Import OpenSSL 0.9.8l
[dragonfly.git] / crypto / openssl / CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]

 Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]

  *) Don't set val to NULL when freeing up structures, it is freed up by
     underlying code. If sizeof(void *) > sizeof(long) this can result in
     zeroing past the valid field. (CVE-2009-0789)
     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]

  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
     checked correctly. This would allow some invalid signed attributes to
     appear to verify correctly. (CVE-2009-0591)
     [Ivan Nestlerode <inestlerode@us.ibm.com>]

  *) Reject UniversalString and BMPString types with invalid lengths. This
     prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
     a legal length. (CVE-2009-0590)
     [Steve Henson]

  *) Set S/MIME signing as the default purpose rather than setting it
     unconditionally. This allows applications to override it at the store
     level.
     [Steve Henson]

  *) Permit restricted recursion of ASN1 strings. This is needed in practice
     to handle some structures.
     [Steve Henson]

  *) Improve efficiency of mem_gets: don't search whole buffer each time
     for a '\n'.
     [Jeremy Shapiro <jnshapir@us.ibm.com>]

  *) New -hex option for openssl rand.
     [Matthieu Herrb]

  *) Print out UTF8String and NumericString when parsing ASN1.
     [Steve Henson]

  *) Support NumericString type for name components.
     [Steve Henson]

  *) Allow CC in the environment to override the automatically chosen
     compiler. Note that nothing is done to ensure flags work with the
     chosen compiler.
     [Ben Laurie]

 Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]

  *) Properly check EVP_VerifyFinal() and similar return values
     (CVE-2008-5077).
     [Ben Laurie, Bodo Moeller, Google Security Team]

  *) Enable TLS extensions by default.
     [Ben Laurie]

  *) Allow the CHIL engine to be loaded, whether the application is
     multithreaded or not. (This does not release the developer from the
     obligation to set up the dynamic locking callbacks.)
     [Sander Temme <sander@temme.net>]

  *) Use correct exit code if there is an error in dgst command.
     [Steve Henson; problem pointed out by Roland Dirlewanger]

  *) Tweak Configure so that you need to say "experimental-jpake" to enable
     JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
     [Bodo Moeller]

  *) Add experimental JPAKE support, including demo authentication in
     s_client and s_server.
     [Ben Laurie]

  *) Set the comparison function in v3_addr_canonize().
     [Rob Austein <sra@hactrn.net>]

  *) Add support for XMPP STARTTLS in s_client.
     [Philip Paeps <philip@freebsd.org>]

  *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
     to ensure that even with this option, only ciphersuites in the
     server's preference list will be accepted. (Note that the option
     applies only when resuming a session, so the earlier behavior was
     just about the algorithm choice for symmetric cryptography.)
     [Bodo Moeller]

 Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]

  *) Fix a state transition in s3_srvr.c and d1_srvr.c
     (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
     [Nagendra Modadugu]

  *) The fix in 0.9.8c that supposedly got rid of unsafe
     double-checked locking was incomplete for RSA blinding,
     addressing just one layer of what turns out to have been
     doubly unsafe triple-checked locking.

     So now fix this for real by retiring the MONT_HELPER macro
     in crypto/rsa/rsa_eay.c.

     [Bodo Moeller; problem pointed out by Marius Schilder]

  *) Various precautionary measures:

     - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).

     - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
       (NB: This would require knowledge of the secret session ticket key
       to exploit, in which case you'd be SOL either way.)

     - Change bn_nist.c so that it will properly handle input BIGNUMs
       outside the expected range.

     - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
       builds.

     [Neel Mehta, Bodo Moeller]

  *) Allow engines to be "soft loaded" - i.e. optionally don't die if
     the load fails. Useful for distros.
     [Ben Laurie and the FreeBSD team]

  *) Add support for Local Machine Keyset attribute in PKCS#12 files.
     [Steve Henson]

  *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
     [Huang Ying]

  *) Expand ENGINE to support engine supplied SSL client certificate functions.

     This work was sponsored by Logica.
     [Steve Henson]

  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
     keystores. Support for SSL/TLS client authentication too.
     Not compiled unless enable-capieng specified to Configure.

     This work was sponsored by Logica.
     [Steve Henson]

  *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
     ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
     attribute creation routines such as certificate requests and PKCS#12
     files.
     [Steve Henson]

 Changes between 0.9.8g and 0.9.8h  [28 May 2008]

  *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
     handshake which could lead to a client crash as found using the
     Codenomicon TLS test suite (CVE-2008-1672)
     [Steve Henson, Mark Cox]

  *) Fix double free in TLS server name extensions which could lead to
     a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
     [Joe Orton]

  *) Clear error queue in SSL_CTX_use_certificate_chain_file()

     Clear the error queue to ensure that error entries left from
     older function calls do not interfere with the correct operation.
     [Lutz Jaenicke, Erik de Castro Lopo]

  *) Remove root CA certificates of commercial CAs:

     The OpenSSL project does not recommend any specific CA and does not
     have any policy with respect to including or excluding any CA.
     Therefore it does not make any sense to ship an arbitrary selection
     of root CA certificates with the OpenSSL software.
     [Lutz Jaenicke]

  *) RSA OAEP patches to fix two separate invalid memory reads.
     The first one involves inputs when 'lzero' is greater than
     'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
     before the beginning of from). The second one involves inputs where
     the 'db' section contains nothing but zeroes (there is a one-byte
     invalid read after the end of 'db').
     [Ivan Nestlerode <inestlerode@us.ibm.com>]

  *) Partial backport from 0.9.9-dev:

     Introduce bn_mul_mont (dedicated Montgomery multiplication
     procedure) as a candidate for BIGNUM assembler implementation.
     While 0.9.9-dev uses assembler for various architectures, only
     x86_64 is available by default here in the 0.9.8 branch, and
     32-bit x86 is available through a compile-time setting.

     To try the 32-bit x86 assembler implementation, use Configure
     option "enable-montasm" (which exists only for this backport).

     As "enable-montasm" for 32-bit x86 disclaims code stability
     anyway, in this constellation we activate additional code
     backported from 0.9.9-dev for further performance improvements,
     namely BN_from_montgomery_word. (To enable this otherwise,
     e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)

     [Andy Polyakov (backport partially by Bodo Moeller)]

  *) Add TLS session ticket callback. This allows an application to set
     TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
     values. This is useful for key rollover for example where several key
     sets may exist with different names.
     [Steve Henson]

  *) Reverse ENGINE-internal logic for caching default ENGINE handles.
     This was broken until now in 0.9.8 releases, such that the only way
     a registered ENGINE could be used (assuming it initialises
     successfully on the host) was to explicitly set it as the default
     for the relevant algorithms. This is in contradiction with 0.9.7
     behaviour and the documentation. With this fix, when an ENGINE is
     registered into a given algorithm's table of implementations, the
     'uptodate' flag is reset so that auto-discovery will be used next
     time a new context for that algorithm attempts to select an
     implementation.
     [Ian Lister (tweaked by Geoff Thorpe)]

  *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
     implementation in the following ways:

     Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
     hard coded.

     Lack of BER streaming support means one pass streaming processing is
     only supported if data is detached: setting the streaming flag is
     ignored for embedded content.

     CMS support is disabled by default and must be explicitly enabled
     with the enable-cms configuration option.
     [Steve Henson]

  *) Update the GMP engine glue to do direct copies between BIGNUM and
     mpz_t when openssl and GMP use the same limb size. Otherwise the
     existing "conversion via a text string export" trick is still used.
     [Paul Sheer <paulsheer@gmail.com>]

  *) Zlib compression BIO. This is a filter BIO which compresses and
     uncompresses any data passed through it.
     [Steve Henson]

  *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
     RFC3394 compatible AES key wrapping.
     [Steve Henson]
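The RFC 3394 wrap and unwrap procedure behind AES_wrap_key() and AES_unwrap_key(), written out here as an added Go example (not OpenSSL's code): the 64-bit initial value A6A6A6A6A6A6A6A6 is carried through the six rounds and must reappear after unwrapping, which is what lets the unwrap side reject a wrong KEK or a modified wrapped key. The vector in main() is the one from RFC 3394 section 4.1 and is embedded inline.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the RFC 3394 initial value; unwrap must recover it in A.
const defaultIV uint64 = 0xA6A6A6A6A6A6A6A6

// WrapKey wraps keyData (a multiple of 8 bytes, at least 16) under a
// 16/24/32-byte KEK, returning A | R[1..n] (8 bytes longer than the input).
func WrapKey(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be a multiple of 8 bytes, at least 16")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	out := make([]byte, 8*(n+1)) // A | R[1] | ... | R[n], updated in place
	a := out[:8]
	binary.BigEndian.PutUint64(a, defaultIV)
	copy(out[8:], keyData)
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			ri := out[8*(i+1) : 8*(i+2)]
			// B = AES(K, A | R[i]); A = MSB64(B) ^ t; R[i] = LSB64(B)
			copy(b[:8], a)
			copy(b[8:], ri)
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1) // the RFC's t = (n*j)+i with 1-based i
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b[:8])^t)
			copy(ri, b[8:])
		}
	}
	return out, nil
}

// UnwrapKey inverts WrapKey. It fails when the recovered A is not the
// default IV, which is how a wrong KEK or a modified wrapped key shows up.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped key must be a multiple of 8 bytes, at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	buf := append([]byte{}, wrapped...) // work on a copy; caller's slice stays intact
	a := buf[:8]
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			ri := buf[8*(i+1) : 8*(i+2)]
			// B = AES^-1(K, (A ^ t) | R[i]); A = MSB64(B); R[i] = LSB64(B)
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a)^t)
			copy(b[8:], ri)
			block.Decrypt(b[:], b[:])
			copy(a, b[:8])
			copy(ri, b[8:])
		}
	}
	if binary.BigEndian.Uint64(a) != defaultIV {
		return nil, errors.New("integrity check failed: wrong KEK or modified wrapped key")
	}
	return buf[8:], nil
}

func main() {
	// RFC 3394 section 4.1 vector (128-bit KEK, 128-bit key data), embedded here.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, keyData)
	fmt.Printf("wrapped:   %X err=%v\n", wrapped, err)
	unwrapped, err := UnwrapKey(kek, wrapped)
	fmt.Printf("unwrapped: %X err=%v\n", unwrapped, err)
	wrapped[9] ^= 0x01 // a single flipped bit is caught by the check value
	_, err = UnwrapKey(kek, wrapped)
	fmt.Println("tampered:", err)
}
```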

  *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
     sets string data without copying. X509_ALGOR_set0() and
     X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
     data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
     from an X509_ATTRIBUTE structure optionally checking it occurs only
     once. ASN1_TYPE_set1(): set an ASN1_TYPE structure, copying supplied
     data.
     [Steve Henson]

  *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
     to get the expected BN_FLG_CONSTTIME behavior.
     [Bodo Moeller (Google)]

  *) Netware support:

     - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
     - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
     - added some more tests to do_tests.pl
     - fixed RunningProcess usage so that it works with newer LIBC NDKs too
     - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
     - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
       netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
     - various changes to netware.pl to enable gcc-cross builds on Win32
       platform
     - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
     - various changes to fix missing prototype warnings
     - fixed x86nasm.pl to create correct asm files for NASM COFF output
     - added AES, WHIRLPOOL and CPUID assembler code to build files
     - added missing AES assembler make rules to mk1mf.pl
     - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
     [Guenter Knauf <eflash@gmx.net>]

  *) Implement certificate status request TLS extension defined in RFC3546.
     A client can set the appropriate parameters and receive the encoded
     OCSP response via a callback. A server can query the supplied parameters
     and set the encoded OCSP response in the callback. Add simplified examples
     to s_client and s_server.
     [Steve Henson]

 Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]

  *) Fix various bugs:
     + Binary incompatibility of ssl_ctx_st structure
     + DTLS interoperation with non-compliant servers
     + Don't call get_session_cb() without proposed session
     + Fix ia64 assembler code
     [Andy Polyakov, Steve Henson]

 Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]

  *) DTLS Handshake overhaul. There were longstanding issues with the
     OpenSSL DTLS implementation, which were making it impossible for an
     RFC 4347 compliant client to communicate with an OpenSSL server.
     Unfortunately just fixing these incompatibilities would "cut off"
     pre-0.9.8f clients. To allow for a hassle free upgrade, a post-0.9.8e
     server keeps tolerating non RFC compliant syntax. The opposite is
     not true: a 0.9.8f client can not communicate with an earlier server.
     This update even addresses CVE-2007-4995.
     [Andy Polyakov]

  *) Changes to avoid need for function casts in OpenSSL: some compilers
     (gcc 4.2 and later) reject their use.
     [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
      Steve Henson]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically
     supported.

     If a client application caches sessions in an SSL_SESSION structure
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.

     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
     [Steve Henson]
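The named-key rollover that the 0.9.8h ticket callback entry and this RFC4507 entry describe, as an added Go model rather than OpenSSL's implementation: each key set carries a 16-byte name at the front of the ticket, new tickets are sealed with the current set, and older sets keep opening their tickets until they are retired, at which point the ticket forces a full handshake. The ticket layout (key name, IV, encrypted state, MAC), AES-128-CTR, HMAC-SHA-256 and the key names are assumptions of this model; the session state is a constructed stand-in for an encoded SSL_SESSION.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const keyNameLen = 16 // RFC 4507 key_name length
// TicketKey is one named key set (sizes are this model's assumptions).
type TicketKey struct {
	Name    [keyNameLen]byte
	AESKey  []byte // 16 bytes: AES-128-CTR for the state
	HMACKey []byte // 32 bytes: HMAC-SHA-256 over the whole ticket
}

func randFill(b []byte) []byte {
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: not recoverable for a ticket-issuing server
	}
	return b
}

// NewTicketKey builds a key set with fresh random keys under the given name.
func NewTicketKey(name string) TicketKey {
	tk := TicketKey{AESKey: randFill(make([]byte, 16)), HMACKey: randFill(make([]byte, 32))}
	copy(tk.Name[:], name) // zero-padded or truncated to 16 bytes
	return tk
}

// Keyring stands in for the ticket-key callback: Keys[0] seals, every key opens.
type Keyring struct{ Keys []TicketKey }

func (r *Keyring) Rotate(k TicketKey) { r.Keys = append([]TicketKey{k}, r.Keys...) }
func (r *Keyring) Retire()            { r.Keys = r.Keys[:len(r.Keys)-1] }

// Seal produces key_name | IV | AES-CTR(state) | HMAC(all preceding bytes).
func (r *Keyring) Seal(state []byte) ([]byte, error) {
	if len(r.Keys) == 0 {
		return nil, errors.New("no ticket keys configured")
	}
	cur := r.Keys[0]
	block, err := aes.NewCipher(cur.AESKey)
	if err != nil {
		return nil, err
	}
	iv := randFill(make([]byte, aes.BlockSize))
	ticket := append(append(append([]byte{}, cur.Name[:]...), iv...), state...)
	cipher.NewCTR(block, iv).XORKeyStream(ticket[keyNameLen+aes.BlockSize:], state)
	mac := hmac.New(sha256.New, cur.HMACKey)
	mac.Write(ticket)
	return mac.Sum(ticket), nil
}

// Open returns the state; an unknown key name means full handshake, a bad MAC means reject.
func (r *Keyring) Open(ticket []byte) ([]byte, error) {
	const header = keyNameLen + aes.BlockSize
	if len(ticket) <= header+sha256.Size {
		return nil, errors.New("malformed ticket")
	}
	var key *TicketKey
	for i := range r.Keys {
		if bytes.Equal(r.Keys[i].Name[:], ticket[:keyNameLen]) {
			key = &r.Keys[i]
		}
	}
	if key == nil {
		return nil, errors.New("unknown key name: full handshake required")
	}
	body, tag := ticket[:len(ticket)-sha256.Size], ticket[len(ticket)-sha256.Size:]
	mac := hmac.New(sha256.New, key.HMACKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // verify before decrypting anything
		return nil, errors.New("ticket MAC mismatch: rejected")
	}
	block, err := aes.NewCipher(key.AESKey)
	if err != nil {
		return nil, err
	}
	state := make([]byte, len(body)-header)
	cipher.NewCTR(block, body[keyNameLen:header]).XORKeyStream(state, body[header:])
	return state, nil
}

func main() {
	ring := &Keyring{}
	ring.Rotate(NewTicketKey("key-2008-05"))
	old, _ := ring.Seal([]byte("constructed placeholder for an encoded SSL_SESSION"))
	ring.Rotate(NewTicketKey("key-2008-06")) // rollover: old tickets still open
	got, err := ring.Open(old)
	fmt.Printf("after rotate: %q err=%v\n", got, err)
	ring.Retire() // the 2008-05 set is gone: its tickets now force a full handshake
	_, err = ring.Open(old)
	fmt.Println("after retire:", err)
}
```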

  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name. The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):

         SSL_get_servername()
         SSL_get_servername_type()
         SSL_set_SSL_CTX()

     New CTRL codes and macros (subject to change):

         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                 - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                 - SSL_CTX_set_tlsext_servername_arg()
         SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change). This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation). If the unrecognized_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'
     option.

     [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]

  *) Add AES and SSE2 assembly language support to VC++ build.
     [Steve Henson]

  *) Mitigate attack on final subtraction in Montgomery reduction.
     [Andy Polyakov]

  *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
     (which previously caused an internal error).
     [Bodo Moeller]

  *) Squeeze another 10% out of IGE mode when in != out.
     [Ben Laurie]

  *) AES IGE mode speedup.
     [Dean Gaudet (Google)]

  *) Add the Korean symmetric 128-bit cipher SEED (see
     http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
     add SEED ciphersuites from RFC 4162:

         TLS_RSA_WITH_SEED_CBC_SHA      = "SEED-SHA"
         TLS_DHE_DSS_WITH_SEED_CBC_SHA  = "DHE-DSS-SEED-SHA"
         TLS_DHE_RSA_WITH_SEED_CBC_SHA  = "DHE-RSA-SEED-SHA"
         TLS_DH_anon_WITH_SEED_CBC_SHA  = "ADH-SEED-SHA"

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, SEED remains excluded from compilation unless OpenSSL
     is configured with 'enable-seed'.
     [KISA, Bodo Moeller]

  *) Mitigate branch prediction attacks, which can be practical if a
     single processor is shared, allowing a spy process to extract
     information. For detailed background information, see
     http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
     J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
     and Necessary Software Countermeasures"). The core of the change
     is the new versions BN_div_no_branch() and
     BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
     respectively, which are slower, but avoid the security-relevant
     conditional branches. These are automatically called by BN_div()
     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
     of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
     remove a conditional branch.

     BN_FLG_CONSTTIME is the new name for the previous
     BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
     modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
     in the exponent causes BN_mod_exp_mont() to use the alternative
     implementation in BN_mod_exp_mont_consttime().) The old name
     remains as a deprecated alias.

     Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
     RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
     constant-time implementations for more than just exponentiation.
     Here too the old name is kept as a deprecated alias.

     BN_BLINDING_new() will now use BN_dup() for the modulus so that
     the BN_BLINDING structure gets an independent copy of the
     modulus. This means that the previous "BIGNUM *m" argument to
     BN_BLINDING_new() and to BN_BLINDING_create_param() now
     essentially becomes "const BIGNUM *m", although we can't actually
     change this in the header file before 0.9.9. It allows
     RSA_setup_blinding() to use BN_with_flags() on the modulus to
     enable BN_FLG_CONSTTIME.

     [Matthew D Wood (Intel Corp)]

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes). Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set. This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was
     not complete and could lead to a possible single byte overflow
     (CVE-2007-5135).
     [Ben Laurie]

 Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't
     (or if Camellia128 is available and Camellia256 isn't).
     [Victor Duchovni]

  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
     When a point or a seed is encoded in a BIT STRING, we need to
     prevent the removal of trailing zero bits to get the proper DER
     encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
     of a NamedBitList, for which trailing 0 bits need to be removed.)
     [Bodo Moeller]

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented. (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

  *) Add RFC 3779 support.
     [Rob Austein for ARIN, Ben Laurie]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     Improve header file function name parsing.
     [Steve Henson]

  *) Extend SMTP and IMAP protocol emulation in s_client to use EHLO
     or CAPABILITY handshake as required by RFCs.
     [Goetz Babin-Ebell]

 Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service. (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service. (CVE-2006-2937)
     [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server. (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those. Before that, "AES256-SHA" would be interpreted
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
     the same strength classification in 0.9.7h) as we currently only
     have a single AES bit in the ciphersuite description bitmap.
     That change, however, also applied to ciphersuite strings such as
     "RC4-MD5" that intentionally matched multiple ciphersuites --
     namely, SSL 2.0 ciphersuites in addition to the more common ones
     from SSL 3.0/TLS 1.0.

     So we change the selection algorithm again: Naming an explicit
     ciphersuite selects this one ciphersuite, and any other similar
     ciphersuite (same bitmap) from *other* protocol versions.
     Thus, "RC4-MD5" again will properly select both the SSL 2.0
     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

     Since SSL 2.0 does not have any ciphersuites for which the
     128/256 bit distinction would be relevant, this works for now.
     The proper fix will be to use different bits for AES128 and
     AES256, which would have avoided the problems from the beginning;
     however, bits are scarce, so we can only do this in a new release
     (not just a patchlevel) when we can change the SSL_CIPHER
     definition to split the single 'unsigned long mask' bitmap into
     multiple values to extend the available space.

     [Bodo Moeller]
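The three selection rules this entry walks through (pre-0.9.8b matching by bitmap, the 0.9.8b exact match, and the 0.9.8c rule that adds same-bitmap ciphersuites only from other protocol versions), as an added Go model rather than OpenSSL's ssl_ciph.c code. The bit layout, the four-entry table and the assumption that a name lookup finds the SSL 3.0/TLS 1.0 entry first are constructed for this example; the single eAES bit is the one the entry describes.

```go
package main

import "fmt"

// Bits of the modelled 'unsigned long mask' bitmap. As in 0.9.8 there is a
// single AES bit, so AES128-SHA and AES256-SHA have identical masks.
const (
	kRSA uint = 1 << iota
	aRSA
	eRC4
	eAES
	mMD5
	mSHA1
)

type Cipher struct {
	Name    string
	Version string // "SSLv2" or "SSLv3" (SSL 3.0 and TLS 1.0 share a table)
	Mask    uint
}

// Constructed table, just large enough to exercise the three rules.
var table = []Cipher{
	{"RC4-MD5", "SSLv3", kRSA | aRSA | eRC4 | mMD5},
	{"AES128-SHA", "SSLv3", kRSA | aRSA | eAES | mSHA1},
	{"AES256-SHA", "SSLv3", kRSA | aRSA | eAES | mSHA1},
	{"RC4-MD5", "SSLv2", kRSA | aRSA | eRC4 | mMD5},
}

// lookup returns the first entry with the given name (assumption: the
// SSL3/TLS table is searched first), or nil for an unknown name.
func lookup(name string) *Cipher {
	for i := range table {
		if table[i].Name == name {
			return &table[i]
		}
	}
	return nil
}

// filter returns the table entries for which keep(named, candidate) holds.
func filter(name string, keep func(named, c Cipher) bool) []Cipher {
	named := lookup(name)
	if named == nil {
		return nil
	}
	var out []Cipher
	for _, c := range table {
		if keep(*named, c) {
			out = append(out, c)
		}
	}
	return out
}

// ruleBefore098b: the name only yields a mask, and every ciphersuite with
// that mask matches, so "AES256-SHA" also pulled in AES128-SHA.
func ruleBefore098b(name string) []Cipher {
	return filter(name, func(n, c Cipher) bool { return c.Mask == n.Mask })
}

// rule098b: an explicit name matches that one entry only, which silently
// dropped the SSL 2.0 twin of "RC4-MD5".
func rule098b(name string) []Cipher {
	return filter(name, func(n, c Cipher) bool { return c == n })
}

// rule098c: the named entry plus same-mask entries from *other* protocol
// versions; a same-version sibling with an equal mask (AES128-SHA) stays out.
func rule098c(name string) []Cipher {
	return filter(name, func(n, c Cipher) bool {
		return c == n || (c.Mask == n.Mask && c.Version != n.Version)
	})
}

// describe renders a selection as "NAME[version]" strings.
func describe(cs []Cipher) []string {
	out := make([]string, 0, len(cs))
	for _, c := range cs {
		out = append(out, fmt.Sprintf("%s[%s]", c.Name, c.Version))
	}
	return out
}

func main() {
	rules := map[string]func(string) []Cipher{
		"pre-0.9.8b": ruleBefore098b, "0.9.8b": rule098b, "0.9.8c": rule098c}
	for _, label := range []string{"pre-0.9.8b", "0.9.8b", "0.9.8c"} {
		for _, name := range []string{"AES256-SHA", "RC4-MD5"} {
			fmt.Printf("%-10s %-10s -> %v\n", label, name, describe(rules[label](name)))
		}
	}
}
```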
540
74093195
SS
541 Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
542
543 *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
544 (CVE-2006-4339) [Ben Laurie and Google Security Team]
545
546 *) Add AES IGE and biIGE modes.
547 [Ben Laurie]
548
549 *) Change the Unix randomness entropy gathering to use poll() when
550 possible instead of select(), since the latter has some
551 undesirable limitations.
552 [Darryl Miles via Richard Levitte and Bodo Moeller]
553
554 *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
555 treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
556 cannot be implicitly activated as part of, e.g., the "AES" alias.
557 However, please upgrade to OpenSSL 0.9.9[-dev] for
558 non-experimental use of the ECC ciphersuites to get TLS extension
559 support, which is required for curve and point format negotiation
560 to avoid potential handshake problems.
561 [Bodo Moeller]
562
563 *) Disable rogue ciphersuites:
564
565 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
566 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
567 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
568
569 The latter two were purportedly from
570 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
571 appear there.
572
e40c9513 573 Also deactivate the remaining ciphersuites from
74093195
SS
574 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
575 unofficial, and the ID has long expired.
576 [Bodo Moeller]
577
578 *) Fix RSA blinding Heisenbug (problems sometimes occured on
579 dual-core machines) and other potential thread-safety issues.
580 [Bodo Moeller]
581
582 *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
583 versions), which is now available for royalty-free use
584 (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
585 Also, add Camellia TLS ciphersuites from RFC 4132.
586
587 To minimize changes between patchlevels in the OpenSSL 0.9.8
588 series, Camellia remains excluded from compilation unless OpenSSL
589 is configured with 'enable-camellia'.
590 [NTT]
591
592 *) Disable the padding bug check when compression is in use. The padding
593 bug check assumes the first packet is of even length, this is not
594 necessarily true if compresssion is enabled and can result in false
595 positives causing handshake failure. The actual bug test is ancient
596 code so it is hoped that implementations will either have fixed it by
597 now or any which still have the bug do not support compression.
598 [Steve Henson]
599
600 Changes between 0.9.8a and 0.9.8b [04 May 2006]
601
602 *) When applying a cipher rule check to see if string match is an explicit
603 cipher suite and only match that one cipher suite if it is.
604 [Steve Henson]
605
606 *) Link in manifests for VC++ if needed.
607 [Austin Ziegler <halostatue@gmail.com>]
608
609 *) Update support for ECC-based TLS ciphersuites according to
610 draft-ietf-tls-ecc-12.txt with proposed changes (but without
611 TLS extensions, which are supported starting with the 0.9.9
612 branch, not in the OpenSSL 0.9.8 branch).
613 [Douglas Stebila]
614
615 *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
616 opaque EVP_CIPHER_CTX handling.
617 [Steve Henson]
618
619 *) Fixes and enhancements to zlib compression code. We now only use
620 "zlib1.dll" and use the default __cdecl calling convention on Win32
621 to conform with the standards mentioned here:
622 http://www.zlib.net/DLL_FAQ.txt
623 Static zlib linking now works on Windows and the new --with-zlib-include
624 --with-zlib-lib options to Configure can be used to supply the location
625 of the headers and library. Gracefully handle case where zlib library
626 can't be loaded.
627 [Steve Henson]
628
629 *) Several fixes and enhancements to the OID generation code. The old code
630 sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
631 handle numbers larger than ULONG_MAX, truncated printing and had a
632 non standard OBJ_obj2txt() behaviour.
633 [Steve Henson]
634
635 *) Add support for building of engines under engine/ as shared libraries
636 under VC++ build system.
637 [Steve Henson]
638
639 *) Corrected the numerous bugs in the Win32 path splitter in DSO.
640 Hopefully, we will not see any false combination of paths any more.
641 [Richard Levitte]
642
5bd86ce5
SS
643 Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
644
645 *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
646 (part of SSL_OP_ALL). This option used to disable the
647 countermeasure against man-in-the-middle protocol-version
648 rollback in the SSL 2.0 server implementation, which is a bad
74093195 649 idea. (CVE-2005-2969)
5bd86ce5
SS
650
651 [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
652 for Information Security, National Institute of Advanced Industrial
653 Science and Technology [AIST], Japan)]
654
655 *) Add two function to clear and return the verify parameter flags.
656 [Steve Henson]
657
658 *) Keep cipherlists sorted in the source instead of sorting them at
659 runtime, thus removing the need for a lock.
660 [Nils Larsch]
661
662 *) Avoid some small subgroup attacks in Diffie-Hellman.
663 [Nick Mathewson and Ben Laurie]
664
665 *) Add functions for well-known primes.
666 [Nick Mathewson]
667
668 *) Extended Windows CE support.
669 [Satoshi Nakamura and Andy Polyakov]
670
671 *) Initialize SSL_METHOD structures at compile time instead of during
672 runtime, thus removing the need for a lock.
673 [Steve Henson]
674
675 *) Make PKCS7_decrypt() work even if no certificate is supplied by
676 attempting to decrypt each encrypted key in turn. Add support to
677 smime utility.
678 [Steve Henson]
679
56276539
SS
680 Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
681
74093195
SS
682 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
683 OpenSSL 0.9.8.]
684
56276539
SS
685 *) Add libcrypto.pc and libssl.pc for those who feel they need them.
686 [Richard Levitte]
687
688 *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
689 key into the same file any more.
690 [Richard Levitte]
691
692 *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
693 [Andy Polyakov]
694
695 *) Add -utf8 command line and config file option to 'ca'.
696 [Stefan <stf@udoma.org]
697
698 *) Removed the macro des_crypt(), as it seems to conflict with some
699 libraries. Use DES_crypt().
700 [Richard Levitte]
701
702 *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
703 involves renaming the source and generated shared-libs for
704 both. The engines will accept the corrected or legacy ids
705 ('ncipher' and '4758_cca' respectively) when binding. NB,
706 this only applies when building 'shared'.
707 [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
708
709 *) Add attribute functions to EVP_PKEY structure. Modify
710 PKCS12_create() to recognize a CSP name attribute and
711 use it. Make -CSP option work again in pkcs12 utility.
712 [Steve Henson]
713
714 *) Add new functionality to the bn blinding code:
715 - automatic re-creation of the BN_BLINDING parameters after
716 a fixed number of uses (currently 32)
717 - add new function for parameter creation
718 - introduce flags to control the update behaviour of the
719 BN_BLINDING parameters
720 - hide BN_BLINDING structure
721 Add a second BN_BLINDING slot to the RSA structure to improve
722 performance when a single RSA object is shared among several
723 threads.
724 [Nils Larsch]
725
726 *) Add support for DTLS.
727 [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
728
729 *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
730 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
731 [Walter Goulet]
732
733 *) Remove buggy and incompletet DH cert support from
734 ssl/ssl_rsa.c and ssl/s3_both.c
735 [Nils Larsch]
736
737 *) Use SHA-1 instead of MD5 as the default digest algorithm for
738 the apps/openssl applications.
739 [Nils Larsch]
740
741 *) Compile clean with "-Wall -Wmissing-prototypes
742 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
743 DEBUG_SAFESTACK must also be set.
744 [Ben Laurie]
745
  *) Change ./Configure so that certain algorithms can be disabled by default.
     The new counterpart to "no-xxx" is "enable-xxx".

     The patented RC5 and MDC2 algorithms will now be disabled unless
     "enable-rc5" and "enable-mdc2", respectively, are specified.

     (IDEA remains enabled despite being patented. This is because IDEA
     is frequently required for interoperability, and there is no license
     fee for non-commercial use. As before, "no-idea" can be used to
     avoid this algorithm.)

     [Bodo Moeller]

  *) Add processing of proxy certificates (see RFC 3820). This work was
     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
     EGEE (Enabling Grids for E-science in Europe).
     [Richard Levitte]

  *) RC4 performance overhaul on modern architectures/implementations, such
     as Intel P4, IA-64 and AMD64.
     [Andy Polyakov]

  *) New utility extract-section.pl. This can be used to specify an alternative
     section number in a pod file instead of having to treat each file as
     a separate case in Makefile. This can be done by adding two lines to the
     pod file:

     =for comment openssl_section:XXX

     The blank line is mandatory.

     [Steve Henson]

  *) New arguments -certform, -keyform and -pass for s_client and s_server
     to allow alternative format key and certificate files and passphrase
     sources.
     [Steve Henson]

  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
     update associated structures and add various utility functions.

     Add new policy related verify parameters, include policy checking in
     standard verify code. Enhance 'smime' application with extra parameters
     to support policy checking and print out.
     [Steve Henson]

  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
     [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]

  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
     [Geoff Thorpe]

  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
     [Andy Polyakov and a number of other people]

  *) Improved PowerPC platform support. Most notably BIGNUM assembler
     implementation contributed by IBM.
     [Suresh Chari, Peter Waltenberg, Andy Polyakov]

  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
     exponent rather than 'unsigned long'. There is a corresponding change to
     the new 'rsa_keygen' element of the RSA_METHOD structure.
     [Jelte Jansen, Geoff Thorpe]

  *) Functionality for creating the initial serial number file is now
     moved from CA.pl to the 'ca' utility with a new option -create_serial.

     (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
     number file to 1, which is bound to cause problems. To avoid
     the problems while respecting compatibility between different 0.9.7
     patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
     CA.pl for serial number initialization. With the new release 0.9.8,
     we can fix the problem directly in the 'ca' utility.)
     [Steve Henson]

  *) Reduced header interdependencies by declaring more opaque objects in
     ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
     give fewer recursive includes, which could break lazy source code - so
     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
     developers should define this symbol when building and using openssl to
     ensure they track the recommended behaviour, interfaces, [etc], but
     backwards-compatible behaviour prevails when this isn't defined.
     [Geoff Thorpe]

  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
     [Steve Henson]

  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
     This will generate a random key of the appropriate length based on the
     cipher context. The EVP_CIPHER can provide its own random key generation
     routine to support keys of a specific form. This is used in the des and
     3des routines to generate a key of the correct parity. Update S/MIME
     code to use new functions and hence generate correct parity DES keys.
     Add EVP_CHECK_DES_KEY #define to return an error if the key is not
     valid (weak or incorrect parity).
     [Steve Henson]
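The parity and weak-key rules this entry refers to, as an added example in C that is not OpenSSL's code: a model of a DES key check in the spirit of EVP_CHECK_DES_KEY, plus the odd-parity fix a key-generation routine applies to fresh random bytes before handing them out. The table of the 16 weak and semi-weak keys is reproduced from the well-known published list, and the function names are constructed here.

```c
#include <stdint.h>

/* A DES key is 8 bytes; bit 0 of each byte is an odd-parity bit over the other
 * seven. Constructed table of the 16 well-known weak and semi-weak DES keys. */
static const uint64_t WEAK_KEYS[16] = {
    0x0101010101010101ULL, 0xFEFEFEFEFEFEFEFEULL,   /* weak */
    0x1F1F1F1F0E0E0E0EULL, 0xE0E0E0E0F1F1F1F1ULL,
    0x01FE01FE01FE01FEULL, 0xFE01FE01FE01FE01ULL,   /* semi-weak */
    0x1FE01FE00EF10EF1ULL, 0xE01FE01FF10EF10EULL,
    0x01E001E001F101F1ULL, 0xE001E001F101F101ULL,
    0x1FFE1FFE0EFE0EFEULL, 0xFE1FFE1FFE0EFE0EULL,
    0x011F011F010E010EULL, 0x1F011F010E010E01ULL,
    0xE0FEE0FEF1FEF1FEULL, 0xFEE0FEE0FEF1FEF1ULL,
};

static int byte_parity_ok(uint8_t b)
{
    int ones = 0;
    for (; b; b >>= 1) ones += b & 1;
    return ones & 1;                    /* odd parity required */
}

static uint64_t key_to_u64(const uint8_t key[8])
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | key[i];
    return v;
}

/* Model of the EVP_CHECK_DES_KEY policy: 0 = usable, 1 = bad parity, 2 = weak key. */
int des_check_key(const uint8_t key[8])
{
    for (int i = 0; i < 8; i++)
        if (!byte_parity_ok(key[i])) return 1;
    for (int i = 0; i < 16; i++)
        if (key_to_u64(key) == WEAK_KEYS[i]) return 2;
    return 0;
}

/* What a DES key-generation routine does with fresh random bytes: force odd parity
 * on every byte (flip bit 0 where needed), then report whether the result is still
 * unusable (weak) and must be drawn again. */
int des_set_odd_parity(uint8_t key[8])
{
    for (int i = 0; i < 8; i++)
        if (!byte_parity_ok(key[i])) key[i] ^= 1;
    return des_check_key(key);
}
```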

  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
     as looking them up. This is useful when the verified structure may contain
     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
     present unless the new PKCS7_NO_CRL flag is asserted.
     [Steve Henson]

  *) Extend ASN1 oid configuration module. It now additionally accepts the
     syntax:

     shortName = some long name, 1.2.3.4
     [Steve Henson]

  *) Reimplemented the BN_CTX implementation. There is now no more static
     limitation on the number of variables it can handle nor the depth of the
     "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
     information can now expand as required, and rather than having a single
     static array of bignums, BN_CTX now uses a linked-list of such arrays
     allowing it to expand on demand whilst maintaining the usefulness of
     BN_CTX's "bundling".
     [Geoff Thorpe]

  *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
     to allow all RSA operations to function using a single BN_CTX.
     [Geoff Thorpe]

  *) Preliminary support for certificate policy evaluation and checking. This
     is initially intended to pass the tests outlined in "Conformance Testing
     of Relying Party Client Certificate Path Processing Logic" v1.07.
     [Steve Henson]

  *) bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and
     remained unused and not that useful. A variety of other little bignum
     tweaks and fixes have also been made continuing on from the audit (see
     below).
     [Geoff Thorpe]

  *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
     associated ASN1, EVP and SSL functions and old ASN1 macros.
     [Richard Levitte]

  *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
     and this should never fail. So the return value from the use of
     BN_set_word() (which can fail due to needless expansion) is now deprecated;
     if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
     [Geoff Thorpe]

  *) BN_CTX_get() should return zero-valued bignums, providing the same
     initialised value as BN_new().
