]> git.ipfire.org Git - thirdparty/openssl.git/blame_incremental - CHANGES
After objects have been freed, NULLify the pointers so there will be no double
[thirdparty/openssl.git] / CHANGES
... / ...
CommitLineData
1
2 OpenSSL CHANGES
3 _______________
4
5 Changes between 0.9.8d and 0.9.8e [XX xxx XXXX]
6
7 *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
8 (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
9 When a point or a seed is encoded in a BIT STRING, we need to
10 prevent the removal of trailing zero bits to get the proper DER
11 encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
12 of a NamedBitList, for which trailing 0 bits need to be removed.)
13 [Bodo Moeller]
14
15 *) Have SSL/TLS server implementation tolerate "mismatched" record
16 protocol version while receiving ClientHello even if the
17 ClientHello is fragmented. (The server can't insist on the
18 particular protocol version it has chosen before the ServerHello
19 message has informed the client about his choice.)
20 [Bodo Moeller]
21
22 *) Add RFC 3779 support.
23 [Rob Austein for ARIN, Ben Laurie]
24
25 *) Load error codes if they are not already present instead of using a
26 static variable. This allows them to be cleanly unloaded and reloaded.
27 Improve header file function name parsing.
28 [Steve Henson]
29
30 Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
31
32 *) Introduce limits to prevent malicious keys being able to
33 cause a denial of service. (CVE-2006-2940)
34 [Steve Henson, Bodo Moeller]
35
36 *) Fix ASN.1 parsing of certain invalid structures that can result
37 in a denial of service. (CVE-2006-2937) [Steve Henson]
38
39 *) Fix buffer overflow in SSL_get_shared_ciphers() function.
40 (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
41
42 *) Fix SSL client code which could crash if connecting to a
43 malicious SSLv2 server. (CVE-2006-4343)
44 [Tavis Ormandy and Will Drewry, Google Security Team]
45
46 *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
47 match only those. Before that, "AES256-SHA" would be interpreted
48 as a pattern and match "AES128-SHA" too (since AES128-SHA got
49 the same strength classification in 0.9.7h) as we currently only
50 have a single AES bit in the ciphersuite description bitmap.
51 That change, however, also applied to ciphersuite strings such as
52 "RC4-MD5" that intentionally matched multiple ciphersuites --
53 namely, SSL 2.0 ciphersuites in addition to the more common ones
54 from SSL 3.0/TLS 1.0.
55
56 So we change the selection algorithm again: Naming an explicit
57 ciphersuite selects this one ciphersuite, and any other similar
58 ciphersuite (same bitmap) from *other* protocol versions.
59 Thus, "RC4-MD5" again will properly select both the SSL 2.0
60 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
61
62 Since SSL 2.0 does not have any ciphersuites for which the
63 128/256 bit distinction would be relevant, this works for now.
64 The proper fix will be to use different bits for AES128 and
65 AES256, which would have avoided the problems from the beginning;
66 however, bits are scarce, so we can only do this in a new release
67 (not just a patchlevel) when we can change the SSL_CIPHER
68 definition to split the single 'unsigned long mask' bitmap into
69 multiple values to extend the available space.
70
71 [Bodo Moeller]
72
73 Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
74
75 *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
76 (CVE-2006-4339) [Ben Laurie and Google Security Team]
77
78 *) Add AES IGE and biIGE modes.
79 [Ben Laurie]
80
81 *) Change the Unix randomness entropy gathering to use poll() when
82 possible instead of select(), since the latter has some
83 undesirable limitations.
84 [Darryl Miles via Richard Levitte and Bodo Moeller]
85
86 *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
87 treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
88 cannot be implicitly activated as part of, e.g., the "AES" alias.
89 However, please upgrade to OpenSSL 0.9.9[-dev] for
90 non-experimental use of the ECC ciphersuites to get TLS extension
91 support, which is required for curve and point format negotiation
92 to avoid potential handshake problems.
93 [Bodo Moeller]
94
95 *) Disable rogue ciphersuites:
96
97 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
98 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
99 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
100
101 The latter two were purportedly from
102 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
103 appear there.
104
105 Also deactivate the remaining ciphersuites from
106 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
107 unofficial, and the ID has long expired.
108 [Bodo Moeller]
109
110 *) Fix RSA blinding Heisenbug (problems sometimes occured on
111 dual-core machines) and other potential thread-safety issues.
112 [Bodo Moeller]
113
114 *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
115 versions), which is now available for royalty-free use
116 (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
117 Also, add Camellia TLS ciphersuites from RFC 4132.
118
119 To minimize changes between patchlevels in the OpenSSL 0.9.8
120 series, Camellia remains excluded from compilation unless OpenSSL
121 is configured with 'enable-camellia'.
122 [NTT]
123
124 *) Disable the padding bug check when compression is in use. The padding
125 bug check assumes the first packet is of even length, this is not
126 necessarily true if compresssion is enabled and can result in false
127 positives causing handshake failure. The actual bug test is ancient
128 code so it is hoped that implementations will either have fixed it by
129 now or any which still have the bug do not support compression.
130 [Steve Henson]
131
132 Changes between 0.9.8a and 0.9.8b [04 May 2006]
133
134 *) When applying a cipher rule check to see if string match is an explicit
135 cipher suite and only match that one cipher suite if it is.
136 [Steve Henson]
137
138 *) Link in manifests for VC++ if needed.
139 [Austin Ziegler <halostatue@gmail.com>]
140
141 *) Update support for ECC-based TLS ciphersuites according to
142 draft-ietf-tls-ecc-12.txt with proposed changes (but without
143 TLS extensions, which are supported starting with the 0.9.9
144 branch, not in the OpenSSL 0.9.8 branch).
145 [Douglas Stebila]
146
147 *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
148 opaque EVP_CIPHER_CTX handling.
149 [Steve Henson]
150
151 *) Fixes and enhancements to zlib compression code. We now only use
152 "zlib1.dll" and use the default __cdecl calling convention on Win32
153 to conform with the standards mentioned here:
154 http://www.zlib.net/DLL_FAQ.txt
155 Static zlib linking now works on Windows and the new --with-zlib-include
156 --with-zlib-lib options to Configure can be used to supply the location
157 of the headers and library. Gracefully handle case where zlib library
158 can't be loaded.
159 [Steve Henson]
160
161 *) Several fixes and enhancements to the OID generation code. The old code
162 sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
163 handle numbers larger than ULONG_MAX, truncated printing and had a
164 non standard OBJ_obj2txt() behaviour.
165 [Steve Henson]
166
167 *) Add support for building of engines under engine/ as shared libraries
168 under VC++ build system.
169 [Steve Henson]
170
171 *) Corrected the numerous bugs in the Win32 path splitter in DSO.
172 Hopefully, we will not see any false combination of paths any more.
173 [Richard Levitte]
174
175 Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
176
177 *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
178 (part of SSL_OP_ALL). This option used to disable the
179 countermeasure against man-in-the-middle protocol-version
180 rollback in the SSL 2.0 server implementation, which is a bad
181 idea. (CVE-2005-2969)
182
183 [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
184 for Information Security, National Institute of Advanced Industrial
185 Science and Technology [AIST], Japan)]
186
187 *) Add two function to clear and return the verify parameter flags.
188 [Steve Henson]
189
190 *) Keep cipherlists sorted in the source instead of sorting them at
191 runtime, thus removing the need for a lock.
192 [Nils Larsch]
193
194 *) Avoid some small subgroup attacks in Diffie-Hellman.
195 [Nick Mathewson and Ben Laurie]
196
197 *) Add functions for well-known primes.
198 [Nick Mathewson]
199
200 *) Extended Windows CE support.
201 [Satoshi Nakamura and Andy Polyakov]
202
203 *) Initialize SSL_METHOD structures at compile time instead of during
204 runtime, thus removing the need for a lock.
205 [Steve Henson]
206
207 *) Make PKCS7_decrypt() work even if no certificate is supplied by
208 attempting to decrypt each encrypted key in turn. Add support to
209 smime utility.
210 [Steve Henson]
211
212 Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
213
214 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
215 OpenSSL 0.9.8.]
216
217 *) Add libcrypto.pc and libssl.pc for those who feel they need them.
218 [Richard Levitte]
219
220 *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
221 key into the same file any more.
222 [Richard Levitte]
223
224 *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
225 [Andy Polyakov]
226
227 *) Add -utf8 command line and config file option to 'ca'.
228 [Stefan <stf@udoma.org]
229
230 *) Removed the macro des_crypt(), as it seems to conflict with some
231 libraries. Use DES_crypt().
232 [Richard Levitte]
233
234 *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
235 involves renaming the source and generated shared-libs for
236 both. The engines will accept the corrected or legacy ids
237 ('ncipher' and '4758_cca' respectively) when binding. NB,
238 this only applies when building 'shared'.
239 [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
240
241 *) Add attribute functions to EVP_PKEY structure. Modify
242 PKCS12_create() to recognize a CSP name attribute and
243 use it. Make -CSP option work again in pkcs12 utility.
244 [Steve Henson]
245
246 *) Add new functionality to the bn blinding code:
247 - automatic re-creation of the BN_BLINDING parameters after
248 a fixed number of uses (currently 32)
249 - add new function for parameter creation
250 - introduce flags to control the update behaviour of the
251 BN_BLINDING parameters
252 - hide BN_BLINDING structure
253 Add a second BN_BLINDING slot to the RSA structure to improve
254 performance when a single RSA object is shared among several
255 threads.
256 [Nils Larsch]
257
258 *) Add support for DTLS.
259 [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
260
261 *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
262 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
263 [Walter Goulet]
264
265 *) Remove buggy and incompletet DH cert support from
266 ssl/ssl_rsa.c and ssl/s3_both.c
267 [Nils Larsch]
268
269 *) Use SHA-1 instead of MD5 as the default digest algorithm for
270 the apps/openssl applications.
271 [Nils Larsch]
272
273 *) Compile clean with "-Wall -Wmissing-prototypes
274 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
275 DEBUG_SAFESTACK must also be set.
276 [Ben Laurie]
277
278 *) Change ./Configure so that certain algorithms can be disabled by default.
279 The new counterpiece to "no-xxx" is "enable-xxx".
280
281 The patented RC5 and MDC2 algorithms will now be disabled unless
282 "enable-rc5" and "enable-mdc2", respectively, are specified.
283
284 (IDEA remains enabled despite being patented. This is because IDEA
285 is frequently required for interoperability, and there is no license
286 fee for non-commercial use. As before, "no-idea" can be used to
287 avoid this algorithm.)
288
289 [Bodo Moeller]
290
291 *) Add processing of proxy certificates (see RFC 3820). This work was
292 sponsored by KTH (The Royal Institute of Technology in Stockholm) and
293 EGEE (Enabling Grids for E-science in Europe).
294 [Richard Levitte]
295
296 *) RC4 performance overhaul on modern architectures/implementations, such
297 as Intel P4, IA-64 and AMD64.
298 [Andy Polyakov]
299
300 *) New utility extract-section.pl. This can be used specify an alternative
301 section number in a pod file instead of having to treat each file as
302 a separate case in Makefile. This can be done by adding two lines to the
303 pod file:
304
305 =for comment openssl_section:XXX
306
307 The blank line is mandatory.
308
309 [Steve Henson]
310
311 *) New arguments -certform, -keyform and -pass for s_client and s_server
312 to allow alternative format key and certificate files and passphrase
313 sources.
314 [Steve Henson]
315
316 *) New structure X509_VERIFY_PARAM which combines current verify parameters,
317 update associated structures and add various utility functions.
318
319 Add new policy related verify parameters, include policy checking in
320 standard verify code. Enhance 'smime' application with extra parameters
321 to support policy checking and print out.
322 [Steve Henson]
323
324 *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
325 Nehemiah processors. These extensions support AES encryption in hardware
326 as well as RNG (though RNG support is currently disabled).
327 [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
328
329 *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
330 [Geoff Thorpe]
331
332 *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
333 [Andy Polyakov and a number of other people]
334
335 *) Improved PowerPC platform support. Most notably BIGNUM assembler
336 implementation contributed by IBM.
337 [Suresh Chari, Peter Waltenberg, Andy Polyakov]
338
339 *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
340 exponent rather than 'unsigned long'. There is a corresponding change to
341 the new 'rsa_keygen' element of the RSA_METHOD structure.
342 [Jelte Jansen, Geoff Thorpe]
343
344 *) Functionality for creating the initial serial number file is now
345 moved from CA.pl to the 'ca' utility with a new option -create_serial.
346
347 (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
348 number file to 1, which is bound to cause problems. To avoid
349 the problems while respecting compatibility between different 0.9.7
350 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
351 CA.pl for serial number initialization. With the new release 0.9.8,
352 we can fix the problem directly in the 'ca' utility.)
353 [Steve Henson]
354
355 *) Reduced header interdepencies by declaring more opaque objects in
356 ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
357 give fewer recursive includes, which could break lazy source code - so
358 this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
359 developers should define this symbol when building and using openssl to
360 ensure they track the recommended behaviour, interfaces, [etc], but
361 backwards-compatible behaviour prevails when this isn't defined.
362 [Geoff Thorpe]
363
364 *) New function X509_POLICY_NODE_print() which prints out policy nodes.
365 [Steve Henson]
366
367 *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
368 This will generate a random key of the appropriate length based on the
369 cipher context. The EVP_CIPHER can provide its own random key generation
370 routine to support keys of a specific form. This is used in the des and
371 3des routines to generate a key of the correct parity. Update S/MIME
372 code to use new functions and hence generate correct parity DES keys.
373 Add EVP_CHECK_DES_KEY #define to return an error if the key is not
374 valid (weak or incorrect parity).
375 [Steve Henson]
376
377 *) Add a local set of CRLs that can be used by X509_verify_cert() as well
378 as looking them up. This is useful when the verified structure may contain
379 CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
380 present unless the new PKCS7_NO_CRL flag is asserted.
381 [Steve Henson]
382
383 *) Extend ASN1 oid configuration module. It now additionally accepts the
384 syntax:
385
386 shortName = some long name, 1.2.3.4
387 [Steve Henson]
388
389 *) Reimplemented the BN_CTX implementation. There is now no more static
390 limitation on the number of variables it can handle nor the depth of the
391 "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
392 information can now expand as required, and rather than having a single
393 static array of bignums, BN_CTX now uses a linked-list of such arrays
394 allowing it to expand on demand whilst maintaining the usefulness of
395 BN_CTX's "bundling".
396 [Geoff Thorpe]
397
398 *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
399 to allow all RSA operations to function using a single BN_CTX.
400 [Geoff Thorpe]
401
402 *) Preliminary support for certificate policy evaluation and checking. This
403 is initially intended to pass the tests outlined in "Conformance Testing
404 of Relying Party Client Certificate Path Processing Logic" v1.07.
405 [Steve Henson]
406
407 *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
408 remained unused and not that useful. A variety of other little bignum
409 tweaks and fixes have also been made continuing on from the audit (see
410 below).
411 [Geoff Thorpe]
412
413 *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
414 associated ASN1, EVP and SSL functions and old ASN1 macros.
415 [Richard Levitte]
416
417 *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
418 and this should never fail. So the return value from the use of
419 BN_set_word() (which can fail due to needless expansion) is now deprecated;
420 if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
421 [Geoff Thorpe]
422
423 *) BN_CTX_get() should return zero-valued bignums, providing the same
424 initialised value as BN_new().
425