
 OpenSSL CHANGES
 _______________

 Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted,
     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
     [Kaspar Brand <ossl@velox.ch>]

  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH. (CVE-2011-3210)
     [Adam Langley (Google)]

  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]

  *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
     the signature public key algorithm using the OID xref utilities instead.
     Before this, some ECC ciphersuites could only be used with SHA1.
     [Steve Henson]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

     http://eprint.iacr.org/2011/232.pdf

     [Billy Bob Brumley and Nicola Tuveri]

 Changes between 1.0.0c and 1.0.0d [8 Feb 2011]

  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
     ambiguous.
     [Steve Henson]

 Changes between 1.0.0b and 1.0.0c [2 Dec 2010]

  *) Disable code workaround for ancient and obsolete Netscape browsers
     and servers: an attacker can use it in a ciphersuite downgrade attack.
     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
     [Steve Henson]

  *) Fixed J-PAKE implementation error, originally discovered by
     Sebastien Martini, further info and confirmation from Stefan
     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
     [Ben Laurie]

 Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
     [Steve Henson]

  *) Fix WIN32 build system to correctly link an ENGINE directory into
     a DLL.
     [Steve Henson]

 Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

  *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
     (CVE-2010-1633)
     [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]

 Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

  *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
     context. The operation can be customised via the ctrl mechanism in
     case ENGINEs want to include additional functionality.
     [Steve Henson]

  *) Tolerate yet another broken PKCS#8 key format: private key value negative.
     [Steve Henson]

  *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
     output hashes compatible with older versions of OpenSSL.
     [Willy Weisz <weisz@vcpc.univie.ac.at>]

  *) Fix compression algorithm handling: if resuming a session use the
     compression algorithm of the resumed session instead of determining
     it from the client hello again. Don't allow the server to change algorithm.
     [Steve Henson]

  *) Add load_crls() function to apps, tidying load_certs() too. Add option
     to verify utility to allow additional CRLs to be included.
     [Steve Henson]

  *) Update OCSP request code to permit adding custom headers to the request:
     some responders need this.
     [Steve Henson]

  *) The function EVP_PKEY_sign() returns <=0 on error: check return code
     correctly.
     [Julia Lawall <julia@diku.dk>]

  *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
     needlessly dereferenced structures, used obsolete functions and
     didn't handle all updated verify codes correctly.
     [Steve Henson]

  *) Disable MD2 in the default configuration.
     [Steve Henson]

  *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
     indicate the initial BIO being pushed or popped. This makes it possible
     to determine whether the BIO is the one explicitly called or as a result
     of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
     it handles reference counts correctly and doesn't zero out the I/O bio
     when it is not being explicitly popped. WARNING: applications which
     included workarounds for the old buggy behaviour will need to be modified
     or they could free up already freed BIOs.
     [Steve Henson]

  *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
     renaming to all platforms (within the 0.9.8 branch, this was
     done conditionally on Netware platforms to avoid a name clash).
     [Guenter <lists@gknw.net>]

  *) Add ECDHE and PSK support to DTLS.
     [Michael Tuexen <tuexen@fh-muenster.de>]

  *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
     be used on C++.
     [Steve Henson]

  *) Add "missing" function EVP_MD_flags() (without this the only way to
     retrieve a digest's flags is by accessing the structure directly). Update
     EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
     or cipher is registered as in the "from" argument. Print out all
     registered digests in the dgst usage message instead of manually
     attempting to work them out.
     [Steve Henson]

  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
     this allows the use of compression and extensions. Change default cipher
     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
     by default unless an application cipher string requests it.
     [Steve Henson]

  *) Alter match criteria in PKCS12_parse(). It used to try to use local
     key ids to find matching certificates and keys but some PKCS#12 files
     don't follow the (somewhat unwritten) rules and this strategy fails.
     Now just gather all certificates together and the first private key
     then look for the first certificate that matches the key.
     [Steve Henson]

  *) Support use of registered digest and cipher names for dgst and cipher
     commands instead of having to add each one as a special case. So now
     you can do:

     openssl sha256 foo

     as well as:

     openssl dgst -sha256 foo

     and this works for ENGINE based algorithms too.

     [Steve Henson]

  *) Update Gost ENGINE to support parameter files.
     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Support GeneralizedTime in ca utility.
     [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]

  *) Enhance the hash format used for certificate directory links. The new
     form uses the canonical encoding (meaning equivalent names will work
     even if they aren't identical) and uses SHA1 instead of MD5. This form
     is incompatible with the older format and as a result c_rehash should
     be used to rebuild symbolic links.
     [Steve Henson]
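The two hash forms the entry above contrasts, as an added illustration (not OpenSSL code): a stdlib-only Python re-implementation of the old MD5-over-DER subject hash and the 1.0.0 SHA1-over-canonical-encoding hash from which c_rehash link names are derived. The canonicalisation here (every value re-tagged as UTF8String, ASCII letters lower-cased, whitespace trimmed and collapsed, outer SEQUENCE dropped) follows x509_name_canon() for PrintableString/UTF8String/IA5String values only, each constructed name uses one attribute per RDN, and the names themselves are made up for the example. Real link names should be confirmed with openssl x509 -subject_hash and -subject_hash_old.

```python
"""Certificate directory hash links, old and new style.

Added example, not OpenSSL code: a stdlib-only re-implementation of the two
subject hashes the entry above contrasts.  Old style is MD5 over the DER
encoding of the Name.  New style is SHA1 over a canonical encoding: every
string value becomes a UTF8String with ASCII letters lower-cased and
whitespace trimmed and collapsed, and the outer SEQUENCE is dropped.  Both
take the first four digest bytes as a little-endian integer printed as eight
hex digits, the <hash>.N link name.  Names below are constructed.
"""
import hashlib
import struct

SEQ, SET, OID, UTF8, PRINTABLE, IA5 = 0x30, 0x31, 0x06, 0x0C, 0x13, 0x16

# attribute type OIDs used by the constructed names
OIDS = {"C": bytes.fromhex("550406"), "O": bytes.fromhex("55040a"),
        "CN": bytes.fromhex("550403")}


def der(tag, body):
    """DER TLV with a definite length (bodies here are well under 65536)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return bytes([tag, 0x82]) + struct.pack(">H", n) + body


def encode_name(rdns):
    """DER Name from [(attr, string_tag, value), ...], one AVA per RDN
    (a multi-valued RDN would additionally need its SET DER-sorted)."""
    out = b""
    for attr, tag, value in rdns:
        out += der(SET, der(SEQ, der(OID, OIDS[attr]) + der(tag, value.encode())))
    return der(SEQ, out)


def canon_string(value):
    """asn1_string_canon(): strip ends, collapse whitespace runs to a single
    space, lower-case ASCII let ters only (non-ASCII is copied unchanged)."""
    text = " ".join(value.split())
    return "".join(c.lower() if c.isascii() else c for c in text).encode()


def canon_name(rdns):
    """Canonical encoding hashed by X509_NAME_hash(): every value re-tagged
    as UTF8String after normalisation, no outer SEQUENCE around the RDNs."""
    out = b""
    for attr, _tag, value in rdns:
        out += der(SET, der(SEQ, der(OID, OIDS[attr]) + der(UTF8, canon_string(value))))
    return out


def _hash4(digest):
    """First four digest bytes, little-endian, as the 8-hex-digit link name."""
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def subject_hash_old(rdns):
    """X509_NAME_hash_old(): MD5 over the raw DER Name."""
    return _hash4(hashlib.md5(encode_name(rdns)).digest())


def subject_hash(rdns):
    """X509_NAME_hash() from 1.0.0 on: SHA1 over the canonical encoding."""
    return _hash4(hashlib.sha1(canon_name(rdns)).digest())


# Constructed names: equivalent under X.500 matching rules, different as DER.
NAME_A = [("C", PRINTABLE, "US"), ("O", PRINTABLE, "Example Inc"),
          ("CN", PRINTABLE, "Example CA")]
NAME_B = [("C", UTF8, "US"), ("O", UTF8, "example   inc"),
          ("CN", UTF8, " EXAMPLE ca ")]

if __name__ == "__main__":
    print("old:", subject_hash_old(NAME_A), subject_hash_old(NAME_B))  # differ
    print("new:", subject_hash(NAME_A), subject_hash(NAME_B))          # identical
```

The two constructed names differ only in string type, case and spacing, so the new-style hashes agree while the MD5 form, which depends on the exact DER bytes, does not; that is why a directory populated with old-style links stops resolving after the upgrade until c_rehash is run again.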

  *) Make PKCS#8 the default write format for private keys, replacing the
     traditional format. This form is standardised, more secure and doesn't
     include an implicit MD5 dependency.
     [Steve Henson]

  *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
     committed to OpenSSL should pass this lot as a minimum.
     [Steve Henson]

  *) Add session ticket override functionality for use by EAP-FAST.
     [Jouni Malinen <j@w1.fi>]

  *) Modify HMAC functions to return a value. Since these can be implemented
     in an ENGINE errors can occur.
     [Steve Henson]

  *) Type-checked OBJ_bsearch_ex.
     [Ben Laurie]

  *) Type-checked OBJ_bsearch. Also some constification necessitated
     by type-checking. Still to come: TXT_DB, bsearch(?),
     OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
     CONF_VALUE.
     [Ben Laurie]

  *) New function OPENSSL_gmtime_adj() to add a specific number of days and
     seconds to a tm structure directly, instead of going through OS
     specific date routines. This avoids any issues with OS routines such
     as the year 2038 bug. New *_adj() functions for ASN1 time structures
     and X509_time_adj_ex() to cover the extended range. The existing
     X509_time_adj() is still usable and will no longer have any date issues.
     [Steve Henson]

  *) Delta CRL support. New -use_deltas option which will attempt to locate
     and search any appropriate delta CRLs available.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for CRLs partitioned by reason code. Reorganise CRL processing
     code and add additional score elements. Validate alternate CRL paths
     as part of the CRL checking and indicate a new error "CRL path validation
     error" in this case. Applications wanting additional details can use
     the verify callback and check the new "parent" field. If this is not
     NULL CRL path validation is taking place. Existing applications won't
     see this because it requires extended CRL support which is off by
     default.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for freshest CRL extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Initial indirect CRL support. Currently only supported in the CRLs
     passed directly and not via lookup. Process certificate issuer
     CRL entry extension and lookup CRL entries by both issuer name
     and serial number. Check and process CRL issuer entry in IDP extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add support for distinct certificate and CRL paths. The CRL issuer
     certificate is validated separately in this case. Only enabled if
     an extended CRL support flag is set: this flag will enable additional
     CRL functionality in future.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add support for policy mappings extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Fixes to pathlength constraint, self issued certificate handling,
     policy processing to align with RFC3280 and PKITS tests.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for name constraints certificate extension. DN, email, DNS
     and URI types are currently supported.

     This work was sponsored by Google.
     [Steve Henson]

  *) To cater for systems that provide a pointer-based thread ID rather
     than numeric, deprecate the current numeric thread ID mechanism and
     replace it with a structure and associated callback type. This
     mechanism allows a numeric "hash" to be extracted from a thread ID in
     either case, and on platforms where pointers are larger than 'long',
     mixing is done to help ensure the numeric 'hash' is usable even if it
     can't be guaranteed unique. The default mechanism is to use "&errno"
     as a pointer-based thread ID to distinguish between threads.

     Applications that want to provide their own thread IDs should now use
     CRYPTO_THREADID_set_callback() to register a callback that will call
     either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().

     Note that ERR_remove_state() is now deprecated, because it is tied
     to the assumption that thread IDs are numeric. ERR_remove_state(0)
     to free the current thread's error state should be replaced by
     ERR_remove_thread_state(NULL).

     (This new approach replaces the functions CRYPTO_set_idptr_callback(),
     CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
     OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
     application was previously providing a numeric thread callback that
     was inappropriate for distinguishing threads, then in those intermediate
     development versions uniqueness might still have been obtained from the
     &errno fallback, which was applied automatically; this is no longer the
     case, as the numeric thread callback now overrides the automatic use
     of &errno.)
     [Geoff Thorpe, with help from Bodo Moeller]

  *) Initial support for different CRL issuing certificates. This covers a
     simple case where the self issued certificates in the chain exist and
     the real CRL issuer is higher in the existing chain.

     This work was sponsored by Google.
     [Steve Henson]

  *) Removed effectively defunct crypto/store from the build.
     [Ben Laurie]

  *) Revamp of STACK to provide stronger type-checking. Still to come:
     TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
     ASN1_STRING, CONF_VALUE.
     [Ben Laurie]

  *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
     RAM on SSL connections. This option can save about 34k per idle SSL.
     [Nick Mathewson]

  *) Revamp of LHASH to provide stronger type-checking. Still to come:
     STACK, TXT_DB, bsearch, qsort.
     [Ben Laurie]

  *) Initial support for Cryptographic Message Syntax (aka CMS) based
     on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
     support for data, signedData, compressedData, digestedData and
     encryptedData, envelopedData types included. Scripts to check against
     RFC4134 examples draft and interop and consistency checks of many
     content types and variants.
     [Steve Henson]

  *) Add options to enc utility to support use of zlib compression BIO.
     [Steve Henson]

  *) Extend mk1mf to support importing of options and assembly language
     files from Configure script, currently only included in VC-WIN32.
     The assembly language rules can now optionally generate the source
     files from the associated perl scripts.
     [Steve Henson]

  *) Implement remaining functionality needed to support GOST ciphersuites.
     Interop testing has been performed using CryptoPro implementations.
     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) s390x assembler pack.
     [Andy Polyakov]

  *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
     "family."
     [Andy Polyakov]

  *) Implement Opaque PRF Input TLS extension as specified in
     draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
     official specification yet and no extension type assignment by
     IANA exists, this extension (for now) will have to be explicitly
     enabled when building OpenSSL by providing the extension number
     to use. For example, specify an option

     -DTLSEXT_TYPE_opaque_prf_input=0x9527

     to the "config" or "Configure" script to enable the extension,
     assuming extension number 0x9527 (which is a completely arbitrary
     and unofficial assignment based on the MD5 hash of the Internet
     Draft). Note that by doing so, you potentially lose
     interoperability with other TLS implementations since these might
     be using the same extension number for other purposes.

     SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
     opaque PRF input value to use in the handshake. This will create
     an internal copy of the length-'len' string at 'src', and will
     return non-zero for success.

     To get more control and flexibility, provide a callback function
     by using

     SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)

     where

     int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
     void *arg;

     Callback function 'cb' will be called in handshakes, and is
     expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
     Argument 'arg' is for application purposes (the value as given to
     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
     be provided to the callback function). The callback function
     has to return non-zero to report success: usually 1 to use opaque
     PRF input if possible, or 2 to enforce use of the opaque PRF
     input. In the latter case, the library will abort the handshake
     if opaque PRF input is not successfully negotiated.

     Arguments 'peerinput' and 'len' given to the callback function
     will always be NULL and 0 in the case of a client. A server will
     see the client's opaque PRF input through these variables if
     available (NULL and 0 otherwise). Note that if the server
     provides an opaque PRF input, the length must be the same as the
     length of the client's opaque PRF input.

     Note that the callback function will only be called when creating
     a new session (session resumption can resume whatever was
     previously negotiated), and will not be called in SSL 2.0
     handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
     SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
     for applications that need to enforce opaque PRF input.

     [Bodo Moeller]

  *) Update ssl code to support digests other than SHA1+MD5 for handshake
     MAC.

     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted, encoded
     SSL_SESSION structure, so new session features are automatically
     supported.

     If a client application caches sessions in an SSL_SESSION structure
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.

     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
     [Steve Henson]

  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
     OpenSSL should now compile cleanly on gcc 4.2
     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]

  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
     support including streaming MAC support: this is required for GOST
     ciphersuite support.
     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]

  *) Add option -stream to use PKCS#7 streaming in smime utility. New
     functions i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
     to output in BER and PEM format.
     [Steve Henson]

  *) Experimental support for use of HMAC via EVP_PKEY interface. This
     allows HMAC to be handled via the EVP_DigestSign*() interface. The
     EVP_PKEY "key" in this case is the HMAC key, potentially allowing
     ENGINE support for HMAC keys which are unextractable. New -mac and
     -macopt options to dgst utility.
     [Steve Henson]

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
     alternative signing parameters such as X9.31 or PSS in the dgst
     utility.
     [Steve Henson]

  *) Change ssl_cipher_apply_rule(), the internal function that does
     the work each time a ciphersuite string requests enabling
     ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or
     removing ("!foo+bar") a class of ciphersuites: Now it maintains
     the order of disabled ciphersuites such that those ciphersuites
     that most recently went from enabled to disabled not only stay
     in order with respect to each other, but also have higher priority
     than other disabled ciphersuites the next time ciphersuites are
     enabled again.

     This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
     the same ciphersuites as with "HIGH" alone, but in a specific
     order where the PSK ciphersuites come first (since they are the
     most recently disabled ciphersuites when "HIGH" is parsed).

     Also, change ssl_create_cipher_list() (using this new
     functionality) such that between otherwise identical
     ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
     the default order.
     [Bodo Moeller]

  *) Change ssl_create_cipher_list() so that it automatically
     arranges the ciphersuites in reasonable order before starting
     to process the rule string. Thus, the definition for "DEFAULT"
     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
     This makes it much easier to arrive at a reasonable default order
     in applications for which anonymous ciphers are OK (meaning
     that you can't actually use DEFAULT).
     [Bodo Moeller; suggested by Victor Duchovni]
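A toy model of the rule processing described in the two entries above, added here as an illustration (not OpenSSL code): a Python re-implementation of the ssl_cipher_apply_rule() ordering semantics (enable, "+" move, "-" disable, "!" remove, "@STRENGTH") and of the default pre-ordering in ssl_create_cipher_list(), run over a small constructed table of ciphersuites with simplified alias definitions, so that the "PSK:-PSK:HIGH" effect and the DEFAULT equivalence quoted above can be checked by running it. The suite table, attributes and aliases are assumptions made for the example.

```python
"""Toy model of OpenSSL 1.0.0 cipher-string rule processing.

Added example, not OpenSSL code: it re-implements the ordering semantics the
two entries above describe for ssl_cipher_apply_rule() and
ssl_create_cipher_list() over a small constructed table of ciphersuites.
Suite names, attributes and the alias definitions are simplified assumptions.
"""

# Constructed table: (name, key exchange, authentication, symmetric bits),
# listed in what stands in for OpenSSL's internal default order.
SUITES = [
    ("ECDHE-RSA-AES256-SHA", "kEECDH", "aRSA",  256),
    ("DHE-RSA-AES256-SHA",   "kEDH",   "aRSA",  256),
    ("AES256-SHA",           "kRSA",   "aRSA",  256),
    ("PSK-AES256-CBC-SHA",   "kPSK",   "aPSK",  256),
    ("ECDHE-RSA-AES128-SHA", "kEECDH", "aRSA",  128),
    ("AES128-SHA",           "kRSA",   "aRSA",  128),
    ("PSK-AES128-CBC-SHA",   "kPSK",   "aPSK",  128),
    ("ADH-AES128-SHA",       "kEDH",   "aNULL", 128),
    ("NULL-SHA",             "kRSA",   "aRSA",  0),
]

ADD, ORD, DEL, KILL = "add", "ord", "del", "kill"   # CIPHER_ADD/ORD/DEL/KILL


def matches(alias, suite):
    """Simplified alias semantics; an exact suite name also works as alias."""
    name, kx, auth, bits = suite
    table = {
        "ALL": bits > 0, "HIGH": bits >= 128, "eNULL": bits == 0,
        "AES": "AES" in name, "RC4": "RC4" in name, "PSK": kx == "kPSK",
        "kEECDH": kx == "kEECDH", "kEDH": kx == "kEDH", "kRSA": kx == "kRSA",
        "aRSA": auth == "aRSA", "aNULL": auth == "aNULL", "aECDH": auth == "aECDH",
    }
    return table.get(alias, name == alias)


def _unlink(order, cell):
    for i, c in enumerate(order):
        if c is cell:
            del order[i]
            return


def apply_rule(order, rule, pred):
    """One ssl_cipher_apply_rule() pass over the list of [suite, active] cells.
    ADD/ORD walk head to tail and move matches to the tail; DEL walks tail to
    head and moves matches to the head, so the most recently disabled suites
    lead the disabled ones and are met (and re-enabled) first by a later ADD.
    KILL unlinks a suite for good.  Walking a snapshot mirrors the C loop's
    'last' bound: cells moved during the pass are not visited again."""
    snapshot = list(order)
    if rule == DEL:
        snapshot.reverse()
    for cell in snapshot:
        if not pred(cell[0]):
            continue
        if rule == ADD and not cell[1]:
            _unlink(order, cell); order.append(cell); cell[1] = True
        elif rule == ORD and cell[1]:
            _unlink(order, cell); order.append(cell)
        elif rule == DEL and cell[1]:
            _unlink(order, cell); order.insert(0, cell); cell[1] = False
        elif rule == KILL:
            _unlink(order, cell)


def strength_sort(order):
    """@STRENGTH: enabled suites re-appended strongest first (stable); the
    disabled ones keep their relative order ahead of them."""
    enabled = sorted((c for c in order if c[1]), key=lambda c: -c[0][3])
    order[:] = [c for c in order if not c[1]] + enabled


def cipher_list(rule_str, preorder=True):
    """ssl_create_cipher_list() model: all suites start disabled, the default
    preference order is built (the expanded DEFAULT string quoted above),
    everything is disabled again keeping that order, then the rule string is
    applied left to right.  Returns the enabled suite names in order."""
    order = [[s, False] for s in SUITES]
    if preorder:
        apply_rule(order, ADD, lambda s: matches("kEECDH", s))  # EECDH first ...
        apply_rule(order, DEL, lambda s: matches("kEECDH", s))  # ... when re-enabled
        apply_rule(order, ADD, lambda s: matches("AES", s))     # AES preferred
        apply_rule(order, ADD, lambda s: True)                  # enable rest to sort
        for alias in ("aNULL", "aECDH", "kRSA", "RC4"):          # push to the end
            apply_rule(order, ORD, lambda s, a=alias: matches(a, s))
        strength_sort(order)
        apply_rule(order, DEL, lambda s: True)                  # disable, keep order
    for token in rule_str.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            strength_sort(order)
            continue
        rule, alias = ADD, token
        if token[0] in "+-!":
            rule, alias = {"+": ORD, "-": DEL, "!": KILL}[token[0]], token[1:]
        parts = alias.split("+")         # "foo+bar": every part must match
        apply_rule(order, rule, lambda s, p=parts: all(matches(a, s) for a in p))
    return [c[0][0] for c in order if c[1]]


if __name__ == "__main__":
    print("DEFAULT          ", cipher_list("ALL:!aNULL:!eNULL"))
    print("PSK:-PSK:HIGH    ", cipher_list("PSK:-PSK:HIGH", preorder=False))
    print("HIGH:!aNULL:aNULL", cipher_list("HIGH:!aNULL:aNULL", preorder=False))
```

Running it shows the property the entry describes: "PSK:-PSK:HIGH" enables exactly the "HIGH" set with the PSK suites in front, "-" only disables (a later "aNULL" brings ADH back) whereas "!" removes for the rest of the string, and "ALL:!aNULL:!eNULL" with the pre-ordering yields the same list as the longer expanded string without it.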

  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
     processing) into multiple integers instead of setting
     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
     (These masks as well as the individual bit definitions are hidden
     away into the non-exported interface ssl/ssl_locl.h, so this
     change to the definition of the SSL_CIPHER structure shouldn't
     affect applications.) This gives us more bits for each of these
     categories, so there is no longer a need to collapse AES128 and
     AES256 into a single algorithm bit, or to collapse Camellia128
     and Camellia256 into a single algorithm bit, which had led to all
     kinds of kludges.

     Thus, among other things, the kludge introduced in 0.9.7m and
     0.9.8e for masking out AES256 independently of AES128 or masking
     out Camellia256 independently of Camellia128 is not needed here in 0.9.9.

     With the change, we also introduce new ciphersuite aliases that
     so far were missing: "AES128", "AES256", "CAMELLIA128", and
     "CAMELLIA256".
     [Bodo Moeller]

  *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
     Use the leftmost N bytes of the signature input if the input is
     larger than the prime q (with N being the size in bytes of q).
     [Nils Larsch]

  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
     it yet and it is largely untested.
     [Steve Henson]

  *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
     [Nils Larsch]

  *) Initial incomplete changes to avoid the need for function casts in
     OpenSSL: some compilers (gcc 4.2 and later) reject their use. Safestack is
     reimplemented. Update ASN1 to avoid use of legacy functions.
     [Steve Henson]

  *) Win32/64 targets are linked with Winsock2.
     [Andy Polyakov]

  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
     to external functions. This can be used to increase CRL handling
     efficiency especially when CRLs are very large by (for example) storing
     the CRL revoked certificates in a database.
     [Steve Henson]

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real errors
     to be returned by the verify callback instead of carrying on no matter
     what. This reflects the way a "real world" verify callback would behave.
     [Steve Henson]

  *) GOST engine, supporting several GOST algorithms and public key formats.
     Kindly donated by Cryptocom.
     [Cryptocom]

  *) Partial support for Issuing Distribution Point CRL extension. CRLs
     partitioned by DP are handled but no indirect CRL or reason partitioning
     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
     selected via a scoring technique which handles IDP and AKID in CRLs.
     [Steve Henson]

  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
     will ultimately be used for all verify operations: this will remove the
     X509_STORE dependency on certificate verification and allow alternative
     lookup methods. X509_STORE based implementations of these two callbacks.
     [Steve Henson]

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]
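Added example, not OpenSSL code, illustrating two of the CRL-time behaviours recorded in this file: the expired-CRL rejection that the CVE-2011-3207 fix at the top of the file restores (a CRL whose nextUpdate lies in the past must not be accepted, and one whose thisUpdate lies in the future is not yet usable), and the get_crl() preference just above for a currently valid CRL when several carry the same issuer. It parses a minimal DER CertificateList with the Python standard library only; the CRLs are constructed here with an empty signature value (the time check is independent of signature verification), the evaluation time is fixed, and the "newest valid CRL wins" tie-break is this example's own policy, not a description of OpenSSL's CRL scoring.

```python
"""CRL freshness check and CRL selection.

Added example, not OpenSSL code: a stdlib-only model of the expired-CRL
rejection restored by the CVE-2011-3207 fix (nextUpdate in the past makes
the CRL unusable) and of get_crl() preferring a currently valid CRL when
several share an issuer.  The CRLs are constructed below with an empty
signature; the time check is independent of signature verification.
"""
import struct
from datetime import datetime, timezone

SEQ, SET, INT, OID, BITSTR, PRINTABLE, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x03, 0x13, 0x17, 0x18)

def der(tag, body):
    """DER TLV with a definite length (bodies here are well under 65536)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return bytes([tag, 0x82]) + struct.pack(">H", n) + body

def parse_tlvs(data):
    """Split a run of DER TLVs into (tag, body) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, data[i + hdr:i + hdr + n]))
        i += hdr + n
    return out

def parse_time(tag, body):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime."""
    s = body.decode("ascii")
    if tag == UTCTIME:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != GENTIME:
        raise ValueError("not a Time")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(crl_der):
    """(thisUpdate, nextUpdate or None) from a DER CertificateList."""
    (_, cert_list), = parse_tlvs(crl_der)
    tbs_tag, tbs = parse_tlvs(cert_list)[0]
    if tbs_tag != SEQ:
        raise ValueError("bad tbsCertList")
    fields = parse_tlvs(tbs)
    if fields and fields[0][0] == INT:          # optional version
        fields = fields[1:]
    # fields: signature, issuer, thisUpdate, [nextUpdate], [revoked], [exts]
    this_update = parse_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (UTCTIME, GENTIME):
        next_update = parse_time(*fields[3])
    return this_update, next_update

def check_crl_time(crl_der, now):
    """Verifier time check: None when the CRL is usable, else the reason."""
    this_update, next_update = parse_crl(crl_der)
    if this_update > now:
        return "CRL_NOT_YET_VALID"
    if next_update is not None and next_update < now:
        return "CRL_HAS_EXPIRED"            # the case CVE-2011-3207 let through
    return None

def pick_crl(crls, now):
    """Among CRLs for one issuer take a currently valid one; if several are
    valid prefer the newest thisUpdate (this example's tie-break)."""
    valid = [c for c in crls if check_crl_time(c, now) is None]
    return max(valid, key=lambda c: parse_crl(c)[0]) if valid else None

def make_crl(this_update, next_update=None):
    """Constructed v2 CertificateList: sha1WithRSA, one-RDN issuer, no
    revoked entries, empty signature value."""
    sha1_rsa = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")
    issuer = der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403"))
                                       + der(PRINTABLE, b"Example CA"))))
    tbs = der(INT, b"\x01") + sha1_rsa + issuer + this_update
    if next_update is not None:
        tbs += next_update
    return der(SEQ, der(SEQ, tbs) + sha1_rsa + der(BITSTR, b"\x00"))

def utc(yymmddhhmmss):
    return der(UTCTIME, (yymmddhhmmss + "Z").encode())

NOW = datetime(2011, 9, 6, 12, 0, 0, tzinfo=timezone.utc)       # evaluation time
CRL_EXPIRED = make_crl(utc("110601000000"), utc("110701000000"))
CRL_CURRENT = make_crl(utc("110815000000"), der(GENTIME, b"20111015000000Z"))
CRL_FUTURE = make_crl(utc("110910000000"), utc("111210000000"))
CRL_NO_NEXT = make_crl(utc("110501000000"))                      # nextUpdate absent

if __name__ == "__main__":
    for label, crl in (("expired", CRL_EXPIRED), ("current", CRL_CURRENT),
                       ("future", CRL_FUTURE), ("no nextUpdate", CRL_NO_NEXT)):
        print("%-14s %s" % (label, check_crl_time(crl, NOW) or "ok"))
    chosen = pick_crl([CRL_EXPIRED, CRL_CURRENT, CRL_FUTURE], NOW)
    print("chosen thisUpdate:", parse_crl(chosen)[0])
```

Note the two edge cases the code treats deliberately: nextUpdate is optional in RFC 5280, so a CRL without it never "expires" and passes the check, and with only expired or not-yet-valid CRLs on hand pick_crl() returns None rather than falling back to a stale one, which is the failure mode the CVE entry describes.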
| 564 | |
| 565 | *) New function X509_CRL_match() to check if two CRLs are identical. Normally |
| 566 | this would be called X509_CRL_cmp() but that name is already used by |
| 567 | a function that just compares CRL issuer names. Cache several CRL |
| 568 | extensions in X509_CRL structure and cache CRLDP in X509. |
| 569 | [Steve Henson] |
| 570 | |
| 571 | *) Store a "canonical" representation of X509_NAME structure (ASN1 Name) |
| 572 | this maps equivalent X509_NAME structures into a consistent structure. |
| 573 | Name comparison can then be performed rapidly using memcmp(). |
| 574 | [Steve Henson] |
| 575 | |
| 576 | *) Non-blocking OCSP request processing. Add -timeout option to ocsp |
| 577 | utility. |
| 578 | [Steve Henson] |
| 579 | |
| 580 | *) Allow digests to supply their own micalg string for S/MIME type using |
| 581 | the ctrl EVP_MD_CTRL_MICALG. |
| 582 | [Steve Henson] |
| 583 | |
| 584 | *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the |
| 585 | EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN |
| 586 | ctrl. It can then customise the structure before and/or after signing |
| 587 | if necessary. |
| 588 | [Steve Henson] |
| 589 | |
| 590 | *) New function OBJ_add_sigid() to allow application defined signature OIDs |
| 591 | to be added to OpenSSLs internal tables. New function OBJ_sigid_free() |
| 592 | to free up any added signature OIDs. |
| 593 | [Steve Henson] |
| 594 | |
| 595 | *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(), |
| 596 | EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal |
| 597 | digest and cipher tables. New options added to openssl utility: |
| 598 | list-message-digest-algorithms and list-cipher-algorithms. |
| 599 | [Steve Henson] |
| 600 | |
| 601 | *) Change the array representation of binary polynomials: the list |
| 602 | of degrees of non-zero coefficients is now terminated with -1. |
| 603 | Previously it was terminated with 0, which was also part of the |
| 604 | value; thus, the array representation was not applicable to |
| 605 | polynomials where t^0 has coefficient zero. This change makes |
| 606 | the array representation useful in a more general context. |
| 607 | [Douglas Stebila] |
| 608 | |
| 609 | *) Various modifications and fixes to SSL/TLS cipher string |
| 610 | handling. For ECC, the code now distinguishes between fixed ECDH |
| 611 | with RSA certificates on the one hand and with ECDSA certificates |
| 612 | on the other hand, since these are separate ciphersuites. The |
| 613 | unused code for Fortezza ciphersuites has been removed. |
| 614 | |
| 615 | For consistency with EDH, ephemeral ECDH is now called "EECDH" |
| 616 | (not "ECDHE"). For consistency with the code for DH |
| 617 | certificates, use of ECDH certificates is now considered ECDH |
| 618 | authentication, not RSA or ECDSA authentication (the latter is |
| 619 | merely the CA's signing algorithm and not actively used in the |
| 620 | protocol). |
| 621 | |
| 622 | The temporary ciphersuite alias "ECCdraft" is no longer |
| 623 | available, and ECC ciphersuites are no longer excluded from "ALL" |
| 624 | and "DEFAULT". The following aliases now exist for RFC 4492 |
| 625 | ciphersuites, most of these by analogy with the DH case: |
| 626 | |
| 627 | kECDHr - ECDH cert, signed with RSA |
| 628 | kECDHe - ECDH cert, signed with ECDSA |
| 629 | kECDH - ECDH cert (signed with either RSA or ECDSA) |
| 630 | kEECDH - ephemeral ECDH |
| 631 | ECDH - ECDH cert or ephemeral ECDH |
| 632 | |
| 633 | aECDH - ECDH cert |
| 634 | aECDSA - ECDSA cert |
| 635 | ECDSA - ECDSA cert |
| 636 | |
| 637 | AECDH - anonymous ECDH |
| 638 | EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH") |
| 639 | |
| 640 | [Bodo Moeller] |
| 641 | |
| 642 | *) Add additional S/MIME capabilities for AES and GOST ciphers if supported. |
| 643 | Use correct micalg parameters depending on digest(s) in signed message. |
| 644 | [Steve Henson] |
| 645 | |
| 646 | *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process |
| 647 | an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code. |
| 648 | [Steve Henson] |
| 649 | |
| 650 | *) Initial engine support for EVP_PKEY_METHOD. New functions to permit |
| 651 | an engine to register a method. Add ENGINE lookups for methods and |
| 652 | functional reference processing. |
| 653 | [Steve Henson] |
| 654 | |
| 655 | *) New functions EVP_Digest{Sign,Verify}*. These are enhanced versions of |
| 656 | EVP_{Sign,Verify}* which allow an application to customise the signature |
| 657 | process. |
| 658 | [Steve Henson] |
| 659 | |
| 660 | *) New -resign option to smime utility. This adds one or more signers |
| 661 | to an existing PKCS#7 signedData structure. Also -md option to use an |
| 662 | alternative message digest algorithm for signing. |
| 663 | [Steve Henson] |
| 664 | |
| 665 | *) Tidy up PKCS#7 routines and add new functions to make it easier to |
| 666 | create PKCS7 structures containing multiple signers. Update smime |
| 667 | application to support multiple signers. |
| 668 | [Steve Henson] |
| 669 | |
| 670 | *) New -macalg option to pkcs12 utility to allow setting of an alternative |
| 671 | digest MAC. |
| 672 | [Steve Henson] |
| 673 | |
| 674 | *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. |
| 675 | Reorganize PBE internals to lookup from a static table using NIDs, |
| 676 | add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl, |
| 677 | EVP_CTRL_PBE_PRF_NID; this allows a cipher to specify an alternative |
| 678 | PRF which will be automatically used with PBES2. |
| 679 | [Steve Henson] |
| 680 | |
| 681 | *) Replace the algorithm specific calls to generate keys in "req" with the |
| 682 | new API. |
| 683 | [Steve Henson] |
| 684 | |
| 685 | *) Update PKCS#7 enveloped data routines to use new API. This is now |
| 686 | supported by any public key method supporting the encrypt operation. A |
| 687 | ctrl is added to allow the public key algorithm to examine or modify |
| 688 | the PKCS#7 RecipientInfo structure if it needs to: for RSA this is |
| 689 | a no-op. |
| 690 | [Steve Henson] |
| 691 | |
| 692 | *) Add a ctrl to asn1 method to allow a public key algorithm to express |
| 693 | a default digest type to use. In most cases this will be SHA1 but some |
| 694 | algorithms (such as GOST) need to specify an alternative digest. The |
| 695 | return value indicates how strong the preference is: 1 means optional and |
| 696 | 2 is mandatory (that is, it is the only supported type). Modify |
| 697 | ASN1_item_sign() to accept a NULL digest argument to indicate it should |
| 698 | use the default md. Update openssl utilities to use the default digest |
| 699 | type for signing if it is not explicitly indicated. |
| 700 | [Steve Henson] |
| 701 | |
| 702 | *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New |
| 703 | EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant |
| 704 | signing method from the key type. This effectively removes the link |
| 705 | between digests and public key types. |
| 706 | [Steve Henson] |
| 707 | |
| 708 | *) Add an OID cross reference table and utility functions. Its purpose is to |
| 709 | translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, |
| 710 | rsaEncryption. This will allow some of the algorithm specific hackery |
| 711 | needed to use the correct OID to be removed. |
| 712 | [Steve Henson] |
| 713 | |
| 714 | *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO |
| 715 | structures for PKCS7_sign(). They are now set up by the relevant public |
| 716 | key ASN1 method. |
| 717 | [Steve Henson] |
| 718 | |
| 719 | *) Add provisional EC pkey method with support for ECDSA and ECDH. |
| 720 | [Steve Henson] |
| 721 | |
| 722 | *) Add support for key derivation (agreement) in the API, DH method and |
| 723 | pkeyutl. |
| 724 | [Steve Henson] |
| 725 | |
| 726 | *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support |
| 727 | public and private key formats. As a side effect these add additional |
| 728 | command line functionality not previously available: DSA signatures can be |
| 729 | generated and verified using pkeyutl and DH key support and generation in |
| 730 | pkey, genpkey. |
| 731 | [Steve Henson] |
| 732 | |
| 733 | *) BeOS support. |
| 734 | [Oliver Tappe <zooey@hirschkaefer.de>] |
| 735 | |
| 736 | *) New make target "install_html_docs" installs HTML renditions of the |
| 737 | manual pages. |
| 738 | [Oliver Tappe <zooey@hirschkaefer.de>] |
| 739 | |
| 740 | *) New utility "genpkey": this is analogous to "genrsa" etc. except it can |
| 741 | generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to |
| 742 | support key and parameter generation and add initial key generation |
| 743 | functionality for RSA. |
| 744 | [Steve Henson] |
| 745 | |
| 746 | *) Add functions for main EVP_PKEY_method operations. The undocumented |
| 747 | functions EVP_PKEY_{encrypt,decrypt} have been renamed to |
| 748 | EVP_PKEY_{encrypt,decrypt}_old. |
| 749 | [Steve Henson] |
| 750 | |
| 751 | *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public |
| 752 | key API, doesn't do much yet. |
| 753 | [Steve Henson] |
| 754 | |
| 755 | *) New function EVP_PKEY_asn1_get0_info() to retrieve information about |
| 756 | public key algorithms. New option to openssl utility: |
| 757 | "list-public-key-algorithms" to print out info. |
| 758 | [Steve Henson] |
| 759 | |
| 760 | *) Implement the Supported Elliptic Curves Extension for |
| 761 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
| 762 | [Douglas Stebila] |
| 763 | |
| 764 | *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or |
| 765 | EVP_CIPHER structures to avoid later problems in EVP_cleanup(). |
| 766 | [Steve Henson] |
| 767 | |
| 768 | *) New utilities pkey and pkeyparam. These are similar to algorithm specific |
| 769 | utilities such as rsa, dsa, dsaparam etc except they process any key |
| 770 | type. |
| 771 | [Steve Henson] |
| 772 | |
| 773 | *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New |
| 774 | functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), |
| 775 | EVP_PKEY_print_param() to print public key data from an EVP_PKEY |
| 776 | structure. |
| 777 | [Steve Henson] |
| 778 | |
| 779 | *) Initial support for pluggable public key ASN1. |
| 780 | De-spaghettify the public key ASN1 handling. Move public and private |
| 781 | key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate |
| 782 | algorithm specific handling to a single module within the relevant |
| 783 | algorithm directory. Add functions to allow (near) opaque processing |
| 784 | of public and private key structures. |
| 785 | [Steve Henson] |
| 786 | |
| 787 | *) Implement the Supported Point Formats Extension for |
| 788 | ECC ciphersuites from draft-ietf-tls-ecc-12.txt. |
| 789 | [Douglas Stebila] |
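
The two draft-ietf-tls-ecc extensions in the entries above (Supported Elliptic Curves and Supported Point Formats, later RFC 4492) are short enough to encode and parse in full. The following is an added example, not OpenSSL code: it builds the two extensions as a client would send them, parses them back with every length field checked against the bytes actually present, and picks a curve on the server side. The extension type numbers (10 and 11), the NamedCurve codepoints 23, 24, 25 and the ECPointFormat value 0 are the RFC 4492 values; the server's supported curve list and the decision to decline ECC when the extension is absent are assumptions made for the example.

```python
"""Encode and parse the elliptic_curves (10) and ec_point_formats (11)
ClientHello extensions from draft-ietf-tls-ecc / RFC 4492.
Added example, not OpenSSL code."""
import struct

EXT_ELLIPTIC_CURVES = 10
EXT_EC_POINT_FORMATS = 11

# RFC 4492 NamedCurve and ECPointFormat codepoints used here.
NAMED_CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}
POINT_FORMATS = {0: "uncompressed", 1: "ansiX962_compressed_prime",
                 2: "ansiX962_compressed_char2"}


def encode_elliptic_curves(curve_ids):
    """Body: 2-byte list length followed by 2-byte NamedCurve ids."""
    body = b"".join(struct.pack("!H", c) for c in curve_ids)
    return struct.pack("!H", len(body)) + body


def encode_ec_point_formats(fmt_ids):
    """Body: 1-byte list length followed by 1-byte ECPointFormat ids."""
    body = bytes(fmt_ids)
    return struct.pack("!B", len(body)) + body


def encode_extension(ext_type, body):
    """Generic TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def parse_extensions(data):
    """Parse an extensions block (2-byte total length, then extensions) into
    {ext_type: body}.  Each length is checked against the buffer so truncated
    or inconsistent input raises ValueError instead of reading past the end."""
    if len(data) < 2:
        raise ValueError("extensions block shorter than its length field")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("extensions length does not match buffer")
    out, pos, end = {}, 2, 2 + total
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        ext_type, length = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if pos + length > end:
            raise ValueError("extension body overruns block")
        if ext_type in out:
            raise ValueError("duplicate extension %d" % ext_type)
        out[ext_type] = data[pos:pos + length]
        pos += length
    return out


def parse_elliptic_curves(body):
    """Curve ids the client offers; the list must be non-empty, even-length
    and exactly fill the body."""
    if len(body) < 2:
        raise ValueError("elliptic_curves body too short")
    (n,) = struct.unpack("!H", body[:2])
    if n != len(body) - 2 or n % 2 != 0 or n == 0:
        raise ValueError("bad elliptic_curves list length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(2, 2 + n, 2)]


def parse_ec_point_formats(body):
    """Point formats the client supports; list must be non-empty and fill the body."""
    if len(body) < 1 or body[0] != len(body) - 1 or body[0] == 0:
        raise ValueError("bad ec_point_formats list length")
    return list(body[1:])


def client_ecc_offer(curve_ids=(23, 24, 25), fmt_ids=(0,)):
    """Constructed extensions block carrying only the two ECC extensions."""
    exts = (encode_extension(EXT_ELLIPTIC_CURVES, encode_elliptic_curves(curve_ids))
            + encode_extension(EXT_EC_POINT_FORMATS, encode_ec_point_formats(fmt_ids)))
    return struct.pack("!H", len(exts)) + exts


def negotiate(extensions_block, server_curves=(23, 24)):
    """Server side: return the first client-offered curve in server_curves, or
    None (then no ECC ciphersuite may be chosen).  Declining when the extension
    is absent is this example's conservative choice, an assumption.  A client
    that lists point formats but omits uncompressed (0) violates RFC 4492."""
    exts = parse_extensions(extensions_block)
    if EXT_ELLIPTIC_CURVES not in exts:
        return None
    offered = parse_elliptic_curves(exts[EXT_ELLIPTIC_CURVES])
    if EXT_EC_POINT_FORMATS in exts:
        if 0 not in parse_ec_point_formats(exts[EXT_EC_POINT_FORMATS]):
            raise ValueError("client omits mandatory uncompressed point format")
    for c in offered:
        if c in server_curves:
            return c
    return None


if __name__ == "__main__":
    block = client_ecc_offer()
    print(block.hex())
    print("negotiated curve:", NAMED_CURVES.get(negotiate(block)))
```

The length checks in parse_extensions and the two list parsers are the point of the example: each nested length is validated before any slice is taken, which is the property a ClientHello extension parser needs regardless of language.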
| 790 | |
| 791 | *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members |
| 792 | for the psk identity [hint] and the psk callback functions to the |
| 793 | SSL_SESSION, SSL and SSL_CTX structure. |
| 794 | |
| 795 | New ciphersuites: |
| 796 | PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, |
| 797 | PSK-AES256-CBC-SHA |
| 798 | |
| 799 | New functions: |
| 800 | SSL_CTX_use_psk_identity_hint |
| 801 | SSL_get_psk_identity_hint |
| 802 | SSL_get_psk_identity |
| 803 | SSL_use_psk_identity_hint |
| 804 | |
| 805 | [Mika Kousa and Pasi Eronen of Nokia Corporation] |
| 806 | |
| 807 | *) Add RFC 3161 compliant time stamp request creation, response generation |
| 808 | and response verification functionality. |
| 809 |