git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Fix Valgrind warning.
 OpenSSL CHANGES
 _______________

 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]

  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change current certificate to
     the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) RFC 5878 support.
     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal;
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparams. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of the 'q' parameter for RFC 5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC 5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

 Changes between 1.0.1c and 1.0.1d [xx XXX xxxx]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]

 Changes between 1.0.1b and 1.0.1c [10 May 2012]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to avoid DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

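     The check this entry describes, as an added example that is not
     OpenSSL's own code: a stand-alone model of stripping the explicit IV
     from a TLS 1.1/1.2 (or DTLS) CBC record. The record struct, function
     names and the 32-byte sample record are constructed for the
     illustration. The point is that the record length has to be validated
     before the IV is skipped: an unchecked subtraction on a record shorter
     than one block underflows, and the MAC/padding code that follows then
     reads far past the record, which is the denial of service fixed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decrypted CBC record as seen by the record layer in TLS 1.1/1.2 and DTLS:
 * the first block_size bytes are the explicit IV (RFC 5246 section 6.2.3.2)
 * and must be skipped before padding and MAC are checked. Constructed for
 * this example; it is not OpenSSL's own record structure. */
struct tls_record {
    const uint8_t *data;
    size_t length;
};

/* Constructed sample: a 32-byte record, i.e. a 16-byte IV followed by one
 * 16-byte ciphertext block (AES block size). The bytes are arbitrary. */
static const uint8_t sample_record[32] = {
    0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
    0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a,
    0xae, 0x2d, 0x8a, 0x57, 0x1e, 0x03, 0xac, 0x9c,
    0x9e, 0xb7, 0x6f, 0xac, 0x45, 0xaf, 0x8e, 0x51
};

/* The pre-fix shape of the operation, kept only to show the failure mode:
 * with no length check, a record shorter than one block makes the length
 * wrap to a huge value, after which MAC/padding processing reads past the
 * buffer. This version works on lengths only, so it cannot crash here. */
size_t unchecked_length_after_iv(size_t length, size_t block_size)
{
    return length - block_size;     /* underflows when length < block_size */
}

/* Hardened version: reject a record that is not made of whole blocks or
 * that does not hold an IV plus at least one block of ciphertext (TLS CBC
 * ciphertext always carries padding and a MAC, so it is never empty).
 * Returns 1 and advances the record on success, 0 if it is rejected. */
int skip_explicit_iv(struct tls_record *rec, size_t block_size)
{
    if (block_size == 0 || rec->length % block_size != 0)
        return 0;                   /* not valid CBC ciphertext */
    if (rec->length < 2 * block_size)
        return 0;                   /* subtraction would underflow or leave nothing */
    rec->data += block_size;
    rec->length -= block_size;
    return 1;
}

/* Ciphertext length left after the IV, or -1 if the record is rejected. */
long payload_length_after_iv(const uint8_t *buf, size_t len, size_t block_size)
{
    struct tls_record rec;
    rec.data = buf;
    rec.length = len;
    if (!skip_explicit_iv(&rec, block_size))
        return -1;
    return (long)rec.length;
}

int main(void)
{
    printf("32-byte record, 16-byte blocks: payload %ld\n",
           payload_length_after_iv(sample_record, sizeof sample_record, 16));
    printf("8-byte record, 16-byte blocks: payload %ld (rejected)\n",
           payload_length_after_iv(sample_record, 8, 16));
    printf("unchecked 8 - 16 wraps to %zu\n", unchecked_length_after_iv(8, 16));
    return 0;
}
```

     The rejection threshold of two blocks is slightly stricter than a bare
     underflow guard on purpose: a record consisting of nothing but an IV
     is malformed as well, and rejecting it up front keeps the later
     padding and MAC checks from having to reason about a zero-length body.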
  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L. Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Leaving the old value in place
     would mean TLS 1.1 could not be disabled specifically and, in a client
     context, would in that unlikely event limit the maximum offered version
     to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if an application wants to disable TLS 1.0 in favour of TLS 1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1; one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to the
     client side.
     [Andy Polyakov]

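     The two entries above, modelled in one added example that is not
     OpenSSL's own code. The SSL_OP_ALL and SSL_OP_NO_TLSv1_1 values are the
     ones quoted in the first entry; the remaining SSL_OP_NO_* values are
     re-declared here from the 1.0.1 ssl.h so the example builds without
     OpenSSL headers, and are an assumption of this example (the rule does
     not depend on the exact bit positions). collides_with_ssl_op_all()
     shows why 0x00000400L was a bad choice, and client_max_version() is a
     reconstruction from the second entry's description of how the client
     picks the highest version to offer: SSL_OP_NO_X caps the offer below X
     whenever something below X is still enabled, so that the offered range
     stays contiguous.

```c
#include <stdio.h>

/* Option bits. SSL_OP_ALL_1_0_0 and OLD_SSL_OP_NO_TLSv1_1 are the values
 * quoted in the CHANGES entry; the others are re-declared from 1.0.1's
 * ssl.h for this example (assumed, not copied from a build). */
#define SSL_OP_ALL_1_0_0      0x80000FFFUL  /* SSL_OP_ALL as set by OpenSSL 1.0.0 */
#define OLD_SSL_OP_NO_TLSv1_1 0x00000400UL  /* 1.0.1/1.0.1a value: lies inside SSL_OP_ALL */
#define SSL_OP_NO_SSLv2       0x01000000UL
#define SSL_OP_NO_SSLv3       0x02000000UL
#define SSL_OP_NO_TLSv1       0x04000000UL
#define SSL_OP_NO_TLSv1_2     0x08000000UL
#define SSL_OP_NO_TLSv1_1     0x10000000UL  /* value after the 1.0.1b fix */

/* Protocol versions as carried on the wire (major.minor). */
enum {
    SSL2_VERSION   = 0x0002,
    SSL3_VERSION   = 0x0300,
    TLS1_VERSION   = 0x0301,
    TLS1_1_VERSION = 0x0302,
    TLS1_2_VERSION = 0x0303
};

/* 1 if `opt` shares a bit with SSL_OP_ALL, i.e. an application built
 * against 1.0.0 headers that ORs in SSL_OP_ALL sets it by accident. */
int collides_with_ssl_op_all(unsigned long opt)
{
    return (opt & SSL_OP_ALL_1_0_0) != 0;
}

/* Highest version a 1.0.1-style client offers in its ClientHello for the
 * given option word. Walks from TLS 1.2 downward; at each protocol X that
 * is disabled, if any protocol below X is still enabled, the offer is
 * capped at the version just below X. Returns 0 if every protocol is
 * disabled (a configuration the library itself rejects as an error). */
int client_max_version(unsigned long options)
{
    static const unsigned long no_opt[] = {
        SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1,
        SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2
    };
    static const int version[] = {
        SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION
    };
    const int n = (int)(sizeof no_opt / sizeof no_opt[0]);
    unsigned long all = 0, below;
    int i, max = TLS1_2_VERSION;

    for (i = 0; i < n; i++)
        all |= no_opt[i];
    if ((options & all) == all)
        return 0;

    /* `below` holds the NO_ bits of every protocol under the one being
     * examined; if they are not all set, something lower is still on. */
    below = all & ~no_opt[n - 1];
    for (i = n - 1; i > 0; i--) {
        if ((options & no_opt[i]) && (options & below) != below)
            max = version[i - 1];
        below &= ~no_opt[i - 1];
    }
    return max;
}

int main(void)
{
    printf("old SSL_OP_NO_TLSv1_1 collides with SSL_OP_ALL: %d\n",
           collides_with_ssl_op_all(OLD_SSL_OP_NO_TLSv1_1));
    printf("new SSL_OP_NO_TLSv1_1 collides with SSL_OP_ALL: %d\n",
           collides_with_ssl_op_all(SSL_OP_NO_TLSv1_1));
    printf("SSL_OP_NO_TLSv1 alone      -> offers 0x%04x\n",
           client_max_version(SSL_OP_NO_TLSv1));
    printf("NO_TLSv1|NO_SSLv3|NO_SSLv2 -> offers 0x%04x\n",
           client_max_version(SSL_OP_NO_TLSv1 | SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2));
    printf("SSL_OP_NO_TLSv1_1 alone    -> offers 0x%04x\n",
           client_max_version(SSL_OP_NO_TLSv1_1));
    return 0;
}
```

     The last case is the one the first entry warns about: with the old
     bit value, a 1.0.0-built client that set SSL_OP_ALL would have set
     SSL_OP_NO_TLSv1_1 without meaning to, and because TLS 1.0 and below
     were still enabled the contiguity rule would have capped its offer at
     TLS 1.0, silently losing TLS 1.2 as well as TLS 1.1.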
 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]

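     The three checks this entry describes, as an added example that is not
     OpenSSL's own code: a BUF_MEM_grow-style function whose 4/3 rounding
     cannot wrap a size_t, an asn1_d2i_read_bio-style offset accumulation
     that rejects a length which would push the running int offset past
     INT_MAX, and a CRYPTO_realloc_clean-style reallocation that refuses to
     shrink. The type, function names and LIMIT_BEFORE_EXPANSION (derived
     from SIZE_MAX here rather than copied from the library) are this
     example's own.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer in the spirit of BUF_MEM (constructed for this example). */
typedef struct {
    size_t length;          /* bytes in use */
    unsigned char *data;
    size_t max;             /* bytes allocated */
} mem_buf;

/* Largest len for which (len + 3) / 3 * 4 fits in a size_t. */
#define LIMIT_BEFORE_EXPANSION ((SIZE_MAX / 4) * 3 - 3)

/* Grow to hold at least len bytes, over-allocating by 4/3 the way
 * BUF_MEM_grow does. Returns the new length, or 0 on overflow or OOM.
 * Without the limit check, a huge len makes n wrap to a small number,
 * the small block is handed back as if it held len bytes, and the next
 * copy into it is a heap overflow. */
size_t mem_buf_grow(mem_buf *b, size_t len)
{
    size_t n;
    unsigned char *p;

    if (len > LIMIT_BEFORE_EXPANSION)
        return 0;                           /* arithmetic below would wrap */
    if (b->max >= len) {
        b->length = len;
        return len;
    }
    n = (len + 3) / 3 * 4;                  /* safe: len <= LIMIT_BEFORE_EXPANSION */
    p = realloc(b->data, n);
    if (p == NULL)
        return 0;
    b->data = p;
    b->max = n;
    b->length = len;
    return len;
}

/* asn1_d2i_read_bio keeps an int offset and adds each element's length to
 * it. Returns the new offset, or -1 if adding want would exceed INT_MAX
 * (the unchecked addition is what made the original overflow reachable). */
long checked_offset_add(int off, long want)
{
    if (off < 0 || want < 0 || want > (long)(INT_MAX - off))
        return -1;
    return (long)off + want;
}

/* Reallocation that wipes the old block and refuses to shrink: a caller
 * that still believes the block holds old_len bytes would otherwise read
 * or write past the smaller allocation. Note that a real implementation
 * must wipe with a routine the compiler cannot elide (e.g. OPENSSL_cleanse);
 * a plain memset before free() is a dead store and may be optimised away. */
void *realloc_clean(void *p, size_t old_len, size_t new_len)
{
    void *q;
    if (p == NULL)
        return malloc(new_len);
    if (new_len < old_len)
        return NULL;                        /* shrinking is refused */
    q = malloc(new_len);
    if (q == NULL)
        return NULL;
    memcpy(q, p, old_len);
    memset(p, 0, old_len);
    free(p);
    return q;
}

/* Helpers that exercise the functions above on a scratch buffer and
 * return a checkable value. */
size_t grow_rounding(size_t len)           /* resulting allocation, 0 if rejected */
{
    mem_buf b = { 0, NULL, 0 };
    size_t r = mem_buf_grow(&b, len) ? b.max : 0;
    free(b.data);
    return r;
}

int shrink_is_refused(void)                 /* 1 if realloc_clean rejects a shrink */
{
    void *p = malloc(16), *q;
    if (p == NULL)
        return 0;
    q = realloc_clean(p, 16, 8);
    free(p);
    return q == NULL;
}

int main(void)
{
    printf("grow(10) allocates %zu bytes\n", grow_rounding(10));
    printf("grow(SIZE_MAX) allocates %zu bytes (0 = rejected)\n", grow_rounding(SIZE_MAX));
    printf("offset INT_MAX-5 + 6 -> %ld (-1 = rejected)\n", checked_offset_add(INT_MAX - 5, 6));
    printf("shrink refused: %d\n", shrink_is_refused());
    return 0;
}
```

     The overflow guard is placed before any arithmetic on len, which is
     the shape the fix takes: the comparison is against a constant, so
     there is no intermediate value that could itself wrap.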
  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes:

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures, in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in client hello; this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
     (removal of unnecessary code)
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

       EC_GFp_nistp224_method()
       EC_GFp_nistp256_method()
       EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).

229 EC_GROUP_new_by_curve_name() will automatically use these (while
230 EC_GROUP_new_curve_GFp() currently prefers the more flexible
231 implementations).
232