Merge from vendor branch SENDMAIL:
crypto/openssl-0.9/CHANGES (dragonfly.git)

 _______________
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't
     (or if Camellia128 is available and Camellia256 isn't).
     [Victor Duchovni]

  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
     When a point or a seed is encoded in a BIT STRING, we need to
     prevent the removal of trailing zero bits to get the proper DER
     encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
     of a NamedBitList, for which trailing 0 bits need to be removed.)
     [Bodo Moeller]
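The following is an added illustration, not code from OpenSSL: it DER-encodes a BIT STRING both as a NamedBitList (trailing zero bits removed, the a_bitstr.c default described above) and as a plain bit container, and shows that an EC point whose encoding ends in a zero byte survives only the second form. The point coordinates and the KeyUsage byte are constructed sample values.

```python
# Added example (not OpenSSL code): DER-encode a BIT STRING both as a
# NamedBitList (trailing zero bits removed, the a_bitstr.c default) and as a
# raw bit container (all bits kept), and show why an EC point needs the latter.
from __future__ import annotations


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def bitstring_der(data: bytes, named_bit_list: bool) -> bytes:
    """Encode data as a DER BIT STRING (tag 0x03).

    named_bit_list=True strips trailing zero bits, which DER requires for
    NamedBitList types such as KeyUsage but silently truncates a point or seed.
    named_bit_list=False keeps every bit (the unused-bits octet is 0)."""
    octets = bytearray(data)
    unused = 0
    if named_bit_list:
        while octets and octets[-1] == 0:      # drop all-zero trailing octets
            octets.pop()
        if octets:                             # count trailing zero bits of last octet
            last = octets[-1]
            while last & 1 == 0:
                last >>= 1
                unused += 1
    content = bytes([unused]) + bytes(octets)
    return b"\x03" + der_len(len(content)) + content


def bitstring_decode(der: bytes) -> tuple[bytes, int]:
    """Return (octets, unused_bits) from a DER BIT STRING produced above."""
    if der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    if der[1] < 0x80:
        n, off = der[1], 2
    else:
        k = der[1] & 0x7F
        n, off = int.from_bytes(der[2:2 + k], "big"), 2 + k
    content = der[off:off + n]
    return content[1:], content[0]


# Constructed sample: an uncompressed point whose y coordinate ends in 0x00.
# (Toy 4-byte coordinates, not a real curve point.)
POINT = b"\x04" + b"\x12\x34\x56\x78" + b"\x9a\xbc\xde\x00"
KEY_USAGE = b"\xa0"  # digitalSignature(0) | keyEncipherment(2), a NamedBitList


def point_roundtrips(named_bit_list: bool) -> bool:
    """True if the point survives encode/decode under the given mode."""
    octets, _ = bitstring_decode(bitstring_der(POINT, named_bit_list))
    return octets == POINT
```

With the NamedBitList rule the trailing 0x00 byte (and one more zero bit of 0xde) is dropped, so the decoded point is one byte short; with the rule disabled the encoding is 03 0a 00 followed by the point, unchanged.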

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented. (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

  *) Add RFC 3779 support.
     [Rob Austein for ARIN, Ben Laurie]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     Improve header file function name parsing.
     [Steve Henson]

  *) Extend SMTP and IMAP protocol emulation in s_client to use EHLO
     or CAPABILITY handshake as required by RFCs.
     [Goetz Babin-Ebell]

Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service. (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service. (CVE-2006-2937) [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server. (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those. Before that, "AES256-SHA" would be interpreted
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
     the same strength classification in 0.9.7h) as we currently only
     have a single AES bit in the ciphersuite description bitmap.
     That change, however, also applied to ciphersuite strings such as
     "RC4-MD5" that intentionally matched multiple ciphersuites --
     namely, SSL 2.0 ciphersuites in addition to the more common ones
     from SSL 3.0/TLS 1.0.

     So we change the selection algorithm again: Naming an explicit
     ciphersuite selects this one ciphersuite, and any other similar
     ciphersuite (same bitmap) from *other* protocol versions.
     Thus, "RC4-MD5" again will properly select both the SSL 2.0
     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

     Since SSL 2.0 does not have any ciphersuites for which the
     128/256 bit distinction would be relevant, this works for now.
     The proper fix will be to use different bits for AES128 and
     AES256, which would have avoided the problems from the beginning;
     however, bits are scarce, so we can only do this in a new release
     (not just a patchlevel) when we can change the SSL_CIPHER
     definition to split the single 'unsigned long mask' bitmap into
     multiple values to extend the available space.

     [Bodo Moeller]
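The three matching rules described in the entry above (bitmap pattern match before 0.9.8b, exact name only in 0.9.8b, exact name plus same-bitmap suites from other protocol versions in 0.9.8c), as an added toy model that is not OpenSSL's ssl_ciph.c. The Alg bits and the four-suite table are constructed; the single shared AES bit is the point of the entry.

```python
# Added example (not OpenSSL code): a toy model of how an explicit ciphersuite
# name in a cipher string is resolved against a table in which every suite
# carries an algorithm bitmap, under the three rules the entry above describes.
# The Alg bits and the four-suite table are constructed for illustration; the
# single shared AES bit mirrors the 0.9.8 SSL_CIPHER 'unsigned long mask'.
from __future__ import annotations
from dataclasses import dataclass
from enum import IntFlag


class Alg(IntFlag):
    RSA = 1 << 0
    RC4 = 1 << 1
    AES = 1 << 2   # one bit for both AES128 and AES256
    MD5 = 1 << 3
    SHA1 = 1 << 4


@dataclass(frozen=True)
class Suite:
    name: str
    version: str   # protocol version the suite belongs to
    algs: Alg      # the bitmap used for pattern matching


TABLE = [
    Suite("RC4-MD5", "SSLv2", Alg.RSA | Alg.RC4 | Alg.MD5),
    Suite("RC4-MD5", "SSLv3/TLSv1", Alg.RSA | Alg.RC4 | Alg.MD5),
    Suite("AES128-SHA", "SSLv3/TLSv1", Alg.RSA | Alg.AES | Alg.SHA1),
    Suite("AES256-SHA", "SSLv3/TLSv1", Alg.RSA | Alg.AES | Alg.SHA1),
]


def select(token: str, rule: str) -> list[str]:
    """Suites selected by an explicit ciphersuite name under a given rule."""
    first = next((s for s in TABLE if s.name == token), None)
    if first is None:
        return []
    if rule == "pre-0.9.8b":
        # Pure bitmap match: AES256-SHA also pulls in AES128-SHA.
        hits = [s for s in TABLE if s.algs == first.algs]
    elif rule == "0.9.8b":
        # Exact name only: RC4-MD5 loses its SSLv2 sibling.
        hits = [first]
    elif rule == "0.9.8c":
        # Exact name, plus same-bitmap suites from *other* protocol versions.
        # Safe only while no other version has an AES128/AES256 pair sharing
        # the bitmap, which is the caveat the entry states for SSL 2.0.
        hits = [first] + [s for s in TABLE
                          if s.algs == first.algs and s.version != first.version]
    else:
        raise ValueError(f"unknown rule {rule!r}")
    return sorted(f"{s.version}:{s.name}" for s in hits)
```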

Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
     (CVE-2006-4339) [Ben Laurie and Google Security Team]

  *) Add AES IGE and biIGE modes.
     [Ben Laurie]

  *) Change the Unix randomness entropy gathering to use poll() when
     possible instead of select(), since the latter has some
     undesirable limitations.
     [Darryl Miles via Richard Levitte and Bodo Moeller]

  *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
     treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
     cannot be implicitly activated as part of, e.g., the "AES" alias.
     However, please upgrade to OpenSSL 0.9.9[-dev] for
     non-experimental use of the ECC ciphersuites to get TLS extension
     support, which is required for curve and point format negotiation
     to avoid potential handshake problems.
     [Bodo Moeller]

  *) Disable rogue ciphersuites:

     - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
     - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
     - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

     The latter two were purportedly from
     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
     appear there.

     Also deactivate the remaining ciphersuites from
     draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
     unofficial, and the ID has long expired.
     [Bodo Moeller]

  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

  *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
     versions), which is now available for royalty-free use
     (see
     Also, add Camellia TLS ciphersuites from RFC 4132.

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, Camellia remains excluded from compilation unless OpenSSL
     is configured with 'enable-camellia'.
     [NTT]

  *) Disable the padding bug check when compression is in use. The padding
     bug check assumes the first packet is of even length; this is not
     necessarily true if compression is enabled and can result in false
     positives causing handshake failure. The actual bug test is ancient
     code so it is hoped that implementations will either have fixed it by
     now or any which still have the bug do not support compression.
     [Steve Henson]

Changes between 0.9.8a and 0.9.8b [04 May 2006]

  *) When applying a cipher rule, check to see if the string matches an explicit
     cipher suite and only match that one cipher suite if it does.
     [Steve Henson]

  *) Link in manifests for VC++ if needed.
     [Austin Ziegler <>]

  *) Update support for ECC-based TLS ciphersuites according to
     draft-ietf-tls-ecc-12.txt with proposed changes (but without
     TLS extensions, which are supported starting with the 0.9.9
     branch, not in the OpenSSL 0.9.8 branch).
     [Douglas Stebila]

  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
     opaque EVP_CIPHER_CTX handling.
     [Steve Henson]

  *) Fixes and enhancements to zlib compression code. We now only use
     "zlib1.dll" and use the default __cdecl calling convention on Win32
     to conform with the standards mentioned here:

     Static zlib linking now works on Windows and the new --with-zlib-include
     --with-zlib-lib options to Configure can be used to supply the location
     of the headers and library. Gracefully handle case where zlib library
     can't be loaded.
     [Steve Henson]

  *) Several fixes and enhancements to the OID generation code. The old code
     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
     handle numbers larger than ULONG_MAX, truncated printing and had a
     non standard OBJ_obj2txt() behaviour.
     [Steve Henson]

  *) Add support for building of engines under engine/ as shared libraries
     under VC++ build system.
     [Steve Henson]

  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
     Hopefully, we will not see any false combination of paths any more.
     [Richard Levitte]

Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
     (part of SSL_OP_ALL). This option used to disable the
     countermeasure against man-in-the-middle protocol-version
     rollback in the SSL 2.0 server implementation, which is a bad
     idea. (CVE-2005-2969)

     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
     for Information Security, National Institute of Advanced Industrial
     Science and Technology [AIST], Japan)]

  *) Add two functions to clear and return the verify parameter flags.
     [Steve Henson]

  *) Keep cipherlists sorted in the source instead of sorting them at
     runtime, thus removing the need for a lock.
     [Nils Larsch]

  *) Avoid some small subgroup attacks in Diffie-Hellman.
     [Nick Mathewson and Ben Laurie]

  *) Add functions for well-known primes.
     [Nick Mathewson]

  *) Extended Windows CE support.
     [Satoshi Nakamura and Andy Polyakov]

  *) Initialize SSL_METHOD structures at compile time instead of during
     runtime, thus removing the need for a lock.
     [Steve Henson]

  *) Make PKCS7_decrypt() work even if no certificate is supplied by
     attempting to decrypt each encrypted key in turn. Add support to
     smime utility.
     [Steve Henson]

Changes between 0.9.7h and 0.9.8 [05 Jul 2005]

  [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
  OpenSSL 0.9.8.]

  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
     [Richard Levitte]

  *) Change and so they don't bundle the CSR and the private
     key into the same file any more.
     [Richard Levitte]

  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
     [Andy Polyakov]

  *) Add -utf8 command line and config file option to 'ca'.
     [Stefan <]

  *) Removed the macro des_crypt(), as it seems to conflict with some
     libraries. Use DES_crypt().
     [Richard Levitte]

  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
     involves renaming the source and generated shared-libs for
     both. The engines will accept the corrected or legacy ids
     ('ncipher' and '4758_cca' respectively) when binding. NB,
     this only applies when building 'shared'.
     [Corinna Vinschen <> and Geoff Thorpe]

  *) Add attribute functions to EVP_PKEY structure. Modify
     PKCS12_create() to recognize a CSP name attribute and
     use it. Make -CSP option work again in pkcs12 utility.
     [Steve Henson]

  *) Add new functionality to the bn blinding code:
     - automatic re-creation of the BN_BLINDING parameters after
       a fixed number of uses (currently 32)
     - add new function for parameter creation
     - introduce flags to control the update behaviour of the
       BN_BLINDING parameters
     - hide BN_BLINDING structure
     Add a second BN_BLINDING slot to the RSA structure to improve
     performance when a single RSA object is shared among several
     threads.
     [Nils Larsch]

  *) Add support for DTLS.
     [Nagendra Modadugu <> and Ben Laurie]

  *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
     to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
     [Walter Goulet]

  *) Remove buggy and incomplete DH cert support from
     ssl/ssl_rsa.c and ssl/s3_both.c
     [Nils Larsch]

  *) Use SHA-1 instead of MD5 as the default digest algorithm for
     the apps/openssl applications.
     [Nils Larsch]

  *) Compile clean with "-Wall -Wmissing-prototypes
     -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
     DEBUG_SAFESTACK must also be set.
     [Ben Laurie]

  *) Change ./Configure so that certain algorithms can be disabled by default.
     The new counterpiece to "no-xxx" is "enable-xxx".

     The patented RC5 and MDC2 algorithms will now be disabled unless
     "enable-rc5" and "enable-mdc2", respectively, are specified.

     (IDEA remains enabled despite being patented. This is because IDEA
     is frequently required for interoperability, and there is no license
     fee for non-commercial use. As before, "no-idea" can be used to
     avoid this algorithm.)

     [Bodo Moeller]

  *) Add processing of proxy certificates (see RFC 3820). This work was
     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
     EGEE (Enabling Grids for E-science in Europe).
     [Richard Levitte]

  *) RC4 performance overhaul on modern architectures/implementations, such
     as Intel P4, IA-64 and AMD64.
     [Andy Polyakov]

  *) New utility This can be used to specify an alternative
     section number in a pod file instead of having to treat each file as
     a separate case in Makefile. This can be done by adding two lines to the
     pod file:

     =for comment openssl_section:XXX

     The blank line is mandatory.

     [Steve Henson]

  *) New arguments -certform, -keyform and -pass for s_client and s_server
     to allow alternative format key and certificate files and passphrase
     sources.
     [Steve Henson]

  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
     update associated structures and add various utility functions.

     Add new policy related verify parameters, include policy checking in
     standard verify code. Enhance 'smime' application with extra parameters
     to support policy checking and print out.
     [Steve Henson]

  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
     [Michal Ludvig <>, with help from Andy Polyakov]

  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
     [Geoff Thorpe]

  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
     [Andy Polyakov and a number of other people]

  *) Improved PowerPC platform support. Most notably BIGNUM assembler
     implementation contributed by IBM.
     [Suresh Chari, Peter Waltenberg, Andy Polyakov]

  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
     exponent rather than 'unsigned long'. There is a corresponding change to
     the new 'rsa_keygen' element of the RSA_METHOD structure.
     [Jelte Jansen, Geoff Thorpe]

  *) Functionality for creating the initial serial number file is now
     moved from to the 'ca' utility with a new option -create_serial.

     (Before OpenSSL 0.9.7e, used to initialize the serial
     number file to 1, which is bound to cause problems. To avoid
     the problems while respecting compatibility between different 0.9.7
     patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
     for serial number initialization. With the new release 0.9.8,
     we can fix the problem directly in the 'ca' utility.)
     [Steve Henson]

  *) Reduced header interdependencies by declaring more opaque objects in
     ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
     give fewer recursive includes, which could break lazy source code - so
     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
     developers should define this symbol when building and using openssl to
     ensure they track the recommended behaviour, interfaces, [etc], but
     backwards-compatible behaviour prevails when this isn't defined.
     [Geoff Thorpe]

  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
     [Steve Henson]

  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
     This will generate a random key of the appropriate length based on the
     cipher context. The EVP_CIPHER can provide its own random key generation
     routine to support keys of a specific form. This is used in the des and
     3des routines to generate a key of the correct parity. Update S/MIME
     code to use new functions and hence generate correct parity DES keys.
     Add EVP_CHECK_DES_KEY #define to return an error if the key is not
     valid (weak or incorrect parity).
     [Steve Henson]
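The two properties the entry above says the DES key routines enforce (odd parity in every key byte, and rejection of weak keys), as an added plain-Python model that is not OpenSSL's rand_key or EVP_CHECK_DES_KEY implementation. Only the four DES weak keys are listed; OpenSSL's DES_is_weak_key also covers the twelve semi-weak keys.

```python
# Added example (not OpenSSL code): the two properties the text says the new
# DES rand_key routine and EVP_CHECK_DES_KEY enforce, modelled in plain Python:
# every key byte has odd parity, and the key is not one of the DES weak keys.
# (OpenSSL's DES_is_weak_key also rejects the twelve semi-weak keys; only the
# four weak keys are listed here.)
from __future__ import annotations
import os

WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def set_odd_parity(key: bytes) -> bytes:
    """Set bit 0 of each byte so the byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        high = b & 0xFE                       # the 7 key bits
        ones = bin(high).count("1")
        out.append(high | (1 if ones % 2 == 0 else 0))   # add a 1 if even
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def des_key_valid(key: bytes) -> bool:
    """Mirror of the EVP_CHECK_DES_KEY idea: wrong parity or a weak key fails."""
    return len(key) == 8 and has_odd_parity(key) and key not in WEAK_KEYS


def rand_des_key(randbytes=os.urandom) -> bytes:
    """Draw random bytes, fix parity, and retry on a weak key."""
    while True:
        key = set_odd_parity(randbytes(8))
        if key not in WEAK_KEYS:
            return key


def rand_3des_key(randbytes=os.urandom) -> bytes:
    """Three independent DES keys, each with correct parity, for 3DES (EDE3)."""
    return b"".join(rand_des_key(randbytes) for _ in range(3))
```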

  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
     as looking them up. This is useful when the verified structure may contain
     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
     present unless the new PKCS7_NO_CRL flag is asserted.
     [Steve Henson]

  *) Extend ASN1 oid configuration module. It now additionally accepts the
     syntax:

     shortName = some long name,
     [Steve Henson]

  *) Reimplemented the BN_CTX implementation. There is now no more static
     limitation on the number of variables it can handle nor the depth of the
     "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
     information can now expand as required, and rather than having a single
     static array of bignums, BN_CTX now uses a linked-list of such arrays
     allowing it to expand on demand whilst maintaining the usefulness of
     BN_CTX's "bundling".
     [Geoff Thorpe]

  *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
     to allow all RSA operations to function using a single BN_CTX.
     [Geoff Thorpe]

  *) Preliminary support for certificate policy evaluation and checking. This
     is initially intended to pass the tests outlined in "Conformance Testing
     of Relying Party Client Certificate Path Processing Logic" v1.07.
     [Steve Henson]

  *) bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and
     remained unused and not that useful. A variety of other little bignum
     tweaks and fixes have also been made continuing on from the audit (see
     below).
     [Geoff Thorpe]

  *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
     associated ASN1, EVP and SSL functions and old ASN1 macros.
     [Richard Levitte]

  *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
     and this should never fail. So the return value from the use of
     BN_set_word() (which can fail due to needless expansion) is now deprecated;
     if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
     [Geoff Thorpe]

  *) BN_CTX_get() should return zero-valued bignums, providing the same
     initialised value as BN_new().