |
889 |
|
890 |
This issue was reported to OpenSSL by Per Allansson. |
891 |
(CVE-2015-0207) |
892 |
[Matt Caswell] |
893 |
|
894 |
*) Segmentation fault in ASN1_TYPE_cmp fix |
895 |
|
896 |
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is |
897 |
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check |
898 |
certificate signature algorithm consistency this can be used to crash any |
899 |
certificate verification operation and exploited in a DoS attack. Any |
900 |
application which performs certificate verification is vulnerable including |
901 |
OpenSSL clients and servers which enable client authentication. |
902 |
(CVE-2015-0286) |
903 |
[Stephen Henson] |
904 |
|
905 |
*) Segmentation fault for invalid PSS parameters fix |
906 |
|
907 |
The signature verification routines will crash with a NULL pointer |
908 |
dereference if presented with an ASN.1 signature using the RSA PSS |
909 |
algorithm and invalid parameters. Since these routines are used to verify |
910 |
certificate signature algorithms this can be used to crash any |
911 |
certificate verification operation and exploited in a DoS attack. Any |
912 |
application which performs certificate verification is vulnerable including |
913 |
OpenSSL clients and servers which enable client authentication. |
914 |
|
915 |
This issue was was reported to OpenSSL by Brian Carpenter. |
916 |
(CVE-2015-0208) |
917 |
[Stephen Henson] |
918 |
|
919 |
*) ASN.1 structure reuse memory corruption fix |
920 |
|
921 |
Reusing a structure in ASN.1 parsing may allow an attacker to cause |
922 |
memory corruption via an invalid write. Such reuse is and has been |
923 |
strongly discouraged and is believed to be rare. |
924 |
|
925 |
Applications that parse structures containing CHOICE or ANY DEFINED BY |
926 |
components may be affected. Certificate parsing (d2i_X509 and related |
927 |
functions) are however not affected. OpenSSL clients and servers are |
928 |
not affected. |
929 |
(CVE-2015-0287) |
930 |
[Stephen Henson] |
931 |
|
932 |
*) PKCS7 NULL pointer dereferences fix |
933 |
|
934 |
The PKCS#7 parsing code does not handle missing outer ContentInfo |
935 |
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with |
936 |
missing content and trigger a NULL pointer dereference on parsing. |
937 |
|
938 |
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or |
939 |
otherwise parse PKCS#7 structures from untrusted sources are |
940 |
affected. OpenSSL clients and servers are not affected. |
941 |
|
942 |
This issue was reported to OpenSSL by Michal Zalewski (Google). |
943 |
(CVE-2015-0289) |
944 |
[Emilia Käsper] |
945 |
|
946 |
*) DoS via reachable assert in SSLv2 servers fix |
947 |
|
948 |
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in |
949 |
servers that both support SSLv2 and enable export cipher suites by sending |
950 |
a specially crafted SSLv2 CLIENT-MASTER-KEY message. |
951 |
|
952 |
This issue was discovered by Sean Burford (Google) and Emilia Käsper |
953 |
(OpenSSL development team). |
954 |
(CVE-2015-0293) |
955 |
[Emilia Käsper] |
956 |
|
957 |
*) Empty CKE with client auth and DHE fix |
958 |
|
959 |
If client auth is used then a server can seg fault in the event of a DHE |
960 |
ciphersuite being selected and a zero length ClientKeyExchange message |
961 |
being sent by the client. This could be exploited in a DoS attack. |
962 |
(CVE-2015-1787) |
963 |
[Matt Caswell] |
964 |
|
965 |
*) Handshake with unseeded PRNG fix |
966 |
|
967 |
Under certain conditions an OpenSSL 1.0.2 client can complete a handshake |
968 |
with an unseeded PRNG. The conditions are: |
969 |
- The client is on a platform where the PRNG has not been seeded |
970 |
automatically, and the user has not seeded manually |
971 |
- A protocol specific client method version has been used (i.e. not |
972 |
SSL_client_methodv23) |
973 |
- A ciphersuite is used that does not require additional random data from |
974 |
the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA). |
975 |
|
976 |
If the handshake succeeds then the client random that has been used will |
977 |
have been generated from a PRNG with insufficient entropy and therefore the |
978 |
output may be predictable. |
979 |
|
980 |
For example using the following command with an unseeded openssl will |
981 |
succeed on an unpatched platform: |
982 |
|
983 |
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA |
984 |
(CVE-2015-0285) |
985 |
[Matt Caswell] |
986 |
|
987 |
*) Use After Free following d2i_ECPrivatekey error fix |
988 |
|
989 |
A malformed EC private key file consumed via the d2i_ECPrivateKey function |
990 |
could cause a use after free condition. This, in turn, could cause a double |
991 |
free in several private key parsing functions (such as d2i_PrivateKey |
992 |
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption |
993 |
for applications that receive EC private keys from untrusted |
994 |
sources. This scenario is considered rare. |
995 |
|
996 |
This issue was discovered by the BoringSSL project and fixed in their |
997 |
commit 517073cd4b. |
998 |
(CVE-2015-0209) |
999 |
[Matt Caswell] |
1000 |
|
1001 |
*) X509_to_X509_REQ NULL pointer deref fix |
1002 |
|
1003 |
The function X509_to_X509_REQ will crash with a NULL pointer dereference if |
1004 |
the certificate key is invalid. This function is rarely used in practice. |
1005 |
|
1006 |
This issue was discovered by Brian Carpenter. |
1007 |
(CVE-2015-0288) |
1008 |
[Stephen Henson] |
1009 |
|
1010 |
*) Removed the export ciphers from the DEFAULT ciphers |
1011 |
[Kurt Roeckx] |
1012 |
|
1013 |
Changes between 1.0.1l and 1.0.2 [22 Jan 2015] |
1014 |
|
1015 |
*) Change RSA and DH/DSA key generation apps to generate 2048-bit |
1016 |
keys by default. |
1017 |
[Kurt Roeckx] |
1018 |
|
1019 |
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. |
1020 |
ARMv5 through ARMv8, as opposite to "locking" it to single one. |
1021 |
So far those who have to target multiple plaforms would compromise |
1022 |
and argue that binary targeting say ARMv5 would still execute on |
1023 |
ARMv8. "Universal" build resolves this compromise by providing |
1024 |
near-optimal performance even on newer platforms. |
1025 |
[Andy Polyakov] |
1026 |
|
1027 |
*) Accelerated NIST P-256 elliptic curve implementation for x86_64 |
1028 |
(other platforms pending). |
1029 |
[Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov] |
1030 |
|
1031 |
*) Add support for the SignedCertificateTimestampList certificate and |
1032 |
OCSP response extensions from RFC6962. |
1033 |
[Rob Stradling] |
1034 |
|
1035 |
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) |
1036 |
for corner cases. (Certain input points at infinity could lead to |
1037 |
bogus results, with non-infinity inputs mapped to infinity too.) |
1038 |
[Bodo Moeller] |
1039 |
|
1040 |
*) Initial support for PowerISA 2.0.7, first implemented in POWER8. |
1041 |
This covers AES, SHA256/512 and GHASH. "Initial" means that most |
1042 |
common cases are optimized and there still is room for further |
1043 |
improvements. Vector Permutation AES for Altivec is also added. |
1044 |
[Andy Polyakov] |
1045 |
|
1046 |
*) Add support for little-endian ppc64 Linux target. |
1047 |
[Marcelo Cerri (IBM)] |
1048 |
|
1049 |
*) Initial support for AMRv8 ISA crypto extensions. This covers AES, |
1050 |
SHA1, SHA256 and GHASH. "Initial" means that most common cases |
1051 |
are optimized and there still is room for further improvements. |
1052 |
Both 32- and 64-bit modes are supported. |
1053 |
[Andy Polyakov, Ard Biesheuvel (Linaro)] |
1054 |
|
1055 |
*) Improved ARMv7 NEON support. |
1056 |
[Andy Polyakov] |
1057 |
|
1058 |
*) Support for SPARC Architecture 2011 crypto extensions, first |
1059 |
implemented in SPARC T4. This covers AES, DES, Camellia, SHA1, |
1060 |
SHA256/512, MD5, GHASH and modular exponentiation. |
1061 |
[Andy Polyakov, David Miller] |
1062 |
|
1063 |
*) Accelerated modular exponentiation for Intel processors, a.k.a. |
1064 |
RSAZ. |
1065 |
[Shay Gueron & Vlad Krasnov (Intel Corp)] |
1066 |
|
1067 |
*) Support for new and upcoming Intel processors, including AVX2, |
1068 |
BMI and SHA ISA extensions. This includes additional "stitched" |
1069 |
implementations, AESNI-SHA256 and GCM, and multi-buffer support |
1070 |
for TLS encrypt. |
1071 |
|
1072 |
This work was sponsored by Intel Corp. |
1073 |
[Andy Polyakov] |
1074 |
|
1075 |
*) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method() |
1076 |
supports both DTLS 1.2 and 1.0 and should use whatever version the peer |
1077 |
supports and DTLSv1_2_*_method() which supports DTLS 1.2 only. |
1078 |
[Steve Henson] |
1079 |
|
1080 |
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): |
1081 |
this fixes a limiation in previous versions of OpenSSL. |
1082 |
[Steve Henson] |
1083 |
|
1084 |
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, |
1085 |
MGF1 digest and OAEP label. |
1086 |
[Steve Henson] |
1087 |
|
1088 |
*) Add EVP support for key wrapping algorithms, to avoid problems with |
1089 |
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in |
1090 |
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap |
1091 |
algorithms and include tests cases. |
1092 |
[Steve Henson] |
1093 |
|
1094 |
*) Add functions to allocate and set the fields of an ECDSA_METHOD |
1095 |
structure. |
1096 |
[Douglas E. Engert, Steve Henson] |
1097 |
|
1098 |
*) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the |
1099 |
difference in days and seconds between two tm or ASN1_TIME structures. |
1100 |
[Steve Henson] |
1101 |
|
1102 |
*) Add -rev test option to s_server to just reverse order of characters |
1103 |
received by client and send back to server. Also prints an abbreviated |
1104 |
summary of the connection parameters. |
1105 |
[Steve Henson] |
1106 |
|
1107 |
*) New option -brief for s_client and s_server to print out a brief summary |
1108 |
of connection parameters. |
1109 |
[Steve Henson] |
1110 |
|
1111 |
*) Add callbacks for arbitrary TLS extensions. |
1112 |
[Trevor Perrin <trevp@trevp.net> and Ben Laurie] |
1113 |
|
1114 |
*) New option -crl_download in several openssl utilities to download CRLs |
1115 |
from CRLDP extension in certificates. |
1116 |
[Steve Henson] |
1117 |
|
1118 |
*) New options -CRL and -CRLform for s_client and s_server for CRLs. |
1119 |
[Steve Henson] |
1120 |
|
1121 |
*) New function X509_CRL_diff to generate a delta CRL from the difference |
1122 |
of two full CRLs. Add support to "crl" utility. |
1123 |
[Steve Henson] |
1124 |
|
1125 |
*) New functions to set lookup_crls function and to retrieve |
1126 |
X509_STORE from X509_STORE_CTX. |
1127 |
[Steve Henson] |
1128 |
|
1129 |
*) Print out deprecated issuer and subject unique ID fields in |
1130 |
certificates. |
1131 |
[Steve Henson] |
1132 |
|
1133 |
*) Extend OCSP I/O functions so they can be used for simple general purpose |
1134 |
HTTP as well as OCSP. New wrapper function which can be used to download |
1135 |
CRLs using the OCSP API. |
1136 |
[Steve Henson] |
1137 |
|
1138 |
*) Delegate command line handling in s_client/s_server to SSL_CONF APIs. |
1139 |
[Steve Henson] |
1140 |
|
1141 |
*) SSL_CONF* functions. These provide a common framework for application |
1142 |
configuration using configuration files or command lines. |
1143 |
[Steve Henson] |
1144 |
|
1145 |
*) SSL/TLS tracing code. This parses out SSL/TLS records using the |
1146 |
message callback and prints the results. Needs compile time option |
1147 |
"enable-ssl-trace". New options to s_client and s_server to enable |
1148 |
tracing. |
1149 |
[Steve Henson] |
1150 |
|
1151 |
*) New ctrl and macro to retrieve supported points extensions. |
1152 |
Print out extension in s_server and s_client. |
1153 |
[Steve Henson] |
1154 |
|
1155 |
*) New functions to retrieve certificate signature and signature |
1156 |
OID NID. |
1157 |
[Steve Henson] |
1158 |
|
1159 |
*) Add functions to retrieve and manipulate the raw cipherlist sent by a |
1160 |
client to OpenSSL. |
1161 |
[Steve Henson] |
1162 |
|
1163 |
*) New Suite B modes for TLS code. These use and enforce the requirements |
1164 |
of RFC6460: restrict ciphersuites, only permit Suite B algorithms and |
1165 |
only use Suite B curves. The Suite B modes can be set by using the |
1166 |
strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring. |
1167 |
[Steve Henson] |
1168 |
|
1169 |
*) New chain verification flags for Suite B levels of security. Check |
1170 |
algorithms are acceptable when flags are set in X509_verify_cert. |
1171 |
[Steve Henson] |
1172 |
|
1173 |
*) Make tls1_check_chain return a set of flags indicating checks passed |
1174 |
by a certificate chain. Add additional tests to handle client |
1175 |
certificates: checks for matching certificate type and issuer name |
1176 |
comparison. |
1177 |
[Steve Henson] |
1178 |
|
1179 |
*) If an attempt is made to use a signature algorithm not in the peer |
1180 |
preference list abort the handshake. If client has no suitable |
1181 |
signature algorithms in response to a certificate request do not |
1182 |
use the certificate. |
1183 |
[Steve Henson] |
1184 |
|
1185 |
*) If server EC tmp key is not in client preference list abort handshake. |
1186 |
[Steve Henson] |
1187 |
|
1188 |
*) Add support for certificate stores in CERT structure. This makes it |
1189 |
possible to have different stores per SSL structure or one store in |
1190 |
the parent SSL_CTX. Include distint stores for certificate chain |
1191 |
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN |
1192 |
to build and store a certificate chain in CERT structure: returing |
1193 |
an error if the chain cannot be built: this will allow applications |
1194 |
to test if a chain is correctly configured. |
1195 |
|
1196 |
Note: if the CERT based stores are not set then the parent SSL_CTX |
1197 |
store is used to retain compatibility with existing behaviour. |
1198 |
|
1199 |
[Steve Henson] |
1200 |
|
1201 |
*) New function ssl_set_client_disabled to set a ciphersuite disabled |
1202 |
mask based on the current session, check mask when sending client |
1203 |
hello and checking the requested ciphersuite. |
1204 |
[Steve Henson] |
1205 |
|
1206 |
*) New ctrls to retrieve and set certificate types in a certificate |
1207 |
request message. Print out received values in s_client. If certificate |
1208 |
types is not set with custom values set sensible values based on |
1209 |
supported signature algorithms. |
1210 |
[Steve Henson] |
1211 |
|
1212 |
*) Support for distinct client and server supported signature algorithms. |
1213 |
[Steve Henson] |
1214 |
|
1215 |
*) Add certificate callback. If set this is called whenever a certificate |
1216 |
is required by client or server. An application can decide which |
1217 |
certificate chain to present based on arbitrary criteria: for example |
1218 |
supported signature algorithms. Add very simple example to s_server. |
1219 |
This fixes many of the problems and restrictions of the existing client |
1220 |
certificate callback: for example you can now clear an existing |
1221 |
certificate and specify the whole chain. |
1222 |
[Steve Henson] |
1223 |
|
1224 |
*) Add new "valid_flags" field to CERT_PKEY structure which determines what |
1225 |
the certificate can be used for (if anything). Set valid_flags field |
1226 |
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used |
1227 |
to have similar checks in it. |
1228 |
|
1229 |
Add new "cert_flags" field to CERT structure and include a "strict mode". |
1230 |
This enforces some TLS certificate requirements (such as only permitting |
1231 |
certificate signature algorithms contained in the supported algorithms |
1232 |
extension) which some implementations ignore: this option should be used |
1233 |
with caution as it could cause interoperability issues. |
1234 |
[Steve Henson] |
1235 |
|
1236 |
*) Update and tidy signature algorithm extension processing. Work out |
1237 |
shared signature algorithms based on preferences and peer algorithms |
1238 |
and print them out in s_client and s_server. Abort handshake if no |
1239 |
shared signature algorithms. |
1240 |
[Steve Henson] |
1241 |
|
1242 |
*) Add new functions to allow customised supported signature algorithms |
1243 |
for SSL and SSL_CTX structures. Add options to s_client and s_server |
1244 |
to support them. |
1245 |
[Steve Henson] |
1246 |
|
1247 |
*) New function SSL_certs_clear() to delete all references to certificates |
1248 |
from an SSL structure. Before this once a certificate had been added |
1249 |
it couldn't be removed. |
1250 |
[Steve Henson] |
1251 |
|
1252 |
*) Integrate hostname, email address and IP address checking with certificate |
1253 |
verification. New verify options supporting checking in opensl utility. |
1254 |
[Steve Henson] |
1255 |
|
1256 |
*) Fixes and wildcard matching support to hostname and email checking |
1257 |
functions. Add manual page. |
1258 |
[Florian Weimer (Red Hat Product Security Team)] |
1259 |
|
1260 |
*) New functions to check a hostname email or IP address against a |
1261 |
certificate. Add options x509 utility to print results of checks against |
1262 |
a certificate. |
1263 |
[Steve Henson] |
1264 |
|
1265 |
*) Fix OCSP checking. |
1266 |
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie] |
1267 |
|
1268 |
*) Initial experimental support for explicitly trusted non-root CAs. |
1269 |
OpenSSL still tries to build a complete chain to a root but if an |
1270 |
intermediate CA has a trust setting included that is used. The first |
1271 |
setting is used: whether to trust (e.g., -addtrust option to the x509 |
1272 |
utility) or reject. |
1273 |
[Steve Henson] |
1274 |
|
1275 |
*) Add -trusted_first option which attempts to find certificates in the |
1276 |
trusted store even if an untrusted chain is also supplied. |
1277 |
[Steve Henson] |
1278 |
|
1279 |
*) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE, |
1280 |
platform support for Linux and Android. |
1281 |
[Andy Polyakov] |
1282 |
|
1283 |
*) Support for linux-x32, ILP32 environment in x86_64 framework. |
1284 |
[Andy Polyakov] |
1285 |
|
1286 |
*) Experimental multi-implementation support for FIPS capable OpenSSL. |
1287 |
When in FIPS mode the approved implementations are used as normal, |
1288 |
when not in FIPS mode the internal unapproved versions are used instead. |
1289 |
This means that the FIPS capable OpenSSL isn't forced to use the |
1290 |
(often lower perfomance) FIPS implementations outside FIPS mode. |
1291 |
[Steve Henson] |
1292 |
|
1293 |
*) Transparently support X9.42 DH parameters when calling |
1294 |
PEM_read_bio_DHparameters. This means existing applications can handle |
1295 |
the new parameter format automatically. |
1296 |
[Steve Henson] |
1297 |
|
1298 |
*) Initial experimental support for X9.42 DH parameter format: mainly |
1299 |
to support use of 'q' parameter for RFC5114 parameters. |
1300 |
[Steve Henson] |
1301 |
|
1302 |
*) Add DH parameters from RFC5114 including test data to dhtest. |
1303 |
[Steve Henson] |
1304 |
|
1305 |
*) Support for automatic EC temporary key parameter selection. If enabled |
1306 |
the most preferred EC parameters are automatically used instead of |
1307 |
hardcoded fixed parameters. Now a server just has to call: |
1308 |
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically |
1309 |
support ECDH and use the most appropriate parameters. |
1310 |
[Steve Henson] |
1311 |
|
1312 |
*) Enhance and tidy EC curve and point format TLS extension code. Use |
1313 |
static structures instead of allocation if default values are used. |
1314 |
New ctrls to set curves we wish to support and to retrieve shared curves. |
1315 |
Print out shared curves in s_server. New options to s_server and s_client |
1316 |
to set list of supported curves. |
1317 |
[Steve Henson] |
1318 |
|
1319 |
*) New ctrls to retrieve supported signature algorithms and |
1320 |
supported curve values as an array of NIDs. Extend openssl utility |
1321 |
to print out received values. |
1322 |
[Steve Henson] |
1323 |
|
1324 |
*) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert |
1325 |
between NIDs and the more common NIST names such as "P-256". Enhance |
1326 |
ecparam utility and ECC method to recognise the NIST names for curves. |
1327 |
[Steve Henson] |
1328 |
|
1329 |
*) Enhance SSL/TLS certificate chain handling to support different |
1330 |
chains for each certificate instead of one chain in the parent SSL_CTX. |
1331 |
[Steve Henson] |
1332 |
|
1333 |
*) Support for fixed DH ciphersuite client authentication: where both |
1334 |
server and client use DH certificates with common parameters. |
1335 |
[Steve Henson] |
1336 |
|
1337 |
*) Support for fixed DH ciphersuites: those requiring DH server |
1338 |
certificates. |
1339 |
[Steve Henson] |
1340 |
|
1341 |
*) New function i2d_re_X509_tbs for re-encoding the TBS portion of |
1342 |
the certificate. |
1343 |
Note: Related 1.0.2-beta specific macros X509_get_cert_info, |
1344 |
X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and |
1345 |
X509_CINF_get_signature were reverted post internal team review. |
1346 |
|
1347 |
Changes between 1.0.1k and 1.0.1l [15 Jan 2015] |
1348 |
|
1349 |
*) Build fixes for the Windows and OpenVMS platforms |
1350 |
[Matt Caswell and Richard Levitte] |
1351 |
|
1352 |
Changes between 1.0.1j and 1.0.1k [8 Jan 2015] |
1353 |
|
1354 |
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS |
1355 |
message can cause a segmentation fault in OpenSSL due to a NULL pointer |
1356 |
dereference. This could lead to a Denial Of Service attack. Thanks to |
1357 |
Markus Stenberg of Cisco Systems, Inc. for reporting this issue. |
1358 |
(CVE-2014-3571) |
1359 |
[Steve Henson] |
1360 |
|
1361 |
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the |
1362 |
dtls1_buffer_record function under certain conditions. In particular this |
1363 |
could occur if an attacker sent repeated DTLS records with the same |
1364 |
sequence number but for the next epoch. The memory leak could be exploited |
1365 |
by an attacker in a Denial of Service attack through memory exhaustion. |
1366 |
Thanks to Chris Mueller for reporting this issue. |
1367 |
(CVE-2015-0206) |
1368 |
[Matt Caswell] |
1369 |
|
1370 |
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is |
1371 |
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl |
1372 |
method would be set to NULL which could later result in a NULL pointer |
1373 |
dereference. Thanks to Frank Schmirler for reporting this issue. |
1374 |
(CVE-2014-3569) |
1375 |
[Kurt Roeckx] |
1376 |
|
1377 |
*) Abort handshake if server key exchange message is omitted for ephemeral |
1378 |
ECDH ciphersuites. |
1379 |
|
1380 |
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for |
1381 |
reporting this issue. |
1382 |
(CVE-2014-3572) |
1383 |
[Steve Henson] |
1384 |
|
1385 |
*) Remove non-export ephemeral RSA code on client and server. This code |
1386 |
violated the TLS standard by allowing the use of temporary RSA keys in |
1387 |
non-export ciphersuites and could be used by a server to effectively |
1388 |
downgrade the RSA key length used to a value smaller than the server |
1389 |
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at |
1390 |
INRIA or reporting this issue. |
1391 |
(CVE-2015-0204) |
1392 |
[Steve Henson] |
1393 |
|
1394 |
*) Fixed issue where DH client certificates are accepted without verification. |
1395 |
An OpenSSL server will accept a DH certificate for client authentication |
1396 |
without the certificate verify message. This effectively allows a client to |
1397 |
authenticate without the use of a private key. This only affects servers |
1398 |
which trust a client certificate authority which issues certificates |
1399 |
containing DH keys: these are extremely rare and hardly ever encountered. |
1400 |
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting |
1401 |
this issue. |
1402 |
(CVE-2015-0205) |
1403 |
[Steve Henson] |
1404 |
|
1405 |
*) Ensure that the session ID context of an SSL is updated when its |
1406 |
SSL_CTX is updated via SSL_set_SSL_CTX. |
1407 |
|
1408 |
The session ID context is typically set from the parent SSL_CTX, |
1409 |
and can vary with the CTX. |
1410 |
[Adam Langley] |
1411 |
|
1412 |
*) Fix various certificate fingerprint issues. |
1413 |
|
1414 |
By using non-DER or invalid encodings outside the signed portion of a |
1415 |
certificate the fingerprint can be changed without breaking the signature. |
1416 |
Although no details of the signed portion of the certificate can be changed |
1417 |
this can cause problems with some applications: e.g. those using the |
1418 |
certificate fingerprint for blacklists. |
1419 |
|
1420 |
1. Reject signatures with non zero unused bits. |
1421 |
|
1422 |
If the BIT STRING containing the signature has non zero unused bits reject |
1423 |
the signature. All current signature algorithms require zero unused bits. |
1424 |
|
1425 |
2. Check certificate algorithm consistency. |
1426 |
|
1427 |
Check the AlgorithmIdentifier inside TBS matches the one in the |
1428 |
certificate signature. NB: this will result in signature failure |
1429 |
errors for some broken certificates. |
1430 |
|
1431 |
Thanks to Konrad Kraszewski from Google for reporting this issue. |
1432 |
|
1433 |
3. Check DSA/ECDSA signatures use DER. |
1434 |
|
1435 |
Reencode DSA/ECDSA signatures and compare with the original received |
1436 |
signature. Return an error if there is a mismatch. |
1437 |
|
1438 |
This will reject various cases including garbage after signature |
1439 |
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS |
1440 |
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs |
1441 |
(negative or with leading zeroes). |
1442 |
|
1443 |
Further analysis was conducted and fixes were developed by Stephen Henson |
1444 |
of the OpenSSL core team. |
1445 |
|
1446 |
(CVE-2014-8275) |
1447 |
[Steve Henson] |
1448 |
|
1449 |
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect |
1450 |
results on some platforms, including x86_64. This bug occurs at random |
1451 |
with a very low probability, and is not known to be exploitable in any |
1452 |
way, though its exact impact is difficult to determine. Thanks to Pieter |
1453 |
Wuille (Blockstream) who reported this issue and also suggested an initial |
1454 |
fix. Further analysis was conducted by the OpenSSL development team and |
1455 |
Adam Langley of Google. The final fix was developed by Andy Polyakov of |
1456 |
the OpenSSL core team. |
1457 |
(CVE-2014-3570) |
1458 |
[Andy Polyakov] |
1459 |
|
1460 |
*) Do not resume sessions on the server if the negotiated protocol |
1461 |
version does not match the session's version. Resuming with a different |
1462 |
version, while not strictly forbidden by the RFC, is of questionable |
1463 |
sanity and breaks all known clients. |
1464 |
[David Benjamin, Emilia Käsper] |
1465 |
|
1466 |
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject |
1467 |
early CCS messages during renegotiation. (Note that because |
1468 |
renegotiation is encrypted, this early CCS was not exploitable.) |
1469 |
[Emilia Käsper] |
1470 |
|
1471 |
*) Tighten client-side session ticket handling during renegotiation: |
1472 |
ensure that the client only accepts a session ticket if the server sends |
1473 |
the extension anew in the ServerHello. Previously, a TLS client would |
1474 |
reuse the old extension state and thus accept a session ticket if one was |
1475 |
announced in the initial ServerHello. |
1476 |
|
1477 |
Similarly, ensure that the client requires a session ticket if one |
1478 |
was advertised in the ServerHello. Previously, a TLS client would |
1479 |
ignore a missing NewSessionTicket message. |
1480 |
[Emilia Käsper] |
1481 |
|
1482 |
Changes between 1.0.1i and 1.0.1j [15 Oct 2014] |
1483 |
|
1484 |
*) SRTP Memory Leak. |
1485 |
|
1486 |
A flaw in the DTLS SRTP extension parsing code allows an attacker, who |
1487 |
sends a carefully crafted handshake message, to cause OpenSSL to fail |
1488 |
to free up to 64k of memory causing a memory leak. This could be |
1489 |
exploited in a Denial Of Service attack. This issue affects OpenSSL |
1490 |
1.0.1 server implementations for both SSL/TLS and DTLS regardless of |
1491 |
whether SRTP is used or configured. Implementations of OpenSSL that |
1492 |
have been compiled with OPENSSL_NO_SRTP defined are not affected. |
1493 |
|
1494 |
The fix was developed by the OpenSSL team. |
1495 |
(CVE-2014-3513) |
1496 |
[OpenSSL team] |
1497 |
|
1498 |
*) Session Ticket Memory Leak. |
1499 |
|
1500 |
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the |
1501 |
integrity of that ticket is first verified. In the event of a session |
1502 |
ticket integrity check failing, OpenSSL will fail to free memory |
1503 |
causing a memory leak. By sending a large number of invalid session |
1504 |
tickets an attacker could exploit this issue in a Denial Of Service |
1505 |
attack. |
1506 |
(CVE-2014-3567) |
1507 |
[Steve Henson] |
1508 |
|
1509 |
*) Build option no-ssl3 is incomplete. |
1510 |
|
1511 |
When OpenSSL is configured with "no-ssl3" as a build option, servers |
1512 |
could accept and complete a SSL 3.0 handshake, and clients could be |
1513 |
configured to send them. |
1514 |
(CVE-2014-3568) |
1515 |
[Akamai and the OpenSSL team] |
1516 |
|
1517 |
*) Add support for TLS_FALLBACK_SCSV. |
1518 |
Client applications doing fallback retries should call |
1519 |
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). |
1520 |
(CVE-2014-3566) |
1521 |
[Adam Langley, Bodo Moeller] |
1522 |
|
1523 |
*) Add additional DigestInfo checks. |
1524 |
|
1525 |
Reencode DigestInto in DER and check against the original when |
1526 |
verifying RSA signature: this will reject any improperly encoded |
1527 |
DigestInfo structures. |
1528 |
|
1529 |
Note: this is a precautionary measure and no attacks are currently known. |
1530 |
|
1531 |
[Steve Henson] |
1532 |
|
1533 |
Changes between 1.0.1h and 1.0.1i [6 Aug 2014] |
1534 |
|
1535 |
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the |
1536 |
SRP code can be overrun an internal buffer. Add sanity check that |
1537 |
g, A, B < N to SRP code. |
1538 |
|
1539 |
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC |
1540 |
Group for discovering this issue. |
1541 |
(CVE-2014-3512) |
1542 |
[Steve Henson] |
1543 |
|
1544 |
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate |
1545 |
TLS 1.0 instead of higher protocol versions when the ClientHello message |
1546 |
is badly fragmented. This allows a man-in-the-middle attacker to force a |
1547 |
downgrade to TLS 1.0 even if both the server and the client support a |
1548 |
higher protocol version, by modifying the client's TLS records. |
1549 |
|
1550 |
Thanks to David Benjamin and Adam Langley (Google) for discovering and |
1551 |
researching this issue. |
1552 |
(CVE-2014-3511) |
1553 |
[David Benjamin] |
1554 |
|
1555 |
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject |
1556 |
to a denial of service attack. A malicious server can crash the client |
1557 |
with a null pointer dereference (read) by specifying an anonymous (EC)DH |
1558 |
ciphersuite and sending carefully crafted handshake messages. |
1559 |
|
1560 |
Thanks to Felix Gröbert (Google) for discovering and researching this |
1561 |
issue. |
1562 |
(CVE-2014-3510) |
1563 |
[Emilia Käsper] |
1564 |
|
1565 |
*) By sending carefully crafted DTLS packets an attacker could cause openssl |
1566 |
to leak memory. This can be exploited through a Denial of Service attack. |
1567 |
Thanks to Adam Langley for discovering and researching this issue. |
1568 |
(CVE-2014-3507) |
1569 |
[Adam Langley] |
1570 |
|
1571 |
*) An attacker can force openssl to consume large amounts of memory whilst |
1572 |
processing DTLS handshake messages. This can be exploited through a |
1573 |
Denial of Service attack. |
1574 |
Thanks to Adam Langley for discovering and researching this issue. |
1575 |
(CVE-2014-3506) |
1576 |
[Adam Langley] |
1577 |
|
1578 |
*) An attacker can force an error condition which causes openssl to crash |
1579 |
whilst processing DTLS packets due to memory being freed twice. This |
1580 |
can be exploited through a Denial of Service attack. |
1581 |
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching |
1582 |
this issue. |
1583 |
(CVE-2014-3505) |
1584 |
[Adam Langley] |
1585 |
|
1586 |
*) If a multithreaded client connects to a malicious server using a resumed |
1587 |
session and the server sends an ec point format extension it could write |
1588 |
up to 255 bytes to freed memory. |
1589 |
|
1590 |
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this |
1591 |
issue. |
1592 |
(CVE-2014-3509) |
1593 |
[Gabor Tyukasz] |
1594 |
|
1595 |
*) A malicious server can crash an OpenSSL client with a null pointer |
1596 |
dereference (read) by specifying an SRP ciphersuite even though it was not |
1597 |
properly negotiated with the client. This can be exploited through a |
1598 |
Denial of Service attack. |
1599 |
|
1600 |
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for |
1601 |
discovering and researching this issue. |
1602 |
(CVE-2014-5139) |
1603 |
[Steve Henson] |
1604 |
|
1605 |
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as |
1606 |
X509_name_oneline, X509_name_print_ex et al. to leak some information |
1607 |
from the stack. Applications may be affected if they echo pretty printing |
1608 |
output to the attacker. |
1609 |
|
1610 |
Thanks to Ivan Fratric (Google) for discovering this issue. |
1611 |
(CVE-2014-3508) |
1612 |
[Emilia Käsper, and Steve Henson] |
1613 |
|
1614 |
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) |
1615 |
for corner cases. (Certain input points at infinity could lead to |
1616 |
bogus results, with non-infinity inputs mapped to infinity too.) |
1617 |
[Bodo Moeller] |
1618 |
|
1619 |
Changes between 1.0.1g and 1.0.1h [5 Jun 2014] |
1620 |
|
1621 |
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted |
1622 |
handshake can force the use of weak keying material in OpenSSL |
1623 |
SSL/TLS clients and servers. |
1624 |
|
1625 |
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and |
1626 |
researching this issue. (CVE-2014-0224) |
1627 |
[KIKUCHI Masashi, Steve Henson] |
1628 |
|
1629 |
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an |
1630 |
OpenSSL DTLS client the code can be made to recurse eventually crashing |
1631 |
in a DoS attack. |
1632 |
|
1633 |
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. |
1634 |
(CVE-2014-0221) |
1635 |
[Imre Rad, Steve Henson] |
1636 |
|
1637 |
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can |
1638 |
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS |
1639 |
client or server. This is potentially exploitable to run arbitrary |
1640 |
code on a vulnerable client or server. |
1641 |
|
1642 |
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) |
1643 |
[Jüri Aedla, Steve Henson] |
1644 |
|
1645 |
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites |
1646 |
are subject to a denial of service attack. |
1647 |
|
1648 |
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering |
1649 |
this issue. (CVE-2014-3470) |
1650 |
[Felix Gröbert, Ivan Fratric, Steve Henson] |
1651 |
|
1652 |
*) Harmonize version and its documentation. -f flag is used to display |
1653 |
compilation flags. |
1654 |
[mancha <mancha1@zoho.com>] |
1655 |
|
1656 |
*) Fix eckey_priv_encode so it immediately returns an error upon a failure |
1657 |
in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. |
1658 |
[mancha <mancha1@zoho.com>] |
1659 |
|
1660 |
*) Fix some double frees. These are not thought to be exploitable. |
1661 |
[mancha <mancha1@zoho.com>] |
1662 |
|
1663 |
Changes between 1.0.1f and 1.0.1g [7 Apr 2014] |
1664 |
|
1665 |
*) A missing bounds check in the handling of the TLS heartbeat extension |
1666 |
can be used to reveal up to 64k of memory to a connected client or |
1667 |
server. |
1668 |
|
1669 |
Thanks for Neel Mehta of Google Security for discovering this bug and to |
1670 |
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for |
1671 |
preparing the fix (CVE-2014-0160) |
1672 |
[Adam Langley, Bodo Moeller] |
1673 |
|
1674 |
*) Fix for the attack described in the paper "Recovering OpenSSL |
1675 |
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" |
1676 |
by Yuval Yarom and Naomi Benger. Details can be obtained from: |
1677 |
http://eprint.iacr.org/2014/140 |
1678 |
|
1679 |
Thanks to Yuval Yarom and Naomi Benger for discovering this |
1680 |
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) |
1681 |
[Yuval Yarom and Naomi Benger] |
1682 |
|
1683 |
*) TLS pad extension: draft-agl-tls-padding-03 |
1684 |
|
1685 |
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the |
1686 |
TLS client Hello record length value would otherwise be > 255 and |
1687 |
less that 512 pad with a dummy extension containing zeroes so it |
1688 |
is at least 512 bytes long. |
1689 |
|
1690 |
[Adam Langley, Steve Henson] |
1691 |
|
1692 |
Changes between 1.0.1e and 1.0.1f [6 Jan 2014] |
1693 |
|
1694 |
*) Fix for TLS record tampering bug. A carefully crafted invalid |
1695 |
handshake could crash OpenSSL with a NULL pointer exception. |
1696 |
Thanks to Anton Johansson for reporting this issues. |
1697 |
(CVE-2013-4353) |
1698 |
|
1699 |
*) Keep original DTLS digest and encryption contexts in retransmission |
1700 |
structures so we can use the previous session parameters if they need |
1701 |
to be resent. (CVE-2013-6450) |
1702 |
[Steve Henson] |
1703 |
|
1704 |
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which |
1705 |
avoids preferring ECDHE-ECDSA ciphers when the client appears to be |
1706 |
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for |
1707 |
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug |
1708 |
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing |
1709 |
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. |
1710 |
[Rob Stradling, Adam Langley] |
1711 |
|
1712 |
Changes between 1.0.1d and 1.0.1e [11 Feb 2013] |
1713 |
|
1714 |
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI |
1715 |
supporting platforms or when small records were transferred. |
1716 |
[Andy Polyakov, Steve Henson] |
1717 |
|
1718 |
Changes between 1.0.1c and 1.0.1d [5 Feb 2013] |
1719 |
|
1720 |
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. |
1721 |
|
1722 |
This addresses the flaw in CBC record processing discovered by |
1723 |
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found |
1724 |
at: http://www.isg.rhul.ac.uk/tls/ |
1725 |
|
1726 |
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
1727 |
Security Group at Royal Holloway, University of London |
1728 |
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and |
1729 |
Emilia Käsper for the initial patch. |
1730 |
(CVE-2013-0169) |
1731 |
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] |
1732 |
|
1733 |
*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode |
1734 |
ciphersuites which can be exploited in a denial of service attack. |
1735 |
Thanks go to and to Adam Langley <agl@chromium.org> for discovering |
1736 |
and detecting this bug and to Wolfgang Ettlinger |
1737 |
<wolfgang.ettlinger@gmail.com> for independently discovering this issue. |
1738 |
(CVE-2012-2686) |
1739 |
[Adam Langley] |
1740 |
|
1741 |
*) Return an error when checking OCSP signatures when key is NULL. |
1742 |
This fixes a DoS attack. (CVE-2013-0166) |
1743 |
[Steve Henson] |
1744 |
|
1745 |
*) Make openssl verify return errors. |
1746 |
[Chris Palmer <palmer@google.com> and Ben Laurie] |
1747 |
|
1748 |
*) Call OCSP Stapling callback after ciphersuite has been chosen, so |
1749 |
the right response is stapled. Also change SSL_get_certificate() |
1750 |
so it returns the certificate actually sent. |
1751 |
See http://rt.openssl.org/Ticket/Display.html?id=2836. |
1752 |
[Rob Stradling <rob.stradling@comodo.com>] |
1753 |
|
1754 |
*) Fix possible deadlock when decoding public keys. |
1755 |
[Steve Henson] |
1756 |
|
1757 |
*) Don't use TLS 1.0 record version number in initial client hello |
1758 |
if renegotiating. |
1759 |
[Steve Henson] |
1760 |
|
1761 |
Changes between 1.0.1b and 1.0.1c [10 May 2012] |
1762 |
|
1763 |
*) Sanity check record length before skipping explicit IV in TLS |
1764 |
1.2, 1.1 and DTLS to fix DoS attack. |
1765 |
|
1766 |
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic |
1767 |
fuzzing as a service testing platform. |
1768 |
(CVE-2012-2333) |
1769 |
[Steve Henson] |
1770 |
|
1771 |
*) Initialise tkeylen properly when encrypting CMS messages. |
1772 |
Thanks to Solar Designer of Openwall for reporting this issue. |
1773 |
[Steve Henson] |
1774 |
|
1775 |
*) In FIPS mode don't try to use composite ciphers as they are not |
1776 |
approved. |
1777 |
[Steve Henson] |
1778 |
|
1779 |
Changes between 1.0.1a and 1.0.1b [26 Apr 2012] |
1780 |
|
1781 |
*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and |
1782 |
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately |
1783 |
mean any application compiled against OpenSSL 1.0.0 headers setting |
1784 |
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng |
1785 |
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to |
1786 |
0x10000000L Any application which was previously compiled against |
1787 |
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 |
1788 |
will need to be recompiled as a result. Letting be results in |
1789 |
inability to disable specifically TLS 1.1 and in client context, |
1790 |
in unlike event, limit maximum offered version to TLS 1.0 [see below]. |
1791 |
[Steve Henson] |
1792 |
|
1793 |
*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not |
1794 |
disable just protocol X, but all protocols above X *if* there are |
1795 |
protocols *below* X still enabled. In more practical terms it means |
1796 |
that if application wants to disable TLS1.0 in favor of TLS1.1 and |
1797 |
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass |
1798 |
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to |
1799 |
client side. |
1800 |
[Andy Polyakov] |
1801 |
|
1802 |
Changes between 1.0.1 and 1.0.1a [19 Apr 2012] |
1803 |
|
1804 |
*) Check for potentially exploitable overflows in asn1_d2i_read_bio |
1805 |
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer |
1806 |
in CRYPTO_realloc_clean. |
1807 |
|
1808 |
Thanks to Tavis Ormandy, Google Security Team, for discovering this |
1809 |
issue and to Adam Langley <agl@chromium.org> for fixing it. |
1810 |
(CVE-2012-2110) |
1811 |
[Adam Langley (Google), Tavis Ormandy, Google Security Team] |
1812 |
|
1813 |
*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. |
1814 |
[Adam Langley] |
1815 |
|
1816 |
*) Workarounds for some broken servers that "hang" if a client hello |
1817 |
record length exceeds 255 bytes. |
1818 |
|
1819 |
1. Do not use record version number > TLS 1.0 in initial client |
1820 |
hello: some (but not all) hanging servers will now work. |
1821 |
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate |
1822 |
the number of ciphers sent in the client hello. This should be |
1823 |
set to an even number, such as 50, for example by passing: |
1824 |
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. |
1825 |
Most broken servers should now work. |
1826 |
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable |
1827 |
TLS 1.2 client support entirely. |
1828 |
[Steve Henson] |
1829 |
|
1830 |
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH. |
1831 |
[Andy Polyakov] |
1832 |
|
1833 |
Changes between 1.0.0h and 1.0.1 [14 Mar 2012] |
1834 |
|
1835 |
*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET |
1836 |
STRING form instead of a DigestInfo. |
1837 |
[Steve Henson] |
1838 |
|
1839 |
*) The format used for MDC2 RSA signatures is inconsistent between EVP |
1840 |
and the RSA_sign/RSA_verify functions. This was made more apparent when |
1841 |
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular |
1842 |
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect |
1843 |
the correct format in RSA_verify so both forms transparently work. |
1844 |
[Steve Henson] |
1845 |
|
1846 |
*) Some servers which support TLS 1.0 can choke if we initially indicate |
1847 |
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA |
1848 |
encrypted premaster secret. As a workaround use the maximum pemitted |
1849 |
client version in client hello, this should keep such servers happy |
1850 |
and still work with previous versions of OpenSSL. |
1851 |
[Steve Henson] |
1852 |
|
1853 |
*) Add support for TLS/DTLS heartbeats. |
1854 |
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
1855 |
|
1856 |
*) Add support for SCTP. |
1857 |
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
1858 |
|
1859 |
*) Improved PRNG seeding for VOS. |
1860 |
[Paul Green <Paul.Green@stratus.com>] |
1861 |
|
1862 |
*) Extensive assembler packs updates, most notably: |
1863 |
|
1864 |
- x86[_64]: AES-NI, PCLMULQDQ, RDRAND support; |
1865 |
- x86[_64]: SSSE3 support (SHA1, vector-permutation AES); |
1866 |
- x86_64: bit-sliced AES implementation; |
1867 |
- ARM: NEON support, contemporary platforms optimizations; |
1868 |
- s390x: z196 support; |
1869 |
- *: GHASH and GF(2^m) multiplication implementations; |
1870 |
|
1871 |
[Andy Polyakov] |
1872 |
|
1873 |
*) Make TLS-SRP code conformant with RFC 5054 API cleanup |
1874 |
(removal of unnecessary code) |
1875 |
[Peter Sylvester <peter.sylvester@edelweb.fr>] |
1876 |
|
1877 |
*) Add TLS key material exporter from RFC 5705. |
1878 |
[Eric Rescorla] |
1879 |
|
1880 |
*) Add DTLS-SRTP negotiation from RFC 5764. |
1881 |
[Eric Rescorla] |
1882 |
|
1883 |
*) Add Next Protocol Negotiation, |
1884 |
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be |
1885 |
disabled with a no-npn flag to config or Configure. Code donated |
1886 |
by Google. |
1887 |
[Adam Langley <agl@google.com> and Ben Laurie] |
1888 |
|
1889 |
*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224, |
1890 |
NIST-P256, NIST-P521, with constant-time single point multiplication on |
1891 |
typical inputs. Compiler support for the nonstandard type __uint128_t is |
1892 |
required to use this (present in gcc 4.4 and later, for 64-bit builds). |
1893 |
Code made available under Apache License version 2.0. |
1894 |
|
1895 |
Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command |
1896 |
line to include this in your build of OpenSSL, and run "make depend" (or |
1897 |
"make update"). This enables the following EC_METHODs: |
1898 |
|
1899 |
EC_GFp_nistp224_method() |
1900 |
EC_GFp_nistp256_method() |
1901 |
EC_GFp_nistp521_method() |
1902 |
|
1903 |
EC_GROUP_new_by_curve_name() will automatically use these (while |
1904 |
EC_GROUP_new_curve_GFp() currently prefers the more flexible |
1905 |
implementations). |
1906 |
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)] |
1907 |
|
1908 |
*) Use type ossl_ssize_t instad of ssize_t which isn't available on |
1909 |
all platforms. Move ssize_t definition from e_os.h to the public |
1910 |
header file e_os2.h as it now appears in public header file cms.h |
1911 |
[Steve Henson] |
1912 |
|
1913 |
*) New -sigopt option to the ca, req and x509 utilities. Additional |
1914 |
signature parameters can be passed using this option and in |
1915 |
particular PSS. |
1916 |
[Steve Henson] |
1917 |
|
1918 |
*) Add RSA PSS signing function. This will generate and set the |
1919 |
appropriate AlgorithmIdentifiers for PSS based on those in the |
1920 |
corresponding EVP_MD_CTX structure. No application support yet. |
1921 |
[Steve Henson] |
1922 |
|
1923 |
*) Support for companion algorithm specific ASN1 signing routines. |
1924 |
New function ASN1_item_sign_ctx() signs a pre-initialised |
1925 |
EVP_MD_CTX structure and sets AlgorithmIdentifiers based on |
1926 |
the appropriate parameters. |
1927 |
[Steve Henson] |
1928 |
|
1929 |
*) Add new algorithm specific ASN1 verification initialisation function |
1930 |
to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 |
1931 |
handling will be the same no matter what EVP_PKEY_METHOD is used. |
1932 |
Add a PSS handler to support verification of PSS signatures: checked |
1933 |
against a number of sample certificates. |
1934 |
[Steve Henson] |
1935 |
|
1936 |
*) Add signature printing for PSS. Add PSS OIDs. |
1937 |
[Steve Henson, Martin Kaiser <lists@kaiser.cx>] |
1938 |
|
1939 |
*) Add algorithm specific signature printing. An individual ASN1 method |
1940 |
can now print out signatures instead of the standard hex dump. |
1941 |
|
1942 |
More complex signatures (e.g. PSS) can print out more meaningful |
1943 |
information. Include DSA version that prints out the signature |
1944 |
parameters r, s. |
1945 |
[Steve Henson] |
1946 |
|
1947 |
*) Password based recipient info support for CMS library: implementing |
1948 |
RFC3211. |
1949 |
[Steve Henson] |
1950 |
|
1951 |
*) Split password based encryption into PBES2 and PBKDF2 functions. This |
1952 |
neatly separates the code into cipher and PBE sections and is required |
1953 |
for some algorithms that split PBES2 into separate pieces (such as |
1954 |
password based CMS). |
1955 |
[Steve Henson] |
1956 |
|
1957 |
*) Session-handling fixes: |
1958 |
- Fix handling of connections that are resuming with a session ID, |
1959 |
but also support Session Tickets. |
1960 |
- Fix a bug that suppressed issuing of a new ticket if the client |
1961 |
presented a ticket with an expired session. |
1962 |
- Try to set the ticket lifetime hint to something reasonable. |
1963 |
- Make tickets shorter by excluding irrelevant information. |
1964 |
- On the client side, don't ignore renewed tickets. |
1965 |
[Adam Langley, Bodo Moeller (Google)] |
1966 |
|
1967 |
*) Fix PSK session representation. |
1968 |
[Bodo Moeller] |
1969 |
|
1970 |
*) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations. |
1971 |
|
1972 |
This work was sponsored by Intel. |
1973 |
[Andy Polyakov] |
1974 |
|
1975 |
*) Add GCM support to TLS library. Some custom code is needed to split |
1976 |
the IV between the fixed (from PRF) and explicit (from TLS record) |
1977 |
portions. This adds all GCM ciphersuites supported by RFC5288 and |
1978 |
RFC5289. Generalise some AES* cipherstrings to inlclude GCM and |
1979 |
add a special AESGCM string for GCM only. |
1980 |
[Steve Henson] |
1981 |
|
1982 |
*) Expand range of ctrls for AES GCM. Permit setting invocation |
1983 |
field on decrypt and retrieval of invocation field only on encrypt. |
1984 |
[Steve Henson] |
1985 |
|
1986 |
*) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support. |
1987 |
As required by RFC5289 these ciphersuites cannot be used if for |
1988 |
versions of TLS earlier than 1.2. |
1989 |
[Steve Henson] |
1990 |
|
1991 |
*) For FIPS capable OpenSSL interpret a NULL default public key method |
1992 |
as unset and return the appopriate default but do *not* set the default. |
1993 |
This means we can return the appopriate method in applications that |
1994 |
swicth between FIPS and non-FIPS modes. |
1995 |
[Steve Henson] |
1996 |
|
1997 |
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an |
1998 |
ENGINE is used then we cannot handle that in the FIPS module so we |
1999 |
keep original code iff non-FIPS operations are allowed. |
2000 |
[Steve Henson] |
2001 |
|
2002 |
*) Add -attime option to openssl utilities. |
2003 |
[Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson] |
2004 |
|
2005 |
*) Redirect DSA and DH operations to FIPS module in FIPS mode. |
2006 |
[Steve Henson] |
2007 |
|
2008 |
*) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use |
2009 |
FIPS EC methods unconditionally for now. |
2010 |
[Steve Henson] |
2011 |
|
2012 |
*) New build option no-ec2m to disable characteristic 2 code. |
2013 |
[Steve Henson] |
2014 |
|
2015 |
*) Backport libcrypto audit of return value checking from 1.1.0-dev; not |
2016 |
all cases can be covered as some introduce binary incompatibilities. |
2017 |
[Steve Henson] |
2018 |
|
2019 |
*) Redirect RSA operations to FIPS module including keygen, |
2020 |
encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods. |
2021 |
[Steve Henson] |
2022 |
|
2023 |
*) Add similar low level API blocking to ciphers. |
2024 |
[Steve Henson] |
2025 |
|
2026 |
*) Low level digest APIs are not approved in FIPS mode: any attempt |
2027 |
to use these will cause a fatal error. Applications that *really* want |
2028 |
to use them can use the private_* version instead. |
2029 |
[Steve Henson] |
2030 |
|
2031 |
*) Redirect cipher operations to FIPS module for FIPS builds. |
2032 |
[Steve Henson] |
2033 |
|
2034 |
*) Redirect digest operations to FIPS module for FIPS builds. |
2035 |
[Steve Henson] |
2036 |
|
2037 |
*) Update build system to add "fips" flag which will link in fipscanister.o |
2038 |
for static and shared library builds embedding a signature if needed. |
2039 |
[Steve Henson] |
2040 |
|
2041 |
*) Output TLS supported curves in preference order instead of numerical |
2042 |
order. This is currently hardcoded for the highest order curves first. |
2043 |
This should be configurable so applications can judge speed vs strength. |
2044 |
[Steve Henson] |
2045 |
|
2046 |
*) Add TLS v1.2 server support for client authentication. |
2047 |
[Steve Henson] |
2048 |
|
2049 |
*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers |
2050 |
and enable MD5. |
2051 |
[Steve Henson] |
2052 |
|
2053 |
*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying |
2054 |
FIPS modules versions. |
2055 |
[Steve Henson] |
2056 |
|
2057 |
*) Add TLS v1.2 client side support for client authentication. Keep cache |
2058 |
of handshake records longer as we don't know the hash algorithm to use |
2059 |
until after the certificate request message is received. |
2060 |
[Steve Henson] |
2061 |
|
2062 |
*) Initial TLS v1.2 client support. Add a default signature algorithms |
2063 |
extension including all the algorithms we support. Parse new signature |
2064 |
format in client key exchange. Relax some ECC signing restrictions for |
2065 |
TLS v1.2 as indicated in RFC5246. |
2066 |
[Steve Henson] |
2067 |
|
2068 |
*) Add server support for TLS v1.2 signature algorithms extension. Switch |
2069 |
to new signature format when needed using client digest preference. |
2070 |
All server ciphersuites should now work correctly in TLS v1.2. No client |
2071 |
support yet and no support for client certificates. |
2072 |
[Steve Henson] |
2073 |
|
2074 |
*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch |
2075 |
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based |
2076 |
ciphersuites. At present only RSA key exchange ciphersuites work with |
2077 |
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete |
2078 |
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods |
2079 |
and version checking. |
2080 |
[Steve Henson] |
2081 |
|
2082 |
*) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled |
2083 |
with this defined it will not be affected by any changes to ssl internal |
2084 |
structures. Add several utility functions to allow openssl application |
2085 |
to work with OPENSSL_NO_SSL_INTERN defined. |
2086 |
[Steve Henson] |
2087 |
|
2088 |
*) A long standing patch to add support for SRP from EdelWeb (Peter |
2089 |
Sylvester and Christophe Renou) was integrated. |
2090 |
[Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester |
2091 |
<peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and |
2092 |
Ben Laurie] |
2093 |
|
2094 |
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id. |
2095 |
[Steve Henson] |
2096 |
|
2097 |
*) Permit abbreviated handshakes when renegotiating using the function |
2098 |
SSL_renegotiate_abbreviated(). |
2099 |
[Robin Seggelmann <seggelmann@fh-muenster.de>] |
2100 |
|
2101 |
*) Add call to ENGINE_register_all_complete() to |
2102 |
ENGINE_load_builtin_engines(), so some implementations get used |
2103 |
automatically instead of needing explicit application support. |
2104 |
[Steve Henson] |
2105 |
|
2106 |
*) Add support for TLS key exporter as described in RFC5705. |
2107 |
[Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson] |
2108 |
|
2109 |
*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only |
2110 |
a few changes are required: |
2111 |
|
2112 |
Add SSL_OP_NO_TLSv1_1 flag. |
2113 |
Add TLSv1_1 methods. |
2114 |
Update version checking logic to handle version 1.1. |
2115 |
Add explicit IV handling (ported from DTLS code). |
2116 |
Add command line options to s_client/s_server. |
2117 |
[Steve Henson] |
2118 |
|
2119 |
Changes between 1.0.0g and 1.0.0h [12 Mar 2012] |
2120 |
|
2121 |
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness |
2122 |
in CMS and PKCS7 code. When RSA decryption fails use a random key for |
2123 |
content decryption and always return the same error. Note: this attack |
2124 |
needs on average 2^20 messages so it only affects automated senders. The |
2125 |
old behaviour can be reenabled in the CMS code by setting the |
2126 |
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where |
2127 |
an MMA defence is not necessary. |
2128 |
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering |
2129 |
this issue. (CVE-2012-0884) |
2130 |
[Steve Henson] |
2131 |
|
2132 |
*) Fix CVE-2011-4619: make sure we really are receiving a |
2133 |
client hello before rejecting multiple SGC restarts. Thanks to |
2134 |
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. |
2135 |
[Steve Henson] |
2136 |
|
2137 |
Changes between 1.0.0f and 1.0.0g [18 Jan 2012] |
2138 |
|
2139 |
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. |
2140 |
Thanks to Antonio Martin, Enterprise Secure Access Research and |
2141 |
Development, Cisco Systems, Inc. for discovering this bug and |
2142 |
preparing a fix. (CVE-2012-0050) |
2143 |
[Antonio Martin] |
2144 |
|
2145 |
Changes between 1.0.0e and 1.0.0f [4 Jan 2012] |
2146 |
|
2147 |
*) Nadhem Alfardan and Kenny Paterson have discovered an extension |
2148 |
of the Vaudenay padding oracle attack on CBC mode encryption |
2149 |
which enables an efficient plaintext recovery attack against |
2150 |
the OpenSSL implementation of DTLS. Their attack exploits timing |
2151 |
differences arising during decryption processing. A research |
2152 |
paper describing this attack can be found at: |
2153 |
http://www.isg.rhul.ac.uk/~kp/dtls.pdf |
2154 |
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information |
2155 |
Security Group at Royal Holloway, University of London |
2156 |
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann |
2157 |
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> |
2158 |
for preparing the fix. (CVE-2011-4108) |
2159 |
[Robin Seggelmann, Michael Tuexen] |
2160 |
|
2161 |
*) Clear bytes used for block padding of SSL 3.0 records. |
2162 |
(CVE-2011-4576) |
2163 |
[Adam Langley (Google)] |
2164 |
|
2165 |
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George |
2166 |
Kadianakis <desnacked@gmail.com> for discovering this issue and |
2167 |
Adam Langley for preparing the fix. (CVE-2011-4619) |
2168 |
[Adam Langley (Google)] |
2169 |
|
2170 |
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027) |
2171 |
[Andrey Kulikov <amdeich@gmail.com>] |
2172 |
|
2173 |
*) Prevent malformed RFC3779 data triggering an assertion failure. |
2174 |
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw |
2175 |
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) |
2176 |
[Rob Austein <sra@hactrn.net>] |
2177 |
|
2178 |
*) Improved PRNG seeding for VOS. |
2179 |
[Paul Green <Paul.Green@stratus.com>] |
2180 |
|
2181 |
*) Fix ssl_ciph.c set-up race. |
2182 |
[Adam Langley (Google)] |
2183 |
|
2184 |
*) Fix spurious failures in ecdsatest.c. |
2185 |
[Emilia Käsper (Google)] |
2186 |
|
2187 |
*) Fix the BIO_f_buffer() implementation (which was mixing different |
2188 |
interpretations of the '..._len' fields). |
2189 |
[Adam Langley (Google)] |
2190 |
|
2191 |
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than |
2192 |
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent |
2193 |
threads won't reuse the same blinding coefficients. |
2194 |
|
2195 |
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING |
2196 |
lock to call BN_BLINDING_invert_ex, and avoids one use of |
2197 |
BN_BLINDING_update for each BN_BLINDING structure (previously, |
2198 |
the last update always remained unused). |
2199 |
[Emilia Käsper (Google)] |
2200 |
|
2201 |
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. |
2202 |
[Bob Buckholz (Google)] |
2203 |
|
2204 |
Changes between 1.0.0d and 1.0.0e [6 Sep 2011] |
2205 |
|
2206 |
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted |
2207 |
by initialising X509_STORE_CTX properly. (CVE-2011-3207) |
2208 |
[Kaspar Brand <ossl@velox.ch>] |
2209 |
|
2210 |
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular |
2211 |
for multi-threaded use of ECDH. (CVE-2011-3210) |
2212 |
[Adam Langley (Google)] |
2213 |
|
2214 |
*) Fix x509_name_ex_d2i memory leak on bad inputs. |
2215 |
[Bodo Moeller] |
2216 |
|
2217 |
*) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check |
2218 |
signature public key algorithm by using OID xref utilities instead. |
2219 |
Before this you could only use some ECC ciphersuites with SHA1 only. |
2220 |
[Steve Henson] |
2221 |
|
2222 |
*) Add protection against ECDSA timing attacks as mentioned in the paper |
2223 |
by Billy Bob Brumley and Nicola Tuveri, see: |
2224 |
|
2225 |
http://eprint.iacr.org/2011/232.pdf |
2226 |
|
2227 |
[Billy Bob Brumley and Nicola Tuveri] |
2228 |
|
2229 |
Changes between 1.0.0c and 1.0.0d [8 Feb 2011] |
2230 |
|
2231 |
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 |
2232 |
[Neel Mehta, Adam Langley, Bodo Moeller (Google)] |
2233 |
|
2234 |
*) Fix bug in string printing code: if *any* escaping is enabled we must |
2235 |
escape the escape character (backslash) or the resulting string is |
2236 |
ambiguous. |
2237 |
[Steve Henson] |
2238 |
|
2239 |
Changes between 1.0.0b and 1.0.0c [2 Dec 2010] |
2240 |
|
2241 |
*) Disable code workaround for ancient and obsolete Netscape browsers |
2242 |
and servers: an attacker can use it in a ciphersuite downgrade attack. |
2243 |
Thanks to Martin Rex for discovering this bug. CVE-2010-4180 |
2244 |
[Steve Henson] |
2245 |
|
2246 |
*) Fixed J-PAKE implementation error, originally discovered by |
2247 |
Sebastien Martini, further info and confirmation from Stefan |
2248 |
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 |
2249 |
[Ben Laurie] |
2250 |
|
2251 |
Changes between 1.0.0a and 1.0.0b [16 Nov 2010] |
2252 |
|
2253 |
*) Fix extension code to avoid race conditions which can result in a buffer |
2254 |
overrun vulnerability: resumed sessions must not be modified as they can |
2255 |
be shared by multiple threads. CVE-2010-3864 |
2256 |
[Steve Henson] |
2257 |
|
2258 |
*) Fix WIN32 build system to correctly link an ENGINE directory into |
2259 |
a DLL. |
2260 |
[Steve Henson] |
2261 |
|
2262 |
Changes between 1.0.0 and 1.0.0a [01 Jun 2010] |
2263 |
|
2264 |
*) Check return value of int_rsa_verify in pkey_rsa_verifyrecover |
2265 |
(CVE-2010-1633) |
2266 |
[Steve Henson, Peter-Michael Hager <hager@dortmund.net>] |
2267 |
|
2268 |
Changes between 0.9.8n and 1.0.0 [29 Mar 2010] |
2269 |
|
2270 |
*) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher |
2271 |
context. The operation can be customised via the ctrl mechanism in |
2272 |
case ENGINEs want to include additional functionality. |
2273 |
[Steve Henson] |
2274 |
|
2275 |
*) Tolerate yet another broken PKCS#8 key format: private key value negative. |
2276 |
[Steve Henson] |
2277 |
|
2278 |
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to |
2279 |
output hashes compatible with older versions of OpenSSL. |
2280 |
[Willy Weisz <weisz@vcpc.univie.ac.at>] |
2281 |
|
2282 |
*) Fix compression algorithm handling: if resuming a session use the |
2283 |
compression algorithm of the resumed session instead of determining |
2284 |
it from client hello again. Don't allow server to change algorithm. |
2285 |
[Steve Henson] |
2286 |
|
2287 |
*) Add load_crls() function to apps tidying load_certs() too. Add option |
2288 |
to verify utility to allow additional CRLs to be included. |
2289 |
[Steve Henson] |
2290 |
|
2291 |
*) Update OCSP request code to permit adding custom headers to the request: |
2292 |
some responders need this. |
2293 |
[Steve Henson] |
2294 |
|
2295 |
*) The function EVP_PKEY_sign() returns <=0 on error: check return code |
2296 |
correctly. |
2297 |
[Julia Lawall <julia@diku.dk>] |
2298 |
|
2299 |
*) Update verify callback code in apps/s_cb.c and apps/verify.c, it |
2300 |
needlessly dereferenced structures, used obsolete functions and |
2301 |
didn't handle all updated verify codes correctly. |
2302 |
[Steve Henson] |
2303 |
|
2304 |
*) Disable MD2 in the default configuration. |
2305 |
[Steve Henson] |
2306 |
|
2307 |
*) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to |
2308 |
indicate the initial BIO being pushed or popped. This makes it possible |
2309 |
to determine whether the BIO is the one explicitly called or as a result |
2310 |
of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so |
2311 |
it handles reference counts correctly and doesn't zero out the I/O bio |
2312 |
when it is not being explicitly popped. WARNING: applications which |
2313 |
included workarounds for the old buggy behaviour will need to be modified |
2314 |
or they could free up already freed BIOs. |
2315 |
[Steve Henson] |
2316 |
|
2317 |
*) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni |
2318 |
renaming to all platforms (within the 0.9.8 branch, this was |
2319 |
done conditionally on Netware platforms to avoid a name clash). |
2320 |
[Guenter <lists@gknw.net>] |
2321 |
|
2322 |
*) Add ECDHE and PSK support to DTLS. |
2323 |
[Michael Tuexen <tuexen@fh-muenster.de>] |
2324 |
|
2325 |
*) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't |
2326 |
be used on C++. |
2327 |
[Steve Henson] |
2328 |
|
2329 |
*) Add "missing" function EVP_MD_flags() (without this the only way to |
2330 |
retrieve a digest flags is by accessing the structure directly. Update |
2331 |
EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest |
2332 |
or cipher is registered as in the "from" argument. Print out all |
2333 |
registered digests in the dgst usage message instead of manually |
2334 |
attempting to work them out. |
2335 |
[Steve Henson] |
2336 |
|
2337 |
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello: |
2338 |
this allows the use of compression and extensions. Change default cipher |
2339 |
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2 |
2340 |
by default unless an application cipher string requests it. |
2341 |
[Steve Henson] |
2342 |
|
2343 |
*) Alter match criteria in PKCS12_parse(). It used to try to use local |
2344 |
key ids to find matching certificates and keys but some PKCS#12 files |
2345 |
don't follow the (somewhat unwritten) rules and this strategy fails. |
2346 |
Now just gather all certificates together and the first private key |
2347 |
then look for the first certificate that matches the key. |
2348 |
[Steve Henson] |
2349 |
|
2350 |
*) Support use of registered digest and cipher names for dgst and cipher |
2351 |
commands instead of having to add each one as a special case. So now |
2352 |
you can do: |
2353 |
|
2354 |
openssl sha256 foo |
2355 |
|
2356 |
as well as: |
2357 |
|
2358 |
openssl dgst -sha256 foo |
2359 |
|
2360 |
and this works for ENGINE based algorithms too. |
2361 |
|
2362 |
[Steve Henson] |
2363 |
|
2364 |
*) Update Gost ENGINE to support parameter files. |
2365 |
[Victor B. Wagner <vitus@cryptocom.ru>] |
2366 |
|
2367 |
*) Support GeneralizedTime in ca utility. |
2368 |
[Oliver Martin <oliver@volatilevoid.net>, Steve Henson] |
2369 |
|
2370 |
*) Enhance the hash format used for certificate directory links. The new |
2371 |
form uses the canonical encoding (meaning equivalent names will work |
2372 |
even if they aren't identical) and uses SHA1 instead of MD5. This form |
2373 |
is incompatible with the older format and as a result c_rehash should |
2374 |
be used to rebuild symbolic links. |
2375 |
[Steve Henson] |
2376 |
|
2377 |
*) Make PKCS#8 the default write format for private keys, replacing the |
2378 |
traditional format. This form is standardised, more secure and doesn't |
2379 |
include an implicit MD5 dependency. |
2380 |
[Steve Henson] |
2381 |
|
2382 |
*) Add a $gcc_devteam_warn option to Configure. The idea is that any code |
2383 |
committed to OpenSSL should pass this lot as a minimum. |
2384 |
[Steve Henson] |
2385 |
|
2386 |
*) Add session ticket override functionality for use by EAP-FAST. |
2387 |
[Jouni Malinen <j@w1.fi>] |
2388 |
|
2389 |
*) Modify HMAC functions to return a value. Since these can be implemented |
2390 |
in an ENGINE errors can occur. |
2391 |
[Steve Henson] |
2392 |
|
2393 |
*) Type-checked OBJ_bsearch_ex. |
2394 |
[Ben Laurie] |
2395 |
|
2396 |
*) Type-checked OBJ_bsearch. Also some constification necessitated |
2397 |
by type-checking. Still to come: TXT_DB, bsearch(?), |
2398 |
OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING, |
2399 |
CONF_VALUE. |
2400 |
[Ben Laurie] |
2401 |
|
2402 |
*) New function OPENSSL_gmtime_adj() to add a specific number of days and |
2403 |
seconds to a tm structure directly, instead of going through OS |
2404 |
specific date routines. This avoids any issues with OS routines such |
2405 |
as the year 2038 bug. New *_adj() functions for ASN1 time structures |
2406 |
and X509_time_adj_ex() to cover the extended range. The existing |
2407 |
X509_time_adj() is still usable and will no longer have any date issues. |
2408 |
[Steve Henson] |
2409 |
|
2410 |
*) Delta CRL support. New use deltas option which will attempt to locate |
2411 |
and search any appropriate delta CRLs available. |
2412 |
|
2413 |
This work was sponsored by Google. |
2414 |
[Steve Henson] |
2415 |
|
2416 |
*) Support for CRLs partitioned by reason code. Reorganise CRL processing |
2417 |
code and add additional score elements. Validate alternate CRL paths |
2418 |
as part of the CRL checking and indicate a new error "CRL path validation |
2419 |
error" in this case. Applications wanting additional details can use |
2420 |
the verify callback and check the new "parent" field. If this is not |
2421 |
NULL CRL path validation is taking place. Existing applications wont |
2422 |
see this because it requires extended CRL support which is off by |
2423 |
default. |
2424 |
|
2425 |
This work was sponsored by Google. |
2426 |
[Steve Henson] |
2427 |
|
2428 |
*) Support for freshest CRL extension. |
2429 |
|
2430 |
This work was sponsored by Google. |
2431 |
[Steve Henson] |
2432 |
|
2433 |
*) Initial indirect CRL support. Currently only supported in the CRLs |
2434 |
passed directly and not via lookup. Process certificate issuer |
2435 |
CRL entry extension and lookup CRL entries by bother issuer name |
2436 |
and serial number. Check and process CRL issuer entry in IDP extension. |
2437 |
|
2438 |
This work was sponsored by Google. |
2439 |
[Steve Henson] |
2440 |
|
2441 |
*) Add support for distinct certificate and CRL paths. The CRL issuer |
2442 |
certificate is validated separately in this case. Only enabled if |
2443 |
an extended CRL support flag is set: this flag will enable additional |
2444 |
CRL functionality in future. |
2445 |
|
2446 |
This work was sponsored by Google. |
2447 |
[Steve Henson] |
2448 |
|
2449 |
*) Add support for policy mappings extension. |
2450 |
|
2451 |
This work was sponsored by Google. |
2452 |
[Steve Henson] |
2453 |
|
2454 |
*) Fixes to pathlength constraint, self issued certificate handling, |
2455 |
policy processing to align with RFC3280 and PKITS tests. |
2456 |
|
2457 |
This work was sponsored by Google. |
2458 |
[Steve Henson] |
2459 |
|
2460 |
*) Support for name constraints certificate extension. DN, email, DNS |
2461 |
and URI types are currently supported. |
2462 |
|
2463 |
This work was sponsored by Google. |
2464 |
[Steve Henson] |
2465 |
|
2466 |
*) To cater for systems that provide a pointer-based thread ID rather |
2467 |
than numeric, deprecate the current numeric thread ID mechanism and |
2468 |
replace it with a structure and associated callback type. This |
2469 |
mechanism allows a numeric "hash" to be extracted from a thread ID in |
2470 |
either case, and on platforms where pointers are larger than 'long', |
2471 |
mixing is done to help ensure the numeric 'hash' is usable even if it |
2472 |
can't be guaranteed unique. The default mechanism is to use "&errno" |
2473 |
as a pointer-based thread ID to distinguish between threads. |
2474 |
|
2475 |
Applications that want to provide their own thread IDs should now use |
2476 |
CRYPTO_THREADID_set_callback() to register a callback that will call |
2477 |
either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). |
2478 |
|
2479 |
Note that ERR_remove_state() is now deprecated, because it is tied |
2480 |
to the assumption that thread IDs are numeric. ERR_remove_state(0) |
2481 |
to free the current thread's error state should be replaced by |
2482 |
ERR_remove_thread_state(NULL). |
2483 |
|
2484 |
(This new approach replaces the functions CRYPTO_set_idptr_callback(), |
2485 |
CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in |
2486 |
OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an |
2487 |
application was previously providing a numeric thread callback that |
2488 |
was inappropriate for distinguishing threads, then uniqueness might |
2489 |
have been obtained with &errno that happened immediately in the |
2490 |
intermediate development versions of OpenSSL; this is no longer the |
2491 |
case, the numeric thread callback will now override the automatic use |
2492 |
of &errno.) |
2493 |
[Geoff Thorpe, with help from Bodo Moeller] |
2494 |
|
2495 |
*) Initial support for different CRL issuing certificates. This covers a |
2496 |
simple case where the self issued certificates in the chain exist and |
2497 |
the real CRL issuer is higher in the existing chain. |
2498 |
|
2499 |
This work was sponsored by Google. |
2500 |
[Steve Henson] |
2501 |
|
2502 |
*) Removed effectively defunct crypto/store from the build. |
2503 |
[Ben Laurie] |
2504 |
|
2505 |
*) Revamp of STACK to provide stronger type-checking. Still to come: |
2506 |
TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE, |
2507 |
ASN1_STRING, CONF_VALUE. |
2508 |
[Ben Laurie] |
2509 |
|
2510 |
*) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer |
2511 |
RAM on SSL connections. This option can save about 34k per idle SSL. |
2512 |
[Nick Mathewson] |
2513 |
|
2514 |
*) Revamp of LHASH to provide stronger type-checking. Still to come: |
2515 |
STACK, TXT_DB, bsearch, qsort. |
2516 |
[Ben Laurie] |
2517 |
|
2518 |
*) Initial support for Cryptographic Message Syntax (aka CMS) based |
2519 |
on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, |
2520 |
support for data, signedData, compressedData, digestedData and |
2521 |
encryptedData, envelopedData types included. Scripts to check against |
2522 |
RFC4134 examples draft and interop and consistency checks of many |
2523 |
content types and variants. |
2524 |
[Steve Henson] |
2525 |
|
2526 |
*) Add options to enc utility to support use of zlib compression BIO. |
2527 |
[Steve Henson] |
2528 |
|
2529 |
*) Extend mk1mf to support importing of options and assembly language |
2530 |
files from Configure script, currently only included in VC-WIN32. |
2531 |
The assembly language rules can now optionally generate the source |
2532 |
files from the associated perl scripts. |
2533 |
[Steve Henson] |
2534 |
|
2535 |
*) Implement remaining functionality needed to support GOST ciphersuites. |
2536 |
Interop testing has been performed using CryptoPro implementations. |
2537 |
[Victor B. Wagner <vitus@cryptocom.ru>] |
2538 |
|
2539 |
*) s390x assembler pack. |
2540 |
[Andy Polyakov] |
2541 |
|
2542 |
*) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU |
2543 |
"family." |
2544 |
[Andy Polyakov] |
2545 |
|
2546 |
*) Implement Opaque PRF Input TLS extension as specified in |
2547 |
draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an |
2548 |
official specification yet and no extension type assignment by |
2549 |
IANA exists, this extension (for now) will have to be explicitly |
2550 |
enabled when building OpenSSL by providing the extension number |
2551 |
to use. For example, specify an option |
2552 |
|
2553 |
-DTLSEXT_TYPE_opaque_prf_input=0x9527 |
2554 |
|
2555 |
to the "config" or "Configure" script to enable the extension, |
2556 |
assuming extension number 0x9527 (which is a completely arbitrary |
2557 |
and unofficial assignment based on the MD5 hash of the Internet |
2558 |
Draft). Note that by doing so, you potentially lose |
2559 |
interoperability with other TLS implementations since these might |
2560 |
be using the same extension number for other purposes. |
2561 |
|
2562 |
SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the |
2563 |
opaque PRF input value to use in the handshake. This will create |
2564 |
an interal copy of the length-'len' string at 'src', and will |
2565 |
return non-zero for success. |
2566 |
|
2567 |
To get more control and flexibility, provide a callback function |
2568 |
by using |
2569 |
|
2570 |
SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb) |
2571 |
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg) |
2572 |
|
2573 |
where |
2574 |
|
2575 |
int (*cb)(SSL *, void *peerinput, size_t len, void *arg); |
2576 |
void *arg; |
2577 |
|
2578 |
Callback function 'cb' will be called in handshakes, and is |
2579 |
expected to use SSL_set_tlsext_opaque_prf_input() as appropriate. |
2580 |
Argument 'arg' is for application purposes (the value as given to |
2581 |
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly |
2582 |
be provided to the callback function). The callback function |
2583 |
has to return non-zero to report success: usually 1 to use opaque |
2584 |
PRF input just if possible, or 2 to enforce use of the opaque PRF |
2585 |
input. In the latter case, the library will abort the handshake |
2586 |
if opaque PRF input is not successfully negotiated. |
2587 |
|
2588 |
Arguments 'peerinput' and 'len' given to the callback function |
2589 |
will always be NULL and 0 in the case of a client. A server will |
2590 |
see the client's opaque PRF input through these variables if |
2591 |
available (NULL and 0 otherwise). Note that if the server |
2592 |
provides an opaque PRF input, the length must be the same as the |
2593 |
length of the client's opaque PRF input. |
2594 |
|
2595 |
Note that the callback function will only be called when creating |
2596 |
a new session (session resumption can resume whatever was |
2597 |
previously negotiated), and will not be called in SSL 2.0 |
2598 |
handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or |
2599 |
SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended |
2600 |
for applications that need to enforce opaque PRF input. |
2601 |
|
2602 |
[Bodo Moeller] |
2603 |
|
2604 |
*) Update ssl code to support digests other than SHA1+MD5 for handshake |
2605 |
MAC. |
2606 |
|
2607 |
[Victor B. Wagner <vitus@cryptocom.ru>] |
2608 |
|
2609 |
*) Add RFC4507 support to OpenSSL. This includes the corrections in |
2610 |
RFC4507bis. The encrypted ticket format is an encrypted encoded |
2611 |
SSL_SESSION structure, that way new session features are automatically |
2612 |
supported. |
2613 |
|
2614 |
If a client application caches session in an SSL_SESSION structure |
2615 |
support is transparent because tickets are now stored in the encoded |
2616 |
SSL_SESSION. |
2617 |
|
2618 |
The SSL_CTX structure automatically generates keys for ticket |
2619 |
protection in servers so again support should be possible |
2620 |
with no application modification. |
2621 |
|
2622 |
If a client or server wishes to disable RFC4507 support then the option |
2623 |
SSL_OP_NO_TICKET can be set. |
2624 |
|
2625 |
Add a TLS extension debugging callback to allow the contents of any client |
2626 |
or server extensions to be examined. |
2627 |
|
2628 |
This work was sponsored by Google. |
2629 |
[Steve Henson] |
2630 |
|
2631 |
*) Final changes to avoid use of pointer pointer casts in OpenSSL. |
2632 |
OpenSSL should now compile cleanly on gcc 4.2 |
2633 |
[Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson] |
2634 |
|
2635 |
*) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC |
2636 |
support including streaming MAC support: this is required for GOST |
2637 |
ciphersuite support. |
2638 |
[Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson] |
2639 |
|
2640 |
*) Add option -stream to use PKCS#7 streaming in smime utility. New |
2641 |
function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream() |
2642 |
to output in BER and PEM format. |
2643 |
[Steve Henson] |
2644 |
|
2645 |
*) Experimental support for use of HMAC via EVP_PKEY interface. This |
2646 |
allows HMAC to be handled via the EVP_DigestSign*() interface. The |
2647 |
EVP_PKEY "key" in this case is the HMAC key, potentially allowing |
2648 |
ENGINE support for HMAC keys which are unextractable. New -mac and |
2649 |
-macopt options to dgst utility. |
2650 |
[Steve Henson] |
2651 |
|
2652 |
*) New option -sigopt to dgst utility. Update dgst to use |
2653 |
EVP_Digest{Sign,Verify}*. These two changes make it possible to use |
2654 |
alternative signing paramaters such as X9.31 or PSS in the dgst |
2655 |
utility. |
2656 |
[Steve Henson] |
2657 |
|
2658 |
*) Change ssl_cipher_apply_rule(), the internal function that does |
2659 |
the work each time a ciphersuite string requests enabling |
2660 |
("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or |
2661 |
removing ("!foo+bar") a class of ciphersuites: Now it maintains |
2662 |
the order of disabled ciphersuites such that those ciphersuites |
2663 |
that most recently went from enabled to disabled not only stay |
2664 |
in order with respect to each other, but also have higher priority |
2665 |
than other disabled ciphersuites the next time ciphersuites are |
2666 |
enabled again. |
2667 |
|
2668 |
This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable |
2669 |
the same ciphersuites as with "HIGH" alone, but in a specific |
2670 |
order where the PSK ciphersuites come first (since they are the |
2671 |
most recently disabled ciphersuites when "HIGH" is parsed). |
2672 |
|
2673 |
Also, change ssl_create_cipher_list() (using this new |
2674 |
funcionality) such that between otherwise identical |
2675 |
cihpersuites, ephemeral ECDH is preferred over ephemeral DH in |
2676 |
the default order. |
2677 |
[Bodo Moeller] |
2678 |
|
2679 |
*) Change ssl_create_cipher_list() so that it automatically |
2680 |
arranges the ciphersuites in reasonable order before starting |
2681 |
to process the rule string. Thus, the definition for "DEFAULT" |
2682 |
(SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but |
2683 |
remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH". |
2684 |
This makes it much easier to arrive at a reasonable default order |
2685 |
in applications for which anonymous ciphers are OK (meaning |
2686 |
that you can't actually use DEFAULT). |
2687 |
[Bodo Moeller; suggested by Victor Duchovni] |
2688 |
|
2689 |
*) Split the SSL/TLS algorithm mask (as used for ciphersuite string |
2690 |
processing) into multiple integers instead of setting |
2691 |
"SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK", |
2692 |
"SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer. |
2693 |
(These masks as well as the individual bit definitions are hidden |
2694 |
away into the non-exported interface ssl/ssl_locl.h, so this |
2695 |
change to the definition of the SSL_CIPHER structure shouldn't |
2696 |
affect applications.) This give us more bits for each of these |
2697 |
categories, so there is no longer a need to coagulate AES128 and |
2698 |
AES256 into a single algorithm bit, and to coagulate Camellia128 |
2699 |
and Camellia256 into a single algorithm bit, which has led to all |
2700 |
kinds of kludges. |
2701 |
|
2702 |
Thus, among other things, the kludge introduced in 0.9.7m and |
2703 |
0.9.8e for masking out AES256 independently of AES128 or masking |
2704 |
out Camellia256 independently of AES256 is not needed here in 0.9.9. |
2705 |
|
2706 |
With the change, we also introduce new ciphersuite aliases that |
2707 |
so far were missing: "AES128", "AES256", "CAMELLIA128", and |
2708 |
"CAMELLIA256". |
2709 |
[Bodo Moeller] |
2710 |
|
2711 |
*) Add support for dsa-with-SHA224 and dsa-with-SHA256. |
2712 |
Use the leftmost N bytes of the signature input if the input is |
2713 |
larger than the prime q (with N being the size in bytes of q). |
2714 |
[Nils Larsch] |
2715 |
|
2716 |
*) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses |
2717 |
it yet and it is largely untested. |
2718 |
[Steve Henson] |
2719 |
|
2720 |
*) Add support for the ecdsa-with-SHA224/256/384/512 signature types. |
2721 |
[Nils Larsch] |
2722 |
|
2723 |
*) Initial incomplete changes to avoid need for function casts in OpenSSL |
2724 |
some compilers (gcc 4.2 and later) reject their use. Safestack is |
2725 |
reimplemented. Update ASN1 to avoid use of legacy functions. |
2726 |
[Steve Henson] |
2727 |
|
2728 |
*) Win32/64 targets are linked with Winsock2. |
2729 |
[Andy Polyakov] |
2730 |
|
2731 |
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected |
2732 |
to external functions. This can be used to increase CRL handling |
2733 |
efficiency especially when CRLs are very large by (for example) storing |
2734 |
the CRL revoked certificates in a database. |
2735 |
[Steve Henson] |
2736 |
|
2737 |
*) Overhaul of by_dir code. Add support for dynamic loading of CRLs so |
2738 |
new CRLs added to a directory can be used. New command line option |
2739 |
-verify_return_error to s_client and s_server. This causes real errors |
2740 |
to be returned by the verify callback instead of carrying on no matter |
2741 |
what. This reflects the way a "real world" verify callback would behave. |
2742 |
[Steve Henson] |
2743 |
|
2744 |
*) GOST engine, supporting several GOST algorithms and public key formats. |
2745 |
Kindly donated by Cryptocom. |
2746 |
[Cryptocom] |
2747 |
|
2748 |
*) Partial support for Issuing Distribution Point CRL extension. CRLs |
2749 |
partitioned by DP are handled but no indirect CRL or reason partitioning |
2750 |
(yet). Complete overhaul of CRL handling: now the most suitable CRL is |
2751 |
selected via a scoring technique which handles IDP and AKID in CRLs. |
2752 |
[Steve Henson] |
2753 |
|
2754 |
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which |
2755 |
will ultimately be used for all verify operations: this will remove the |
2756 |
X509_STORE dependency on certificate verification and allow alternative |
2757 |
lookup methods. X509_STORE based implementations of these two callbacks. |
2758 |
[Steve Henson] |
2759 |
|
2760 |
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. |
2761 |
Modify get_crl() to find a valid (unexpired) CRL if possible. |
2762 |
[Steve Henson] |
2763 |
|
2764 |
*) New function X509_CRL_match() to check if two CRLs are identical. Normally |
2765 |
this would be called X509_CRL_cmp() but that name is already used by |
2766 |
a function that just compares CRL issuer names. Cache several CRL |
2767 |
extensions in X509_CRL structure and cache CRLDP in X509. |
2768 |
[Steve Henson] |
2769 |
|
2770 |
*) Store a "canonical" representation of X509_NAME structure (ASN1 Name) |
2771 |
this maps equivalent X509_NAME structures into a consistent structure. |
2772 |
Name comparison can then be performed rapidly using memcmp(). |
2773 |
[Steve Henson] |
2774 |
|
2775 |
*) Non-blocking OCSP request processing. Add -timeout option to ocsp |
2776 |
utility. |
2777 |
[Steve Henson] |
2778 |
|
2779 |
*) Allow digests to supply their own micalg string for S/MIME type using |
2780 |
the ctrl EVP_MD_CTRL_MICALG. |
2781 |
[Steve Henson] |
2782 |
|
2783 |
*) During PKCS7 signing pass the PKCS7 SignerInfo structure to the |
2784 |
EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN |
2785 |
ctrl. It can then customise the structure before and/or after signing |
2786 |
if necessary. |
2787 |
[Steve Henson] |
2788 |
|
2789 |
*) New function OBJ_add_sigid() to allow application defined signature OIDs |
2790 |
to be added to OpenSSLs internal tables. New function OBJ_sigid_free() |
2791 |
to free up any added signature OIDs. |
2792 |
[Steve Henson] |
2793 |
|
2794 |
*) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), |
2795 |
EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal |
2796 |
digest and cipher tables. New options added to openssl utility: |
2797 |
list-message-digest-algorithms and list-cipher-algorithms. |
2798 |
[Steve Henson] |
2799 |
|
2800 |
*) Change the array representation of binary polynomials: the list |
2801 |
of degrees of non-zero coefficients is now terminated with -1. |
2802 |
Previously it was terminated with 0, which was also part of the |
2803 |
value; thus, the array representation was not applicable to |
2804 |
polynomials where t^0 has coefficient zero. This change makes |
2805 |
the array representation useful in a more general context. |
2806 |
[Douglas Stebila] |
2807 |
|
2808 |
*) Various modifications and fixes to SSL/TLS cipher string |
2809 |
handling. For ECC, the code now distinguishes between fixed ECDH |
2810 |
with RSA certificates on the one hand and with ECDSA certificates |
2811 |
on the other hand, since these are separate ciphersuites. The |
2812 |
unused code for Fortezza ciphersuites has been removed. |
2813 |
|
2814 |
For consistency with EDH, ephemeral ECDH is now called "EECDH" |
2815 |
(not "ECDHE"). For consistency with the code for DH |
2816 |
certificates, use of ECDH certificates is now considered ECDH |
2817 |
authentication, not RSA or ECDSA authentication (the latter is |
2818 |
merely the CA's signing algorithm and not actively used in the |
2819 |
protocol). |
2820 |
|
2821 |
The temporary ciphersuite alias "ECCdraft" is no longer |
2822 |
available, and ECC ciphersuites are no longer excluded from "ALL" |
2823 |
and "DEFAULT". The following aliases now exist for RFC 4492 |
2824 |
ciphersuites, most of these by analogy with the DH case: |
2825 |
|
2826 |
kECDHr - ECDH cert, signed with RSA |
2827 |
kECDHe - ECDH cert, signed with ECDSA |
2828 |
kECDH - ECDH cert (signed with either RSA or ECDSA) |
2829 |
kEECDH - ephemeral ECDH |
2830 |
ECDH - ECDH cert or ephemeral ECDH |
2831 |
|
2832 |
aECDH - ECDH cert |
2833 |
aECDSA - ECDSA cert |
2834 |
ECDSA - ECDSA cert |
2835 |
|
2836 |
AECDH - anonymous ECDH |
2837 |
EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") |
2838 |
|
2839 |
[Bodo Moeller] |
2840 |
|
2841 |
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported. |
2842 |
Use correct micalg parameters depending on digest(s) in signed message. |
2843 |
[Steve Henson] |
2844 |
|
2845 |
*) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process |
2846 |
an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. |
2847 |
[Steve Henson] |
2848 |
|
2849 |
*) Initial engine support for EVP_PKEY_METHOD. New functions to permit |
2850 |
an engine to register a method. Add ENGINE lookups for methods and |
2851 |
functional reference processing. |
2852 |
[Steve Henson] |
2853 |
|
2854 |
*) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of |
2855 |
EVP_{Sign,Verify}* which allow an application to customise the signature |
2856 |
process. |
2857 |
[Steve Henson] |
2858 |
|
2859 |
*) New -resign option to smime utility. This adds one or more signers |
2860 |
to an existing PKCS#7 signedData structure. Also -md option to use an |
2861 |
alternative message digest algorithm for signing. |
2862 |
[Steve Henson] |
2863 |
|
2864 |
*) Tidy up PKCS#7 routines and add new functions to make it easier to |
2865 |
create PKCS7 structures containing multiple signers. Update smime |
2866 |
application to support multiple signers. |
2867 |
[Steve Henson] |
2868 |
|
2869 |
*) New -macalg option to pkcs12 utility to allow setting of an alternative |
2870 |
digest MAC. |
2871 |
[Steve Henson] |
2872 |
|
2873 |
*) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. |
2874 |
Reorganize PBE internals to lookup from a static table using NIDs, |
2875 |
add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl: |
2876 |
EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative |
2877 |
PRF which will be automatically used with PBES2. |
2878 |
[Steve Henson] |
2879 |
|
2880 |
*) Replace the algorithm specific calls to generate keys in "req" with the |
2881 |
new API. |
2882 |
[Steve Henson] |
2883 |
|
2884 |
*) Update PKCS#7 enveloped data routines to use new API. This is now |
2885 |
supported by any public key method supporting the encrypt operation. A |
2886 |
ctrl is added to allow the public key algorithm to examine or modify |
2887 |
the PKCS#7 RecipientInfo structure if it needs to: for RSA this is |
2888 |
a no op. |
2889 |
[Steve Henson] |
2890 |
|
2891 |
*) Add a ctrl to asn1 method to allow a public key algorithm to express |
2892 |
a default digest type to use. In most cases this will be SHA1 but some |
2893 |
algorithms (such as GOST) need to specify an alternative digest. The |
2894 |
return value indicates how strong the prefernce is 1 means optional and |
2895 |
2 is mandatory (that is it is the only supported type). Modify |
2896 |
ASN1_item_sign() to accept a NULL digest argument to indicate it should |
2897 |
use the default md. Update openssl utilities to use the default digest |
2898 |
type for signing if it is not explicitly indicated. |
2899 |
[Steve Henson] |
2900 |
|
2901 |
*) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New |
2902 |
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant |
2903 |
signing method from the key type. This effectively removes the link |
2904 |
between digests and public key types. |
2905 |
[Steve Henson] |
2906 |
|
2907 |
*) Add an OID cross reference table and utility functions. Its purpose is to |
2908 |
translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, |
2909 |
rsaEncryption. This will allow some of the algorithm specific hackery |
2910 |
needed to use the correct OID to be removed. |
2911 |
[Steve Henson] |
2912 |
|
2913 |
*) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO |
2914 |
structures for PKCS7_sign(). They are now set up by the relevant public |
2915 |
key ASN1 method. |
2916 |
[Steve Henson] |
2917 |
|
2918 |
*) Add provisional EC pkey method with support for ECDSA and ECDH. |
2919 |
[Steve Henson] |
2920 |
|
2921 |
*) Add support for key derivation (agreement) in the API, DH method and |
2922 |
pkeyutl. |
2923 |
[Steve Henson] |
2924 |
|
2925 |
*) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support |
2926 |
public and private key formats. As a side effect these add additional |
2927 |
command line functionality not previously available: DSA signatures can be |
2928 |
generated and verified using pkeyutl and DH key support and generation in |
2929 |
pkey, genpkey. |
2930 |
[Steve Henson] |
2931 |
|
2932 |
*) BeOS support. |
2933 |
[Oliver Tappe <zooey@hirschkaefer.de>] |
2934 |
|
2935 |
*) New make target "install_html_docs" installs HTML renditions of the |
2936 |
manual pages. |
2937 |
[Oliver Tappe <zooey@hirschkaefer.de>] |
2938 |
|
2939 |
*) New utility "genpkey" this is analagous to "genrsa" etc except it can |
2940 |
generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to |
2941 |
support key and parameter generation and add initial key generation |
2942 |
functionality for RSA. |
2943 |
[Steve Henson] |
2944 |
|
2945 |
*) Add functions for main EVP_PKEY_method operations. The undocumented |
2946 |
functions EVP_PKEY_{encrypt,decrypt} have been renamed to |
2947 |
EVP_PKEY_{encrypt,decrypt}_old. |
2948 |
[Steve Henson] |
2949 |
|
2950 |
*) Initial definitions for EVP_PKEY_METHOD. This will be a high level public |
2951 |
key API, doesn't do much yet. |
2952 |
[Steve Henson] |
2953 |
|
2954 |
*) New function EVP_PKEY_asn1_get0_info() to retrieve information about |
2955 |
public key algorithms. New option to openssl utility: |
2956 |
"list-public-key-algorithms" to print out info. |
2957 |
[Steve Henson] |
2958 |
|
2959 |
*) Implement the Supported Elliptic Curves Extension for |
2960 |
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
2961 |
[Douglas Stebila] |
2962 |
|
2963 |
*) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or |
2964 |
EVP_CIPHER structures to avoid later problems in EVP_cleanup(). |
2965 |
[Steve Henson] |
2966 |
|
2967 |
*) New utilities pkey and pkeyparam. These are similar to algorithm specific |
2968 |
utilities such as rsa, dsa, dsaparam etc except they process any key |
2969 |
type. |
2970 |
[Steve Henson] |
2971 |
|
2972 |
*) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New |
2973 |
functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), |
2974 |
EVP_PKEY_print_param() to print public key data from an EVP_PKEY |
2975 |
structure. |
2976 |
[Steve Henson] |
2977 |
|
2978 |
*) Initial support for pluggable public key ASN1. |
2979 |
De-spaghettify the public key ASN1 handling. Move public and private |
2980 |
key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate |
2981 |
algorithm specific handling to a single module within the relevant |
2982 |
algorithm directory. Add functions to allow (near) opaque processing |
2983 |
of public and private key structures. |
2984 |
[Steve Henson] |
2985 |
|
2986 |
*) Implement the Supported Point Formats Extension for |
2987 |
ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
2988 |
[Douglas Stebila] |
2989 |
|
2990 |
*) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members |
2991 |
for the psk identity [hint] and the psk callback functions to the |
2992 |
SSL_SESSION, SSL and SSL_CTX structure. |
2993 |
|
2994 |
New ciphersuites: |
2995 |
PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, |
2996 |
PSK-AES256-CBC-SHA |
2997 |
|
2998 |
New functions: |
2999 |
SSL_CTX_use_psk_identity_hint |
3000 |
SSL_get_psk_identity_hint |
3001 |
SSL_get_psk_identity |
3002 |
SSL_use_psk_identity_hint |
3003 |
|
3004 |
[Mika Kousa and Pasi Eronen of Nokia Corporation] |
3005 |
|
3006 |
*) Add RFC 3161 compliant time stamp request creation, response generation |
3007 |
and response verification functionality. |
3008 |
[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project] |
3009 |
|
3010 |
*) Add initial support for TLS extensions, specifically for the server_name |
3011 |
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now |
3012 |
have new members for a host name. The SSL data structure has an |
3013 |
additional member SSL_CTX *initial_ctx so that new sessions can be |
3014 |
stored in that context to allow for session resumption, even after the |
3015 |
SSL has been switched to a new SSL_CTX in reaction to a client's |
3016 |
server_name extension. |
3017 |
|
3018 |
New functions (subject to change): |
3019 |
|
3020 |
SSL_get_servername() |
3021 |
SSL_get_servername_type() |
3022 |
SSL_set_SSL_CTX() |
3023 |
|
3024 |
New CTRL codes and macros (subject to change): |
3025 |
|
3026 |
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB |
3027 |
- SSL_CTX_set_tlsext_servername_callback() |
3028 |
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG |
3029 |
- SSL_CTX_set_tlsext_servername_arg() |
3030 |
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() |
3031 |
|
3032 |
openssl s_client has a new '-servername ...' option. |
3033 |
|
3034 |
openssl s_server has new options '-servername_host ...', '-cert2 ...', |
3035 |
'-key2 ...', '-servername_fatal' (subject to change). This allows |
3036 |
testing the HostName extension for a specific single host name ('-cert' |
3037 |
and '-key' remain fallbacks for handshakes without HostName |
3038 |
negotiation). If the unrecogninzed_name alert has to be sent, this by |
3039 |
default is a warning; it becomes fatal with the '-servername_fatal' |
3040 |
option. |
3041 |
|
3042 |
[Peter Sylvester, Remy Allais, Christophe Renou] |
3043 |
|
3044 |
*) Whirlpool hash implementation is added. |
3045 |
[Andy Polyakov] |
3046 |
|
3047 |
*) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to |
3048 |
bn(64,32). Because of instruction set limitations it doesn't have |
3049 |
any negative impact on performance. This was done mostly in order |
3050 |
to make it possible to share assembler modules, such as bn_mul_mont |
3051 |
implementations, between 32- and 64-bit builds without hassle. |
3052 |
[Andy Polyakov] |
3053 |
|
3054 |
*) Move code previously exiled into file crypto/ec/ec2_smpt.c |
3055 |
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP |
3056 |
macro. |
3057 |
[Bodo Moeller] |
3058 |
|
3059 |
*) New candidate for BIGNUM assembler implementation, bn_mul_mont, |
3060 |
dedicated Montgomery multiplication procedure, is introduced. |
3061 |
BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher |
3062 |
"64-bit" performance on certain 32-bit targets. |
3063 |
[Andy Polyakov] |
3064 |
|
3065 |
*) New option SSL_OP_NO_COMP to disable use of compression selectively |
3066 |
in SSL structures. New SSL ctrl to set maximum send fragment size. |
3067 |
Save memory by seeting the I/O buffer sizes dynamically instead of |
3068 |
using the maximum available value. |
3069 |
[Steve Henson] |
3070 |
|
3071 |
*) New option -V for 'openssl ciphers'. This prints the ciphersuite code |
3072 |
in addition to the text details. |
3073 |
[Bodo Moeller] |
3074 |
|
3075 |
*) Very, very preliminary EXPERIMENTAL support for printing of general |
3076 |
ASN1 structures. This currently produces rather ugly output and doesn't |
3077 |
handle several customised structures at all. |
3078 |
[Steve Henson] |
3079 |
|
3080 |
*) Integrated support for PVK file format and some related formats such |
3081 |
as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support |
3082 |
these in the 'rsa' and 'dsa' utilities. |
3083 |
[Steve Henson] |
3084 |
|
3085 |
*) Support for PKCS#1 RSAPublicKey format on rsa utility command line. |
3086 |
[Steve Henson] |
3087 |
|
3088 |
*) Remove the ancient ASN1_METHOD code. This was only ever used in one |
3089 |
place for the (very old) "NETSCAPE" format certificates which are now |
3090 |
handled using new ASN1 code equivalents. |
3091 |
[Steve Henson] |
3092 |
|
3093 |
*) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD |
3094 |
pointer and make the SSL_METHOD parameter in SSL_CTX_new, |
3095 |
SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. |
3096 |
[Nils Larsch] |
3097 |
|
3098 |
*) Modify CRL distribution points extension code to print out previously |
3099 |
unsupported fields. Enhance extension setting code to allow setting of |
3100 |
all fields. |
3101 |
[Steve Henson] |
3102 |
|
3103 |
*) Add print and set support for Issuing Distribution Point CRL extension. |
3104 |
[Steve Henson] |
3105 |
|
3106 |
*) Change 'Configure' script to enable Camellia by default. |
3107 |
[NTT] |
3108 |
|
3109 |
Changes between 0.9.8m and 0.9.8n [24 Mar 2010] |
3110 |
|
3111 |
*) When rejecting SSL/TLS records due to an incorrect version number, never |
3112 |
update s->server with a new major version number. As of |
3113 |
- OpenSSL 0.9.8m if 'short' is a 16-bit type, |
3114 |
- OpenSSL 0.9.8f if 'short' is longer than 16 bits, |
3115 |
the previous behavior could result in a read attempt at NULL when |
3116 |
receiving specific incorrect SSL/TLS records once record payload |
3117 |
protection is active. (CVE-2010-0740) |
3118 |
[Bodo Moeller, Adam Langley <agl@chromium.org>] |
3119 |
|
3120 |
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL |
3121 |
could be crashed if the relevant tables were not present (e.g. chrooted). |
3122 |
[Tomas Hoger <thoger@redhat.com>] |
3123 |
|
3124 |
Changes between 0.9.8l and 0.9.8m [25 Feb 2010] |
3125 |
|
3126 |
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245) |
3127 |
[Martin Olsson, Neel Mehta] |
3128 |
|
3129 |
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to |
3130 |
accommodate for stack sorting, always a write lock!). |
3131 |
[Bodo Moeller] |
3132 |
|
3133 |
*) On some versions of WIN32 Heap32Next is very slow. This can cause |
3134 |
excessive delays in the RAND_poll(): over a minute. As a workaround |
3135 |
include a time check in the inner Heap32Next loop too. |
3136 |
[Steve Henson] |
3137 |
|
3138 |
*) The code that handled flushing of data in SSL/TLS originally used the |
3139 |
BIO_CTRL_INFO ctrl to see if any data was pending first. This caused |
3140 |
the problem outlined in PR#1949. The fix suggested there however can |
3141 |
trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions |
3142 |
of Apache). So instead simplify the code to flush unconditionally. |
3143 |
This should be fine since flushing with no data to flush is a no op. |
3144 |
[Steve Henson] |
3145 |
|
3146 |
*) Handle TLS versions 2.0 and later properly and correctly use the |
3147 |
highest version of TLS/SSL supported. Although TLS >= 2.0 is some way |
3148 |
off ancient servers have a habit of sticking around for a while... |
3149 |
[Steve Henson] |
3150 |
|
3151 |
*) Modify compression code so it frees up structures without using the |
3152 |
ex_data callbacks. This works around a problem where some applications |
3153 |
call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when |
3154 |
restarting) then use compression (e.g. SSL with compression) later. |
3155 |
This results in significant per-connection memory leaks and |
3156 |
has caused some security issues including CVE-2008-1678 and |
3157 |
CVE-2009-4355. |
3158 |
[Steve Henson] |
3159 |
|
3160 |
*) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't |
3161 |
change when encrypting or decrypting. |
3162 |
[Bodo Moeller] |
3163 |
|
3164 |
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to |
3165 |
connect and renegotiate with servers which do not support RI. |
3166 |
Until RI is more widely deployed this option is enabled by default. |
3167 |
[Steve Henson] |
3168 |
|
3169 |
*) Add "missing" ssl ctrls to clear options and mode. |
3170 |
[Steve Henson] |
3171 |
|
3172 |
*) If client attempts to renegotiate and doesn't support RI respond with |
3173 |
a no_renegotiation alert as required by RFC5746. Some renegotiating |
3174 |
TLS clients will continue a connection gracefully when they receive |
3175 |
the alert. Unfortunately OpenSSL mishandled this alert and would hang |
3176 |
waiting for a server hello which it will never receive. Now we treat a |
3177 |
received no_renegotiation alert as a fatal error. This is because |
3178 |
applications requesting a renegotiation might well expect it to succeed |
3179 |
and would have no code in place to handle the server denying it so the |
3180 |
only safe thing to do is to terminate the connection. |
3181 |
[Steve Henson] |
3182 |
|
3183 |
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if |
3184 |
peer supports secure renegotiation and 0 otherwise. Print out peer |
3185 |
renegotiation support in s_client/s_server. |
3186 |
[Steve Henson] |
3187 |
|
3188 |
*) Replace the highly broken and deprecated SPKAC certification method with |
3189 |
the updated NID creation version. This should correctly handle UTF8. |
3190 |
[Steve Henson] |
3191 |
|
3192 |
*) Implement RFC5746. Re-enable renegotiation but require the extension |
3193 |
as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
3194 |
turns out to be a bad idea. It has been replaced by |
3195 |
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with |
3196 |
SSL_CTX_set_options(). This is really not recommended unless you |
3197 |
know what you are doing. |
3198 |
[Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] |
3199 |
|
3200 |
*) Fixes to stateless session resumption handling. Use initial_ctx when |
3201 |
issuing and attempting to decrypt tickets in case it has changed during |
3202 |
servername handling. Use a non-zero length session ID when attempting |
3203 |
stateless session resumption: this makes it possible to determine if |
3204 |
a resumption has occurred immediately after receiving server hello |
3205 |
(several places in OpenSSL subtly assume this) instead of later in |
3206 |
the handshake. |
3207 |
[Steve Henson] |
3208 |
|
3209 |
*) The functions ENGINE_ctrl(), OPENSSL_isservice(), |
3210 |
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error |
3211 |
fixes for a few places where the return code is not checked |
3212 |
correctly. |
3213 |
[Julia Lawall <julia@diku.dk>] |
3214 |
|
3215 |
*) Add --strict-warnings option to Configure script to include devteam |
3216 |
warnings in other configurations. |
3217 |
[Steve Henson] |
3218 |
|
3219 |
*) Add support for --libdir option and LIBDIR variable in makefiles. This |
3220 |
makes it possible to install openssl libraries in locations which |
3221 |
have names other than "lib", for example "/usr/lib64" which some |
3222 |
systems need. |
3223 |
[Steve Henson, based on patch from Jeremy Utley] |
3224 |
|
3225 |
*) Don't allow the use of leading 0x80 in OIDs. This is a violation of |
3226 |
X690 8.9.12 and can produce some misleading textual output of OIDs. |
3227 |
[Steve Henson, reported by Dan Kaminsky] |
3228 |
|
3229 |
*) Delete MD2 from algorithm tables. This follows the recommendation in |
3230 |
several standards that it is not used in new applications due to |
3231 |
several cryptographic weaknesses. For binary compatibility reasons |
3232 |
the MD2 API is still compiled in by default. |
3233 |
[Steve Henson] |
3234 |
|
3235 |
*) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved |
3236 |
and restored. |
3237 |
[Steve Henson] |
3238 |
|
3239 |
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and |
3240 |
OPENSSL_asc2uni conditionally on Netware platforms to avoid a name |
3241 |
clash. |
3242 |
[Guenter <lists@gknw.net>] |
3243 |
|
3244 |
*) Fix the server certificate chain building code to use X509_verify_cert(), |
3245 |
it used to have an ad-hoc builder which was unable to cope with anything |
3246 |
other than a simple chain. |
3247 |
[David Woodhouse <dwmw2@infradead.org>, Steve Henson] |
3248 |
|
3249 |
*) Don't check self signed certificate signatures in X509_verify_cert() |
3250 |
by default (a flag can override this): it just wastes time without |
3251 |
adding any security. As a useful side effect self signed root CAs |
3252 |
with non-FIPS digests are now usable in FIPS mode. |
3253 |
[Steve Henson] |
3254 |
|
3255 |
*) In dtls1_process_out_of_seq_message() the check if the current message |
3256 |
is already buffered was missing. For every new message was memory |
3257 |
allocated, allowing an attacker to perform an denial of service attack |
3258 |
with sending out of seq handshake messages until there is no memory |
3259 |
left. Additionally every future messege was buffered, even if the |
3260 |
sequence number made no sense and would be part of another handshake. |
3261 |
So only messages with sequence numbers less than 10 in advance will be |
3262 |
buffered. (CVE-2009-1378) |
3263 |
[Robin Seggelmann, discovered by Daniel Mentz] |
3264 |
|
3265 |
*) Records are buffered if they arrive with a future epoch to be |
3266 |
processed after finishing the corresponding handshake. There is |
3267 |
currently no limitation to this buffer allowing an attacker to perform |
3268 |
a DOS attack with sending records with future epochs until there is no |
3269 |
memory left. This patch adds the pqueue_size() function to detemine |
3270 |
the size of a buffer and limits the record buffer to 100 entries. |
3271 |
(CVE-2009-1377) |
3272 |
[Robin Seggelmann, discovered by Daniel Mentz] |
3273 |
|
3274 |
*) Keep a copy of frag->msg_header.frag_len so it can be used after the |
3275 |
parent structure is freed. (CVE-2009-1379) |
3276 |
[Daniel Mentz] |
3277 |
|
3278 |
*) Handle non-blocking I/O properly in SSL_shutdown() call. |
3279 |
[Darryl Miles <darryl-mailinglists@netbauds.net>] |
3280 |
|
3281 |
*) Add 2.5.4.* OIDs |
3282 |
[Ilya O. <vrghost@gmail.com>] |
3283 |
|
3284 |
Changes between 0.9.8k and 0.9.8l [5 Nov 2009] |
3285 |
|
3286 |
*) Disable renegotiation completely - this fixes a severe security |
3287 |
problem (CVE-2009-3555) at the cost of breaking all |
3288 |
renegotiation. Renegotiation can be re-enabled by setting |
3289 |
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at |
3290 |
run-time. This is really not recommended unless you know what |
3291 |
you're doing. |
3292 |
[Ben Laurie] |
3293 |
|
3294 |
Changes between 0.9.8j and 0.9.8k [25 Mar 2009] |
3295 |
|
3296 |
*) Don't set val to NULL when freeing up structures, it is freed up by |
3297 |
underlying code. If sizeof(void *) > sizeof(long) this can result in |
3298 |
zeroing past the valid field. (CVE-2009-0789) |
3299 |
[Paolo Ganci <Paolo.Ganci@AdNovum.CH>] |
3300 |
|
3301 |
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not |
3302 |
checked correctly. This would allow some invalid signed attributes to |
3303 |
appear to verify correctly. (CVE-2009-0591) |
3304 |
[Ivan Nestlerode <inestlerode@us.ibm.com>] |
3305 |
|
3306 |
*) Reject UniversalString and BMPString types with invalid lengths. This |
3307 |
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have |
3308 |
a legal length. (CVE-2009-0590) |
3309 |
[Steve Henson] |
3310 |
|
3311 |
*) Set S/MIME signing as the default purpose rather than setting it |
3312 |
unconditionally. This allows applications to override it at the store |
3313 |
level. |
3314 |
[Steve Henson] |
3315 |
|
3316 |
*) Permit restricted recursion of ASN1 strings. This is needed in practice |
3317 |
to handle some structures. |
3318 |
[Steve Henson] |
3319 |
|
3320 |
*) Improve efficiency of mem_gets: don't search whole buffer each time |
3321 |
for a '\n' |
3322 |
[Jeremy Shapiro <jnshapir@us.ibm.com>] |
3323 |
|
3324 |
*) New -hex option for openssl rand. |
3325 |
[Matthieu Herrb] |
3326 |
|
3327 |
*) Print out UTF8String and NumericString when parsing ASN1. |
3328 |
[Steve Henson] |
3329 |
|
3330 |
*) Support NumericString type for name components. |
3331 |
[Steve Henson] |
3332 |
|
3333 |
*) Allow CC in the environment to override the automatically chosen |
3334 |
compiler. Note that nothing is done to ensure flags work with the |
3335 |
chosen compiler. |
3336 |
[Ben Laurie] |
3337 |
|
3338 |
Changes between 0.9.8i and 0.9.8j [07 Jan 2009] |
3339 |
|
3340 |
*) Properly check EVP_VerifyFinal() and similar return values |
3341 |
(CVE-2008-5077). |
3342 |
[Ben Laurie, Bodo Moeller, Google Security Team] |
3343 |
|
3344 |
*) Enable TLS extensions by default. |
3345 |
[Ben Laurie] |
3346 |
|
3347 |
*) Allow the CHIL engine to be loaded, whether the application is |
3348 |
multithreaded or not. (This does not release the developer from the |
3349 |
obligation to set up the dynamic locking callbacks.) |
3350 |
[Sander Temme <sander@temme.net>] |
3351 |
|
3352 |
*) Use correct exit code if there is an error in dgst command. |
3353 |
[Steve Henson; problem pointed out by Roland Dirlewanger] |
3354 |
|
3355 |
*) Tweak Configure so that you need to say "experimental-jpake" to enable |
3356 |
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. |
3357 |
[Bodo Moeller] |
3358 |
|
3359 |
*) Add experimental JPAKE support, including demo authentication in |
3360 |
s_client and s_server. |
3361 |
[Ben Laurie] |
3362 |
|
3363 |
*) Set the comparison function in v3_addr_canonize(). |
3364 |
[Rob Austein <sra@hactrn.net>] |
3365 |
|
3366 |
*) Add support for XMPP STARTTLS in s_client. |
3367 |
[Philip Paeps <philip@freebsd.org>] |
3368 |
|
3369 |
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior |
3370 |
to ensure that even with this option, only ciphersuites in the |
3371 |
server's preference list will be accepted. (Note that the option |
3372 |
applies only when resuming a session, so the earlier behavior was |
3373 |
just about the algorithm choice for symmetric cryptography.) |
3374 |
[Bodo Moeller] |
3375 |
|
3376 |
Changes between 0.9.8h and 0.9.8i [15 Sep 2008] |
3377 |
|
3378 |
*) Fix NULL pointer dereference if a DTLS server received |
3379 |
ChangeCipherSpec as first record (CVE-2009-1386). |
3380 |
[PR #1679] |
3381 |
|
3382 |
*) Fix a state transitition in s3_srvr.c and d1_srvr.c |
3383 |
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). |
3384 |
[Nagendra Modadugu] |
3385 |
|
3386 |
*) The fix in 0.9.8c that supposedly got rid of unsafe |
3387 |
double-checked locking was incomplete for RSA blinding, |
3388 |
addressing just one layer of what turns out to have been |
3389 |
doubly unsafe triple-checked locking. |
3390 |
|
3391 |
So now fix this for real by retiring the MONT_HELPER macro |
3392 |
in crypto/rsa/rsa_eay.c. |
3393 |
|
3394 |
[Bodo Moeller; problem pointed out by Marius Schilder] |
3395 |
|
3396 |
*) Various precautionary measures: |
3397 |
|
3398 |
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). |
3399 |
|
3400 |
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). |
3401 |
(NB: This would require knowledge of the secret session ticket key |
3402 |
to exploit, in which case you'd be SOL either way.) |
3403 |
|
3404 |
- Change bn_nist.c so that it will properly handle input BIGNUMs |
3405 |
outside the expected range. |
3406 |
|
3407 |
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG |
3408 |
builds. |
3409 |
|
3410 |
[Neel Mehta, Bodo Moeller] |
3411 |
|
3412 |
*) Allow engines to be "soft loaded" - i.e. optionally don't die if |
3413 |
the load fails. Useful for distros. |
3414 |
[Ben Laurie and the FreeBSD team] |
3415 |
|
3416 |
*) Add support for Local Machine Keyset attribute in PKCS#12 files. |
3417 |
[Steve Henson] |
3418 |
|
3419 |
*) Fix BN_GF2m_mod_arr() top-bit cleanup code. |
3420 |
[Huang Ying] |
3421 |
|
3422 |
*) Expand ENGINE to support engine supplied SSL client certificate functions. |
3423 |
|
3424 |
This work was sponsored by Logica. |
3425 |
[Steve Henson] |
3426 |
|
3427 |
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows |
3428 |
keystores. Support for SSL/TLS client authentication too. |
3429 |
Not compiled unless enable-capieng specified to Configure. |
3430 |
|
3431 |
This work was sponsored by Logica. |
3432 |
[Steve Henson] |
3433 |
|
3434 |
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using |
3435 |
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain |
3436 |
attribute creation routines such as certifcate requests and PKCS#12 |
3437 |
files. |
3438 |
[Steve Henson] |
3439 |
|
3440 |
Changes between 0.9.8g and 0.9.8h [28 May 2008] |
3441 |
|
3442 |
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS |
3443 |
handshake which could lead to a cilent crash as found using the |
3444 |
Codenomicon TLS test suite (CVE-2008-1672) |
3445 |
[Steve Henson, Mark Cox] |
3446 |
|
3447 |
*) Fix double free in TLS server name extensions which could lead to |
3448 |
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) |
3449 |
[Joe Orton] |
3450 |
|
3451 |
*) Clear error queue in SSL_CTX_use_certificate_chain_file() |
3452 |
|
3453 |
Clear the error queue to ensure that error entries left from |
3454 |
older function calls do not interfere with the correct operation. |
3455 |
[Lutz Jaenicke, Erik de Castro Lopo] |
3456 |
|
3457 |
*) Remove root CA certificates of commercial CAs: |
3458 |
|
3459 |
The OpenSSL project does not recommend any specific CA and does not |
3460 |
have any policy with respect to including or excluding any CA. |
3461 |
Therefore it does not make any sense to ship an arbitrary selection |
3462 |
of root CA certificates with the OpenSSL software. |
3463 |
[Lutz Jaenicke] |
3464 |
|
3465 |
*) RSA OAEP patches to fix two separate invalid memory reads. |
3466 |
The first one involves inputs when 'lzero' is greater than |
3467 |
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes |
3468 |
before the beginning of from). The second one involves inputs where |
3469 |
the 'db' section contains nothing but zeroes (there is a one-byte |
3470 |
invalid read after the end of 'db'). |
3471 |
[Ivan Nestlerode <inestlerode@us.ibm.com>] |
3472 |
|
3473 |
*) Partial backport from 0.9.9-dev: |
3474 |
|
3475 |
Introduce bn_mul_mont (dedicated Montgomery multiplication |
3476 |
procedure) as a candidate for BIGNUM assembler implementation. |
3477 |
While 0.9.9-dev uses assembler for various architectures, only |
3478 |
x86_64 is available by default here in the 0.9.8 branch, and |
3479 |
32-bit x86 is available through a compile-time setting. |
3480 |
|
3481 |
To try the 32-bit x86 assembler implementation, use Configure |
3482 |
option "enable-montasm" (which exists only for this backport). |
3483 |
|
3484 |
As "enable-montasm" for 32-bit x86 disclaims code stability |
3485 |
anyway, in this constellation we activate additional code |
3486 |
backported from 0.9.9-dev for further performance improvements, |
3487 |
namely BN_from_montgomery_word. (To enable this otherwise, |
3488 |
e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) |
3489 |
|
3490 |
[Andy Polyakov (backport partially by Bodo Moeller)] |
3491 |
|
3492 |
*) Add TLS session ticket callback. This allows an application to set |
3493 |
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed |
3494 |
values. This is useful for key rollover for example where several key |
3495 |
sets may exist with different names. |
3496 |
[Steve Henson] |
3497 |
|
3498 |
*) Reverse ENGINE-internal logic for caching default ENGINE handles. |
3499 |
This was broken until now in 0.9.8 releases, such that the only way |
3500 |
a registered ENGINE could be used (assuming it initialises |
3501 |
successfully on the host) was to explicitly set it as the default |
3502 |
for the relevant algorithms. This is in contradiction with 0.9.7 |
3503 |
behaviour and the documentation. With this fix, when an ENGINE is |
3504 |
registered into a given algorithm's table of implementations, the |
3505 |
'uptodate' flag is reset so that auto-discovery will be used next |
3506 |
time a new context for that algorithm attempts to select an |
3507 |
implementation. |
3508 |
[Ian Lister (tweaked by Geoff Thorpe)] |
3509 |
|
3510 |
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 |
3511 |
implemention in the following ways: |
3512 |
|
3513 |
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be |
3514 |
hard coded. |
3515 |
|
3516 |
Lack of BER streaming support means one pass streaming processing is |
3517 |
only supported if data is detached: setting the streaming flag is |
3518 |
ignored for embedded content. |
3519 |
|
3520 |
CMS support is disabled by default and must be explicitly enabled |
3521 |
with the enable-cms configuration option. |
3522 |
[Steve Henson] |
3523 |
|
3524 |
*) Update the GMP engine glue to do direct copies between BIGNUM and |
3525 |
mpz_t when openssl and GMP use the same limb size. Otherwise the |
3526 |
existing "conversion via a text string export" trick is still used. |
3527 |
[Paul Sheer <paulsheer@gmail.com>] |
3528 |
|
3529 |
*) Zlib compression BIO. This is a filter BIO which compressed and |
3530 |
uncompresses any data passed through it. |
3531 |
[Steve Henson] |
3532 |
|
3533 |
*) Add AES_wrap_key() and AES_unwrap_key() functions to implement |
3534 |
RFC3394 compatible AES key wrapping. |
3535 |
[Steve Henson] |
3536 |
|
3537 |
*) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): |
3538 |
sets string data without copying. X509_ALGOR_set0() and |
3539 |
X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) |
3540 |
data. Attribute function X509at_get0_data_by_OBJ(): retrieves data |
3541 |
from an X509_ATTRIBUTE structure optionally checking it occurs only |
3542 |
once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied |
3543 |
data. |
3544 |
[Steve Henson] |
3545 |
|
3546 |
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() |
3547 |
to get the expected BN_FLG_CONSTTIME behavior. |
3548 |
[Bodo Moeller (Google)] |
3549 |
|
3550 |
*) Netware support: |
3551 |
|
3552 |
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets |
3553 |
- fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) |
3554 |
- added some more tests to do_tests.pl |
3555 |
- fixed RunningProcess usage so that it works with newer LIBC NDKs too |
3556 |
- removed usage of BN_LLONG for CLIB builds to avoid runtime dependency |
3557 |
- added new Configure targets netware-clib-bsdsock, netware-clib-gcc, |
3558 |
netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc |
3559 |
- various changes to netware.pl to enable gcc-cross builds on Win32 |
3560 |
platform |
3561 |
- changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) |
3562 |
- various changes to fix missing prototype warnings |
3563 |
- fixed x86nasm.pl to create correct asm files for NASM COFF output |
3564 |
- added AES, WHIRLPOOL and CPUID assembler code to build files |
3565 |
- added missing AES assembler make rules to mk1mf.pl |
3566 |
- fixed order of includes in apps/ocsp.c so that e_os.h settings apply |
3567 |
[Guenter Knauf <eflash@gmx.net>] |
3568 |
|
3569 |
*) Implement certificate status request TLS extension defined in RFC3546. |
3570 |
A client can set the appropriate parameters and receive the encoded |
3571 |
OCSP response via a callback. A server can query the supplied parameters |
3572 |
and set the encoded OCSP response in the callback. Add simplified examples |
3573 |
to s_client and s_server. |
3574 |
[Steve Henson] |
3575 |
|
3576 |
Changes between 0.9.8f and 0.9.8g [19 Oct 2007] |
3577 |
|
3578 |
*) Fix various bugs: |
3579 |
+ Binary incompatibility of ssl_ctx_st structure |
3580 |
+ DTLS interoperation with non-compliant servers |
3581 |
+ Don't call get_session_cb() without proposed session |
3582 |
+ Fix ia64 assembler code |
3583 |
[Andy Polyakov, Steve Henson] |
3584 |
|
3585 |
Changes between 0.9.8e and 0.9.8f [11 Oct 2007] |
3586 |
|
3587 |
*) DTLS Handshake overhaul. There were longstanding issues with |
3588 |
OpenSSL DTLS implementation, which were making it impossible for |
3589 |
RFC 4347 compliant client to communicate with OpenSSL server. |
3590 |
Unfortunately just fixing these incompatibilities would "cut off" |
3591 |
pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e |
3592 |
server keeps tolerating non RFC compliant syntax. The opposite is |
3593 |
not true, 0.9.8f client can not communicate with earlier server. |
3594 |
This update even addresses CVE-2007-4995. |
3595 |
[Andy Polyakov] |
3596 |
|
3597 |
*) Changes to avoid need for function casts in OpenSSL: some compilers |
3598 |
(gcc 4.2 and later) reject their use. |
3599 |
[Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, |
3600 |
Steve Henson] |
3601 |
|
3602 |
*) Add RFC4507 support to OpenSSL. This includes the corrections in |
3603 |
RFC4507bis. The encrypted ticket format is an encrypted encoded |
3604 |
SSL_SESSION structure, that way new session features are automatically |
3605 |
supported. |
3606 |
|
3607 |
If a client application caches session in an SSL_SESSION structure |
3608 |
support is transparent because tickets are now stored in the encoded |
3609 |
SSL_SESSION. |
3610 |
|
3611 |
The SSL_CTX structure automatically generates keys for ticket |
3612 |
protection in servers so again support should be possible |
3613 |
with no application modification. |
3614 |
|
3615 |
If a client or server wishes to disable RFC4507 support then the option |
3616 |
SSL_OP_NO_TICKET can be set. |
3617 |
|
3618 |
Add a TLS extension debugging callback to allow the contents of any client |
3619 |
or server extensions to be examined. |
3620 |
|
3621 |
This work was sponsored by Google. |
3622 |
[Steve Henson] |
3623 |
|
3624 |
*) Add initial support for TLS extensions, specifically for the server_name |
3625 |
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now |
3626 |
have new members for a host name. The SSL data structure has an |
3627 |
additional member SSL_CTX *initial_ctx so that new sessions can be |
3628 |
stored in that context to allow for session resumption, even after the |
3629 |
SSL has been switched to a new SSL_CTX in reaction to a client's |
3630 |
server_name extension. |
3631 |
|
3632 |
New functions (subject to change): |
3633 |
|
3634 |
SSL_get_servername() |
3635 |
SSL_get_servername_type() |
3636 |
SSL_set_SSL_CTX() |
3637 |
|
3638 |
New CTRL codes and macros (subject to change): |
3639 |
|
3640 |
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB |
3641 |
- SSL_CTX_set_tlsext_servername_callback() |
3642 |
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG |
3643 |
- SSL_CTX_set_tlsext_servername_arg() |
3644 |
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() |
3645 |
|
3646 |
openssl s_client has a new '-servername ...' option. |
3647 |
|
3648 |
openssl s_server has new options '-servername_host ...', '-cert2 ...', |
3649 |
'-key2 ...', '-servername_fatal' (subject to change). This allows |
3650 |
testing the HostName extension for a specific single host name ('-cert' |
3651 |
and '-key' remain fallbacks for handshakes without HostName |
3652 |
negotiation). If the unrecogninzed_name alert has to be sent, this by |
3653 |
default is a warning; it becomes fatal with the '-servername_fatal' |
3654 |
option. |
3655 |
|
3656 |
[Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] |
3657 |
|
3658 |
*) Add AES and SSE2 assembly language support to VC++ build. |
3659 |
[Steve Henson] |
3660 |
|
3661 |
*) Mitigate attack on final subtraction in Montgomery reduction. |
3662 |
[Andy Polyakov] |
3663 |
|
3664 |
*) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 |
3665 |
(which previously caused an internal error). |
3666 |
[Bodo Moeller] |
3667 |
|
3668 |
*) Squeeze another 10% out of IGE mode when in != out. |
3669 |
[Ben Laurie] |
3670 |
|
3671 |
*) AES IGE mode speedup. |
3672 |
[Dean Gaudet (Google)] |
3673 |
|
3674 |
*) Add the Korean symmetric 128-bit cipher SEED (see |
3675 |
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and |
3676 |
add SEED ciphersuites from RFC 4162: |
3677 |
|
3678 |
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" |
3679 |
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" |
3680 |
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" |
3681 |
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" |
3682 |
|
3683 |
To minimize changes between patchlevels in the OpenSSL 0.9.8 |
3684 |
series, SEED remains excluded from compilation unless OpenSSL |
3685 |
is configured with 'enable-seed'. |
3686 |
[KISA, Bodo Moeller] |
3687 |
|
3688 |
*) Mitigate branch prediction attacks, which can be practical if a |
3689 |
single processor is shared, allowing a spy process to extract |
3690 |
information. For detailed background information, see |
3691 |
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, |
3692 |
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL |
3693 |
and Necessary Software Countermeasures"). The core of the change |
3694 |
are new versions BN_div_no_branch() and |
3695 |
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), |
3696 |
respectively, which are slower, but avoid the security-relevant |
3697 |
conditional branches. These are automatically called by BN_div() |
3698 |
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one |
3699 |
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to |
3700 |
remove a conditional branch. |
3701 |
|
3702 |
BN_FLG_CONSTTIME is the new name for the previous |
3703 |
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just |
3704 |
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag |
3705 |
in the exponent causes BN_mod_exp_mont() to use the alternative |
3706 |
implementation in BN_mod_exp_mont_consttime().) The old name |
3707 |
remains as a deprecated alias. |
3708 |
|
3709 |
Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general |
3710 |
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses |
3711 |
constant-time implementations for more than just exponentiation. |
3712 |
Here too the old name is kept as a deprecated alias. |
3713 |
|
3714 |
BN_BLINDING_new() will now use BN_dup() for the modulus so that |
3715 |
the BN_BLINDING structure gets an independent copy of the |
3716 |
modulus. This means that the previous "BIGNUM *m" argument to |
3717 |
BN_BLINDING_new() and to BN_BLINDING_create_param() now |
3718 |
essentially becomes "const BIGNUM *m", although we can't actually |
3719 |
change this in the header file before 0.9.9. It allows |
3720 |
RSA_setup_blinding() to use BN_with_flags() on the modulus to |
3721 |
enable BN_FLG_CONSTTIME. |
3722 |
|
3723 |
[Matthew D Wood (Intel Corp)] |
3724 |
|
3725 |
*) In the SSL/TLS server implementation, be strict about session ID |
3726 |
context matching (which matters if an application uses a single |
3727 |
external cache for different purposes). Previously, |
3728 |
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was |
3729 |
set. This did ensure strict client verification, but meant that, |
3730 |
with applications using a single external cache for quite |
3731 |
different requirements, clients could circumvent ciphersuite |
3732 |
restrictions for a given session ID context by starting a session |
3733 |
in a different context. |
3734 |
[Bodo Moeller] |
3735 |
|
3736 |
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
3737 |
a ciphersuite string such as "DEFAULT:RSA" cannot enable |
3738 |
authentication-only ciphersuites. |
3739 |
[Bodo Moeller] |
3740 |
|
3741 |
*) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was |
3742 |
not complete and could lead to a possible single byte overflow |
3743 |
(CVE-2007-5135) [Ben Laurie] |
3744 |
|
3745 |
Changes between 0.9.8d and 0.9.8e [23 Feb 2007] |
3746 |
|
3747 |
*) Since AES128 and AES256 (and similarly Camellia128 and |
3748 |
Camellia256) share a single mask bit in the logic of |
3749 |
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a |
3750 |
kludge to work properly if AES128 is available and AES256 isn't |
3751 |
(or if Camellia128 is available and Camellia256 isn't). |
3752 |
[Victor Duchovni] |
3753 |
|
3754 |
*) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c |
3755 |
(within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): |
3756 |
When a point or a seed is encoded in a BIT STRING, we need to |
3757 |
prevent the removal of trailing zero bits to get the proper DER |
3758 |
encoding. (By default, crypto/asn1/a_bitstr.c assumes the case |
3759 |
of a NamedBitList, for which trailing 0 bits need to be removed.) |
3760 |
[Bodo Moeller] |
3761 |
|
3762 |
*) Have SSL/TLS server implementation tolerate "mismatched" record |
3763 |
protocol version while receiving ClientHello even if the |
3764 |
ClientHello is fragmented. (The server can't insist on the |
3765 |
particular protocol version it has chosen before the ServerHello |
3766 |
message has informed the client about his choice.) |
3767 |
[Bodo Moeller] |
3768 |
|
3769 |
*) Add RFC 3779 support. |
3770 |
[Rob Austein for ARIN, Ben Laurie] |
3771 |
|
3772 |
*) Load error codes if they are not already present instead of using a |
3773 |
static variable. This allows them to be cleanly unloaded and reloaded. |
3774 |
Improve header file function name parsing. |
3775 |
[Steve Henson] |
3776 |
|
3777 |
*) extend SMTP and IMAP protocol emulation in s_client to use EHLO |
3778 |
or CAPABILITY handshake as required by RFCs. |
3779 |
[Goetz Babin-Ebell] |
3780 |
|
3781 |
Changes between 0.9.8c and 0.9.8d [28 Sep 2006] |
3782 |
|
3783 |
*) Introduce limits to prevent malicious keys being able to |
3784 |
cause a denial of service. (CVE-2006-2940) |
3785 |
[Steve Henson, Bodo Moeller] |
3786 |
|
3787 |
*) Fix ASN.1 parsing of certain invalid structures that can result |
3788 |
in a denial of service. (CVE-2006-2937) [Steve Henson] |
3789 |
|
3790 |
*) Fix buffer overflow in SSL_get_shared_ciphers() function. |
3791 |
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] |
3792 |
|
3793 |
*) Fix SSL client code which could crash if connecting to a |
3794 |
malicious SSLv2 server. (CVE-2006-4343) |
3795 |
[Tavis Ormandy and Will Drewry, Google Security Team] |
3796 |
|
3797 |
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites |
3798 |
match only those. Before that, "AES256-SHA" would be interpreted |
3799 |
as a pattern and match "AES128-SHA" too (since AES128-SHA got |
3800 |
the same strength classification in 0.9.7h) as we currently only |
3801 |
have a single AES bit in the ciphersuite description bitmap. |
3802 |
That change, however, also applied to ciphersuite strings such as |
3803 |
"RC4-MD5" that intentionally matched multiple ciphersuites -- |
3804 |
namely, SSL 2.0 ciphersuites in addition to the more common ones |
3805 |
from SSL 3.0/TLS 1.0. |
3806 |
|
3807 |
So we change the selection algorithm again: Naming an explicit |
3808 |
ciphersuite selects this one ciphersuite, and any other similar |
3809 |
ciphersuite (same bitmap) from *other* protocol versions. |
3810 |
Thus, "RC4-MD5" again will properly select both the SSL 2.0 |
3811 |
ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. |
3812 |
|
3813 |
Since SSL 2.0 does not have any ciphersuites for which the |
3814 |
128/256 bit distinction would be relevant, this works for now. |
3815 |
The proper fix will be to use different bits for AES128 and |
3816 |
AES256, which would have avoided the problems from the beginning; |
3817 |
however, bits are scarce, so we can only do this in a new release |
3818 |
(not just a patchlevel) when we can change the SSL_CIPHER |
3819 |
definition to split the single 'unsigned long mask' bitmap into |
3820 |
multiple values to extend the available space. |
3821 |
|
3822 |
[Bodo Moeller] |
3823 |
|
3824 |
Changes between 0.9.8b and 0.9.8c [05 Sep 2006] |
3825 |
|
3826 |
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
3827 |
(CVE-2006-4339) [Ben Laurie and Google Security Team] |
3828 |
|
3829 |
*) Add AES IGE and biIGE modes. |
3830 |
[Ben Laurie] |
3831 |
|
3832 |
*) Change the Unix randomness entropy gathering to use poll() when |
3833 |
possible instead of select(), since the latter has some |
3834 |
undesirable limitations. |
3835 |
[Darryl Miles via Richard Levitte and Bodo Moeller] |
3836 |
|
3837 |
*) Disable "ECCdraft" ciphersuites more thoroughly. Now special |
3838 |
treatment in ssl/ssl_ciph.s makes sure that these ciphersuites |
3839 |
cannot be implicitly activated as part of, e.g., the "AES" alias. |
3840 |
However, please upgrade to OpenSSL 0.9.9[-dev] for |
3841 |
non-experimental use of the ECC ciphersuites to get TLS extension |
3842 |
support, which is required for curve and point format negotiation |
3843 |
to avoid potential handshake problems. |
3844 |
[Bodo Moeller] |
3845 |
|
3846 |
*) Disable rogue ciphersuites: |
3847 |
|
3848 |
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") |
3849 |
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") |
3850 |
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") |
3851 |
|
3852 |
The latter two were purportedly from |
3853 |
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really |
3854 |
appear there. |
3855 |
|
3856 |
Also deactivate the remaining ciphersuites from |
3857 |
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
3858 |
unofficial, and the ID has long expired. |
3859 |
[Bodo Moeller] |
3860 |
|
3861 |
*) Fix RSA blinding Heisenbug (problems sometimes occured on |
3862 |
dual-core machines) and other potential thread-safety issues. |
3863 |
[Bodo Moeller] |
3864 |
|
3865 |
*) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key |
3866 |
versions), which is now available for royalty-free use |
3867 |
(see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). |
3868 |
Also, add Camellia TLS ciphersuites from RFC 4132. |
3869 |
|
3870 |
To minimize changes between patchlevels in the OpenSSL 0.9.8 |
3871 |
series, Camellia remains excluded from compilation unless OpenSSL |
3872 |
is configured with 'enable-camellia'. |
3873 |
[NTT] |
3874 |
|
3875 |
*) Disable the padding bug check when compression is in use. The padding |
3876 |
bug check assumes the first packet is of even length, this is not |
3877 |
necessarily true if compresssion is enabled and can result in false |
3878 |
positives causing handshake failure. The actual bug test is ancient |
3879 |
code so it is hoped that implementations will either have fixed it by |
3880 |
now or any which still have the bug do not support compression. |
3881 |
[Steve Henson] |
3882 |
|
3883 |
Changes between 0.9.8a and 0.9.8b [04 May 2006] |
3884 |
|
3885 |
*) When applying a cipher rule check to see if string match is an explicit |
3886 |
cipher suite and only match that one cipher suite if it is. |
3887 |
[Steve Henson] |
3888 |
|
3889 |
*) Link in manifests for VC++ if needed. |
3890 |
[Austin Ziegler <halostatue@gmail.com>] |
3891 |
|
3892 |
*) Update support for ECC-based TLS ciphersuites according to |
3893 |
draft-ietf-tls-ecc-12.txt with proposed changes (but without |
3894 |
TLS extensions, which are supported starting with the 0.9.9 |
3895 |
branch, not in the OpenSSL 0.9.8 branch). |
3896 |
[Douglas Stebila] |
3897 |
|
3898 |
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support |
3899 |
opaque EVP_CIPHER_CTX handling. |
3900 |
[Steve Henson] |
3901 |
|
3902 |
*) Fixes and enhancements to zlib compression code. We now only use |
3903 |
"zlib1.dll" and use the default __cdecl calling convention on Win32 |
3904 |
to conform with the standards mentioned here: |
3905 |
http://www.zlib.net/DLL_FAQ.txt |
3906 |
Static zlib linking now works on Windows and the new --with-zlib-include |
3907 |
--with-zlib-lib options to Configure can be used to supply the location |
3908 |
of the headers and library. Gracefully handle case where zlib library |
3909 |
can't be loaded. |
3910 |
[Steve Henson] |
3911 |
|
3912 |
*) Several fixes and enhancements to the OID generation code. The old code |
3913 |
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't |
3914 |
handle numbers larger than ULONG_MAX, truncated printing and had a |
3915 |
non standard OBJ_obj2txt() behaviour. |
3916 |
[Steve Henson] |
3917 |
|
3918 |
*) Add support for building of engines under engine/ as shared libraries |
3919 |
under VC++ build system. |
3920 |
[Steve Henson] |
3921 |
|
3922 |
*) Corrected the numerous bugs in the Win32 path splitter in DSO. |
3923 |
Hopefully, we will not see any false combination of paths any more. |
3924 |
[Richard Levitte] |
3925 |
|
3926 |
Changes between 0.9.8 and 0.9.8a [11 Oct 2005] |
3927 |
|
3928 |
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING |
3929 |
(part of SSL_OP_ALL). This option used to disable the |
3930 |
countermeasure against man-in-the-middle protocol-version |
3931 |
rollback in the SSL 2.0 server implementation, which is a bad |
3932 |
idea. (CVE-2005-2969) |
3933 |
|
3934 |
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center |
3935 |
for Information Security, National Institute of Advanced Industrial |
3936 |
Science and Technology [AIST], Japan)] |
3937 |
|
3938 |
*) Add two function to clear and return the verify parameter flags. |
3939 |
[Steve Henson] |
3940 |
|
3941 |
*) Keep cipherlists sorted in the source instead of sorting them at |
3942 |
runtime, thus removing the need for a lock. |
3943 |
[Nils Larsch] |
3944 |
|
3945 |
*) Avoid some small subgroup attacks in Diffie-Hellman. |
3946 |
[Nick Mathewson and Ben Laurie] |
3947 |
|
3948 |
*) Add functions for well-known primes. |
3949 |
[Nick Mathewson] |
3950 |
|
3951 |
*) Extended Windows CE support. |
3952 |
[Satoshi Nakamura and Andy Polyakov] |
3953 |
|
3954 |
*) Initialize SSL_METHOD structures at compile time instead of during |
3955 |
runtime, thus removing the need for a lock. |
3956 |
[Steve Henson] |
3957 |
|
3958 |
*) Make PKCS7_decrypt() work even if no certificate is supplied by |
3959 |
attempting to decrypt each encrypted key in turn. Add support to |
3960 |
smime utility. |
3961 |
[Steve Henson] |
3962 |
|
3963 |
Changes between 0.9.7h and 0.9.8 [05 Jul 2005] |
3964 |
|
3965 |
[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after |
3966 |
OpenSSL 0.9.8.] |
3967 |
|
3968 |
*) Add libcrypto.pc and libssl.pc for those who feel they need them. |
3969 |
[Richard Levitte] |
3970 |
|
3971 |
*) Change CA.sh and CA.pl so they don't bundle the CSR and the private |
3972 |
key into the same file any more. |
3973 |
[Richard Levitte] |
3974 |
|
3975 |
*) Add initial support for Win64, both IA64 and AMD64/x64 flavors. |
3976 |
[Andy Polyakov] |
3977 |
|
3978 |
*) Add -utf8 command line and config file option to 'ca'. |
3979 |
[Stefan <stf@udoma.org] |
3980 |
|
3981 |
*) Removed the macro des_crypt(), as it seems to conflict with some |
3982 |
libraries. Use DES_crypt(). |
3983 |
[Richard Levitte] |
3984 |
|
3985 |
*) Correct naming of the 'chil' and '4758cca' ENGINEs. This |
3986 |
involves renaming the source and generated shared-libs for |
3987 |
both. The engines will accept the corrected or legacy ids |
3988 |
('ncipher' and '4758_cca' respectively) when binding. NB, |
3989 |
this only applies when building 'shared'. |
3990 |
[Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] |
3991 |
|
3992 |
*) Add attribute functions to EVP_PKEY structure. Modify |
3993 |
PKCS12_create() to recognize a CSP name attribute and |
3994 |
use it. Make -CSP option work again in pkcs12 utility. |
3995 |
[Steve Henson] |
3996 |
|
3997 |
*) Add new functionality to the bn blinding code: |
3998 |
- automatic re-creation of the BN_BLINDING parameters after |
3999 |
a fixed number of uses (currently 32) |
4000 |
- add new function for parameter creation |
4001 |
- introduce flags to control the update behaviour of the |
4002 |
BN_BLINDING parameters |
4003 |
- hide BN_BLINDING structure |
4004 |
Add a second BN_BLINDING slot to the RSA structure to improve |
4005 |
performance when a single RSA object is shared among several |
4006 |
threads. |
4007 |
[Nils Larsch] |
4008 |
|
4009 |
*) Add support for DTLS. |
4010 |
[Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] |
4011 |
|
4012 |
*) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) |
4013 |
to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() |
4014 |
[Walter Goulet] |
4015 |
|
4016 |
*) Remove buggy and incompletet DH cert support from |
4017 |
ssl/ssl_rsa.c and ssl/s3_both.c |
4018 |
[Nils Larsch] |
4019 |
|
4020 |
*) Use SHA-1 instead of MD5 as the default digest algorithm for |
4021 |
the apps/openssl applications. |
4022 |
[Nils Larsch] |
4023 |
|
4024 |
*) Compile clean with "-Wall -Wmissing-prototypes |
4025 |
-Wstrict-prototypes -Wmissing-declarations -Werror". Currently |
4026 |
DEBUG_SAFESTACK must also be set. |
4027 |
[Ben Laurie] |
4028 |
|
4029 |
*) Change ./Configure so that certain algorithms can be disabled by default. |
4030 |
The new counterpiece to "no-xxx" is "enable-xxx". |
4031 |
|
4032 |
The patented RC5 and MDC2 algorithms will now be disabled unless |
4033 |
"enable-rc5" and "enable-mdc2", respectively, are specified. |
4034 |
|
4035 |
(IDEA remains enabled despite being patented. This is because IDEA |
4036 |
is frequently required for interoperability, and there is no license |
4037 |
fee for non-commercial use. As before, "no-idea" can be used to |
4038 |
avoid this algorithm.) |
4039 |
|
4040 |
[Bodo Moeller] |
4041 |
|
4042 |
*) Add processing of proxy certificates (see RFC 3820). This work was |
4043 |
sponsored by KTH (The Royal Institute of Technology in Stockholm) and |
4044 |
EGEE (Enabling Grids for E-science in Europe). |
4045 |
[Richard Levitte] |
4046 |
|
4047 |
*) RC4 performance overhaul on modern architectures/implementations, such |
4048 |
as Intel P4, IA-64 and AMD64. |
4049 |
[Andy Polyakov] |
4050 |
|
4051 |
*) New utility extract-section.pl. This can be used specify an alternative |
4052 |
section number in a pod file instead of having to treat each file as |
4053 |
a separate case in Makefile. This can be done by adding two lines to the |
4054 |
pod file: |
4055 |
|
4056 |
=for comment openssl_section:XXX |
4057 |
|
4058 |
The blank line is mandatory. |
4059 |
|
4060 |
[Steve Henson] |
4061 |
|
4062 |
*) New arguments -certform, -keyform and -pass for s_client and s_server |
4063 |
to allow alternative format key and certificate files and passphrase |
4064 |
sources. |
4065 |
[Steve Henson] |
4066 |
|
4067 |
*) New structure X509_VERIFY_PARAM which combines current verify parameters, |
4068 |
update associated structures and add various utility functions. |
4069 |
|
4070 |
Add new policy related verify parameters, include policy checking in |
4071 |
standard verify code. Enhance 'smime' application with extra parameters |
4072 |
to support policy checking and print out. |
4073 |
[Steve Henson] |
4074 |
|
4075 |
*) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 |
4076 |
Nehemiah processors. These extensions support AES encryption in hardware |
4077 |
as well as RNG (though RNG support is currently disabled). |
4078 |
[Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] |
4079 |
|
4080 |
*) Deprecate BN_[get|set]_params() functions (they were ignored internally). |
4081 |
[Geoff Thorpe] |
4082 |
|
4083 |
*) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. |
4084 |
[Andy Polyakov and a number of other people] |
4085 |
|
4086 |
*) Improved PowerPC platform support. Most notably BIGNUM assembler |
4087 |
implementation contributed by IBM. |
4088 |
[Suresh Chari, Peter Waltenberg, Andy Polyakov] |
4089 |
|
4090 |
*) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public |
4091 |
exponent rather than 'unsigned long'. There is a corresponding change to |
4092 |
the new 'rsa_keygen' element of the RSA_METHOD structure. |
4093 |
[Jelte Jansen, Geoff Thorpe] |
4094 |
|
4095 |
*) Functionality for creating the initial serial number file is now |
4096 |
moved from CA.pl to the 'ca' utility with a new option -create_serial. |
4097 |
|
4098 |
(Before OpenSSL 0.9.7e, CA.pl used to initialize the serial |
4099 |
number file to 1, which is bound to cause problems. To avoid |
4100 |
the problems while respecting compatibility between different 0.9.7 |
4101 |
patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in |
4102 |
CA.pl for serial number initialization. With the new release 0.9.8, |
4103 |
we can fix the problem directly in the 'ca' utility.) |
4104 |
[Steve Henson] |
4105 |
|
4106 |
*) Reduced header interdepencies by declaring more opaque objects in |
4107 |
ossl_typ.h. As a consequence, including some headers (eg. engine.h) will |
4108 |
give fewer recursive includes, which could break lazy source code - so |
4109 |
this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, |
4110 |
developers should define this symbol when building and using openssl to |
4111 |
ensure they track the recommended behaviour, interfaces, [etc], but |
4112 |
backwards-compatible behaviour prevails when this isn't defined. |
4113 |
[Geoff Thorpe] |
4114 |
|
4115 |
*) New function X509_POLICY_NODE_print() which prints out policy nodes. |
4116 |
[Steve Henson] |
4117 |
|
4118 |
*) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. |
4119 |
This will generate a random key of the appropriate length based on the |
4120 |
cipher context. The EVP_CIPHER can provide its own random key generation |
4121 |
routine to support keys of a specific form. This is used in the des and |
4122 |
3des routines to generate a key of the correct parity. Update S/MIME |
4123 |
code to use new functions and hence generate correct parity DES keys. |
4124 |
Add EVP_CHECK_DES_KEY #define to return an error if the key is not |
4125 |
valid (weak or incorrect parity). |
4126 |
[Steve Henson] |
4127 |
|
4128 |
*) Add a local set of CRLs that can be used by X509_verify_cert() as well |
4129 |
as looking them up. This is useful when the verified structure may contain |
4130 |
CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs |
4131 |
present unless the new PKCS7_NO_CRL flag is asserted. |
4132 |
[Steve Henson] |
4133 |
|
4134 |
*) Extend ASN1 oid configuration module. It now additionally accepts the |
4135 |
syntax: |
4136 |
|
4137 |
shortName = some long name, 1.2.3.4 |
4138 |
[Steve Henson] |
4139 |
|
4140 |
*) Reimplemented the BN_CTX implementation. There is now no more static |
4141 |
limitation on the number of variables it can handle nor the depth of the |
4142 |
"stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack |
4143 |
information can now expand as required, and rather than having a single |
4144 |
static array of bignums, BN_CTX now uses a linked-list of such arrays |
4145 |
allowing it to expand on demand whilst maintaining the usefulness of |
4146 |
BN_CTX's "bundling". |
4147 |
[Geoff Thorpe] |
4148 |
|
4149 |
*) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD |
4150 |
to allow all RSA operations to function using a single BN_CTX. |
4151 |
[Geoff Thorpe] |
4152 |
|
4153 |
*) Preliminary support for certificate policy evaluation and checking. This |
4154 |
is initially intended to pass the tests outlined in "Conformance Testing |
4155 |
of Relying Party Client Certificate Path Processing Logic" v1.07. |
4156 |
[Steve Henson] |
4157 |
|
4158 |
*) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and |
4159 |
remained unused and not that useful. A variety of other little bignum |
4160 |
tweaks and fixes have also been made continuing on from the audit (see |
4161 |
below). |
4162 |
[Geoff Thorpe] |
4163 |
|
4164 |
*) Constify all or almost all d2i, c2i, s2i and r2i functions, along with |
4165 |
associated ASN1, EVP and SSL functions and old ASN1 macros. |
4166 |
[Richard Levitte] |
4167 |
|
4168 |
*) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, |
4169 |
and this should never fail. So the return value from the use of |
4170 |
BN_set_word() (which can fail due to needless expansion) is now deprecated; |
4171 |
if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. |
4172 |
[Geoff Thorpe] |
4173 |
|
4174 |
*) BN_CTX_get() should return zero-valued bignums, providing the same |
4175 |
initialised value as BN_new(). |
4176 |
[Geoff Thorpe, suggested by Ulf Möller] |
4177 |
|
4178 |
*) Support for inhibitAnyPolicy certificate extension. |
4179 |
[Steve Henson] |
4180 |
|
4181 |
*) An audit of the BIGNUM code is underway, for which debugging code is |
4182 |
enabled when BN_DEBUG is defined. This makes stricter enforcements on what |
4183 |
is considered valid when processing BIGNUMs, and causes execution to |
4184 |
assert() when a problem is discovered. If BN_DEBUG_RAND is defined, |
4185 |
further steps are taken to deliberately pollute unused data in BIGNUM |
4186 |
structures to try and expose faulty code further on. For now, openssl will |
4187 |
(in its default mode of operation) continue to tolerate the inconsistent |
4188 |
forms that it has tolerated in the past, but authors and packagers should |
4189 |
consider trying openssl and their own applications when compiled with |
4190 |
these debugging symbols defined. It will help highlight potential bugs in |
4191 |
their own code, and will improve the test coverage for OpenSSL itself. At |
4192 |
some point, these tighter rules will become openssl's default to improve |
4193 |
maintainability, though the assert()s and other overheads will remain only |
4194 |
in debugging configurations. See bn.h for more details. |
4195 |
[Geoff Thorpe, Nils Larsch, Ulf Möller] |
4196 |
|
4197 |
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure |
4198 |
that can only be obtained through BN_CTX_new() (which implicitly |
4199 |
initialises it). The presence of this function only made it possible |
4200 |
to overwrite an existing structure (and cause memory leaks). |
4201 |
[Geoff Thorpe] |
4202 |
|
4203 |
*) Because of the callback-based approach for implementing LHASH as a |
4204 |
template type, lh_insert() adds opaque objects to hash-tables and |
4205 |
lh_doall() or lh_doall_arg() are typically used with a destructor callback |
4206 |
to clean up those corresponding objects before destroying the hash table |
4207 |
(and losing the object pointers). So some over-zealous constifications in |
4208 |
LHASH have been relaxed so that lh_insert() does not take (nor store) the |
4209 |
objects as "const" and the lh_doall[_arg] callback wrappers are not |
4210 |
prototyped to have "const" restrictions on the object pointers they are |
4211 |
given (and so aren't required to cast them away any more). |
4212 |
[Geoff Thorpe] |
4213 |
|
4214 |
*) The tmdiff.h API was so ugly and minimal that our own timing utility |
4215 |
(speed) prefers to use its own implementation. The two implementations |
4216 |
haven't been consolidated as yet (volunteers?) but the tmdiff API has had |
4217 |
its object type properly exposed (MS_TM) instead of casting to/from "char |
4218 |
*". This may still change yet if someone realises MS_TM and "ms_time_***" |
4219 |
aren't necessarily the greatest nomenclatures - but this is what was used |
4220 |
internally to the implementation so I've used that for now. |
4221 |
[Geoff Thorpe] |
4222 |
|
4223 |
*) Ensure that deprecated functions do not get compiled when |
4224 |
OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of |
4225 |
the self-tests were still using deprecated key-generation functions so |
4226 |
these have been updated also. |
4227 |
[Geoff Thorpe] |
4228 |
|
4229 |
*) Reorganise PKCS#7 code to separate the digest location functionality |
4230 |
into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest(). |
4231 |
New function PKCS7_set_digest() to set the digest type for PKCS#7 |
4232 |
digestedData type. Add additional code to correctly generate the |
4233 |
digestedData type and add support for this type in PKCS7 initialization |
4234 |
functions. |
4235 |
[Steve Henson] |
4236 |
|
4237 |
*) New function PKCS7_set0_type_other() this initializes a PKCS7 |
4238 |
structure of type "other". |
4239 |
[Steve Henson] |
4240 |
|
4241 |
*) Fix prime generation loop in crypto/bn/bn_prime.pl by making |
4242 |
sure the loop does correctly stop and breaking ("division by zero") |
4243 |
modulus operations are not performed. The (pre-generated) prime |
4244 |
table crypto/bn/bn_prime.h was already correct, but it could not be |
4245 |
re-generated on some platforms because of the "division by zero" |
4246 |
situation in the script. |
4247 |
[Ralf S. Engelschall] |
4248 |
|
4249 |
*) Update support for ECC-based TLS ciphersuites according to |
4250 |
draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with |
4251 |
SHA-1 now is only used for "small" curves (where the |
4252 |
representation of a field element takes up to 24 bytes); for |
4253 |
larger curves, the field element resulting from ECDH is directly |
4254 |
used as premaster secret. |
4255 |
[Douglas Stebila (Sun Microsystems Laboratories)] |
4256 |
|
4257 |
*) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 |
4258 |
curve secp160r1 to the tests. |
4259 |
[Douglas Stebila (Sun Microsystems Laboratories)] |
4260 |
|
4261 |
*) Add the possibility to load symbols globally with DSO. |
4262 |
[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] |
4263 |
|
4264 |
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better |
4265 |
control of the error stack. |
4266 |
[Richard Levitte] |
4267 |
|
4268 |
*) Add support for STORE in ENGINE. |
4269 |
[Richard Levitte] |
4270 |
|
4271 |
*) Add the STORE type. The intention is to provide a common interface |
4272 |
to certificate and key stores, be they simple file-based stores, or |
4273 |
HSM-type store, or LDAP stores, or... |
4274 |
NOTE: The code is currently UNTESTED and isn't really used anywhere. |
4275 |
[Richard Levitte] |
4276 |
|
4277 |
*) Add a generic structure called OPENSSL_ITEM. This can be used to |
4278 |
pass a list of arguments to any function as well as provide a way |
4279 |
for a function to pass data back to the caller. |
4280 |
[Richard Levitte] |
4281 |
|
4282 |
*) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() |
4283 |
works like BUF_strdup() but can be used to duplicate a portion of |
4284 |
a string. The copy gets NUL-terminated. BUF_memdup() duplicates |
4285 |
a memory area. |
4286 |
[Richard Levitte] |
4287 |
|
4288 |
*) Add the function sk_find_ex() which works like sk_find(), but will |
4289 |
return an index to an element even if an exact match couldn't be |
4290 |
found. The index is guaranteed to point at the element where the |
4291 |
searched-for key would be inserted to preserve sorting order. |
4292 |
[Richard Levitte] |
4293 |
|
4294 |
*) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but |
4295 |
takes an extra flags argument for optional functionality. Currently, |
4296 |
the following flags are defined: |
4297 |
|
4298 |
OBJ_BSEARCH_VALUE_ON_NOMATCH |
4299 |
This one gets OBJ_bsearch_ex() to return a pointer to the first |
4300 |
element where the comparing function returns a negative or zero |
4301 |
number. |
4302 |
|
4303 |
OBJ_BSEARCH_FIRST_VALUE_ON_MATCH |
4304 |
This one gets OBJ_bsearch_ex() to return a pointer to the first |
4305 |
element where the comparing function returns zero. This is useful |
4306 |
if there are more than one element where the comparing function |
4307 |
returns zero. |
4308 |
[Richard Levitte] |
4309 |
|
4310 |
*) Make it possible to create self-signed certificates with 'openssl ca' |
4311 |
in such a way that the self-signed certificate becomes part of the |
4312 |
CA database and uses the same mechanisms for serial number generation |
4313 |
as all other certificate signing. The new flag '-selfsign' enables |
4314 |
this functionality. Adapt CA.sh and CA.pl.in. |
4315 |
[Richard Levitte] |
4316 |
|
4317 |
*) Add functionality to check the public key of a certificate request |
4318 |
against a given private. This is useful to check that a certificate |
4319 |
request can be signed by that key (self-signing). |
4320 |
[Richard Levitte] |
4321 |
|
4322 |
*) Make it possible to have multiple active certificates with the same |
4323 |
subject in the CA index file. This is done only if the keyword |
4324 |
'unique_subject' is set to 'no' in the main CA section (default |
4325 |
if 'CA_default') of the configuration file. The value is saved |
4326 |
with the database itself in a separate index attribute file, |
4327 |
named like the index file with '.attr' appended to the name. |
4328 |
[Richard Levitte] |
4329 |
|
4330 |
*) Generate muti valued AVAs using '+' notation in config files for |
4331 |
req and dirName. |
4332 |
[Steve Henson] |
4333 |
|
4334 |
*) Support for nameConstraints certificate extension. |
4335 |
[Steve Henson] |
4336 |
|
4337 |
*) Support for policyConstraints certificate extension. |
4338 |
[Steve Henson] |
4339 |
|
4340 |
*) Support for policyMappings certificate extension. |
4341 |
[Steve Henson] |
4342 |
|
4343 |
*) Make sure the default DSA_METHOD implementation only uses its |
4344 |
dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, |
4345 |
and change its own handlers to be NULL so as to remove unnecessary |
4346 |
indirection. This lets alternative implementations fallback to the |
4347 |
default implementation more easily. |
4348 |
[Geoff Thorpe] |
4349 |
|
4350 |
*) Support for directoryName in GeneralName related extensions |
4351 |
in config files. |
4352 |
[Steve Henson] |
4353 |
|
4354 |
*) Make it possible to link applications using Makefile.shared. |
4355 |
Make that possible even when linking against static libraries! |
4356 |
[Richard Levitte] |
4357 |
|
4358 |
*) Support for single pass processing for S/MIME signing. This now |
4359 |
means that S/MIME signing can be done from a pipe, in addition |
4360 |
cleartext signing (multipart/signed type) is effectively streaming |
4361 |
and the signed data does not need to be all held in memory. |
4362 |
|
4363 |
This is done with a new flag PKCS7_STREAM. When this flag is set |
4364 |
PKCS7_sign() only initializes the PKCS7 structure and the actual signing |
4365 |
is done after the data is output (and digests calculated) in |
4366 |
SMIME_write_PKCS7(). |
4367 |
[Steve Henson] |
4368 |
|
4369 |
*) Add full support for -rpath/-R, both in shared libraries and |
4370 |
applications, at least on the platforms where it's known how |
4371 |
to do it. |
4372 |
[Richard Levitte] |
4373 |
|
4374 |
*) In crypto/ec/ec_mult.c, implement fast point multiplication with |
4375 |
precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() |
4376 |
will now compute a table of multiples of the generator that |
4377 |
makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() |
4378 |
faster (notably in the case of a single point multiplication, |
4379 |
scalar * generator). |
4380 |
[Nils Larsch, Bodo Moeller] |
4381 |
|
4382 |
*) IPv6 support for certificate extensions. The various extensions |
4383 |
which use the IP:a.b.c.d can now take IPv6 addresses using the |
4384 |
formats of RFC1884 2.2 . IPv6 addresses are now also displayed |
4385 |
correctly. |
4386 |
[Steve Henson] |
4387 |
|
4388 |
*) Added an ENGINE that implements RSA by performing private key |
4389 |
exponentiations with the GMP library. The conversions to and from |
4390 |
GMP's mpz_t format aren't optimised nor are any montgomery forms |
4391 |
cached, and on x86 it appears OpenSSL's own performance has caught up. |
4392 |
However there are likely to be other architectures where GMP could |
4393 |
provide a boost. This ENGINE is not built in by default, but it can be |
4394 |
specified at Configure time and should be accompanied by the necessary |
4395 |
linker additions, eg; |
4396 |
./config -DOPENSSL_USE_GMP -lgmp |
4397 |
[Geoff Thorpe] |
4398 |
|
4399 |
*) "openssl engine" will not display ENGINE/DSO load failure errors when |
4400 |
testing availability of engines with "-t" - the old behaviour is |
4401 |
produced by increasing the feature's verbosity with "-tt". |
4402 |
[Geoff Thorpe] |
4403 |
|
4404 |
*) ECDSA routines: under certain error conditions uninitialized BN objects |
4405 |
could be freed. Solution: make sure initialization is performed early |
4406 |
enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de> |
4407 |
via PR#459) |
4408 |
[Lutz Jaenicke] |
4409 |
|
4410 |
*) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD |
4411 |
and DH_METHOD (eg. by ENGINE implementations) to override the normal |
4412 |
software implementations. For DSA and DH, parameter generation can |
4413 |
also be overriden by providing the appropriate method callbacks. |
4414 |
[Geoff Thorpe] |
4415 |
|
4416 |
*) Change the "progress" mechanism used in key-generation and |
4417 |
primality testing to functions that take a new BN_GENCB pointer in |
4418 |
place of callback/argument pairs. The new API functions have "_ex" |
4419 |
postfixes and the older functions are reimplemented as wrappers for |
4420 |
the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide |
4421 |
declarations of the old functions to help (graceful) attempts to |
4422 |
migrate to the new functions. Also, the new key-generation API |
4423 |
functions operate on a caller-supplied key-structure and return |
4424 |
success/failure rather than returning a key or NULL - this is to |
4425 |
help make "keygen" another member function of RSA_METHOD etc. |
4426 |
|
4427 |
Example for using the new callback interface: |
4428 |
|
4429 |
int (*my_callback)(int a, int b, BN_GENCB *cb) = ...; |
4430 |
void *my_arg = ...; |
4431 |
BN_GENCB my_cb; |
4432 |
|
4433 |
BN_GENCB_set(&my_cb, my_callback, my_arg); |
4434 |
|
4435 |
return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb); |
4436 |
/* For the meaning of a, b in calls to my_callback(), see the |
4437 |
* documentation of the function that calls the callback. |
4438 |
* cb will point to my_cb; my_arg can be retrieved as cb->arg. |
4439 |
* my_callback should return 1 if it wants BN_is_prime_ex() |
4440 |
* to continue, or 0 to stop. |
4441 |
*/ |
4442 |
|
4443 |
[Geoff Thorpe] |
4444 |
|
4445 |
*) Change the ZLIB compression method to be stateful, and make it |
4446 |
available to TLS with the number defined in |
4447 |
draft-ietf-tls-compression-04.txt. |
4448 |
[Richard Levitte] |
4449 |
|
4450 |
*) Add the ASN.1 structures and functions for CertificatePair, which |
4451 |
is defined as follows (according to X.509_4thEditionDraftV6.pdf): |
4452 |
|
4453 |
CertificatePair ::= SEQUENCE { |
4454 |
forward [0] Certificate OPTIONAL, |
4455 |
reverse [1] Certificate OPTIONAL, |
4456 |
-- at least one of the pair shall be present -- } |
4457 |
|
4458 |
Also implement the PEM functions to read and write certificate |
4459 |
pairs, and defined the PEM tag as "CERTIFICATE PAIR". |
4460 |
|
4461 |
This needed to be defined, mostly for the sake of the LDAP |
4462 |
attribute crossCertificatePair, but may prove useful elsewhere as |
4463 |
well. |
4464 |
[Richard Levitte] |
4465 |
|
4466 |
*) Make it possible to inhibit symlinking of shared libraries in |
4467 |
Makefile.shared, for Cygwin's sake. |
4468 |
[Richard Levitte] |
4469 |
|
4470 |
*) Extend the BIGNUM API by creating a function |
4471 |
void BN_set_negative(BIGNUM *a, int neg); |
4472 |
and a macro that behave like |
4473 |
int BN_is_negative(const BIGNUM *a); |
4474 |
|
4475 |
to avoid the need to access 'a->neg' directly in applications. |
4476 |
[Nils Larsch] |
4477 |
|
4478 |
*) Implement fast modular reduction for pseudo-Mersenne primes |
4479 |
used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). |
4480 |
EC_GROUP_new_curve_GFp() will now automatically use this |
4481 |
if applicable. |
4482 |
[Nils Larsch <nla@trustcenter.de>] |
4483 |
|
4484 |
*) Add new lock type (CRYPTO_LOCK_BN). |
4485 |
[Bodo Moeller] |
4486 |
|
4487 |
*) Change the ENGINE framework to automatically load engines |
4488 |
dynamically from specific directories unless they could be |
4489 |
found to already be built in or loaded. Move all the |
4490 |
current engines except for the cryptodev one to a new |
4491 |
directory engines/. |
4492 |
The engines in engines/ are built as shared libraries if |
4493 |
the "shared" options was given to ./Configure or ./config. |
4494 |
Otherwise, they are inserted in libcrypto.a. |
4495 |
/usr/local/ssl/engines is the default directory for dynamic |
4496 |
engines, but that can be overriden at configure time through |
4497 |
the usual use of --prefix and/or --openssldir, and at run |
4498 |
time with the environment variable OPENSSL_ENGINES. |
4499 |
[Geoff Thorpe and Richard Levitte] |
4500 |
|
4501 |
*) Add Makefile.shared, a helper makefile to build shared |
4502 |
libraries. Addapt Makefile.org. |
4503 |
[Richard Levitte] |
4504 |
|
4505 |
*) Add version info to Win32 DLLs. |
4506 |
[Peter 'Luna' Runestig" <peter@runestig.com>] |
4507 |
|
4508 |
*) Add new 'medium level' PKCS#12 API. Certificates and keys |
4509 |
can be added using this API to created arbitrary PKCS#12 |
4510 |
files while avoiding the low level API. |
4511 |
|
4512 |
New options to PKCS12_create(), key or cert can be NULL and |
4513 |
will then be omitted from the output file. The encryption |
4514 |
algorithm NIDs can be set to -1 for no encryption, the mac |
4515 |
iteration count can be set to 0 to omit the mac. |
4516 |
|
4517 |
Enhance pkcs12 utility by making the -nokeys and -nocerts |
4518 |
options work when creating a PKCS#12 file. New option -nomac |
4519 |
to omit the mac, NONE can be set for an encryption algorithm. |
4520 |
New code is modified to use the enhanced PKCS12_create() |
4521 |
instead of the low level API. |
4522 |
[Steve Henson] |
4523 |
|
4524 |
*) Extend ASN1 encoder to support indefinite length constructed |
4525 |
encoding. This can output sequences tags and octet strings in |
4526 |
this form. Modify pk7_asn1.c to support indefinite length |
4527 |
encoding. This is experimental and needs additional code to |
4528 |
be useful, such as an ASN1 bio and some enhanced streaming |
4529 |
PKCS#7 code. |
4530 |
|
4531 |
Extend template encode functionality so that tagging is passed |
4532 |
down to the template encoder. |
4533 |
[Steve Henson] |
4534 |
|
4535 |
*) Let 'openssl req' fail if an argument to '-newkey' is not |
4536 |
recognized instead of using RSA as a default. |
4537 |
[Bodo Moeller] |
4538 |
|
4539 |
*) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. |
4540 |
As these are not official, they are not included in "ALL"; |
4541 |
the "ECCdraft" ciphersuite group alias can be used to select them. |
4542 |
[Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] |
4543 |
|
4544 |
*) Add ECDH engine support. |
4545 |
[Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] |
4546 |
|
4547 |
*) Add ECDH in new directory crypto/ecdh/. |
4548 |
[Douglas Stebila (Sun Microsystems Laboratories)] |
4549 |
|
4550 |
*) Let BN_rand_range() abort with an error after 100 iterations |
4551 |
without success (which indicates a broken PRNG). |
4552 |
[Bodo Moeller] |
4553 |
|
4554 |
*) Change BN_mod_sqrt() so that it verifies that the input value |
4555 |
is really the square of the return value. (Previously, |
4556 |
BN_mod_sqrt would show GIGO behaviour.) |
4557 |
[Bodo Moeller] |
4558 |
|
4559 |
*) Add named elliptic curves over binary fields from X9.62, SECG, |
4560 |
and WAP/WTLS; add OIDs that were still missing. |
4561 |
|
4562 |
[Sheueling Chang Shantz and Douglas Stebila |
4563 |
(Sun Microsystems Laboratories)] |
4564 |
|
4565 |
*) Extend the EC library for elliptic curves over binary fields |
4566 |
(new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). |
4567 |
New EC_METHOD: |
4568 |
|
4569 |
EC_GF2m_simple_method |
4570 |
|
4571 |
New API functions: |
4572 |
|
4573 |
EC_GROUP_new_curve_GF2m |
4574 |
EC_GROUP_set_curve_GF2m |
4575 |
EC_GROUP_get_curve_GF2m |
4576 |
EC_POINT_set_affine_coordinates_GF2m |
4577 |
EC_POINT_get_affine_coordinates_GF2m |
4578 |
EC_POINT_set_compressed_coordinates_GF2m |
4579 |
|
4580 |
Point compression for binary fields is disabled by default for |
4581 |
patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to |
4582 |
enable it). |
4583 |
|
4584 |
As binary polynomials are represented as BIGNUMs, various members |
4585 |
of the EC_GROUP and EC_POINT data structures can be shared |
4586 |
between the implementations for prime fields and binary fields; |
4587 |
the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) |
4588 |
are essentially identical to their ..._GFp counterparts. |
4589 |
(For simplicity, the '..._GFp' prefix has been dropped from |
4590 |
various internal method names.) |
4591 |
|
4592 |
An internal 'field_div' method (similar to 'field_mul' and |
4593 |
'field_sqr') has been added; this is used only for binary fields. |
4594 |
|
4595 |
[Sheueling Chang Shantz and Douglas Stebila |
4596 |
(Sun Microsystems Laboratories)] |
4597 |
|
4598 |
*) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() |
4599 |
through methods ('mul', 'precompute_mult'). |
4600 |
|
4601 |
The generic implementations (now internally called 'ec_wNAF_mul' |
4602 |
and 'ec_wNAF_precomputed_mult') remain the default if these |
4603 |
methods are undefined. |
4604 |
|
4605 |
[Sheueling Chang Shantz and Douglas Stebila |
4606 |
(Sun Microsystems Laboratories)] |
4607 |
|
4608 |
*) New function EC_GROUP_get_degree, which is defined through |
4609 |
EC_METHOD. For curves over prime fields, this returns the bit |
4610 |
length of the modulus. |
4611 |
|
4612 |
[Sheueling Chang Shantz and Douglas Stebila |
4613 |
(Sun Microsystems Laboratories)] |
4614 |
|
4615 |
*) New functions EC_GROUP_dup, EC_POINT_dup. |
4616 |
(These simply call ..._new and ..._copy). |
4617 |
|
4618 |
[Sheueling Chang Shantz and Douglas Stebila |
4619 |
(Sun Microsystems Laboratories)] |
4620 |
|
4621 |
*) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. |
4622 |
Polynomials are represented as BIGNUMs (where the sign bit is not |
4623 |
used) in the following functions [macros]: |
4624 |
|
4625 |
BN_GF2m_add |
4626 |
BN_GF2m_sub [= BN_GF2m_add] |
4627 |
BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] |
4628 |
BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] |
4629 |
BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] |
4630 |
BN_GF2m_mod_inv |
4631 |
BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] |
4632 |
BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] |
4633 |
BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] |
4634 |
BN_GF2m_cmp [= BN_ucmp] |
4635 |
|
4636 |
(Note that only the 'mod' functions are actually for fields GF(2^m). |
4637 |
BN_GF2m_add() is misnomer, but this is for the sake of consistency.) |
4638 |
|
4639 |
For some functions, an the irreducible polynomial defining a |
4640 |
field can be given as an 'unsigned int[]' with strictly |
4641 |
decreasing elements giving the indices of those bits that are set; |
4642 |
i.e., p[] represents the polynomial |
4643 |
f(t) = t^p[0] + t^p[1] + ... + t^p[k] |
4644 |
where |
4645 |
p[0] > p[1] > ... > p[k] = 0. |
4646 |
This applies to the following functions: |
4647 |
|
4648 |
BN_GF2m_mod_arr |
4649 |
BN_GF2m_mod_mul_arr |
4650 |
BN_GF2m_mod_sqr_arr |
4651 |
BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] |
4652 |
BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] |
4653 |
BN_GF2m_mod_exp_arr |
4654 |
BN_GF2m_mod_sqrt_arr |
4655 |
BN_GF2m_mod_solve_quad_arr |
4656 |
BN_GF2m_poly2arr |
4657 |
BN_GF2m_arr2poly |
4658 |
|
4659 |
Conversion can be performed by the following functions: |
4660 |
|
4661 |
BN_GF2m_poly2arr |
4662 |
BN_GF2m_arr2poly |
4663 |
|
4664 |
bntest.c has additional tests for binary polynomial arithmetic. |
4665 |
|
4666 |
Two implementations for BN_GF2m_mod_div() are available. |
4667 |
The default algorithm simply uses BN_GF2m_mod_inv() and |
4668 |
BN_GF2m_mod_mul(). The alternative algorithm is compiled in only |
4669 |
if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the |
4670 |
copyright notice in crypto/bn/bn_gf2m.c before enabling it). |
4671 |
|
4672 |
[Sheueling Chang Shantz and Douglas Stebila |
4673 |
(Sun Microsystems Laboratories)] |
4674 |
|
4675 |
*) Add new error code 'ERR_R_DISABLED' that can be used when some |
4676 |
functionality is disabled at compile-time. |
4677 |
[Douglas Stebila <douglas.stebila@sun.com>] |
4678 |
|
4679 |
*) Change default behaviour of 'openssl asn1parse' so that more |
4680 |
information is visible when viewing, e.g., a certificate: |
4681 |
|
4682 |
Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' |
4683 |
mode the content of non-printable OCTET STRINGs is output in a |
4684 |
style similar to INTEGERs, but with '[HEX DUMP]' prepended to |
4685 |
avoid the appearance of a printable string. |
4686 |
[Nils Larsch <nla@trustcenter.de>] |
4687 |
|
4688 |
*) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access |
4689 |
functions |
4690 |
EC_GROUP_set_asn1_flag() |
4691 |
EC_GROUP_get_asn1_flag() |
4692 |
EC_GROUP_set_point_conversion_form() |
4693 |
EC_GROUP_get_point_conversion_form() |
4694 |
These control ASN1 encoding details: |
4695 |
- Curves (i.e., groups) are encoded explicitly unless asn1_flag |
4696 |
has been set to OPENSSL_EC_NAMED_CURVE. |
4697 |
- Points are encoded in uncompressed form by default; options for |
4698 |
asn1_for are as for point2oct, namely |
4699 |
POINT_CONVERSION_COMPRESSED |
4700 |
POINT_CONVERSION_UNCOMPRESSED |
4701 |
POINT_CONVERSION_HYBRID |
4702 |
|
4703 |
Also add 'seed' and 'seed_len' members to EC_GROUP with access |
4704 |
functions |
4705 |
EC_GROUP_set_seed() |
4706 |
EC_GROUP_get0_seed() |
4707 |
EC_GROUP_get_seed_len() |
4708 |
This is used only for ASN1 purposes (so far). |
4709 |
[Nils Larsch <nla@trustcenter.de>] |
4710 |
|
4711 |
*) Add 'field_type' member to EC_METHOD, which holds the NID |
4712 |
of the appropriate field type OID. The new function |
4713 |
EC_METHOD_get_field_type() returns this value. |
4714 |
[Nils Larsch <nla@trustcenter.de>] |
4715 |
|
4716 |
*) Add functions |
4717 |
EC_POINT_point2bn() |
4718 |
EC_POINT_bn2point() |
4719 |
EC_POINT_point2hex() |
4720 |
EC_POINT_hex2point() |
4721 |
providing useful interfaces to EC_POINT_point2oct() and |
4722 |
EC_POINT_oct2point(). |
4723 |
[Nils Larsch <nla@trustcenter.de>] |
4724 |
|
4725 |
*) Change internals of the EC library so that the functions |
4726 |
EC_GROUP_set_generator() |
4727 |
EC_GROUP_get_generator() |
4728 |
EC_GROUP_get_order() |
4729 |
EC_GROUP_get_cofactor() |
4730 |
are implemented directly in crypto/ec/ec_lib.c and not dispatched |
4731 |
to methods, which would lead to unnecessary code duplication when |
4732 |
adding different types of curves. |
4733 |
[Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller] |
4734 |
|
4735 |
*) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM |
4736 |
arithmetic, and such that modified wNAFs are generated |
4737 |
(which avoid length expansion in many cases). |
4738 |
[Bodo Moeller] |
4739 |
|
4740 |
*) Add a function EC_GROUP_check_discriminant() (defined via |
4741 |
EC_METHOD) that verifies that the curve discriminant is non-zero. |
4742 |
|
4743 |
Add a function EC_GROUP_check() that makes some sanity tests |
4744 |
on a EC_GROUP, its generator and order. This includes |
4745 |
EC_GROUP_check_discriminant(). |
4746 |
[Nils Larsch <nla@trustcenter.de>] |
4747 |
|
4748 |
*) Add ECDSA in new directory crypto/ecdsa/. |
4749 |
|
4750 |
Add applications 'openssl ecparam' and 'openssl ecdsa' |
4751 |
(these are based on 'openssl dsaparam' and 'openssl dsa'). |
4752 |
|
4753 |
ECDSA support is also included in various other files across the |
4754 |
library. Most notably, |
4755 |
- 'openssl req' now has a '-newkey ecdsa:file' option; |
4756 |
- EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; |
4757 |
- X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and |
4758 |
d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make |
4759 |
them suitable for ECDSA where domain parameters must be |
4760 |
extracted before the specific public key; |
4761 |
- ECDSA engine support has been added. |
4762 |
[Nils Larsch <nla@trustcenter.de>] |
4763 |
|
4764 |
*) Include some named elliptic curves, and add OIDs from X9.62, |
4765 |
SECG, and WAP/WTLS. Each curve can be obtained from the new |
4766 |
function |
4767 |
EC_GROUP_new_by_curve_name(), |
4768 |
and the list of available named curves can be obtained with |
4769 |
EC_get_builtin_curves(). |
4770 |
Also add a 'curve_name' member to EC_GROUP objects, which can be |
4771 |
accessed via |
4772 |
EC_GROUP_set_curve_name() |
4773 |
EC_GROUP_get_curve_name() |
4774 |
[Nils Larsch <larsch@trustcenter.de, Bodo Moeller] |
4775 |
|
4776 |
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there |
4777 |
was actually never needed) and in BN_mul(). The removal in BN_mul() |
4778 |
required a small change in bn_mul_part_recursive() and the addition |
4779 |
of the functions bn_cmp_part_words(), bn_sub_part_words() and |
4780 |
bn_add_part_words(), which do the same thing as bn_cmp_words(), |
4781 |
bn_sub_words() and bn_add_words() except they take arrays with |
4782 |
differing sizes. |
4783 |
[Richard Levitte] |
4784 |
|
4785 |
Changes between 0.9.7l and 0.9.7m [23 Feb 2007] |
4786 |
|
4787 |
*) Cleanse PEM buffers before freeing them since they may contain |
4788 |
sensitive data. |
4789 |
[Benjamin Bennett <ben@psc.edu>] |
4790 |
|
4791 |
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
4792 |
a ciphersuite string such as "DEFAULT:RSA" cannot enable |
4793 |
authentication-only ciphersuites. |
4794 |
[Bodo Moeller] |
4795 |
|
4796 |
*) Since AES128 and AES256 share a single mask bit in the logic of |
4797 |
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a |
4798 |
kludge to work properly if AES128 is available and AES256 isn't. |
4799 |
[Victor Duchovni] |
4800 |
|
4801 |
*) Expand security boundary to match 1.1.1 module. |
4802 |
[Steve Henson] |
4803 |
|
4804 |
*) Remove redundant features: hash file source, editing of test vectors |
4805 |
modify fipsld to use external fips_premain.c signature. |
4806 |
[Steve Henson] |
4807 |
|
4808 |
*) New perl script mkfipsscr.pl to create shell scripts or batch files to |
4809 |
run algorithm test programs. |
4810 |
[Steve Henson] |
4811 |
|
4812 |
*) Make algorithm test programs more tolerant of whitespace. |
4813 |
[Steve Henson] |
4814 |
|
4815 |
*) Have SSL/TLS server implementation tolerate "mismatched" record |
4816 |
protocol version while receiving ClientHello even if the |
4817 |
ClientHello is fragmented. (The server can't insist on the |
4818 |
particular protocol version it has chosen before the ServerHello |
4819 |
message has informed the client about his choice.) |
4820 |
[Bodo Moeller] |
4821 |
|
4822 |
*) Load error codes if they are not already present instead of using a |
4823 |
static variable. This allows them to be cleanly unloaded and reloaded. |
4824 |
[Steve Henson] |
4825 |
|
4826 |
Changes between 0.9.7k and 0.9.7l [28 Sep 2006] |
4827 |
|
4828 |
*) Introduce limits to prevent malicious keys being able to |
4829 |
cause a denial of service. (CVE-2006-2940) |
4830 |
[Steve Henson, Bodo Moeller] |
4831 |
|
4832 |
*) Fix ASN.1 parsing of certain invalid structures that can result |
4833 |
in a denial of service. (CVE-2006-2937) [Steve Henson] |
4834 |
|
4835 |
*) Fix buffer overflow in SSL_get_shared_ciphers() function. |
4836 |
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] |
4837 |
|
4838 |
*) Fix SSL client code which could crash if connecting to a |
4839 |
malicious SSLv2 server. (CVE-2006-4343) |
4840 |
[Tavis Ormandy and Will Drewry, Google Security Team] |
4841 |
|
4842 |
*) Change ciphersuite string processing so that an explicit |
4843 |
ciphersuite selects this one ciphersuite (so that "AES256-SHA" |
4844 |
will no longer include "AES128-SHA"), and any other similar |
4845 |
ciphersuite (same bitmap) from *other* protocol versions (so that |
4846 |
"RC4-MD5" will still include both the SSL 2.0 ciphersuite and the |
4847 |
SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining |
4848 |
changes from 0.9.8b and 0.9.8d. |
4849 |
[Bodo Moeller] |
4850 |
|
4851 |
Changes between 0.9.7j and 0.9.7k [05 Sep 2006] |
4852 |
|
4853 |
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
4854 |
(CVE-2006-4339) [Ben Laurie and Google Security Team] |
4855 |
|
4856 |
*) Change the Unix randomness entropy gathering to use poll() when |
4857 |
possible instead of select(), since the latter has some |
4858 |
undesirable limitations. |
4859 |
[Darryl Miles via Richard Levitte and Bodo Moeller] |
4860 |
|
4861 |
*) Disable rogue ciphersuites: |
4862 |
|
4863 |
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") |
4864 |
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") |
4865 |
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") |
4866 |
|
4867 |
The latter two were purportedly from |
4868 |
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really |
4869 |
appear there. |
4870 |
|
4871 |
Also deactive the remaining ciphersuites from |
4872 |
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
4873 |
unofficial, and the ID has long expired. |
4874 |
[Bodo Moeller] |
4875 |
|
4876 |
*) Fix RSA blinding Heisenbug (problems sometimes occured on |
4877 |
dual-core machines) and other potential thread-safety issues. |
4878 |
[Bodo Moeller] |
4879 |
|
4880 |
Changes between 0.9.7i and 0.9.7j [04 May 2006] |
4881 |
|
4882 |
*) Adapt fipsld and the build system to link against the validated FIPS |
4883 |
module in FIPS mode. |
4884 |
[Steve Henson] |
4885 |
|
4886 |
*) Fixes for VC++ 2005 build under Windows. |
4887 |
[Steve Henson] |
4888 |
|
4889 |
*) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make |
4890 |
from a Windows bash shell such as MSYS. It is autodetected from the |
4891 |
"config" script when run from a VC++ environment. Modify standard VC++ |
4892 |
build to use fipscanister.o from the GNU make build. |
4893 |
[Steve Henson] |
4894 |
|
4895 |
Changes between 0.9.7h and 0.9.7i [14 Oct 2005] |
4896 |
|
4897 |
*) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. |
4898 |
The value now differs depending on if you build for FIPS or not. |
4899 |
BEWARE! A program linked with a shared FIPSed libcrypto can't be |
4900 |
safely run with a non-FIPSed libcrypto, as it may crash because of |
4901 |
the difference induced by this change. |
4902 |
[Andy Polyakov] |
4903 |
|
4904 |
Changes between 0.9.7g and 0.9.7h [11 Oct 2005] |
4905 |
|
4906 |
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING |
4907 |
(part of SSL_OP_ALL). This option used to disable the |
4908 |
countermeasure against man-in-the-middle protocol-version |
4909 |
rollback in the SSL 2.0 server implementation, which is a bad |
4910 |
idea. (CVE-2005-2969) |
4911 |
|
4912 |
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center |
4913 |
for Information Security, National Institute of Advanced Industrial |
4914 |
Science and Technology [AIST], Japan)] |
4915 |
|
4916 |
*) Minimal support for X9.31 signatures and PSS padding modes. This is |
4917 |
mainly for FIPS compliance and not fully integrated at this stage. |
4918 |
[Steve Henson] |
4919 |
|
4920 |
*) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform |
4921 |
the exponentiation using a fixed-length exponent. (Otherwise, |
4922 |
the information leaked through timing could expose the secret key |
4923 |
after many signatures; cf. Bleichenbacher's attack on DSA with |
4924 |
biased k.) |
4925 |
[Bodo Moeller] |
4926 |
|
4927 |
*) Make a new fixed-window mod_exp implementation the default for |
4928 |
RSA, DSA, and DH private-key operations so that the sequence of |
4929 |
squares and multiplies and the memory access pattern are |
4930 |
independent of the particular secret key. This will mitigate |
4931 |
cache-timing and potential related attacks. |
4932 |
|
4933 |
BN_mod_exp_mont_consttime() is the new exponentiation implementation, |
4934 |
and this is automatically used by BN_mod_exp_mont() if the new flag |
4935 |
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH |
4936 |
will use this BN flag for private exponents unless the flag |
4937 |
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or |
4938 |
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. |
4939 |
|
4940 |
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] |
4941 |
|
4942 |
*) Change the client implementation for SSLv23_method() and |
4943 |
SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 |
4944 |
Client Hello message format if the SSL_OP_NO_SSLv2 option is set. |
4945 |
(Previously, the SSL 2.0 backwards compatible Client Hello |
4946 |
message format would be used even with SSL_OP_NO_SSLv2.) |
4947 |
[Bodo Moeller] |
4948 |
|
4949 |
*) Add support for smime-type MIME parameter in S/MIME messages which some |
4950 |
clients need. |
4951 |
[Steve Henson] |
4952 |
|
4953 |
*) New function BN_MONT_CTX_set_locked() to set montgomery parameters in |
4954 |
a threadsafe manner. Modify rsa code to use new function and add calls |
4955 |
to dsa and dh code (which had race conditions before). |
4956 |
[Steve Henson] |
4957 |
|
4958 |
*) Include the fixed error library code in the C error file definitions |
4959 |
instead of fixing them up at runtime. This keeps the error code |
4960 |
structures constant. |
4961 |
[Steve Henson] |
4962 |
|
4963 |
Changes between 0.9.7f and 0.9.7g [11 Apr 2005] |
4964 |
|
4965 |
[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after |
4966 |
OpenSSL 0.9.8.] |
4967 |
|
4968 |
*) Fixes for newer kerberos headers. NB: the casts are needed because |
4969 |
the 'length' field is signed on one version and unsigned on another |
4970 |
with no (?) obvious way to tell the difference, without these VC++ |
4971 |
complains. Also the "definition" of FAR (blank) is no longer included |
4972 |
nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up |
4973 |
some needed definitions. |
4974 |
[Steve Henson] |
4975 |
|
4976 |
*) Undo Cygwin change. |
4977 |
[Ulf Möller] |
4978 |
|
4979 |
*) Added support for proxy certificates according to RFC 3820. |
4980 |
Because they may be a security thread to unaware applications, |
4981 |
they must be explicitely allowed in run-time. See |
4982 |
docs/HOWTO/proxy_certificates.txt for further information. |
4983 |
[Richard Levitte] |
4984 |
|
4985 |
Changes between 0.9.7e and 0.9.7f [22 Mar 2005] |
4986 |
|
4987 |
*) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating |
4988 |
server and client random values. Previously |
4989 |
(SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in |
4990 |
less random data when sizeof(time_t) > 4 (some 64 bit platforms). |
4991 |
|
4992 |
This change has negligible security impact because: |
4993 |
|
4994 |
1. Server and client random values still have 24 bytes of pseudo random |
4995 |
data. |
4996 |
|
4997 |
2. Server and client random values are sent in the clear in the initial |
4998 |
handshake. |
4999 |
|
5000 |
3. The master secret is derived using the premaster secret (48 bytes in |
5001 |
size for static RSA ciphersuites) as well as client server and random |
5002 |
values. |
5003 |
|
5004 |
The OpenSSL team would like to thank the UK NISCC for bringing this issue |
5005 |
to our attention. |
5006 |
|
5007 |
[Stephen Henson, reported by UK NISCC] |
5008 |
|
5009 |
*) Use Windows randomness collection on Cygwin. |
5010 |
[Ulf Möller] |
5011 |
|
5012 |
*) Fix hang in EGD/PRNGD query when communication socket is closed |
5013 |
prematurely by EGD/PRNGD. |
5014 |
[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014] |
5015 |
|
5016 |
*) Prompt for pass phrases when appropriate for PKCS12 input format. |
5017 |
[Steve Henson] |
5018 |
|
5019 |
*) Back-port of selected performance improvements from development |
5020 |
branch, as well as improved support for PowerPC platforms. |
5021 |
[Andy Polyakov] |
5022 |
|
5023 |
*) Add lots of checks for memory allocation failure, error codes to indicate |
5024 |
failure and freeing up memory if a failure occurs. |
5025 |
[Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson] |
5026 |
|
5027 |
*) Add new -passin argument to dgst. |
5028 |
[Steve Henson] |
5029 |
|
5030 |
*) Perform some character comparisons of different types in X509_NAME_cmp: |
5031 |
this is needed for some certificates that reencode DNs into UTF8Strings |
5032 |
(in violation of RFC3280) and can't or wont issue name rollover |
5033 |
certificates. |
5034 |
[Steve Henson] |
5035 |
|
5036 |
*) Make an explicit check during certificate validation to see that |
5037 |
the CA setting in each certificate on the chain is correct. As a |
5038 |
side effect always do the following basic checks on extensions, |
5039 |
not just when there's an associated purpose to the check: |
5040 |
|
5041 |
- if there is an unhandled critical extension (unless the user |
5042 |
has chosen to ignore this fault) |
5043 |
- if the path length has been exceeded (if one is set at all) |
5044 |
- that certain extensions fit the associated purpose (if one has |
5045 |
been given) |
5046 |
[Richard Levitte] |
5047 |
|
5048 |
Changes between 0.9.7d and 0.9.7e [25 Oct 2004] |
5049 |
|
5050 |
*) Avoid a race condition when CRLs are checked in a multi threaded |
5051 |
environment. This would happen due to the reordering of the revoked |
5052 |
entries during signature checking and serial number lookup. Now the |
5053 |
encoding is cached and the serial number sort performed under a lock. |
5054 |
Add new STACK function sk_is_sorted(). |
5055 |
[Steve Henson] |
5056 |
|
5057 |
*) Add Delta CRL to the extension code. |
5058 |
[Steve Henson] |
5059 |
|
5060 |
*) Various fixes to s3_pkt.c so alerts are sent properly. |
5061 |
[David Holmes <d.holmes@f5.com>] |
5062 |
|
5063 |
*) Reduce the chances of duplicate issuer name and serial numbers (in |
5064 |
violation of RFC3280) using the OpenSSL certificate creation utilities. |
5065 |
This is done by creating a random 64 bit value for the initial serial |
5066 |
number when a serial number file is created or when a self signed |
5067 |
certificate is created using 'openssl req -x509'. The initial serial |
5068 |
number file is created using 'openssl x509 -next_serial' in CA.pl |
5069 |
rather than being initialized to 1. |
5070 |
[Steve Henson] |
5071 |
|
5072 |
Changes between 0.9.7c and 0.9.7d [17 Mar 2004] |
5073 |
|
5074 |
*) Fix null-pointer assignment in do_change_cipher_spec() revealed |
5075 |
by using the Codenomicon TLS Test Tool (CVE-2004-0079) |
5076 |
[Joe Orton, Steve Henson] |
5077 |
|
5078 |
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites |
5079 |
(CVE-2004-0112) |
5080 |
[Joe Orton, Steve Henson] |
5081 |
|
5082 |
*) Make it possible to have multiple active certificates with the same |
5083 |
subject in the CA index file. This is done only if the keyword |
5084 |
'unique_subject' is set to 'no' in the main CA section (default |
5085 |
if 'CA_default') of the configuration file. The value is saved |
5086 |
with the database itself in a separate index attribute file, |
5087 |
named like the index file with '.attr' appended to the name. |
5088 |
[Richard Levitte] |
5089 |
|
5090 |
*) X509 verify fixes. Disable broken certificate workarounds when |
5091 |
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if |
5092 |
keyUsage extension present. Don't accept CRLs with unhandled critical |
5093 |
extensions: since verify currently doesn't process CRL extensions this |
5094 |
rejects a CRL with *any* critical extensions. Add new verify error codes |
5095 |
for these cases. |
5096 |
[Steve Henson] |
5097 |
|
5098 |
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue. |
5099 |
A clarification of RFC2560 will require the use of OCTET STRINGs and |
5100 |
some implementations cannot handle the current raw format. Since OpenSSL |
5101 |
copies and compares OCSP nonces as opaque blobs without any attempt at |
5102 |
parsing them this should not create any compatibility issues. |
5103 |
[Steve Henson] |
5104 |
|
5105 |
*) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when |
5106 |
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without |
5107 |
this HMAC (and other) operations are several times slower than OpenSSL |
5108 |
< 0.9.7. |
5109 |
[Steve Henson] |
5110 |
|
5111 |
*) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). |
5112 |
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
5113 |
|
5114 |
*) Use the correct content when signing type "other". |
5115 |
[Steve Henson] |
5116 |
|
5117 |
Changes between 0.9.7b and 0.9.7c [30 Sep 2003] |
5118 |
|
5119 |
*) Fix various bugs revealed by running the NISCC test suite: |
5120 |
|
5121 |
Stop out of bounds reads in the ASN1 code when presented with |
5122 |
invalid tags (CVE-2003-0543 and CVE-2003-0544). |
5123 |
|
5124 |
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545). |
5125 |
|
5126 |
If verify callback ignores invalid public key errors don't try to check |
5127 |
certificate signature with the NULL public key. |
5128 |
|
5129 |
[Steve Henson] |
5130 |
|
5131 |
*) New -ignore_err option in ocsp application to stop the server |
5132 |
exiting on the first error in a request. |
5133 |
[Steve Henson] |
5134 |
|
5135 |
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate |
5136 |
if the server requested one: as stated in TLS 1.0 and SSL 3.0 |
5137 |
specifications. |
5138 |
[Steve Henson] |
5139 |
|
5140 |
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional |
5141 |
extra data after the compression methods not only for TLS 1.0 |
5142 |
but also for SSL 3.0 (as required by the specification). |
5143 |
[Bodo Moeller; problem pointed out by Matthias Loepfe] |
5144 |
|
5145 |
*) Change X509_certificate_type() to mark the key as exported/exportable |
5146 |
when it's 512 *bits* long, not 512 bytes. |
5147 |
[Richard Levitte] |
5148 |
|
5149 |
*) Change AES_cbc_encrypt() so it outputs exact multiple of |
5150 |
blocks during encryption. |
5151 |
[Richard Levitte] |
5152 |
|
5153 |
*) Various fixes to base64 BIO and non blocking I/O. On write |
5154 |
flushes were not handled properly if the BIO retried. On read |
5155 |
data was not being buffered properly and had various logic bugs. |
5156 |
This also affects blocking I/O when the data being decoded is a |
5157 |
certain size. |
5158 |
[Steve Henson] |
5159 |
|
5160 |
*) Various S/MIME bugfixes and compatibility changes: |
5161 |
output correct application/pkcs7 MIME type if |
5162 |
PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. |
5163 |
Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening |
5164 |
of files as .eml work). Correctly handle very long lines in MIME |
5165 |
parser. |
5166 |
[Steve Henson] |
5167 |
|
5168 |
Changes between 0.9.7a and 0.9.7b [10 Apr 2003] |
5169 |
|
5170 |
*) Countermeasure against the Klima-Pokorny-Rosa extension of |
5171 |
Bleichbacher's attack on PKCS #1 v1.5 padding: treat |
5172 |
a protocol version number mismatch like a decryption error |
5173 |
in ssl3_get_client_key_exchange (ssl/s3_srvr.c). |
5174 |
[Bodo Moeller] |
5175 |
|
5176 |
*) Turn on RSA blinding by default in the default implementation |
5177 |
to avoid a timing attack. Applications that don't want it can call |
5178 |
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. |
5179 |
They would be ill-advised to do so in most cases. |
5180 |
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] |
5181 |
|
5182 |
*) Change RSA blinding code so that it works when the PRNG is not |
5183 |
seeded (in this case, the secret RSA exponent is abused as |
5184 |
an unpredictable seed -- if it is not unpredictable, there |
5185 |
is no point in blinding anyway). Make RSA blinding thread-safe |
5186 |
by remembering the creator's thread ID in rsa->blinding and |
5187 |
having all other threads use local one-time blinding factors |
5188 |
(this requires more computation than sharing rsa->blinding, but |
5189 |
avoids excessive locking; and if an RSA object is not shared |
5190 |
between threads, blinding will still be very fast). |
5191 |
[Bodo Moeller] |
5192 |
|
5193 |
*) Fixed a typo bug that would cause ENGINE_set_default() to set an |
5194 |
ENGINE as defaults for all supported algorithms irrespective of |
5195 |
the 'flags' parameter. 'flags' is now honoured, so applications |
5196 |
should make sure they are passing it correctly. |
5197 |
[Geoff Thorpe] |
5198 |
|
5199 |
*) Target "mingw" now allows native Windows code to be generated in |
5200 |
the Cygwin environment as well as with the MinGW compiler. |
5201 |
[Ulf Moeller] |
5202 |
|
5203 |
Changes between 0.9.7 and 0.9.7a [19 Feb 2003] |
5204 |
|
5205 |
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked |
5206 |
via timing by performing a MAC computation even if incorrrect |
5207 |
block cipher padding has been found. This is a countermeasure |
5208 |
against active attacks where the attacker has to distinguish |
5209 |
between bad padding and a MAC verification error. (CVE-2003-0078) |
5210 |
|
5211 |
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL), |
5212 |
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and |
5213 |
Martin Vuagnoux (EPFL, Ilion)] |
5214 |
|
5215 |
*) Make the no-err option work as intended. The intention with no-err |
5216 |
is not to have the whole error stack handling routines removed from |
5217 |
libcrypto, it's only intended to remove all the function name and |
5218 |
reason texts, thereby removing some of the footprint that may not |
5219 |
be interesting if those errors aren't displayed anyway. |
5220 |
|
5221 |
NOTE: it's still possible for any application or module to have it's |
5222 |
own set of error texts inserted. The routines are there, just not |
5223 |
used by default when no-err is given. |
5224 |
[Richard Levitte] |
5225 |
|
5226 |
*) Add support for FreeBSD on IA64. |
5227 |
[dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] |
5228 |
|
5229 |
*) Adjust DES_cbc_cksum() so it returns the same value as the MIT |
5230 |
Kerberos function mit_des_cbc_cksum(). Before this change, |
5231 |
the value returned by DES_cbc_cksum() was like the one from |
5232 |
mit_des_cbc_cksum(), except the bytes were swapped. |
5233 |
[Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte] |
5234 |
|
5235 |
*) Allow an application to disable the automatic SSL chain building. |
5236 |
Before this a rather primitive chain build was always performed in |
5237 |
ssl3_output_cert_chain(): an application had no way to send the |
5238 |
correct chain if the automatic operation produced an incorrect result. |
5239 |
|
5240 |
Now the chain builder is disabled if either: |
5241 |
|
5242 |
1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). |
5243 |
|
5244 |
2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. |
5245 |
|
5246 |
The reasoning behind this is that an application would not want the |
5247 |
auto chain building to take place if extra chain certificates are |
5248 |
present and it might also want a means of sending no additional |
5249 |
certificates (for example the chain has two certificates and the |
5250 |
root is omitted). |
5251 |
[Steve Henson] |
5252 |
|
5253 |
*) Add the possibility to build without the ENGINE framework. |
5254 |
[Steven Reddie <smr@essemer.com.au> via Richard Levitte] |
5255 |
|
5256 |
*) Under Win32 gmtime() can return NULL: check return value in |
5257 |
OPENSSL_gmtime(). Add error code for case where gmtime() fails. |
5258 |
[Steve Henson] |
5259 |
|
5260 |
*) DSA routines: under certain error conditions uninitialized BN objects |
5261 |
could be freed. Solution: make sure initialization is performed early |
5262 |
enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, |
5263 |
Nils Larsch <nla@trustcenter.de> via PR#459) |
5264 |
[Lutz Jaenicke] |
5265 |
|
5266 |
*) Another fix for SSLv2 session ID handling: the session ID was incorrectly |
5267 |
checked on reconnect on the client side, therefore session resumption |
5268 |
could still fail with a "ssl session id is different" error. This |
5269 |
behaviour is masked when SSL_OP_ALL is used due to |
5270 |
SSL_OP_MICROSOFT_SESS_ID_BUG being set. |
5271 |
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as |
5272 |
followup to PR #377. |
5273 |
[Lutz Jaenicke] |
5274 |
|
5275 |
*) IA-32 assembler support enhancements: unified ELF targets, support |
5276 |
for SCO/Caldera platforms, fix for Cygwin shared build. |
5277 |
[Andy Polyakov] |
5278 |
|
5279 |
*) Add support for FreeBSD on sparc64. As a consequence, support for |
5280 |
FreeBSD on non-x86 processors is separate from x86 processors on |
5281 |
the config script, much like the NetBSD support. |
5282 |
[Richard Levitte & Kris Kennaway <kris@obsecurity.org>] |
5283 |
|
5284 |
Changes between 0.9.6h and 0.9.7 [31 Dec 2002] |
5285 |
|
5286 |
[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after |
5287 |
OpenSSL 0.9.7.] |
5288 |
|
5289 |
*) Fix session ID handling in SSLv2 client code: the SERVER FINISHED |
5290 |
code (06) was taken as the first octet of the session ID and the last |
5291 |
octet was ignored consequently. As a result SSLv2 client side session |
5292 |
caching could not have worked due to the session ID mismatch between |
5293 |
client and server. |
5294 |
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as |
5295 |
PR #377. |
5296 |
[Lutz Jaenicke] |
5297 |
|
5298 |
*) Change the declaration of needed Kerberos libraries to use EX_LIBS |
5299 |
instead of the special (and badly supported) LIBKRB5. LIBKRB5 is |
5300 |
removed entirely. |
5301 |
[Richard Levitte] |
5302 |
|
5303 |
*) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it |
5304 |
seems that in spite of existing for more than a year, many application |
5305 |
author have done nothing to provide the necessary callbacks, which |
5306 |
means that this particular engine will not work properly anywhere. |
5307 |
This is a very unfortunate situation which forces us, in the name |
5308 |
of usability, to give the hw_ncipher.c a static lock, which is part |
5309 |
of libcrypto. |
5310 |
NOTE: This is for the 0.9.7 series ONLY. This hack will never |
5311 |
appear in 0.9.8 or later. We EXPECT application authors to have |
5312 |
dealt properly with this when 0.9.8 is released (unless we actually |
5313 |
make such changes in the libcrypto locking code that changes will |
5314 |
have to be made anyway). |
5315 |
[Richard Levitte] |
5316 |
|
5317 |
*) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content |
5318 |
octets have been read, EOF or an error occurs. Without this change |
5319 |
some truncated ASN1 structures will not produce an error. |
5320 |
[Steve Henson] |
5321 |
|
5322 |
*) Disable Heimdal support, since it hasn't been fully implemented. |
5323 |
Still give the possibility to force the use of Heimdal, but with |
5324 |
warnings and a request that patches get sent to openssl-dev. |
5325 |
[Richard Levitte] |
5326 |
|
5327 |
*) Add the VC-CE target, introduce the WINCE sysname, and add |
5328 |
INSTALL.WCE and appropriate conditionals to make it build. |
5329 |
[Steven Reddie <smr@essemer.com.au> via Richard Levitte] |
5330 |
|
5331 |
*) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and |
5332 |
cygssl-x.y.z.dll, where x, y and z are the major, minor and |
5333 |
edit numbers of the version. |
5334 |
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] |
5335 |
|
5336 |
*) Introduce safe string copy and catenation functions |
5337 |
(BUF_strlcpy() and BUF_strlcat()). |
5338 |
[Ben Laurie (CHATS) and Richard Levitte] |
5339 |
|
5340 |
*) Avoid using fixed-size buffers for one-line DNs. |
5341 |
[Ben Laurie (CHATS)] |
5342 |
|
5343 |
*) Add BUF_MEM_grow_clean() to avoid information leakage when |
5344 |
resizing buffers containing secrets, and use where appropriate. |
5345 |
[Ben Laurie (CHATS)] |
5346 |
|
5347 |
*) Avoid using fixed size buffers for configuration file location. |
5348 |
[Ben Laurie (CHATS)] |
5349 |
|
5350 |
*) Avoid filename truncation for various CA files. |
5351 |
[Ben Laurie (CHATS)] |
5352 |
|
5353 |
*) Use sizeof in preference to magic numbers. |
5354 |
[Ben Laurie (CHATS)] |
5355 |
|
5356 |
*) Avoid filename truncation in cert requests. |
5357 |
[Ben Laurie (CHATS)] |
5358 |
|
5359 |
*) Add assertions to check for (supposedly impossible) buffer |
5360 |
overflows. |
5361 |
[Ben Laurie (CHATS)] |
5362 |
|
5363 |
*) Don't cache truncated DNS entries in the local cache (this could |
5364 |
potentially lead to a spoofing attack). |
5365 |
[Ben Laurie (CHATS)] |
5366 |
|
5367 |
*) Fix various buffers to be large enough for hex/decimal |
5368 |
representations in a platform independent manner. |
5369 |
[Ben Laurie (CHATS)] |
5370 |
|
5371 |
*) Add CRYPTO_realloc_clean() to avoid information leakage when |
5372 |
resizing buffers containing secrets, and use where appropriate. |
5373 |
[Ben Laurie (CHATS)] |
5374 |
|
5375 |
*) Add BIO_indent() to avoid much slightly worrying code to do |
5376 |
indents. |
5377 |
[Ben Laurie (CHATS)] |
5378 |
|
5379 |
*) Convert sprintf()/BIO_puts() to BIO_printf(). |
5380 |
[Ben Laurie (CHATS)] |
5381 |
|
5382 |
*) buffer_gets() could terminate with the buffer only half |
5383 |
full. Fixed. |
5384 |
[Ben Laurie (CHATS)] |
5385 |
|
5386 |
*) Add assertions to prevent user-supplied crypto functions from |
5387 |
overflowing internal buffers by having large block sizes, etc. |
5388 |
[Ben Laurie (CHATS)] |
5389 |
|
5390 |
*) New OPENSSL_assert() macro (similar to assert(), but enabled |
5391 |
unconditionally). |
5392 |
[Ben Laurie (CHATS)] |
5393 |
|
5394 |
*) Eliminate unused copy of key in RC4. |
5395 |
[Ben Laurie (CHATS)] |
5396 |
|
5397 |
*) Eliminate unused and incorrectly sized buffers for IV in pem.h. |
5398 |
[Ben Laurie (CHATS)] |
5399 |
|
5400 |
*) Fix off-by-one error in EGD path. |
5401 |
[Ben Laurie (CHATS)] |
5402 |
|
5403 |
*) If RANDFILE path is too long, ignore instead of truncating. |
5404 |
[Ben Laurie (CHATS)] |
5405 |
|
5406 |
*) Eliminate unused and incorrectly sized X.509 structure |
5407 |
CBCParameter. |
5408 |
[Ben Laurie (CHATS)] |
5409 |
|
5410 |
*) Eliminate unused and dangerous function knumber(). |
5411 |
[Ben Laurie (CHATS)] |
5412 |
|
5413 |
*) Eliminate unused and dangerous structure, KSSL_ERR. |
5414 |
[Ben Laurie (CHATS)] |
5415 |
|
5416 |
*) Protect against overlong session ID context length in an encoded |
5417 |
session object. Since these are local, this does not appear to be |
5418 |
exploitable. |
5419 |
[Ben Laurie (CHATS)] |
5420 |
|
5421 |
*) Change from security patch (see 0.9.6e below) that did not affect |
5422 |
the 0.9.6 release series: |
5423 |
|
5424 |
Remote buffer overflow in SSL3 protocol - an attacker could |
5425 |
supply an oversized master key in Kerberos-enabled versions. |
5426 |
(CVE-2002-0657) |
5427 |
[Ben Laurie (CHATS)] |
5428 |
|
5429 |
*) Change the SSL kerb5 codes to match RFC 2712. |
5430 |
[Richard Levitte] |
5431 |
|
5432 |
*) Make -nameopt work fully for req and add -reqopt switch. |
5433 |
[Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson] |
5434 |
|
5435 |
*) The "block size" for block ciphers in CFB and OFB mode should be 1. |
5436 |
[Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>] |
5437 |
|
5438 |
*) Make sure tests can be performed even if the corresponding algorithms |
5439 |
have been removed entirely. This was also the last step to make |
5440 |
OpenSSL compilable with DJGPP under all reasonable conditions. |
5441 |
[Richard Levitte, Doug Kaufman <dkaufman@rahul.net>] |
5442 |
|
5443 |
*) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT |
5444 |
to allow version independent disabling of normally unselected ciphers, |
5445 |
which may be activated as a side-effect of selecting a single cipher. |
5446 |
|
5447 |
(E.g., cipher list string "RSA" enables ciphersuites that are left |
5448 |
out of "ALL" because they do not provide symmetric encryption. |
5449 |
"RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) |
5450 |
[Lutz Jaenicke, Bodo Moeller] |
5451 |
|
5452 |
*) Add appropriate support for separate platform-dependent build |
5453 |
directories. The recommended way to make a platform-dependent |
5454 |
build directory is the following (tested on Linux), maybe with |
5455 |
some local tweaks: |
5456 |
|
5457 |
# Place yourself outside of the OpenSSL source tree. In |
5458 |
# this example, the environment variable OPENSSL_SOURCE |
5459 |
# is assumed to contain the absolute OpenSSL source directory. |
5460 |
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" |
5461 |
cd objtree/"`uname -s`-`uname -r`-`uname -m`" |
5462 |
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do |
5463 |
mkdir -p `dirname $F` |
5464 |
ln -s $OPENSSL_SOURCE/$F $F |
5465 |
done |
5466 |
|
5467 |
To be absolutely sure not to disturb the source tree, a "make clean" |
5468 |
is a good thing. If it isn't successfull, don't worry about it, |
5469 |
it probably means the source directory is very clean. |
5470 |
[Richard Levitte] |
5471 |
|
5472 |
*) Make sure any ENGINE control commands make local copies of string |
5473 |
pointers passed to them whenever necessary. Otherwise it is possible |
5474 |
the caller may have overwritten (or deallocated) the original string |
5475 |
data when a later ENGINE operation tries to use the stored values. |
5476 |
[Götz Babin-Ebell <babinebell@trustcenter.de>] |
5477 |
|
5478 |
*) Improve diagnostics in file reading and command-line digests. |
5479 |
[Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>] |
5480 |
|
5481 |
*) Add AES modes CFB and OFB to the object database. Correct an |
5482 |
error in AES-CFB decryption. |
5483 |
[Richard Levitte] |
5484 |
|
5485 |
*) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this |
5486 |
allows existing EVP_CIPHER_CTX structures to be reused after |
5487 |
calling EVP_*Final(). This behaviour is used by encryption |
5488 |
BIOs and some applications. This has the side effect that |
5489 |
applications must explicitly clean up cipher contexts with |
5490 |
EVP_CIPHER_CTX_cleanup() or they will leak memory. |
5491 |
[Steve Henson] |
5492 |
|
5493 |
*) Check the values of dna and dnb in bn_mul_recursive before calling |
5494 |
bn_mul_comba (a non zero value means the a or b arrays do not contain |
5495 |
n2 elements) and fallback to bn_mul_normal if either is not zero. |
5496 |
[Steve Henson] |
5497 |
|
5498 |
*) Fix escaping of non-ASCII characters when using the -subj option |
5499 |
of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>) |
5500 |
[Lutz Jaenicke] |
5501 |
|
5502 |
*) Make object definitions compliant to LDAP (RFC2256): SN is the short |
5503 |
form for "surname", serialNumber has no short form. |
5504 |
Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; |
5505 |
therefore remove "mail" short name for "internet 7". |
5506 |
The OID for unique identifiers in X509 certificates is |
5507 |
x500UniqueIdentifier, not uniqueIdentifier. |
5508 |
Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>) |
5509 |
[Lutz Jaenicke] |
5510 |
|
5511 |
*) Add an "init" command to the ENGINE config module and auto initialize |
5512 |
ENGINEs. Without any "init" command the ENGINE will be initialized |
5513 |
after all ctrl commands have been executed on it. If init=1 the |
5514 |
ENGINE is initailized at that point (ctrls before that point are run |
5515 |
on the uninitialized ENGINE and after on the initialized one). If |
5516 |
init=0 then the ENGINE will not be iniatialized at all. |
5517 |
[Steve Henson] |
5518 |
|
5519 |
*) Fix the 'app_verify_callback' interface so that the user-defined |
5520 |
argument is actually passed to the callback: In the |
5521 |
SSL_CTX_set_cert_verify_callback() prototype, the callback |
5522 |
declaration has been changed from |
5523 |
int (*cb)() |
5524 |
into |
5525 |
int (*cb)(X509_STORE_CTX *,void *); |
5526 |
in ssl_verify_cert_chain (ssl/ssl_cert.c), the call |
5527 |
i=s->ctx->app_verify_callback(&ctx) |
5528 |
has been changed into |
5529 |
i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). |
5530 |
|
5531 |
To update applications using SSL_CTX_set_cert_verify_callback(), |
5532 |
a dummy argument can be added to their callback functions. |
5533 |
[D. K. Smetters <smetters@parc.xerox.com>] |
5534 |
|
5535 |
*) Added the '4758cca' ENGINE to support IBM 4758 cards. |
5536 |
[Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] |
5537 |
|
5538 |
*) Add and OPENSSL_LOAD_CONF define which will cause |
5539 |
OpenSSL_add_all_algorithms() to load the openssl.cnf config file. |
5540 |
This allows older applications to transparently support certain |
5541 |
OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. |
5542 |
Two new functions OPENSSL_add_all_algorithms_noconf() which will never |
5543 |
load the config file and OPENSSL_add_all_algorithms_conf() which will |
5544 |
always load it have also been added. |
5545 |
[Steve Henson] |
5546 |
|
5547 |
*) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. |
5548 |
Adjust NIDs and EVP layer. |
5549 |
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] |
5550 |
|
5551 |
*) Config modules support in openssl utility. |
5552 |
|
5553 |
Most commands now load modules from the config file, |
5554 |
though in a few (such as version) this isn't done |
5555 |
because it couldn't be used for anything. |
5556 |
|
5557 |
In the case of ca and req the config file used is |
5558 |
the same as the utility itself: that is the -config |
5559 |
command line option can be used to specify an |
5560 |
alternative file. |
5561 |
[Steve Henson] |
5562 |
|
5563 |
*) Move default behaviour from OPENSSL_config(). If appname is NULL |
5564 |
use "openssl_conf" if filename is NULL use default openssl config file. |
5565 |
[Steve Henson] |
5566 |
|
5567 |
*) Add an argument to OPENSSL_config() to allow the use of an alternative |
5568 |
config section name. Add a new flag to tolerate a missing config file |
5569 |
and move code to CONF_modules_load_file(). |
5570 |
[Steve Henson] |
5571 |
|
5572 |
*) Support for crypto accelerator cards from Accelerated Encryption |
5573 |
Processing, www.aep.ie. (Use engine 'aep') |
5574 |
The support was copied from 0.9.6c [engine] and adapted/corrected |
5575 |
to work with the new engine framework. |
5576 |
[AEP Inc. and Richard Levitte] |
5577 |
|
5578 |
*) Support for SureWare crypto accelerator cards from Baltimore |
5579 |
Technologies. (Use engine 'sureware') |
5580 |
The support was copied from 0.9.6c [engine] and adapted |
5581 |
to work with the new engine framework. |
5582 |
[Richard Levitte] |
5583 |
|
5584 |
*) Have the CHIL engine fork-safe (as defined by nCipher) and actually |
5585 |
make the newer ENGINE framework commands for the CHIL engine work. |
5586 |
[Toomas Kiisk <vix@cyber.ee> and Richard Levitte] |
5587 |
|
5588 |
*) Make it possible to produce shared libraries on ReliantUNIX. |
5589 |
[Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte] |
5590 |
|
5591 |
*) Add the configuration target debug-linux-ppro. |
5592 |
Make 'openssl rsa' use the general key loading routines |
5593 |
implemented in apps.c, and make those routines able to |
5594 |
handle the key format FORMAT_NETSCAPE and the variant |
5595 |
FORMAT_IISSGC. |
5596 |
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
5597 |
|
5598 |
*) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). |
5599 |
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
5600 |
|
5601 |
*) Add -keyform to rsautl, and document -engine. |
5602 |
[Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>] |
5603 |
|
5604 |
*) Change BIO_new_file (crypto/bio/bss_file.c) to use new |
5605 |
BIO_R_NO_SUCH_FILE error code rather than the generic |
5606 |
ERR_R_SYS_LIB error code if fopen() fails with ENOENT. |
5607 |
[Ben Laurie] |
5608 |
|
5609 |
*) Add new functions |
5610 |
ERR_peek_last_error |
5611 |
ERR_peek_last_error_line |
5612 |
ERR_peek_last_error_line_data. |
5613 |
These are similar to |
5614 |
ERR_peek_error |
5615 |
ERR_peek_error_line |
5616 |
ERR_peek_error_line_data, |
5617 |
but report on the latest error recorded rather than the first one |
5618 |
still in the error queue. |
5619 |
[Ben Laurie, Bodo Moeller] |
5620 |
|
5621 |
*) default_algorithms option in ENGINE config module. This allows things |
5622 |
like: |
5623 |
default_algorithms = ALL |
5624 |
default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS |
5625 |
[Steve Henson] |
5626 |
|
5627 |
*) Prelminary ENGINE config module. |
5628 |
[Steve Henson] |
5629 |
|
5630 |
*) New experimental application configuration code. |
5631 |
[Steve Henson] |
5632 |
|
5633 |
*) Change the AES code to follow the same name structure as all other |
5634 |
symmetric ciphers, and behave the same way. Move everything to |
5635 |
the directory crypto/aes, thereby obsoleting crypto/rijndael. |
5636 |
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] |
5637 |
|
5638 |
*) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. |
5639 |
[Ben Laurie and Theo de Raadt] |
5640 |
|
5641 |
*) Add option to output public keys in req command. |
5642 |
[Massimiliano Pala madwolf@openca.org] |
5643 |
|
5644 |
*) Use wNAFs in EC_POINTs_mul() for improved efficiency |
5645 |
(up to about 10% better than before for P-192 and P-224). |
5646 |
[Bodo Moeller] |
5647 |
|
5648 |
*) New functions/macros |
5649 |
|
5650 |
SSL_CTX_set_msg_callback(ctx, cb) |
5651 |
SSL_CTX_set_msg_callback_arg(ctx, arg) |
5652 |
SSL_set_msg_callback(ssl, cb) |
5653 |
SSL_set_msg_callback_arg(ssl, arg) |
5654 |
|
5655 |
to request calling a callback function |
5656 |
|
5657 |
void cb(int write_p, int version, int content_type, |
5658 |
const void *buf, size_t len, SSL *ssl, void *arg) |
5659 |
|
5660 |
whenever a protocol message has been completely received |
5661 |
(write_p == 0) or sent (write_p == 1). Here 'version' is the |
5662 |
protocol version according to which the SSL library interprets |
5663 |
the current protocol message (SSL2_VERSION, SSL3_VERSION, or |
5664 |
TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or |
5665 |
the content type as defined in the SSL 3.0/TLS 1.0 protocol |
5666 |
specification (change_cipher_spec(20), alert(21), handshake(22)). |
5667 |
'buf' and 'len' point to the actual message, 'ssl' to the |
5668 |
SSL object, and 'arg' is the application-defined value set by |
5669 |
SSL[_CTX]_set_msg_callback_arg(). |
5670 |
|
5671 |
'openssl s_client' and 'openssl s_server' have new '-msg' options |
5672 |
to enable a callback that displays all protocol messages. |
5673 |
[Bodo Moeller] |
5674 |
|
5675 |
*) Change the shared library support so shared libraries are built as |
5676 |
soon as the corresponding static library is finished, and thereby get |
5677 |
openssl and the test programs linked against the shared library. |
5678 |
This still only happens when the keyword "shard" has been given to |
5679 |
the configuration scripts. |
5680 |
|
5681 |
NOTE: shared library support is still an experimental thing, and |
5682 |
backward binary compatibility is still not guaranteed. |
5683 |
["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte] |
5684 |
|
5685 |
*) Add support for Subject Information Access extension. |
5686 |
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
5687 |
|
5688 |
*) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero |
5689 |
additional bytes when new memory had to be allocated, not just |
5690 |
when reusing an existing buffer. |
5691 |
[Bodo Moeller] |
5692 |
|
5693 |
*) New command line and configuration option 'utf8' for the req command. |
5694 |
This allows field values to be specified as UTF8 strings. |
5695 |
[Steve Henson] |
5696 |
|
5697 |
*) Add -multi and -mr options to "openssl speed" - giving multiple parallel |
5698 |
runs for the former and machine-readable output for the latter. |
5699 |
[Ben Laurie] |
5700 |
|
5701 |
*) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion |
5702 |
of the e-mail address in the DN (i.e., it will go into a certificate |
5703 |
extension only). The new configuration file option 'email_in_dn = no' |
5704 |
has the same effect. |
5705 |
[Massimiliano Pala madwolf@openca.org] |
5706 |
|
5707 |
*) Change all functions with names starting with des_ to be starting |
5708 |
with DES_ instead. Add wrappers that are compatible with libdes, |
5709 |
but are named _ossl_old_des_*. Finally, add macros that map the |
5710 |
des_* symbols to the corresponding _ossl_old_des_* if libdes |
5711 |
compatibility is desired. If OpenSSL 0.9.6c compatibility is |
5712 |
desired, the des_* symbols will be mapped to DES_*, with one |
5713 |
exception. |
5714 |
|
5715 |
Since we provide two compatibility mappings, the user needs to |
5716 |
define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes |
5717 |
compatibility is desired. The default (i.e., when that macro |
5718 |
isn't defined) is OpenSSL 0.9.6c compatibility. |
5719 |
|
5720 |
There are also macros that enable and disable the support of old |
5721 |
des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT |
5722 |
and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those |
5723 |
are defined, the default will apply: to support the old des routines. |
5724 |
|
5725 |
In either case, one must include openssl/des.h to get the correct |
5726 |
definitions. Do not try to just include openssl/des_old.h, that |
5727 |
won't work. |
5728 |
|
5729 |
NOTE: This is a major break of an old API into a new one. Software |
5730 |
authors are encouraged to switch to the DES_ style functions. Some |
5731 |
time in the future, des_old.h and the libdes compatibility functions |
5732 |
will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the |
5733 |
default), and then completely removed. |
5734 |
[Richard Levitte] |
5735 |
|
5736 |
*) Test for certificates which contain unsupported critical extensions. |
5737 |
If such a certificate is found during a verify operation it is |
5738 |
rejected by default: this behaviour can be overridden by either |
5739 |
handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or |
5740 |
by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function |
5741 |
X509_supported_extension() has also been added which returns 1 if a |
5742 |
particular extension is supported. |
5743 |
[Steve Henson] |
5744 |
|
5745 |
*) Modify the behaviour of EVP cipher functions in similar way to digests |
5746 |
to retain compatibility with existing code. |
5747 |
[Steve Henson] |
5748 |
|
5749 |
*) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain |
5750 |
compatibility with existing code. In particular the 'ctx' parameter does |
5751 |
not have to be to be initialized before the call to EVP_DigestInit() and |
5752 |
it is tidied up after a call to EVP_DigestFinal(). New function |
5753 |
EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function |
5754 |
EVP_MD_CTX_copy() changed to not require the destination to be |
5755 |
initialized valid and new function EVP_MD_CTX_copy_ex() added which |
5756 |
requires the destination to be valid. |
5757 |
|
5758 |
Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), |
5759 |
EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). |
5760 |
[Steve Henson] |
5761 |
|
5762 |
*) Change ssl3_get_message (ssl/s3_both.c) and the functions using it |
5763 |
so that complete 'Handshake' protocol structures are kept in memory |
5764 |
instead of overwriting 'msg_type' and 'length' with 'body' data. |
5765 |
[Bodo Moeller] |
5766 |
|
5767 |
*) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. |
5768 |
[Massimo Santin via Richard Levitte] |
5769 |
|
5770 |
*) Major restructuring to the underlying ENGINE code. This includes |
5771 |
reduction of linker bloat, separation of pure "ENGINE" manipulation |
5772 |
(initialisation, etc) from functionality dealing with implementations |
5773 |
of specific crypto iterfaces. This change also introduces integrated |
5774 |
support for symmetric ciphers and digest implementations - so ENGINEs |
5775 |
can now accelerate these by providing EVP_CIPHER and EVP_MD |
5776 |
implementations of their own. This is detailed in crypto/engine/README |
5777 |
as it couldn't be adequately described here. However, there are a few |
5778 |
API changes worth noting - some RSA, DSA, DH, and RAND functions that |
5779 |
were changed in the original introduction of ENGINE code have now |
5780 |
reverted back - the hooking from this code to ENGINE is now a good |
5781 |
deal more passive and at run-time, operations deal directly with |
5782 |
RSA_METHODs, DSA_METHODs (etc) as they did before, rather than |
5783 |
dereferencing through an ENGINE pointer any more. Also, the ENGINE |
5784 |
functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - |
5785 |
they were not being used by the framework as there is no concept of a |
5786 |
BIGNUM_METHOD and they could not be generalised to the new |
5787 |
'ENGINE_TABLE' mechanism that underlies the new code. Similarly, |
5788 |
ENGINE_cpy() has been removed as it cannot be consistently defined in |
5789 |
the new code. |
5790 |
[Geoff Thorpe] |
5791 |
|
5792 |
*) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. |
5793 |
[Steve Henson] |
5794 |
|
5795 |
*) Change mkdef.pl to sort symbols that get the same entry number, |
5796 |
and make sure the automatically generated functions ERR_load_* |
5797 |
become part of libeay.num as well. |
5798 |
[Richard Levitte] |
5799 |
|
5800 |
*) New function SSL_renegotiate_pending(). This returns true once |
5801 |
renegotiation has been requested (either SSL_renegotiate() call |
5802 |
or HelloRequest/ClientHello receveived from the peer) and becomes |
5803 |
false once a handshake has been completed. |
5804 |
(For servers, SSL_renegotiate() followed by SSL_do_handshake() |
5805 |
sends a HelloRequest, but does not ensure that a handshake takes |
5806 |
place. SSL_renegotiate_pending() is useful for checking if the |
5807 |
client has followed the request.) |
5808 |
[Bodo Moeller] |
5809 |
|
5810 |
*) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. |
5811 |
By default, clients may request session resumption even during |
5812 |
renegotiation (if session ID contexts permit); with this option, |
5813 |
session resumption is possible only in the first handshake. |
5814 |
|
5815 |
SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes |
5816 |
more bits available for options that should not be part of |
5817 |
SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). |
5818 |
[Bodo Moeller] |
5819 |
|
5820 |
*) Add some demos for certificate and certificate request creation. |
5821 |
[Steve Henson] |
5822 |
|
5823 |
*) Make maximum certificate chain size accepted from the peer application |
5824 |
settable (SSL*_get/set_max_cert_list()), as proposed by |
5825 |
"Douglas E. Engert" <deengert@anl.gov>. |
5826 |
[Lutz Jaenicke] |
5827 |
|
5828 |
*) Add support for shared libraries for Unixware-7 |
5829 |
(Boyd Lynn Gerber <gerberb@zenez.com>). |
5830 |
[Lutz Jaenicke] |
5831 |
|
5832 |
*) Add a "destroy" handler to ENGINEs that allows structural cleanup to |
5833 |
be done prior to destruction. Use this to unload error strings from |
5834 |
ENGINEs that load their own error strings. NB: This adds two new API |
5835 |
functions to "get" and "set" this destroy handler in an ENGINE. |
5836 |
[Geoff Thorpe] |
5837 |
|
5838 |
*) Alter all existing ENGINE implementations (except "openssl" and |
5839 |
"openbsd") to dynamically instantiate their own error strings. This |
5840 |
makes them more flexible to be built both as statically-linked ENGINEs |
5841 |
and self-contained shared-libraries loadable via the "dynamic" ENGINE. |
5842 |
Also, add stub code to each that makes building them as self-contained |
5843 |
shared-libraries easier (see README.ENGINE). |
5844 |
[Geoff Thorpe] |
5845 |
|
5846 |
*) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE |
5847 |
implementations into applications that are completely implemented in |
5848 |
self-contained shared-libraries. The "dynamic" ENGINE exposes control |
5849 |
commands that can be used to configure what shared-library to load and |
5850 |
to control aspects of the way it is handled. Also, made an update to |
5851 |
the README.ENGINE file that brings its information up-to-date and |
5852 |
provides some information and instructions on the "dynamic" ENGINE |
5853 |
(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). |
5854 |
[Geoff Thorpe] |
5855 |
|
5856 |
*) Make it possible to unload ranges of ERR strings with a new |
5857 |
"ERR_unload_strings" function. |
5858 |
[Geoff Thorpe] |
5859 |
|
5860 |
*) Add a copy() function to EVP_MD. |
5861 |
[Ben Laurie] |
5862 |
|
5863 |
*) Make EVP_MD routines take a context pointer instead of just the |
5864 |
md_data void pointer. |
5865 |
[Ben Laurie] |
5866 |
|
5867 |
*) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates |
5868 |
that the digest can only process a single chunk of data |
5869 |
(typically because it is provided by a piece of |
5870 |
hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application |
5871 |
is only going to provide a single chunk of data, and hence the |
5872 |
framework needn't accumulate the data for oneshot drivers. |
5873 |
[Ben Laurie] |
5874 |
|
5875 |
*) As with "ERR", make it possible to replace the underlying "ex_data" |
5876 |
functions. This change also alters the storage and management of global |
5877 |
ex_data state - it's now all inside ex_data.c and all "class" code (eg. |
5878 |
RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class |
5879 |
index counters. The API functions that use this state have been changed |
5880 |
to take a "class_index" rather than pointers to the class's local STACK |
5881 |
and counter, and there is now an API function to dynamically create new |
5882 |
classes. This centralisation allows us to (a) plug a lot of the |
5883 |
thread-safety problems that existed, and (b) makes it possible to clean |
5884 |
up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) |
5885 |
such data would previously have always leaked in application code and |
5886 |
workarounds were in place to make the memory debugging turn a blind eye |
5887 |
to it. Application code that doesn't use this new function will still |
5888 |
leak as before, but their memory debugging output will announce it now |
5889 |
rather than letting it slide. |
5890 |
|
5891 |
Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change |
5892 |
induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now |
5893 |
has a return value to indicate success or failure. |
5894 |
[Geoff Thorpe] |
5895 |
|
5896 |
*) Make it possible to replace the underlying "ERR" functions such that the |
5897 |
global state (2 LHASH tables and 2 locks) is only used by the "default" |
5898 |
implementation. This change also adds two functions to "get" and "set" |
5899 |
the implementation prior to it being automatically set the first time |
5900 |
any other ERR function takes place. Ie. an application can call "get", |
5901 |
pass the return value to a module it has just loaded, and that module |
5902 |
can call its own "set" function using that value. This means the |
5903 |
module's "ERR" operations will use (and modify) the error state in the |
5904 |
application and not in its own statically linked copy of OpenSSL code. |
5905 |
[Geoff Thorpe] |
5906 |
|
5907 |
*) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment |
5908 |
reference counts. This performs normal REF_PRINT/REF_CHECK macros on |
5909 |
the operation, and provides a more encapsulated way for external code |
5910 |
(crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code |
5911 |
to use these functions rather than manually incrementing the counts. |
5912 |
|
5913 |
Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". |
5914 |
[Geoff Thorpe] |
5915 |
|
5916 |
*) Add EVP test program. |
5917 |
[Ben Laurie] |
5918 |
|
5919 |
*) Add symmetric cipher support to ENGINE. Expect the API to change! |
5920 |
[Ben Laurie] |
5921 |
|
5922 |
*) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() |
5923 |
X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), |
5924 |
X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). |
5925 |
These allow a CRL to be built without having to access X509_CRL fields |
5926 |
directly. Modify 'ca' application to use new functions. |
5927 |
[Steve Henson] |
5928 |
|
5929 |
*) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended |
5930 |
bug workarounds. Rollback attack detection is a security feature. |
5931 |
The problem will only arise on OpenSSL servers when TLSv1 is not |
5932 |
available (sslv3_server_method() or SSL_OP_NO_TLSv1). |
5933 |
Software authors not wanting to support TLSv1 will have special reasons |
5934 |
for their choice and can explicitly enable this option. |
5935 |
[Bodo Moeller, Lutz Jaenicke] |
5936 |
|
5937 |
*) Rationalise EVP so it can be extended: don't include a union of |
5938 |
cipher/digest structures, add init/cleanup functions for EVP_MD_CTX |
5939 |
(similar to those existing for EVP_CIPHER_CTX). |
5940 |
Usage example: |
5941 |
|
5942 |
EVP_MD_CTX md; |
5943 |
|
5944 |
EVP_MD_CTX_init(&md); /* new function call */ |
5945 |
EVP_DigestInit(&md, EVP_sha1()); |
5946 |
EVP_DigestUpdate(&md, in, len); |
5947 |
EVP_DigestFinal(&md, out, NULL); |
5948 |
EVP_MD_CTX_cleanup(&md); /* new function call */ |
5949 |
|
5950 |
[Ben Laurie] |
5951 |
|
5952 |
*) Make DES key schedule conform to the usual scheme, as well as |
5953 |
correcting its structure. This means that calls to DES functions |
5954 |
now have to pass a pointer to a des_key_schedule instead of a |
5955 |
plain des_key_schedule (which was actually always a pointer |
5956 |
anyway): E.g., |
5957 |
|
5958 |
des_key_schedule ks; |
5959 |
|
5960 |
des_set_key_checked(..., &ks); |
5961 |
des_ncbc_encrypt(..., &ks, ...); |
5962 |
|
5963 |
(Note that a later change renames 'des_...' into 'DES_...'.) |
5964 |
[Ben Laurie] |
5965 |
|
5966 |
*) Initial reduction of linker bloat: the use of some functions, such as |
5967 |
PEM causes large amounts of unused functions to be linked in due to |
5968 |
poor organisation. For example pem_all.c contains every PEM function |
5969 |
which has a knock on effect of linking in large amounts of (unused) |
5970 |
ASN1 code. Grouping together similar functions and splitting unrelated |
5971 |
functions prevents this. |
5972 |
[Steve Henson] |
5973 |
|
5974 |
*) Cleanup of EVP macros. |
5975 |
[Ben Laurie] |
5976 |
|
5977 |
*) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the |
5978 |
correct _ecb suffix. |
5979 |
[Ben Laurie] |
5980 |
|
5981 |
*) Add initial OCSP responder support to ocsp application. The |
5982 |
revocation information is handled using the text based index |
5983 |
use by the ca application. The responder can either handle |
5984 |
requests generated internally, supplied in files (for example |
5985 |
via a CGI script) or using an internal minimal server. |
5986 |
[Steve Henson] |
5987 |
|
5988 |
*) Add configuration choices to get zlib compression for TLS. |
5989 |
[Richard Levitte] |
5990 |
|
5991 |
*) Changes to Kerberos SSL for RFC 2712 compliance: |
5992 |
1. Implemented real KerberosWrapper, instead of just using |
5993 |
KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>] |
5994 |
2. Implemented optional authenticator field of KerberosWrapper. |
5995 |
|
5996 |
Added openssl-style ASN.1 macros for Kerberos ticket, ap_req, |
5997 |
and authenticator structs; see crypto/krb5/. |
5998 |
|
5999 |
Generalized Kerberos calls to support multiple Kerberos libraries. |
6000 |
[Vern Staats <staatsvr@asc.hpc.mil>, |
6001 |
Jeffrey Altman <jaltman@columbia.edu> |
6002 |
via Richard Levitte] |
6003 |
|
6004 |
*) Cause 'openssl speed' to use fully hard-coded DSA keys as it |
6005 |
already does with RSA. testdsa.h now has 'priv_key/pub_key' |
6006 |
values for each of the key sizes rather than having just |
6007 |
parameters (and 'speed' generating keys each time). |
6008 |
[Geoff Thorpe] |
6009 |
|
6010 |
*) Speed up EVP routines. |
6011 |
Before: |
6012 |
encrypt |
6013 |
type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes |
6014 |
des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k |
6015 |
des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k |
6016 |
des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k |
6017 |
decrypt |
6018 |
des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k |
6019 |
des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k |
6020 |
des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k |
6021 |
After: |
6022 |
encrypt |
6023 |
des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k |
6024 |
decrypt |
6025 |
des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k |
6026 |
[Ben Laurie] |
6027 |
|
6028 |
*) Added the OS2-EMX target. |
6029 |
["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte] |
6030 |
|
6031 |
*) Rewrite apps to use NCONF routines instead of the old CONF. New functions |
6032 |
to support NCONF routines in extension code. New function CONF_set_nconf() |
6033 |
to allow functions which take an NCONF to also handle the old LHASH |
6034 |
structure: this means that the old CONF compatible routines can be |
6035 |
retained (in particular wrt extensions) without having to duplicate the |
6036 |
code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. |
6037 |
[Steve Henson] |
6038 |
|
6039 |
*) Enhance the general user interface with mechanisms for inner control |
6040 |
and with possibilities to have yes/no kind of prompts. |
6041 |
[Richard Levitte] |
6042 |
|
6043 |
*) Change all calls to low level digest routines in the library and |
6044 |
applications to use EVP. Add missing calls to HMAC_cleanup() and |
6045 |
don't assume HMAC_CTX can be copied using memcpy(). |
6046 |
[Verdon Walker <VWalker@novell.com>, Steve Henson] |
6047 |
|
6048 |
*) Add the possibility to control engines through control names but with |
6049 |
arbitrary arguments instead of just a string. |
6050 |
Change the key loaders to take a UI_METHOD instead of a callback |
6051 |
function pointer. NOTE: this breaks binary compatibility with earlier |
6052 |
versions of OpenSSL [engine]. |
6053 |
Adapt the nCipher code for these new conditions and add a card insertion |
6054 |
callback. |
6055 |
[Richard Levitte] |
6056 |
|
6057 |
*) Enhance the general user interface with mechanisms to better support |
6058 |
dialog box interfaces, application-defined prompts, the possibility |
6059 |
to use defaults (for example default passwords from somewhere else) |
6060 |
and interrupts/cancellations. |
6061 |
[Richard Levitte] |
6062 |
|
6063 |
*) Tidy up PKCS#12 attribute handling. Add support for the CSP name |
6064 |
attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. |
6065 |
[Steve Henson] |
6066 |
|
6067 |
*) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also |
6068 |
tidy up some unnecessarily weird code in 'sk_new()'). |
6069 |
[Geoff, reported by Diego Tartara <dtartara@novamens.com>] |
6070 |
|
6071 |
*) Change the key loading routines for ENGINEs to use the same kind |
6072 |
callback (pem_password_cb) as all other routines that need this |
6073 |
kind of callback. |
6074 |
[Richard Levitte] |
6075 |
|
6076 |
*) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with |
6077 |
256 bit (=32 byte) keys. Of course seeding with more entropy bytes |
6078 |
than this minimum value is recommended. |
6079 |
[Lutz Jaenicke] |
6080 |
|
6081 |
*) New random seeder for OpenVMS, using the system process statistics |
6082 |
that are easily reachable. |
6083 |
[Richard Levitte] |
6084 |
|
6085 |
*) Windows apparently can't transparently handle global |
6086 |
variables defined in DLLs. Initialisations such as: |
6087 |
|
6088 |
const ASN1_ITEM *it = &ASN1_INTEGER_it; |
6089 |
|
6090 |
wont compile. This is used by the any applications that need to |
6091 |
declare their own ASN1 modules. This was fixed by adding the option |
6092 |
EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly |
6093 |
needed for static libraries under Win32. |
6094 |
[Steve Henson] |
6095 |
|
6096 |
*) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle |
6097 |
setting of purpose and trust fields. New X509_STORE trust and |
6098 |
purpose functions and tidy up setting in other SSL functions. |
6099 |
[Steve Henson] |
6100 |
|
6101 |
*) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE |
6102 |
structure. These are inherited by X509_STORE_CTX when it is |
6103 |
initialised. This allows various defaults to be set in the |
6104 |
X509_STORE structure (such as flags for CRL checking and custom |
6105 |
purpose or trust settings) for functions which only use X509_STORE_CTX |
6106 |
internally such as S/MIME. |
6107 |
|
6108 |
Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and |
6109 |
trust settings if they are not set in X509_STORE. This allows X509_STORE |
6110 |
purposes and trust (in S/MIME for example) to override any set by default. |
6111 |
|
6112 |
Add command line options for CRL checking to smime, s_client and s_server |
6113 |
applications. |
6114 |
[Steve Henson] |
6115 |
|
6116 |
*) Initial CRL based revocation checking. If the CRL checking flag(s) |
6117 |
are set then the CRL is looked up in the X509_STORE structure and |
6118 |
its validity and signature checked, then if the certificate is found |
6119 |
in the CRL the verify fails with a revoked error. |
6120 |
|
6121 |
Various new CRL related callbacks added to X509_STORE_CTX structure. |
6122 |
|
6123 |
Command line options added to 'verify' application to support this. |
6124 |
|
6125 |
This needs some additional work, such as being able to handle multiple |
6126 |
CRLs with different times, extension based lookup (rather than just |
6127 |
by subject name) and ultimately more complete V2 CRL extension |
6128 |
handling. |
6129 |
[Steve Henson] |
6130 |
|
6131 |
*) Add a general user interface API (crypto/ui/). This is designed |
6132 |
to replace things like des_read_password and friends (backward |
6133 |
compatibility functions using this new API are provided). |
6134 |
The purpose is to remove prompting functions from the DES code |
6135 |
section as well as provide for prompting through dialog boxes in |
6136 |
a window system and the like. |
6137 |
[Richard Levitte] |
6138 |
|
6139 |
*) Add "ex_data" support to ENGINE so implementations can add state at a |
6140 |
per-structure level rather than having to store it globally. |
6141 |
[Geoff] |
6142 |
|
6143 |
*) Make it possible for ENGINE structures to be copied when retrieved by |
6144 |
ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. |
6145 |
This causes the "original" ENGINE structure to act like a template, |
6146 |
analogous to the RSA vs. RSA_METHOD type of separation. Because of this |
6147 |
operational state can be localised to each ENGINE structure, despite the |
6148 |
fact they all share the same "methods". New ENGINE structures returned in |
6149 |
this case have no functional references and the return value is the single |
6150 |
structural reference. This matches the single structural reference returned |
6151 |
by ENGINE_by_id() normally, when it is incremented on the pre-existing |
6152 |
ENGINE structure. |
6153 |
[Geoff] |
6154 |
|
6155 |
*) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this |
6156 |
needs to match any other type at all we need to manually clear the |
6157 |
tag cache. |
6158 |
[Steve Henson] |
6159 |
|
6160 |
*) Changes to the "openssl engine" utility to include; |
6161 |
- verbosity levels ('-v', '-vv', and '-vvv') that provide information |
6162 |
about an ENGINE's available control commands. |
6163 |
- executing control commands from command line arguments using the |
6164 |
'-pre' and '-post' switches. '-post' is only used if '-t' is |
6165 |
specified and the ENGINE is successfully initialised. The syntax for |
6166 |
the individual commands are colon-separated, for example; |
6167 |
openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so |
6168 |
[Geoff] |
6169 |
|
6170 |
*) New dynamic control command support for ENGINEs. ENGINEs can now |
6171 |
declare their own commands (numbers), names (strings), descriptions, |
6172 |
and input types for run-time discovery by calling applications. A |
6173 |
subset of these commands are implicitly classed as "executable" |
6174 |
depending on their input type, and only these can be invoked through |
6175 |
the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this |
6176 |
can be based on user input, config files, etc). The distinction is |
6177 |
that "executable" commands cannot return anything other than a boolean |
6178 |
result and can only support numeric or string input, whereas some |
6179 |
discoverable commands may only be for direct use through |
6180 |
ENGINE_ctrl(), eg. supporting the exchange of binary data, function |
6181 |
pointers, or other custom uses. The "executable" commands are to |
6182 |
support parameterisations of ENGINE behaviour that can be |
6183 |
unambiguously defined by ENGINEs and used consistently across any |
6184 |
OpenSSL-based application. Commands have been added to all the |
6185 |
existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow |
6186 |
control over shared-library paths without source code alterations. |
6187 |
[Geoff] |
6188 |
|
6189 |
*) Changed all ENGINE implementations to dynamically allocate their |
6190 |
ENGINEs rather than declaring them statically. Apart from this being |
6191 |
necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, |
6192 |
this also allows the implementations to compile without using the |
6193 |
internal engine_int.h header. |
6194 |
[Geoff] |
6195 |
|
6196 |
*) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a |
6197 |
'const' value. Any code that should be able to modify a RAND_METHOD |
6198 |
should already have non-const pointers to it (ie. they should only |
6199 |
modify their own ones). |
6200 |
[Geoff] |
6201 |
|
6202 |
*) Made a variety of little tweaks to the ENGINE code. |
6203 |
- "atalla" and "ubsec" string definitions were moved from header files |
6204 |
to C code. "nuron" string definitions were placed in variables |
6205 |
rather than hard-coded - allowing parameterisation of these values |
6206 |
later on via ctrl() commands. |
6207 |
- Removed unused "#if 0"'d code. |
6208 |
- Fixed engine list iteration code so it uses ENGINE_free() to release |
6209 |
structural references. |
6210 |
- Constified the RAND_METHOD element of ENGINE structures. |
6211 |
- Constified various get/set functions as appropriate and added |
6212 |
missing functions (including a catch-all ENGINE_cpy that duplicates |
6213 |
all ENGINE values onto a new ENGINE except reference counts/state). |
6214 |
- Removed NULL parameter checks in get/set functions. Setting a method |
6215 |
or function to NULL is a way of cancelling out a previously set |
6216 |
value. Passing a NULL ENGINE parameter is just plain stupid anyway |
6217 |
and doesn't justify the extra error symbols and code. |
6218 |
- Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for |
6219 |
flags from engine_int.h to engine.h. |
6220 |
- Changed prototypes for ENGINE handler functions (init(), finish(), |
6221 |
ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. |
6222 |
[Geoff] |
6223 |
|
6224 |
*) Implement binary inversion algorithm for BN_mod_inverse in addition |
6225 |
to the algorithm using long division. The binary algorithm can be |
6226 |
used only if the modulus is odd. On 32-bit systems, it is faster |
6227 |
only for relatively small moduli (roughly 20-30% for 128-bit moduli, |
6228 |
roughly 5-15% for 256-bit moduli), so we use it only for moduli |
6229 |
up to 450 bits. In 64-bit environments, the binary algorithm |
6230 |
appears to be advantageous for much longer moduli; here we use it |
6231 |
for moduli up to 2048 bits. |
6232 |
[Bodo Moeller] |
6233 |
|
6234 |
*) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code |
6235 |
could not support the combine flag in choice fields. |
6236 |
[Steve Henson] |
6237 |
|
6238 |
*) Add a 'copy_extensions' option to the 'ca' utility. This copies |
6239 |
extensions from a certificate request to the certificate. |
6240 |
[Steve Henson] |
6241 |
|
6242 |
*) Allow multiple 'certopt' and 'nameopt' options to be separated |
6243 |
by commas. Add 'namopt' and 'certopt' options to the 'ca' config |
6244 |
file: this allows the display of the certificate about to be |
6245 |
signed to be customised, to allow certain fields to be included |
6246 |
or excluded and extension details. The old system didn't display |
6247 |
multicharacter strings properly, omitted fields not in the policy |
6248 |
and couldn't display additional details such as extensions. |
6249 |
[Steve Henson] |
6250 |
|
6251 |
*) Function EC_POINTs_mul for multiple scalar multiplication |
6252 |
of an arbitrary number of elliptic curve points |
6253 |
\sum scalars[i]*points[i], |
6254 |
optionally including the generator defined for the EC_GROUP: |
6255 |
scalar*generator + \sum scalars[i]*points[i]. |
6256 |
|
6257 |
EC_POINT_mul is a simple wrapper function for the typical case |
6258 |
that the point list has just one item (besides the optional |
6259 |
generator). |
6260 |
[Bodo Moeller] |
6261 |
|
6262 |
*) First EC_METHODs for curves over GF(p): |
6263 |
|
6264 |
EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr |
6265 |
operations and provides various method functions that can also |
6266 |
operate with faster implementations of modular arithmetic. |
6267 |
|
6268 |
EC_GFp_mont_method() reuses most functions that are part of |
6269 |
EC_GFp_simple_method, but uses Montgomery arithmetic. |
6270 |
|
6271 |
[Bodo Moeller; point addition and point doubling |
6272 |
implementation directly derived from source code provided by |
6273 |
Lenka Fibikova <fibikova@exp-math.uni-essen.de>] |
6274 |
|
6275 |
*) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, |
6276 |
crypto/ec/ec_lib.c): |
6277 |
|
6278 |
Curves are EC_GROUP objects (with an optional group generator) |
6279 |
based on EC_METHODs that are built into the library. |
6280 |
|
6281 |
Points are EC_POINT objects based on EC_GROUP objects. |
6282 |
|
6283 |
Most of the framework would be able to handle curves over arbitrary |
6284 |
finite fields, but as there are no obvious types for fields other |
6285 |
than GF(p), some functions are limited to that for now. |
6286 |
[Bodo Moeller] |
6287 |
|
6288 |
*) Add the -HTTP option to s_server. It is similar to -WWW, but requires |
6289 |
that the file contains a complete HTTP response. |
6290 |
[Richard Levitte] |
6291 |
|
6292 |
*) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl |
6293 |
change the def and num file printf format specifier from "%-40sXXX" |
6294 |
to "%-39s XXX". The latter will always guarantee a space after the |
6295 |
field while the former will cause them to run together if the field |
6296 |
is 40 of more characters long. |
6297 |
[Steve Henson] |
6298 |
|
6299 |
*) Constify the cipher and digest 'method' functions and structures |
6300 |
and modify related functions to take constant EVP_MD and EVP_CIPHER |
6301 |
pointers. |
6302 |
[Steve Henson] |
6303 |
|
6304 |
*) Hide BN_CTX structure details in bn_lcl.h instead of publishing them |
6305 |
in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32. |
6306 |
[Bodo Moeller] |
6307 |
|
6308 |
*) Modify EVP_Digest*() routines so they now return values. Although the |
6309 |
internal software routines can never fail additional hardware versions |
6310 |
might. |
6311 |
[Steve Henson] |
6312 |
|
6313 |
*) Clean up crypto/err/err.h and change some error codes to avoid conflicts: |
6314 |
|
6315 |
Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 |
6316 |
(= ERR_R_PKCS7_LIB); it is now 64 instead of 32. |
6317 |
|
6318 |
ASN1 error codes |
6319 |
ERR_R_NESTED_ASN1_ERROR |
6320 |
... |
6321 |
ERR_R_MISSING_ASN1_EOS |
6322 |
were 4 .. 9, conflicting with |
6323 |
ERR_LIB_RSA (= ERR_R_RSA_LIB) |
6324 |
... |
6325 |
ERR_LIB_PEM (= ERR_R_PEM_LIB). |
6326 |
They are now 58 .. 63 (i.e., just below ERR_R_FATAL). |
6327 |
|
6328 |
Add new error code 'ERR_R_INTERNAL_ERROR'. |
6329 |
[Bodo Moeller] |
6330 |
|
6331 |
*) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock |
6332 |
suffices. |
6333 |
[Bodo Moeller] |
6334 |
|
6335 |
*) New option '-subj arg' for 'openssl req' and 'openssl ca'. This |
6336 |
sets the subject name for a new request or supersedes the |
6337 |
subject name in a given request. Formats that can be parsed are |
6338 |
'CN=Some Name, OU=myOU, C=IT' |
6339 |
and |
6340 |
'CN=Some Name/OU=myOU/C=IT'. |
6341 |
|
6342 |
Add options '-batch' and '-verbose' to 'openssl req'. |
6343 |
[Massimiliano Pala <madwolf@hackmasters.net>] |
6344 |
|
6345 |
*) Introduce the possibility to access global variables through |
6346 |
functions on platform were that's the best way to handle exporting |
6347 |
global variables in shared libraries. To enable this functionality, |
6348 |
one must configure with "EXPORT_VAR_AS_FN" or defined the C macro |
6349 |
"OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter |
6350 |
is normally done by Configure or something similar). |
6351 |
|
6352 |
To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL |
6353 |
in the source file (foo.c) like this: |
6354 |
|
6355 |
OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; |
6356 |
OPENSSL_IMPLEMENT_GLOBAL(double,bar); |
6357 |
|
6358 |
To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL |
6359 |
and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: |
6360 |
|
6361 |
OPENSSL_DECLARE_GLOBAL(int,foo); |
6362 |
#define foo OPENSSL_GLOBAL_REF(foo) |
6363 |
OPENSSL_DECLARE_GLOBAL(double,bar); |
6364 |
#define bar OPENSSL_GLOBAL_REF(bar) |
6365 |
|
6366 |
The #defines are very important, and therefore so is including the |
6367 |
header file everywhere where the defined globals are used. |
6368 |
|
6369 |
The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition |
6370 |
of ASN.1 items, but that structure is a bit different. |
6371 |
|
6372 |
The largest change is in util/mkdef.pl which has been enhanced with |
6373 |
better and easier to understand logic to choose which symbols should |
6374 |
go into the Windows .def files as well as a number of fixes and code |
6375 |
cleanup (among others, algorithm keywords are now sorted |
6376 |
lexicographically to avoid constant rewrites). |
6377 |
[Richard Levitte] |
6378 |
|
6379 |
*) In BN_div() keep a copy of the sign of 'num' before writing the |
6380 |
result to 'rm' because if rm==num the value will be overwritten |
6381 |
and produce the wrong result if 'num' is negative: this caused |
6382 |
problems with BN_mod() and BN_nnmod(). |
6383 |
[Steve Henson] |
6384 |
|
6385 |
*) Function OCSP_request_verify(). This checks the signature on an |
6386 |
OCSP request and verifies the signer certificate. The signer |
6387 |
certificate is just checked for a generic purpose and OCSP request |
6388 |
trust settings. |
6389 |
[Steve Henson] |
6390 |
|
6391 |
*) Add OCSP_check_validity() function to check the validity of OCSP |
6392 |
responses. OCSP responses are prepared in real time and may only |
6393 |
be a few seconds old. Simply checking that the current time lies |
6394 |
between thisUpdate and nextUpdate max reject otherwise valid responses |
6395 |
caused by either OCSP responder or client clock inaccuracy. Instead |
6396 |
we allow thisUpdate and nextUpdate to fall within a certain period of |
6397 |
the current time. The age of the response can also optionally be |
6398 |
checked. Two new options -validity_period and -status_age added to |
6399 |
ocsp utility. |
6400 |
[Steve Henson] |
6401 |
|
6402 |
*) If signature or public key algorithm is unrecognized print out its |
6403 |
OID rather that just UNKNOWN. |
6404 |
[Steve Henson] |
6405 |
|
6406 |
*) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and |
6407 |
OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate |
6408 |
ID to be generated from the issuer certificate alone which can then be |
6409 |
passed to OCSP_id_issuer_cmp(). |
6410 |
[Steve Henson] |
6411 |
|
6412 |
*) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new |
6413 |
ASN1 modules to export functions returning ASN1_ITEM pointers |
6414 |
instead of the ASN1_ITEM structures themselves. This adds several |
6415 |
new macros which allow the underlying ASN1 function/structure to |
6416 |
be accessed transparently. As a result code should not use ASN1_ITEM |
6417 |
references directly (such as &X509_it) but instead use the relevant |
6418 |
macros (such as ASN1_ITEM_rptr(X509)). This option is to allow |
6419 |
use of the new ASN1 code on platforms where exporting structures |
6420 |
is problematical (for example in shared libraries) but exporting |
6421 |
functions returning pointers to structures is not. |
6422 |
[Steve Henson] |
6423 |
|
6424 |
*) Add support for overriding the generation of SSL/TLS session IDs. |
6425 |
These callbacks can be registered either in an SSL_CTX or per SSL. |
6426 |
The purpose of this is to allow applications to control, if they wish, |
6427 |
the arbitrary values chosen for use as session IDs, particularly as it |
6428 |
can be useful for session caching in multiple-server environments. A |
6429 |
command-line switch for testing this (and any client code that wishes |
6430 |
to use such a feature) has been added to "s_server". |
6431 |
[Geoff Thorpe, Lutz Jaenicke] |
6432 |
|
6433 |
*) Modify mkdef.pl to recognise and parse preprocessor conditionals |
6434 |
of the form '#if defined(...) || defined(...) || ...' and |
6435 |
'#if !defined(...) && !defined(...) && ...'. This also avoids |
6436 |
the growing number of special cases it was previously handling. |
6437 |
[Richard Levitte] |
6438 |
|
6439 |
*) Make all configuration macros available for application by making |
6440 |
sure they are available in opensslconf.h, by giving them names starting |
6441 |
with "OPENSSL_" to avoid conflicts with other packages and by making |
6442 |
sure e_os2.h will cover all platform-specific cases together with |
6443 |
opensslconf.h. |
6444 |
Additionally, it is now possible to define configuration/platform- |
6445 |
specific names (called "system identities"). In the C code, these |
6446 |
are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another |
6447 |
macro with the name beginning with "OPENSSL_SYS_", which is determined |
6448 |
from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on |
6449 |
what is available. |
6450 |
[Richard Levitte] |
6451 |
|
6452 |
*) New option -set_serial to 'req' and 'x509' this allows the serial |
6453 |
number to use to be specified on the command line. Previously self |
6454 |
signed certificates were hard coded with serial number 0 and the |
6455 |
CA options of 'x509' had to use a serial number in a file which was |
6456 |
auto incremented. |
6457 |
[Steve Henson] |
6458 |
|
6459 |
*) New options to 'ca' utility to support V2 CRL entry extensions. |
6460 |
Currently CRL reason, invalidity date and hold instruction are |
6461 |
supported. Add new CRL extensions to V3 code and some new objects. |
6462 |
[Steve Henson] |
6463 |
|
6464 |
*) New function EVP_CIPHER_CTX_set_padding() this is used to |
6465 |
disable standard block padding (aka PKCS#5 padding) in the EVP |
6466 |
API, which was previously mandatory. This means that the data is |
6467 |
not padded in any way and so the total length much be a multiple |
6468 |
of the block size, otherwise an error occurs. |
6469 |
[Steve Henson] |
6470 |
|
6471 |
*) Initial (incomplete) OCSP SSL support. |
6472 |
[Steve Henson] |
6473 |
|
6474 |
*) New function OCSP_parse_url(). This splits up a URL into its host, |
6475 |
port and path components: primarily to parse OCSP URLs. New -url |
6476 |
option to ocsp utility. |
6477 |
[Steve Henson] |
6478 |
|
6479 |
*) New nonce behavior. The return value of OCSP_check_nonce() now |
6480 |
reflects the various checks performed. Applications can decide |
6481 |
whether to tolerate certain situations such as an absent nonce |
6482 |
in a response when one was present in a request: the ocsp application |
6483 |
just prints out a warning. New function OCSP_add1_basic_nonce() |
6484 |
this is to allow responders to include a nonce in a response even if |
6485 |
the request is nonce-less. |
6486 |
[Steve Henson] |
6487 |
|
6488 |
*) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are |
6489 |
skipped when using openssl x509 multiple times on a single input file, |
6490 |
e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs". |
6491 |
[Bodo Moeller] |
6492 |
|
6493 |
*) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() |
6494 |
set string type: to handle setting ASN1_TIME structures. Fix ca |
6495 |
utility to correctly initialize revocation date of CRLs. |
6496 |
[Steve Henson] |
6497 |
|
6498 |
*) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override |
6499 |
the clients preferred ciphersuites and rather use its own preferences. |
6500 |
Should help to work around M$ SGC (Server Gated Cryptography) bug in |
6501 |
Internet Explorer by ensuring unchanged hash method during stepup. |
6502 |
(Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) |
6503 |
[Lutz Jaenicke] |
6504 |
|
6505 |
*) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael |
6506 |
to aes and add a new 'exist' option to print out symbols that don't |
6507 |
appear to exist. |
6508 |
[Steve Henson] |
6509 |
|
6510 |
*) Additional options to ocsp utility to allow flags to be set and |
6511 |
additional certificates supplied. |
6512 |
[Steve Henson] |
6513 |
|
6514 |
*) Add the option -VAfile to 'openssl ocsp', so the user can give the |
6515 |
OCSP client a number of certificate to only verify the response |
6516 |
signature against. |
6517 |
[Richard Levitte] |
6518 |
|
6519 |
*) Update Rijndael code to version 3.0 and change EVP AES ciphers to |
6520 |
handle the new API. Currently only ECB, CBC modes supported. Add new |
6521 |
AES OIDs. |
6522 |
|
6523 |
Add TLS AES ciphersuites as described in RFC3268, "Advanced |
6524 |
Encryption Standard (AES) Ciphersuites for Transport Layer |
6525 |
Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were |
6526 |
not enabled by default and were not part of the "ALL" ciphersuite |
6527 |
alias because they were not yet official; they could be |
6528 |
explicitly requested by specifying the "AESdraft" ciphersuite |
6529 |
group alias. In the final release of OpenSSL 0.9.7, the group |
6530 |
alias is called "AES" and is part of "ALL".) |
6531 |
[Ben Laurie, Steve Henson, Bodo Moeller] |
6532 |
|
6533 |
*) New function OCSP_copy_nonce() to copy nonce value (if present) from |
6534 |
request to response. |
6535 |
[Steve Henson] |
6536 |
|
6537 |
*) Functions for OCSP responders. OCSP_request_onereq_count(), |
6538 |
OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() |
6539 |
extract information from a certificate request. OCSP_response_create() |
6540 |
creates a response and optionally adds a basic response structure. |
6541 |
OCSP_basic_add1_status() adds a complete single response to a basic |
6542 |
response and returns the OCSP_SINGLERESP structure just added (to allow |
6543 |
extensions to be included for example). OCSP_basic_add1_cert() adds a |
6544 |
certificate to a basic response and OCSP_basic_sign() signs a basic |
6545 |
response with various flags. New helper functions ASN1_TIME_check() |
6546 |
(checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() |
6547 |
(converts ASN1_TIME to GeneralizedTime). |
6548 |
[Steve Henson] |
6549 |
|
6550 |
*) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() |
6551 |
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key |
6552 |
structure from a certificate. X509_pubkey_digest() digests the public_key |
6553 |
contents: this is used in various key identifiers. |
6554 |
[Steve Henson] |
6555 |
|
6556 |
*) Make sk_sort() tolerate a NULL argument. |
6557 |
[Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>] |
6558 |
|
6559 |
*) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates |
6560 |
passed by the function are trusted implicitly. If any of them signed the |
6561 |
response then it is assumed to be valid and is not verified. |
6562 |
[Steve Henson] |
6563 |
|
6564 |
*) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT |
6565 |
to data. This was previously part of the PKCS7 ASN1 code. This |
6566 |
was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. |
6567 |
[Steve Henson, reported by Kenneth R. Robinette |
6568 |
<support@securenetterm.com>] |
6569 |
|
6570 |
*) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 |
6571 |
routines: without these tracing memory leaks is very painful. |
6572 |
Fix leaks in PKCS12 and PKCS7 routines. |
6573 |
[Steve Henson] |
6574 |
|
6575 |
*) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). |
6576 |
Previously it initialised the 'type' argument to V_ASN1_UTCTIME which |
6577 |
effectively meant GeneralizedTime would never be used. Now it |
6578 |
is initialised to -1 but X509_time_adj() now has to check the value |
6579 |
and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or |
6580 |
V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. |
6581 |
[Steve Henson, reported by Kenneth R. Robinette |
6582 |
<support@securenetterm.com>] |
6583 |
|
6584 |
*) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously |
6585 |
result in a zero length in the ASN1_INTEGER structure which was |
6586 |
not consistent with the structure when d2i_ASN1_INTEGER() was used |
6587 |
and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() |
6588 |
to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() |
6589 |
where it did not print out a minus for negative ASN1_INTEGER. |
6590 |
[Steve Henson] |
6591 |
|
6592 |
*) Add summary printout to ocsp utility. The various functions which |
6593 |
convert status values to strings have been renamed to: |
6594 |
OCSP_response_status_str(), OCSP_cert_status_str() and |
6595 |
OCSP_crl_reason_str() and are no longer static. New options |
6596 |
to verify nonce values and to disable verification. OCSP response |
6597 |
printout format cleaned up. |
6598 |
[Steve Henson] |
6599 |
|
6600 |
*) Add additional OCSP certificate checks. These are those specified |
6601 |
in RFC2560. This consists of two separate checks: the CA of the |
6602 |
certificate being checked must either be the OCSP signer certificate |
6603 |
or the issuer of the OCSP signer certificate. In the latter case the |
6604 |
OCSP signer certificate must contain the OCSP signing extended key |
6605 |
usage. This check is performed by attempting to match the OCSP |
6606 |
signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash |
6607 |
in the OCSP_CERTID structures of the response. |
6608 |
[Steve Henson] |
6609 |
|
6610 |
*) Initial OCSP certificate verification added to OCSP_basic_verify() |
6611 |
and related routines. This uses the standard OpenSSL certificate |
6612 |
verify routines to perform initial checks (just CA validity) and |
6613 |
to obtain the certificate chain. Then additional checks will be |
6614 |
performed on the chain. Currently the root CA is checked to see |
6615 |
if it is explicitly trusted for OCSP signing. This is used to set |
6616 |
a root CA as a global signing root: that is any certificate that |
6617 |
chains to that CA is an acceptable OCSP signing certificate. |
6618 |
[Steve Henson] |
6619 |
|
6620 |
*) New '-extfile ...' option to 'openssl ca' for reading X.509v3 |
6621 |
extensions from a separate configuration file. |
6622 |
As when reading extensions from the main configuration file, |
6623 |
the '-extensions ...' option may be used for specifying the |
6624 |
section to use. |
6625 |
[Massimiliano Pala <madwolf@comune.modena.it>] |
6626 |
|
6627 |
*) New OCSP utility. Allows OCSP requests to be generated or |
6628 |
read. The request can be sent to a responder and the output |
6629 |
parsed, outputed or printed in text form. Not complete yet: |
6630 |
still needs to check the OCSP response validity. |
6631 |
[Steve Henson] |
6632 |
|
6633 |
*) New subcommands for 'openssl ca': |
6634 |
'openssl ca -status <serial>' prints the status of the cert with |
6635 |
the given serial number (according to the index file). |
6636 |
'openssl ca -updatedb' updates the expiry status of certificates |
6637 |
in the index file. |
6638 |
[Massimiliano Pala <madwolf@comune.modena.it>] |
6639 |
|
6640 |
*) New '-newreq-nodes' command option to CA.pl. This is like |
6641 |
'-newreq', but calls 'openssl req' with the '-nodes' option |
6642 |
so that the resulting key is not encrypted. |
6643 |
[Damien Miller <djm@mindrot.org>] |
6644 |
|
6645 |
*) New configuration for the GNU Hurd. |
6646 |
[Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte] |
6647 |
|
6648 |
*) Initial code to implement OCSP basic response verify. This |
6649 |
is currently incomplete. Currently just finds the signer's |
6650 |
certificate and verifies the signature on the response. |
6651 |
[Steve Henson] |
6652 |
|
6653 |
*) New SSLeay_version code SSLEAY_DIR to determine the compiled-in |
6654 |
value of OPENSSLDIR. This is available via the new '-d' option |
6655 |
to 'openssl version', and is also included in 'openssl version -a'. |
6656 |
[Bodo Moeller] |
6657 |
|
6658 |
*) Allowing defining memory allocation callbacks that will be given |
6659 |
file name and line number information in additional arguments |
6660 |
(a const char* and an int). The basic functionality remains, as |
6661 |
well as the original possibility to just replace malloc(), |
6662 |
realloc() and free() by functions that do not know about these |
6663 |
additional arguments. To register and find out the current |
6664 |
settings for extended allocation functions, the following |
6665 |
functions are provided: |
6666 |
|
6667 |
CRYPTO_set_mem_ex_functions |
6668 |
CRYPTO_set_locked_mem_ex_functions |
6669 |
CRYPTO_get_mem_ex_functions |
6670 |
CRYPTO_get_locked_mem_ex_functions |
6671 |
|
6672 |
These work the same way as CRYPTO_set_mem_functions and friends. |
6673 |
CRYPTO_get_[locked_]mem_functions now writes 0 where such an |
6674 |
extended allocation function is enabled. |
6675 |
Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where |
6676 |
a conventional allocation function is enabled. |
6677 |
[Richard Levitte, Bodo Moeller] |
6678 |
|
6679 |
*) Finish off removing the remaining LHASH function pointer casts. |
6680 |
There should no longer be any prototype-casting required when using |
6681 |
the LHASH abstraction, and any casts that remain are "bugs". See |
6682 |
the callback types and macros at the head of lhash.h for details |
6683 |
(and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). |
6684 |
[Geoff Thorpe] |
6685 |
|
6686 |
*) Add automatic query of EGD sockets in RAND_poll() for the unix variant. |
6687 |
If /dev/[u]random devices are not available or do not return enough |
6688 |
entropy, EGD style sockets (served by EGD or PRNGD) will automatically |
6689 |
be queried. |
6690 |
The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and |
6691 |
/etc/entropy will be queried once each in this sequence, quering stops |
6692 |
when enough entropy was collected without querying more sockets. |
6693 |
[Lutz Jaenicke] |
6694 |
|
6695 |
*) Change the Unix RAND_poll() variant to be able to poll several |
6696 |
random devices, as specified by DEVRANDOM, until a sufficient amount |
6697 |
of data has been collected. We spend at most 10 ms on each file |
6698 |
(select timeout) and read in non-blocking mode. DEVRANDOM now |
6699 |
defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" |
6700 |
(previously it was just the string "/dev/urandom"), so on typical |
6701 |
platforms the 10 ms delay will never occur. |
6702 |
Also separate out the Unix variant to its own file, rand_unix.c. |
6703 |
For VMS, there's a currently-empty rand_vms.c. |
6704 |
[Richard Levitte] |
6705 |
|
6706 |
*) Move OCSP client related routines to ocsp_cl.c. These |
6707 |
provide utility functions which an application needing |
6708 |
to issue a request to an OCSP responder and analyse the |
6709 |
response will typically need: as opposed to those which an |
6710 |
OCSP responder itself would need which will be added later. |
6711 |
|
6712 |
OCSP_request_sign() signs an OCSP request with an API similar |
6713 |
to PKCS7_sign(). OCSP_response_status() returns status of OCSP |
6714 |
response. OCSP_response_get1_basic() extracts basic response |
6715 |
from response. OCSP_resp_find_status(): finds and extracts status |
6716 |
information from an OCSP_CERTID structure (which will be created |
6717 |
when the request structure is built). These are built from lower |
6718 |
level functions which work on OCSP_SINGLERESP structures but |
6719 |
wont normally be used unless the application wishes to examine |
6720 |
extensions in the OCSP response for example. |
6721 |
|
6722 |
Replace nonce routines with a pair of functions. |
6723 |
OCSP_request_add1_nonce() adds a nonce value and optionally |
6724 |
generates a random value. OCSP_check_nonce() checks the |
6725 |
validity of the nonce in an OCSP response. |
6726 |
[Steve Henson] |
6727 |
|
6728 |
*) Change function OCSP_request_add() to OCSP_request_add0_id(). |
6729 |
This doesn't copy the supplied OCSP_CERTID and avoids the |
6730 |
need to free up the newly created id. Change return type |
6731 |
to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. |
6732 |
This can then be used to add extensions to the request. |
6733 |
Deleted OCSP_request_new(), since most of its functionality |
6734 |
is now in OCSP_REQUEST_new() (and the case insensitive name |
6735 |
clash) apart from the ability to set the request name which |
6736 |
will be added elsewhere. |
6737 |
[Steve Henson] |
6738 |
|
6739 |
*) Update OCSP API. Remove obsolete extensions argument from |
6740 |
various functions. Extensions are now handled using the new |
6741 |
OCSP extension code. New simple OCSP HTTP function which |
6742 |
can be used to send requests and parse the response. |
6743 |
[Steve Henson] |
6744 |
|
6745 |
*) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new |
6746 |
ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN |
6747 |
uses the special reorder version of SET OF to sort the attributes |
6748 |
and reorder them to match the encoded order. This resolves a long |
6749 |
standing problem: a verify on a PKCS7 structure just after signing |
6750 |
it used to fail because the attribute order did not match the |
6751 |
encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: |
6752 |
it uses the received order. This is necessary to tolerate some broken |
6753 |
software that does not order SET OF. This is handled by encoding |
6754 |
as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) |
6755 |
to produce the required SET OF. |
6756 |
[Steve Henson] |
6757 |
|
6758 |
*) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and |
6759 |
OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header |
6760 |
files to get correct declarations of the ASN.1 item variables. |
6761 |
[Richard Levitte] |
6762 |
|
6763 |
*) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many |
6764 |
PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: |
6765 |
asn1_check_tlen() would sometimes attempt to use 'ctx' when it was |
6766 |
NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). |
6767 |
New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant |
6768 |
ASN1_ITEM and no wrapper functions. |
6769 |
[Steve Henson] |
6770 |
|
6771 |
*) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These |
6772 |
replace the old function pointer based I/O routines. Change most of |
6773 |
the *_d2i_bio() and *_d2i_fp() functions to use these. |
6774 |
[Steve Henson] |
6775 |
|
6776 |
*) Enhance mkdef.pl to be more accepting about spacing in C preprocessor |
6777 |
lines, recognice more "algorithms" that can be deselected, and make |
6778 |
it complain about algorithm deselection that isn't recognised. |
6779 |
[Richard Levitte] |
6780 |
|
6781 |
*) New ASN1 functions to handle dup, sign, verify, digest, pack and |
6782 |
unpack operations in terms of ASN1_ITEM. Modify existing wrappers |
6783 |
to use new functions. Add NO_ASN1_OLD which can be set to remove |
6784 |
some old style ASN1 functions: this can be used to determine if old |
6785 |
code will still work when these eventually go away. |
6786 |
[Steve Henson] |
6787 |
|
6788 |
*) New extension functions for OCSP structures, these follow the |
6789 |
same conventions as certificates and CRLs. |
6790 |
[Steve Henson] |
6791 |
|
6792 |
*) New function X509V3_add1_i2d(). This automatically encodes and |
6793 |
adds an extension. Its behaviour can be customised with various |
6794 |
flags to append, replace or delete. Various wrappers added for |
6795 |
certifcates and CRLs. |
6796 |
[Steve Henson] |
6797 |
|
6798 |
*) Fix to avoid calling the underlying ASN1 print routine when |
6799 |
an extension cannot be parsed. Correct a typo in the |
6800 |
OCSP_SERVICELOC extension. Tidy up print OCSP format. |
6801 |
[Steve Henson] |
6802 |
|
6803 |
*) Make mkdef.pl parse some of the ASN1 macros and add apropriate |
6804 |
entries for variables. |
6805 |
[Steve Henson] |
6806 |
|
6807 |
*) Add functionality to apps/openssl.c for detecting locking |
6808 |
problems: As the program is single-threaded, all we have |
6809 |
to do is register a locking callback using an array for |
6810 |
storing which locks are currently held by the program. |
6811 |
[Bodo Moeller] |
6812 |
|
6813 |
*) Use a lock around the call to CRYPTO_get_ex_new_index() in |
6814 |
SSL_get_ex_data_X509_STORE_idx(), which is used in |
6815 |
ssl_verify_cert_chain() and thus can be called at any time |
6816 |
during TLS/SSL handshakes so that thread-safety is essential. |
6817 |
Unfortunately, the ex_data design is not at all suited |
6818 |
for multi-threaded use, so it probably should be abolished. |
6819 |
[Bodo Moeller] |
6820 |
|
6821 |
*) Added Broadcom "ubsec" ENGINE to OpenSSL. |
6822 |
[Broadcom, tweaked and integrated by Geoff Thorpe] |
6823 |
|
6824 |
*) Move common extension printing code to new function |
6825 |
X509V3_print_extensions(). Reorganise OCSP print routines and |
6826 |
implement some needed OCSP ASN1 functions. Add OCSP extensions. |
6827 |
[Steve Henson] |
6828 |
|
6829 |
*) New function X509_signature_print() to remove duplication in some |
6830 |
print routines. |
6831 |
[Steve Henson] |
6832 |
|
6833 |
*) Add a special meaning when SET OF and SEQUENCE OF flags are both |
6834 |
set (this was treated exactly the same as SET OF previously). This |
6835 |
is used to reorder the STACK representing the structure to match the |
6836 |
encoding. This will be used to get round a problem where a PKCS7 |
6837 |
structure which was signed could not be verified because the STACK |
6838 |
order did not reflect the encoded order. |
6839 |
[Steve Henson] |
6840 |
|
6841 |
*) Reimplement the OCSP ASN1 module using the new code. |
6842 |
[Steve Henson] |
6843 |
|
6844 |
*) Update the X509V3 code to permit the use of an ASN1_ITEM structure |
6845 |
for its ASN1 operations. The old style function pointers still exist |
6846 |
for now but they will eventually go away. |
6847 |
[Steve Henson] |
6848 |
|
6849 |
*) Merge in replacement ASN1 code from the ASN1 branch. This almost |
6850 |
completely replaces the old ASN1 functionality with a table driven |
6851 |
encoder and decoder which interprets an ASN1_ITEM structure describing |
6852 |
the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is |
6853 |
largely maintained. Almost all of the old asn1_mac.h macro based ASN1 |
6854 |
has also been converted to the new form. |
6855 |
[Steve Henson] |
6856 |
|
6857 |
*) Change BN_mod_exp_recp so that negative moduli are tolerated |
6858 |
(the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set |
6859 |
so that BN_mod_exp_mont and BN_mod_exp_mont_word work |
6860 |
for negative moduli. |
6861 |
[Bodo Moeller] |
6862 |
|
6863 |
*) Fix BN_uadd and BN_usub: Always return non-negative results instead |
6864 |
of not touching the result's sign bit. |
6865 |
[Bodo Moeller] |
6866 |
|
6867 |
*) BN_div bugfix: If the result is 0, the sign (res->neg) must not be |
6868 |
set. |
6869 |
[Bodo Moeller] |
6870 |
|
6871 |
*) Changed the LHASH code to use prototypes for callbacks, and created |
6872 |
macros to declare and implement thin (optionally static) functions |
6873 |
that provide type-safety and avoid function pointer casting for the |
6874 |
type-specific callbacks. |
6875 |
[Geoff Thorpe] |
6876 |
|
6877 |
*) Added Kerberos Cipher Suites to be used with TLS, as written in |
6878 |
RFC 2712. |
6879 |
[Veers Staats <staatsvr@asc.hpc.mil>, |
6880 |
Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte] |
6881 |
|
6882 |
*) Reformat the FAQ so the different questions and answers can be divided |
6883 |
in sections depending on the subject. |
6884 |
[Richard Levitte] |
6885 |
|
6886 |
*) Have the zlib compression code load ZLIB.DLL dynamically under |
6887 |
Windows. |
6888 |
[Richard Levitte] |
6889 |
|
6890 |
*) New function BN_mod_sqrt for computing square roots modulo a prime |
6891 |
(using the probabilistic Tonelli-Shanks algorithm unless |
6892 |
p == 3 (mod 4) or p == 5 (mod 8), which are cases that can |
6893 |
be handled deterministically). |
6894 |
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] |
6895 |
|
6896 |
*) Make BN_mod_inverse faster by explicitly handling small quotients |
6897 |
in the Euclid loop. (Speed gain about 20% for small moduli [256 or |
6898 |
512 bits], about 30% for larger ones [1024 or 2048 bits].) |
6899 |
[Bodo Moeller] |
6900 |
|
6901 |
*) New function BN_kronecker. |
6902 |
[Bodo Moeller] |
6903 |
|
6904 |
*) Fix BN_gcd so that it works on negative inputs; the result is |
6905 |
positive unless both parameters are zero. |
6906 |
Previously something reasonably close to an infinite loop was |
6907 |
possible because numbers could be growing instead of shrinking |
6908 |
in the implementation of Euclid's algorithm. |
6909 |
[Bodo Moeller] |
6910 |
|
6911 |
*) Fix BN_is_word() and BN_is_one() macros to take into account the |
6912 |
sign of the number in question. |
6913 |
|
6914 |
Fix BN_is_word(a,w) to work correctly for w == 0. |
6915 |
|
6916 |
The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w) |
6917 |
because its test if the absolute value of 'a' equals 'w'. |
6918 |
Note that BN_abs_is_word does *not* handle w == 0 reliably; |
6919 |
it exists mostly for use in the implementations of BN_is_zero(), |
6920 |
BN_is_one(), and BN_is_word(). |
6921 |
[Bodo Moeller] |
6922 |
|
6923 |
*) New function BN_swap. |
6924 |
[Bodo Moeller] |
6925 |
|
6926 |
*) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that |
6927 |
the exponentiation functions are more likely to produce reasonable |
6928 |
results on negative inputs. |
6929 |
[Bodo Moeller] |
6930 |
|
6931 |
*) Change BN_mod_mul so that the result is always non-negative. |
6932 |
Previously, it could be negative if one of the factors was negative; |
6933 |
I don't think anyone really wanted that behaviour. |
6934 |
[Bodo Moeller] |
6935 |
|
6936 |
*) Move BN_mod_... functions into new file crypto/bn/bn_mod.c |
6937 |
(except for exponentiation, which stays in crypto/bn/bn_exp.c, |
6938 |
and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c) |
6939 |
and add new functions: |
6940 |
|
6941 |
BN_nnmod |
6942 |
BN_mod_sqr |
6943 |
BN_mod_add |
6944 |
BN_mod_add_quick |
6945 |
BN_mod_sub |
6946 |
BN_mod_sub_quick |
6947 |
BN_mod_lshift1 |
6948 |
BN_mod_lshift1_quick |
6949 |
BN_mod_lshift |
6950 |
BN_mod_lshift_quick |
6951 |
|
6952 |
These functions always generate non-negative results. |
6953 |
|
6954 |
BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r |
6955 |
such that |m| < r < 0, BN_nnmod will output rem + |m| instead). |
6956 |
|
6957 |
BN_mod_XXX_quick(r, a, [b,] m) generates the same result as |
6958 |
BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b] |
6959 |
be reduced modulo m. |
6960 |
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] |
6961 |
|
6962 |
#if 0 |
6963 |
The following entry accidentily appeared in the CHANGES file |
6964 |
distributed with OpenSSL 0.9.7. The modifications described in |
6965 |
it do *not* apply to OpenSSL 0.9.7. |
6966 |
|
6967 |
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there |
6968 |
was actually never needed) and in BN_mul(). The removal in BN_mul() |
6969 |
required a small change in bn_mul_part_recursive() and the addition |
6970 |
of the functions bn_cmp_part_words(), bn_sub_part_words() and |
6971 |
bn_add_part_words(), which do the same thing as bn_cmp_words(), |
6972 |
bn_sub_words() and bn_add_words() except they take arrays with |
6973 |
differing sizes. |
6974 |
[Richard Levitte] |
6975 |
#endif |
6976 |
|
6977 |
*) In 'openssl passwd', verify passwords read from the terminal |
6978 |
unless the '-salt' option is used (which usually means that |
6979 |
verification would just waste user's time since the resulting |
6980 |
hash is going to be compared with some given password hash) |
6981 |
or the new '-noverify' option is used. |
6982 |
|
6983 |
This is an incompatible change, but it does not affect |
6984 |
non-interactive use of 'openssl passwd' (passwords on the command |
6985 |
line, '-stdin' option, '-in ...' option) and thus should not |
6986 |
cause any problems. |
6987 |
[Bodo Moeller] |
6988 |
|
6989 |
*) Remove all references to RSAref, since there's no more need for it. |
6990 |
[Richard Levitte] |
6991 |
|
6992 |
*) Make DSO load along a path given through an environment variable |
6993 |
(SHLIB_PATH) with shl_load(). |
6994 |
[Richard Levitte] |
6995 |
|
6996 |
*) Constify the ENGINE code as a result of BIGNUM constification. |
6997 |
Also constify the RSA code and most things related to it. In a |
6998 |
few places, most notable in the depth of the ASN.1 code, ugly |
6999 |
casts back to non-const were required (to be solved at a later |
7000 |
time) |
7001 |
[Richard Levitte] |
7002 |
|
7003 |
*) Make it so the openssl application has all engines loaded by default. |
7004 |
[Richard Levitte] |
7005 |
|
7006 |
*) Constify the BIGNUM routines a little more. |
7007 |
[Richard Levitte] |
7008 |
|
7009 |
*) Add the following functions: |
7010 |
|
7011 |
ENGINE_load_cswift() |
7012 |
ENGINE_load_chil() |
7013 |
ENGINE_load_atalla() |
7014 |
ENGINE_load_nuron() |
7015 |
ENGINE_load_builtin_engines() |
7016 |
|
7017 |
That way, an application can itself choose if external engines that |
7018 |
are built-in in OpenSSL shall ever be used or not. The benefit is |
7019 |
that applications won't have to be linked with libdl or other dso |
7020 |
libraries unless it's really needed. |
7021 |
|
7022 |
Changed 'openssl engine' to load all engines on demand. |
7023 |
Changed the engine header files to avoid the duplication of some |
7024 |
declarations (they differed!). |
7025 |
[Richard Levitte] |
7026 |
|
7027 |
*) 'openssl engine' can now list capabilities. |
7028 |
[Richard Levitte] |
7029 |
|
7030 |
*) Better error reporting in 'openssl engine'. |
7031 |
[Richard Levitte] |
7032 |
|
7033 |
*) Never call load_dh_param(NULL) in s_server. |
7034 |
[Bodo Moeller] |
7035 |
|
7036 |
*) Add engine application. It can currently list engines by name and |
7037 |
identity, and test if they are actually available. |
7038 |
[Richard Levitte] |
7039 |
|
7040 |
*) Improve RPM specification file by forcing symbolic linking and making |
7041 |
sure the installed documentation is also owned by root.root. |
7042 |
[Damien Miller <djm@mindrot.org>] |
7043 |
|
7044 |
*) Give the OpenSSL applications more possibilities to make use of |
7045 |
keys (public as well as private) handled by engines. |
7046 |
[Richard Levitte] |
7047 |
|
7048 |
*) Add OCSP code that comes from CertCo. |
7049 |
[Richard Levitte] |
7050 |
|
7051 |
*) Add VMS support for the Rijndael code. |
7052 |
[Richard Levitte] |
7053 |
|
7054 |
*) Added untested support for Nuron crypto accelerator. |
7055 |
[Ben Laurie] |
7056 |
|
7057 |
*) Add support for external cryptographic devices. This code was |
7058 |
previously distributed separately as the "engine" branch. |
7059 |
[Geoff Thorpe, Richard Levitte] |
7060 |
|
7061 |
*) Rework the filename-translation in the DSO code. It is now possible to |
7062 |
have far greater control over how a "name" is turned into a filename |
7063 |
depending on the operating environment and any oddities about the |
7064 |
different shared library filenames on each system. |
7065 |
[Geoff Thorpe] |
7066 |
|
7067 |
*) Support threads on FreeBSD-elf in Configure. |
7068 |
[Richard Levitte] |
7069 |
|
7070 |
*) Fix for SHA1 assembly problem with MASM: it produces |
7071 |
warnings about corrupt line number information when assembling |
7072 |
with debugging information. This is caused by the overlapping |
7073 |
of two sections. |
7074 |
[Bernd Matthes <mainbug@celocom.de>, Steve Henson] |
7075 |
|
7076 |
*) NCONF changes. |
7077 |
NCONF_get_number() has no error checking at all. As a replacement, |
7078 |
NCONF_get_number_e() is defined (_e for "error checking") and is |
7079 |
promoted strongly. The old NCONF_get_number is kept around for |
7080 |
binary backward compatibility. |
7081 |
Make it possible for methods to load from something other than a BIO, |
7082 |
by providing a function pointer that is given a name instead of a BIO. |
7083 |
For example, this could be used to load configuration data from an |
7084 |
LDAP server. |
7085 |
[Richard Levitte] |
7086 |
|
7087 |
*) Fix for non blocking accept BIOs. Added new I/O special reason |
7088 |
BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs |
7089 |
with non blocking I/O was not possible because no retry code was |
7090 |
implemented. Also added new SSL code SSL_WANT_ACCEPT to cover |
7091 |
this case. |
7092 |
[Steve Henson] |
7093 |
|
7094 |
*) Added the beginnings of Rijndael support. |
7095 |
[Ben Laurie] |
7096 |
|
7097 |
*) Fix for bug in DirectoryString mask setting. Add support for |
7098 |
X509_NAME_print_ex() in 'req' and X509_print_ex() function |
7099 |
to allow certificate printing to more controllable, additional |
7100 |
'certopt' option to 'x509' to allow new printing options to be |
7101 |
set. |
7102 |
[Steve Henson] |
7103 |
|
7104 |
*) Clean old EAY MD5 hack from e_os.h. |
7105 |
[Richard Levitte] |
7106 |
|
7107 |
Changes between 0.9.6l and 0.9.6m [17 Mar 2004] |
7108 |
|
7109 |
*) Fix null-pointer assignment in do_change_cipher_spec() revealed |
7110 |
by using the Codenomicon TLS Test Tool (CVE-2004-0079) |
7111 |
[Joe Orton, Steve Henson] |
7112 |
|
7113 |
Changes between 0.9.6k and 0.9.6l [04 Nov 2003] |
7114 |
|
7115 |
*) Fix additional bug revealed by the NISCC test suite: |
7116 |
|
7117 |
Stop bug triggering large recursion when presented with |
7118 |
certain ASN.1 tags (CVE-2003-0851) |
7119 |
[Steve Henson] |
7120 |
|
7121 |
Changes between 0.9.6j and 0.9.6k [30 Sep 2003] |
7122 |
|
7123 |
*) Fix various bugs revealed by running the NISCC test suite: |
7124 |
|
7125 |
Stop out of bounds reads in the ASN1 code when presented with |
7126 |
invalid tags (CVE-2003-0543 and CVE-2003-0544). |
7127 |
|
7128 |
If verify callback ignores invalid public key errors don't try to check |
7129 |
certificate signature with the NULL public key. |
7130 |
|
7131 |
[Steve Henson] |
7132 |
|
7133 |
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate |
7134 |
if the server requested one: as stated in TLS 1.0 and SSL 3.0 |
7135 |
specifications. |
7136 |
[Steve Henson] |
7137 |
|
7138 |
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional |
7139 |
extra data after the compression methods not only for TLS 1.0 |
7140 |
but also for SSL 3.0 (as required by the specification). |
7141 |
[Bodo Moeller; problem pointed out by Matthias Loepfe] |
7142 |
|
7143 |
*) Change X509_certificate_type() to mark the key as exported/exportable |
7144 |
when it's 512 *bits* long, not 512 bytes. |
7145 |
[Richard Levitte] |
7146 |
|
7147 |
Changes between 0.9.6i and 0.9.6j [10 Apr 2003] |
7148 |
|
7149 |
*) Countermeasure against the Klima-Pokorny-Rosa extension of |
7150 |
Bleichbacher's attack on PKCS #1 v1.5 padding: treat |
7151 |
a protocol version number mismatch like a decryption error |
7152 |
in ssl3_get_client_key_exchange (ssl/s3_srvr.c). |
7153 |
[Bodo Moeller] |
7154 |
|
7155 |
*) Turn on RSA blinding by default in the default implementation |
7156 |
to avoid a timing attack. Applications that don't want it can call |
7157 |
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. |
7158 |
They would be ill-advised to do so in most cases. |
7159 |
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] |
7160 |
|
7161 |
*) Change RSA blinding code so that it works when the PRNG is not |
7162 |
seeded (in this case, the secret RSA exponent is abused as |
7163 |
an unpredictable seed -- if it is not unpredictable, there |
7164 |
is no point in blinding anyway). Make RSA blinding thread-safe |
7165 |
by remembering the creator's thread ID in rsa->blinding and |
7166 |
having all other threads use local one-time blinding factors |
7167 |
(this requires more computation than sharing rsa->blinding, but |
7168 |
avoids excessive locking; and if an RSA object is not shared |
7169 |
between threads, blinding will still be very fast). |
7170 |
[Bodo Moeller] |
7171 |
|
7172 |
Changes between 0.9.6h and 0.9.6i [19 Feb 2003] |
7173 |
|
7174 |
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked |
7175 |
via timing by performing a MAC computation even if incorrrect |
7176 |
block cipher padding has been found. This is a countermeasure |
7177 |
against active attacks where the attacker has to distinguish |
7178 |
between bad padding and a MAC verification error. (CVE-2003-0078) |
7179 |
|
7180 |
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL), |
7181 |
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and |
7182 |
Martin Vuagnoux (EPFL, Ilion)] |
7183 |
|
7184 |
Changes between 0.9.6g and 0.9.6h [5 Dec 2002] |
7185 |
|
7186 |
*) New function OPENSSL_cleanse(), which is used to cleanse a section of |
7187 |
memory from it's contents. This is done with a counter that will |
7188 |
place alternating values in each byte. This can be used to solve |
7189 |
two issues: 1) the removal of calls to memset() by highly optimizing |
7190 |
compilers, and 2) cleansing with other values than 0, since those can |
7191 |
be read through on certain media, for example a swap space on disk. |
7192 |
[Geoff Thorpe] |
7193 |
|
7194 |
*) Bugfix: client side session caching did not work with external caching, |
7195 |
because the session->cipher setting was not restored when reloading |
7196 |
from the external cache. This problem was masked, when |
7197 |
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. |
7198 |
(Found by Steve Haslam <steve@araqnid.ddts.net>.) |
7199 |
[Lutz Jaenicke] |
7200 |
|
7201 |
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total |
7202 |
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. |
7203 |
[Zeev Lieber <zeev-l@yahoo.com>] |
7204 |
|
7205 |
*) Undo an undocumented change introduced in 0.9.6e which caused |
7206 |
repeated calls to OpenSSL_add_all_ciphers() and |
7207 |
OpenSSL_add_all_digests() to be ignored, even after calling |
7208 |
EVP_cleanup(). |
7209 |
[Richard Levitte] |
7210 |
|
7211 |
*) Change the default configuration reader to deal with last line not |
7212 |
being properly terminated. |
7213 |
[Richard Levitte] |
7214 |
|
7215 |
*) Change X509_NAME_cmp() so it applies the special rules on handling |
7216 |
DN values that are of type PrintableString, as well as RDNs of type |
7217 |
emailAddress where the value has the type ia5String. |
7218 |
[stefank@valicert.com via Richard Levitte] |
7219 |
|
7220 |
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half |
7221 |
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently |
7222 |
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be |
7223 |
the bitwise-OR of the two for use by the majority of applications |
7224 |
wanting this behaviour, and update the docs. The documented |
7225 |
behaviour and actual behaviour were inconsistent and had been |
7226 |
changing anyway, so this is more a bug-fix than a behavioural |
7227 |
change. |
7228 |
[Geoff Thorpe, diagnosed by Nadav Har'El] |
7229 |
|
7230 |
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c |
7231 |
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). |
7232 |
[Bodo Moeller] |
7233 |
|
7234 |
*) Fix initialization code race conditions in |
7235 |
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), |
7236 |
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), |
7237 |
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), |
7238 |
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), |
7239 |
ssl2_get_cipher_by_char(), |
7240 |
ssl3_get_cipher_by_char(). |
7241 |
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller] |
7242 |
|
7243 |
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after |
7244 |
the cached sessions are flushed, as the remove_cb() might use ex_data |
7245 |
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com> |
7246 |
(see [openssl.org #212]). |
7247 |
[Geoff Thorpe, Lutz Jaenicke] |
7248 |
|
7249 |
*) Fix typo in OBJ_txt2obj which incorrectly passed the content |
7250 |
length, instead of the encoding length to d2i_ASN1_OBJECT. |
7251 |
[Steve Henson] |
7252 |
|
7253 |
Changes between 0.9.6f and 0.9.6g [9 Aug 2002] |
7254 |
|
7255 |
*) [In 0.9.6g-engine release:] |
7256 |
Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall'). |
7257 |
[Lynn Gazis <lgazis@rainbow.com>] |
7258 |
|
7259 |
Changes between 0.9.6e and 0.9.6f [8 Aug 2002] |
7260 |
|
7261 |
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX |
7262 |
and get fix the header length calculation. |
7263 |
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, |
7264 |
Alon Kantor <alonk@checkpoint.com> (and others), |
7265 |
Steve Henson] |
7266 |
|
7267 |
*) Use proper error handling instead of 'assertions' in buffer |
7268 |
overflow checks added in 0.9.6e. This prevents DoS (the |
7269 |
assertions could call abort()). |
7270 |
[Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller] |
7271 |
|
7272 |
Changes between 0.9.6d and 0.9.6e [30 Jul 2002] |
7273 |
|
7274 |
*) Add various sanity checks to asn1_get_length() to reject |
7275 |
the ASN1 length bytes if they exceed sizeof(long), will appear |
7276 |
negative or the content length exceeds the length of the |
7277 |
supplied buffer. |
7278 |
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] |
7279 |
|
7280 |
*) Fix cipher selection routines: ciphers without encryption had no flags |
7281 |
for the cipher strength set and where therefore not handled correctly |
7282 |
by the selection routines (PR #130). |
7283 |
[Lutz Jaenicke] |
7284 |
|
7285 |
*) Fix EVP_dsa_sha macro. |
7286 |
[Nils Larsch] |
7287 |
|
7288 |
*) New option |
7289 |
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
7290 |
for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure |
7291 |
that was added in OpenSSL 0.9.6d. |
7292 |
|
7293 |
As the countermeasure turned out to be incompatible with some |
7294 |
broken SSL implementations, the new option is part of SSL_OP_ALL. |
7295 |
SSL_OP_ALL is usually employed when compatibility with weird SSL |
7296 |
implementations is desired (e.g. '-bugs' option to 's_client' and |
7297 |
's_server'), so the new option is automatically set in many |
7298 |
applications. |
7299 |
[Bodo Moeller] |
7300 |
|
7301 |
*) Changes in security patch: |
7302 |
|
7303 |
Changes marked "(CHATS)" were sponsored by the Defense Advanced |
7304 |
Research Projects Agency (DARPA) and Air Force Research Laboratory, |
7305 |
Air Force Materiel Command, USAF, under agreement number |
7306 |
F30602-01-2-0537. |
7307 |
|
7308 |
*) Add various sanity checks to asn1_get_length() to reject |
7309 |
the ASN1 length bytes if they exceed sizeof(long), will appear |
7310 |
negative or the content length exceeds the length of the |
7311 |
supplied buffer. (CVE-2002-0659) |
7312 |
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] |
7313 |
|
7314 |
*) Assertions for various potential buffer overflows, not known to |
7315 |
happen in practice. |
7316 |
[Ben Laurie (CHATS)] |
7317 |
|
7318 |
*) Various temporary buffers to hold ASCII versions of integers were |
7319 |
too small for 64 bit platforms. (CVE-2002-0655) |
7320 |
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)> |
7321 |
|
7322 |
*) Remote buffer overflow in SSL3 protocol - an attacker could |
7323 |
supply an oversized session ID to a client. (CVE-2002-0656) |
7324 |
[Ben Laurie (CHATS)] |
7325 |
|
7326 |
*) Remote buffer overflow in SSL2 protocol - an attacker could |
7327 |
supply an oversized client master key. (CVE-2002-0656) |
7328 |
[Ben Laurie (CHATS)] |
7329 |
|
7330 |
Changes between 0.9.6c and 0.9.6d [9 May 2002] |
7331 |
|
7332 |
*) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not |
7333 |
encoded as NULL) with id-dsa-with-sha1. |
7334 |
[Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller] |
7335 |
|
7336 |
*) Check various X509_...() return values in apps/req.c. |
7337 |
[Nils Larsch <nla@trustcenter.de>] |
7338 |
|
7339 |
*) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: |
7340 |
an end-of-file condition would erronously be flagged, when the CRLF |
7341 |
was just at the end of a processed block. The bug was discovered when |
7342 |
processing data through a buffering memory BIO handing the data to a |
7343 |
BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov |
7344 |
<ptsekov@syntrex.com> and Nedelcho Stanev. |
7345 |
[Lutz Jaenicke] |
7346 |
|
7347 |
*) Implement a countermeasure against a vulnerability recently found |
7348 |
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment |
7349 |
before application data chunks to avoid the use of known IVs |
7350 |
with data potentially chosen by the attacker. |
7351 |
[Bodo Moeller] |
7352 |
|
7353 |
*) Fix length checks in ssl3_get_client_hello(). |
7354 |
[Bodo Moeller] |
7355 |
|
7356 |
*) TLS/SSL library bugfix: use s->s3->in_read_app_data differently |
7357 |
to prevent ssl3_read_internal() from incorrectly assuming that |
7358 |
ssl3_read_bytes() found application data while handshake |
7359 |
processing was enabled when in fact s->s3->in_read_app_data was |
7360 |
merely automatically cleared during the initial handshake. |
7361 |
[Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>] |
7362 |
|
7363 |
*) Fix object definitions for Private and Enterprise: they were not |
7364 |
recognized in their shortname (=lowercase) representation. Extend |
7365 |
obj_dat.pl to issue an error when using undefined keywords instead |
7366 |
of silently ignoring the problem (Svenning Sorensen |
7367 |
<sss@sss.dnsalias.net>). |
7368 |
[Lutz Jaenicke] |
7369 |
|
7370 |
*) Fix DH_generate_parameters() so that it works for 'non-standard' |
7371 |
generators, i.e. generators other than 2 and 5. (Previously, the |
7372 |
code did not properly initialise the 'add' and 'rem' values to |
7373 |
BN_generate_prime().) |
7374 |
|
7375 |
In the new general case, we do not insist that 'generator' is |
7376 |
actually a primitive root: This requirement is rather pointless; |
7377 |
a generator of the order-q subgroup is just as good, if not |
7378 |
better. |
7379 |
[Bodo Moeller] |
7380 |
|
7381 |
*) Map new X509 verification errors to alerts. Discovered and submitted by |
7382 |
Tom Wu <tom@arcot.com>. |
7383 |
[Lutz Jaenicke] |
7384 |
|
7385 |
*) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from |
7386 |
returning non-zero before the data has been completely received |
7387 |
when using non-blocking I/O. |
7388 |
[Bodo Moeller; problem pointed out by John Hughes] |
7389 |
|
7390 |
*) Some of the ciphers missed the strength entry (SSL_LOW etc). |
7391 |
[Ben Laurie, Lutz Jaenicke] |
7392 |
|
7393 |
*) Fix bug in SSL_clear(): bad sessions were not removed (found by |
7394 |
Yoram Zahavi <YoramZ@gilian.com>). |
7395 |
[Lutz Jaenicke] |
7396 |
|
7397 |
*) Add information about CygWin 1.3 and on, and preserve proper |
7398 |
configuration for the versions before that. |
7399 |
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] |
7400 |
|
7401 |
*) Make removal from session cache (SSL_CTX_remove_session()) more robust: |
7402 |
check whether we deal with a copy of a session and do not delete from |
7403 |
the cache in this case. Problem reported by "Izhar Shoshani Levi" |
7404 |
<izhar@checkpoint.com>. |
7405 |
[Lutz Jaenicke] |
7406 |
|
7407 |
*) Do not store session data into the internal session cache, if it |
7408 |
is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP |
7409 |
flag is set). Proposed by Aslam <aslam@funk.com>. |
7410 |
[Lutz Jaenicke] |
7411 |
|
7412 |
*) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested |
7413 |
value is 0. |
7414 |
[Richard Levitte] |
7415 |
|
7416 |
*) [In 0.9.6d-engine release:] |
7417 |
Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). |
7418 |
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
7419 |
|
7420 |
*) Add the configuration target linux-s390x. |
7421 |
[Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte] |
7422 |
|
7423 |
*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of |
7424 |
ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag |
7425 |
variable as an indication that a ClientHello message has been |
7426 |
received. As the flag value will be lost between multiple |
7427 |
invocations of ssl3_accept when using non-blocking I/O, the |
7428 |
function may not be aware that a handshake has actually taken |
7429 |
place, thus preventing a new session from being added to the |
7430 |
session cache. |
7431 |
|
7432 |
To avoid this problem, we now set s->new_session to 2 instead of |
7433 |
using a local variable. |
7434 |
[Lutz Jaenicke, Bodo Moeller] |
7435 |
|
7436 |
*) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) |
7437 |
if the SSL_R_LENGTH_MISMATCH error is detected. |
7438 |
[Geoff Thorpe, Bodo Moeller] |
7439 |
|
7440 |
*) New 'shared_ldflag' column in Configure platform table. |
7441 |
[Richard Levitte] |
7442 |
|
7443 |
*) Fix EVP_CIPHER_mode macro. |
7444 |
["Dan S. Camper" <dan@bti.net>] |
7445 |
|
7446 |
*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown |
7447 |
type, we must throw them away by setting rr->length to 0. |
7448 |
[D P Chang <dpc@qualys.com>] |
7449 |
|
7450 |
Changes between 0.9.6b and 0.9.6c [21 dec 2001] |
7451 |
|
7452 |
*) Fix BN_rand_range bug pointed out by Dominikus Scherkl |
7453 |
<Dominikus.Scherkl@biodata.com>. (The previous implementation |
7454 |
worked incorrectly for those cases where range = 10..._2 and |
7455 |
3*range is two bits longer than range.) |
7456 |
[Bodo Moeller] |
7457 |
|
7458 |
*) Only add signing time to PKCS7 structures if it is not already |
7459 |
present. |
7460 |
[Steve Henson] |
7461 |
|
7462 |
*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", |
7463 |
OBJ_ld_ce should be OBJ_id_ce. |
7464 |
Also some ip-pda OIDs in crypto/objects/objects.txt were |
7465 |
incorrect (cf. RFC 3039). |
7466 |
[Matt Cooper, Frederic Giudicelli, Bodo Moeller] |
7467 |
|
7468 |
*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() |
7469 |
returns early because it has nothing to do. |
7470 |
[Andy Schneider <andy.schneider@bjss.co.uk>] |
7471 |
|
7472 |
*) [In 0.9.6c-engine release:] |
7473 |
Fix mutex callback return values in crypto/engine/hw_ncipher.c. |
7474 |
[Andy Schneider <andy.schneider@bjss.co.uk>] |
7475 |
|
7476 |
*) [In 0.9.6c-engine release:] |
7477 |
Add support for Cryptographic Appliance's keyserver technology. |
7478 |
(Use engine 'keyclient') |
7479 |
[Cryptographic Appliances and Geoff Thorpe] |
7480 |
|
7481 |
*) Add a configuration entry for OS/390 Unix. The C compiler 'c89' |
7482 |
is called via tools/c89.sh because arguments have to be |
7483 |
rearranged (all '-L' options must appear before the first object |
7484 |
modules). |
7485 |
[Richard Shapiro <rshapiro@abinitio.com>] |
7486 |
|
7487 |
*) [In 0.9.6c-engine release:] |
7488 |
Add support for Broadcom crypto accelerator cards, backported |
7489 |
from 0.9.7. |
7490 |
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] |
7491 |
|
7492 |
*) [In 0.9.6c-engine release:] |
7493 |
Add support for SureWare crypto accelerator cards from |
7494 |
Baltimore Technologies. (Use engine 'sureware') |
7495 |
[Baltimore Technologies and Mark Cox] |
7496 |
|
7497 |
*) [In 0.9.6c-engine release:] |
7498 |
Add support for crypto accelerator cards from Accelerated |
7499 |
Encryption Processing, www.aep.ie. (Use engine 'aep') |
7500 |
[AEP Inc. and Mark Cox] |
7501 |
|
7502 |
*) Add a configuration entry for gcc on UnixWare. |
7503 |
[Gary Benson <gbenson@redhat.com>] |
7504 |
|
7505 |
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake |
7506 |
messages are stored in a single piece (fixed-length part and |
7507 |
variable-length part combined) and fix various bugs found on the way. |
7508 |
[Bodo Moeller] |
7509 |
|
7510 |
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname() |
7511 |
instead. BIO_gethostbyname() does not know what timeouts are |
7512 |
appropriate, so entries would stay in cache even when they have |
7513 |
become invalid. |
7514 |
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com> |
7515 |
|
7516 |
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when |
7517 |
faced with a pathologically small ClientHello fragment that does |
7518 |
not contain client_version: Instead of aborting with an error, |
7519 |
simply choose the highest available protocol version (i.e., |
7520 |
TLS 1.0 unless it is disabled). In practice, ClientHello |
7521 |
messages are never sent like this, but this change gives us |
7522 |
strictly correct behaviour at least for TLS. |
7523 |
[Bodo Moeller] |
7524 |
|
7525 |
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear() |
7526 |
never resets s->method to s->ctx->method when called from within |
7527 |
one of the SSL handshake functions. |
7528 |
[Bodo Moeller; problem pointed out by Niko Baric] |
7529 |
|
7530 |
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert |
7531 |
(sent using the client's version number) if client_version is |
7532 |
smaller than the protocol version in use. Also change |
7533 |
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if |
7534 |
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then |
7535 |
the client will at least see that alert. |
7536 |
[Bodo Moeller] |
7537 |
|
7538 |
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation |
7539 |
correctly. |
7540 |
[Bodo Moeller] |
7541 |
|
7542 |
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a |
7543 |
client receives HelloRequest while in a handshake. |
7544 |
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] |
7545 |
|
7546 |
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C |
7547 |
should end in 'break', not 'goto end' which circuments various |
7548 |
cleanups done in state SSL_ST_OK. But session related stuff |
7549 |
must be disabled for SSL_ST_OK in the case that we just sent a |
7550 |
HelloRequest. |
7551 |
|
7552 |
Also avoid some overhead by not calling ssl_init_wbio_buffer() |
7553 |
before just sending a HelloRequest. |
7554 |
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] |
7555 |
|
7556 |
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't |
7557 |
reveal whether illegal block cipher padding was found or a MAC |
7558 |
verification error occured. (Neither SSLerr() codes nor alerts |
7559 |
are directly visible to potential attackers, but the information |
7560 |
may leak via logfiles.) |
7561 |
|
7562 |
Similar changes are not required for the SSL 2.0 implementation |
7563 |
because the number of padding bytes is sent in clear for SSL 2.0, |
7564 |
and the extra bytes are just ignored. However ssl/s2_pkt.c |
7565 |
failed to verify that the purported number of padding bytes is in |
7566 |
the legal range. |
7567 |
[Bodo Moeller] |
7568 |
|
7569 |
*) Add OpenUNIX-8 support including shared libraries |
7570 |
(Boyd Lynn Gerber <gerberb@zenez.com>). |
7571 |
[Lutz Jaenicke] |
7572 |
|
7573 |
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid |
7574 |
'wristwatch attack' using huge encoding parameters (cf. |
7575 |
James H. Manger's CRYPTO 2001 paper). Note that the |
7576 |
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use |
7577 |
encoding parameters and hence was not vulnerable. |
7578 |
[Bodo Moeller] |
7579 |
|
7580 |
*) BN_sqr() bug fix. |
7581 |
[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>] |
7582 |
|
7583 |
*) Rabin-Miller test analyses assume uniformly distributed witnesses, |
7584 |
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() |
7585 |
followed by modular reduction. |
7586 |
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>] |
7587 |
|
7588 |
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() |
7589 |
equivalent based on BN_pseudo_rand() instead of BN_rand(). |
7590 |
[Bodo Moeller] |
7591 |
|
7592 |
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). |
7593 |
This function was broken, as the check for a new client hello message |
7594 |
to handle SGC did not allow these large messages. |
7595 |
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.) |
7596 |
[Lutz Jaenicke] |
7597 |
|
7598 |
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). |
7599 |
[Lutz Jaenicke] |
7600 |
|
7601 |
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() |
7602 |
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>). |
7603 |
[Lutz Jaenicke] |
7604 |
|
7605 |
*) Rework the configuration and shared library support for Tru64 Unix. |
7606 |
The configuration part makes use of modern compiler features and |
7607 |
still retains old compiler behavior for those that run older versions |
7608 |
of the OS. The shared library support part includes a variant that |
7609 |
uses the RPATH feature, and is available through the special |
7610 |
configuration target "alpha-cc-rpath", which will never be selected |
7611 |
automatically. |
7612 |
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte] |
7613 |
|
7614 |
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() |
7615 |
with the same message size as in ssl3_get_certificate_request(). |
7616 |
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest |
7617 |
messages might inadvertently be reject as too long. |
7618 |
[Petr Lampa <lampa@fee.vutbr.cz>] |
7619 |
|
7620 |
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). |
7621 |
[Andy Polyakov] |
7622 |
|
7623 |
*) Modified SSL library such that the verify_callback that has been set |
7624 |
specificly for an SSL object with SSL_set_verify() is actually being |
7625 |
used. Before the change, a verify_callback set with this function was |
7626 |
ignored and the verify_callback() set in the SSL_CTX at the time of |
7627 |
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced |
7628 |
to allow the necessary settings. |
7629 |
[Lutz Jaenicke] |
7630 |
|
7631 |
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c |
7632 |
explicitly to NULL, as at least on Solaris 8 this seems not always to be |
7633 |
done automatically (in contradiction to the requirements of the C |
7634 |
standard). This made problems when used from OpenSSH. |
7635 |
[Lutz Jaenicke] |
7636 |
|
7637 |
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored |
7638 |
dh->length and always used |
7639 |
|
7640 |
BN_rand_range(priv_key, dh->p). |
7641 |
|
7642 |
BN_rand_range() is not necessary for Diffie-Hellman, and this |
7643 |
specific range makes Diffie-Hellman unnecessarily inefficient if |
7644 |
dh->length (recommended exponent length) is much smaller than the |
7645 |
length of dh->p. We could use BN_rand_range() if the order of |
7646 |
the subgroup was stored in the DH structure, but we only have |
7647 |
dh->length. |
7648 |
|
7649 |
So switch back to |
7650 |
|
7651 |
BN_rand(priv_key, l, ...) |
7652 |
|
7653 |
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 |
7654 |
otherwise. |
7655 |
[Bodo Moeller] |
7656 |
|
7657 |
*) In |
7658 |
|
7659 |
RSA_eay_public_encrypt |
7660 |
RSA_eay_private_decrypt |
7661 |
RSA_eay_private_encrypt (signing) |
7662 |
RSA_eay_public_decrypt (signature verification) |
7663 |
|
7664 |
(default implementations for RSA_public_encrypt, |
7665 |
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), |
7666 |
always reject numbers >= n. |
7667 |
[Bodo Moeller] |
7668 |
|
7669 |
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 |
7670 |
to synchronize access to 'locking_thread'. This is necessary on |
7671 |
systems where access to 'locking_thread' (an 'unsigned long' |
7672 |
variable) is not atomic. |
7673 |
[Bodo Moeller] |
7674 |
|
7675 |
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID |
7676 |
*before* setting the 'crypto_lock_rand' flag. The previous code had |
7677 |
a race condition if 0 is a valid thread ID. |
7678 |
[Travis Vitek <vitek@roguewave.com>] |
7679 |
|
7680 |
*) Add support for shared libraries under Irix. |
7681 |
[Albert Chin-A-Young <china@thewrittenword.com>] |
7682 |
|
7683 |
*) Add configuration option to build on Linux on both big-endian and |
7684 |
little-endian MIPS. |
7685 |
[Ralf Baechle <ralf@uni-koblenz.de>] |
7686 |
|
7687 |
*) Add the possibility to create shared libraries on HP-UX. |
7688 |
[Richard Levitte] |
7689 |
|
7690 |
Changes between 0.9.6a and 0.9.6b [9 Jul 2001] |
7691 |
|
7692 |
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c) |
7693 |
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by |
7694 |
Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: |
7695 |
PRNG state recovery was possible based on the output of |
7696 |
one PRNG request appropriately sized to gain knowledge on |
7697 |
'md' followed by enough consecutive 1-byte PRNG requests |
7698 |
to traverse all of 'state'. |
7699 |
|
7700 |
1. When updating 'md_local' (the current thread's copy of 'md') |
7701 |
during PRNG output generation, hash all of the previous |
7702 |
'md_local' value, not just the half used for PRNG output. |
7703 |
|
7704 |
2. Make the number of bytes from 'state' included into the hash |
7705 |
independent from the number of PRNG bytes requested. |
7706 |
|
7707 |
The first measure alone would be sufficient to avoid |
7708 |
Markku-Juhani's attack. (Actually it had never occurred |
7709 |
to me that the half of 'md_local' used for chaining was the |
7710 |
half from which PRNG output bytes were taken -- I had always |
7711 |
assumed that the secret half would be used.) The second |
7712 |
measure makes sure that additional data from 'state' is never |
7713 |
mixed into 'md_local' in small portions; this heuristically |
7714 |
further strengthens the PRNG. |
7715 |
[Bodo Moeller] |
7716 |
|
7717 |
*) Fix crypto/bn/asm/mips3.s. |
7718 |
[Andy Polyakov] |
7719 |
|
7720 |
*) When only the key is given to "enc", the IV is undefined. Print out |
7721 |
an error message in this case. |
7722 |
[Lutz Jaenicke] |
7723 |
|
7724 |
*) Handle special case when X509_NAME is empty in X509 printing routines. |
7725 |
[Steve Henson] |
7726 |
|
7727 |
*) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are |
7728 |
positive and less than q. |
7729 |
[Bodo Moeller] |
7730 |
|
7731 |
*) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is |
7732 |
used: it isn't thread safe and the add_lock_callback should handle |
7733 |
that itself. |
7734 |
[Paul Rose <Paul.Rose@bridge.com>] |
7735 |
|
7736 |
*) Verify that incoming data obeys the block size in |
7737 |
ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). |
7738 |
[Bodo Moeller] |
7739 |
|
7740 |
*) Fix OAEP check. |
7741 |
[Ulf Möller, Bodo Möller] |
7742 |
|
7743 |
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 |
7744 |
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 |
7745 |
when fixing the server behaviour for backwards-compatible 'client |
7746 |
hello' messages. (Note that the attack is impractical against |
7747 |
SSL 3.0 and TLS 1.0 anyway because length and version checking |
7748 |
means that the probability of guessing a valid ciphertext is |
7749 |
around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 |
7750 |
paper.) |
7751 |
|
7752 |
Before 0.9.5, the countermeasure (hide the error by generating a |
7753 |
random 'decryption result') did not work properly because |
7754 |
ERR_clear_error() was missing, meaning that SSL_get_error() would |
7755 |
detect the supposedly ignored error. |
7756 |
|
7757 |
Both problems are now fixed. |
7758 |
[Bodo Moeller] |
7759 |
|
7760 |
*) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 |
7761 |
(previously it was 1024). |
7762 |
[Bodo Moeller] |
7763 |
|
7764 |
*) Fix for compatibility mode trust settings: ignore trust settings |
7765 |
unless some valid trust or reject settings are present. |
7766 |
[Steve Henson] |
7767 |
|
7768 |
*) Fix for blowfish EVP: its a variable length cipher. |
7769 |
[Steve Henson] |
7770 |
|
7771 |
*) Fix various bugs related to DSA S/MIME verification. Handle missing |
7772 |
parameters in DSA public key structures and return an error in the |
7773 |
DSA routines if parameters are absent. |
7774 |
[Steve Henson] |
7775 |
|
7776 |
*) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd" |
7777 |
in the current directory if neither $RANDFILE nor $HOME was set. |
7778 |
RAND_file_name() in 0.9.6a returned NULL in this case. This has |
7779 |
caused some confusion to Windows users who haven't defined $HOME. |
7780 |
Thus RAND_file_name() is changed again: e_os.h can define a |
7781 |
DEFAULT_HOME, which will be used if $HOME is not set. |
7782 |
For Windows, we use "C:"; on other platforms, we still require |
7783 |
environment variables. |
7784 |
|
7785 |
*) Move 'if (!initialized) RAND_poll()' into regions protected by |
7786 |
CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids |
7787 |
having multiple threads call RAND_poll() concurrently. |
7788 |
[Bodo Moeller] |
7789 |
|
7790 |
*) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a |
7791 |
combination of a flag and a thread ID variable. |
7792 |
Otherwise while one thread is in ssleay_rand_bytes (which sets the |
7793 |
flag), *other* threads can enter ssleay_add_bytes without obeying |
7794 |
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock |
7795 |
that they do not hold after the first thread unsets add_do_not_lock). |
7796 |
[Bodo Moeller] |
7797 |
|
7798 |
*) Change bctest again: '-x' expressions are not available in all |
7799 |
versions of 'test'. |
7800 |
[Bodo Moeller] |
7801 |
|
7802 |
Changes between 0.9.6 and 0.9.6a [5 Apr 2001] |
7803 |
|
7804 |
*) Fix a couple of memory leaks in PKCS7_dataDecode() |
7805 |
[Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>] |
7806 |
|
7807 |
*) Change Configure and Makefiles to provide EXE_EXT, which will contain |
7808 |
the default extension for executables, if any. Also, make the perl |
7809 |
scripts that use symlink() to test if it really exists and use "cp" |
7810 |
if it doesn't. All this made OpenSSL compilable and installable in |
7811 |
CygWin. |
7812 |
[Richard Levitte] |
7813 |
|
7814 |
*) Fix for asn1_GetSequence() for indefinite length constructed data. |
7815 |
If SEQUENCE is length is indefinite just set c->slen to the total |
7816 |
amount of data available. |
7817 |
[Steve Henson, reported by shige@FreeBSD.org] |
7818 |
[This change does not apply to 0.9.7.] |
7819 |
|
7820 |
*) Change bctest to avoid here-documents inside command substitution |
7821 |
(workaround for FreeBSD /bin/sh bug). |
7822 |
For compatibility with Ultrix, avoid shell functions (introduced |
7823 |
in the bctest version that searches along $PATH). |
7824 |
[Bodo Moeller] |
7825 |
|
7826 |
*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes |
7827 |
with des_encrypt() defined on some operating systems, like Solaris |
7828 |
and UnixWare. |
7829 |
[Richard Levitte] |
7830 |
|
7831 |
*) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: |
7832 |
On the Importance of Eliminating Errors in Cryptographic |
7833 |
Computations, J. Cryptology 14 (2001) 2, 101-119, |
7834 |
http://theory.stanford.edu/~dabo/papers/faults.ps.gz). |
7835 |
[Ulf Moeller] |
7836 |
|
7837 |
*) MIPS assembler BIGNUM division bug fix. |
7838 |
[Andy Polyakov] |
7839 |
|
7840 |
*) Disabled incorrect Alpha assembler code. |
7841 |
[Richard Levitte] |
7842 |
|
7843 |
*) Fix PKCS#7 decode routines so they correctly update the length |
7844 |
after reading an EOC for the EXPLICIT tag. |
7845 |
[Steve Henson] |
7846 |
[This change does not apply to 0.9.7.] |
7847 |
|
7848 |
*) Fix bug in PKCS#12 key generation routines. This was triggered |
7849 |
if a 3DES key was generated with a 0 initial byte. Include |
7850 |
PKCS12_BROKEN_KEYGEN compilation option to retain the old |
7851 |
(but broken) behaviour. |
7852 |
[Steve Henson] |
7853 |
|
7854 |
*) Enhance bctest to search for a working bc along $PATH and print |
7855 |
it when found. |
7856 |
[Tim Rice <tim@multitalents.net> via Richard Levitte] |
7857 |
|
7858 |
*) Fix memory leaks in err.c: free err_data string if necessary; |
7859 |
don't write to the wrong index in ERR_set_error_data. |
7860 |
[Bodo Moeller] |
7861 |
|
7862 |
*) Implement ssl23_peek (analogous to ssl23_read), which previously |
7863 |
did not exist. |
7864 |
[Bodo Moeller] |
7865 |
|
7866 |
*) Replace rdtsc with _emit statements for VC++ version 5. |
7867 |
[Jeremy Cooper <jeremy@baymoo.org>] |
7868 |
|
7869 |
*) Make it possible to reuse SSLv2 sessions. |
7870 |
[Richard Levitte] |
7871 |
|
7872 |
*) In copy_email() check for >= 0 as a return value for |
7873 |
X509_NAME_get_index_by_NID() since 0 is a valid index. |
7874 |
[Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>] |
7875 |
|
7876 |
*) Avoid coredump with unsupported or invalid public keys by checking if |
7877 |
X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when |
7878 |
PKCS7_verify() fails with non detached data. |
7879 |
[Steve Henson] |
7880 |
|
7881 |
*) Don't use getenv in library functions when run as setuid/setgid. |
7882 |
New function OPENSSL_issetugid(). |
7883 |
[Ulf Moeller] |
7884 |
|
7885 |
*) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) |
7886 |
due to incorrect handling of multi-threading: |
7887 |
|
7888 |
1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). |
7889 |
|
7890 |
2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). |
7891 |
|
7892 |
3. Count how many times MemCheck_off() has been called so that |
7893 |
nested use can be treated correctly. This also avoids |
7894 |
inband-signalling in the previous code (which relied on the |
7895 |
assumption that thread ID 0 is impossible). |
7896 |
[Bodo Moeller] |
7897 |
|
7898 |
*) Add "-rand" option also to s_client and s_server. |
7899 |
[Lutz Jaenicke] |
7900 |
|
7901 |
*) Fix CPU detection on Irix 6.x. |
7902 |
[Kurt Hockenbury <khockenb@stevens-tech.edu> and |
7903 |
"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] |
7904 |
|
7905 |
*) Fix X509_NAME bug which produced incorrect encoding if X509_NAME |
7906 |
was empty. |
7907 |
[Steve Henson] |
7908 |
[This change does not apply to 0.9.7.] |
7909 |
|
7910 |
*) Use the cached encoding of an X509_NAME structure rather than |
7911 |
copying it. This is apparently the reason for the libsafe "errors" |
7912 |
but the code is actually correct. |
7913 |
[Steve Henson] |
7914 |
|
7915 |
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent |
7916 |
Bleichenbacher's DSA attack. |
7917 |
Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits |
7918 |
to be set and top=0 forces the highest bit to be set; top=-1 is new |
7919 |
and leaves the highest bit random. |
7920 |
[Ulf Moeller, Bodo Moeller] |
7921 |
|
7922 |
*) In the NCONF_...-based implementations for CONF_... queries |
7923 |
(crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using |
7924 |
a temporary CONF structure with the data component set to NULL |
7925 |
(which gives segmentation faults in lh_retrieve). |
7926 |
Instead, use NULL for the CONF pointer in CONF_get_string and |
7927 |
CONF_get_number (which may use environment variables) and directly |
7928 |
return NULL from CONF_get_section. |
7929 |
[Bodo Moeller] |
7930 |
|
7931 |
*) Fix potential buffer overrun for EBCDIC. |
7932 |
[Ulf Moeller] |
7933 |
|
7934 |
*) Tolerate nonRepudiation as being valid for S/MIME signing and certSign |
7935 |
keyUsage if basicConstraints absent for a CA. |
7936 |
[Steve Henson] |
7937 |
|
7938 |
*) Make SMIME_write_PKCS7() write mail header values with a format that |
7939 |
is more generally accepted (no spaces before the semicolon), since |
7940 |
some programs can't parse those values properly otherwise. Also make |
7941 |
sure BIO's that break lines after each write do not create invalid |
7942 |
headers. |
7943 |
[Richard Levitte] |
7944 |
|
7945 |
*) Make the CRL encoding routines work with empty SEQUENCE OF. The |
7946 |
macros previously used would not encode an empty SEQUENCE OF |
7947 |
and break the signature. |
7948 |
[Steve Henson] |
7949 |
[This change does not apply to 0.9.7.] |
7950 |
|
7951 |
*) Zero the premaster secret after deriving the master secret in |
7952 |
DH ciphersuites. |
7953 |
[Steve Henson] |
7954 |
|
7955 |
*) Add some EVP_add_digest_alias registrations (as found in |
7956 |
OpenSSL_add_all_digests()) to SSL_library_init() |
7957 |
aka OpenSSL_add_ssl_algorithms(). This provides improved |
7958 |
compatibility with peers using X.509 certificates |
7959 |
with unconventional AlgorithmIdentifier OIDs. |
7960 |
[Bodo Moeller] |
7961 |
|
7962 |
*) Fix for Irix with NO_ASM. |
7963 |
["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] |
7964 |
|
7965 |
*) ./config script fixes. |
7966 |
[Ulf Moeller, Richard Levitte] |
7967 |
|
7968 |
*) Fix 'openssl passwd -1'. |
7969 |
[Bodo Moeller] |
7970 |
|
7971 |
*) Change PKCS12_key_gen_asc() so it can cope with non null |
7972 |
terminated strings whose length is passed in the passlen |
7973 |
parameter, for example from PEM callbacks. This was done |
7974 |
by adding an extra length parameter to asc2uni(). |
7975 |
[Steve Henson, reported by <oddissey@samsung.co.kr>] |
7976 |
|
7977 |
*) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn |
7978 |
call failed, free the DSA structure. |
7979 |
[Bodo Moeller] |
7980 |
|
7981 |
*) Fix to uni2asc() to cope with zero length Unicode strings. |
7982 |
These are present in some PKCS#12 files. |
7983 |
[Steve Henson] |
7984 |
|
7985 |
*) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). |
7986 |
Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits |
7987 |
when writing a 32767 byte record. |
7988 |
[Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] |
7989 |
|
7990 |
*) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), |
7991 |
obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. |
7992 |
|
7993 |
(RSA objects have a reference count access to which is protected |
7994 |
by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], |
7995 |
so they are meant to be shared between threads.) |
7996 |
[Bodo Moeller, Geoff Thorpe; original patch submitted by |
7997 |
"Reddie, Steven" <Steven.Reddie@ca.com>] |
7998 |
|
7999 |
*) Fix a deadlock in CRYPTO_mem_leaks(). |
8000 |
[Bodo Moeller] |
8001 |
|
8002 |
*) Use better test patterns in bntest. |
8003 |
[Ulf Möller] |
8004 |
|
8005 |
*) rand_win.c fix for Borland C. |
8006 |
[Ulf Möller] |
8007 |
|
8008 |
*) BN_rshift bugfix for n == 0. |
8009 |
[Bodo Moeller] |
8010 |
|
8011 |
*) Add a 'bctest' script that checks for some known 'bc' bugs |
8012 |
so that 'make test' does not abort just because 'bc' is broken. |
8013 |
[Bodo Moeller] |
8014 |
|
8015 |
*) Store verify_result within SSL_SESSION also for client side to |
8016 |
avoid potential security hole. (Re-used sessions on the client side |
8017 |
always resulted in verify_result==X509_V_OK, not using the original |
8018 |
result of the server certificate verification.) |
8019 |
[Lutz Jaenicke] |
8020 |
|
8021 |
*) Fix ssl3_pending: If the record in s->s3->rrec is not of type |
8022 |
SSL3_RT_APPLICATION_DATA, return 0. |
8023 |
Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. |
8024 |
[Bodo Moeller] |
8025 |
|
8026 |
*) Fix SSL_peek: |
8027 |
Both ssl2_peek and ssl3_peek, which were totally broken in earlier |
8028 |
releases, have been re-implemented by renaming the previous |
8029 |
implementations of ssl2_read and ssl3_read to ssl2_read_internal |
8030 |
and ssl3_read_internal, respectively, and adding 'peek' parameters |
8031 |
to them. The new ssl[23]_{read,peek} functions are calls to |
8032 |
ssl[23]_read_internal with the 'peek' flag set appropriately. |
8033 |
A 'peek' parameter has also been added to ssl3_read_bytes, which |
8034 |
does the actual work for ssl3_read_internal. |
8035 |
[Bodo Moeller] |
8036 |
|
8037 |
*) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling |
8038 |
the method-specific "init()" handler. Also clean up ex_data after |
8039 |
calling the method-specific "finish()" handler. Previously, this was |
8040 |
happening the other way round. |
8041 |
[Geoff Thorpe] |
8042 |
|
8043 |
*) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. |
8044 |
The previous value, 12, was not always sufficient for BN_mod_exp(). |
8045 |
[Bodo Moeller] |
8046 |
|
8047 |
*) Make sure that shared libraries get the internal name engine with |
8048 |
the full version number and not just 0. This should mark the |
8049 |
shared libraries as not backward compatible. Of course, this should |
8050 |
be changed again when we can guarantee backward binary compatibility. |
8051 |
[Richard Levitte] |
8052 |
|
8053 |
*) Fix typo in get_cert_by_subject() in by_dir.c |
8054 |
[Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] |
8055 |
|
8056 |
*) Rework the system to generate shared libraries: |
8057 |
|
8058 |
- Make note of the expected extension for the shared libraries and |
8059 |
if there is a need for symbolic links from for example libcrypto.so.0 |
8060 |
to libcrypto.so.0.9.7. There is extended info in Configure for |
8061 |
that. |
8062 |
|
8063 |
- Make as few rebuilds of the shared libraries as possible. |
8064 |
|
8065 |
- Still avoid linking the OpenSSL programs with the shared libraries. |
8066 |
|
8067 |
- When installing, install the shared libraries separately from the |
8068 |
static ones. |
8069 |
[Richard Levitte] |
8070 |
|
8071 |
*) Fix SSL_CTX_set_read_ahead macro to actually use its argument. |
8072 |
|
8073 |
Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new |
8074 |
and not in SSL_clear because the latter is also used by the |
8075 |
accept/connect functions; previously, the settings made by |
8076 |
SSL_set_read_ahead would be lost during the handshake. |
8077 |
[Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>] |
8078 |
|
8079 |
*) Correct util/mkdef.pl to be selective about disabled algorithms. |
8080 |
Previously, it would create entries for disableed algorithms no |
8081 |
matter what. |
8082 |
[Richard Levitte] |
8083 |
|
8084 |
*) Added several new manual pages for SSL_* function. |
8085 |
[Lutz Jaenicke] |
8086 |
|
8087 |
Changes between 0.9.5a and 0.9.6 [24 Sep 2000] |
8088 |
|
8089 |
*) In ssl23_get_client_hello, generate an error message when faced |
8090 |
with an initial SSL 3.0/TLS record that is too small to contain the |
8091 |
first two bytes of the ClientHello message, i.e. client_version. |
8092 |
(Note that this is a pathologic case that probably has never happened |
8093 |
in real life.) The previous approach was to use the version number |
8094 |
from the record header as a substitute; but our protocol choice |
8095 |
should not depend on that one because it is not authenticated |
8096 |
by the Finished messages. |
8097 |
[Bodo Moeller] |
8098 |
|
8099 |
*) More robust randomness gathering functions for Windows. |
8100 |
[Jeffrey Altman <jaltman@columbia.edu>] |
8101 |
|
8102 |
*) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is |
8103 |
not set then we don't setup the error code for issuer check errors |
8104 |
to avoid possibly overwriting other errors which the callback does |
8105 |
handle. If an application does set the flag then we assume it knows |
8106 |
what it is doing and can handle the new informational codes |
8107 |
appropriately. |
8108 |
[Steve Henson] |
8109 |
|
8110 |
*) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for |
8111 |
a general "ANY" type, as such it should be able to decode anything |
8112 |
including tagged types. However it didn't check the class so it would |
8113 |
wrongly interpret tagged types in the same way as their universal |
8114 |
counterpart and unknown types were just rejected. Changed so that the |
8115 |
tagged and unknown types are handled in the same way as a SEQUENCE: |
8116 |
that is the encoding is stored intact. There is also a new type |
8117 |
"V_ASN1_OTHER" which is used when the class is not universal, in this |
8118 |
case we have no idea what the actual type is so we just lump them all |
8119 |
together. |
8120 |
[Steve Henson] |
8121 |
|
8122 |
*) On VMS, stdout may very well lead to a file that is written to |
8123 |
in a record-oriented fashion. That means that every write() will |
8124 |
write a separate record, which will be read separately by the |
8125 |
programs trying to read from it. This can be very confusing. |
8126 |
|
8127 |
The solution is to put a BIO filter in the way that will buffer |
8128 |
text until a linefeed is reached, and then write everything a |
8129 |
line at a time, so every record written will be an actual line, |
8130 |
not chunks of lines and not (usually doesn't happen, but I've |
8131 |
seen it once) several lines in one record. BIO_f_linebuffer() is |
8132 |
the answer. |
8133 |
|
8134 |
Currently, it's a VMS-only method, because that's where it has |
8135 |
been tested well enough. |
8136 |
[Richard Levitte] |
8137 |
|
8138 |
*) Remove 'optimized' squaring variant in BN_mod_mul_montgomery, |
8139 |
it can return incorrect results. |
8140 |
(Note: The buggy variant was not enabled in OpenSSL 0.9.5a, |
8141 |
but it was in 0.9.6-beta[12].) |
8142 |
[Bodo Moeller] |
8143 |
|
8144 |
*) Disable the check for content being present when verifying detached |
8145 |
signatures in pk7_smime.c. Some versions of Netscape (wrongly) |
8146 |
include zero length content when signing messages. |
8147 |
[Steve Henson] |
8148 |
|
8149 |
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR |
8150 |
BIO_ctrl (for BIO pairs). |
8151 |
[Bodo Möller] |
8152 |
|
8153 |
*) Add DSO method for VMS. |
8154 |
[Richard Levitte] |
8155 |
|
8156 |
*) Bug fix: Montgomery multiplication could produce results with the |
8157 |
wrong sign. |
8158 |
[Ulf Möller] |
8159 |
|
8160 |
*) Add RPM specification openssl.spec and modify it to build three |
8161 |
packages. The default package contains applications, application |
8162 |
documentation and run-time libraries. The devel package contains |
8163 |
include files, static libraries and function documentation. The |
8164 |
doc package contains the contents of the doc directory. The original |
8165 |
openssl.spec was provided by Damien Miller <djm@mindrot.org>. |
8166 |
[Richard Levitte] |
8167 |
|
8168 |
*) Add a large number of documentation files for many SSL routines. |
8169 |
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] |
8170 |
|
8171 |
*) Add a configuration entry for Sony News 4. |
8172 |
[NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>] |
8173 |
|
8174 |
*) Don't set the two most significant bits to one when generating a |
8175 |
random number < q in the DSA library. |
8176 |
[Ulf Möller] |
8177 |
|
8178 |
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default |
8179 |
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if |
8180 |
the underlying transport is blocking) if a handshake took place. |
8181 |
(The default behaviour is needed by applications such as s_client |
8182 |
and s_server that use select() to determine when to use SSL_read; |
8183 |
but for applications that know in advance when to expect data, it |
8184 |
just makes things more complicated.) |
8185 |
[Bodo Moeller] |
8186 |
|
8187 |
*) Add RAND_egd_bytes(), which gives control over the number of bytes read |
8188 |
from EGD. |
8189 |
[Ben Laurie] |
8190 |
|
8191 |
*) Add a few more EBCDIC conditionals that make `req' and `x509' |
8192 |
work better on such systems. |
8193 |
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
8194 |
|
8195 |
*) Add two demo programs for PKCS12_parse() and PKCS12_create(). |
8196 |
Update PKCS12_parse() so it copies the friendlyName and the |
8197 |
keyid to the certificates aux info. |
8198 |
[Steve Henson] |
8199 |
|
8200 |
*) Fix bug in PKCS7_verify() which caused an infinite loop |
8201 |
if there was more than one signature. |
8202 |
[Sven Uszpelkat <su@celocom.de>] |
8203 |
|
8204 |
*) Major change in util/mkdef.pl to include extra information |
8205 |
about each symbol, as well as presentig variables as well |
8206 |
as functions. This change means that there's n more need |
8207 |
to rebuild the .num files when some algorithms are excluded. |
8208 |
[Richard Levitte] |
8209 |
|
8210 |
*) Allow the verify time to be set by an application, |
8211 |
rather than always using the current time. |
8212 |
[Steve Henson] |
8213 |
|
8214 |
*) Phase 2 verify code reorganisation. The certificate |
8215 |
verify code now looks up an issuer certificate by a |
8216 |
number of criteria: subject name, authority key id |
8217 |
and key usage. It also verifies self signed certificates |
8218 |
by the same criteria. The main comparison function is |
8219 |
X509_check_issued() which performs these checks. |
8220 |
|
8221 |
Lot of changes were necessary in order to support this |
8222 |
without completely rewriting the lookup code. |
8223 |
|
8224 |
Authority and subject key identifier are now cached. |
8225 |
|
8226 |
The LHASH 'certs' is X509_STORE has now been replaced |
8227 |
by a STACK_OF(X509_OBJECT). This is mainly because an |
8228 |
LHASH can't store or retrieve multiple objects with |
8229 |
the same hash value. |
8230 |
|
8231 |
As a result various functions (which were all internal |
8232 |
use only) have changed to handle the new X509_STORE |
8233 |
structure. This will break anything that messed round |
8234 |
with X509_STORE internally. |
8235 |
|
8236 |
The functions X509_STORE_add_cert() now checks for an |
8237 |
exact match, rather than just subject name. |
8238 |
|
8239 |
The X509_STORE API doesn't directly support the retrieval |
8240 |
of multiple certificates matching a given criteria, however |
8241 |
this can be worked round by performing a lookup first |
8242 |
(which will fill the cache with candidate certificates) |
8243 |
and then examining the cache for matches. This is probably |
8244 |
the best we can do without throwing out X509_LOOKUP |
8245 |
entirely (maybe later...). |
8246 |
|
8247 |
The X509_VERIFY_CTX structure has been enhanced considerably. |
8248 |
|
8249 |
All certificate lookup operations now go via a get_issuer() |
8250 |
callback. Although this currently uses an X509_STORE it |
8251 |
can be replaced by custom lookups. This is a simple way |
8252 |
to bypass the X509_STORE hackery necessary to make this |
8253 |
work and makes it possible to use more efficient techniques |
8254 |
in future. A very simple version which uses a simple |
8255 |
STACK for its trusted certificate store is also provided |
8256 |
using X509_STORE_CTX_trusted_stack(). |
8257 |
|
8258 |
The verify_cb() and verify() callbacks now have equivalents |
8259 |
in the X509_STORE_CTX structure. |
8260 |
|
8261 |
X509_STORE_CTX also has a 'flags' field which can be used |
8262 |
to customise the verify behaviour. |
8263 |
[Steve Henson] |
8264 |
|
8265 |
*) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which |
8266 |
excludes S/MIME capabilities. |
8267 |
[Steve Henson] |
8268 |
|
8269 |
*) When a certificate request is read in keep a copy of the |
8270 |
original encoding of the signed data and use it when outputing |
8271 |
again. Signatures then use the original encoding rather than |
8272 |
a decoded, encoded version which may cause problems if the |
8273 |
request is improperly encoded. |
8274 |
[Steve Henson] |
8275 |
|
8276 |
*) For consistency with other BIO_puts implementations, call |
8277 |
buffer_write(b, ...) directly in buffer_puts instead of calling |
8278 |
BIO_write(b, ...). |
8279 |
|
8280 |
In BIO_puts, increment b->num_write as in BIO_write. |
8281 |
[Peter.Sylvester@EdelWeb.fr] |
8282 |
|
8283 |
*) Fix BN_mul_word for the case where the word is 0. (We have to use |
8284 |
BN_zero, we may not return a BIGNUM with an array consisting of |
8285 |
words set to zero.) |
8286 |
[Bodo Moeller] |
8287 |
|
8288 |
*) Avoid calling abort() from within the library when problems are |
8289 |
detected, except if preprocessor symbols have been defined |
8290 |
(such as REF_CHECK, BN_DEBUG etc.). |
8291 |
[Bodo Moeller] |
8292 |
|
8293 |
*) New openssl application 'rsautl'. This utility can be |
8294 |
used for low level RSA operations. DER public key |
8295 |
BIO/fp routines also added. |
8296 |
[Steve Henson] |
8297 |
|
8298 |
*) New Configure entry and patches for compiling on QNX 4. |
8299 |
[Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>] |
8300 |
|
8301 |
*) A demo state-machine implementation was sponsored by |
8302 |
Nuron (http://www.nuron.com/) and is now available in |
8303 |
demos/state_machine. |
8304 |
[Ben Laurie] |
8305 |
|
8306 |
*) New options added to the 'dgst' utility for signature |
8307 |
generation and verification. |
8308 |
[Steve Henson] |
8309 |
|
8310 |
*) Unrecognized PKCS#7 content types are now handled via a |
8311 |
catch all ASN1_TYPE structure. This allows unsupported |
8312 |
types to be stored as a "blob" and an application can |
8313 |
encode and decode it manually. |
8314 |
[Steve Henson] |
8315 |
|
8316 |
*) Fix various signed/unsigned issues to make a_strex.c |
8317 |
compile under VC++. |
8318 |
[Oscar Jacobsson <oscar.jacobsson@celocom.com>] |
8319 |
|
8320 |
*) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct |
8321 |
length if passed a buffer. ASN1_INTEGER_to_BN failed |
8322 |
if passed a NULL BN and its argument was negative. |
8323 |
[Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>] |
8324 |
|
8325 |
*) Modification to PKCS#7 encoding routines to output definite |
8326 |
length encoding. Since currently the whole structures are in |
8327 |
memory there's not real point in using indefinite length |
8328 |
constructed encoding. However if OpenSSL is compiled with |
8329 |
the flag PKCS7_INDEFINITE_ENCODING the old form is used. |
8330 |
[Steve Henson] |
8331 |
|
8332 |
*) Added BIO_vprintf() and BIO_vsnprintf(). |
8333 |
[Richard Levitte] |
8334 |
|
8335 |
*) Added more prefixes to parse for in the the strings written |
8336 |
through a logging bio, to cover all the levels that are available |
8337 |
through syslog. The prefixes are now: |
8338 |
|
8339 |
PANIC, EMERG, EMR => LOG_EMERG |
8340 |
ALERT, ALR => LOG_ALERT |
8341 |
CRIT, CRI => LOG_CRIT |
8342 |
ERROR, ERR => LOG_ERR |
8343 |
WARNING, WARN, WAR => LOG_WARNING |
8344 |
NOTICE, NOTE, NOT => LOG_NOTICE |
8345 |
INFO, INF => LOG_INFO |
8346 |
DEBUG, DBG => LOG_DEBUG |
8347 |
|
8348 |
and as before, if none of those prefixes are present at the |
8349 |
beginning of the string, LOG_ERR is chosen. |
8350 |
|
8351 |
On Win32, the LOG_* levels are mapped according to this: |
8352 |
|
8353 |
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE |
8354 |
LOG_WARNING => EVENTLOG_WARNING_TYPE |
8355 |
LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE |
8356 |
|
8357 |
[Richard Levitte] |
8358 |
|
8359 |
*) Made it possible to reconfigure with just the configuration |
8360 |
argument "reconf" or "reconfigure". The command line arguments |
8361 |
are stored in Makefile.ssl in the variable CONFIGURE_ARGS, |
8362 |
and are retrieved from there when reconfiguring. |
8363 |
[Richard Levitte] |
8364 |
|
8365 |
*) MD4 implemented. |
8366 |
[Assar Westerlund <assar@sics.se>, Richard Levitte] |
8367 |
|
8368 |
*) Add the arguments -CAfile and -CApath to the pkcs12 utility. |
8369 |
[Richard Levitte] |
8370 |
|
8371 |
*) The obj_dat.pl script was messing up the sorting of object |
8372 |
names. The reason was that it compared the quoted version |
8373 |
of strings as a result "OCSP" > "OCSP Signing" because |
8374 |
" > SPACE. Changed script to store unquoted versions of |
8375 |
names and add quotes on output. It was also omitting some |
8376 |
names from the lookup table if they were given a default |
8377 |
value (that is if SN is missing it is given the same |
8378 |
value as LN and vice versa), these are now added on the |
8379 |
grounds that if an object has a name we should be able to |
8380 |
look it up. Finally added warning output when duplicate |
8381 |
short or long names are found. |
8382 |
[Steve Henson] |
8383 |
|
8384 |
*) Changes needed for Tandem NSK. |
8385 |
[Scott Uroff <scott@xypro.com>] |
8386 |
|
8387 |
*) Fix SSL 2.0 rollback checking: Due to an off-by-one error in |
8388 |
RSA_padding_check_SSLv23(), special padding was never detected |
8389 |
and thus the SSL 3.0/TLS 1.0 countermeasure against protocol |
8390 |
version rollback attacks was not effective. |
8391 |
|
8392 |
In s23_clnt.c, don't use special rollback-attack detection padding |
8393 |
(RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the |
8394 |
client; similarly, in s23_srvr.c, don't do the rollback check if |
8395 |
SSL 2.0 is the only protocol enabled in the server. |
8396 |
[Bodo Moeller] |
8397 |
|
8398 |
*) Make it possible to get hexdumps of unprintable data with 'openssl |
8399 |
asn1parse'. By implication, the functions ASN1_parse_dump() and |
8400 |
BIO_dump_indent() are added. |
8401 |
[Richard Levitte] |
8402 |
|
8403 |
*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() |
8404 |
these print out strings and name structures based on various |
8405 |
flags including RFC2253 support and proper handling of |
8406 |
multibyte characters. Added options to the 'x509' utility |
8407 |
to allow the various flags to be set. |
8408 |
[Steve Henson] |
8409 |
|
8410 |
*) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. |
8411 |
Also change the functions X509_cmp_current_time() and |
8412 |
X509_gmtime_adj() work with an ASN1_TIME structure, |
8413 |
this will enable certificates using GeneralizedTime in validity |
8414 |
dates to be checked. |
8415 |
[Steve Henson] |
8416 |
|
8417 |
*) Make the NEG_PUBKEY_BUG code (which tolerates invalid |
8418 |
negative public key encodings) on by default, |
8419 |
NO_NEG_PUBKEY_BUG can be set to disable it. |
8420 |
[Steve Henson] |
8421 |
|
8422 |
*) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT |
8423 |
content octets. An i2c_ASN1_OBJECT is unnecessary because |
8424 |
the encoding can be trivially obtained from the structure. |
8425 |
[Steve Henson] |
8426 |
|
8427 |
*) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), |
8428 |
not read locks (CRYPTO_r_[un]lock). |
8429 |
[Bodo Moeller] |
8430 |
|
8431 |
*) A first attempt at creating official support for shared |
8432 |
libraries through configuration. I've kept it so the |
8433 |
default is static libraries only, and the OpenSSL programs |
8434 |
are always statically linked for now, but there are |
8435 |
preparations for dynamic linking in place. |
8436 |
This has been tested on Linux and Tru64. |
8437 |
[Richard Levitte] |
8438 |
|
8439 |
*) Randomness polling function for Win9x, as described in: |
8440 |
Peter Gutmann, Software Generation of Practically Strong |
8441 |
Random Numbers. |
8442 |
[Ulf Möller] |
8443 |
|
8444 |
*) Fix so PRNG is seeded in req if using an already existing |
8445 |
DSA key. |
8446 |
[Steve Henson] |
8447 |
|
8448 |
*) New options to smime application. -inform and -outform |
8449 |
allow alternative formats for the S/MIME message including |
8450 |
PEM and DER. The -content option allows the content to be |
8451 |
specified separately. This should allow things like Netscape |
8452 |
form signing output easier to verify. |
8453 |
[Steve Henson] |
8454 |
|
8455 |
*) Fix the ASN1 encoding of tags using the 'long form'. |
8456 |
[Steve Henson] |
8457 |
|
8458 |
*) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT |
8459 |
STRING types. These convert content octets to and from the |
8460 |
underlying type. The actual tag and length octets are |
8461 |
already assumed to have been read in and checked. These |
8462 |
are needed because all other string types have virtually |
8463 |
identical handling apart from the tag. By having versions |
8464 |
of the ASN1 functions that just operate on content octets |
8465 |
IMPLICIT tagging can be handled properly. It also allows |
8466 |
the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED |
8467 |
and ASN1_INTEGER are identical apart from the tag. |
8468 |
[Steve Henson] |
8469 |
|
8470 |
*) Change the handling of OID objects as follows: |
8471 |
|
8472 |
- New object identifiers are inserted in objects.txt, following |
8473 |
the syntax given in objects.README. |
8474 |
- objects.pl is used to process obj_mac.num and create a new |
8475 |
obj_mac.h. |
8476 |
- obj_dat.pl is used to create a new obj_dat.h, using the data in |
8477 |
obj_mac.h. |
8478 |
|
8479 |
This is currently kind of a hack, and the perl code in objects.pl |
8480 |
isn't very elegant, but it works as I intended. The simplest way |
8481 |
to check that it worked correctly is to look in obj_dat.h and |
8482 |
check the array nid_objs and make sure the objects haven't moved |
8483 |
around (this is important!). Additions are OK, as well as |
8484 |
consistent name changes. |
8485 |
[Richard Levitte] |
8486 |
|
8487 |
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). |
8488 |
[Bodo Moeller] |
8489 |
|
8490 |
*) Addition of the command line parameter '-rand file' to 'openssl req'. |
8491 |
The given file adds to whatever has already been seeded into the |
8492 |
random pool through the RANDFILE configuration file option or |
8493 |
environment variable, or the default random state file. |
8494 |
[Richard Levitte] |
8495 |
|
8496 |
*) mkstack.pl now sorts each macro group into lexical order. |
8497 |
Previously the output order depended on the order the files |
8498 |
appeared in the directory, resulting in needless rewriting |
8499 |
of safestack.h . |
8500 |
[Steve Henson] |
8501 |
|
8502 |
*) Patches to make OpenSSL compile under Win32 again. Mostly |
8503 |
work arounds for the VC++ problem that it treats func() as |
8504 |
func(void). Also stripped out the parts of mkdef.pl that |
8505 |
added extra typesafe functions: these no longer exist. |
8506 |
[Steve Henson] |
8507 |
|
8508 |
*) Reorganisation of the stack code. The macros are now all |
8509 |
collected in safestack.h . Each macro is defined in terms of |
8510 |
a "stack macro" of the form SKM_<name>(type, a, b). The |
8511 |
DEBUG_SAFESTACK is now handled in terms of function casts, |
8512 |
this has the advantage of retaining type safety without the |
8513 |
use of additional functions. If DEBUG_SAFESTACK is not defined |
8514 |
then the non typesafe macros are used instead. Also modified the |
8515 |
mkstack.pl script to handle the new form. Needs testing to see |
8516 |
if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK |
8517 |
the default if no major problems. Similar behaviour for ASN1_SET_OF |
8518 |
and PKCS12_STACK_OF. |
8519 |
[Steve Henson] |
8520 |
|
8521 |
*) When some versions of IIS use the 'NET' form of private key the |
8522 |
key derivation algorithm is different. Normally MD5(password) is |
8523 |
used as a 128 bit RC4 key. In the modified case |
8524 |
MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some |
8525 |
new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same |
8526 |
as the old Netscape_RSA functions except they have an additional |
8527 |
'sgckey' parameter which uses the modified algorithm. Also added |
8528 |
an -sgckey command line option to the rsa utility. Thanks to |
8529 |
Adrian Peck <bertie@ncipher.com> for posting details of the modified |
8530 |
algorithm to openssl-dev. |
8531 |
[Steve Henson] |
8532 |
|
8533 |
*) The evp_local.h macros were using 'c.##kname' which resulted in |
8534 |
invalid expansion on some systems (SCO 5.0.5 for example). |
8535 |
Corrected to 'c.kname'. |
8536 |
[Phillip Porch <root@theporch.com>] |
8537 |
|
8538 |
*) New X509_get1_email() and X509_REQ_get1_email() functions that return |
8539 |
a STACK of email addresses from a certificate or request, these look |
8540 |
in the subject name and the subject alternative name extensions and |
8541 |
omit any duplicate addresses. |
8542 |
[Steve Henson] |
8543 |
|
8544 |
*) Re-implement BN_mod_exp2_mont using independent (and larger) windows. |
8545 |
This makes DSA verification about 2 % faster. |
8546 |
[Bodo Moeller] |
8547 |
|
8548 |
*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5 |
8549 |
(meaning that now 2^5 values will be precomputed, which is only 4 KB |
8550 |
plus overhead for 1024 bit moduli). |
8551 |
This makes exponentiations about 0.5 % faster for 1024 bit |
8552 |
exponents (as measured by "openssl speed rsa2048"). |
8553 |
[Bodo Moeller] |
8554 |
|
8555 |
*) Rename memory handling macros to avoid conflicts with other |
8556 |
software: |
8557 |
Malloc => OPENSSL_malloc |
8558 |
Malloc_locked => OPENSSL_malloc_locked |
8559 |
Realloc => OPENSSL_realloc |
8560 |
Free => OPENSSL_free |
8561 |
[Richard Levitte] |
8562 |
|
8563 |
*) New function BN_mod_exp_mont_word for small bases (roughly 15% |
8564 |
faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). |
8565 |
[Bodo Moeller] |
8566 |
|
8567 |
*) CygWin32 support. |
8568 |
[John Jarvie <jjarvie@newsguy.com>] |
8569 |
|
8570 |
*) The type-safe stack code has been rejigged. It is now only compiled |
8571 |
in when OpenSSL is configured with the DEBUG_SAFESTACK option and |
8572 |
by default all type-specific stack functions are "#define"d back to |
8573 |
standard stack functions. This results in more streamlined output |
8574 |
but retains the type-safety checking possibilities of the original |
8575 |
approach. |
8576 |
[Geoff Thorpe] |
8577 |
|
8578 |
*) The STACK code has been cleaned up, and certain type declarations |
8579 |
that didn't make a lot of sense have been brought in line. This has |
8580 |
also involved a cleanup of sorts in safestack.h to more correctly |
8581 |
map type-safe stack functions onto their plain stack counterparts. |
8582 |
This work has also resulted in a variety of "const"ifications of |
8583 |
lots of the code, especially "_cmp" operations which should normally |
8584 |
be prototyped with "const" parameters anyway. |
8585 |
[Geoff Thorpe] |
8586 |
|
8587 |
*) When generating bytes for the first time in md_rand.c, 'stir the pool' |
8588 |
by seeding with STATE_SIZE dummy bytes (with zero entropy count). |
8589 |
(The PRNG state consists of two parts, the large pool 'state' and 'md', |
8590 |
where all of 'md' is used each time the PRNG is used, but 'state' |
8591 |
is used only indexed by a cyclic counter. As entropy may not be |
8592 |
well distributed from the beginning, 'md' is important as a |
8593 |
chaining variable. However, the output function chains only half |
8594 |
of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains |
8595 |
all of 'md', and seeding with STATE_SIZE dummy bytes will result |
8596 |
in all of 'state' being rewritten, with the new values depending |
8597 |
on virtually all of 'md'. This overcomes the 80 bit limitation.) |
8598 |
[Bodo Moeller] |
8599 |
|
8600 |
*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when |
8601 |
the handshake is continued after ssl_verify_cert_chain(); |
8602 |
otherwise, if SSL_VERIFY_NONE is set, remaining error codes |
8603 |
can lead to 'unexplainable' connection aborts later. |
8604 |
[Bodo Moeller; problem tracked down by Lutz Jaenicke] |
8605 |
|
8606 |
*) Major EVP API cipher revision. |
8607 |
Add hooks for extra EVP features. This allows various cipher |
8608 |
parameters to be set in the EVP interface. Support added for variable |
8609 |
key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and |
8610 |
setting of RC2 and RC5 parameters. |
8611 |
|
8612 |
Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length |
8613 |
ciphers. |
8614 |
|
8615 |
Remove lots of duplicated code from the EVP library. For example *every* |
8616 |
cipher init() function handles the 'iv' in the same way according to the |
8617 |
cipher mode. They also all do nothing if the 'key' parameter is NULL and |
8618 |
for CFB and OFB modes they zero ctx->num. |
8619 |
|
8620 |
New functionality allows removal of S/MIME code RC2 hack. |
8621 |
|
8622 |
Most of the routines have the same form and so can be declared in terms |
8623 |
of macros. |
8624 |
|
8625 |
By shifting this to the top level EVP_CipherInit() it can be removed from |
8626 |
all individual ciphers. If the cipher wants to handle IVs or keys |
8627 |
differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT |
8628 |
flags. |
8629 |
|
8630 |
Change lots of functions like EVP_EncryptUpdate() to now return a |
8631 |
value: although software versions of the algorithms cannot fail |
8632 |
any installed hardware versions can. |
8633 |
[Steve Henson] |
8634 |
|
8635 |
*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if |
8636 |
this option is set, tolerate broken clients that send the negotiated |
8637 |
protocol version number instead of the requested protocol version |
8638 |
number. |
8639 |
[Bodo Moeller] |
8640 |
|
8641 |
*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag; |
8642 |
i.e. non-zero for export ciphersuites, zero otherwise. |
8643 |
Previous versions had this flag inverted, inconsistent with |
8644 |
rsa_tmp_cb (..._TMP_RSA_CB). |
8645 |
[Bodo Moeller; problem reported by Amit Chopra] |
8646 |
|
8647 |
*) Add missing DSA library text string. Work around for some IIS |
8648 |
key files with invalid SEQUENCE encoding. |
8649 |
[Steve Henson] |
8650 |
|
8651 |
*) Add a document (doc/standards.txt) that list all kinds of standards |
8652 |
and so on that are implemented in OpenSSL. |
8653 |
[Richard Levitte] |
8654 |
|
8655 |
*) Enhance c_rehash script. Old version would mishandle certificates |
8656 |
with the same subject name hash and wouldn't handle CRLs at all. |
8657 |
Added -fingerprint option to crl utility, to support new c_rehash |
8658 |
features. |
8659 |
[Steve Henson] |
8660 |
|
8661 |
*) Eliminate non-ANSI declarations in crypto.h and stack.h. |
8662 |
[Ulf Möller] |
8663 |
|
8664 |
*) Fix for SSL server purpose checking. Server checking was |
8665 |
rejecting certificates which had extended key usage present |
8666 |
but no ssl client purpose. |
8667 |
[Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>] |
8668 |
|
8669 |
*) Make PKCS#12 code work with no password. The PKCS#12 spec |
8670 |
is a little unclear about how a blank password is handled. |
8671 |
Since the password in encoded as a BMPString with terminating |
8672 |
double NULL a zero length password would end up as just the |
8673 |
double NULL. However no password at all is different and is |
8674 |
handled differently in the PKCS#12 key generation code. NS |
8675 |
treats a blank password as zero length. MSIE treats it as no |
8676 |
password on export: but it will try both on import. We now do |
8677 |
the same: PKCS12_parse() tries zero length and no password if |
8678 |
the password is set to "" or NULL (NULL is now a valid password: |
8679 |
it wasn't before) as does the pkcs12 application. |
8680 |
[Steve Henson] |
8681 |
|
8682 |
*) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use |
8683 |
perror when PEM_read_bio_X509_REQ fails, the error message must |
8684 |
be obtained from the error queue. |
8685 |
[Bodo Moeller] |
8686 |
|
8687 |
*) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing |
8688 |
it in ERR_remove_state if appropriate, and change ERR_get_state |
8689 |
accordingly to avoid race conditions (this is necessary because |
8690 |
thread_hash is no longer constant once set). |
8691 |
[Bodo Moeller] |
8692 |
|
8693 |
*) Bugfix for linux-elf makefile.one. |
8694 |
[Ulf Möller] |
8695 |
|
8696 |
*) RSA_get_default_method() will now cause a default |
8697 |
RSA_METHOD to be chosen if one doesn't exist already. |
8698 |
Previously this was only set during a call to RSA_new() |
8699 |
or RSA_new_method(NULL) meaning it was possible for |
8700 |
RSA_get_default_method() to return NULL. |
8701 |
[Geoff Thorpe] |
8702 |
|
8703 |
*) Added native name translation to the existing DSO code |
8704 |
that will convert (if the flag to do so is set) filenames |
8705 |
that are sufficiently small and have no path information |
8706 |
into a canonical native form. Eg. "blah" converted to |
8707 |
"libblah.so" or "blah.dll" etc. |
8708 |
[Geoff Thorpe] |
8709 |
|
8710 |
*) New function ERR_error_string_n(e, buf, len) which is like |
8711 |
ERR_error_string(e, buf), but writes at most 'len' bytes |
8712 |
including the 0 terminator. For ERR_error_string_n, 'buf' |
8713 |
may not be NULL. |
8714 |
[Damien Miller <djm@mindrot.org>, Bodo Moeller] |
8715 |
|
8716 |
*) CONF library reworked to become more general. A new CONF |
8717 |
configuration file reader "class" is implemented as well as a |
8718 |
new functions (NCONF_*, for "New CONF") to handle it. The now |
8719 |
old CONF_* functions are still there, but are reimplemented to |
8720 |
work in terms of the new functions. Also, a set of functions |
8721 |
to handle the internal storage of the configuration data is |
8722 |
provided to make it easier to write new configuration file |
8723 |
reader "classes" (I can definitely see something reading a |
8724 |
configuration file in XML format, for example), called _CONF_*, |
8725 |
or "the configuration storage API"... |
8726 |
|
8727 |
The new configuration file reading functions are: |
8728 |
|
8729 |
NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, |
8730 |
NCONF_get_section, NCONF_get_string, NCONF_get_numbre |
8731 |
|
8732 |
NCONF_default, NCONF_WIN32 |
8733 |
|
8734 |
NCONF_dump_fp, NCONF_dump_bio |
8735 |
|
8736 |
NCONF_default and NCONF_WIN32 are method (or "class") choosers, |
8737 |
NCONF_new creates a new CONF object. This works in the same way |
8738 |
as other interfaces in OpenSSL, like the BIO interface. |
8739 |
NCONF_dump_* dump the internal storage of the configuration file, |
8740 |
which is useful for debugging. All other functions take the same |
8741 |
arguments as the old CONF_* functions wth the exception of the |
8742 |
first that must be a `CONF *' instead of a `LHASH *'. |
8743 |
|
8744 |
To make it easer to use the new classes with the old CONF_* functions, |
8745 |
the function CONF_set_default_method is provided. |
8746 |
[Richard Levitte] |
8747 |
|
8748 |
*) Add '-tls1' option to 'openssl ciphers', which was already |
8749 |
mentioned in the documentation but had not been implemented. |
8750 |
(This option is not yet really useful because even the additional |
8751 |
experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) |
8752 |
[Bodo Moeller] |
8753 |
|
8754 |
*) Initial DSO code added into libcrypto for letting OpenSSL (and |
8755 |
OpenSSL-based applications) load shared libraries and bind to |
8756 |
them in a portable way. |
8757 |
[Geoff Thorpe, with contributions from Richard Levitte] |
8758 |
|
8759 |
Changes between 0.9.5 and 0.9.5a [1 Apr 2000] |
8760 |
|
8761 |
*) Make sure _lrotl and _lrotr are only used with MSVC. |
8762 |
|
8763 |
*) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status |
8764 |
(the default implementation of RAND_status). |
8765 |
|
8766 |
*) Rename openssl x509 option '-crlext', which was added in 0.9.5, |
8767 |
to '-clrext' (= clear extensions), as intended and documented. |
8768 |
[Bodo Moeller; inconsistency pointed out by Michael Attili |
8769 |
<attili@amaxo.com>] |
8770 |
|
8771 |
*) Fix for HMAC. It wasn't zeroing the rest of the block if the key length |
8772 |
was larger than the MD block size. |
8773 |
[Steve Henson, pointed out by Yost William <YostW@tce.com>] |
8774 |
|
8775 |
*) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument |
8776 |
fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set() |
8777 |
using the passed key: if the passed key was a private key the result |
8778 |
of X509_print(), for example, would be to print out all the private key |
8779 |
components. |
8780 |
[Steve Henson] |
8781 |
|
8782 |
*) des_quad_cksum() byte order bug fix. |
8783 |
[Ulf Möller, using the problem description in krb4-0.9.7, where |
8784 |
the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>] |
8785 |
|
8786 |
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly |
8787 |
discouraged. |
8788 |
[Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>] |
8789 |
|
8790 |
*) For easily testing in shell scripts whether some command |
8791 |
'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' |
8792 |
returns with exit code 0 iff no command of the given name is available. |
8793 |
'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, |
8794 |
the output goes to stdout and nothing is printed to stderr. |
8795 |
Additional arguments are always ignored. |
8796 |
|
8797 |
Since for each cipher there is a command of the same name, |
8798 |
the 'no-cipher' compilation switches can be tested this way. |
8799 |
|
8800 |
('openssl no-XXX' is not able to detect pseudo-commands such |
8801 |
as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) |
8802 |
[Bodo Moeller] |
8803 |
|
8804 |
*) Update test suite so that 'make test' succeeds in 'no-rsa' configuration. |
8805 |
[Bodo Moeller] |
8806 |
|
8807 |
*) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE |
8808 |
is set; it will be thrown away anyway because each handshake creates |
8809 |
its own key. |
8810 |
ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition |
8811 |
to parameters -- in previous versions (since OpenSSL 0.9.3) the |
8812 |
'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining |
8813 |
you effectivly got SSL_OP_SINGLE_DH_USE when using this macro. |
8814 |
[Bodo Moeller] |
8815 |
|
8816 |
*) New s_client option -ign_eof: EOF at stdin is ignored, and |
8817 |
'Q' and 'R' lose their special meanings (quit/renegotiate). |
8818 |
This is part of what -quiet does; unlike -quiet, -ign_eof |
8819 |
does not suppress any output. |
8820 |
[Richard Levitte] |
8821 |
|
8822 |
*) Add compatibility options to the purpose and trust code. The |
8823 |
purpose X509_PURPOSE_ANY is "any purpose" which automatically |
8824 |
accepts a certificate or CA, this was the previous behaviour, |
8825 |
with all the associated security issues. |
8826 |
|
8827 |
X509_TRUST_COMPAT is the old trust behaviour: only and |
8828 |
automatically trust self signed roots in certificate store. A |
8829 |
new trust setting X509_TRUST_DEFAULT is used to specify that |
8830 |
a purpose has no associated trust setting and it should instead |
8831 |
use the value in the default purpose. |
8832 |
[Steve Henson] |
8833 |
|
8834 |
*) Fix the PKCS#8 DSA private key code so it decodes keys again |
8835 |
and fix a memory leak. |
8836 |
[Steve Henson] |
8837 |
|
8838 |
*) In util/mkerr.pl (which implements 'make errors'), preserve |
8839 |
reason strings from the previous version of the .c file, as |
8840 |
the default to have only downcase letters (and digits) in |
8841 |
automatically generated reasons codes is not always appropriate. |
8842 |
[Bodo Moeller] |
8843 |
|
8844 |
*) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table |
8845 |
using strerror. Previously, ERR_reason_error_string() returned |
8846 |
library names as reason strings for SYSerr; but SYSerr is a special |
8847 |
case where small numbers are errno values, not library numbers. |
8848 |
[Bodo Moeller] |
8849 |
|
8850 |
*) Add '-dsaparam' option to 'openssl dhparam' application. This |
8851 |
converts DSA parameters into DH parameters. (When creating parameters, |
8852 |
DSA_generate_parameters is used.) |
8853 |
[Bodo Moeller] |
8854 |
|
8855 |
*) Include 'length' (recommended exponent length) in C code generated |
8856 |
by 'openssl dhparam -C'. |
8857 |
[Bodo Moeller] |
8858 |
|
8859 |
*) The second argument to set_label in perlasm was already being used |
8860 |
so couldn't be used as a "file scope" flag. Moved to third argument |
8861 |
which was free. |
8862 |
[Steve Henson] |
8863 |
|
8864 |
*) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes |
8865 |
instead of RAND_bytes for encryption IVs and salts. |
8866 |
[Bodo Moeller] |
8867 |
|
8868 |
*) Include RAND_status() into RAND_METHOD instead of implementing |
8869 |
it only for md_rand.c Otherwise replacing the PRNG by calling |
8870 |
RAND_set_rand_method would be impossible. |
8871 |
[Bodo Moeller] |
8872 |
|
8873 |
*) Don't let DSA_generate_key() enter an infinite loop if the random |
8874 |
number generation fails. |
8875 |
[Bodo Moeller] |
8876 |
|
8877 |
*) New 'rand' application for creating pseudo-random output. |
8878 |
[Bodo Moeller] |
8879 |
|
8880 |
*) Added configuration support for Linux/IA64 |
8881 |
[Rolf Haberrecker <rolf@suse.de>] |
8882 |
|
8883 |
*) Assembler module support for Mingw32. |
8884 |
[Ulf Möller] |
8885 |
|
8886 |
*) Shared library support for HPUX (in shlib/). |
8887 |
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous] |
8888 |
|
8889 |
*) Shared library support for Solaris gcc. |
8890 |
[Lutz Behnke <behnke@trustcenter.de>] |
8891 |
|
8892 |
Changes between 0.9.4 and 0.9.5 [28 Feb 2000] |
8893 |
|
8894 |
*) PKCS7_encrypt() was adding text MIME headers twice because they |
8895 |
were added manually and by SMIME_crlf_copy(). |
8896 |
[Steve Henson] |
8897 |
|
8898 |
*) In bntest.c don't call BN_rand with zero bits argument. |
8899 |
[Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>] |
8900 |
|
8901 |
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] |
8902 |
case was implemented. This caused BN_div_recp() to fail occasionally. |
8903 |
[Ulf Möller] |
8904 |
|
8905 |
*) Add an optional second argument to the set_label() in the perl |
8906 |
assembly language builder. If this argument exists and is set |
8907 |
to 1 it signals that the assembler should use a symbol whose |
8908 |
scope is the entire file, not just the current function. This |
8909 |
is needed with MASM which uses the format label:: for this scope. |
8910 |
[Steve Henson, pointed out by Peter Runestig <peter@runestig.com>] |
8911 |
|
8912 |
*) Change the ASN1 types so they are typedefs by default. Before |
8913 |
almost all types were #define'd to ASN1_STRING which was causing |
8914 |
STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING) |
8915 |
for example. |
8916 |
[Steve Henson] |
8917 |
|
8918 |
*) Change names of new functions to the new get1/get0 naming |
8919 |
convention: After 'get1', the caller owns a reference count |
8920 |
and has to call ..._free; 'get0' returns a pointer to some |
8921 |
data structure without incrementing reference counters. |
8922 |
(Some of the existing 'get' functions increment a reference |
8923 |
counter, some don't.) |
8924 |
Similarly, 'set1' and 'add1' functions increase reference |
8925 |
counters or duplicate objects. |
8926 |
[Steve Henson] |
8927 |
|
8928 |
*) Allow for the possibility of temp RSA key generation failure: |
8929 |
the code used to assume it always worked and crashed on failure. |
8930 |
[Steve Henson] |
8931 |
|
8932 |
*) Fix potential buffer overrun problem in BIO_printf(). |
8933 |
[Ulf Möller, using public domain code by Patrick Powell; problem |
8934 |
pointed out by David Sacerdote <das33@cornell.edu>] |
8935 |
|
8936 |
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions |
8937 |
RAND_egd() and RAND_status(). In the command line application, |
8938 |
the EGD socket can be specified like a seed file using RANDFILE |
8939 |
or -rand. |
8940 |
[Ulf Möller] |
8941 |
|
8942 |
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. |
8943 |
Some CAs (e.g. Verisign) distribute certificates in this form. |
8944 |
[Steve Henson] |
8945 |
|
8946 |
*) Remove the SSL_ALLOW_ADH compile option and set the default cipher |
8947 |
list to exclude them. This means that no special compilation option |
8948 |
is needed to use anonymous DH: it just needs to be included in the |
8949 |
cipher list. |
8950 |
[Steve Henson] |
8951 |
|
8952 |
*) Change the EVP_MD_CTX_type macro so its meaning consistent with |
8953 |
EVP_MD_type. The old functionality is available in a new macro called |
8954 |
EVP_MD_md(). Change code that uses it and update docs. |
8955 |
[Steve Henson] |
8956 |
|
8957 |
*) ..._ctrl functions now have corresponding ..._callback_ctrl functions |
8958 |
where the 'void *' argument is replaced by a function pointer argument. |
8959 |
Previously 'void *' was abused to point to functions, which works on |
8960 |
many platforms, but is not correct. As these functions are usually |
8961 |
called by macros defined in OpenSSL header files, most source code |
8962 |
should work without changes. |
8963 |
[Richard Levitte] |
8964 |
|
8965 |
*) <openssl/opensslconf.h> (which is created by Configure) now contains |
8966 |
sections with information on -D... compiler switches used for |
8967 |
compiling the library so that applications can see them. To enable |
8968 |
one of these sections, a pre-processor symbol OPENSSL_..._DEFINES |
8969 |
must be defined. E.g., |
8970 |
#define OPENSSL_ALGORITHM_DEFINES |
8971 |
#include <openssl/opensslconf.h> |
8972 |
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc. |
8973 |
[Richard Levitte, Ulf and Bodo Möller] |
8974 |
|
8975 |
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS |
8976 |
record layer. |
8977 |
[Bodo Moeller] |
8978 |
|
8979 |
*) Change the 'other' type in certificate aux info to a STACK_OF |
8980 |
X509_ALGOR. Although not an AlgorithmIdentifier as such it has |
8981 |
the required ASN1 format: arbitrary types determined by an OID. |
8982 |
[Steve Henson] |
8983 |
|
8984 |
*) Add some PEM_write_X509_REQ_NEW() functions and a command line |
8985 |
argument to 'req'. This is not because the function is newer or |
8986 |
better than others it just uses the work 'NEW' in the certificate |
8987 |
request header lines. Some software needs this. |
8988 |
[Steve Henson] |
8989 |
|
8990 |
*) Reorganise password command line arguments: now passwords can be |
8991 |
obtained from various sources. Delete the PEM_cb function and make |
8992 |
it the default behaviour: i.e. if the callback is NULL and the |
8993 |
usrdata argument is not NULL interpret it as a null terminated pass |
8994 |
phrase. If usrdata and the callback are NULL then the pass phrase |
8995 |
is prompted for as usual. |
8996 |
[Steve Henson] |
8997 |
|
8998 |
*) Add support for the Compaq Atalla crypto accelerator. If it is installed, |
8999 |
the support is automatically enabled. The resulting binaries will |
9000 |
autodetect the card and use it if present. |
9001 |
[Ben Laurie and Compaq Inc.] |
9002 |
|
9003 |
*) Work around for Netscape hang bug. This sends certificate request |
9004 |
and server done in one record. Since this is perfectly legal in the |
9005 |
SSL/TLS protocol it isn't a "bug" option and is on by default. See |
9006 |
the bugs/SSLv3 entry for more info. |
9007 |
[Steve Henson] |
9008 |
|
9009 |
*) HP-UX tune-up: new unified configs, HP C compiler bug workaround. |
9010 |
[Andy Polyakov] |
9011 |
|
9012 |
*) Add -rand argument to smime and pkcs12 applications and read/write |
9013 |
of seed file. |
9014 |
[Steve Henson] |
9015 |
|
9016 |
*) New 'passwd' tool for crypt(3) and apr1 password hashes. |
9017 |
[Bodo Moeller] |
9018 |
|
9019 |
*) Add command line password options to the remaining applications. |
9020 |
[Steve Henson] |
9021 |
|
9022 |
*) Bug fix for BN_div_recp() for numerators with an even number of |
9023 |
bits. |
9024 |
[Ulf Möller] |
9025 |
|
9026 |
*) More tests in bntest.c, and changed test_bn output. |
9027 |
[Ulf Möller] |
9028 |
|
9029 |
*) ./config recognizes MacOS X now. |
9030 |
[Andy Polyakov] |
9031 |
|
9032 |
*) Bug fix for BN_div() when the first words of num and divsor are |
9033 |
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). |
9034 |
[Ulf Möller] |
9035 |
|
9036 |
*) Add support for various broken PKCS#8 formats, and command line |
9037 |
options to produce them. |
9038 |
[Steve Henson] |
9039 |
|
9040 |
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to |
9041 |
get temporary BIGNUMs from a BN_CTX. |
9042 |
[Ulf Möller] |
9043 |
|
9044 |
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() |
9045 |
for p == 0. |
9046 |
[Ulf Möller] |
9047 |
|
9048 |
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and |
9049 |
include a #define from the old name to the new. The original intent |
9050 |
was that statically linked binaries could for example just call |
9051 |
SSLeay_add_all_ciphers() to just add ciphers to the table and not |
9052 |
link with digests. This never worked becayse SSLeay_add_all_digests() |
9053 |
and SSLeay_add_all_ciphers() were in the same source file so calling |
9054 |
one would link with the other. They are now in separate source files. |
9055 |
[Steve Henson] |
9056 |
|
9057 |
*) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'. |
9058 |
[Steve Henson] |
9059 |
|
9060 |
*) Use a less unusual form of the Miller-Rabin primality test (it used |
9061 |
a binary algorithm for exponentiation integrated into the Miller-Rabin |
9062 |
loop, our standard modexp algorithms are faster). |
9063 |
[Bodo Moeller] |
9064 |
|
9065 |
*) Support for the EBCDIC character set completed. |
9066 |
[Martin Kraemer <Martin.Kraemer@Mch.SNI.De>] |
9067 |
|
9068 |
*) Source code cleanups: use const where appropriate, eliminate casts, |
9069 |
use void * instead of char * in lhash. |
9070 |
[Ulf Möller] |
9071 |
|
9072 |
*) Bugfix: ssl3_send_server_key_exchange was not restartable |
9073 |
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of |
9074 |
this the server could overwrite ephemeral keys that the client |
9075 |
has already seen). |
9076 |
[Bodo Moeller] |
9077 |
|
9078 |
*) Turn DSA_is_prime into a macro that calls BN_is_prime, |
9079 |
using 50 iterations of the Rabin-Miller test. |
9080 |
|
9081 |
DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 |
9082 |
iterations of the Rabin-Miller test as required by the appendix |
9083 |
to FIPS PUB 186[-1]) instead of DSA_is_prime. |
9084 |
As BN_is_prime_fasttest includes trial division, DSA parameter |
9085 |
generation becomes much faster. |
9086 |
|
9087 |
This implies a change for the callback functions in DSA_is_prime |
9088 |
and DSA_generate_parameters: The callback function is called once |
9089 |
for each positive witness in the Rabin-Miller test, not just |
9090 |
occasionally in the inner loop; and the parameters to the |
9091 |
callback function now provide an iteration count for the outer |
9092 |
loop rather than for the current invocation of the inner loop. |
9093 |
DSA_generate_parameters additionally can call the callback |
9094 |
function with an 'iteration count' of -1, meaning that a |
9095 |
candidate has passed the trial division test (when q is generated |
9096 |
from an application-provided seed, trial division is skipped). |
9097 |
[Bodo Moeller] |
9098 |
|
9099 |
*) New function BN_is_prime_fasttest that optionally does trial |
9100 |
division before starting the Rabin-Miller test and has |
9101 |
an additional BN_CTX * argument (whereas BN_is_prime always |
9102 |
has to allocate at least one BN_CTX). |
9103 |
'callback(1, -1, cb_arg)' is called when a number has passed the |
9104 |
trial division stage. |
9105 |
[Bodo Moeller] |
9106 |
|
9107 |
*) Fix for bug in CRL encoding. The validity dates weren't being handled |
9108 |
as ASN1_TIME. |
9109 |
[Steve Henson] |
9110 |
|
9111 |
*) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. |
9112 |
[Steve Henson] |
9113 |
|
9114 |
*) New function BN_pseudo_rand(). |
9115 |
[Ulf Möller] |
9116 |
|
9117 |
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) |
9118 |
bignum version of BN_from_montgomery() with the working code from |
9119 |
SSLeay 0.9.0 (the word based version is faster anyway), and clean up |
9120 |
the comments. |
9121 |
[Ulf Möller] |
9122 |
|
9123 |
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that |
9124 |
made it impossible to use the same SSL_SESSION data structure in |
9125 |
SSL2 clients in multiple threads. |
9126 |
[Bodo Moeller] |
9127 |
|
9128 |
*) The return value of RAND_load_file() no longer counts bytes obtained |
9129 |
by stat(). RAND_load_file(..., -1) is new and uses the complete file |
9130 |
to seed the PRNG (previously an explicit byte count was required). |
9131 |
[Ulf Möller, Bodo Möller] |
9132 |
|
9133 |
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes |
9134 |
used (char *) instead of (void *) and had casts all over the place. |
9135 |
[Steve Henson] |
9136 |
|
9137 |
*) Make BN_generate_prime() return NULL on error if ret!=NULL. |
9138 |
[Ulf Möller] |
9139 |
|
9140 |
*) Retain source code compatibility for BN_prime_checks macro: |
9141 |
BN_is_prime(..., BN_prime_checks, ...) now uses |
9142 |
BN_prime_checks_for_size to determine the appropriate number of |
9143 |
Rabin-Miller iterations. |
9144 |
[Ulf Möller] |
9145 |
|
9146 |
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to |
9147 |
DH_CHECK_P_NOT_SAFE_PRIME. |
9148 |
(Check if this is true? OpenPGP calls them "strong".) |
9149 |
[Ulf Möller] |
9150 |
|
9151 |
*) Merge the functionality of "dh" and "gendh" programs into a new program |
9152 |
"dhparam". The old programs are retained for now but will handle DH keys |
9153 |
(instead of parameters) in future. |
9154 |
[Steve Henson] |
9155 |
|
9156 |
*) Make the ciphers, s_server and s_client programs check the return values |
9157 |
when a new cipher list is set. |
9158 |
[Steve Henson] |
9159 |
|
9160 |
*) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit |
9161 |
ciphers. Before when the 56bit ciphers were enabled the sorting was |
9162 |
wrong. |
9163 |
|
9164 |
The syntax for the cipher sorting has been extended to support sorting by |
9165 |
cipher-strength (using the strength_bits hard coded in the tables). |
9166 |
The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). |
9167 |
|
9168 |
Fix a bug in the cipher-command parser: when supplying a cipher command |
9169 |
string with an "undefined" symbol (neither command nor alphanumeric |
9170 |
[A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now |
9171 |
an error is flagged. |
9172 |
|
9173 |
Due to the strength-sorting extension, the code of the |
9174 |
ssl_create_cipher_list() function was completely rearranged. I hope that |
9175 |
the readability was also increased :-) |
9176 |
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] |
9177 |
|
9178 |
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 |
9179 |
for the first serial number and places 2 in the serial number file. This |
9180 |
avoids problems when the root CA is created with serial number zero and |
9181 |
the first user certificate has the same issuer name and serial number |
9182 |
as the root CA. |
9183 |
[Steve Henson] |
9184 |
|
9185 |
*) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses |
9186 |
the new code. Add documentation for this stuff. |
9187 |
[Steve Henson] |
9188 |
|
9189 |
*) Changes to X509_ATTRIBUTE utilities. These have been renamed from |
9190 |
X509_*() to X509at_*() on the grounds that they don't handle X509 |
9191 |
structures and behave in an analagous way to the X509v3 functions: |
9192 |
they shouldn't be called directly but wrapper functions should be used |
9193 |
instead. |
9194 |
|
9195 |
So we also now have some wrapper functions that call the X509at functions |
9196 |
when passed certificate requests. (TO DO: similar things can be done with |
9197 |
PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other |
9198 |
things. Some of these need some d2i or i2d and print functionality |
9199 |
because they handle more complex structures.) |
9200 |
[Steve Henson] |
9201 |
|
9202 |
*) Add missing #ifndefs that caused missing symbols when building libssl |
9203 |
as a shared library without RSA. Use #ifndef NO_SSL2 instead of |
9204 |
NO_RSA in ssl/s2*.c. |
9205 |
[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller] |
9206 |
|
9207 |
*) Precautions against using the PRNG uninitialized: RAND_bytes() now |
9208 |
has a return value which indicates the quality of the random data |
9209 |
(1 = ok, 0 = not seeded). Also an error is recorded on the thread's |
9210 |
error queue. New function RAND_pseudo_bytes() generates output that is |
9211 |
guaranteed to be unique but not unpredictable. RAND_add is like |
9212 |
RAND_seed, but takes an extra argument for an entropy estimate |
9213 |
(RAND_seed always assumes full entropy). |
9214 |
[Ulf Möller] |
9215 |
|
9216 |
*) Do more iterations of Rabin-Miller probable prime test (specifically, |
9217 |
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes |
9218 |
instead of only 2 for all lengths; see BN_prime_checks_for_size definition |
9219 |
in crypto/bn/bn_prime.c for the complete table). This guarantees a |
9220 |
false-positive rate of at most 2^-80 for random input. |
9221 |
[Bodo Moeller] |
9222 |
|
9223 |
*) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. |
9224 |
[Bodo Moeller] |
9225 |
|
9226 |
*) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain |
9227 |
in the 0.9.5 release), this returns the chain |
9228 |
from an X509_CTX structure with a dup of the stack and all |
9229 |
the X509 reference counts upped: so the stack will exist |
9230 |
after X509_CTX_cleanup() has been called. Modify pkcs12.c |
9231 |
to use this. |
9232 |
|
9233 |
Also make SSL_SESSION_print() print out the verify return |
9234 |
code. |
9235 |
[Steve Henson] |
9236 |
|
9237 |
*) Add manpage for the pkcs12 command. Also change the default |
9238 |
behaviour so MAC iteration counts are used unless the new |
9239 |
-nomaciter option is used. This improves file security and |
9240 |
only older versions of MSIE (4.0 for example) need it. |
9241 |
[Steve Henson] |
9242 |
|
9243 |
*) Honor the no-xxx Configure options when creating .DEF files. |
9244 |
[Ulf Möller] |
9245 |
|
9246 |
*) Add PKCS#10 attributes to field table: challengePassword, |
9247 |
unstructuredName and unstructuredAddress. These are taken from |
9248 |
draft PKCS#9 v2.0 but are compatible with v1.2 provided no |
9249 |
international characters are used. |
9250 |
|
9251 |
More changes to X509_ATTRIBUTE code: allow the setting of types |
9252 |
based on strings. Remove the 'loc' parameter when adding |
9253 |
attributes because these will be a SET OF encoding which is sorted |
9254 |
in ASN1 order. |
9255 |
[Steve Henson] |
9256 |
|
9257 |
*) Initial changes to the 'req' utility to allow request generation |
9258 |
automation. This will allow an application to just generate a template |
9259 |
file containing all the field values and have req construct the |
9260 |
request. |
9261 |
|
9262 |
Initial support for X509_ATTRIBUTE handling. Stacks of these are |
9263 |
used all over the place including certificate requests and PKCS#7 |
9264 |
structures. They are currently handled manually where necessary with |
9265 |
some primitive wrappers for PKCS#7. The new functions behave in a |
9266 |
manner analogous to the X509 extension functions: they allow |
9267 |
attributes to be looked up by NID and added. |
9268 |
|
9269 |
Later something similar to the X509V3 code would be desirable to |
9270 |
automatically handle the encoding, decoding and printing of the |
9271 |
more complex types. The string types like challengePassword can |
9272 |
be handled by the string table functions. |
9273 |
|
9274 |
Also modified the multi byte string table handling. Now there is |
9275 |
a 'global mask' which masks out certain types. The table itself |
9276 |
can use the flag STABLE_NO_MASK to ignore the mask setting: this |
9277 |
is useful when for example there is only one permissible type |
9278 |
(as in countryName) and using the mask might result in no valid |
9279 |
types at all. |
9280 |
[Steve Henson] |
9281 |
|
9282 |
*) Clean up 'Finished' handling, and add functions SSL_get_finished and |
9283 |
SSL_get_peer_finished to allow applications to obtain the latest |
9284 |
Finished messages sent to the peer or expected from the peer, |
9285 |
respectively. (SSL_get_peer_finished is usually the Finished message |
9286 |
actually received from the peer, otherwise the protocol will be aborted.) |
9287 |
|
9288 |
As the Finished message are message digests of the complete handshake |
9289 |
(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can |
9290 |
be used for external authentication procedures when the authentication |
9291 |
provided by SSL/TLS is not desired or is not enough. |
9292 |
[Bodo Moeller] |
9293 |
|
9294 |
*) Enhanced support for Alpha Linux is added. Now ./config checks if |
9295 |
the host supports BWX extension and if Compaq C is present on the |
9296 |
$PATH. Just exploiting of the BWX extension results in 20-30% |
9297 |
performance kick for some algorithms, e.g. DES and RC4 to mention |
9298 |
a couple. Compaq C in turn generates ~20% faster code for MD5 and |
9299 |
SHA1. |
9300 |
[Andy Polyakov] |
9301 |
|
9302 |
*) Add support for MS "fast SGC". This is arguably a violation of the |
9303 |
SSL3/TLS protocol. Netscape SGC does two handshakes: the first with |
9304 |
weak crypto and after checking the certificate is SGC a second one |
9305 |
with strong crypto. MS SGC stops the first handshake after receiving |
9306 |
the server certificate message and sends a second client hello. Since |
9307 |
a server will typically do all the time consuming operations before |
9308 |
expecting any further messages from the client (server key exchange |
9309 |
is the most expensive) there is little difference between the two. |
9310 |
|
9311 |
To get OpenSSL to support MS SGC we have to permit a second client |
9312 |
hello message after we have sent server done. In addition we have to |
9313 |
reset the MAC if we do get this second client hello. |
9314 |
[Steve Henson] |
9315 |
|
9316 |
*) Add a function 'd2i_AutoPrivateKey()' this will automatically decide |
9317 |
if a DER encoded private key is RSA or DSA traditional format. Changed |
9318 |
d2i_PrivateKey_bio() to use it. This is only needed for the "traditional" |
9319 |
format DER encoded private key. Newer code should use PKCS#8 format which |
9320 |
has the key type encoded in the ASN1 structure. Added DER private key |
9321 |
support to pkcs8 application. |
9322 |
[Steve Henson] |
9323 |
|
9324 |
*) SSL 3/TLS 1 servers now don't request certificates when an anonymous |
9325 |
ciphersuites has been selected (as required by the SSL 3/TLS 1 |
9326 |
specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
9327 |
is set, we interpret this as a request to violate the specification |
9328 |
(the worst that can happen is a handshake failure, and 'correct' |
9329 |
behaviour would result in a handshake failure anyway). |
9330 |
[Bodo Moeller] |
9331 |
|
9332 |
*) In SSL_CTX_add_session, take into account that there might be multiple |
9333 |
SSL_SESSION structures with the same session ID (e.g. when two threads |
9334 |
concurrently obtain them from an external cache). |
9335 |
The internal cache can handle only one SSL_SESSION with a given ID, |
9336 |
so if there's a conflict, we now throw out the old one to achieve |
9337 |
consistency. |
9338 |
[Bodo Moeller] |
9339 |
|
9340 |
*) Add OIDs for idea and blowfish in CBC mode. This will allow both |
9341 |
to be used in PKCS#5 v2.0 and S/MIME. Also add checking to |
9342 |
some routines that use cipher OIDs: some ciphers do not have OIDs |
9343 |
defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for |
9344 |
example. |
9345 |
[Steve Henson] |
9346 |
|
9347 |
*) Simplify the trust setting structure and code. Now we just have |
9348 |
two sequences of OIDs for trusted and rejected settings. These will |
9349 |
typically have values the same as the extended key usage extension |
9350 |
and any application specific purposes. |
9351 |
|
9352 |
The trust checking code now has a default behaviour: it will just |
9353 |
check for an object with the same NID as the passed id. Functions can |
9354 |
be provided to override either the default behaviour or the behaviour |
9355 |
for a given id. SSL client, server and email already have functions |
9356 |
in place for compatibility: they check the NID and also return "trusted" |
9357 |
if the certificate is self signed. |
9358 |
[Steve Henson] |
9359 |
|
9360 |
*) Add d2i,i2d bio/fp functions for PrivateKey: these convert the |
9361 |
traditional format into an EVP_PKEY structure. |
9362 |
[Steve Henson] |
9363 |
|
9364 |
*) Add a password callback function PEM_cb() which either prompts for |
9365 |
a password if usr_data is NULL or otherwise assumes it is a null |
9366 |
terminated password. Allow passwords to be passed on command line |
9367 |
environment or config files in a few more utilities. |
9368 |
[Steve Henson] |
9369 |
|
9370 |
*) Add a bunch of DER and PEM functions to handle PKCS#8 format private |
9371 |
keys. Add some short names for PKCS#8 PBE algorithms and allow them |
9372 |
to be specified on the command line for the pkcs8 and pkcs12 utilities. |
9373 |
Update documentation. |
9374 |
[Steve Henson] |
9375 |
|
9376 |
*) Support for ASN1 "NULL" type. This could be handled before by using |
9377 |
ASN1_TYPE but there wasn't any function that would try to read a NULL |
9378 |
and produce an error if it couldn't. For compatibility we also have |
9379 |
ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and |
9380 |
don't allocate anything because they don't need to. |
9381 |
[Steve Henson] |
9382 |
|
9383 |
*) Initial support for MacOS is now provided. Examine INSTALL.MacOS |
9384 |
for details. |
9385 |
[Andy Polyakov, Roy Woods <roy@centicsystems.ca>] |
9386 |
|
9387 |
*) Rebuild of the memory allocation routines used by OpenSSL code and |
9388 |
possibly others as well. The purpose is to make an interface that |
9389 |
provide hooks so anyone can build a separate set of allocation and |
9390 |
deallocation routines to be used by OpenSSL, for example memory |
9391 |
pool implementations, or something else, which was previously hard |
9392 |
since Malloc(), Realloc() and Free() were defined as macros having |
9393 |
the values malloc, realloc and free, respectively (except for Win32 |
9394 |
compilations). The same is provided for memory debugging code. |
9395 |
OpenSSL already comes with functionality to find memory leaks, but |
9396 |
this gives people a chance to debug other memory problems. |
9397 |
|
9398 |
With these changes, a new set of functions and macros have appeared: |
9399 |
|
9400 |
CRYPTO_set_mem_debug_functions() [F] |
9401 |
CRYPTO_get_mem_debug_functions() [F] |
9402 |
CRYPTO_dbg_set_options() [F] |
9403 |
CRYPTO_dbg_get_options() [F] |
9404 |
CRYPTO_malloc_debug_init() [M] |
9405 |
|
9406 |
The memory debug functions are NULL by default, unless the library |
9407 |
is compiled with CRYPTO_MDEBUG or friends is defined. If someone |
9408 |
wants to debug memory anyway, CRYPTO_malloc_debug_init() (which |
9409 |
gives the standard debugging functions that come with OpenSSL) or |
9410 |
CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions |
9411 |
provided by the library user) must be used. When the standard |
9412 |
debugging functions are used, CRYPTO_dbg_set_options can be used to |
9413 |
request additional information: |
9414 |
CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting |
9415 |
the CRYPTO_MDEBUG_xxx macro when compiling the library. |
9416 |
|
9417 |
Also, things like CRYPTO_set_mem_functions will always give the |
9418 |
expected result (the new set of functions is used for allocation |
9419 |
and deallocation) at all times, regardless of platform and compiler |
9420 |
options. |
9421 |
|
9422 |
To finish it up, some functions that were never use in any other |
9423 |
way than through macros have a new API and new semantic: |
9424 |
|
9425 |
CRYPTO_dbg_malloc() |
9426 |
CRYPTO_dbg_realloc() |
9427 |
CRYPTO_dbg_free() |
9428 |
|
9429 |
All macros of value have retained their old syntax. |
9430 |
[Richard Levitte and Bodo Moeller] |
9431 |
|
9432 |
*) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the |
9433 |
ordering of SMIMECapabilities wasn't in "strength order" and there |
9434 |
was a missing NULL in the AlgorithmIdentifier for the SHA1 signature |
9435 |
algorithm. |
9436 |
[Steve Henson] |
9437 |
|
9438 |
*) Some ASN1 types with illegal zero length encoding (INTEGER, |
9439 |
ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. |
9440 |
[Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson] |
9441 |
|
9442 |
*) Merge in my S/MIME library for OpenSSL. This provides a simple |
9443 |
S/MIME API on top of the PKCS#7 code, a MIME parser (with enough |
9444 |
functionality to handle multipart/signed properly) and a utility |
9445 |
called 'smime' to call all this stuff. This is based on code I |
9446 |
originally wrote for Celo who have kindly allowed it to be |
9447 |
included in OpenSSL. |
9448 |
[Steve Henson] |
9449 |
|
9450 |
*) Add variants des_set_key_checked and des_set_key_unchecked of |
9451 |
des_set_key (aka des_key_sched). Global variable des_check_key |
9452 |
decides which of these is called by des_set_key; this way |
9453 |
des_check_key behaves as it always did, but applications and |
9454 |
the library itself, which was buggy for des_check_key == 1, |
9455 |
have a cleaner way to pick the version they need. |
9456 |
[Bodo Moeller] |
9457 |
|
9458 |
*) New function PKCS12_newpass() which changes the password of a |
9459 |
PKCS12 structure. |
9460 |
[Steve Henson] |
9461 |
|
9462 |
*) Modify X509_TRUST and X509_PURPOSE so it also uses a static and |
9463 |
dynamic mix. In both cases the ids can be used as an index into the |
9464 |
table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() |
9465 |
functions so they accept a list of the field values and the |
9466 |
application doesn't need to directly manipulate the X509_TRUST |
9467 |
structure. |
9468 |
[Steve Henson] |
9469 |
|
9470 |
*) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't |
9471 |
need initialising. |
9472 |
[Steve Henson] |
9473 |
|
9474 |
*) Modify the way the V3 extension code looks up extensions. This now |
9475 |
works in a similar way to the object code: we have some "standard" |
9476 |
extensions in a static table which is searched with OBJ_bsearch() |
9477 |
and the application can add dynamic ones if needed. The file |
9478 |
crypto/x509v3/ext_dat.h now has the info: this file needs to be |
9479 |
updated whenever a new extension is added to the core code and kept |
9480 |
in ext_nid order. There is a simple program 'tabtest.c' which checks |
9481 |
this. New extensions are not added too often so this file can readily |
9482 |
be maintained manually. |
9483 |
|
9484 |
There are two big advantages in doing things this way. The extensions |
9485 |
can be looked up immediately and no longer need to be "added" using |
9486 |
X509V3_add_standard_extensions(): this function now does nothing. |
9487 |
[Side note: I get *lots* of email saying the extension code doesn't |
9488 |
work because people forget to call this function] |
9489 |
Also no dynamic allocation is done unless new extensions are added: |
9490 |
so if we don't add custom extensions there is no need to call |
9491 |
X509V3_EXT_cleanup(). |
9492 |
[Steve Henson] |
9493 |
|
9494 |
*) Modify enc utility's salting as follows: make salting the default. Add a |
9495 |
magic header, so unsalted files fail gracefully instead of just decrypting |
9496 |
to garbage. This is because not salting is a big security hole, so people |
9497 |
should be discouraged from doing it. |
9498 |
[Ben Laurie] |
9499 |
|
9500 |
*) Fixes and enhancements to the 'x509' utility. It allowed a message |
9501 |
digest to be passed on the command line but it only used this |
9502 |
parameter when signing a certificate. Modified so all relevant |
9503 |
operations are affected by the digest parameter including the |
9504 |
-fingerprint and -x509toreq options. Also -x509toreq choked if a |
9505 |
DSA key was used because it didn't fix the digest. |
9506 |
[Steve Henson] |
9507 |
|
9508 |
*) Initial certificate chain verify code. Currently tests the untrusted |
9509 |
certificates for consistency with the verify purpose (which is set |
9510 |
when the X509_STORE_CTX structure is set up) and checks the pathlength. |
9511 |
|
9512 |
There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: |
9513 |
this is because it will reject chains with invalid extensions whereas |
9514 |
every previous version of OpenSSL and SSLeay made no checks at all. |
9515 |
|
9516 |
Trust code: checks the root CA for the relevant trust settings. Trust |
9517 |
settings have an initial value consistent with the verify purpose: e.g. |
9518 |
if the verify purpose is for SSL client use it expects the CA to be |
9519 |
trusted for SSL client use. However the default value can be changed to |
9520 |
permit custom trust settings: one example of this would be to only trust |
9521 |
certificates from a specific "secure" set of CAs. |
9522 |
|
9523 |
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions |
9524 |
which should be used for version portability: especially since the |
9525 |
verify structure is likely to change more often now. |
9526 |
|
9527 |
SSL integration. Add purpose and trust to SSL_CTX and SSL and functions |
9528 |
to set them. If not set then assume SSL clients will verify SSL servers |
9529 |
and vice versa. |
9530 |
|
9531 |
Two new options to the verify program: -untrusted allows a set of |
9532 |
untrusted certificates to be passed in and -purpose which sets the |
9533 |
intended purpose of the certificate. If a purpose is set then the |
9534 |
new chain verify code is used to check extension consistency. |
9535 |
[Steve Henson] |
9536 |
|
9537 |
*) Support for the authority information access extension. |
9538 |
[Steve Henson] |
9539 |
|
9540 |
*) Modify RSA and DSA PEM read routines to transparently handle |
9541 |
PKCS#8 format private keys. New *_PUBKEY_* functions that handle |
9542 |
public keys in a format compatible with certificate |
9543 |
SubjectPublicKeyInfo structures. Unfortunately there were already |
9544 |
functions called *_PublicKey_* which used various odd formats so |
9545 |
these are retained for compatibility: however the DSA variants were |
9546 |
never in a public release so they have been deleted. Changed dsa/rsa |
9547 |
utilities to handle the new format: note no releases ever handled public |
9548 |
keys so we should be OK. |
9549 |
|
9550 |
The primary motivation for this change is to avoid the same fiasco |
9551 |
that dogs private keys: there are several incompatible private key |
9552 |
formats some of which are standard and some OpenSSL specific and |
9553 |
require various evil hacks to allow partial transparent handling and |
9554 |
even then it doesn't work with DER formats. Given the option anything |
9555 |
other than PKCS#8 should be dumped: but the other formats have to |
9556 |
stay in the name of compatibility. |
9557 |
|
9558 |
With public keys and the benefit of hindsight one standard format |
9559 |
is used which works with EVP_PKEY, RSA or DSA structures: though |
9560 |
it clearly returns an error if you try to read the wrong kind of key. |
9561 |
|
9562 |
Added a -pubkey option to the 'x509' utility to output the public key. |
9563 |
Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() |
9564 |
(renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add |
9565 |
EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*()) |
9566 |
that do the same as the EVP_PKEY_assign_*() except they up the |
9567 |
reference count of the added key (they don't "swallow" the |
9568 |
supplied key). |
9569 |
[Steve Henson] |
9570 |
|
9571 |
*) Fixes to crypto/x509/by_file.c the code to read in certificates and |
9572 |
CRLs would fail if the file contained no certificates or no CRLs: |
9573 |
added a new function to read in both types and return the number |
9574 |
read: this means that if none are read it will be an error. The |
9575 |
DER versions of the certificate and CRL reader would always fail |
9576 |
because it isn't possible to mix certificates and CRLs in DER format |
9577 |
without choking one or the other routine. Changed this to just read |
9578 |
a certificate: this is the best we can do. Also modified the code |
9579 |
in apps/verify.c to take notice of return codes: it was previously |
9580 |
attempting to read in certificates from NULL pointers and ignoring |
9581 |
any errors: this is one reason why the cert and CRL reader seemed |
9582 |
to work. It doesn't check return codes from the default certificate |
9583 |
routines: these may well fail if the certificates aren't installed. |
9584 |
[Steve Henson] |
9585 |
|
9586 |
*) Code to support otherName option in GeneralName. |
9587 |
[Steve Henson] |
9588 |
|
9589 |
*) First update to verify code. Change the verify utility |
9590 |
so it warns if it is passed a self signed certificate: |
9591 |
for consistency with the normal behaviour. X509_verify |
9592 |
has been modified to it will now verify a self signed |
9593 |
certificate if *exactly* the same certificate appears |
9594 |
in the store: it was previously impossible to trust a |
9595 |
single self signed certificate. This means that: |
9596 |
openssl verify ss.pem |
9597 |
now gives a warning about a self signed certificate but |
9598 |
openssl verify -CAfile ss.pem ss.pem |
9599 |
is OK. |
9600 |
[Steve Henson] |
9601 |
|
9602 |
*) For servers, store verify_result in SSL_SESSION data structure |
9603 |
(and add it to external session representation). |
9604 |
This is needed when client certificate verifications fails, |
9605 |
but an application-provided verification callback (set by |
9606 |
SSL_CTX_set_cert_verify_callback) allows accepting the session |
9607 |
anyway (i.e. leaves x509_store_ctx->error != X509_V_OK |
9608 |
but returns 1): When the session is reused, we have to set |
9609 |
ssl->verify_result to the appropriate error code to avoid |
9610 |
security holes. |
9611 |
[Bodo Moeller, problem pointed out by Lutz Jaenicke] |
9612 |
|
9613 |
*) Fix a bug in the new PKCS#7 code: it didn't consider the |
9614 |
case in PKCS7_dataInit() where the signed PKCS7 structure |
9615 |
didn't contain any existing data because it was being created. |
9616 |
[Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson] |
9617 |
|
9618 |
*) Add a salt to the key derivation routines in enc.c. This |
9619 |
forms the first 8 bytes of the encrypted file. Also add a |
9620 |
-S option to allow a salt to be input on the command line. |
9621 |
[Steve Henson] |
9622 |
|
9623 |
*) New function X509_cmp(). Oddly enough there wasn't a function |
9624 |
to compare two certificates. We do this by working out the SHA1 |
9625 |
hash and comparing that. X509_cmp() will be needed by the trust |
9626 |
code. |
9627 |
[Steve Henson] |
9628 |
|
9629 |
*) SSL_get1_session() is like SSL_get_session(), but increments |
9630 |
the reference count in the SSL_SESSION returned. |
9631 |
[Geoff Thorpe <geoff@eu.c2.net>] |
9632 |
|
9633 |
*) Fix for 'req': it was adding a null to request attributes. |
9634 |
Also change the X509_LOOKUP and X509_INFO code to handle |
9635 |
certificate auxiliary information. |
9636 |
[Steve Henson] |
9637 |
|
9638 |
*) Add support for 40 and 64 bit RC2 and RC4 algorithms: document |
9639 |
the 'enc' command. |
9640 |
[Steve Henson] |
9641 |
|
9642 |
*) Add the possibility to add extra information to the memory leak |
9643 |
detecting output, to form tracebacks, showing from where each |
9644 |
allocation was originated: CRYPTO_push_info("constant string") adds |
9645 |
the string plus current file name and line number to a per-thread |
9646 |
stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info() |
9647 |
is like calling CYRPTO_pop_info() until the stack is empty. |
9648 |
Also updated memory leak detection code to be multi-thread-safe. |
9649 |
[Richard Levitte] |
9650 |
|
9651 |
*) Add options -text and -noout to pkcs7 utility and delete the |
9652 |
encryption options which never did anything. Update docs. |
9653 |
[Steve Henson] |
9654 |
|
9655 |
*) Add options to some of the utilities to allow the pass phrase |
9656 |
to be included on either the command line (not recommended on |
9657 |
OSes like Unix) or read from the environment. Update the |
9658 |
manpages and fix a few bugs. |
9659 |
[Steve Henson] |
9660 |
|
9661 |
*) Add a few manpages for some of the openssl commands. |
9662 |
[Steve Henson] |
9663 |
|
9664 |
*) Fix the -revoke option in ca. It was freeing up memory twice, |
9665 |
leaking and not finding already revoked certificates. |
9666 |
[Steve Henson] |
9667 |
|
9668 |
*) Extensive changes to support certificate auxiliary information. |
9669 |
This involves the use of X509_CERT_AUX structure and X509_AUX |
9670 |
functions. An X509_AUX function such as PEM_read_X509_AUX() |
9671 |
can still read in a certificate file in the usual way but it |
9672 |
will also read in any additional "auxiliary information". By |
9673 |
doing things this way a fair degree of compatibility can be |
9674 |
retained: existing certificates can have this information added |
9675 |
using the new 'x509' options. |
9676 |
|
9677 |
Current auxiliary information includes an "alias" and some trust |
9678 |
settings. The trust settings will ultimately be used in enhanced |
9679 |
certificate chain verification routines: currently a certificate |
9680 |
can only be trusted if it is self signed and then it is trusted |
9681 |
for all purposes. |
9682 |
[Steve Henson] |
9683 |
|
9684 |
*) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). |
9685 |
The problem was that one of the replacement routines had not been working |
9686 |
since SSLeay releases. For now the offending routine has been replaced |
9687 |
with non-optimised assembler. Even so, this now gives around 95% |
9688 |
performance improvement for 1024 bit RSA signs. |
9689 |
[Mark Cox] |
9690 |
|
9691 |
*) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 |
9692 |
handling. Most clients have the effective key size in bits equal to |
9693 |
the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. |
9694 |
A few however don't do this and instead use the size of the decrypted key |
9695 |
to determine the RC2 key length and the AlgorithmIdentifier to determine |
9696 |
the effective key length. In this case the effective key length can still |
9697 |
be 40 bits but the key length can be 168 bits for example. This is fixed |
9698 |
by manually forcing an RC2 key into the EVP_PKEY structure because the |
9699 |
EVP code can't currently handle unusual RC2 key sizes: it always assumes |
9700 |
the key length and effective key length are equal. |
9701 |
[Steve Henson] |
9702 |
|
9703 |
*) Add a bunch of functions that should simplify the creation of |
9704 |
X509_NAME structures. Now you should be able to do: |
9705 |
X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); |
9706 |
and have it automatically work out the correct field type and fill in |
9707 |
the structures. The more adventurous can try: |
9708 |
X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); |
9709 |
and it will (hopefully) work out the correct multibyte encoding. |
9710 |
[Steve Henson] |
9711 |
|
9712 |
*) Change the 'req' utility to use the new field handling and multibyte |
9713 |
copy routines. Before the DN field creation was handled in an ad hoc |
9714 |
way in req, ca, and x509 which was rather broken and didn't support |
9715 |
BMPStrings or UTF8Strings. Since some software doesn't implement |
9716 |
BMPStrings or UTF8Strings yet, they can be enabled using the config file |
9717 |
using the dirstring_type option. See the new comment in the default |
9718 |
openssl.cnf for more info. |
9719 |
[Steve Henson] |
9720 |
|
9721 |
*) Make crypto/rand/md_rand.c more robust: |
9722 |
- Assure unique random numbers after fork(). |
9723 |
- Make sure that concurrent threads access the global counter and |
9724 |
md serializably so that we never lose entropy in them |
9725 |
or use exactly the same state in multiple threads. |
9726 |
Access to the large state is not always serializable because |
9727 |
the additional locking could be a performance killer, and |
9728 |
md should be large enough anyway. |
9729 |
[Bodo Moeller] |
9730 |
|
9731 |
*) New file apps/app_rand.c with commonly needed functionality |
9732 |
for handling the random seed file. |
9733 |
|
9734 |
Use the random seed file in some applications that previously did not: |
9735 |
ca, |
9736 |
dsaparam -genkey (which also ignored its '-rand' option), |
9737 |
s_client, |
9738 |
s_server, |
9739 |
x509 (when signing). |
9740 |
Except on systems with /dev/urandom, it is crucial to have a random |
9741 |
seed file at least for key creation, DSA signing, and for DH exchanges; |
9742 |
for RSA signatures we could do without one. |
9743 |
|
9744 |
gendh and gendsa (unlike genrsa) used to read only the first byte |
9745 |
of each file listed in the '-rand' option. The function as previously |
9746 |
found in genrsa is now in app_rand.c and is used by all programs |
9747 |
that support '-rand'. |
9748 |
[Bodo Moeller] |
9749 |
|
9750 |
*) In RAND_write_file, use mode 0600 for creating files; |
9751 |
don't just chmod when it may be too late. |
9752 |
[Bodo Moeller] |
9753 |
|
9754 |
*) Report an error from X509_STORE_load_locations |
9755 |
when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. |
9756 |
[Bill Perry] |
9757 |
|
9758 |
*) New function ASN1_mbstring_copy() this copies a string in either |
9759 |
ASCII, Unicode, Universal (4 bytes per character) or UTF8 format |
9760 |
into an ASN1_STRING type. A mask of permissible types is passed |
9761 |
and it chooses the "minimal" type to use or an error if not type |
9762 |
is suitable. |
9763 |
[Steve Henson] |
9764 |
|
9765 |
*) Add function equivalents to the various macros in asn1.h. The old |
9766 |
macros are retained with an M_ prefix. Code inside the library can |
9767 |
use the M_ macros. External code (including the openssl utility) |
9768 |
should *NOT* in order to be "shared library friendly". |
9769 |
[Steve Henson] |
9770 |
|
9771 |
*) Add various functions that can check a certificate's extensions |
9772 |
to see if it usable for various purposes such as SSL client, |
9773 |
server or S/MIME and CAs of these types. This is currently |
9774 |
VERY EXPERIMENTAL but will ultimately be used for certificate chain |
9775 |
verification. Also added a -purpose flag to x509 utility to |
9776 |
print out all the purposes. |
9777 |
[Steve Henson] |
9778 |
|
9779 |
*) Add a CRYPTO_EX_DATA to X509 certificate structure and associated |
9780 |
functions. |
9781 |
[Steve Henson] |
9782 |
|
9783 |
*) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search |
9784 |
for, obtain and decode and extension and obtain its critical flag. |
9785 |
This allows all the necessary extension code to be handled in a |
9786 |
single function call. |
9787 |
[Steve Henson] |
9788 |
|
9789 |
*) RC4 tune-up featuring 30-40% performance improvement on most RISC |
9790 |
platforms. See crypto/rc4/rc4_enc.c for further details. |
9791 |
[Andy Polyakov] |
9792 |
|
9793 |
*) New -noout option to asn1parse. This causes no output to be produced |
9794 |
its main use is when combined with -strparse and -out to extract data |
9795 |
from a file (which may not be in ASN.1 format). |
9796 |
[Steve Henson] |
9797 |
|
9798 |
*) Fix for pkcs12 program. It was hashing an invalid certificate pointer |
9799 |
when producing the local key id. |
9800 |
[Richard Levitte <levitte@stacken.kth.se>] |
9801 |
|
9802 |
*) New option -dhparam in s_server. This allows a DH parameter file to be |
9803 |
stated explicitly. If it is not stated then it tries the first server |
9804 |
certificate file. The previous behaviour hard coded the filename |
9805 |
"server.pem". |
9806 |
[Steve Henson] |
9807 |
|
9808 |
*) Add -pubin and -pubout options to the rsa and dsa commands. These allow |
9809 |
a public key to be input or output. For example: |
9810 |
openssl rsa -in key.pem -pubout -out pubkey.pem |
9811 |
Also added necessary DSA public key functions to handle this. |
9812 |
[Steve Henson] |
9813 |
|
9814 |
*) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained |
9815 |
in the message. This was handled by allowing |
9816 |
X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. |
9817 |
[Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>] |
9818 |
|
9819 |
*) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null |
9820 |
to the end of the strings whereas this didn't. This would cause problems |
9821 |
if strings read with d2i_ASN1_bytes() were later modified. |
9822 |
[Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>] |
9823 |
|
9824 |
*) Fix for base64 decode bug. When a base64 bio reads only one line of |
9825 |
data and it contains EOF it will end up returning an error. This is |
9826 |
caused by input 46 bytes long. The cause is due to the way base64 |
9827 |
BIOs find the start of base64 encoded data. They do this by trying a |
9828 |
trial decode on each line until they find one that works. When they |
9829 |
do a flag is set and it starts again knowing it can pass all the |
9830 |
data directly through the decoder. Unfortunately it doesn't reset |
9831 |
the context it uses. This means that if EOF is reached an attempt |
9832 |
is made to pass two EOFs through the context and this causes the |
9833 |
resulting error. This can also cause other problems as well. As is |
9834 |
usual with these problems it takes *ages* to find and the fix is |
9835 |
trivial: move one line. |
9836 |
[Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] |
9837 |
|
9838 |
*) Ugly workaround to get s_client and s_server working under Windows. The |
9839 |
old code wouldn't work because it needed to select() on sockets and the |
9840 |
tty (for keypresses and to see if data could be written). Win32 only |
9841 |
supports select() on sockets so we select() with a 1s timeout on the |
9842 |
sockets and then see if any characters are waiting to be read, if none |
9843 |
are present then we retry, we also assume we can always write data to |
9844 |
the tty. This isn't nice because the code then blocks until we've |
9845 |
received a complete line of data and it is effectively polling the |
9846 |
keyboard at 1s intervals: however it's quite a bit better than not |
9847 |
working at all :-) A dedicated Windows application might handle this |
9848 |
with an event loop for example. |
9849 |
[Steve Henson] |
9850 |
|
9851 |
*) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign |
9852 |
and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions |
9853 |
will be called when RSA_sign() and RSA_verify() are used. This is useful |
9854 |
if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. |
9855 |
For this to work properly RSA_public_decrypt() and RSA_private_encrypt() |
9856 |
should *not* be used: RSA_sign() and RSA_verify() must be used instead. |
9857 |
This necessitated the support of an extra signature type NID_md5_sha1 |
9858 |
for SSL signatures and modifications to the SSL library to use it instead |
9859 |
of calling RSA_public_decrypt() and RSA_private_encrypt(). |
9860 |
[Steve Henson] |
9861 |
|
9862 |
*) Add new -verify -CAfile and -CApath options to the crl program, these |
9863 |
will lookup a CRL issuers certificate and verify the signature in a |
9864 |
similar way to the verify program. Tidy up the crl program so it |
9865 |
no longer accesses structures directly. Make the ASN1 CRL parsing a bit |
9866 |
less strict. It will now permit CRL extensions even if it is not |
9867 |
a V2 CRL: this will allow it to tolerate some broken CRLs. |
9868 |
[Steve Henson] |
9869 |
|
9870 |
*) Initialize all non-automatic variables each time one of the openssl |
9871 |
sub-programs is started (this is necessary as they may be started |
9872 |
multiple times from the "OpenSSL>" prompt). |
9873 |
[Lennart Bang, Bodo Moeller] |
9874 |
|
9875 |
*) Preliminary compilation option RSA_NULL which disables RSA crypto without |
9876 |
removing all other RSA functionality (this is what NO_RSA does). This |
9877 |
is so (for example) those in the US can disable those operations covered |
9878 |
by the RSA patent while allowing storage and parsing of RSA keys and RSA |
9879 |
key generation. |
9880 |
[Steve Henson] |
9881 |
|
9882 |
*) Non-copying interface to BIO pairs. |
9883 |
(still largely untested) |
9884 |
[Bodo Moeller] |
9885 |
|
9886 |
*) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive |
9887 |
ASCII string. This was handled independently in various places before. |
9888 |
[Steve Henson] |
9889 |
|
9890 |
*) New functions UTF8_getc() and UTF8_putc() that parse and generate |
9891 |
UTF8 strings a character at a time. |
9892 |
[Steve Henson] |
9893 |
|
9894 |
*) Use client_version from client hello to select the protocol |
9895 |
(s23_srvr.c) and for RSA client key exchange verification |
9896 |
(s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. |
9897 |
[Bodo Moeller] |
9898 |
|
9899 |
*) Add various utility functions to handle SPKACs, these were previously |
9900 |
handled by poking round in the structure internals. Added new function |
9901 |
NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to |
9902 |
print, verify and generate SPKACs. Based on an original idea from |
9903 |
Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. |
9904 |
[Steve Henson] |
9905 |
|
9906 |
*) RIPEMD160 is operational on all platforms and is back in 'make test'. |
9907 |
[Andy Polyakov] |
9908 |
|
9909 |
*) Allow the config file extension section to be overwritten on the |
9910 |
command line. Based on an original idea from Massimiliano Pala |
9911 |
<madwolf@comune.modena.it>. The new option is called -extensions |
9912 |
and can be applied to ca, req and x509. Also -reqexts to override |
9913 |
the request extensions in req and -crlexts to override the crl extensions |
9914 |
in ca. |
9915 |
[Steve Henson] |
9916 |
|
9917 |
*) Add new feature to the SPKAC handling in ca. Now you can include |
9918 |
the same field multiple times by preceding it by "XXXX." for example: |
9919 |
1.OU="Unit name 1" |
9920 |
2.OU="Unit name 2" |
9921 |
this is the same syntax as used in the req config file. |
9922 |
[Steve Henson] |
9923 |
|
9924 |
*) Allow certificate extensions to be added to certificate requests. These |
9925 |
are specified in a 'req_extensions' option of the req section of the |
9926 |
config file. They can be printed out with the -text option to req but |
9927 |
are otherwise ignored at present. |
9928 |
[Steve Henson] |
9929 |
|
9930 |
*) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first |
9931 |
data read consists of only the final block it would not decrypted because |
9932 |
EVP_CipherUpdate() would correctly report zero bytes had been decrypted. |
9933 |
A misplaced 'break' also meant the decrypted final block might not be |
9934 |
copied until the next read. |
9935 |
[Steve Henson] |
9936 |
|
9937 |
*) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added |
9938 |
a few extra parameters to the DH structure: these will be useful if |
9939 |
for example we want the value of 'q' or implement X9.42 DH. |
9940 |
[Steve Henson] |
9941 |
|
9942 |
*) Initial support for DSA_METHOD. This is based on the RSA_METHOD and |
9943 |
provides hooks that allow the default DSA functions or functions on a |
9944 |
"per key" basis to be replaced. This allows hardware acceleration and |
9945 |
hardware key storage to be handled without major modification to the |
9946 |
library. Also added low level modexp hooks and CRYPTO_EX structure and |
9947 |
associated functions. |
9948 |
[Steve Henson] |
9949 |
|
9950 |
*) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO |
9951 |
as "read only": it can't be written to and the buffer it points to will |
9952 |
not be freed. Reading from a read only BIO is much more efficient than |
9953 |
a normal memory BIO. This was added because there are several times when |
9954 |
an area of memory needs to be read from a BIO. The previous method was |
9955 |
to create a memory BIO and write the data to it, this results in two |
9956 |
copies of the data and an O(n^2) reading algorithm. There is a new |
9957 |
function BIO_new_mem_buf() which creates a read only memory BIO from |
9958 |
an area of memory. Also modified the PKCS#7 routines to use read only |
9959 |
memory BIOs. |
9960 |
[Steve Henson] |
9961 |
|
9962 |
*) Bugfix: ssl23_get_client_hello did not work properly when called in |
9963 |
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of |
9964 |
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, |
9965 |
but a retry condition occured while trying to read the rest. |
9966 |
[Bodo Moeller] |
9967 |
|
9968 |
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as |
9969 |
NID_pkcs7_encrypted by default: this was wrong since this should almost |
9970 |
always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle |
9971 |
the encrypted data type: this is a more sensible place to put it and it |
9972 |
allows the PKCS#12 code to be tidied up that duplicated this |
9973 |
functionality. |
9974 |
[Steve Henson] |
9975 |
|
9976 |
*) Changed obj_dat.pl script so it takes its input and output files on |
9977 |
the command line. This should avoid shell escape redirection problems |
9978 |
under Win32. |
9979 |
[Steve Henson] |
9980 |
|
9981 |
*) Initial support for certificate extension requests, these are included |
9982 |
in things like Xenroll certificate requests. Included functions to allow |
9983 |
extensions to be obtained and added. |
9984 |
[Steve Henson] |
9985 |
|
9986 |
*) -crlf option to s_client and s_server for sending newlines as |
9987 |
CRLF (as required by many protocols). |
9988 |
[Bodo Moeller] |
9989 |
|
9990 |
Changes between 0.9.3a and 0.9.4 [09 Aug 1999] |
9991 |
|
9992 |
*) Install libRSAglue.a when OpenSSL is built with RSAref. |
9993 |
[Ralf S. Engelschall] |
9994 |
|
9995 |
*) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. |
9996 |
[Andrija Antonijevic <TheAntony2@bigfoot.com>] |
9997 |
|
9998 |
*) Fix -startdate and -enddate (which was missing) arguments to 'ca' |
9999 |
program. |
10000 |
[Steve Henson] |
10001 |
|
10002 |
*) New function DSA_dup_DH, which duplicates DSA parameters/keys as |
10003 |
DH parameters/keys (q is lost during that conversion, but the resulting |
10004 |
DH parameters contain its length). |
10005 |
|
10006 |
For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is |
10007 |
much faster than DH_generate_parameters (which creates parameters |
10008 |
where p = 2*q + 1), and also the smaller q makes DH computations |
10009 |
much more efficient (160-bit exponentiation instead of 1024-bit |
10010 |
exponentiation); so this provides a convenient way to support DHE |
10011 |
ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of |
10012 |
utter importance to use |
10013 |
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
10014 |
or |
10015 |
SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
10016 |
when such DH parameters are used, because otherwise small subgroup |
10017 |
attacks may become possible! |
10018 |
[Bodo Moeller] |
10019 |
|
10020 |
*) Avoid memory leak in i2d_DHparams. |
10021 |
[Bodo Moeller] |
10022 |
|
10023 |
*) Allow the -k option to be used more than once in the enc program: |
10024 |
this allows the same encrypted message to be read by multiple recipients. |
10025 |
[Steve Henson] |
10026 |
|
10027 |
*) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts |
10028 |
an ASN1_OBJECT to a text string. If the "no_name" parameter is set then |
10029 |
it will always use the numerical form of the OID, even if it has a short |
10030 |
or long name. |
10031 |
[Steve Henson] |
10032 |
|
10033 |
*) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp |
10034 |
method only got called if p,q,dmp1,dmq1,iqmp components were present, |
10035 |
otherwise bn_mod_exp was called. In the case of hardware keys for example |
10036 |
no private key components need be present and it might store extra data |
10037 |
in the RSA structure, which cannot be accessed from bn_mod_exp. |
10038 |
By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for |
10039 |
private key operations. |
10040 |
[Steve Henson] |
10041 |
|
10042 |
*) Added support for SPARC Linux. |
10043 |
[Andy Polyakov] |
10044 |
|
10045 |
*) pem_password_cb function type incompatibly changed from |
10046 |
typedef int pem_password_cb(char *buf, int size, int rwflag); |
10047 |
to |
10048 |
....(char *buf, int size, int rwflag, void *userdata); |
10049 |
so that applications can pass data to their callbacks: |
10050 |
The PEM[_ASN1]_{read,write}... functions and macros now take an |
10051 |
additional void * argument, which is just handed through whenever |
10052 |
the password callback is called. |
10053 |
[Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller] |
10054 |
|
10055 |
New function SSL_CTX_set_default_passwd_cb_userdata. |
10056 |
|
10057 |
Compatibility note: As many C implementations push function arguments |
10058 |
onto the stack in reverse order, the new library version is likely to |
10059 |
interoperate with programs that have been compiled with the old |
10060 |
pem_password_cb definition (PEM_whatever takes some data that |
10061 |
happens to be on the stack as its last argument, and the callback |
10062 |
just ignores this garbage); but there is no guarantee whatsoever that |
10063 |
this will work. |
10064 |
|
10065 |
*) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... |
10066 |
(both in crypto/Makefile.ssl for use by crypto/cversion.c) caused |
10067 |
problems not only on Windows, but also on some Unix platforms. |
10068 |
To avoid problematic command lines, these definitions are now in an |
10069 |
auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl |
10070 |
for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). |
10071 |
[Bodo Moeller] |
10072 |
|
10073 |
*) MIPS III/IV assembler module is reimplemented. |
10074 |
[Andy Polyakov] |
10075 |
|
10076 |
*) More DES library cleanups: remove references to srand/rand and |
10077 |
delete an unused file. |
10078 |
[Ulf Möller] |
10079 |
|
10080 |
*) Add support for the the free Netwide assembler (NASM) under Win32, |
10081 |
since not many people have MASM (ml) and it can be hard to obtain. |
10082 |
This is currently experimental but it seems to work OK and pass all |
10083 |
the tests. Check out INSTALL.W32 for info. |
10084 |
[Steve Henson] |
10085 |
|
10086 |
*) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections |
10087 |
without temporary keys kept an extra copy of the server key, |
10088 |
and connections with temporary keys did not free everything in case |
10089 |
of an error. |
10090 |
[Bodo Moeller] |
10091 |
|
10092 |
*) New function RSA_check_key and new openssl rsa option -check |
10093 |
for verifying the consistency of RSA keys. |
10094 |
[Ulf Moeller, Bodo Moeller] |
10095 |
|
10096 |
*) Various changes to make Win32 compile work: |
10097 |
1. Casts to avoid "loss of data" warnings in p5_crpt2.c |
10098 |
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned |
10099 |
comparison" warnings. |
10100 |
3. Add sk_<TYPE>_sort to DEF file generator and do make update. |
10101 |
[Steve Henson] |
10102 |
|
10103 |
*) Add a debugging option to PKCS#5 v2 key generation function: when |
10104 |
you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and |
10105 |
derived keys are printed to stderr. |
10106 |
[Steve Henson] |
10107 |
|
10108 |
*) Copy the flags in ASN1_STRING_dup(). |
10109 |
[Roman E. Pavlov <pre@mo.msk.ru>] |
10110 |
|
10111 |
*) The x509 application mishandled signing requests containing DSA |
10112 |
keys when the signing key was also DSA and the parameters didn't match. |
10113 |
|
10114 |
It was supposed to omit the parameters when they matched the signing key: |
10115 |
the verifying software was then supposed to automatically use the CA's |
10116 |
parameters if they were absent from the end user certificate. |
10117 |
|
10118 |
Omitting parameters is no longer recommended. The test was also |
10119 |
the wrong way round! This was probably due to unusual behaviour in |
10120 |
EVP_cmp_parameters() which returns 1 if the parameters match. |
10121 |
This meant that parameters were omitted when they *didn't* match and |
10122 |
the certificate was useless. Certificates signed with 'ca' didn't have |
10123 |
this bug. |
10124 |
[Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] |
10125 |
|
10126 |
*) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. |
10127 |
The interface is as follows: |
10128 |
Applications can use |
10129 |
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), |
10130 |
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); |
10131 |
"off" is now the default. |
10132 |
The library internally uses |
10133 |
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), |
10134 |
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() |
10135 |
to disable memory-checking temporarily. |
10136 |
|
10137 |
Some inconsistent states that previously were possible (and were |
10138 |
even the default) are now avoided. |
10139 |
|
10140 |
-DCRYPTO_MDEBUG_TIME is new and additionally stores the current time |
10141 |
with each memory chunk allocated; this is occasionally more helpful |
10142 |
than just having a counter. |
10143 |
|
10144 |
-DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. |
10145 |
|
10146 |
-DCRYPTO_MDEBUG_ALL enables all of the above, plus any future |
10147 |
extensions. |
10148 |
[Bodo Moeller] |
10149 |
|
10150 |
*) Introduce "mode" for SSL structures (with defaults in SSL_CTX), |
10151 |
which largely parallels "options", but is for changing API behaviour, |
10152 |
whereas "options" are about protocol behaviour. |
10153 |
Initial "mode" flags are: |
10154 |
|
10155 |
SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when |
10156 |
a single record has been written. |
10157 |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write |
10158 |
retries use the same buffer location. |
10159 |
(But all of the contents must be |
10160 |
copied!) |
10161 |
[Bodo Moeller] |
10162 |
|
10163 |
*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options |
10164 |
worked. |
10165 |
|
10166 |
*) Fix problems with no-hmac etc. |
10167 |
[Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>] |
10168 |
|
10169 |
*) New functions RSA_get_default_method(), RSA_set_method() and |
10170 |
RSA_get_method(). These allows replacement of RSA_METHODs without having |
10171 |
to mess around with the internals of an RSA structure. |
10172 |
[Steve Henson] |
10173 |
|
10174 |
*) Fix memory leaks in DSA_do_sign and DSA_is_prime. |
10175 |
Also really enable memory leak checks in openssl.c and in some |
10176 |
test programs. |
10177 |
[Chad C. Mulligan, Bodo Moeller] |
10178 |
|
10179 |
*) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess |
10180 |
up the length of negative integers. This has now been simplified to just |
10181 |
store the length when it is first determined and use it later, rather |
10182 |
than trying to keep track of where data is copied and updating it to |
10183 |
point to the end. |
10184 |
[Steve Henson, reported by Brien Wheeler |
10185 |
<bwheeler@authentica-security.com>] |
10186 |
|
10187 |
*) Add a new function PKCS7_signatureVerify. This allows the verification |
10188 |
of a PKCS#7 signature but with the signing certificate passed to the |
10189 |
function itself. This contrasts with PKCS7_dataVerify which assumes the |
10190 |
certificate is present in the PKCS#7 structure. This isn't always the |
10191 |
case: certificates can be omitted from a PKCS#7 structure and be |
10192 |
distributed by "out of band" means (such as a certificate database). |
10193 |
[Steve Henson] |
10194 |
|
10195 |
*) Complete the PEM_* macros with DECLARE_PEM versions to replace the |
10196 |
function prototypes in pem.h, also change util/mkdef.pl to add the |
10197 |
necessary function names. |
10198 |
[Steve Henson] |
10199 |
|
10200 |
*) mk1mf.pl (used by Windows builds) did not properly read the |
10201 |
options set by Configure in the top level Makefile, and Configure |
10202 |
was not even able to write more than one option correctly. |
10203 |
Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. |
10204 |
[Bodo Moeller] |
10205 |
|
10206 |
*) New functions CONF_load_bio() and CONF_load_fp() to allow a config |
10207 |
file to be loaded from a BIO or FILE pointer. The BIO version will |
10208 |
for example allow memory BIOs to contain config info. |
10209 |
[Steve Henson] |
10210 |
|
10211 |
*) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS. |
10212 |
Whoever hopes to achieve shared-library compatibility across versions |
10213 |
must use this, not the compile-time macro. |
10214 |
(Exercise 0.9.4: Which is the minimum library version required by |
10215 |
such programs?) |
10216 |
Note: All this applies only to multi-threaded programs, others don't |
10217 |
need locks. |
10218 |
[Bodo Moeller] |
10219 |
|
10220 |
*) Add missing case to s3_clnt.c state machine -- one of the new SSL tests |
10221 |
through a BIO pair triggered the default case, i.e. |
10222 |
SSLerr(...,SSL_R_UNKNOWN_STATE). |
10223 |
[Bodo Moeller] |
10224 |
|
10225 |
*) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications |
10226 |
can use the SSL library even if none of the specific BIOs is |
10227 |
appropriate. |
10228 |
[Bodo Moeller] |
10229 |
|
10230 |
*) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value |
10231 |
for the encoded length. |
10232 |
[Jeon KyoungHo <khjeon@sds.samsung.co.kr>] |
10233 |
|
10234 |
*) Add initial documentation of the X509V3 functions. |
10235 |
[Steve Henson] |
10236 |
|
10237 |
*) Add a new pair of functions PEM_write_PKCS8PrivateKey() and |
10238 |
PEM_write_bio_PKCS8PrivateKey() that are equivalent to |
10239 |
PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more |
10240 |
secure PKCS#8 private key format with a high iteration count. |
10241 |
[Steve Henson] |
10242 |
|
10243 |
*) Fix determination of Perl interpreter: A perl or perl5 |
10244 |
_directory_ in $PATH was also accepted as the interpreter. |
10245 |
[Ralf S. Engelschall] |
10246 |
|
10247 |
*) Fix demos/sign/sign.c: well there wasn't anything strictly speaking |
10248 |
wrong with it but it was very old and did things like calling |
10249 |
PEM_ASN1_read() directly and used MD5 for the hash not to mention some |
10250 |
unusual formatting. |
10251 |
[Steve Henson] |
10252 |
|
10253 |
*) Fix demos/selfsign.c: it used obsolete and deleted functions, changed |
10254 |
to use the new extension code. |
10255 |
[Steve Henson] |
10256 |
|
10257 |
*) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c |
10258 |
with macros. This should make it easier to change their form, add extra |
10259 |
arguments etc. Fix a few PEM prototypes which didn't have cipher as a |
10260 |
constant. |
10261 |
[Steve Henson] |
10262 |
|
10263 |
*) Add to configuration table a new entry that can specify an alternative |
10264 |
name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, |
10265 |
according to Mark Crispin <MRC@Panda.COM>. |
10266 |
[Bodo Moeller] |
10267 |
|
10268 |
#if 0 |
10269 |
*) DES CBC did not update the IV. Weird. |
10270 |
[Ben Laurie] |
10271 |
#else |
10272 |
des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. |
10273 |
Changing the behaviour of the former might break existing programs -- |
10274 |
where IV updating is needed, des_ncbc_encrypt can be used. |
10275 |
#endif |
10276 |
|
10277 |
*) When bntest is run from "make test" it drives bc to check its |
10278 |
calculations, as well as internally checking them. If an internal check |
10279 |
fails, it needs to cause bc to give a non-zero result or make test carries |
10280 |
on without noticing the failure. Fixed. |
10281 |
[Ben Laurie] |
10282 |
|
10283 |
*) DES library cleanups. |
10284 |
[Ulf Möller] |
10285 |
|
10286 |
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be |
10287 |
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit |
10288 |
ciphers. NOTE: although the key derivation function has been verified |
10289 |
against some published test vectors it has not been extensively tested |
10290 |
yet. Added a -v2 "cipher" option to pkcs8 application to allow the use |
10291 |
of v2.0. |
10292 |
[Steve Henson] |
10293 |
|
10294 |
*) Instead of "mkdir -p", which is not fully portable, use new |
10295 |
Perl script "util/mkdir-p.pl". |
10296 |
[Bodo Moeller] |
10297 |
|
10298 |
*) Rewrite the way password based encryption (PBE) is handled. It used to |
10299 |
assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter |
10300 |
structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms |
10301 |
but doesn't apply to PKCS#5 v2.0 where it can be something else. Now |
10302 |
the 'parameter' field of the AlgorithmIdentifier is passed to the |
10303 |
underlying key generation function so it must do its own ASN1 parsing. |
10304 |
This has also changed the EVP_PBE_CipherInit() function which now has a |
10305 |
'parameter' argument instead of literal salt and iteration count values |
10306 |
and the function EVP_PBE_ALGOR_CipherInit() has been deleted. |
10307 |
[Steve Henson] |
10308 |
|
10309 |
*) Support for PKCS#5 v1.5 compatible password based encryption algorithms |
10310 |
and PKCS#8 functionality. New 'pkcs8' application linked to openssl. |
10311 |
Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE |
10312 |
KEY" because this clashed with PKCS#8 unencrypted string. Since this |
10313 |
value was just used as a "magic string" and not used directly its |
10314 |
value doesn't matter. |
10315 |
[Steve Henson] |
10316 |
|
10317 |
*) Introduce some semblance of const correctness to BN. Shame C doesn't |
10318 |
support mutable. |
10319 |
[Ben Laurie] |
10320 |
|
10321 |
*) "linux-sparc64" configuration (ultrapenguin). |
10322 |
[Ray Miller <ray.miller@oucs.ox.ac.uk>] |
10323 |
"linux-sparc" configuration. |
10324 |
[Christian Forster <fo@hawo.stw.uni-erlangen.de>] |
10325 |
|
10326 |
*) config now generates no-xxx options for missing ciphers. |
10327 |
[Ulf Möller] |
10328 |
|
10329 |
*) Support the EBCDIC character set (work in progress). |
10330 |
File ebcdic.c not yet included because it has a different license. |
10331 |
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
10332 |
|
10333 |
*) Support BS2000/OSD-POSIX. |
10334 |
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] |
10335 |
|
10336 |
*) Make callbacks for key generation use void * instead of char *. |
10337 |
[Ben Laurie] |
10338 |
|
10339 |
*) Make S/MIME samples compile (not yet tested). |
10340 |
[Ben Laurie] |
10341 |
|
10342 |
*) Additional typesafe stacks. |
10343 |
[Ben Laurie] |
10344 |
|
10345 |
*) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). |
10346 |
[Bodo Moeller] |
10347 |
|
10348 |
|
10349 |
Changes between 0.9.3 and 0.9.3a [29 May 1999] |
10350 |
|
10351 |
*) New configuration variant "sco5-gcc". |
10352 |
|
10353 |
*) Updated some demos. |
10354 |
[Sean O Riordain, Wade Scholine] |
10355 |
|
10356 |
*) Add missing BIO_free at exit of pkcs12 application. |
10357 |
[Wu Zhigang] |
10358 |
|
10359 |
*) Fix memory leak in conf.c. |
10360 |
[Steve Henson] |
10361 |
|
10362 |
*) Updates for Win32 to assembler version of MD5. |
10363 |
[Steve Henson] |
10364 |
|
10365 |
*) Set #! path to perl in apps/der_chop to where we found it |
10366 |
instead of using a fixed path. |
10367 |
[Bodo Moeller] |
10368 |
|
10369 |
*) SHA library changes for irix64-mips4-cc. |
10370 |
[Andy Polyakov] |
10371 |
|
10372 |
*) Improvements for VMS support. |
10373 |
[Richard Levitte] |
10374 |
|
10375 |
|
10376 |
Changes between 0.9.2b and 0.9.3 [24 May 1999] |
10377 |
|
10378 |
*) Bignum library bug fix. IRIX 6 passes "make test" now! |
10379 |
This also avoids the problems with SC4.2 and unpatched SC5. |
10380 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10381 |
|
10382 |
*) New functions sk_num, sk_value and sk_set to replace the previous macros. |
10383 |
These are required because of the typesafe stack would otherwise break |
10384 |
existing code. If old code used a structure member which used to be STACK |
10385 |
and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with |
10386 |
sk_num or sk_value it would produce an error because the num, data members |
10387 |
are not present in STACK_OF. Now it just produces a warning. sk_set |
10388 |
replaces the old method of assigning a value to sk_value |
10389 |
(e.g. sk_value(x, i) = y) which the library used in a few cases. Any code |
10390 |
that does this will no longer work (and should use sk_set instead) but |
10391 |
this could be regarded as a "questionable" behaviour anyway. |
10392 |
[Steve Henson] |
10393 |
|
10394 |
*) Fix most of the other PKCS#7 bugs. The "experimental" code can now |
10395 |
correctly handle encrypted S/MIME data. |
10396 |
[Steve Henson] |
10397 |
|
10398 |
*) Change type of various DES function arguments from des_cblock |
10399 |
(which means, in function argument declarations, pointer to char) |
10400 |
to des_cblock * (meaning pointer to array with 8 char elements), |
10401 |
which allows the compiler to do more typechecking; it was like |
10402 |
that back in SSLeay, but with lots of ugly casts. |
10403 |
|
10404 |
Introduce new type const_des_cblock. |
10405 |
[Bodo Moeller] |
10406 |
|
10407 |
*) Reorganise the PKCS#7 library and get rid of some of the more obvious |
10408 |
problems: find RecipientInfo structure that matches recipient certificate |
10409 |
and initialise the ASN1 structures properly based on passed cipher. |
10410 |
[Steve Henson] |
10411 |
|
10412 |
*) Belatedly make the BN tests actually check the results. |
10413 |
[Ben Laurie] |
10414 |
|
10415 |
*) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion |
10416 |
to and from BNs: it was completely broken. New compilation option |
10417 |
NEG_PUBKEY_BUG to allow for some broken certificates that encode public |
10418 |
key elements as negative integers. |
10419 |
[Steve Henson] |
10420 |
|
10421 |
*) Reorganize and speed up MD5. |
10422 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10423 |
|
10424 |
*) VMS support. |
10425 |
[Richard Levitte <richard@levitte.org>] |
10426 |
|
10427 |
*) New option -out to asn1parse to allow the parsed structure to be |
10428 |
output to a file. This is most useful when combined with the -strparse |
10429 |
option to examine the output of things like OCTET STRINGS. |
10430 |
[Steve Henson] |
10431 |
|
10432 |
*) Make SSL library a little more fool-proof by not requiring any longer |
10433 |
that SSL_set_{accept,connect}_state be called before |
10434 |
SSL_{accept,connect} may be used (SSL_set_..._state is omitted |
10435 |
in many applications because usually everything *appeared* to work as |
10436 |
intended anyway -- now it really works as intended). |
10437 |
[Bodo Moeller] |
10438 |
|
10439 |
*) Move openssl.cnf out of lib/. |
10440 |
[Ulf Möller] |
10441 |
|
10442 |
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall |
10443 |
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes |
10444 |
-Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ |
10445 |
[Ralf S. Engelschall] |
10446 |
|
10447 |
*) Various fixes to the EVP and PKCS#7 code. It may now be able to |
10448 |
handle PKCS#7 enveloped data properly. |
10449 |
[Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve] |
10450 |
|
10451 |
*) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of |
10452 |
copying pointers. The cert_st handling is changed by this in |
10453 |
various ways (and thus what used to be known as ctx->default_cert |
10454 |
is now called ctx->cert, since we don't resort to s->ctx->[default_]cert |
10455 |
any longer when s->cert does not give us what we need). |
10456 |
ssl_cert_instantiate becomes obsolete by this change. |
10457 |
As soon as we've got the new code right (possibly it already is?), |
10458 |
we have solved a couple of bugs of the earlier code where s->cert |
10459 |
was used as if it could not have been shared with other SSL structures. |
10460 |
|
10461 |
Note that using the SSL API in certain dirty ways now will result |
10462 |
in different behaviour than observed with earlier library versions: |
10463 |
Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) |
10464 |
does not influence s as it used to. |
10465 |
|
10466 |
In order to clean up things more thoroughly, inside SSL_SESSION |
10467 |
we don't use CERT any longer, but a new structure SESS_CERT |
10468 |
that holds per-session data (if available); currently, this is |
10469 |
the peer's certificate chain and, for clients, the server's certificate |
10470 |
and temporary key. CERT holds only those values that can have |
10471 |
meaningful defaults in an SSL_CTX. |
10472 |
[Bodo Moeller] |
10473 |
|
10474 |
*) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure |
10475 |
from the internal representation. Various PKCS#7 fixes: remove some |
10476 |
evil casts and set the enc_dig_alg field properly based on the signing |
10477 |
key type. |
10478 |
[Steve Henson] |
10479 |
|
10480 |
*) Allow PKCS#12 password to be set from the command line or the |
10481 |
environment. Let 'ca' get its config file name from the environment |
10482 |
variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' |
10483 |
and 'x509'). |
10484 |
[Steve Henson] |
10485 |
|
10486 |
*) Allow certificate policies extension to use an IA5STRING for the |
10487 |
organization field. This is contrary to the PKIX definition but |
10488 |
VeriSign uses it and IE5 only recognises this form. Document 'x509' |
10489 |
extension option. |
10490 |
[Steve Henson] |
10491 |
|
10492 |
*) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, |
10493 |
without disallowing inline assembler and the like for non-pedantic builds. |
10494 |
[Ben Laurie] |
10495 |
|
10496 |
*) Support Borland C++ builder. |
10497 |
[Janez Jere <jj@void.si>, modified by Ulf Möller] |
10498 |
|
10499 |
*) Support Mingw32. |
10500 |
[Ulf Möller] |
10501 |
|
10502 |
*) SHA-1 cleanups and performance enhancements. |
10503 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10504 |
|
10505 |
*) Sparc v8plus assembler for the bignum library. |
10506 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10507 |
|
10508 |
*) Accept any -xxx and +xxx compiler options in Configure. |
10509 |
[Ulf Möller] |
10510 |
|
10511 |
*) Update HPUX configuration. |
10512 |
[Anonymous] |
10513 |
|
10514 |
*) Add missing sk_<type>_unshift() function to safestack.h |
10515 |
[Ralf S. Engelschall] |
10516 |
|
10517 |
*) New function SSL_CTX_use_certificate_chain_file that sets the |
10518 |
"extra_cert"s in addition to the certificate. (This makes sense |
10519 |
only for "PEM" format files, as chains as a whole are not |
10520 |
DER-encoded.) |
10521 |
[Bodo Moeller] |
10522 |
|
10523 |
*) Support verify_depth from the SSL API. |
10524 |
x509_vfy.c had what can be considered an off-by-one-error: |
10525 |
Its depth (which was not part of the external interface) |
10526 |
was actually counting the number of certificates in a chain; |
10527 |
now it really counts the depth. |
10528 |
[Bodo Moeller] |
10529 |
|
10530 |
*) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used |
10531 |
instead of X509err, which often resulted in confusing error |
10532 |
messages since the error codes are not globally unique |
10533 |
(e.g. an alleged error in ssl3_accept when a certificate |
10534 |
didn't match the private key). |
10535 |
|
10536 |
*) New function SSL_CTX_set_session_id_context that allows to set a default |
10537 |
value (so that you don't need SSL_set_session_id_context for each |
10538 |
connection using the SSL_CTX). |
10539 |
[Bodo Moeller] |
10540 |
|
10541 |
*) OAEP decoding bug fix. |
10542 |
[Ulf Möller] |
10543 |
|
10544 |
*) Support INSTALL_PREFIX for package builders, as proposed by |
10545 |
David Harris. |
10546 |
[Bodo Moeller] |
10547 |
|
10548 |
*) New Configure options "threads" and "no-threads". For systems |
10549 |
where the proper compiler options are known (currently Solaris |
10550 |
and Linux), "threads" is the default. |
10551 |
[Bodo Moeller] |
10552 |
|
10553 |
*) New script util/mklink.pl as a faster substitute for util/mklink.sh. |
10554 |
[Bodo Moeller] |
10555 |
|
10556 |
*) Install various scripts to $(OPENSSLDIR)/misc, not to |
10557 |
$(INSTALLTOP)/bin -- they shouldn't clutter directories |
10558 |
such as /usr/local/bin. |
10559 |
[Bodo Moeller] |
10560 |
|
10561 |
*) "make linux-shared" to build shared libraries. |
10562 |
[Niels Poppe <niels@netbox.org>] |
10563 |
|
10564 |
*) New Configure option no-<cipher> (rsa, idea, rc5, ...). |
10565 |
[Ulf Möller] |
10566 |
|
10567 |
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for |
10568 |
extension adding in x509 utility. |
10569 |
[Steve Henson] |
10570 |
|
10571 |
*) Remove NOPROTO sections and error code comments. |
10572 |
[Ulf Möller] |
10573 |
|
10574 |
*) Partial rewrite of the DEF file generator to now parse the ANSI |
10575 |
prototypes. |
10576 |
[Steve Henson] |
10577 |
|
10578 |
*) New Configure options --prefix=DIR and --openssldir=DIR. |
10579 |
[Ulf Möller] |
10580 |
|
10581 |
*) Complete rewrite of the error code script(s). It is all now handled |
10582 |
by one script at the top level which handles error code gathering, |
10583 |
header rewriting and C source file generation. It should be much better |
10584 |
than the old method: it now uses a modified version of Ulf's parser to |
10585 |
read the ANSI prototypes in all header files (thus the old K&R definitions |
10586 |
aren't needed for error creation any more) and do a better job of |
10587 |
translating function codes into names. The old 'ASN1 error code imbedded |
10588 |
in a comment' is no longer necessary and it doesn't use .err files which |
10589 |
have now been deleted. Also the error code call doesn't have to appear all |
10590 |
on one line (which resulted in some large lines...). |
10591 |
[Steve Henson] |
10592 |
|
10593 |
*) Change #include filenames from <foo.h> to <openssl/foo.h>. |
10594 |
[Bodo Moeller] |
10595 |
|
10596 |
*) Change behaviour of ssl2_read when facing length-0 packets: Don't return |
10597 |
0 (which usually indicates a closed connection), but continue reading. |
10598 |
[Bodo Moeller] |
10599 |
|
10600 |
*) Fix some race conditions. |
10601 |
[Bodo Moeller] |
10602 |
|
10603 |
*) Add support for CRL distribution points extension. Add Certificate |
10604 |
Policies and CRL distribution points documentation. |
10605 |
[Steve Henson] |
10606 |
|
10607 |
*) Move the autogenerated header file parts to crypto/opensslconf.h. |
10608 |
[Ulf Möller] |
10609 |
|
10610 |
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of |
10611 |
8 of keying material. Merlin has also confirmed interop with this fix |
10612 |
between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. |
10613 |
[Merlin Hughes <merlin@baltimore.ie>] |
10614 |
|
10615 |
*) Fix lots of warnings. |
10616 |
[Richard Levitte <levitte@stacken.kth.se>] |
10617 |
|
10618 |
*) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if |
10619 |
the directory spec didn't end with a LIST_SEPARATOR_CHAR. |
10620 |
[Richard Levitte <levitte@stacken.kth.se>] |
10621 |
|
10622 |
*) Fix problems with sizeof(long) == 8. |
10623 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10624 |
|
10625 |
*) Change functions to ANSI C. |
10626 |
[Ulf Möller] |
10627 |
|
10628 |
*) Fix typos in error codes. |
10629 |
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller] |
10630 |
|
10631 |
*) Remove defunct assembler files from Configure. |
10632 |
[Ulf Möller] |
10633 |
|
10634 |
*) SPARC v8 assembler BIGNUM implementation. |
10635 |
[Andy Polyakov <appro@fy.chalmers.se>] |
10636 |
|
10637 |
*) Support for Certificate Policies extension: both print and set. |
10638 |
Various additions to support the r2i method this uses. |
10639 |
[Steve Henson] |
10640 |
|
10641 |
*) A lot of constification, and fix a bug in X509_NAME_oneline() that could |
10642 |
return a const string when you are expecting an allocated buffer. |
10643 |
[Ben Laurie] |
10644 |
|
10645 |
*) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE |
10646 |
types DirectoryString and DisplayText. |
10647 |
[Steve Henson] |
10648 |
|
10649 |
*) Add code to allow r2i extensions to access the configuration database, |
10650 |
add an LHASH database driver and add several ctx helper functions. |
10651 |
[Steve Henson] |
10652 |
|
10653 |
*) Fix an evil bug in bn_expand2() which caused various BN functions to |
10654 |
fail when they extended the size of a BIGNUM. |
10655 |
[Steve Henson] |
10656 |
|
10657 |
*) Various utility functions to handle SXNet extension. Modify mkdef.pl to |
10658 |
support typesafe stack. |
10659 |
[Steve Henson] |
10660 |
|
10661 |
*) Fix typo in SSL_[gs]et_options(). |
10662 |
[Nils Frostberg <nils@medcom.se>] |
10663 |
|
10664 |
*) Delete various functions and files that belonged to the (now obsolete) |
10665 |
old X509V3 handling code. |
10666 |
[Steve Henson] |
10667 |
|
10668 |
*) New Configure option "rsaref". |
10669 |
[Ulf Möller] |
10670 |
|
10671 |
*) Don't auto-generate pem.h. |
10672 |
[Bodo Moeller] |
10673 |
|
10674 |
*) Introduce type-safe ASN.1 SETs. |
10675 |
[Ben Laurie] |
10676 |
|
10677 |
*) Convert various additional casted stacks to type-safe STACK_OF() variants. |
10678 |
[Ben Laurie, Ralf S. Engelschall, Steve Henson] |
10679 |
|
10680 |
*) Introduce type-safe STACKs. This will almost certainly break lots of code |
10681 |
that links with OpenSSL (well at least cause lots of warnings), but fear |
10682 |
not: the conversion is trivial, and it eliminates loads of evil casts. A |
10683 |
few STACKed things have been converted already. Feel free to convert more. |
10684 |
In the fullness of time, I'll do away with the STACK type altogether. |
10685 |
[Ben Laurie] |
10686 |
|
10687 |
*) Add `openssl ca -revoke <certfile>' facility which revokes a certificate |
10688 |
specified in <certfile> by updating the entry in the index.txt file. |
10689 |
This way one no longer has to edit the index.txt file manually for |
10690 |
revoking a certificate. The -revoke option does the gory details now. |
10691 |
[Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall] |
10692 |
|
10693 |
*) Fix `openssl crl -noout -text' combination where `-noout' killed the |
10694 |
`-text' option at all and this way the `-noout -text' combination was |
10695 |
inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. |
10696 |
[Ralf S. Engelschall] |
10697 |
|
10698 |
*) Make sure a corresponding plain text error message exists for the |
10699 |
X509_V_ERR_CERT_REVOKED/23 error number which can occur when a |
10700 |
verify callback function determined that a certificate was revoked. |
10701 |
[Ralf S. Engelschall] |
10702 |
|
10703 |
*) Bugfix: In test/testenc, don't test "openssl <cipher>" for |
10704 |
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test |
10705 |
all available cipers including rc5, which was forgotten until now. |
10706 |
In order to let the testing shell script know which algorithms |
10707 |
are available, a new (up to now undocumented) command |
10708 |
"openssl list-cipher-commands" is used. |
10709 |
[Bodo Moeller] |
10710 |
|
10711 |
*) Bugfix: s_client occasionally would sleep in select() when |
10712 |
it should have checked SSL_pending() first. |
10713 |
[Bodo Moeller] |
10714 |
|
10715 |
*) New functions DSA_do_sign and DSA_do_verify to provide access to |
10716 |
the raw DSA values prior to ASN.1 encoding. |
10717 |
[Ulf Möller] |
10718 |
|
10719 |
*) Tweaks to Configure |
10720 |
[Niels Poppe <niels@netbox.org>] |
10721 |
|
10722 |
*) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, |
10723 |
yet... |
10724 |
[Steve Henson] |
10725 |
|
10726 |
*) New variables $(RANLIB) and $(PERL) in the Makefiles. |
10727 |
[Ulf Möller] |
10728 |
|
10729 |
*) New config option to avoid instructions that are illegal on the 80386. |
10730 |
The default code is faster, but requires at least a 486. |
10731 |
[Ulf Möller] |
10732 |
|
10733 |
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and |
10734 |
SSL2_SERVER_VERSION (not used at all) macros, which are now the |
10735 |
same as SSL2_VERSION anyway. |
10736 |
[Bodo Moeller] |
10737 |
|
10738 |
*) New "-showcerts" option for s_client. |
10739 |
[Bodo Moeller] |
10740 |
|
10741 |
*) Still more PKCS#12 integration. Add pkcs12 application to openssl |
10742 |
application. Various cleanups and fixes. |
10743 |
[Steve Henson] |
10744 |
|
10745 |
*) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and |
10746 |
modify error routines to work internally. Add error codes and PBE init |
10747 |
to library startup routines. |
10748 |
[Steve Henson] |
10749 |
|
10750 |
*) Further PKCS#12 integration. Added password based encryption, PKCS#8 and |
10751 |
packing functions to asn1 and evp. Changed function names and error |
10752 |
codes along the way. |
10753 |
[Steve Henson] |
10754 |
|
10755 |
*) PKCS12 integration: and so it begins... First of several patches to |
10756 |
slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 |
10757 |
objects to objects.h |
10758 |
[Steve Henson] |
10759 |
|
10760 |
*) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 |
10761 |
and display support for Thawte strong extranet extension. |
10762 |
[Steve Henson] |
10763 |
|
10764 |
*) Add LinuxPPC support. |
10765 |
[Jeff Dubrule <igor@pobox.org>] |
10766 |
|
10767 |
*) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to |
10768 |
bn_div_words in alpha.s. |
10769 |
[Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie] |
10770 |
|
10771 |
*) Make sure the RSA OAEP test is skipped under -DRSAref because |
10772 |
OAEP isn't supported when OpenSSL is built with RSAref. |
10773 |
[Ulf Moeller <ulf@fitug.de>] |
10774 |
|
10775 |
*) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h |
10776 |
so they no longer are missing under -DNOPROTO. |
10777 |
[Soren S. Jorvang <soren@t.dk>] |
10778 |
|
10779 |
|
10780 |
Changes between 0.9.1c and 0.9.2b [22 Mar 1999] |
10781 |
|
10782 |
*) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still |
10783 |
doesn't work when the session is reused. Coming soon! |
10784 |
[Ben Laurie] |
10785 |
|
10786 |
*) Fix a security hole, that allows sessions to be reused in the wrong |
10787 |
context thus bypassing client cert protection! All software that uses |
10788 |
client certs and session caches in multiple contexts NEEDS PATCHING to |
10789 |
allow session reuse! A fuller solution is in the works. |
10790 |
[Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] |
10791 |
|
10792 |
*) Some more source tree cleanups (removed obsolete files |
10793 |
crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed |
10794 |
permission on "config" script to be executable) and a fix for the INSTALL |
10795 |
document. |
10796 |
[Ulf Moeller <ulf@fitug.de>] |
10797 |
|
10798 |
*) Remove some legacy and erroneous uses of malloc, free instead of |
10799 |
Malloc, Free. |
10800 |
[Lennart Bang <lob@netstream.se>, with minor changes by Steve] |
10801 |
|
10802 |
*) Make rsa_oaep_test return non-zero on error. |
10803 |
[Ulf Moeller <ulf@fitug.de>] |
10804 |
|
10805 |
*) Add support for native Solaris shared libraries. Configure |
10806 |
solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice |
10807 |
if someone would make that last step automatic. |
10808 |
[Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>] |
10809 |
|
10810 |
*) ctx_size was not built with the right compiler during "make links". Fixed. |
10811 |
[Ben Laurie] |
10812 |
|
10813 |
*) Change the meaning of 'ALL' in the cipher list. It now means "everything |
10814 |
except NULL ciphers". This means the default cipher list will no longer |
10815 |
enable NULL ciphers. They need to be specifically enabled e.g. with |
10816 |
the string "DEFAULT:eNULL". |
10817 |
[Steve Henson] |
10818 |
|
10819 |
*) Fix to RSA private encryption routines: if p < q then it would |
10820 |
occasionally produce an invalid result. This will only happen with |
10821 |
externally generated keys because OpenSSL (and SSLeay) ensure p > q. |
10822 |
[Steve Henson] |
10823 |
|
10824 |
*) Be less restrictive and allow also `perl util/perlpath.pl |
10825 |
/path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin', |
10826 |
because this way one can also use an interpreter named `perl5' (which is |
10827 |
usually the name of Perl 5.xxx on platforms where an Perl 4.x is still |
10828 |
installed as `perl'). |
10829 |
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
10830 |
|
10831 |
*) Let util/clean-depend.pl work also with older Perl 5.00x versions. |
10832 |
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
10833 |
|
10834 |
*) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add |
10835 |
advapi32.lib to Win32 build and change the pem test comparision |
10836 |
to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the |
10837 |
suggestion). Fix misplaced ASNI prototypes and declarations in evp.h |
10838 |
and crypto/des/ede_cbcm_enc.c. |
10839 |
[Steve Henson] |
10840 |
|
10841 |
*) DES quad checksum was broken on big-endian architectures. Fixed. |
10842 |
[Ben Laurie] |
10843 |
|
10844 |
*) Comment out two functions in bio.h that aren't implemented. Fix up the |
10845 |
Win32 test batch file so it (might) work again. The Win32 test batch file |
10846 |
is horrible: I feel ill.... |
10847 |
[Steve Henson] |
10848 |
|
10849 |
*) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected |
10850 |
in e_os.h. Audit of header files to check ANSI and non ANSI |
10851 |
sections: 10 functions were absent from non ANSI section and not exported |
10852 |
from Windows DLLs. Fixed up libeay.num for new functions. |
10853 |
[Steve Henson] |
10854 |
|
10855 |
*) Make `openssl version' output lines consistent. |
10856 |
[Ralf S. Engelschall] |
10857 |
|
10858 |
*) Fix Win32 symbol export lists for BIO functions: Added |
10859 |
BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data |
10860 |
to ms/libeay{16,32}.def. |
10861 |
[Ralf S. Engelschall] |
10862 |
|
10863 |
*) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled |
10864 |
fine under Unix and passes some trivial tests I've now added. But the |
10865 |
whole stuff is horribly incomplete, so a README.1ST with a disclaimer was |
10866 |
added to make sure no one expects that this stuff really works in the |
10867 |
OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources |
10868 |
up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and |
10869 |
openssl_bio.xs. |
10870 |
[Ralf S. Engelschall] |
10871 |
|
10872 |
*) Fix the generation of two part addresses in perl. |
10873 |
[Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie] |
10874 |
|
10875 |
*) Add config entry for Linux on MIPS. |
10876 |
[John Tobey <jtobey@channel1.com>] |
10877 |
|
10878 |
*) Make links whenever Configure is run, unless we are on Windoze. |
10879 |
[Ben Laurie] |
10880 |
|
10881 |
*) Permit extensions to be added to CRLs using crl_section in openssl.cnf. |
10882 |
Currently only issuerAltName and AuthorityKeyIdentifier make any sense |
10883 |
in CRLs. |
10884 |
[Steve Henson] |
10885 |
|
10886 |
*) Add a useful kludge to allow package maintainers to specify compiler and |
10887 |
other platforms details on the command line without having to patch the |
10888 |
Configure script everytime: One now can use ``perl Configure |
10889 |
<id>:<details>'', i.e. platform ids are allowed to have details appended |
10890 |
to them (seperated by colons). This is treated as there would be a static |
10891 |
pre-configured entry in Configure's %table under key <id> with value |
10892 |
<details> and ``perl Configure <id>'' is called. So, when you want to |
10893 |
perform a quick test-compile under FreeBSD 3.1 with pgcc and without |
10894 |
assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"'' |
10895 |
now, which overrides the FreeBSD-elf entry on-the-fly. |
10896 |
[Ralf S. Engelschall] |
10897 |
|
10898 |
*) Disable new TLS1 ciphersuites by default: they aren't official yet. |
10899 |
[Ben Laurie] |
10900 |
|
10901 |
*) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified |
10902 |
on the `perl Configure ...' command line. This way one can compile |
10903 |
OpenSSL libraries with Position Independent Code (PIC) which is needed |
10904 |
for linking it into DSOs. |
10905 |
[Ralf S. Engelschall] |
10906 |
|
10907 |
*) Remarkably, export ciphers were totally broken and no-one had noticed! |
10908 |
Fixed. |
10909 |
[Ben Laurie] |
10910 |
|
10911 |
*) Cleaned up the LICENSE document: The official contact for any license |
10912 |
questions now is the OpenSSL core team under openssl-core@openssl.org. |
10913 |
And add a paragraph about the dual-license situation to make sure people |
10914 |
recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply |
10915 |
to the OpenSSL toolkit. |
10916 |
[Ralf S. Engelschall] |
10917 |
|
10918 |
*) General source tree makefile cleanups: Made `making xxx in yyy...' |
10919 |
display consistent in the source tree and replaced `/bin/rm' by `rm'. |
10920 |
Additonally cleaned up the `make links' target: Remove unnecessary |
10921 |
semicolons, subsequent redundant removes, inline point.sh into mklink.sh |
10922 |
to speed processing and no longer clutter the display with confusing |
10923 |
stuff. Instead only the actually done links are displayed. |
10924 |
[Ralf S. Engelschall] |
10925 |
|
10926 |
*) Permit null encryption ciphersuites, used for authentication only. It used |
10927 |
to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. |
10928 |
It is now necessary to set SSL_FORBID_ENULL to prevent the use of null |
10929 |
encryption. |
10930 |
[Ben Laurie] |
10931 |
|
10932 |
*) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder |
10933 |
signed attributes when verifying signatures (this would break them), |
10934 |
the detached data encoding was wrong and public keys obtained using |
10935 |
X509_get_pubkey() weren't freed. |
10936 |
[Steve Henson] |
10937 |
|
10938 |
*) Add text documentation for the BUFFER functions. Also added a work around |
10939 |
to a Win95 console bug. This was triggered by the password read stuff: the |
10940 |
last character typed gets carried over to the next fread(). If you were |
10941 |
generating a new cert request using 'req' for example then the last |
10942 |
character of the passphrase would be CR which would then enter the first |
10943 |
field as blank. |
10944 |
[Steve Henson] |
10945 |
|
10946 |
*) Added the new `Includes OpenSSL Cryptography Software' button as |
10947 |
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay |
10948 |
button and can be used by applications based on OpenSSL to show the |
10949 |
relationship to the OpenSSL project. |
10950 |
[Ralf S. Engelschall] |
10951 |
|
10952 |
*) Remove confusing variables in function signatures in files |
10953 |
ssl/ssl_lib.c and ssl/ssl.h. |
10954 |
[Lennart Bong <lob@kulthea.stacken.kth.se>] |
10955 |
|
10956 |
*) Don't install bss_file.c under PREFIX/include/ |
10957 |
[Lennart Bong <lob@kulthea.stacken.kth.se>] |
10958 |
|
10959 |
*) Get the Win32 compile working again. Modify mkdef.pl so it can handle |
10960 |
functions that return function pointers and has support for NT specific |
10961 |
stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various |
10962 |
#ifdef WIN32 and WINNTs sprinkled about the place and some changes from |
10963 |
unsigned to signed types: this was killing the Win32 compile. |
10964 |
[Steve Henson] |
10965 |
|
10966 |
*) Add new certificate file to stack functions, |
10967 |
SSL_add_dir_cert_subjects_to_stack() and |
10968 |
SSL_add_file_cert_subjects_to_stack(). These largely supplant |
10969 |
SSL_load_client_CA_file(), and can be used to add multiple certs easily |
10970 |
to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). |
10971 |
This means that Apache-SSL and similar packages don't have to mess around |
10972 |
to add as many CAs as they want to the preferred list. |
10973 |
[Ben Laurie] |
10974 |
|
10975 |
*) Experiment with doxygen documentation. Currently only partially applied to |
10976 |
ssl/ssl_lib.c. |
10977 |
See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with |
10978 |
openssl.doxy as the configuration file. |
10979 |
[Ben Laurie] |
10980 |
|
10981 |
*) Get rid of remaining C++-style comments which strict C compilers hate. |
10982 |
[Ralf S. Engelschall, pointed out by Carlos Amengual] |
10983 |
|
10984 |
*) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not |
10985 |
compiled in by default: it has problems with large keys. |
10986 |
[Steve Henson] |
10987 |
|
10988 |
*) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and |
10989 |
DH private keys and/or callback functions which directly correspond to |
10990 |
their SSL_CTX_xxx() counterparts but work on a per-connection basis. This |
10991 |
is needed for applications which have to configure certificates on a |
10992 |
per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis |
10993 |
(e.g. s_server). |
10994 |
For the RSA certificate situation is makes no difference, but |
10995 |
for the DSA certificate situation this fixes the "no shared cipher" |
10996 |
problem where the OpenSSL cipher selection procedure failed because the |
10997 |
temporary keys were not overtaken from the context and the API provided |
10998 |
no way to reconfigure them. |
10999 |
The new functions now let applications reconfigure the stuff and they |
11000 |
are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, |
11001 |
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new |
11002 |
non-public-API function ssl_cert_instantiate() is used as a helper |
11003 |
function and also to reduce code redundancy inside ssl_rsa.c. |
11004 |
[Ralf S. Engelschall] |
11005 |
|
11006 |
*) Move s_server -dcert and -dkey options out of the undocumented feature |
11007 |
area because they are useful for the DSA situation and should be |
11008 |
recognized by the users. |
11009 |
[Ralf S. Engelschall] |
11010 |
|
11011 |
*) Fix the cipher decision scheme for export ciphers: the export bits are |
11012 |
*not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within |
11013 |
SSL_EXP_MASK. So, the original variable has to be used instead of the |
11014 |
already masked variable. |
11015 |
[Richard Levitte <levitte@stacken.kth.se>] |
11016 |
|
11017 |
*) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c |
11018 |
[Richard Levitte <levitte@stacken.kth.se>] |
11019 |
|
11020 |
*) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() |
11021 |
from `int' to `unsigned int' because it's a length and initialized by |
11022 |
EVP_DigestFinal() which expects an `unsigned int *'. |
11023 |
[Richard Levitte <levitte@stacken.kth.se>] |
11024 |
|
11025 |
*) Don't hard-code path to Perl interpreter on shebang line of Configure |
11026 |
script. Instead use the usual Shell->Perl transition trick. |
11027 |
[Ralf S. Engelschall] |
11028 |
|
11029 |
*) Make `openssl x509 -noout -modulus' functional also for DSA certificates |
11030 |
(in addition to RSA certificates) to match the behaviour of `openssl dsa |
11031 |
-noout -modulus' as it's already the case for `openssl rsa -noout |
11032 |
-modulus'. For RSA the -modulus is the real "modulus" while for DSA |
11033 |
currently the public key is printed (a decision which was already done by |
11034 |
`openssl dsa -modulus' in the past) which serves a similar purpose. |
11035 |
Additionally the NO_RSA no longer completely removes the whole -modulus |
11036 |
option; it now only avoids using the RSA stuff. Same applies to NO_DSA |
11037 |
now, too. |
11038 |
[Ralf S. Engelschall] |
11039 |
|
11040 |
*) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested |
11041 |
BIO. See the source (crypto/evp/bio_ok.c) for more info. |
11042 |
[Arne Ansper <arne@ats.cyber.ee>] |
11043 |
|
11044 |
*) Dump the old yucky req code that tried (and failed) to allow raw OIDs |
11045 |
to be added. Now both 'req' and 'ca' can use new objects defined in the |
11046 |
config file. |
11047 |
[Steve Henson] |
11048 |
|
11049 |
*) Add cool BIO that does syslog (or event log on NT). |
11050 |
[Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie] |
11051 |
|
11052 |
*) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, |
11053 |
TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and |
11054 |
TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher |
11055 |
Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. |
11056 |
[Ben Laurie] |
11057 |
|
11058 |
*) Add preliminary config info for new extension code. |
11059 |
[Steve Henson] |
11060 |
|
11061 |
*) Make RSA_NO_PADDING really use no padding. |
11062 |
[Ulf Moeller <ulf@fitug.de>] |
11063 |
|
11064 |
*) Generate errors when private/public key check is done. |
11065 |
[Ben Laurie] |
11066 |
|
11067 |
*) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support |
11068 |
for some CRL extensions and new objects added. |
11069 |
[Steve Henson] |
11070 |
|
11071 |
*) Really fix the ASN1 IMPLICIT bug this time... Partial support for private |
11072 |
key usage extension and fuller support for authority key id. |
11073 |
[Steve Henson] |
11074 |
|
11075 |
*) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved |
11076 |
padding method for RSA, which is recommended for new applications in PKCS |
11077 |
#1 v2.0 (RFC 2437, October 1998). |
11078 |
OAEP (Optimal Asymmetric Encryption Padding) has better theoretical |
11079 |
foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure |
11080 |
against Bleichbacher's attack on RSA. |
11081 |
[Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by |
11082 |
Ben Laurie] |
11083 |
|
11084 |
*) Updates to the new SSL compression code |
11085 |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
11086 |
|
11087 |
*) Fix so that the version number in the master secret, when passed |
11088 |
via RSA, checks that if TLS was proposed, but we roll back to SSLv3 |
11089 |
(because the server will not accept higher), that the version number |
11090 |
is 0x03,0x01, not 0x03,0x00 |
11091 |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
11092 |
|
11093 |
*) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory |
11094 |
leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes |
11095 |
in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c |
11096 |
[Steve Henson] |
11097 |
|
11098 |
*) Support for RAW extensions where an arbitrary extension can be |
11099 |
created by including its DER encoding. See apps/openssl.cnf for |
11100 |
an example. |
11101 |
[Steve Henson] |
11102 |
|
11103 |
*) Make sure latest Perl versions don't interpret some generated C array |
11104 |
code as Perl array code in the crypto/err/err_genc.pl script. |
11105 |
[Lars Weber <3weber@informatik.uni-hamburg.de>] |
11106 |
|
11107 |
*) Modify ms/do_ms.bat to not generate assembly language makefiles since |
11108 |
not many people have the assembler. Various Win32 compilation fixes and |
11109 |
update to the INSTALL.W32 file with (hopefully) more accurate Win32 |
11110 |
build instructions. |
11111 |
[Steve Henson] |
11112 |
|
11113 |
*) Modify configure script 'Configure' to automatically create crypto/date.h |
11114 |
file under Win32 and also build pem.h from pem.org. New script |
11115 |
util/mkfiles.pl to create the MINFO file on environments that can't do a |
11116 |
'make files': perl util/mkfiles.pl >MINFO should work. |
11117 |
[Steve Henson] |
11118 |
|
11119 |
*) Major rework of DES function declarations, in the pursuit of correctness |
11120 |
and purity. As a result, many evil casts evaporated, and some weirdness, |
11121 |
too. You may find this causes warnings in your code. Zapping your evil |
11122 |
casts will probably fix them. Mostly. |
11123 |
[Ben Laurie] |
11124 |
|
11125 |
*) Fix for a typo in asn1.h. Bug fix to object creation script |
11126 |
obj_dat.pl. It considered a zero in an object definition to mean |
11127 |
"end of object": none of the objects in objects.h have any zeros |
11128 |
so it wasn't spotted. |
11129 |
[Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>] |
11130 |
|
11131 |
*) Add support for Triple DES Cipher Block Chaining with Output Feedback |
11132 |
Masking (CBCM). In the absence of test vectors, the best I have been able |
11133 |
to do is check that the decrypt undoes the encrypt, so far. Send me test |
11134 |
vectors if you have them. |
11135 |
[Ben Laurie] |
11136 |
|
11137 |
*) Correct calculation of key length for export ciphers (too much space was |
11138 |
allocated for null ciphers). This has not been tested! |
11139 |
[Ben Laurie] |
11140 |
|
11141 |
*) Modifications to the mkdef.pl for Win32 DEF file creation. The usage |
11142 |
message is now correct (it understands "crypto" and "ssl" on its |
11143 |
command line). There is also now an "update" option. This will update |
11144 |
the util/ssleay.num and util/libeay.num files with any new functions. |
11145 |
If you do a: |
11146 |
perl util/mkdef.pl crypto ssl update |
11147 |
it will update them. |
11148 |
[Steve Henson] |
11149 |
|
11150 |
*) Overhauled the Perl interface (perl/*): |
11151 |
- ported BN stuff to OpenSSL's different BN library |
11152 |
- made the perl/ source tree CVS-aware |
11153 |
- renamed the package from SSLeay to OpenSSL (the files still contain |
11154 |
their history because I've copied them in the repository) |
11155 |
- removed obsolete files (the test scripts will be replaced |
11156 |
by better Test::Harness variants in the future) |
11157 |
[Ralf S. Engelschall] |
11158 |
|
11159 |
*) First cut for a very conservative source tree cleanup: |
11160 |
1. merge various obsolete readme texts into doc/ssleay.txt |
11161 |
where we collect the old documents and readme texts. |
11162 |
2. remove the first part of files where I'm already sure that we no |
11163 |
longer need them because of three reasons: either they are just temporary |
11164 |
files which were left by Eric or they are preserved original files where |
11165 |
I've verified that the diff is also available in the CVS via "cvs diff |
11166 |
-rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for |
11167 |
the crypto/md/ stuff). |
11168 |
[Ralf S. Engelschall] |
11169 |
|
11170 |
*) More extension code. Incomplete support for subject and issuer alt |
11171 |
name, issuer and authority key id. Change the i2v function parameters |
11172 |
and add an extra 'crl' parameter in the X509V3_CTX structure: guess |
11173 |
what that's for :-) Fix to ASN1 macro which messed up |
11174 |
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. |
11175 |
[Steve Henson] |
11176 |
|
11177 |
*) Preliminary support for ENUMERATED type. This is largely copied from the |
11178 |
INTEGER code. |
11179 |
[Steve Henson] |
11180 |
|
11181 |
*) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. |
11182 |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
11183 |
|
11184 |
*) Make sure `make rehash' target really finds the `openssl' program. |
11185 |
[Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] |
11186 |
|
11187 |
*) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd |
11188 |
like to hear about it if this slows down other processors. |
11189 |
[Ben Laurie] |
11190 |
|
11191 |
*) Add CygWin32 platform information to Configure script. |
11192 |
[Alan Batie <batie@aahz.jf.intel.com>] |
11193 |
|
11194 |
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm' |
11195 |
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>] |
11196 |
|
11197 |
*) New program nseq to manipulate netscape certificate sequences |
11198 |
[Steve Henson] |
11199 |
|
11200 |
*) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a |
11201 |
few typos. |
11202 |
[Steve Henson] |
11203 |
|
11204 |
*) Fixes to BN code. Previously the default was to define BN_RECURSION |
11205 |
but the BN code had some problems that would cause failures when |
11206 |
doing certificate verification and some other functions. |
11207 |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] |
11208 |
|
11209 |
*) Add ASN1 and PEM code to support netscape certificate sequences. |
11210 |
[Steve Henson] |
11211 |
|
11212 |
*) Add ASN1 and PEM code to support netscape certificate sequences. |
11213 |
[Steve Henson] |
11214 |
|
11215 |
*) Add several PKIX and private extended key usage OIDs. |
11216 |
[Steve Henson] |
11217 |
|
11218 |
*) Modify the 'ca' program to handle the new extension code. Modify |
11219 |
openssl.cnf for new extension format, add comments. |
11220 |
[Steve Henson] |
11221 |
|
11222 |
*) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' |
11223 |
and add a sample to openssl.cnf so req -x509 now adds appropriate |
11224 |
CA extensions. |
11225 |
[Steve Henson] |
11226 |
|
11227 |
*) Continued X509 V3 changes. Add to other makefiles, integrate with the |
11228 |
error code, add initial support to X509_print() and x509 application. |
11229 |
[Steve Henson] |
11230 |
|
11231 |
*) Takes a deep breath and start addding X509 V3 extension support code. Add |
11232 |
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this |
11233 |
stuff is currently isolated and isn't even compiled yet. |
11234 |
[Steve Henson] |
11235 |
|
11236 |
*) Continuing patches for GeneralizedTime. Fix up certificate and CRL |
11237 |
ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. |
11238 |
Removed the versions check from X509 routines when loading extensions: |
11239 |
this allows certain broken certificates that don't set the version |
11240 |
properly to be processed. |
11241 |
[Steve Henson] |
11242 |
|
11243 |
*) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another |
11244 |
Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which |
11245 |
can still be regenerated with "make depend". |
11246 |
[Ben Laurie] |
11247 |
|
11248 |
*) Spelling mistake in C version of CAST-128. |
11249 |
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>] |
11250 |
|
11251 |
*) Changes to the error generation code. The perl script err-code.pl |
11252 |
now reads in the old error codes and retains the old numbers, only |
11253 |
adding new ones if necessary. It also only changes the .err files if new |
11254 |
codes are added. The makefiles have been modified to only insert errors |
11255 |
when needed (to avoid needlessly modifying header files). This is done |
11256 |
by only inserting errors if the .err file is newer than the auto generated |
11257 |
C file. To rebuild all the error codes from scratch (the old behaviour) |
11258 |
either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl |
11259 |
or delete all the .err files. |
11260 |
[Steve Henson] |
11261 |
|
11262 |
*) CAST-128 was incorrectly implemented for short keys. The C version has |
11263 |
been fixed, but is untested. The assembler versions are also fixed, but |
11264 |
new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing |
11265 |
to regenerate it if needed. |
11266 |
[Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun |
11267 |
Hagino <itojun@kame.net>] |
11268 |
|
11269 |
*) File was opened incorrectly in randfile.c. |
11270 |
[Ulf Möller <ulf@fitug.de>] |
11271 |
|
11272 |
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print |
11273 |
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or |
11274 |
GeneralizedTime. ASN1_TIME is the proper type used in certificates et |
11275 |
al: it's just almost always a UTCTime. Note this patch adds new error |
11276 |
codes so do a "make errors" if there are problems. |
11277 |
[Steve Henson] |
11278 |
|
11279 |
*) Correct Linux 1 recognition in config. |
11280 |
[Ulf Möller <ulf@fitug.de>] |
11281 |
|
11282 |
*) Remove pointless MD5 hash when using DSA keys in ca. |
11283 |
[Anonymous <nobody@replay.com>] |
11284 |
|
11285 |
*) Generate an error if given an empty string as a cert directory. Also |
11286 |
generate an error if handed NULL (previously returned 0 to indicate an |
11287 |
error, but didn't set one). |
11288 |
[Ben Laurie, reported by Anonymous <nobody@replay.com>] |
11289 |
|
11290 |
*) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. |
11291 |
[Ben Laurie] |
11292 |
|
11293 |
*) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct |
11294 |
parameters. This was causing a warning which killed off the Win32 compile. |
11295 |
[Steve Henson] |
11296 |
|
11297 |
*) Remove C++ style comments from crypto/bn/bn_local.h. |
11298 |
[Neil Costigan <neil.costigan@celocom.com>] |
11299 |
|
11300 |
*) The function OBJ_txt2nid was broken. It was supposed to return a nid |
11301 |
based on a text string, looking up short and long names and finally |
11302 |
"dot" format. The "dot" format stuff didn't work. Added new function |
11303 |
OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote |
11304 |
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the |
11305 |
OID is not part of the table. |
11306 |
[Steve Henson] |
11307 |
|
11308 |
*) Add prototypes to X509 lookup/verify methods, fixing a bug in |
11309 |
X509_LOOKUP_by_alias(). |
11310 |
[Ben Laurie] |
11311 |
|
11312 |
*) Sort openssl functions by name. |
11313 |
[Ben Laurie] |
11314 |
|
11315 |
*) Get the gendsa program working (hopefully) and add it to app list. Remove |
11316 |
encryption from sample DSA keys (in case anyone is interested the password |
11317 |
was "1234"). |
11318 |
[Steve Henson] |
11319 |
|
11320 |
*) Make _all_ *_free functions accept a NULL pointer. |
11321 |
[Frans Heymans <fheymans@isaserver.be>] |
11322 |
|
11323 |
*) If a DH key is generated in s3_srvr.c, don't blow it by trying to use |
11324 |
NULL pointers. |
11325 |
[Anonymous <nobody@replay.com>] |
11326 |
|
11327 |
*) s_server should send the CAfile as acceptable CAs, not its own cert. |
11328 |
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] |
11329 |
|
11330 |
*) Don't blow it for numeric -newkey arguments to apps/req. |
11331 |
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] |
11332 |
|
11333 |
*) Temp key "for export" tests were wrong in s3_srvr.c. |
11334 |
[Anonymous <nobody@replay.com>] |
11335 |
|
11336 |
*) Add prototype for temp key callback functions |
11337 |
SSL_CTX_set_tmp_{rsa,dh}_callback(). |
11338 |
[Ben Laurie] |
11339 |
|
11340 |
*) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and |
11341 |
DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). |
11342 |
[Steve Henson] |
11343 |
|
11344 |
*) X509_name_add_entry() freed the wrong thing after an error. |
11345 |
[Arne Ansper <arne@ats.cyber.ee>] |
11346 |
|
11347 |
*) rsa_eay.c would attempt to free a NULL context. |
11348 |
[Arne Ansper <arne@ats.cyber.ee>] |
11349 |
|
11350 |
*) BIO_s_socket() had a broken should_retry() on Windoze. |
11351 |
[Arne Ansper <arne@ats.cyber.ee>] |
11352 |
|
11353 |
*) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. |
11354 |
[Arne Ansper <arne@ats.cyber.ee>] |
11355 |
|
11356 |
*) Make sure the already existing X509_STORE->depth variable is initialized |
11357 |
in X509_STORE_new(), but document the fact that this variable is still |
11358 |
unused in the certificate verification process. |
11359 |
[Ralf S. Engelschall] |
11360 |
|
11361 |
*) Fix the various library and apps files to free up pkeys obtained from |
11362 |
X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. |
11363 |
[Steve Henson] |
11364 |
|
11365 |
*) Fix reference counting in X509_PUBKEY_get(). This makes |
11366 |
demos/maurice/example2.c work, amongst others, probably. |
11367 |
[Steve Henson and Ben Laurie] |
11368 |
|
11369 |
*) First cut of a cleanup for apps/. First the `ssleay' program is now named |
11370 |
`openssl' and second, the shortcut symlinks for the `openssl <command>' |
11371 |
are no longer created. This way we have a single and consistent command |
11372 |
line interface `openssl <command>', similar to `cvs <command>'. |
11373 |
[Ralf S. Engelschall, Paul Sutton and Ben Laurie] |
11374 |
|
11375 |
*) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey |
11376 |
BIT STRING wrapper always have zero unused bits. |
11377 |
[Steve Henson] |
11378 |
|
11379 |
*) Add CA.pl, perl version of CA.sh, add extended key usage OID. |
11380 |
[Steve Henson] |
11381 |
|
11382 |
*) Make the top-level INSTALL documentation easier to understand. |
11383 |
[Paul Sutton] |
11384 |
|
11385 |
*) Makefiles updated to exit if an error occurs in a sub-directory |
11386 |
make (including if user presses ^C) [Paul Sutton] |
11387 |
|
11388 |
*) Make Montgomery context stuff explicit in RSA data structure. |
11389 |
[Ben Laurie] |
11390 |
|
11391 |
*) Fix build order of pem and err to allow for generated pem.h. |
11392 |
[Ben Laurie] |
11393 |
|
11394 |
*) Fix renumbering bug in X509_NAME_delete_entry(). |
11395 |
[Ben Laurie] |
11396 |
|
11397 |
*) Enhanced the err-ins.pl script so it makes the error library number |
11398 |
global and can add a library name. This is needed for external ASN1 and |
11399 |
other error libraries. |
11400 |
[Steve Henson] |
11401 |
|
11402 |
*) Fixed sk_insert which never worked properly. |
11403 |
[Steve Henson] |
11404 |
|
11405 |
*) Fix ASN1 macros so they can handle indefinite length construted |
11406 |
EXPLICIT tags. Some non standard certificates use these: they can now |
11407 |
be read in. |
11408 |
[Steve Henson] |
11409 |
|
11410 |
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) |
11411 |
into a single doc/ssleay.txt bundle. This way the information is still |
11412 |
preserved but no longer messes up this directory. Now it's new room for |
11413 |
the new set of documenation files. |
11414 |
[Ralf S. Engelschall] |
11415 |
|
11416 |
*) SETs were incorrectly DER encoded. This was a major pain, because they |
11417 |
shared code with SEQUENCEs, which aren't coded the same. This means that |
11418 |
almost everything to do with SETs or SEQUENCEs has either changed name or |
11419 |
number of arguments. |
11420 |
[Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>] |
11421 |
|
11422 |
*) Fix test data to work with the above. |
11423 |
[Ben Laurie] |
11424 |
|
11425 |
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but |
11426 |
was already fixed by Eric for 0.9.1 it seems. |
11427 |
[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>] |
11428 |
|
11429 |
*) Autodetect FreeBSD3. |
11430 |
[Ben Laurie] |
11431 |
|
11432 |
*) Fix various bugs in Configure. This affects the following platforms: |
11433 |
nextstep |
11434 |
ncr-scde |
11435 |
unixware-2.0 |
11436 |
unixware-2.0-pentium |
11437 |
sco5-cc. |
11438 |
[Ben Laurie] |
11439 |
|
11440 |
*) Eliminate generated files from CVS. Reorder tests to regenerate files |
11441 |
before they are needed. |
11442 |
[Ben Laurie] |
11443 |
|
11444 |
*) Generate Makefile.ssl from Makefile.org (to keep CVS happy). |
11445 |
[Ben Laurie] |
11446 |
|
11447 |
|
11448 |
Changes between 0.9.1b and 0.9.1c [23-Dec-1998] |
11449 |
|
11450 |
*) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and |
11451 |
changed SSLeay to OpenSSL in version strings. |
11452 |
[Ralf S. Engelschall] |
11453 |
|
11454 |
*) Some fixups to the top-level documents. |
11455 |
[Paul Sutton] |
11456 |
|
11457 |
*) Fixed the nasty bug where rsaref.h was not found under compile-time |
11458 |
because the symlink to include/ was missing. |
11459 |
[Ralf S. Engelschall] |
11460 |
|
11461 |
*) Incorporated the popular no-RSA/DSA-only patches |
11462 |
which allow to compile a RSA-free SSLeay. |
11463 |
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] |
11464 |
|
11465 |
*) Fixed nasty rehash problem under `make -f Makefile.ssl links' |
11466 |
when "ssleay" is still not found. |
11467 |
[Ralf S. Engelschall] |
11468 |
|
11469 |
*) Added more platforms to Configure: Cray T3E, HPUX 11, |
11470 |
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>] |
11471 |
|
11472 |
*) Updated the README file. |
11473 |
[Ralf S. Engelschall] |
11474 |
|
11475 |
*) Added various .cvsignore files in the CVS repository subdirs |
11476 |
to make a "cvs update" really silent. |
11477 |
[Ralf S. Engelschall] |
11478 |
|
11479 |
*) Recompiled the error-definition header files and added |
11480 |
missing symbols to the Win32 linker tables. |
11481 |
[Ralf S. Engelschall] |
11482 |
|
11483 |
*) Cleaned up the top-level documents; |
11484 |
o new files: CHANGES and LICENSE |
11485 |
o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay |
11486 |
o merged COPYRIGHT into LICENSE |
11487 |
o removed obsolete TODO file |
11488 |
o renamed MICROSOFT to INSTALL.W32 |
11489 |
[Ralf S. Engelschall] |
11490 |
|
11491 |
*) Removed dummy files from the 0.9.1b source tree: |
11492 |
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi |
11493 |
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f |
11494 |
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f |
11495 |
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f |
11496 |
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f |
11497 |
[Ralf S. Engelschall] |
11498 |
|
11499 |
*) Added various platform portability fixes. |
11500 |
[Mark J. Cox] |
11501 |
|
11502 |
*) The Genesis of the OpenSSL rpject: |
11503 |
We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. |
11504 |
Young and Tim J. Hudson created while they were working for C2Net until |
11505 |
summer 1998. |
11506 |
[The OpenSSL Project] |
11507 |
|
11508 |
|
11509 |
Changes between 0.9.0b and 0.9.1b [not released] |
11510 |
|
11511 |
*) Updated a few CA certificates under certs/ |
11512 |
[Eric A. Young] |
11513 |
|
11514 |
*) Changed some BIGNUM api stuff. |
11515 |
[Eric A. Young] |
11516 |
|
11517 |
*) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, |
11518 |
DGUX x86, Linux Alpha, etc. |
11519 |
[Eric A. Young] |
11520 |
|
11521 |
*) New COMP library [crypto/comp/] for SSL Record Layer Compression: |
11522 |
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is |
11523 |
available). |
11524 |
[Eric A. Young] |
11525 |
|
11526 |
*) Add -strparse option to asn1pars program which parses nested |
11527 |
binary structures |
11528 |
[Dr Stephen Henson <shenson@bigfoot.com>] |
11529 |
|
11530 |
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. |
11531 |
[Eric A. Young] |
11532 |
|
11533 |
*) DSA fix for "ca" program. |
11534 |
[Eric A. Young] |
11535 |
|
11536 |
*) Added "-genkey" option to "dsaparam" program. |
11537 |
[Eric A. Young] |
11538 |
|
11539 |
*) Added RIPE MD160 (rmd160) message digest. |
11540 |
[Eric A. Young] |
11541 |
|
11542 |
*) Added -a (all) option to "ssleay version" command. |
11543 |
[Eric A. Young] |
11544 |
|
11545 |
*) Added PLATFORM define which is the id given to Configure. |
11546 |
[Eric A. Young] |
11547 |
|
11548 |
*) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. |
11549 |
[Eric A. Young] |
11550 |
|
11551 |
*) Extended the ASN.1 parser routines. |
11552 |
[Eric A. Young] |
11553 |
|
11554 |
*) Extended BIO routines to support REUSEADDR, seek, tell, etc. |
11555 |
[Eric A. Young] |
11556 |
|
11557 |
*) Added a BN_CTX to the BN library. |
11558 |
[Eric A. Young] |
11559 |
|
11560 |
*) Fixed the weak key values in DES library |
11561 |
[Eric A. Young] |
11562 |
|
11563 |
*) Changed API in EVP library for cipher aliases. |
11564 |
[Eric A. Young] |
11565 |
|
11566 |
*) Added support for RC2/64bit cipher. |
11567 |
[Eric A. Young] |
11568 |
|
11569 |
*) Converted the lhash library to the crypto/mem.c functions. |
11570 |
[Eric A. Young] |
11571 |
|
11572 |
*) Added more recognized ASN.1 object ids. |
11573 |
[Eric A. Young] |
11574 |
|
11575 |
*) Added more RSA padding checks for SSL/TLS. |
11576 |
[Eric A. Young] |
11577 |
|
11578 |
*) Added BIO proxy/filter functionality. |
11579 |
[Eric A. Young] |
11580 |
|
11581 |
*) Added extra_certs to SSL_CTX which can be used |
11582 |
send extra CA certificates to the client in the CA cert chain sending |
11583 |
process. It can be configured with SSL_CTX_add_extra_chain_cert(). |
11584 |
[Eric A. Young] |
11585 |
|
11586 |
*) Now Fortezza is denied in the authentication phase because |
11587 |
this is key exchange mechanism is not supported by SSLeay at all. |
11588 |
[Eric A. Young] |
11589 |
|
11590 |
*) Additional PKCS1 checks. |
11591 |
[Eric A. Young] |
11592 |
|
11593 |
*) Support the string "TLSv1" for all TLS v1 ciphers. |
11594 |
[Eric A. Young] |
11595 |
|
11596 |
*) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the |
11597 |
ex_data index of the SSL context in the X509_STORE_CTX ex_data. |
11598 |
[Eric A. Young] |
11599 |
|
11600 |
*) Fixed a few memory leaks. |
11601 |
[Eric A. Young] |
11602 |
|
11603 |
*) Fixed various code and comment typos. |
11604 |
[Eric A. Young] |
11605 |
|
11606 |
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0 |
11607 |
bytes sent in the client random. |
11608 |
[Edward Bishop <ebishop@spyglass.com>] |
11609 |
|