git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Simplify and fix ec_GFp_simple_points_make_affine
[thirdparty/openssl.git] / CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 1.0.1h and 1.0.2 [xx XXX xxxx]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

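The corner case named in this entry is easiest to understand in code. What follows is an added example written for this page; it is not OpenSSL's ec_GFp_simple_points_make_affine and not code from the commit being viewed. It carries out the simultaneous-inversion trick over a toy prime field (p = 1000003, a constructed value, not a curve parameter), turning a batch of Jacobian points into affine form with a single field inversion while leaving points at infinity (Z = 0) untouched in both passes. The names jpoint, points_make_affine and demo_batch_ok are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy prime field for illustration only (constructed value, not a real curve
   parameter): p is small enough that any product of two residues fits in uint64_t. */
#define P 1000003ULL

/* Jacobian point (X : Y : Z) with affine x = X/Z^2, y = Y/Z^3.
   Z == 0 marks the point at infinity, which has no affine form. */
typedef struct { uint64_t x, y, z; } jpoint;

static uint64_t fmul(uint64_t a, uint64_t b) { return (a % P) * (b % P) % P; }

/* Modular exponentiation by square-and-multiply. */
static uint64_t fpow(uint64_t a, uint64_t e) {
    uint64_t r = 1;
    a %= P;
    while (e) {
        if (e & 1) r = fmul(r, a);
        a = fmul(a, a);
        e >>= 1;
    }
    return r;
}

/* Field inverse via Fermat: a^(p-2) == a^-1 mod p for a != 0. */
static uint64_t finv(uint64_t a) { return fpow(a, P - 2); }

/* Convert every finite point in pts[] to affine form (Z = 1) using a single
   field inversion (Montgomery's simultaneous-inversion trick). Points at
   infinity are skipped in both passes: they must neither zero the running
   product nor be rewritten, otherwise finite inputs come out wrong or as
   infinity, which is the failure mode the CHANGES entry describes.
   Returns the number of finite points converted, or -1 on allocation failure. */
int points_make_affine(jpoint *pts, size_t num) {
    if (num == 0) return 0;
    uint64_t *prod = malloc(num * sizeof *prod);
    if (prod == NULL) return -1;

    /* Forward pass: prod[i] = product of all non-zero Z[j] with j <= i. */
    uint64_t acc = 1;
    size_t finite = 0;
    for (size_t i = 0; i < num; i++) {
        if (pts[i].z != 0) { acc = fmul(acc, pts[i].z); finite++; }
        prod[i] = acc;
    }
    if (finite == 0) { free(prod); return 0; }

    /* The one and only inversion: 1 / (product of all finite Z). */
    uint64_t inv = finv(prod[num - 1]);

    /* Backward pass. Invariant: inv == 1 / (product of finite Z[j], j <= i).
       For a finite point, Z[i]^-1 = inv * prod[i-1], where prod[i-1] is the
       product of the finite Z's before i (1 if there are none). */
    for (size_t i = num; i-- > 0; ) {
        if (pts[i].z == 0) continue;                 /* infinity stays infinity */
        uint64_t zinv = (i == 0) ? inv : fmul(inv, prod[i - 1]);
        inv = fmul(inv, pts[i].z);                   /* peel Z[i] off the accumulator */
        uint64_t zinv2 = fmul(zinv, zinv);
        pts[i].x = fmul(pts[i].x, zinv2);
        pts[i].y = fmul(pts[i].y, fmul(zinv2, zinv));
        pts[i].z = 1;
    }
    free(prod);
    return (int)finite;
}

/* Constructed batch: the affine point (5, 7) re-randomised with Z = 3, 11 and 2,
   interleaved with points at infinity at the front, middle and back. Returns 1
   if every finite point comes back as (5, 7, 1) and every infinity is untouched. */
int demo_batch_ok(void) {
    jpoint pts[] = {
        {0, 0, 0}, {45, 189, 3}, {0, 0, 0}, {605, 9317, 11}, {20, 56, 2}, {0, 0, 0},
    };
    static const int finite[] = {0, 1, 0, 1, 1, 0};
    size_t n = sizeof pts / sizeof pts[0];
    if (points_make_affine(pts, n) != 3) return 0;
    for (size_t i = 0; i < n; i++) {
        if (finite[i]) {
            if (pts[i].x != 5 || pts[i].y != 7 || pts[i].z != 1) return 0;
        } else if (pts[i].z != 0 || pts[i].x != 0 || pts[i].y != 0) {
            return 0;
        }
    }
    return 1;
}

int main(void) {
    printf("batch conversion with interleaved infinities: %s\n",
           demo_batch_ok() ? "ok" : "BROKEN");
    return 0;
}
```

The two places where an implementation can go wrong are both visible here: if a zero Z is multiplied into the running product, the single inversion is of zero and every finite point is corrupted; if the backward pass rewrites an infinity point or consumes it from the accumulator, the remaining finite points pick up the wrong inverse. Skipping Z = 0 in both loops is what keeps "non-infinity inputs" from being "mapped to infinity".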
  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]

  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]

  *) Initial support for ARMv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]

  *) Improved ARMv7 NEON support.
     [Andy Polyakov]

  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]

  *) Accelerated modular exponentiation for Intel processors, a.k.a.
     RSAZ.
     [Shay Gueron (Intel Corp)]

  *) Support for new and upcoming Intel processors, including AVX2,
     BMI and SHA ISA extensions. This includes additional "stitched"
     implementations, AESNI-SHA256 and GCM, and multi-buffer support
     for TLS encrypt.

     This work was sponsored by Intel Corp.
     [Andy Polyakov]

  *) Harmonize version and its documentation. -f flag is used to display
     compilation flags.
     [mancha <mancha1@zoho.com>]

  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
     in i2d_ECPrivateKey.
     [mancha <mancha1@zoho.com>]

  *) Fix some double frees. These are not thought to be exploitable.
     [mancha <mancha1@zoho.com>]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Add EVP support for key wrapping algorithms. To avoid problems with
     existing code, the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include test cases.
     [Steve Henson]

  *) Add functions to allocate and set the fields of an ECDSA_METHOD
     structure.
     [Douglas E. Engert, Steve Henson]

  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
     Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
     several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
     [Rob Stradling, Adam Langley]

  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse order of characters
     received by client and send back to server. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]

  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]

  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types is not set with custom values set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in openssl utility.
     [Steve Henson]

  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New functions to check a hostname, email or IP address against a
     certificate. Add options to x509 utility to print results of checks against
     a certificate.
     [Steve Henson]

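The three entries above concern checking a presented host name against the names in a certificate, where the wildcard rules decide what a certificate for one host can be made to cover. Below is an added example written for this page; it is not the hostname-checking functions these entries introduce and not OpenSSL code. It is a self-contained C matcher for dNSName patterns with deliberately conservative wildcard rules (spelled out in the comments; they are my choice for the example, not a description of OpenSSL's default behaviour), run against a constructed SAN list. The names hostname_matches, san_index_matching and SAMPLE_SANS are mine.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality of two byte ranges of the same length. */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Number of dot-separated labels in s, or 0 if s is empty or has an empty label
   (leading, trailing or doubled dot). Such names are rejected outright. */
static size_t count_labels(const char *s) {
    if (*s == '\0' || *s == '.') return 0;
    size_t labels = 1;
    for (; *s; s++) {
        if (*s == '.') {
            if (s[1] == '.' || s[1] == '\0') return 0;
            labels++;
        }
    }
    return labels;
}

/* Match a dNSName pattern from a certificate against the host name the client
   connected to. Rules used here (an assumption of this example): labels compare
   case-insensitively; a '*' is accepted only as the entire leftmost label,
   matches exactly one non-empty label, and needs at least two more labels after
   it (so "*.com" matches nothing). Partial wildcards such as "w*.example.com"
   are rejected. Returns 1 on match, 0 otherwise. */
int hostname_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (count_labels(pattern) == 0 || count_labels(host) == 0) return 0;
    if (strchr(host, '*') != NULL) return 0;     /* the presented name is never a pattern */

    const char *star = strchr(pattern, '*');
    if (star == NULL)                            /* no wildcard: whole-string comparison */
        return plen == hlen && eq_nocase(pattern, host, plen);

    /* Wildcard must be the whole first label and the only '*' in the pattern. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL) return 0;
    if (count_labels(pattern) < 3) return 0;

    /* The host's first label is consumed by the '*'; everything from its first
       dot onward must equal the pattern's suffix (".example.com"). Because the
       comparison starts at the first dot, the '*' can never span two labels. */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL) return 0;
    size_t suffix_len = plen - 1;                /* pattern minus the '*' */
    size_t host_suffix_len = hlen - (size_t)(hdot - host);
    return suffix_len == host_suffix_len && eq_nocase(pattern + 1, hdot, suffix_len);
}

/* Constructed sample SAN dNSName entries, not taken from any real certificate. */
static const char *const SAMPLE_SANS[] = { "example.com", "*.example.com", "mail.example.net" };

/* Index of the first SAN entry matching host, or -1 if none does. */
int san_index_matching(const char *host) {
    size_t n = sizeof SAMPLE_SANS / sizeof SAMPLE_SANS[0];
    for (size_t i = 0; i < n; i++)
        if (hostname_matches(SAMPLE_SANS[i], host)) return (int)i;
    return -1;
}

int main(void) {
    const char *hosts[] = { "example.com", "api.example.com", "deep.api.example.com",
                            "EXAMPLE.com", "mail.example.net", "example.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s -> SAN index %d\n", hosts[i], san_index_matching(hosts[i]));
    return 0;
}
```

IP address literals are deliberately outside this function: they belong to the iPAddress SAN type and must be compared as parsed addresses, never run through a dNSName wildcard match.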
  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

  *) Initial experimental support for explicitly trusted non-root CAs.
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust (e.g., -addtrust option to the x509
     utility) or reject.
     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]

  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal,
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

 Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.

     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
     researching this issue. (CVE-2014-0224)
     [KIKUCHI Masashi, Steve Henson]

  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
     OpenSSL DTLS client the code can be made to recurse eventually crashing
     in a DoS attack.

     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
     (CVE-2014-0221)
     [Imre Rad, Steve Henson]

  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
     client or server. This is potentially exploitable to run arbitrary
     code on a vulnerable client or server.
