]>
Commit | Line | Data |
---|---|---|
81a6c781 | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE |
3 | _______________ |
4 | ||
2649ce1e DSH |
5 | Changes between 0.9.8m and 0.9.8n [xx XXX xxxx] |
6 | ||
ede13519 DSH |
7 | *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL |
8 | could be crashed if the relevant tables were not present (e.g. chrooted). | |
9 | [Tomas Hoger <thoger@redhat.com>] | |
2649ce1e | 10 | |
7070cdba | 11 | Changes between 0.9.8l and 0.9.8m [25 Feb 2010] |
c2b78c31 | 12 | |
3e4da3f7 BM |
13 | *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) |
14 | [Martin Olsson, Neel Mehta] | |
15 | ||
739e0e93 BM |
16 | *) Fix X509_STORE locking: Every 'objs' access requires a lock (to |
17 | accommodate for stack sorting, always a write lock!). | |
18 | [Bodo Moeller] | |
19 | ||
657b02d0 DSH |
20 | *) On some versions of WIN32 Heap32Next is very slow. This can cause |
21 | excessive delays in the RAND_poll(): over a minute. As a workaround | |
22 | include a time check in the inner Heap32Next loop too. | |
23 | [Steve Henson] | |
24 | ||
ded27f70 | 25 | *) The code that handled flushing of data in SSL/TLS originally used the |
cc629741 DSH |
26 | BIO_CTRL_INFO ctrl to see if any data was pending first. This caused |
27 | the problem outlined in PR#1949. The fix suggested there however can | |
28 | trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions | |
29 | of Apache). So instead simplify the code to flush unconditionally. | |
30 | This should be fine since flushing with no data to flush is a no op. | |
31 | [Steve Henson] | |
32 | ||
c3c3b288 DSH |
33 | *) Handle TLS versions 2.0 and later properly and correctly use the |
34 | highest version of TLS/SSL supported. Although TLS >= 2.0 is some way | |
35 | off ancient servers have a habit of sticking around for a while... | |
36 | [Steve Henson] | |
37 | ||
06e2670a DSH |
38 | *) Modify compression code so it frees up structures without using the |
39 | ex_data callbacks. This works around a problem where some applications | |
81f28ca5 | 40 | call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when |
06e2670a DSH |
41 | restarting) then use compression (e.g. SSL with compression) later. |
42 | This results in significant per-connection memory leaks and | |
43 | has caused some security issues including CVE-2008-1678 and | |
44 | CVE-2009-4355. | |
45 | [Steve Henson] | |
46 | ||
d0e79d7e BM |
47 | *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't |
48 | change when encrypting or decrypting. | |
49 | [Bodo Moeller] | |
50 | ||
ccc3df8c | 51 | *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to |
442ac8d2 | 52 | connect and renegotiate with servers which do not support RI. |
ccc3df8c DSH |
53 | Until RI is more widely deployed this option is enabled by default. |
54 | [Steve Henson] | |
55 | ||
cb4823fd DSH |
56 | *) Add "missing" ssl ctrls to clear options and mode. |
57 | [Steve Henson] | |
58 | ||
17bb0516 | 59 | *) If client attempts to renegotiate and doesn't support RI respond with |
68be98d1 DSH |
60 | a no_renegotiation alert as required by RFC5746. Some renegotiating |
61 | TLS clients will continue a connection gracefully when they receive | |
62 | the alert. Unfortunately OpenSSL mishandled this alert and would hang | |
63 | waiting for a server hello which it will never receive. Now we treat a | |
64 | received no_renegotiation alert as a fatal error. This is because | |
65 | applications requesting a renegotiation might well expect it to succeed | |
66 | and would have no code in place to handle the server denying it so the | |
67 | only safe thing to do is to terminate the connection. | |
17bb0516 DSH |
68 | [Steve Henson] |
69 | ||
59f44e81 DSH |
70 | *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if |
71 | peer supports secure renegotiation and 0 otherwise. Print out peer | |
72 | renegotiation support in s_client/s_server. | |
73 | [Steve Henson] | |
74 | ||
1ff44a99 DSH |
75 | *) Replace the highly broken and deprecated SPKAC certification method with |
76 | the updated NID creation version. This should correctly handle UTF8. | |
77 | [Steve Henson] | |
78 | ||
68be98d1 DSH |
79 | *) Implement RFC5746. Re-enable renegotiation but require the extension |
80 | as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | |
81 | turns out to be a bad idea. It has been replaced by | |
c2b78c31 BL |
82 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with |
83 | SSL_CTX_set_options(). This is really not recommended unless you | |
84 | know what you are doing. | |
7a014dce | 85 | [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] |
949fbf07 | 86 | |
2a8834cf DSH |
87 | *) Fixes to stateless session resumption handling. Use initial_ctx when |
88 | issuing and attempting to decrypt tickets in case it has changed during | |
89 | servername handling. Use a non-zero length session ID when attempting | |
90 | stateless session resumption: this makes it possible to determine if | |
553d2e32 | 91 | a resumption has occurred immediately after receiving server hello |
2a8834cf DSH |
92 | (several places in OpenSSL subtly assume this) instead of later in |
93 | the handshake. | |
94 | [Steve Henson] | |
afff063a DSH |
95 | |
96 | *) The functions ENGINE_ctrl(), OPENSSL_isservice(), | |
97 | CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error | |
98 | fixes for a few places where the return code is not checked | |
99 | correctly. | |
100 | [Julia Lawall <julia@diku.dk>] | |
101 | ||
d0969d24 DSH |
102 | *) Add --strict-warnings option to Configure script to include devteam |
103 | warnings in other configurations. | |
104 | [Steve Henson] | |
105 | ||
985b5ee7 | 106 | *) Add support for --libdir option and LIBDIR variable in makefiles. This |
553d2e32 | 107 | makes it possible to install openssl libraries in locations which |
985b5ee7 DSH |
108 | have names other than "lib", for example "/usr/lib64" which some |
109 | systems need. | |
110 | [Steve Henson, based on patch from Jeremy Utley] | |
111 | ||
136b5dc7 DSH |
112 | *) Don't allow the use of leading 0x80 in OIDs. This is a violation of |
113 | X690 8.9.12 and can produce some misleading textual output of OIDs. | |
114 | [Steve Henson, reported by Dan Kaminsky] | |
115 | ||
553d2e32 | 116 | *) Delete MD2 from algorithm tables. This follows the recommendation in |
856f3005 DSH |
117 | several standards that it is not used in new applications due to |
118 | several cryptographic weaknesses. For binary compatibility reasons | |
119 | the MD2 API is still compiled in by default. | |
120 | [Steve Henson] | |
121 | ||
e7e7f5de DSH |
122 | *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved |
123 | and restored. | |
124 | [Steve Henson] | |
125 | ||
efaa569c DSH |
126 | *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and |
127 | OPENSSL_asc2uni conditionally on Netware platforms to avoid a name | |
128 | clash. | |
51ebaa9f | 129 | [Guenter <lists@gknw.net>] |
efaa569c | 130 | |
ab8fe43f DSH |
131 | *) Fix the server certificate chain building code to use X509_verify_cert(), |
132 | it used to have an ad-hoc builder which was unable to cope with anything | |
133 | other than a simple chain. | |
134 | [David Woodhouse <dwmw2@infradead.org>, Steve Henson] | |
135 | ||
9aecc3e5 DSH |
136 | *) Don't check self signed certificate signatures in X509_verify_cert() |
137 | by default (a flag can override this): it just wastes time without | |
138 | adding any security. As a useful side effect self signed root CAs | |
139 | with non-FIPS digests are now usable in FIPS mode. | |
1e53b797 DSH |
140 | [Steve Henson] |
141 | ||
f47bce27 DSH |
142 | *) In dtls1_process_out_of_seq_message() the check if the current message |
143 | is already buffered was missing. For every new message was memory | |
144 | allocated, allowing an attacker to perform an denial of service attack | |
145 | with sending out of seq handshake messages until there is no memory | |
146 | left. Additionally every future messege was buffered, even if the | |
147 | sequence number made no sense and would be part of another handshake. | |
148 | So only messages with sequence numbers less than 10 in advance will be | |
a176be48 | 149 | buffered. (CVE-2009-1378) |
f47bce27 DSH |
150 | [Robin Seggelmann, discovered by Daniel Mentz] |
151 | ||
152 | *) Records are buffered if they arrive with a future epoch to be | |
153 | processed after finishing the corresponding handshake. There is | |
154 | currently no limitation to this buffer allowing an attacker to perform | |
155 | a DOS attack with sending records with future epochs until there is no | |
156 | memory left. This patch adds the pqueue_size() function to detemine | |
157 | the size of a buffer and limits the record buffer to 100 entries. | |
a176be48 | 158 | (CVE-2009-1377) |
f47bce27 DSH |
159 | [Robin Seggelmann, discovered by Daniel Mentz] |
160 | ||
161 | *) Keep a copy of frag->msg_header.frag_len so it can be used after the | |
a176be48 | 162 | parent structure is freed. (CVE-2009-1379) |
f47bce27 DSH |
163 | [Daniel Mentz] |
164 | ||
0d399f97 DSH |
165 | *) Handle non-blocking I/O properly in SSL_shutdown() call. |
166 | [Darryl Miles <darryl-mailinglists@netbauds.net>] | |
167 | ||
aca8bf43 DSH |
168 | *) Add 2.5.4.* OIDs |
169 | [Ilya O. <vrghost@gmail.com>] | |
7de0df69 | 170 | |
c2b78c31 BL |
171 | Changes between 0.9.8k and 0.9.8l [5 Nov 2009] |
172 | ||
173 | *) Disable renegotiation completely - this fixes a severe security | |
174 | problem (CVE-2009-3555) at the cost of breaking all | |
175 | renegotiation. Renegotiation can be re-enabled by setting | |
176 | SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at | |
177 | run-time. This is really not recommended unless you know what | |
178 | you're doing. | |
179 | [Ben Laurie] | |
180 | ||
e10051ef | 181 | Changes between 0.9.8j and 0.9.8k [25 Mar 2009] |
d34353cc | 182 | |
c60dca1f DSH |
183 | *) Don't set val to NULL when freeing up structures, it is freed up by |
184 | underlying code. If sizeof(void *) > sizeof(long) this can result in | |
185 | zeroing past the valid field. (CVE-2009-0789) | |
186 | [Paolo Ganci <Paolo.Ganci@AdNovum.CH>] | |
187 | ||
188abf7e DSH |
188 | *) Fix bug where return value of CMS_SignerInfo_verify_content() was not |
189 | checked correctly. This would allow some invalid signed attributes to | |
190 | appear to verify correctly. (CVE-2009-0591) | |
191 | [Ivan Nestlerode <inestlerode@us.ibm.com>] | |
192 | ||
f021b7cc DSH |
193 | *) Reject UniversalString and BMPString types with invalid lengths. This |
194 | prevents a crash in ASN1_STRING_print_ex() which assumes the strings have | |
195 | a legal length. (CVE-2009-0590) | |
196 | [Steve Henson] | |
197 | ||
37afdc95 DSH |
198 | *) Set S/MIME signing as the default purpose rather than setting it |
199 | unconditionally. This allows applications to override it at the store | |
200 | level. | |
201 | [Steve Henson] | |
202 | ||
044855e1 DSH |
203 | *) Permit restricted recursion of ASN1 strings. This is needed in practice |
204 | to handle some structures. | |
205 | [Steve Henson] | |
206 | ||
4fcf8d8b DSH |
207 | *) Improve efficiency of mem_gets: don't search whole buffer each time |
208 | for a '\n' | |
209 | [Jeremy Shapiro <jnshapir@us.ibm.com>] | |
210 | ||
59689735 BM |
211 | *) New -hex option for openssl rand. |
212 | [Matthieu Herrb] | |
213 | ||
73cb3729 DSH |
214 | *) Print out UTF8String and NumericString when parsing ASN1. |
215 | [Steve Henson] | |
216 | ||
1f35508a DSH |
217 | *) Support NumericString type for name components. |
218 | [Steve Henson] | |
219 | ||
dc0cb7e7 BL |
220 | *) Allow CC in the environment to override the automatically chosen |
221 | compiler. Note that nothing is done to ensure flags work with the | |
222 | chosen compiler. | |
223 | [Ben Laurie] | |
d34353cc | 224 | |
6287fa53 DSH |
225 | Changes between 0.9.8i and 0.9.8j [07 Jan 2009] |
226 | ||
a00c3c40 DSH |
227 | *) Properly check EVP_VerifyFinal() and similar return values |
228 | (CVE-2008-5077). | |
229 | [Ben Laurie, Bodo Moeller, Google Security Team] | |
230 | ||
c1534223 BL |
231 | *) Enable TLS extensions by default. |
232 | [Ben Laurie] | |
233 | ||
bfc6482a GT |
234 | *) Allow the CHIL engine to be loaded, whether the application is |
235 | multithreaded or not. (This does not release the developer from the | |
236 | obligation to set up the dynamic locking callbacks.) | |
237 | [Sander Temme <sander@temme.net>] | |
238 | ||
582ef3db DSH |
239 | *) Use correct exit code if there is an error in dgst command. |
240 | [Steve Henson; problem pointed out by Roland Dirlewanger] | |
241 | ||
505ed2b0 BM |
242 | *) Tweak Configure so that you need to say "experimental-jpake" to enable |
243 | JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. | |
244 | [Bodo Moeller] | |
245 | ||
246 | *) Add experimental JPAKE support, including demo authentication in | |
247 | s_client and s_server. | |
2124e869 BL |
248 | [Ben Laurie] |
249 | ||
cdffc716 BL |
250 | *) Set the comparison function in v3_addr_canonize(). |
251 | [Rob Austein <sra@hactrn.net>] | |
252 | ||
5dffc13f BL |
253 | *) Add support for XMPP STARTTLS in s_client. |
254 | [Philip Paeps <philip@freebsd.org>] | |
255 | ||
d875413a BM |
256 | *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior |
257 | to ensure that even with this option, only ciphersuites in the | |
258 | server's preference list will be accepted. (Note that the option | |
259 | applies only when resuming a session, so the earlier behavior was | |
260 | just about the algorithm choice for symmetric cryptography.) | |
261 | [Bodo Moeller] | |
6d3b70c8 | 262 | |
b7e7aa00 | 263 | Changes between 0.9.8h and 0.9.8i [15 Sep 2008] |
3f79793b | 264 | |
389fef6c BM |
265 | *) Fix NULL pointer dereference if a DTLS server received |
266 | ChangeCipherSpec as first record (CVE-2009-1386). | |
267 | [PR #1679] | |
0b8eca58 | 268 | |
200d00c8 BM |
269 | *) Fix a state transitition in s3_srvr.c and d1_srvr.c |
270 | (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). | |
271 | [Nagendra Modadugu] | |
272 | ||
669b912d BM |
273 | *) The fix in 0.9.8c that supposedly got rid of unsafe |
274 | double-checked locking was incomplete for RSA blinding, | |
275 | addressing just one layer of what turns out to have been | |
276 | doubly unsafe triple-checked locking. | |
277 | ||
278 | So now fix this for real by retiring the MONT_HELPER macro | |
279 | in crypto/rsa/rsa_eay.c. | |
280 | ||
281 | [Bodo Moeller; problem pointed out by Marius Schilder] | |
282 | ||
36a4a67b BM |
283 | *) Various precautionary measures: |
284 | ||
285 | - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). | |
286 | ||
287 | - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). | |
288 | (NB: This would require knowledge of the secret session ticket key | |
289 | to exploit, in which case you'd be SOL either way.) | |
290 | ||
291 | - Change bn_nist.c so that it will properly handle input BIGNUMs | |
292 | outside the expected range. | |
293 | ||
294 | - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG | |
295 | builds. | |
296 | ||
297 | [Neel Mehta, Bodo Moeller] | |
298 | ||
4ea574fd BM |
299 | *) Allow engines to be "soft loaded" - i.e. optionally don't die if |
300 | the load fails. Useful for distros. | |
301 | [Ben Laurie and the FreeBSD team] | |
302 | ||
dd6e9046 DSH |
303 | *) Add support for Local Machine Keyset attribute in PKCS#12 files. |
304 | [Steve Henson] | |
305 | ||
4afcee8b BM |
306 | *) Fix BN_GF2m_mod_arr() top-bit cleanup code. |
307 | [Huang Ying] | |
308 | ||
1a12ce8e | 309 | *) Expand ENGINE to support engine supplied SSL client certificate functions. |
1f320621 DSH |
310 | |
311 | This work was sponsored by Logica. | |
1a12ce8e DSH |
312 | [Steve Henson] |
313 | ||
4afcee8b BM |
314 | *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows |
315 | keystores. Support for SSL/TLS client authentication too. | |
1a12ce8e | 316 | Not compiled unless enable-capieng specified to Configure. |
1f320621 DSH |
317 | |
318 | This work was sponsored by Logica. | |
1a12ce8e DSH |
319 | [Steve Henson] |
320 | ||
cf8115de DSH |
321 | *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using |
322 | ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain | |
323 | attribute creation routines such as certifcate requests and PKCS#12 | |
324 | files. | |
325 | [Steve Henson] | |
326 | ||
0d01d8a7 | 327 | Changes between 0.9.8g and 0.9.8h [28 May 2008] |
2339c5d7 | 328 | |
2c0fa03d MC |
329 | *) Fix flaw if 'Server Key exchange message' is omitted from a TLS |
330 | handshake which could lead to a cilent crash as found using the | |
331 | Codenomicon TLS test suite (CVE-2008-1672) | |
332 | [Steve Henson, Mark Cox] | |
333 | ||
d3b3a6d3 MC |
334 | *) Fix double free in TLS server name extensions which could lead to |
335 | a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) | |
336 | [Joe Orton] | |
337 | ||
5f232886 LJ |
338 | *) Clear error queue in SSL_CTX_use_certificate_chain_file() |
339 | ||
340 | Clear the error queue to ensure that error entries left from | |
341 | older function calls do not interfere with the correct operation. | |
342 | [Lutz Jaenicke, Erik de Castro Lopo] | |
343 | ||
45c58c7d LJ |
344 | *) Remove root CA certificates of commercial CAs: |
345 | ||
346 | The OpenSSL project does not recommend any specific CA and does not | |
347 | have any policy with respect to including or excluding any CA. | |
348 | Therefore it does not make any sense to ship an arbitrary selection | |
349 | of root CA certificates with the OpenSSL software. | |
350 | [Lutz Jaenicke] | |
351 | ||
10d3886c DSH |
352 | *) RSA OAEP patches to fix two separate invalid memory reads. |
353 | The first one involves inputs when 'lzero' is greater than | |
354 | 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes | |
355 | before the beginning of from). The second one involves inputs where | |
356 | the 'db' section contains nothing but zeroes (there is a one-byte | |
357 | invalid read after the end of 'db'). | |
112591be | 358 | [Ivan Nestlerode <inestlerode@us.ibm.com>] |
10d3886c | 359 | |
812d8a17 BM |
360 | *) Partial backport from 0.9.9-dev: |
361 | ||
c3031a46 BM |
362 | Introduce bn_mul_mont (dedicated Montgomery multiplication |
363 | procedure) as a candidate for BIGNUM assembler implementation. | |
364 | While 0.9.9-dev uses assembler for various architectures, only | |
365 | x86_64 is available by default here in the 0.9.8 branch, and | |
366 | 32-bit x86 is available through a compile-time setting. | |
367 | ||
368 | To try the 32-bit x86 assembler implementation, use Configure | |
369 | option "enable-montasm" (which exists only for this backport). | |
370 | ||
371 | As "enable-montasm" for 32-bit x86 disclaims code stability | |
372 | anyway, in this constellation we activate additional code | |
373 | backported from 0.9.9-dev for further performance improvements, | |
374 | namely BN_from_montgomery_word. (To enable this otherwise, | |
375 | e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) | |
376 | ||
377 | [Andy Polyakov (backport partially by Bodo Moeller)] | |
812d8a17 | 378 | |
db533c96 DSH |
379 | *) Add TLS session ticket callback. This allows an application to set |
380 | TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed | |
381 | values. This is useful for key rollover for example where several key | |
382 | sets may exist with different names. | |
383 | [Steve Henson] | |
384 | ||
98bd148b GT |
385 | *) Reverse ENGINE-internal logic for caching default ENGINE handles. |
386 | This was broken until now in 0.9.8 releases, such that the only way | |
387 | a registered ENGINE could be used (assuming it initialises | |
388 | successfully on the host) was to explicitly set it as the default | |
389 | for the relevant algorithms. This is in contradiction with 0.9.7 | |
390 | behaviour and the documentation. With this fix, when an ENGINE is | |
391 | registered into a given algorithm's table of implementations, the | |
392 | 'uptodate' flag is reset so that auto-discovery will be used next | |
393 | time a new context for that algorithm attempts to select an | |
394 | implementation. | |
395 | [Ian Lister (tweaked by Geoff Thorpe)] | |
396 | ||
94b2c29f DSH |
397 | *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 |
398 | implemention in the following ways: | |
399 | ||
400 | Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be | |
401 | hard coded. | |
402 | ||
403 | Lack of BER streaming support means one pass streaming processing is | |
404 | only supported if data is detached: setting the streaming flag is | |
405 | ignored for embedded content. | |
406 | ||
407 | CMS support is disabled by default and must be explicitly enabled | |
408 | with the enable-cms configuration option. | |
409 | [Steve Henson] | |
410 | ||
292248b8 GT |
411 | *) Update the GMP engine glue to do direct copies between BIGNUM and |
412 | mpz_t when openssl and GMP use the same limb size. Otherwise the | |
413 | existing "conversion via a text string export" trick is still used. | |
414 | [Paul Sheer <paulsheer@gmail.com>] | |
415 | ||
7ec2d392 | 416 | *) Zlib compression BIO. This is a filter BIO which compressed and |
6b8be6da | 417 | uncompresses any data passed through it. |
7ec2d392 DSH |
418 | [Steve Henson] |
419 | ||
e88f66bb DSH |
420 | *) Add AES_wrap_key() and AES_unwrap_key() functions to implement |
421 | RFC3394 compatible AES key wrapping. | |
422 | [Steve Henson] | |
423 | ||
9e7459fc DSH |
424 | *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): |
425 | sets string data without copying. X509_ALGOR_set0() and | |
426 | X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) | |
427 | data. Attribute function X509at_get0_data_by_OBJ(): retrieves data | |
428 | from an X509_ATTRIBUTE structure optionally checking it occurs only | |
429 | once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied | |
430 | data. | |
431 | [Steve Henson] | |
432 | ||
19398a17 BM |
433 | *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() |
434 | to get the expected BN_FLG_CONSTTIME behavior. | |
435 | [Bodo Moeller (Google)] | |
436 | ||
3b0e61a8 DSH |
437 | *) Netware support: |
438 | ||
439 | - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets | |
440 | - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) | |
441 | - added some more tests to do_tests.pl | |
442 | - fixed RunningProcess usage so that it works with newer LIBC NDKs too | |
443 | - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency | |
444 | - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, | |
445 | netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc | |
446 | - various changes to netware.pl to enable gcc-cross builds on Win32 | |
447 | platform | |
448 | - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) | |
449 | - various changes to fix missing prototype warnings | |
450 | - fixed x86nasm.pl to create correct asm files for NASM COFF output | |
451 | - added AES, WHIRLPOOL and CPUID assembler code to build files | |
452 | - added missing AES assembler make rules to mk1mf.pl | |
453 | - fixed order of includes in apps/ocsp.c so that e_os.h settings apply | |
454 | [Guenter Knauf <eflash@gmx.net>] | |
455 | ||
a5232767 DSH |
456 | *) Implement certificate status request TLS extension defined in RFC3546. |
457 | A client can set the appropriate parameters and receive the encoded | |
458 | OCSP response via a callback. A server can query the supplied parameters | |
459 | and set the encoded OCSP response in the callback. Add simplified examples | |
460 | to s_client and s_server. | |
461 | [Steve Henson] | |
2339c5d7 | 462 | |
32f1f622 LJ |
463 | Changes between 0.9.8f and 0.9.8g [19 Oct 2007] |
464 | ||
465 | *) Fix various bugs: | |
466 | + Binary incompatibility of ssl_ctx_st structure | |
467 | + DTLS interoperation with non-compliant servers | |
468 | + Don't call get_session_cb() without proposed session | |
469 | + Fix ia64 assembler code | |
470 | [Andy Polyakov, Steve Henson] | |
471 | ||
dd002667 | 472 | Changes between 0.9.8e and 0.9.8f [11 Oct 2007] |
927a28ba | 473 | |
bb99ce5f BL |
474 | *) DTLS Handshake overhaul. There were longstanding issues with |
475 | OpenSSL DTLS implementation, which were making it impossible for | |
476 | RFC 4347 compliant client to communicate with OpenSSL server. | |
477 | Unfortunately just fixing these incompatibilities would "cut off" | |
478 | pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e | |
479 | server keeps tolerating non RFC compliant syntax. The opposite is | |
480 | not true, 0.9.8f client can not communicate with earlier server. | |
481 | This update even addresses CVE-2007-4995. | |
482 | [Andy Polyakov] | |
483 | ||
927a28ba | 484 | *) Changes to avoid need for function casts in OpenSSL: some compilers |
294f03a8 DSH |
485 | (gcc 4.2 and later) reject their use. |
486 | [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, | |
487 | Steve Henson] | |
865a90eb DSH |
488 | |
489 | *) Add RFC4507 support to OpenSSL. This includes the corrections in | |
490 | RFC4507bis. The encrypted ticket format is an encrypted encoded | |
491 | SSL_SESSION structure, that way new session features are automatically | |
492 | supported. | |
493 | ||
5b96d1cc DSH |
494 | If a client application caches session in an SSL_SESSION structure |
495 | support is transparent because tickets are now stored in the encoded | |
496 | SSL_SESSION. | |
497 | ||
498 | The SSL_CTX structure automatically generates keys for ticket | |
499 | protection in servers so again support should be possible | |
865a90eb DSH |
500 | with no application modification. |
501 | ||
502 | If a client or server wishes to disable RFC4507 support then the option | |
503 | SSL_OP_NO_TICKET can be set. | |
504 | ||
505 | Add a TLS extension debugging callback to allow the contents of any client | |
506 | or server extensions to be examined. | |
967ead72 DSH |
507 | |
508 | This work was sponsored by Google. | |
865a90eb DSH |
509 | [Steve Henson] |
510 | ||
511 | *) Add initial support for TLS extensions, specifically for the server_name | |
512 | extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now | |
513 | have new members for a host name. The SSL data structure has an | |
514 | additional member SSL_CTX *initial_ctx so that new sessions can be | |
515 | stored in that context to allow for session resumption, even after the | |
516 | SSL has been switched to a new SSL_CTX in reaction to a client's | |
517 | server_name extension. | |
518 | ||
519 | New functions (subject to change): | |
520 | ||
521 | SSL_get_servername() | |
522 | SSL_get_servername_type() | |
523 | SSL_set_SSL_CTX() | |
524 | ||
525 | New CTRL codes and macros (subject to change): | |
526 | ||
527 | SSL_CTRL_SET_TLSEXT_SERVERNAME_CB | |
528 | - SSL_CTX_set_tlsext_servername_callback() | |
529 | SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG | |
530 | - SSL_CTX_set_tlsext_servername_arg() | |
531 | SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() | |
532 | ||
533 | openssl s_client has a new '-servername ...' option. | |
534 | ||
535 | openssl s_server has new options '-servername_host ...', '-cert2 ...', | |
536 | '-key2 ...', '-servername_fatal' (subject to change). This allows | |
537 | testing the HostName extension for a specific single host name ('-cert' | |
538 | and '-key' remain fallbacks for handshakes without HostName | |
539 | negotiation). If the unrecogninzed_name alert has to be sent, this by | |
540 | default is a warning; it becomes fatal with the '-servername_fatal' | |
541 | option. | |
542 | ||
543 | [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] | |
5dd24ead | 544 | |
f805d307 DSH |
545 | *) Add AES and SSE2 assembly language support to VC++ build. |
546 | [Steve Henson] | |
547 | ||
4c5979a1 AP |
548 | *) Mitigate attack on final subtraction in Montgomery reduction. |
549 | [Andy Polyakov] | |
550 | ||
b22250bb BM |
551 | *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 |
552 | (which previously caused an internal error). | |
553 | [Bodo Moeller] | |
554 | ||
8957121c BL |
555 | *) Squeeze another 10% out of IGE mode when in != out. |
556 | [Ben Laurie] | |
557 | ||
50241bc8 BL |
558 | *) AES IGE mode speedup. |
559 | [Dean Gaudet (Google)] | |
560 | ||
c3cc4662 BM |
561 | *) Add the Korean symmetric 128-bit cipher SEED (see |
562 | http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and | |
563 | add SEED ciphersuites from RFC 4162: | |
564 | ||
565 | TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" | |
566 | TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" | |
567 | TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" | |
568 | TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" | |
569 | ||
570 | To minimize changes between patchlevels in the OpenSSL 0.9.8 | |
571 | series, SEED remains excluded from compilation unless OpenSSL | |
572 | is configured with 'enable-seed'. | |
573 | [KISA, Bodo Moeller] | |
574 | ||
7cdb8158 BM |
575 | *) Mitigate branch prediction attacks, which can be practical if a |
576 | single processor is shared, allowing a spy process to extract | |
577 | information. For detailed background information, see | |
578 | http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, | |
579 | J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL | |
580 | and Necessary Software Countermeasures"). The core of the change | |
581 | are new versions BN_div_no_branch() and | |
582 | BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), | |
583 | respectively, which are slower, but avoid the security-relevant | |
584 | conditional branches. These are automatically called by BN_div() | |
2ac061e4 BM |
585 | and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one |
586 | of the input BIGNUMs. Also, BN_is_bit_set() has been changed to | |
587 | remove a conditional branch. | |
7cdb8158 BM |
588 | |
589 | BN_FLG_CONSTTIME is the new name for the previous | |
590 | BN_FLG_EXP_CONSTTIME flag, since it now affects more than just | |
591 | modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag | |
592 | in the exponent causes BN_mod_exp_mont() to use the alternative | |
593 | implementation in BN_mod_exp_mont_consttime().) The old name | |
594 | remains as a deprecated alias. | |
595 | ||
596 | Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general | |
597 | RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses | |
598 | constant-time implementations for more than just exponentiation. | |
599 | Here too the old name is kept as a deprecated alias. | |
600 | ||
601 | BN_BLINDING_new() will now use BN_dup() for the modulus so that | |
602 | the BN_BLINDING structure gets an independent copy of the | |
603 | modulus. This means that the previous "BIGNUM *m" argument to | |
604 | BN_BLINDING_new() and to BN_BLINDING_create_param() now | |
605 | essentially becomes "const BIGNUM *m", although we can't actually | |
606 | change this in the header file before 0.9.9. It allows | |
607 | RSA_setup_blinding() to use BN_with_flags() on the modulus to | |
608 | enable BN_FLG_CONSTTIME. | |
609 | ||
610 | [Matthew D Wood (Intel Corp)] | |
611 | ||
6fd3f326 BM |
612 | *) In the SSL/TLS server implementation, be strict about session ID |
613 | context matching (which matters if an application uses a single | |
614 | external cache for different purposes). Previously, | |
615 | out-of-context reuse was forbidden only if SSL_VERIFY_PEER was | |
616 | set. This did ensure strict client verification, but meant that, | |
617 | with applications using a single external cache for quite | |
618 | different requirements, clients could circumvent ciphersuite | |
619 | restrictions for a given session ID context by starting a session | |
620 | in a different context. | |
621 | [Bodo Moeller] | |
622 | ||
55f05012 BM |
623 | *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
624 | a ciphersuite string such as "DEFAULT:RSA" cannot enable | |
625 | authentication-only ciphersuites. | |
626 | [Bodo Moeller] | |
627 | ||
216ac24b MC |
628 | *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was |
629 | not complete and could lead to a possible single byte overflow | |
630 | (CVE-2007-5135) [Ben Laurie] | |
631 | ||
d9e26244 BM |
632 | Changes between 0.9.8d and 0.9.8e [23 Feb 2007] |
633 | ||
5f4cc234 BM |
634 | *) Since AES128 and AES256 (and similarly Camellia128 and |
635 | Camellia256) share a single mask bit in the logic of | |
636 | ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a | |
637 | kludge to work properly if AES128 is available and AES256 isn't | |
638 | (or if Camellia128 is available and Camellia256 isn't). | |
639 | [Victor Duchovni] | |
640 | ||
1a8521ff BM |
641 | *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c |
642 | (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): | |
643 | When a point or a seed is encoded in a BIT STRING, we need to | |
644 | prevent the removal of trailing zero bits to get the proper DER | |
645 | encoding. (By default, crypto/asn1/a_bitstr.c assumes the case | |
646 | of a NamedBitList, for which trailing 0 bits need to be removed.) | |
647 | [Bodo Moeller] | |
648 | ||
5c6f76da BM |
649 | *) Have SSL/TLS server implementation tolerate "mismatched" record |
650 | protocol version while receiving ClientHello even if the | |
651 | ClientHello is fragmented. (The server can't insist on the | |
652 | particular protocol version it has chosen before the ServerHello | |
653 | message has informed the client about his choice.) | |
654 | [Bodo Moeller] | |
655 | ||
4636341b BL |
656 | *) Add RFC 3779 support. |
657 | [Rob Austein for ARIN, Ben Laurie] | |
25e52a78 | 658 | |
900f7a87 DSH |
659 | *) Load error codes if they are not already present instead of using a |
660 | static variable. This allows them to be cleanly unloaded and reloaded. | |
661 | Improve header file function name parsing. | |
662 | [Steve Henson] | |
663 | ||
cdb13ae8 LJ |
664 | *) extend SMTP and IMAP protocol emulation in s_client to use EHLO |
665 | or CAPABILITY handshake as required by RFCs. | |
666 | [Goetz Babin-Ebell] | |
667 | ||
47c4bb2d | 668 | Changes between 0.9.8c and 0.9.8d [28 Sep 2006] |
da1841a0 | 669 | |
951dfbb1 MC |
670 | *) Introduce limits to prevent malicious keys being able to |
671 | cause a denial of service. (CVE-2006-2940) | |
672 | [Steve Henson, Bodo Moeller] | |
673 | ||
674 | *) Fix ASN.1 parsing of certain invalid structures that can result | |
675 | in a denial of service. (CVE-2006-2937) [Steve Henson] | |
676 | ||
677 | *) Fix buffer overflow in SSL_get_shared_ciphers() function. | |
678 | (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] | |
679 | ||
680 | *) Fix SSL client code which could crash if connecting to a | |
681 | malicious SSLv2 server. (CVE-2006-4343) | |
682 | [Tavis Ormandy and Will Drewry, Google Security Team] | |
683 | ||
879b30aa BM |
684 | *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites |
685 | match only those. Before that, "AES256-SHA" would be interpreted | |
8fdb296c BM |
686 | as a pattern and match "AES128-SHA" too (since AES128-SHA got |
687 | the same strength classification in 0.9.7h) as we currently only | |
879b30aa BM |
688 | have a single AES bit in the ciphersuite description bitmap. |
689 | That change, however, also applied to ciphersuite strings such as | |
690 | "RC4-MD5" that intentionally matched multiple ciphersuites -- | |
691 | namely, SSL 2.0 ciphersuites in addition to the more common ones | |
692 | from SSL 3.0/TLS 1.0. | |
693 | ||
694 | So we change the selection algorithm again: Naming an explicit | |
695 | ciphersuite selects this one ciphersuite, and any other similar | |
696 | ciphersuite (same bitmap) from *other* protocol versions. | |
697 | Thus, "RC4-MD5" again will properly select both the SSL 2.0 | |
698 | ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. | |
699 | ||
700 | Since SSL 2.0 does not have any ciphersuites for which the | |
701 | 128/256 bit distinction would be relevant, this works for now. | |
702 | The proper fix will be to use different bits for AES128 and | |
703 | AES256, which would have avoided the problems from the beginning; | |
704 | however, bits are scarce, so we can only do this in a new release | |
705 | (not just a patchlevel) when we can change the SSL_CIPHER | |
706 | definition to split the single 'unsigned long mask' bitmap into | |
707 | multiple values to extend the available space. | |
708 | ||
709 | [Bodo Moeller] | |
710 | ||
0a0a10d1 | 711 | Changes between 0.9.8b and 0.9.8c [05 Sep 2006] |
1c5dc844 | 712 | |
df20b6e7 MC |
713 | *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
714 | (CVE-2006-4339) [Ben Laurie and Google Security Team] | |
715 | ||
4b9dcd82 BL |
716 | *) Add AES IGE and biIGE modes. |
717 | [Ben Laurie] | |
718 | ||
ec67e3b7 BM |
719 | *) Change the Unix randomness entropy gathering to use poll() when |
720 | possible instead of select(), since the latter has some | |
721 | undesirable limitations. | |
722 | [Darryl Miles via Richard Levitte and Bodo Moeller] | |
723 | ||
aa17ab7e BM |
724 | *) Disable "ECCdraft" ciphersuites more thoroughly. Now special |
725 | treatment in ssl/ssl_ciph.s makes sure that these ciphersuites | |
726 | cannot be implicitly activated as part of, e.g., the "AES" alias. | |
727 | However, please upgrade to OpenSSL 0.9.9[-dev] for | |
728 | non-experimental use of the ECC ciphersuites to get TLS extension | |
729 | support, which is required for curve and point format negotiation | |
730 | to avoid potential handshake problems. | |
35908bd0 BM |
731 | [Bodo Moeller] |
732 | ||
0e73294e BM |
733 | *) Disable rogue ciphersuites: |
734 | ||
735 | - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") | |
736 | - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") | |
737 | - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") | |
738 | ||
739 | The latter two were purportedly from | |
740 | draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really | |
741 | appear there. | |
742 | ||
68bb9815 | 743 | Also deactivate the remaining ciphersuites from |
0e73294e BM |
744 | draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
745 | unofficial, and the ID has long expired. | |
746 | [Bodo Moeller] | |
747 | ||
6d2cd23f BM |
748 | *) Fix RSA blinding Heisenbug (problems sometimes occured on |
749 | dual-core machines) and other potential thread-safety issues. | |
750 | [Bodo Moeller] | |
751 | ||
e18eef3d BM |
752 | *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key |
753 | versions), which is now available for royalty-free use | |
754 | (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). | |
755 | Also, add Camellia TLS ciphersuites from RFC 4132. | |
756 | ||
757 | To minimize changes between patchlevels in the OpenSSL 0.9.8 | |
758 | series, Camellia remains excluded from compilation unless OpenSSL | |
759 | is configured with 'enable-camellia'. | |
760 | [NTT] | |
761 | ||
b723a7b1 DSH |
762 | *) Disable the padding bug check when compression is in use. The padding |
763 | bug check assumes the first packet is of even length, this is not | |
764 | necessarily true if compresssion is enabled and can result in false | |
765 | positives causing handshake failure. The actual bug test is ancient | |
766 | code so it is hoped that implementations will either have fixed it by | |
767 | now or any which still have the bug do not support compression. | |
768 | [Steve Henson] | |
1c5dc844 | 769 | |
f871949e | 770 | Changes between 0.9.8a and 0.9.8b [04 May 2006] |
d8b408b1 | 771 | |
cbb0b734 DSH |
772 | *) When applying a cipher rule check to see if string match is an explicit |
773 | cipher suite and only match that one cipher suite if it is. | |
774 | [Steve Henson] | |
775 | ||
217382d5 DSH |
776 | *) Link in manifests for VC++ if needed. |
777 | [Austin Ziegler <halostatue@gmail.com>] | |
778 | ||
bc932045 | 779 | *) Update support for ECC-based TLS ciphersuites according to |
5586a71a BM |
780 | draft-ietf-tls-ecc-12.txt with proposed changes (but without |
781 | TLS extensions, which are supported starting with the 0.9.9 | |
782 | branch, not in the OpenSSL 0.9.8 branch). | |
bc932045 BM |
783 | [Douglas Stebila] |
784 | ||
23d43aae BM |
785 | *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support |
786 | opaque EVP_CIPHER_CTX handling. | |
787 | [Steve Henson] | |
788 | ||
7614f0e5 DSH |
789 | *) Fixes and enhancements to zlib compression code. We now only use |
790 | "zlib1.dll" and use the default __cdecl calling convention on Win32 | |
791 | to conform with the standards mentioned here: | |
792 | http://www.zlib.net/DLL_FAQ.txt | |
793 | Static zlib linking now works on Windows and the new --with-zlib-include | |
794 | --with-zlib-lib options to Configure can be used to supply the location | |
795 | of the headers and library. Gracefully handle case where zlib library | |
796 | can't be loaded. | |
797 | [Steve Henson] | |
798 | ||
feef17fd DSH |
799 | *) Several fixes and enhancements to the OID generation code. The old code |
800 | sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't | |
801 | handle numbers larger than ULONG_MAX, truncated printing and had a | |
802 | non standard OBJ_obj2txt() behaviour. | |
803 | [Steve Henson] | |
804 | ||
abb0c2bb DSH |
805 | *) Add support for building of engines under engine/ as shared libraries |
806 | under VC++ build system. | |
807 | [Steve Henson] | |
808 | ||
d3afc92b RL |
809 | *) Corrected the numerous bugs in the Win32 path splitter in DSO. |
810 | Hopefully, we will not see any false combination of paths any more. | |
811 | [Richard Levitte] | |
812 | ||
64932f9e MC |
813 | Changes between 0.9.8 and 0.9.8a [11 Oct 2005] |
814 | ||
815 | *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING | |
816 | (part of SSL_OP_ALL). This option used to disable the | |
817 | countermeasure against man-in-the-middle protocol-version | |
818 | rollback in the SSL 2.0 server implementation, which is a bad | |
802c0146 | 819 | idea. (CVE-2005-2969) |
64932f9e MC |
820 | |
821 | [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center | |
822 | for Information Security, National Institute of Advanced Industrial | |
823 | Science and Technology [AIST], Japan)] | |
750cb3d2 | 824 | |
0fce007b DSH |
825 | *) Add two function to clear and return the verify parameter flags. |
826 | [Steve Henson] | |
827 | ||
3c0e39c5 NL |
828 | *) Keep cipherlists sorted in the source instead of sorting them at |
829 | runtime, thus removing the need for a lock. | |
830 | [Nils Larsch] | |
831 | ||
19fddebf | 832 | *) Avoid some small subgroup attacks in Diffie-Hellman. |
60864221 BL |
833 | [Nick Mathewson and Ben Laurie] |
834 | ||
835 | *) Add functions for well-known primes. | |
836 | [Nick Mathewson] | |
9ddb11f1 | 837 | |
98e98614 AP |
838 | *) Extended Windows CE support. |
839 | [Satoshi Nakamura and Andy Polyakov] | |
840 | ||
222f2246 DSH |
841 | *) Initialize SSL_METHOD structures at compile time instead of during |
842 | runtime, thus removing the need for a lock. | |
843 | [Steve Henson] | |
844 | ||
1682e8fb DSH |
845 | *) Make PKCS7_decrypt() work even if no certificate is supplied by |
846 | attempting to decrypt each encrypted key in turn. Add support to | |
847 | smime utility. | |
848 | [Steve Henson] | |
750cb3d2 | 849 | |
f254b540 | 850 | Changes between 0.9.7h and 0.9.8 [05 Jul 2005] |
12bdb643 | 851 | |
6d2cd23f BM |
852 | [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after |
853 | OpenSSL 0.9.8.] | |
854 | ||
1d01c9d4 RL |
855 | *) Add libcrypto.pc and libssl.pc for those who feel they need them. |
856 | [Richard Levitte] | |
857 | ||
858 | *) Change CA.sh and CA.pl so they don't bundle the CSR and the private | |
859 | key into the same file any more. | |
860 | [Richard Levitte] | |
861 | ||
e32ea818 AP |
862 | *) Add initial support for Win64, both IA64 and AMD64/x64 flavors. |
863 | [Andy Polyakov] | |
864 | ||
09c1a425 DSH |
865 | *) Add -utf8 command line and config file option to 'ca'. |
866 | [Stefan <stf@udoma.org] | |
867 | ||
1d01c9d4 RL |
868 | *) Removed the macro des_crypt(), as it seems to conflict with some |
869 | libraries. Use DES_crypt(). | |
870 | [Richard Levitte] | |
871 | ||
a4578a54 GT |
872 | *) Correct naming of the 'chil' and '4758cca' ENGINEs. This |
873 | involves renaming the source and generated shared-libs for | |
874 | both. The engines will accept the corrected or legacy ids | |
875 | ('ncipher' and '4758_cca' respectively) when binding. NB, | |
876 | this only applies when building 'shared'. | |
877 | [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] | |
878 | ||
b6995add DSH |
879 | *) Add attribute functions to EVP_PKEY structure. Modify |
880 | PKCS12_create() to recognize a CSP name attribute and | |
881 | use it. Make -CSP option work again in pkcs12 utility. | |
882 | [Steve Henson] | |
883 | ||
800e400d NL |
884 | *) Add new functionality to the bn blinding code: |
885 | - automatic re-creation of the BN_BLINDING parameters after | |
886 | a fixed number of uses (currently 32) | |
887 | - add new function for parameter creation | |
888 | - introduce flags to control the update behaviour of the | |
889 | BN_BLINDING parameters | |
890 | - hide BN_BLINDING structure | |
891 | Add a second BN_BLINDING slot to the RSA structure to improve | |
892 | performance when a single RSA object is shared among several | |
893 | threads. | |
894 | [Nils Larsch] | |
895 | ||
36d16f8e BL |
896 | *) Add support for DTLS. |
897 | [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] | |
898 | ||
dc0ed30c NL |
899 | *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) |
900 | to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() | |
901 | [Walter Goulet] | |
902 | ||
6049399b NL |
903 | *) Remove buggy and incompletet DH cert support from |
904 | ssl/ssl_rsa.c and ssl/s3_both.c | |
905 | [Nils Larsch] | |
906 | ||
12bdb643 NL |
907 | *) Use SHA-1 instead of MD5 as the default digest algorithm for |
908 | the apps/openssl applications. | |
909 | [Nils Larsch] | |
4d94ae00 | 910 | |
41a15c4f BL |
911 | *) Compile clean with "-Wall -Wmissing-prototypes |
912 | -Wstrict-prototypes -Wmissing-declarations -Werror". Currently | |
913 | DEBUG_SAFESTACK must also be set. | |
914 | [Ben Laurie] | |
915 | ||
c9a112f5 | 916 | *) Change ./Configure so that certain algorithms can be disabled by default. |
ecc5ef87 BM |
917 | The new counterpiece to "no-xxx" is "enable-xxx". |
918 | ||
919 | The patented RC5 and MDC2 algorithms will now be disabled unless | |
920 | "enable-rc5" and "enable-mdc2", respectively, are specified. | |
921 | ||
922 | (IDEA remains enabled despite being patented. This is because IDEA | |
923 | is frequently required for interoperability, and there is no license | |
924 | fee for non-commercial use. As before, "no-idea" can be used to | |
925 | avoid this algorithm.) | |
926 | ||
c9a112f5 BM |
927 | [Bodo Moeller] |
928 | ||
6951c23a RL |
929 | *) Add processing of proxy certificates (see RFC 3820). This work was |
930 | sponsored by KTH (The Royal Institute of Technology in Stockholm) and | |
931 | EGEE (Enabling Grids for E-science in Europe). | |
932 | [Richard Levitte] | |
933 | ||
ea681ba8 AP |
934 | *) RC4 performance overhaul on modern architectures/implementations, such |
935 | as Intel P4, IA-64 and AMD64. | |
936 | [Andy Polyakov] | |
937 | ||
401ee37a DSH |
938 | *) New utility extract-section.pl. This can be used specify an alternative |
939 | section number in a pod file instead of having to treat each file as | |
940 | a separate case in Makefile. This can be done by adding two lines to the | |
941 | pod file: | |
942 | ||
943 | =for comment openssl_section:XXX | |
944 | ||
945 | The blank line is mandatory. | |
946 | ||
947 | [Steve Henson] | |
948 | ||
826a42a0 DSH |
949 | *) New arguments -certform, -keyform and -pass for s_client and s_server |
950 | to allow alternative format key and certificate files and passphrase | |
951 | sources. | |
952 | [Steve Henson] | |
953 | ||
5d7c222d DSH |
954 | *) New structure X509_VERIFY_PARAM which combines current verify parameters, |
955 | update associated structures and add various utility functions. | |
956 | ||
957 | Add new policy related verify parameters, include policy checking in | |
958 | standard verify code. Enhance 'smime' application with extra parameters | |
959 | to support policy checking and print out. | |
960 | [Steve Henson] | |
961 | ||
30fe028f GT |
962 | *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 |
963 | Nehemiah processors. These extensions support AES encryption in hardware | |
964 | as well as RNG (though RNG support is currently disabled). | |
965 | [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] | |
966 | ||
df11e1e9 GT |
967 | *) Deprecate BN_[get|set]_params() functions (they were ignored internally). |
968 | [Geoff Thorpe] | |
969 | ||
ad500340 AP |
970 | *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. |
971 | [Andy Polyakov and a number of other people] | |
972 | ||
e14f4aab AP |
973 | *) Improved PowerPC platform support. Most notably BIGNUM assembler |
974 | implementation contributed by IBM. | |
975 | [Suresh Chari, Peter Waltenberg, Andy Polyakov] | |
976 | ||
bcfea9fb GT |
977 | *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public |
978 | exponent rather than 'unsigned long'. There is a corresponding change to | |
979 | the new 'rsa_keygen' element of the RSA_METHOD structure. | |
980 | [Jelte Jansen, Geoff Thorpe] | |
981 | ||
d5f686d8 BM |
982 | *) Functionality for creating the initial serial number file is now |
983 | moved from CA.pl to the 'ca' utility with a new option -create_serial. | |
984 | ||
985 | (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial | |
986 | number file to 1, which is bound to cause problems. To avoid | |
987 | the problems while respecting compatibility between different 0.9.7 | |
988 | patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in | |
989 | CA.pl for serial number initialization. With the new release 0.9.8, | |
990 | we can fix the problem directly in the 'ca' utility.) | |
64674bcc DSH |
991 | [Steve Henson] |
992 | ||
3a87a9b9 GT |
993 | *) Reduced header interdepencies by declaring more opaque objects in |
994 | ossl_typ.h. As a consequence, including some headers (eg. engine.h) will | |
995 | give fewer recursive includes, which could break lazy source code - so | |
996 | this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, | |
997 | developers should define this symbol when building and using openssl to | |
998 | ensure they track the recommended behaviour, interfaces, [etc], but | |
999 | backwards-compatible behaviour prevails when this isn't defined. | |
1000 | [Geoff Thorpe] | |
1001 | ||
bf5773fa DSH |
1002 | *) New function X509_POLICY_NODE_print() which prints out policy nodes. |
1003 | [Steve Henson] | |
1004 | ||
216659eb DSH |
1005 | *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. |
1006 | This will generate a random key of the appropriate length based on the | |
1007 | cipher context. The EVP_CIPHER can provide its own random key generation | |
1008 | routine to support keys of a specific form. This is used in the des and | |
1009 | 3des routines to generate a key of the correct parity. Update S/MIME | |
1010 | code to use new functions and hence generate correct parity DES keys. | |
1011 | Add EVP_CHECK_DES_KEY #define to return an error if the key is not | |
1012 | valid (weak or incorrect parity). | |
1013 | [Steve Henson] | |
1014 | ||
e1a27eb3 DSH |
1015 | *) Add a local set of CRLs that can be used by X509_verify_cert() as well |
1016 | as looking them up. This is useful when the verified structure may contain | |
1017 | CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs | |
1018 | present unless the new PKCS7_NO_CRL flag is asserted. | |
1019 | [Steve Henson] | |
1020 | ||
6446e0c3 DSH |
1021 | *) Extend ASN1 oid configuration module. It now additionally accepts the |
1022 | syntax: | |
1023 | ||
1024 | shortName = some long name, 1.2.3.4 | |
1025 | [Steve Henson] | |
1026 | ||
5c98b2ca GT |
1027 | *) Reimplemented the BN_CTX implementation. There is now no more static |
1028 | limitation on the number of variables it can handle nor the depth of the | |
1029 | "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack | |
1030 | information can now expand as required, and rather than having a single | |
1031 | static array of bignums, BN_CTX now uses a linked-list of such arrays | |
1032 | allowing it to expand on demand whilst maintaining the usefulness of | |
1033 | BN_CTX's "bundling". | |
1034 | [Geoff Thorpe] | |
1035 | ||
46ef873f GT |
1036 | *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD |
1037 | to allow all RSA operations to function using a single BN_CTX. | |
1038 | [Geoff Thorpe] | |
1039 | ||
4acc3e90 DSH |
1040 | *) Preliminary support for certificate policy evaluation and checking. This |
1041 | is initially intended to pass the tests outlined in "Conformance Testing | |
1042 | of Relying Party Client Certificate Path Processing Logic" v1.07. | |
1043 | [Steve Henson] | |
1044 | ||
7f663ce4 GT |
1045 | *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and |
1046 | remained unused and not that useful. A variety of other little bignum | |
1047 | tweaks and fixes have also been made continuing on from the audit (see | |
1048 | below). | |
1049 | [Geoff Thorpe] | |
1050 | ||
875a644a RL |
1051 | *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with |
1052 | associated ASN1, EVP and SSL functions and old ASN1 macros. | |
7f663ce4 | 1053 | [Richard Levitte] |
875a644a | 1054 | |
b6358c89 GT |
1055 | *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, |
1056 | and this should never fail. So the return value from the use of | |
1057 | BN_set_word() (which can fail due to needless expansion) is now deprecated; | |
1058 | if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. | |
1059 | [Geoff Thorpe] | |
1060 | ||
9e051bac GT |
1061 | *) BN_CTX_get() should return zero-valued bignums, providing the same |
1062 | initialised value as BN_new(). | |
1063 |