Import OpenSSL 0.9.8l
[dragonfly.git] / crypto / openssl / CHANGES
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]

 *) Disable renegotiation completely - this fixes a severe security
    problem (CVE-2009-3555) at the cost of breaking all
    renegotiation. Renegotiation can be re-enabled by setting
    run-time. This is really not recommended unless you know what
    you're doing.
    [Ben Laurie]
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

 *) Don't set val to NULL when freeing up structures; it is freed up by
    underlying code. If sizeof(void *) > sizeof(long) this can result in
    zeroing past the valid field. (CVE-2009-0789)
    [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]

 *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
    checked correctly. This would allow some invalid signed attributes to
    appear to verify correctly. (CVE-2009-0591)
    [Ivan Nestlerode <>]

 *) Reject UniversalString and BMPString types with invalid lengths. This
    prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
    a legal length. (CVE-2009-0590)
    [Steve Henson]

 *) Set S/MIME signing as the default purpose rather than setting it
    unconditionally. This allows applications to override it at the store
    level.
    [Steve Henson]

 *) Permit restricted recursion of ASN1 strings. This is needed in practice
    to handle some structures.
    [Steve Henson]

 *) Improve efficiency of mem_gets: don't search whole buffer each time
    for a '\n'.
    [Jeremy Shapiro <>]

 *) New -hex option for openssl rand.
    [Matthieu Herrb]

 *) Print out UTF8String and NumericString when parsing ASN1.
    [Steve Henson]

 *) Support NumericString type for name components.
    [Steve Henson]

 *) Allow CC in the environment to override the automatically chosen
    compiler. Note that nothing is done to ensure flags work with the
    chosen compiler.
    [Ben Laurie]
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]

 *) Properly check EVP_VerifyFinal() and similar return values
    (CVE-2008-5077).
    [Ben Laurie, Bodo Moeller, Google Security Team]

 *) Enable TLS extensions by default.
    [Ben Laurie]

 *) Allow the CHIL engine to be loaded, whether the application is
    multithreaded or not. (This does not release the developer from the
    obligation to set up the dynamic locking callbacks.)
    [Sander Temme <>]

 *) Use correct exit code if there is an error in dgst command.
    [Steve Henson; problem pointed out by Roland Dirlewanger]

 *) Tweak Configure so that you need to say "experimental-jpake" to enable
    JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
    [Bodo Moeller]

 *) Add experimental JPAKE support, including demo authentication in
    s_client and s_server.
    [Ben Laurie]

 *) Set the comparison function in v3_addr_canonize().
    [Rob Austein <>]

 *) Add support for XMPP STARTTLS in s_client.
    [Philip Paeps <>]

 *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
    to ensure that even with this option, only ciphersuites in the
    server's preference list will be accepted. (Note that the option
    applies only when resuming a session, so the earlier behavior was
    just about the algorithm choice for symmetric cryptography.)
    [Bodo Moeller]
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]

 *) Fix a state transition in s3_srvr.c and d1_srvr.c
    (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
    [Nagendra Modadugu]

 *) The fix in 0.9.8c that supposedly got rid of unsafe
    double-checked locking was incomplete for RSA blinding,
    addressing just one layer of what turns out to have been
    doubly unsafe triple-checked locking.

    So now fix this for real by retiring the MONT_HELPER macro
    in crypto/rsa/rsa_eay.c.

    [Bodo Moeller; problem pointed out by Marius Schilder]

 *) Various precautionary measures:

    - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).

    - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
      (NB: This would require knowledge of the secret session ticket key
      to exploit, in which case you'd be SOL either way.)

    - Change bn_nist.c so that it will properly handle input BIGNUMs
      outside the expected range.

    - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
      builds.

    [Neel Mehta, Bodo Moeller]

 *) Allow engines to be "soft loaded" - i.e. optionally don't die if
    the load fails. Useful for distros.
    [Ben Laurie and the FreeBSD team]

 *) Add support for Local Machine Keyset attribute in PKCS#12 files.
    [Steve Henson]

 *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
    [Huang Ying]

 *) Expand ENGINE to support engine supplied SSL client certificate functions.

    This work was sponsored by Logica.
    [Steve Henson]

 *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
    keystores. Support for SSL/TLS client authentication too.
    Not compiled unless enable-capieng specified to Configure.

    This work was sponsored by Logica.
    [Steve Henson]

 *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
    ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
    attribute creation routines such as certificate requests and PKCS#12
    files.
    [Steve Henson]
Changes between 0.9.8g and 0.9.8h [28 May 2008]

 *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
    handshake which could lead to a client crash as found using the
    Codenomicon TLS test suite (CVE-2008-1672)
    [Steve Henson, Mark Cox]

 *) Fix double free in TLS server name extensions which could lead to
    a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
    [Joe Orton]

 *) Clear error queue in SSL_CTX_use_certificate_chain_file()

    Clear the error queue to ensure that error entries left from
    older function calls do not interfere with the correct operation.
    [Lutz Jaenicke, Erik de Castro Lopo]

 *) Remove root CA certificates of commercial CAs:

    The OpenSSL project does not recommend any specific CA and does not
    have any policy with respect to including or excluding any CA.
    Therefore it does not make any sense to ship an arbitrary selection
    of root CA certificates with the OpenSSL software.
    [Lutz Jaenicke]

 *) RSA OAEP patches to fix two separate invalid memory reads.
    The first one involves inputs when 'lzero' is greater than
    'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
    before the beginning of from). The second one involves inputs where
    the 'db' section contains nothing but zeroes (there is a one-byte
    invalid read after the end of 'db').
    [Ivan Nestlerode <>]

 *) Partial backport from 0.9.9-dev:

    Introduce bn_mul_mont (dedicated Montgomery multiplication
    procedure) as a candidate for BIGNUM assembler implementation.
    While 0.9.9-dev uses assembler for various architectures, only
    x86_64 is available by default here in the 0.9.8 branch, and
    32-bit x86 is available through a compile-time setting.

    To try the 32-bit x86 assembler implementation, use Configure
    option "enable-montasm" (which exists only for this backport).

    As "enable-montasm" for 32-bit x86 disclaims code stability
    anyway, in this constellation we activate additional code
    backported from 0.9.9-dev for further performance improvements,
    namely BN_from_montgomery_word. (To enable this otherwise,
    e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)

    [Andy Polyakov (backport partially by Bodo Moeller)]

 *) Add TLS session ticket callback. This allows an application to set
    TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
    values. This is useful for key rollover for example where several key
    sets may exist with different names.
    [Steve Henson]

 *) Reverse ENGINE-internal logic for caching default ENGINE handles.
    This was broken until now in 0.9.8 releases, such that the only way
    a registered ENGINE could be used (assuming it initialises
    successfully on the host) was to explicitly set it as the default
    for the relevant algorithms. This is in contradiction with 0.9.7
    behaviour and the documentation. With this fix, when an ENGINE is
    registered into a given algorithm's table of implementations, the
    'uptodate' flag is reset so that auto-discovery will be used next
    time a new context for that algorithm attempts to select an
    implementation.
    [Ian Lister (tweaked by Geoff Thorpe)]

 *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
    implementation in the following ways:

    Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
    hard coded.

    Lack of BER streaming support means one pass streaming processing is
    only supported if data is detached: setting the streaming flag is
    ignored for embedded content.

    CMS support is disabled by default and must be explicitly enabled
    with the enable-cms configuration option.
    [Steve Henson]

 *) Update the GMP engine glue to do direct copies between BIGNUM and
    mpz_t when openssl and GMP use the same limb size. Otherwise the
    existing "conversion via a text string export" trick is still used.
    [Paul Sheer <>]

 *) Zlib compression BIO. This is a filter BIO which compresses and
    uncompresses any data passed through it.
    [Steve Henson]

 *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
    RFC3394 compatible AES key wrapping.
    [Steve Henson]

 *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
    sets string data without copying. X509_ALGOR_set0() and
    X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
    data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
    from an X509_ATTRIBUTE structure optionally checking it occurs only
    once. ASN1_TYPE_set1(): sets an ASN1_TYPE structure, copying the
    supplied data.
    [Steve Henson]

 *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
    to get the expected BN_FLG_CONSTTIME behavior.
    [Bodo Moeller (Google)]

 *) Netware support:

    - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
    - fixed to run the test suite with CLIB builds too (CLIB_OPT)
    - added some more tests to
    - fixed RunningProcess usage so that it works with newer LIBC NDKs too
    - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
    - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
      netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
    - various changes to to enable gcc-cross builds on Win32
      platform
    - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
    - various changes to fix missing prototype warnings
    - fixed to create correct asm files for NASM COFF output
    - added AES, WHIRLPOOL and CPUID assembler code to build files
    - added missing AES assembler make rules to
    - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
    [Guenter Knauf <>]

 *) Implement certificate status request TLS extension defined in RFC3546.
    A client can set the appropriate parameters and receive the encoded
    OCSP response via a callback. A server can query the supplied parameters
    and set the encoded OCSP response in the callback. Add simplified examples
    to s_client and s_server.
    [Steve Henson]
Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

 *) Fix various bugs:
    + Binary incompatibility of ssl_ctx_st structure
    + DTLS interoperation with non-compliant servers
    + Don't call get_session_cb() without proposed session
    + Fix ia64 assembler code
    [Andy Polyakov, Steve Henson]
Changes between 0.9.8e and 0.9.8f [11 Oct 2007]

 *) DTLS Handshake overhaul. There were longstanding issues with the
    OpenSSL DTLS implementation, which were making it impossible for an
    RFC 4347 compliant client to communicate with an OpenSSL server.
    Unfortunately just fixing these incompatibilities would "cut off"
    pre-0.9.8f clients. To allow for hassle free upgrade, the post-0.9.8e
    server keeps tolerating non RFC compliant syntax. The opposite is
    not true: a 0.9.8f client can not communicate with an earlier server.
    This update even addresses CVE-2007-4995.
    [Andy Polyakov]

 *) Changes to avoid need for function casts in OpenSSL: some compilers
    (gcc 4.2 and later) reject their use.
    [Kurt Roeckx <>, Peter Hartley <>,
     Steve Henson]

 *) Add RFC4507 support to OpenSSL. This includes the corrections in
    RFC4507bis. The encrypted ticket format is an encrypted encoded
    SSL_SESSION structure, that way new session features are automatically
    supported.

    If a client application caches session in an SSL_SESSION structure
    support is transparent because tickets are now stored in the encoded

    The SSL_CTX structure automatically generates keys for ticket
    protection in servers so again support should be possible
    with no application modification.

    If a client or server wishes to disable RFC4507 support then the option
    SSL_OP_NO_TICKET can be set.

    Add a TLS extension debugging callback to allow the contents of any client
    or server extensions to be examined.

    This work was sponsored by Google.
    [Steve Henson]

 *) Add initial support for TLS extensions, specifically for the server_name
    extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
    have new members for a host name. The SSL data structure has an
    additional member SSL_CTX *initial_ctx so that new sessions can be
    stored in that context to allow for session resumption, even after the
    SSL has been switched to a new SSL_CTX in reaction to a client's
    server_name extension.

    New functions (subject to change):

      SSL_get_servername()
      SSL_get_servername_type()
      SSL_set_SSL_CTX()

    New CTRL codes and macros (subject to change):

      - SSL_CTX_set_tlsext_servername_callback()
      - SSL_CTX_set_tlsext_servername_arg()
      SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

    openssl s_client has a new '-servername ...' option.

    openssl s_server has new options '-servername_host ...', '-cert2 ...',
    '-key2 ...', '-servername_fatal' (subject to change). This allows
    testing the HostName extension for a specific single host name ('-cert'
    and '-key' remain fallbacks for handshakes without HostName
    negotiation). If the unrecognized_name alert has to be sent, this by
    default is a warning; it becomes fatal with the '-servername_fatal'
    option.

    [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]
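As an added illustration, not OpenSSL's own code, of the data that a servername callback registered through the new SSL_CTX_set_tlsext_servername_callback() eventually works on, here is a strict parser for the server_name extension body in its RFC 3546 wire format. The sample bodies are constructed, and the 256-byte host buffer is an assumption of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict parser for the body of the server_name extension (RFC 3546, 3.1):
 *   ServerNameList = uint16 list_length, then one or more
 *   ServerName     = uint8 name_type (0 = host_name), uint16 length, bytes
 * Returns 1 and writes the NUL-terminated host name to out, or 0 when the
 * body is malformed, carries no host_name, or is otherwise unsupported. */
int parse_server_name_ext(const uint8_t *ext, size_t ext_len,
                          char *out, size_t out_size)
{
    size_t list_len, pos;
    int seen_host_name = 0;

    if (ext_len < 2)
        return 0;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    /* The list must fill the body exactly: no missing or trailing bytes. */
    if (list_len + 2 != ext_len)
        return 0;

    pos = 2;
    while (pos < ext_len) {
        uint8_t name_type;
        size_t name_len;

        if (ext_len - pos < 3)                /* need type + 16-bit length */
            return 0;
        name_type = ext[pos];
        name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > ext_len - pos)         /* claimed length overruns body */
            return 0;

        if (name_type == 0) {
            /* RFC 3546: at most one entry per name_type. */
            if (seen_host_name)
                return 0;
            seen_host_name = 1;
            /* The name is later handled as a C string, so an empty name or
             * an embedded NUL is rejected rather than silently truncated. */
            if (name_len == 0 || name_len >= out_size)
                return 0;
            if (memchr(ext + pos, '\0', name_len) != NULL)
                return 0;
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
        }
        /* Entries of other name types are skipped; only host_name is defined. */
        pos += name_len;
    }
    return seen_host_name;
}

/* Wrapper returning the host name from a static buffer, or NULL on rejection. */
const char *server_name_of(const uint8_t *ext, size_t ext_len)
{
    static char host[256];
    return parse_server_name_ext(ext, ext_len, host, sizeof host) ? host : NULL;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t sample_good[] = {
    0x00, 0x0e,                         /* list length 14 */
    0x00, 0x00, 0x0b,                   /* host_name, length 11 */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g' };
static const uint8_t sample_overrun[] = {
    0x00, 0x0e, 0x00, 0x00, 0x20,       /* claims 32 bytes, only 11 present */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'o', 'r', 'g' };
static const uint8_t sample_nul[] = {
    0x00, 0x0e, 0x00, 0x00, 0x0b,
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '\0', 'o', 'r', 'g' };
static const uint8_t sample_dup[] = {
    0x00, 0x0c,                         /* two host_name entries */
    0x00, 0x00, 0x03, 'a', 'b', 'c',
    0x00, 0x00, 0x03, 'x', 'y', 'z' };

int main(void)
{
    const char *h = server_name_of(sample_good, sizeof sample_good);
    printf("good:    %s\n", h ? h : "(rejected)");
    printf("overrun: %s\n", server_name_of(sample_overrun, sizeof sample_overrun) ? "accepted" : "rejected");
    printf("nul:     %s\n", server_name_of(sample_nul, sizeof sample_nul) ? "accepted" : "rejected");
    printf("dup:     %s\n", server_name_of(sample_dup, sizeof sample_dup) ? "accepted" : "rejected");
    return 0;
}
```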
 *) Add AES and SSE2 assembly language support to VC++ build.
    [Steve Henson]

 *) Mitigate attack on final subtraction in Montgomery reduction.
    [Andy Polyakov]

 *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
    (which previously caused an internal error).
    [Bodo Moeller]

 *) Squeeze another 10% out of IGE mode when in != out.
    [Ben Laurie]

 *) AES IGE mode speedup.
    [Dean Gaudet (Google)]

 *) Add the Korean symmetric 128-bit cipher SEED (see
    and
    add SEED ciphersuites from RFC 4162:

    To minimize changes between patchlevels in the OpenSSL 0.9.8
    series, SEED remains excluded from compilation unless OpenSSL
    is configured with 'enable-seed'.
    [KISA, Bodo Moeller]

 *) Mitigate branch prediction attacks, which can be practical if a
    single processor is shared, allowing a spy process to extract
    information. For detailed background information, see
    (O. Aciicmez, S. Gueron,
    J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
    and Necessary Software Countermeasures"). The core of the change
    is new versions BN_div_no_branch() and
    BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
    respectively, which are slower, but avoid the security-relevant
    conditional branches. These are automatically called by BN_div()
    and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
    of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
    remove a conditional branch.

    BN_FLG_CONSTTIME is the new name for the previous
    BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
    modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
    in the exponent causes BN_mod_exp_mont() to use the alternative
    implementation in BN_mod_exp_mont_consttime().) The old name
    remains as a deprecated alias.

    Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
    RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
    constant-time implementations for more than just exponentiation.
    Here too the old name is kept as a deprecated alias.

    BN_BLINDING_new() will now use BN_dup() for the modulus so that
    the BN_BLINDING structure gets an independent copy of the
    modulus. This means that the previous "BIGNUM *m" argument to
    BN_BLINDING_new() and to BN_BLINDING_create_param() now
    essentially becomes "const BIGNUM *m", although we can't actually
    change this in the header file before 0.9.9. It allows
    RSA_setup_blinding() to use BN_with_flags() on the modulus to
    enable BN_FLG_CONSTTIME.

    [Matthew D Wood (Intel Corp)]
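Both the Montgomery final-subtraction mitigation above and the BN_FLG_CONSTTIME work are about removing branches whose direction depends on secret data. As an added example, not OpenSSL's bn code, here is single-limb Montgomery multiplication modulo a 32-bit odd modulus in which the final "subtract n if the result is at least n" step is done with a mask instead of a branch; the modulus and operand values are constructed, and the five-step Newton inverse is a choice of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Montgomery context for a single 32-bit limb, R = 2^32. */
struct mont_ctx {
    uint32_t n;       /* odd modulus (public) */
    uint32_t nprime;  /* -n^-1 mod 2^32 */
    uint32_t r2;      /* R^2 mod n, used to enter Montgomery form */
};

/* Branch-free "if (t >= n) t -= n" for 0 <= t < 2n: the borrow of t - n
 * selects the result through a mask, so the operand value never steers
 * a conditional jump. */
uint32_t ct_final_sub(uint64_t t, uint32_t n)
{
    uint64_t d = t - n;              /* wraps (top bit set) exactly when t < n */
    uint64_t mask = 0 - (d >> 63);   /* all ones when t < n, otherwise zero */
    return (uint32_t)((t & mask) | (d & ~mask));
}

void mont_ctx_init(struct mont_ctx *c, uint32_t n)
{
    uint32_t inv = n;   /* correct to 3 bits for odd n since n*n == 1 (mod 8) */
    uint64_t r;
    int i;

    for (i = 0; i < 5; i++)
        inv *= 2u - n * inv;          /* Newton step: precision doubles */
    c->n = n;
    c->nprime = 0u - inv;
    r = (1ULL << 32) % n;             /* R mod n; n is public, so % is fine */
    c->r2 = (uint32_t)((r * r) % n);
}

/* REDC: for T < n*R return T * R^-1 mod n without a secret-dependent branch. */
uint32_t mont_redc(const struct mont_ctx *c, uint64_t T)
{
    uint32_t m = (uint32_t)T * c->nprime;       /* (T mod R) * n' mod R */
    uint64_t u = (uint64_t)m * c->n;
    uint64_t s = T + u;                         /* may carry out of 64 bits */
    uint64_t carry = (s < T);
    uint64_t t = (s >> 32) | (carry << 32);     /* (T + m*n) / R, below 2n */
    return ct_final_sub(t, c->n);
}

uint32_t mont_mul(const struct mont_ctx *c, uint32_t a, uint32_t b)
{
    return mont_redc(c, (uint64_t)a * b);
}

/* a*b mod n computed through Montgomery form: enter with R^2, leave with 1. */
uint32_t mont_mulmod(uint32_t a, uint32_t b, uint32_t n)
{
    struct mont_ctx c;
    uint32_t am, bm, pm;

    mont_ctx_init(&c, n);
    am = mont_mul(&c, a, c.r2);   /* a*R mod n */
    bm = mont_mul(&c, b, c.r2);   /* b*R mod n */
    pm = mont_mul(&c, am, bm);    /* a*b*R mod n */
    return mont_mul(&c, pm, 1);   /* a*b mod n */
}

int main(void)
{
    uint32_t n = 4294967291u;     /* constructed odd modulus, a prime near 2^32 */
    printf("123456789 * 987654321 mod n = %u\n",
           mont_mulmod(123456789u, 987654321u, n));
    return 0;
}
```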
 *) In the SSL/TLS server implementation, be strict about session ID
    context matching (which matters if an application uses a single
    external cache for different purposes). Previously,
    out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
    set. This did ensure strict client verification, but meant that,
    with applications using a single external cache for quite
    different requirements, clients could circumvent ciphersuite
    restrictions for a given session ID context by starting a session
    in a different context.
    [Bodo Moeller]

 *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
    a ciphersuite string such as "DEFAULT:RSA" cannot enable
    authentication-only ciphersuites.
    [Bodo Moeller]

 *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
    not complete and could lead to a possible single byte overflow
    (CVE-2007-5135) [Ben Laurie]
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

 *) Since AES128 and AES256 (and similarly Camellia128 and
    Camellia256) share a single mask bit in the logic of
    ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
    kludge to work properly if AES128 is available and AES256 isn't
    (or if Camellia128 is available and Camellia256 isn't).
    [Victor Duchovni]

 *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
    (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
    When a point or a seed is encoded in a BIT STRING, we need to
    prevent the removal of trailing zero bits to get the proper DER
    encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
    of a NamedBitList, for which trailing 0 bits need to be removed.)
    [Bodo Moeller]

 *) Have SSL/TLS server implementation tolerate "mismatched" record
    protocol version while receiving ClientHello even if the
    ClientHello is fragmented. (The server can't insist on the
    particular protocol version it has chosen before the ServerHello
    message has informed the client about its choice.)
    [Bodo Moeller]

 *) Add RFC 3779 support.
    [Rob Austein for ARIN, Ben Laurie]

 *) Load error codes if they are not already present instead of using a
    static variable. This allows them to be cleanly unloaded and reloaded.
    Improve header file function name parsing.
    [Steve Henson]

 *) Extend SMTP and IMAP protocol emulation in s_client to use EHLO
    or CAPABILITY handshake as required by RFCs.
    [Goetz Babin-Ebell]
Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

 *) Introduce limits to prevent malicious keys being able to
    cause a denial of service. (CVE-2006-2940)
    [Steve Henson, Bodo Moeller]

 *) Fix ASN.1 parsing of certain invalid structures that can result
    in a denial of service. (CVE-2006-2937) [Steve Henson]

 *) Fix buffer overflow in SSL_get_shared_ciphers() function.
    (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

 *) Fix SSL client code which could crash if connecting to a
    malicious SSLv2 server. (CVE-2006-4343)
    [Tavis Ormandy and Will Drewry, Google Security Team]

 *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
    match only those. Before that, "AES256-SHA" would be interpreted
    as a pattern and match "AES128-SHA" too (since AES128-SHA got
    the same strength classification in 0.9.7h) as we currently only
    have a single AES bit in the ciphersuite description bitmap.
    That change, however, also applied to ciphersuite strings such as
    "RC4-MD5" that intentionally matched multiple ciphersuites --
    namely, SSL 2.0 ciphersuites in addition to the more common ones
    from SSL 3.0/TLS 1.0.

    So we change the selection algorithm again: Naming an explicit
    ciphersuite selects this one ciphersuite, and any other similar
    ciphersuite (same bitmap) from *other* protocol versions.
    Thus, "RC4-MD5" again will properly select both the SSL 2.0
    ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

    Since SSL 2.0 does not have any ciphersuites for which the
    128/256 bit distinction would be relevant, this works for now.
    The proper fix will be to use different bits for AES128 and
    AES256, which would have avoided the problems from the beginning;
    however, bits are scarce, so we can only do this in a new release
    (not just a patchlevel) when we can change the SSL_CIPHER
    definition to split the single 'unsigned long mask' bitmap into
    multiple values to extend the available space.

    [Bodo Moeller]
Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

 *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
    (CVE-2006-4339) [Ben Laurie and Google Security Team]
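The attack named above targets verifiers that locate the DigestInfo after the padding but do not require it to end exactly where the encoded message ends. As an added example, not OpenSSL's code (the k = 64 modulus size and the digest value are constructed), a lax check of that kind is placed next to the strict RFC 3447 comparison, and both are applied to a well-formed EM and to one with filler bytes after T:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EM is the k-byte result of the RSA public operation; T is the DER
 * DigestInfo of the hash. SHA-1 DigestInfo prefix per RFC 3447, 9.2, note 1. */
static const uint8_t SHA1_DIGESTINFO_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
    0x05, 0x00, 0x04, 0x14 };

/* Lax check modelled on the flawed logic: walk past 00 01 FF..FF 00, compare
 * T at that point and never look at the bytes that follow it. */
int pkcs1_v15_verify_lax(const uint8_t *em, size_t k,
                         const uint8_t *t, size_t tlen)
{
    size_t i;

    if (k < 11 || em[0] != 0x00 || em[1] != 0x01)
        return 0;
    for (i = 2; i < k && em[i] == 0xff; i++)
        ;
    if (i < 10 || i >= k || em[i] != 0x00)   /* at least 8 bytes of 0xFF */
        return 0;
    i++;
    if (k - i < tlen)
        return 0;
    return memcmp(em + i, t, tlen) == 0;     /* trailing bytes unchecked */
}

/* EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 T with PS of k - tlen - 3 bytes. */
int pkcs1_v15_encode(uint8_t *em, size_t k, const uint8_t *t, size_t tlen)
{
    size_t pslen;

    if (tlen + 11 > k)                       /* PS must be at least 8 bytes */
        return 0;
    pslen = k - tlen - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, pslen);
    em[2 + pslen] = 0x00;
    memcpy(em + 3 + pslen, t, tlen);
    return 1;
}

/* Strict check (RFC 3447, 8.2.2): rebuild EM' from T and require EM to be
 * identical over all k bytes, so T has to sit at the very end. */
int pkcs1_v15_verify_strict(const uint8_t *em, size_t k,
                            const uint8_t *t, size_t tlen)
{
    uint8_t expect[256];

    if (k > sizeof expect || !pkcs1_v15_encode(expect, k, t, tlen))
        return 0;
    return memcmp(em, expect, k) == 0;
}

/* Constructed T: SHA-1 prefix plus a made-up 20-byte digest value. */
static void build_t(uint8_t t[35])
{
    size_t i;
    memcpy(t, SHA1_DIGESTINFO_PREFIX, 15);
    for (i = 0; i < 20; i++)
        t[15 + i] = (uint8_t)(0xa0 + i);
}

/* Both demos return (lax << 1) | strict for a constructed k = 64. */
int demo_well_formed(void)
{
    uint8_t t[35], em[64];
    build_t(t);
    pkcs1_v15_encode(em, sizeof em, t, sizeof t);
    return (pkcs1_v15_verify_lax(em, sizeof em, t, sizeof t) << 1)
         | pkcs1_v15_verify_strict(em, sizeof em, t, sizeof t);
}

int demo_trailing_bytes(void)
{
    uint8_t t[35], em[64];
    build_t(t);
    /* Malformed EM: minimal 8-byte PS, then T, then 18 bytes of filler. */
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, 8);
    em[10] = 0x00;
    memcpy(em + 11, t, sizeof t);            /* occupies bytes 11..45 */
    memset(em + 46, 0x5a, sizeof em - 46);   /* never seen by the lax check */
    return (pkcs1_v15_verify_lax(em, sizeof em, t, sizeof t) << 1)
         | pkcs1_v15_verify_strict(em, sizeof em, t, sizeof t);
}

int main(void)
{
    int w = demo_well_formed(), m = demo_trailing_bytes();
    printf("well-formed EM:    lax=%d strict=%d\n", w >> 1, w & 1);
    printf("trailing-bytes EM: lax=%d strict=%d\n", m >> 1, m & 1);
    return 0;
}
```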
 *) Add AES IGE and biIGE modes.
    [Ben Laurie]

 *) Change the Unix randomness entropy gathering to use poll() when
    possible instead of select(), since the latter has some
    undesirable limitations.
    [Darryl Miles via Richard Levitte and Bodo Moeller]

 *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
    treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
    cannot be implicitly activated as part of, e.g., the "AES" alias.
    However, please upgrade to OpenSSL 0.9.9[-dev] for
    non-experimental use of the ECC ciphersuites to get TLS extension
    support, which is required for curve and point format negotiation
    to avoid potential handshake problems.
    [Bodo Moeller]

 *) Disable rogue ciphersuites:

    - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
    - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
    - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

    The latter two were purportedly from
    draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
    appear there.

    Also deactivate the remaining ciphersuites from
    draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
    unofficial, and the ID has long expired.
    [Bodo Moeller]

 *) Fix RSA blinding Heisenbug (problems sometimes occurred on
    dual-core machines) and other potential thread-safety issues.
    [Bodo Moeller]

 *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
    versions), which is now available for royalty-free use
    (see
    Also, add Camellia TLS ciphersuites from RFC 4132.

    To minimize changes between patchlevels in the OpenSSL 0.9.8
    series, Camellia remains excluded from compilation unless OpenSSL
    is configured with 'enable-camellia'.
    [NTT]

 *) Disable the padding bug check when compression is in use. The padding
    bug check assumes the first packet is of even length; this is not
    necessarily true if compression is enabled and can result in false
    positives causing handshake failure. The actual bug test is ancient
    code so it is hoped that implementations will either have fixed it by
    now or any which still have the bug do not support compression.
    [Steve Henson]
Changes between 0.9.8a and 0.9.8b [04 May 2006]

 *) When applying a cipher rule check to see if string match is an explicit
    cipher suite and only match that one cipher suite if it is.
    [Steve Henson]

 *) Link in manifests for VC++ if needed.
    [Austin Ziegler <>]

 *) Update support for ECC-based TLS ciphersuites according to
    draft-ietf-tls-ecc-12.txt with proposed changes (but without
    TLS extensions, which are supported starting with the 0.9.9
    branch, not in the OpenSSL 0.9.8 branch).
    [Douglas Stebila]

 *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
    opaque EVP_CIPHER_CTX handling.
    [Steve Henson]

 *) Fixes and enhancements to zlib compression code. We now only use
    "zlib1.dll" and use the default __cdecl calling convention on Win32
    to conform with the standards mentioned here:

    Static zlib linking now works on Windows and the new --with-zlib-include
    --with-zlib-lib options to Configure can be used to supply the location
    of the headers and library. Gracefully handle case where zlib library
    can't be loaded.
    [Steve Henson]

 *) Several fixes and enhancements to the OID generation code. The old code
    sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
    handle numbers larger than ULONG_MAX, truncated printing and had a
    non standard OBJ_obj2txt() behaviour.
    [Steve Henson]

 *) Add support for building of engines under engine/ as shared libraries
    under VC++ build system.
    [Steve Henson]

 *) Corrected the numerous bugs in the Win32 path splitter in DSO.
    Hopefully, we will not see any false combination of paths any more.
    [Richard Levitte]
Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

 *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
    (part of SSL_OP_ALL). This option used to disable the
    countermeasure against man-in-the-middle protocol-version
    rollback in the SSL 2.0 server implementation, which is a bad
    idea. (CVE-2005-2969)

    [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
    for Information Security, National Institute of Advanced Industrial
    Science and Technology [AIST], Japan)]

 *) Add two functions to clear and return the verify parameter flags.
    [Steve Henson]

 *) Keep cipherlists sorted in the source instead of sorting them at
    runtime, thus removing the need for a lock.
    [Nils Larsch]

 *) Avoid some small subgroup attacks in Diffie-Hellman.
    [Nick Mathewson and Ben Laurie]

 *) Add functions for well-known primes.
    [Nick Mathewson]

 *) Extended Windows CE support.
    [Satoshi Nakamura and Andy Polyakov]

 *) Initialize SSL_METHOD structures at compile time instead of during
    runtime, thus removing the need for a lock.
    [Steve Henson]

 *) Make PKCS7_decrypt() work even if no certificate is supplied by
    attempting to decrypt each encrypted key in turn. Add support to
    smime utility.
    [Steve Henson]
680 Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
682 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
683 OpenSSL 0.9.8.]
685 *) Add libcrypto.pc and libssl.pc for those who feel they need them.
686 [Richard Levitte]
688 *) Change and so they don't bundle the CSR and the private
689 key into the same file any more.
690 [Richard Levitte]
692 *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
693 [Andy Polyakov]
695 *) Add -utf8 command line and config file option to 'ca'.
696 [Stefan <]
698 *) Removed the macro des_crypt(), as it seems to conflict with some
699 libraries. Use DES_crypt().
700 [Richard Levitte]
702 *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
703 involves renaming the source and generated shared-libs for
704 both. The engines will accept the corrected or legacy ids
705 ('ncipher' and '4758_cca' respectively) when binding. NB,
706 this only applies when building 'shared'.
707 [Corinna Vinschen <> and Geoff Thorpe]
709 *) Add attribute functions to EVP_PKEY structure. Modify
710 PKCS12_create() to recognize a CSP name attribute and
711 use it. Make -CSP option work again in pkcs12 utility.
712 [Steve Henson]
714 *) Add new functionality to the bn blinding code:
715 - automatic re-creation of the BN_BLINDING parameters after
716 a fixed number of uses (currently 32)
717 - add new function for parameter creation
718 - introduce flags to control the update behaviour of the
719 BN_BLINDING parameters
720 - hide BN_BLINDING structure
721 Add a second BN_BLINDING slot to the RSA structure to improve
722 performance when a single RSA object is shared among several
723 threads.
724 [Nils Larsch]
726 *) Add support for DTLS.
727 [Nagendra Modadugu <> and Ben Laurie]
729 *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
730 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
731 [Walter Goulet]
733 *) Remove buggy and incompletet DH cert support from
734 ssl/ssl_rsa.c and ssl/s3_both.c
735 [Nils Larsch]
737 *) Use SHA-1 instead of MD5 as the default digest algorithm for
738 the apps/openssl applications.
739 [Nils Larsch]
741 *) Compile clean with "-Wall -Wmissing-prototypes
742 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
743 DEBUG_SAFESTACK must also be set.
744 [Ben Laurie]
746 *) Change ./Configure so that certain algorithms can be disabled by default.
747 The new counterpiece to "no-xxx" is "enable-xxx".
749 The patented RC5 and MDC2 algorithms will now be disabled unless
750 "enable-rc5" and "enable-mdc2", respectively, are specified.
752 (IDEA remains enabled despite being patented. This is because IDEA
753 is frequently required for interoperability, and there is no license
754 fee for non-commercial use. As before, "no-idea" can be used to
755 avoid this algorithm.)
757 [Bodo Moeller]
759 *) Add processing of proxy certificates (see RFC 3820). This work was
760 sponsored by KTH (The Royal Institute of Technology in Stockholm) and
761 EGEE (Enabling Grids for E-science in Europe).
762 [Richard Levitte]
764 *) RC4 performance overhaul on modern architectures/implementations, such
765 as Intel P4, IA-64 and AMD64.
766 [Andy Polyakov]
768 *) New utility This can be used specify an alternative
769 section number in a pod file instead of having to treat each file as
770 a separate case in Makefile. This can be done by adding two lines to the
771 pod file:
773 =for comment openssl_section:XXX
775 The blank line is mandatory.
777 [Steve Henson]
779 *) New arguments -certform, -keyform and -pass for s_client and s_server
780 to allow alternative format key and certificate files and passphrase
781 sources.
782 [Steve Henson]
784 *) New structure X509_VERIFY_PARAM which combines current verify parameters,
785 update associated structures and add various utility functions.
787 Add new policy related verify parameters, include policy checking in
788 standard verify code. Enhance 'smime' application with extra parameters
789 to support policy checking and print out.
790 [Steve Henson]
  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
     [Michal Ludvig <>, with help from Andy Polyakov]

  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
     [Geoff Thorpe]

  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
     [Andy Polyakov and a number of other people]

  *) Improved PowerPC platform support. Most notably BIGNUM assembler
     implementation contributed by IBM.
     [Suresh Chari, Peter Waltenberg, Andy Polyakov]

  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
     exponent rather than 'unsigned long'. There is a corresponding change to
     the new 'rsa_keygen' element of the RSA_METHOD structure.
     [Jelte Jansen, Geoff Thorpe]
  *) Functionality for creating the initial serial number file is now
     moved from to the 'ca' utility with a new option -create_serial.

     (Before OpenSSL 0.9.7e, used to initialize the serial
     number file to 1, which is bound to cause problems. To avoid
     the problems while respecting compatibility between different 0.9.7
     patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
     for serial number initialization. With the new release 0.9.8,
     we can fix the problem directly in the 'ca' utility.)
     [Steve Henson]
  *) Reduced header interdependencies by declaring more opaque objects in
     ossl_typ.h. As a consequence, including some headers (e.g. engine.h) will
     give fewer recursive includes, which could break lazy source code - so
     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
     developers should define this symbol when building and using openssl to
     ensure they track the recommended behaviour, interfaces, [etc], but
     backwards-compatible behaviour prevails when this isn't defined.
     [Geoff Thorpe]
  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
     [Steve Henson]

  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
     This will generate a random key of the appropriate length based on the
     cipher context. The EVP_CIPHER can provide its own random key generation
     routine to support keys of a specific form. This is used in the des and
     3des routines to generate a key of the correct parity. Update S/MIME
     code to use new functions and hence generate correct parity DES keys.
     Add EVP_CHECK_DES_KEY #define to return an error if the key is not
     valid (weak or incorrect parity).
     [Steve Henson]
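     As an added illustration, not code from OpenSSL, here is the parity rule
     and the weak-key table that make a DES or 3DES key "valid" in the sense
     of EVP_CHECK_DES_KEY, in stand-alone C. des_set_odd_parity,
     des_is_weak_key and des_key_is_valid are names chosen for this example,
     not OpenSSL's API.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example (not OpenSSL code): the odd-parity and weak-key rules
 * that decide whether a DES/3DES key is "valid" for EVP_CHECK_DES_KEY. */

/* The 4 weak and 12 semi-weak single-DES keys, all already in odd parity. */
static const unsigned char des_weak_keys[16][8] = {
    {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
    {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
    {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
    {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
    {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
    {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
    {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
    {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1},
};
/* Force odd parity: the low bit of each byte is the parity bit, so flip it
 * whenever the byte has an even number of 1 bits. Returns bytes changed. */
size_t des_set_odd_parity(unsigned char *key, size_t len)
{
    size_t i, changed = 0;
    for (i = 0; i < len; i++) {
        unsigned int b = key[i], ones = 0;
        while (b) { ones += b & 1u; b >>= 1; }
        if ((ones & 1u) == 0) { key[i] ^= 1u; changed++; }
    }
    return changed;
}

/* 1 if the 8-byte block (assumed already in odd parity) is weak or semi-weak. */
int des_is_weak_key(const unsigned char *block)
{
    size_t i;
    for (i = 0; i < 16; i++)
        if (memcmp(block, des_weak_keys[i], 8) == 0) return 1;
    return 0;
}

/* Validate an 8-byte DES or 24-byte 3DES key: every byte must already have
 * odd parity and no 8-byte sub-key may be weak. Returns 1 if valid, else 0. */
int des_key_is_valid(const unsigned char *key, size_t len)
{
    unsigned char copy[24]; size_t i;
    if (len != 8 && len != 24) return 0;
    memcpy(copy, key, len);
    if (des_set_odd_parity(copy, len) != 0) return 0;   /* parity was wrong */
    for (i = 0; i < len; i += 8)
        if (des_is_weak_key(key + i)) return 0;         /* weak sub-key */
    return 1;
}
```

     Generating a key in this scheme is then just drawing 8 or 24 random
     bytes, calling des_set_odd_parity on them, and retrying if
     des_key_is_valid still rejects the result.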
  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
     as looking them up. This is useful when the verified structure may contain
     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
     present unless the new PKCS7_NO_CRL flag is asserted.
     [Steve Henson]

  *) Extend ASN1 oid configuration module. It now additionally accepts the
     syntax:

     shortName = some long name,
     [Steve Henson]

  *) Reimplemented the BN_CTX implementation. There is now no more static
     limitation on the number of variables it can handle nor the depth of the
     "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
     information can now expand as required, and rather than having a single
     static array of bignums, BN_CTX now uses a linked-list of such arrays
     allowing it to expand on demand whilst maintaining the usefulness of
     BN_CTX's "bundling".
     [Geoff Thorpe]
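     A constructed miniature, not OpenSSL's BN_CTX, of the layout this entry
     describes: a linked list of fixed-size arrays that grows on demand, plus
     a frame stack so that start()/end() pairs release slots in bulk, with
     get() handing back zeroed slots. POOL_SIZE, MAX_DEPTH and the ctx_* names
     are choices made for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed example, not OpenSSL's BN_CTX: the "linked list of arrays plus
 * frame stack" layout described above, so get() never runs out of slots. */
#define POOL_SIZE 4          /* slots per array, kept small to force growth */
#define MAX_DEPTH 16         /* nesting of start()/end() pairs */

typedef struct { long v; } BigNum;            /* stand-in for a BIGNUM */
typedef struct Pool { BigNum vals[POOL_SIZE]; struct Pool *next; } Pool;
typedef struct {
    Pool *head;              /* list of arrays, appended on demand */
    unsigned used;           /* slots handed out so far */
    unsigned frames[MAX_DEPTH], depth;  /* 'used' saved at each start() */
    int err;                 /* sticky error flag, as BN_CTX keeps */
} Ctx;

Ctx *ctx_new(void) { return calloc(1, sizeof(Ctx)); }
void ctx_free(Ctx *c) {
    Pool *p = c ? c->head : NULL;
    while (p) { Pool *n = p->next; free(p); p = n; }
    free(c);
}
int ctx_start(Ctx *c) {
    if (c->err || c->depth == MAX_DEPTH) { c->err = 1; return 0; }
    c->frames[c->depth++] = c->used;
    return 1;
}
/* Hand out the next slot, zeroed, appending a new array when all are used. */
BigNum *ctx_get(Ctx *c) {
    Pool **pp = &c->head;
    unsigned idx = c->used;
    if (c->err || c->depth == 0) { c->err = 1; return NULL; }  /* no frame */
    for (;; idx -= POOL_SIZE) {
        if (!*pp && !(*pp = calloc(1, sizeof(Pool)))) { c->err = 1; return NULL; }
        if (idx < POOL_SIZE) break;
        pp = &(*pp)->next;
    }
    c->used++;
    memset(&(*pp)->vals[idx], 0, sizeof(BigNum));
    return &(*pp)->vals[idx];
}
/* Release all slots taken since the matching start(); the arrays are kept. */
void ctx_end(Ctx *c) { if (c->depth) c->used = c->frames[--c->depth]; }

unsigned ctx_pools(const Ctx *c) {            /* arrays allocated so far */
    unsigned n = 0; const Pool *p;
    for (p = c->head; p; p = p->next) n++;
    return n;
}
```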
  *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
     to allow all RSA operations to function using a single BN_CTX.
     [Geoff Thorpe]

  *) Preliminary support for certificate policy evaluation and checking. This
     is initially intended to pass the tests outlined in "Conformance Testing
     of Relying Party Client Certificate Path Processing Logic" v1.07.
     [Steve Henson]

  *) bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and
     remained unused and not that useful. A variety of other little bignum
     tweaks and fixes have also been made continuing on from the audit (see
     below).
     [Geoff Thorpe]
  *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
     associated ASN1, EVP and SSL functions and old ASN1 macros.
     [Richard Levitte]

  *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
     and this should never fail. So the return value from the use of
     BN_set_word() (which can fail due to needless expansion) is now deprecated;
     if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
     [Geoff Thorpe]

  *) BN_CTX_get() should return zero-valued bignums, providing the same
     initialised value as BN_new().