X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=082e15ec77c1c779d2a73b10c80399e824a7fcf6;hp=c2a23d1082e5b3248f52d590293a8ede8b1a80c4;hb=1d7df236dcb4f7c95707110753e5e77b19b9a0aa;hpb=2102c53caa616353cdf2c507f9216bf865932816 diff --git a/CHANGES b/CHANGES index c2a23d1082..082e15ec77 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,738 @@ OpenSSL CHANGES _______________ - Changes between 1.0.1h and 1.0.2 [xx XXX xxxx] + Changes between 1.0.2d and 1.0.2e [xx XXX xxxx] + + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen ] + + *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites + from RFC4279, RFC4785, RFC5487, RFC5489. + + Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the + original RSA_PSK patch. + [Steve Henson] + + *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay + era flag was never set throughout the codebase (only read). Also removed + SSL3_FLAGS_POP_BUFFER which was only used if + SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set. + [Matt Caswell] + + *) Changed the default name options in the "ca", "crl", "req" and "x509" + to be "oneline" instead of "compat". + [Richard Levitte] + + *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're + not aware of clients that still exhibit this bug, and the workaround + hasn't been working properly for a while. + [Emilia Käsper] + + *) The return type of BIO_number_read() and BIO_number_written() as well as + the corresponding num_read and num_write members in the BIO structure has + changed from unsigned long to uint64_t. On platforms where an unsigned + long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is + transferred. + [Matt Caswell] + + *) Given the pervasive nature of TLS extensions it is inadvisable to run + OpenSSL without support for them. It also means that maintaining + the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably + not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed. + [Matt Caswell] + + *) Removed support for the two export grade static DH ciphersuites + EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites + were newly added (along with a number of other static DH ciphersuites) to + 1.0.2. However the two export ones have *never* worked since they were + introduced. It seems strange in any case to be adding new export + ciphersuites, and given "logjam" it also does not seem correct to fix them. + [Matt Caswell] + + *) Version negotiation has been rewritten. In particular SSLv23_method(), + SSLv23_client_method() and SSLv23_server_method() have been deprecated, + and turned into macros which simply call the new preferred function names + TLS_method(), TLS_client_method() and TLS_server_method(). All new code + should use the new names instead. Also as part of this change the ssl23.h + header file has been removed. + [Matt Caswell] + + *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This + code and the associated standard is no longer considered fit-for-purpose. + [Matt Caswell] + + *) RT2547 was closed. When generating a private key, try to make the + output file readable only by the owner. This behavior change might + be noticeable when interacting with other software. + + *) Added HTTP GET support to the ocsp command. + [Rich Salz] + + *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. + [Matt Caswell] + + *) Added support for TLS extended master secret from + draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an + initial patch which was a great help during development. + [Steve Henson] + + *) All libssl internal structures have been removed from the public header + files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is + now redundant). Users should not attempt to access internal structures + directly. Instead they should use the provided API functions. + [Matt Caswell] + + *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used. + Access to deprecated functions can be re-enabled by running config with + "enable-deprecated". In addition applications wishing to use deprecated + functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour + will, by default, disable some transitive includes that previously existed + in the header files (e.g. ec.h will no longer, by default, include bn.h) + [Matt Caswell] + + *) Added support for OCB mode. OpenSSL has been granted a patent license + compatible with the OpenSSL license for use of OCB. Details are available + at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support + for OCB can be removed by calling config with no-ocb. + [Matt Caswell] + + *) SSLv2 support has been removed. It still supports receiving a SSLv2 + compatible client hello. + [Kurt Roeckx] + + *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz], + done while fixing the error code for the key-too-small case. + [Annie Yousar ] + + *) CA.sh has been removmed; use CA.pl instead. + [Rich Salz] + + *) Removed old DES API. + [Rich Salz] + + *) Remove various unsupported platforms: + Sony NEWS4 + BEOS and BEOS_R5 + NeXT + SUNOS + MPE/iX + Sinix/ReliantUNIX RM400 + DGUX + NCR + Tandem + Cray + 16-bit platforms such as WIN16 + [Rich Salz] + + *) Clean up OPENSSL_NO_xxx #define's + Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF + Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx + OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC + OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 + OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO + Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY + OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP + OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK + OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY + Remove MS_STATIC; it's a relic from platforms <32 bits. + [Rich Salz] + + *) Cleaned up dead code + Remove all but one '#ifdef undef' which is to be looked at. + [Rich Salz] + + *) Clean up calling of xxx_free routines. + Just like free(), fix most of the xxx_free routines to accept + NULL. Remove the non-null checks from callers. Save much code. + [Rich Salz] + + *) Add secure heap for storage of private keys (when possible). + Add BIO_s_secmem(), CBIGNUM, etc. + Contributed by Akamai Technologies under our Corporate CLA. + [Rich Salz] + + *) Experimental support for a new, fast, unbiased prime candidate generator, + bn_probable_prime_dh_coprime(). Not currently used by any prime generator. + [Felix Laurie von Massenbach ] + + *) New output format NSS in the sess_id command line tool. This allows + exporting the session id and the master key in NSS keylog format. + [Martin Kaiser ] + + *) Harmonize version and its documentation. -f flag is used to display + compilation flags. + [mancha ] + + *) Fix eckey_priv_encode so it immediately returns an error upon a failure + in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. + [mancha ] + + *) Fix some double frees. These are not thought to be exploitable. + [mancha ] + + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley and Bodo Moeller for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): + this fixes a limitation in previous versions of OpenSSL. + [Steve Henson] + + *) Experimental encrypt-then-mac support. + + Experimental support for encrypt then mac from + draft-gutmann-tls-encrypt-then-mac-02.txt + + To enable it set the appropriate extension number (0x42 for the test + server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 + + For non-compliant peers (i.e. just about everything) this should have no + effect. + + WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. + + [Steve Henson] + + *) Add EVP support for key wrapping algorithms, to avoid problems with + existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in + the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap + algorithms and include tests cases. + [Steve Henson] + + *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for + enveloped data. + [Steve Henson] + + *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, + MGF1 digest and OAEP label. + [Steve Henson] + + *) Make openssl verify return errors. + [Chris Palmer and Ben Laurie] + + *) New function ASN1_TIME_diff to calculate the difference between two + ASN1_TIME structures or one structure and the current time. + [Steve Henson] + + *) Update fips_test_suite to support multiple command line options. New + test to induce all self test errors in sequence and check expected + failures. + [Steve Henson] + + *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and + sign or verify all in one operation. + [Steve Henson] + + *) Add fips_algvs: a multicall fips utility incorporating all the algorithm + test programs and fips_test_suite. Includes functionality to parse + the minimal script output of fipsalgest.pl directly. + [Steve Henson] + + *) Add authorisation parameter to FIPS_module_mode_set(). + [Steve Henson] + + *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. + [Steve Henson] + + *) Use separate DRBG fields for internal and external flags. New function + FIPS_drbg_health_check() to perform on demand health checking. Add + generation tests to fips_test_suite with reduced health check interval to + demonstrate periodic health checking. Add "nodh" option to + fips_test_suite to skip very slow DH test. + [Steve Henson] + + *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers + based on NID. + [Steve Henson] + + *) More extensive health check for DRBG checking many more failure modes. + New function FIPS_selftest_drbg_all() to handle every possible DRBG + combination: call this in fips_test_suite. + [Steve Henson] + + *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test + and POST to handle Dual EC cases. + [Steve Henson] + + *) Add support for canonical generation of DSA parameter 'g'. See + FIPS 186-3 A.2.3. + + *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and + POST to handle HMAC cases. + [Steve Henson] + + *) Add functions FIPS_module_version() and FIPS_module_version_text() + to return numerical and string versions of the FIPS module number. + [Steve Henson] + + *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and + FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented + outside the validated module in the FIPS capable OpenSSL. + [Steve Henson] + + *) Minor change to DRBG entropy callback semantics. In some cases + there is no multiple of the block length between min_len and + max_len. Allow the callback to return more than max_len bytes + of entropy but discard any extra: it is the callback's responsibility + to ensure that the extra data discarded does not impact the + requested amount of entropy. + [Steve Henson] + + *) Add PRNG security strength checks to RSA, DSA and ECDSA using + information in FIPS186-3, SP800-57 and SP800-131A. + [Steve Henson] + + *) CCM support via EVP. Interface is very similar to GCM case except we + must supply all data in one chunk (i.e. no update, final) and the + message length must be supplied if AAD is used. Add algorithm test + support. + [Steve Henson] + + *) Initial version of POST overhaul. Add POST callback to allow the status + of POST to be monitored and/or failures induced. Modify fips_test_suite + to use callback. Always run all selftests even if one fails. + [Steve Henson] + + *) XTS support including algorithm test driver in the fips_gcmtest program. + Note: this does increase the maximum key length from 32 to 64 bytes but + there should be no binary compatibility issues as existing applications + will never use XTS mode. + [Steve Henson] + + *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies + to OpenSSL RAND code and replace with a tiny FIPS RAND API which also + performs algorithm blocking for unapproved PRNG types. Also do not + set PRNG type in FIPS_mode_set(): leave this to the application. + Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with + the standard OpenSSL PRNG: set additional data to a date time vector. + [Steve Henson] + + *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*. + This shouldn't present any incompatibility problems because applications + shouldn't be using these directly and any that are will need to rethink + anyway as the X9.31 PRNG is now deprecated by FIPS 140-2 + [Steve Henson] + + *) Extensive self tests and health checking required by SP800-90 DRBG. + Remove strength parameter from FIPS_drbg_instantiate and always + instantiate at maximum supported strength. + [Steve Henson] + + *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing. + [Steve Henson] + + *) New algorithm test program fips_dhvs to handle DH primitives only testing. + [Steve Henson] + + *) New function DH_compute_key_padded() to compute a DH key and pad with + leading zeroes if needed: this complies with SP800-56A et al. + [Steve Henson] + + *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by + anything, incomplete, subject to change and largely untested at present. + [Steve Henson] + + *) Modify fipscanisteronly build option to only build the necessary object + files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. + [Steve Henson] + + *) Add experimental option FIPSSYMS to give all symbols in + fipscanister.o and FIPS or fips prefix. This will avoid + conflicts with future versions of OpenSSL. Add perl script + util/fipsas.pl to preprocess assembly language source files + and rename any affected symbols. + [Steve Henson] + + *) Add selftest checks and algorithm block of non-fips algorithms in + FIPS mode. Remove DES2 from selftests. + [Steve Henson] + + *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just + return internal method without any ENGINE dependencies. Add new + tiny fips sign and verify functions. + [Steve Henson] + + *) New build option no-ec2m to disable characteristic 2 code. + [Steve Henson] + + *) New build option "fipscanisteronly". This only builds fipscanister.o + and (currently) associated fips utilities. Uses the file Makefile.fips + instead of Makefile.org as the prototype. + [Steve Henson] + + *) Add some FIPS mode restrictions to GCM. Add internal IV generator. + Update fips_gcmtest to use IV generator. + [Steve Henson] + + *) Initial, experimental EVP support for AES-GCM. AAD can be input by + setting output buffer to NULL. The *Final function must be + called although it will not retrieve any additional data. The tag + can be set or retrieved with a ctrl. The IV length is by default 12 + bytes (96 bits) but can be set to an alternative value. If the IV + length exceeds the maximum IV length (currently 16 bytes) it cannot be + set before the key. + [Steve Henson] + + *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the + underlying do_cipher function handles all cipher semantics itself + including padding and finalisation. This is useful if (for example) + an ENGINE cipher handles block padding itself. The behaviour of + do_cipher is subtly changed if this flag is set: the return value + is the number of characters written to the output buffer (zero is + no longer an error code) or a negative error code. Also if the + input buffer is NULL and length 0 finalisation should be performed. + [Steve Henson] + + *) If a candidate issuer certificate is already part of the constructed + path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. + [Steve Henson] + + *) Improve forward-security support: add functions + + void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) + void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) + + for use by SSL/TLS servers; the callback function will be called whenever a + new session is created, and gets to decide whether the session may be + cached to make it resumable (return 0) or not (return 1). (As by the + SSL/TLS protocol specifications, the session_id sent by the server will be + empty to indicate that the session is not resumable; also, the server will + not generate RFC 4507 (RFC 5077) session tickets.) + + A simple reasonable callback implementation is to return is_forward_secure. + This parameter will be set to 1 or 0 depending on the ciphersuite selected + by the SSL/TLS server library, indicating whether it can provide forward + security. + [Emilia Käsper (Google)] + + *) New -verify_name option in command line utilities to set verification + parameters by name. + [Steve Henson] + + *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE. + Add CMAC pkey methods. + [Steve Henson] + + *) Experimental renegotiation in s_server -www mode. If the client + browses /reneg connection is renegotiated. If /renegcert it is + renegotiated requesting a certificate. + [Steve Henson] + + *) Add an "external" session cache for debugging purposes to s_server. This + should help trace issues which normally are only apparent in deployed + multi-process servers. + [Steve Henson] + + *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where + return value is ignored. NB. The functions RAND_add(), RAND_seed(), + BIO_set_cipher() and some obscure PEM functions were changed so they + can now return an error. The RAND changes required a change to the + RAND_METHOD structure. + [Steve Henson] + + *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of + a gcc attribute to warn if the result of a function is ignored. This + is enable if DEBUG_UNUSED is set. Add to several functions in evp.h + whose return value is often ignored. + [Steve Henson] +>>>>>>> f00a10b... GH367: Fix dsa keygen for too-short seed + + Changes between 1.0.2c and 1.0.2d [9 Jul 2015] + + *) Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. + + This issue was reported to OpenSSL by Adam Langley/David Benjamin + (Google/BoringSSL). + [Matt Caswell] + + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + + Changes between 1.0.2a and 1.0.2b [11 Jun 2015] + + *) Malformed ECParameters causes infinite loop + + When processing an ECParameters structure OpenSSL enters an infinite loop + if the curve specified is over a specially malformed binary polynomial + field. + + This can be used to perform denial of service against any + system which processes public keys, certificate requests or + certificates. This includes TLS clients and TLS servers with + client authentication enabled. + + This issue was reported to OpenSSL by Joseph Barr-Pixton. + (CVE-2015-1788) + [Andy Polyakov] + + *) Exploitable out-of-bounds read in X509_cmp_time + + X509_cmp_time does not properly check the length of the ASN1_TIME + string and can read a few bytes out of bounds. In addition, + X509_cmp_time accepts an arbitrary number of fractional seconds in the + time string. + + An attacker can use this to craft malformed certificates and CRLs of + various sizes and potentially cause a segmentation fault, resulting in + a DoS on applications that verify certificates or CRLs. TLS clients + that verify CRLs are affected. TLS clients and servers with client + authentication enabled may be affected if they use custom verification + callbacks. + + This issue was reported to OpenSSL by Robert Swiecki (Google), and + independently by Hanno Böck. + (CVE-2015-1789) + [Emilia Käsper] + + *) PKCS7 crash with missing EnvelopedContent + + The PKCS#7 parsing code does not handle missing inner EncryptedContent + correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs + with missing content and trigger a NULL pointer dereference on parsing. + + Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 + structures from untrusted sources are affected. OpenSSL clients and + servers are not affected. + + This issue was reported to OpenSSL by Michal Zalewski (Google). + (CVE-2015-1790) + [Emilia Käsper] + + *) CMS verify infinite loop with unknown hash function + + When verifying a signedData message the CMS code can enter an infinite loop + if presented with an unknown hash function OID. This can be used to perform + denial of service against any system which verifies signedData messages using + the CMS code. + This issue was reported to OpenSSL by Johannes Bauer. + (CVE-2015-1792) + [Stephen Henson] + + *) Race condition handling NewSessionTicket + + If a NewSessionTicket is received by a multi-threaded client when attempting to + reuse a previous ticket then a race condition can occur potentially leading to + a double free of the ticket data. + (CVE-2015-1791) + [Matt Caswell] + + *) Removed support for the two export grade static DH ciphersuites + EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites + were newly added (along with a number of other static DH ciphersuites) to + 1.0.2. However the two export ones have *never* worked since they were + introduced. It seems strange in any case to be adding new export + ciphersuites, and given "logjam" it also does not seem correct to fix them. + [Matt Caswell] + + *) Only support 256-bit or stronger elliptic curves with the + 'ecdh_auto' setting (server) or by default (client). Of supported + curves, prefer P-256 (both). + [Emilia Kasper] + + *) Reject DH handshakes with parameters shorter than 768 bits. + [Kurt Roeckx and Emilia Kasper] + + Changes between 1.0.2 and 1.0.2a [19 Mar 2015] + + *) ClientHello sigalgs DoS fix + + If a client connects to an OpenSSL 1.0.2 server and renegotiates with an + invalid signature algorithms extension a NULL pointer dereference will + occur. This can be exploited in a DoS attack against the server. + + This issue was was reported to OpenSSL by David Ramos of Stanford + University. + (CVE-2015-0291) + [Stephen Henson and Matt Caswell] + + *) Multiblock corrupted pointer fix + + OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This + feature only applies on 64 bit x86 architecture platforms that support AES + NI instructions. A defect in the implementation of "multiblock" can cause + OpenSSL's internal write buffer to become incorrectly set to NULL when + using non-blocking IO. Typically, when the user application is using a + socket BIO for writing, this will only result in a failed connection. + However if some other BIO is used then it is likely that a segmentation + fault will be triggered, thus enabling a potential DoS attack. + + This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller. + (CVE-2015-0290) + [Matt Caswell] + + *) Segmentation fault in DTLSv1_listen fix + + The DTLSv1_listen function is intended to be stateless and processes the + initial ClientHello from many peers. It is common for user code to loop + over the call to DTLSv1_listen until a valid ClientHello is received with + an associated cookie. A defect in the implementation of DTLSv1_listen means + that state is preserved in the SSL object from one invocation to the next + that can lead to a segmentation fault. Errors processing the initial + ClientHello can trigger this scenario. An example of such an error could be + that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only + server. + + This issue was reported to OpenSSL by Per Allansson. + (CVE-2015-0207) + [Matt Caswell] + + *) Segmentation fault in ASN1_TYPE_cmp fix + + The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is + made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check + certificate signature algorithm consistency this can be used to crash any + certificate verification operation and exploited in a DoS attack. Any + application which performs certificate verification is vulnerable including + OpenSSL clients and servers which enable client authentication. + (CVE-2015-0286) + [Stephen Henson] + + *) Segmentation fault for invalid PSS parameters fix + + The signature verification routines will crash with a NULL pointer + dereference if presented with an ASN.1 signature using the RSA PSS + algorithm and invalid parameters. Since these routines are used to verify + certificate signature algorithms this can be used to crash any + certificate verification operation and exploited in a DoS attack. Any + application which performs certificate verification is vulnerable including + OpenSSL clients and servers which enable client authentication. + + This issue was was reported to OpenSSL by Brian Carpenter. + (CVE-2015-0208) + [Stephen Henson] + + *) ASN.1 structure reuse memory corruption fix + + Reusing a structure in ASN.1 parsing may allow an attacker to cause + memory corruption via an invalid write. Such reuse is and has been + strongly discouraged and is believed to be rare. + + Applications that parse structures containing CHOICE or ANY DEFINED BY + components may be affected. Certificate parsing (d2i_X509 and related + functions) are however not affected. OpenSSL clients and servers are + not affected. + (CVE-2015-0287) + [Stephen Henson] + + *) PKCS7 NULL pointer dereferences fix + + The PKCS#7 parsing code does not handle missing outer ContentInfo + correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with + missing content and trigger a NULL pointer dereference on parsing. + + Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or + otherwise parse PKCS#7 structures from untrusted sources are + affected. OpenSSL clients and servers are not affected. + + This issue was reported to OpenSSL by Michal Zalewski (Google). + (CVE-2015-0289) + [Emilia Käsper] + + *) DoS via reachable assert in SSLv2 servers fix + + A malicious client can trigger an OPENSSL_assert (i.e., an abort) in + servers that both support SSLv2 and enable export cipher suites by sending + a specially crafted SSLv2 CLIENT-MASTER-KEY message. + + This issue was discovered by Sean Burford (Google) and Emilia Käsper + (OpenSSL development team). + (CVE-2015-0293) + [Emilia Käsper] + + *) Empty CKE with client auth and DHE fix + + If client auth is used then a server can seg fault in the event of a DHE + ciphersuite being selected and a zero length ClientKeyExchange message + being sent by the client. This could be exploited in a DoS attack. + (CVE-2015-1787) + [Matt Caswell] + + *) Handshake with unseeded PRNG fix + + Under certain conditions an OpenSSL 1.0.2 client can complete a handshake + with an unseeded PRNG. The conditions are: + - The client is on a platform where the PRNG has not been seeded + automatically, and the user has not seeded manually + - A protocol specific client method version has been used (i.e. not + SSL_client_methodv23) + - A ciphersuite is used that does not require additional random data from + the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA). + + If the handshake succeeds then the client random that has been used will + have been generated from a PRNG with insufficient entropy and therefore the + output may be predictable. + + For example using the following command with an unseeded openssl will + succeed on an unpatched platform: + + openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA + (CVE-2015-0285) + [Matt Caswell] + + *) Use After Free following d2i_ECPrivatekey error fix + + A malformed EC private key file consumed via the d2i_ECPrivateKey function + could cause a use after free condition. This, in turn, could cause a double + free in several private key parsing functions (such as d2i_PrivateKey + or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption + for applications that receive EC private keys from untrusted + sources. This scenario is considered rare. + + This issue was discovered by the BoringSSL project and fixed in their + commit 517073cd4b. + (CVE-2015-0209) + [Matt Caswell] + + *) X509_to_X509_REQ NULL pointer deref fix + + The function X509_to_X509_REQ will crash with a NULL pointer dereference if + the certificate key is invalid. This function is rarely used in practice. + + This issue was discovered by Brian Carpenter. + (CVE-2015-0288) + [Stephen Henson] + + *) Removed the export ciphers from the DEFAULT ciphers + [Kurt Roeckx] + + Changes between 1.0.1l and 1.0.2 [22 Jan 2015] + + *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. + ARMv5 through ARMv8, as opposite to "locking" it to single one. + So far those who have to target multiple plaforms would compromise + and argue that binary targeting say ARMv5 would still execute on + ARMv8. "Universal" build resolves this compromise by providing + near-optimal performance even on newer platforms. + [Andy Polyakov] + + *) Accelerated NIST P-256 elliptic curve implementation for x86_64 + (other platforms pending). + [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov] *) Add support for the SignedCertificateTimestampList certificate and OCSP response extensions from RFC6962. @@ -38,7 +769,7 @@ *) Accelerated modular exponentiation for Intel processors, a.k.a. RSAZ. - [Shay Gueron (Intel Corp)] + [Shay Gueron & Vlad Krasnov (Intel Corp)] *) Support for new and upcoming Intel processors, including AVX2, BMI and SHA ISA extensions. This includes additional "stitched" @@ -48,6 +779,11 @@ This work was sponsored by Intel Corp. [Andy Polyakov] + *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method() + supports both DTLS 1.2 and 1.0 and should use whatever version the peer + supports and DTLSv1_2_*_method() which supports DTLS 1.2 only. + [Steve Henson] + *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): this fixes a limiation in previous versions of OpenSSL. [Steve Henson] @@ -309,6 +1045,284 @@ certificates. [Steve Henson] + *) New function i2d_re_X509_tbs for re-encoding the TBS portion of + the certificate. + Note: Related 1.0.2-beta specific macros X509_get_cert_info, + X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and + X509_CINF_get_signature were reverted post internal team review. + + Changes between 1.0.1k and 1.0.1l [15 Jan 2015] + + *) Build fixes for the Windows and OpenVMS platforms + [Matt Caswell and Richard Levitte] + + Changes between 1.0.1j and 1.0.1k [8 Jan 2015] + + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the + dtls1_buffer_record function under certain conditions. In particular this + could occur if an attacker sent repeated DTLS records with the same + sequence number but for the next epoch. The memory leak could be exploited + by an attacker in a Denial of Service attack through memory exhaustion. + Thanks to Chris Mueller for reporting this issue. + (CVE-2015-0206) + [Matt Caswell] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for + reporting this issue. + (CVE-2014-3572) + [Steve Henson] + + *) Remove non-export ephemeral RSA code on client and server. This code + violated the TLS standard by allowing the use of temporary RSA keys in + non-export ciphersuites and could be used by a server to effectively + downgrade the RSA key length used to a value smaller than the server + certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at + INRIA or reporting this issue. + (CVE-2015-0204) + [Steve Henson] + + *) Fixed issue where DH client certificates are accepted without verification. + An OpenSSL server will accept a DH certificate for client authentication + without the certificate verify message. This effectively allows a client to + authenticate without the use of a private key. This only affects servers + which trust a client certificate authority which issues certificates + containing DH keys: these are extremely rare and hardly ever encountered. + Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting + this issue. + (CVE-2015-0205) + [Steve Henson] + + *) Ensure that the session ID context of an SSL is updated when its + SSL_CTX is updated via SSL_set_SSL_CTX. + + The session ID context is typically set from the parent SSL_CTX, + and can vary with the CTX. + [Adam Langley] + + *) Fix various certificate fingerprint issues. + + By using non-DER or invalid encodings outside the signed portion of a + certificate the fingerprint can be changed without breaking the signature. + Although no details of the signed portion of the certificate can be changed + this can cause problems with some applications: e.g. those using the + certificate fingerprint for blacklists. + + 1. Reject signatures with non zero unused bits. + + If the BIT STRING containing the signature has non zero unused bits reject + the signature. All current signature algorithms require zero unused bits. + + 2. Check certificate algorithm consistency. + + Check the AlgorithmIdentifier inside TBS matches the one in the + certificate signature. NB: this will result in signature failure + errors for some broken certificates. + + Thanks to Konrad Kraszewski from Google for reporting this issue. + + 3. Check DSA/ECDSA signatures use DER. + + Reencode DSA/ECDSA signatures and compare with the original received + signature. Return an error if there is a mismatch. + + This will reject various cases including garbage after signature + (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS + program for discovering this case) and use of BER or invalid ASN.1 INTEGERs + (negative or with leading zeroes). + + Further analysis was conducted and fixes were developed by Stephen Henson + of the OpenSSL core team. + + (CVE-2014-8275) + [Steve Henson] + + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + + *) Do not resume sessions on the server if the negotiated protocol + version does not match the session's version. Resuming with a different + version, while not strictly forbidden by the RFC, is of questionable + sanity and breaks all known clients. + [David Benjamin, Emilia Käsper] + + *) Tighten handling of the ChangeCipherSpec (CCS) message: reject + early CCS messages during renegotiation. (Note that because + renegotiation is encrypted, this early CCS was not exploitable.) + [Emilia Käsper] + + *) Tighten client-side session ticket handling during renegotiation: + ensure that the client only accepts a session ticket if the server sends + the extension anew in the ServerHello. Previously, a TLS client would + reuse the old extension state and thus accept a session ticket if one was + announced in the initial ServerHello. + + Similarly, ensure that the client requires a session ticket if one + was advertised in the ServerHello. Previously, a TLS client would + ignore a missing NewSessionTicket message. + [Emilia Käsper] + + Changes between 1.0.1i and 1.0.1j [15 Oct 2014] + + *) SRTP Memory Leak. + + A flaw in the DTLS SRTP extension parsing code allows an attacker, who + sends a carefully crafted handshake message, to cause OpenSSL to fail + to free up to 64k of memory causing a memory leak. This could be + exploited in a Denial Of Service attack. This issue affects OpenSSL + 1.0.1 server implementations for both SSL/TLS and DTLS regardless of + whether SRTP is used or configured. Implementations of OpenSSL that + have been compiled with OPENSSL_NO_SRTP defined are not affected. + + The fix was developed by the OpenSSL team. + (CVE-2014-3513) + [OpenSSL team] + + *) Session Ticket Memory Leak. + + When an OpenSSL SSL/TLS/DTLS server receives a session ticket the + integrity of that ticket is first verified. In the event of a session + ticket integrity check failing, OpenSSL will fail to free memory + causing a memory leak. By sending a large number of invalid session + tickets an attacker could exploit this issue in a Denial Of Service + attack. + (CVE-2014-3567) + [Steve Henson] + + *) Build option no-ssl3 is incomplete. + + When OpenSSL is configured with "no-ssl3" as a build option, servers + could accept and complete a SSL 3.0 handshake, and clients could be + configured to send them. + (CVE-2014-3568) + [Akamai and the OpenSSL team] + + *) Add support for TLS_FALLBACK_SCSV. + Client applications doing fallback retries should call + SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). + (CVE-2014-3566) + [Adam Langley, Bodo Moeller] + + *) Add additional DigestInfo checks. + + Reencode DigestInto in DER and check against the original when + verifying RSA signature: this will reject any improperly encoded + DigestInfo structures. + + Note: this is a precautionary measure and no attacks are currently known. + + [Steve Henson] + + Changes between 1.0.1h and 1.0.1i [6 Aug 2014] + + *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the + SRP code can be overrun an internal buffer. Add sanity check that + g, A, B < N to SRP code. + + Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC + Group for discovering this issue. + (CVE-2014-3512) + [Steve Henson] + + *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate + TLS 1.0 instead of higher protocol versions when the ClientHello message + is badly fragmented. This allows a man-in-the-middle attacker to force a + downgrade to TLS 1.0 even if both the server and the client support a + higher protocol version, by modifying the client's TLS records. + + Thanks to David Benjamin and Adam Langley (Google) for discovering and + researching this issue. + (CVE-2014-3511) + [David Benjamin] + + *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject + to a denial of service attack. A malicious server can crash the client + with a null pointer dereference (read) by specifying an anonymous (EC)DH + ciphersuite and sending carefully crafted handshake messages. + + Thanks to Felix Gröbert (Google) for discovering and researching this + issue. + (CVE-2014-3510) + [Emilia Käsper] + + *) By sending carefully crafted DTLS packets an attacker could cause openssl + to leak memory. This can be exploited through a Denial of Service attack. + Thanks to Adam Langley for discovering and researching this issue. + (CVE-2014-3507) + [Adam Langley] + + *) An attacker can force openssl to consume large amounts of memory whilst + processing DTLS handshake messages. This can be exploited through a + Denial of Service attack. + Thanks to Adam Langley for discovering and researching this issue. + (CVE-2014-3506) + [Adam Langley] + + *) An attacker can force an error condition which causes openssl to crash + whilst processing DTLS packets due to memory being freed twice. This + can be exploited through a Denial of Service attack. + Thanks to Adam Langley and Wan-Teh Chang for discovering and researching + this issue. + (CVE-2014-3505) + [Adam Langley] + + *) If a multithreaded client connects to a malicious server using a resumed + session and the server sends an ec point format extension it could write + up to 255 bytes to freed memory. + + Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this + issue. + (CVE-2014-3509) + [Gabor Tyukasz] + + *) A malicious server can crash an OpenSSL client with a null pointer + dereference (read) by specifying an SRP ciphersuite even though it was not + properly negotiated with the client. This can be exploited through a + Denial of Service attack. + + Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for + discovering and researching this issue. + (CVE-2014-5139) + [Steve Henson] + + *) A flaw in OBJ_obj2txt may cause pretty printing functions such as + X509_name_oneline, X509_name_print_ex et al. to leak some information + from the stack. Applications may be affected if they echo pretty printing + output to the attacker. + + Thanks to Ivan Fratric (Google) for discovering this issue. + (CVE-2014-3508) + [Emilia Käsper, and Steve Henson] + + *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) + [Bodo Moeller] + Changes between 1.0.1g and 1.0.1h [5 Jun 2014] *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted @@ -332,22 +1346,22 @@ client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) - [Jüri Aedla, Steve Henson] + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. - Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. (CVE-2014-3470) - [Felix Gröbert, Ivan Fratric, Steve Henson] + [Felix Gröbert, Ivan Fratric, Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. [mancha ] *) Fix eckey_priv_encode so it immediately returns an error upon a failure - in i2d_ECPrivateKey. + in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. [mancha ] *) Fix some double frees. These are not thought to be exploitable. @@ -419,9 +1433,9 @@ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. + Emilia Käsper for the initial patch. (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode ciphersuites which can be exploited in a denial of service attack. @@ -596,7 +1610,7 @@ EC_GROUP_new_by_curve_name() will automatically use these (while EC_GROUP_new_curve_GFp() currently prefers the more flexible implementations). - [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] + [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] *) Use type ossl_ssize_t instad of ssize_t which isn't available on all platforms. Move ssize_t definition from e_os.h to the public @@ -806,63 +1820,6 @@ Add command line options to s_client/s_server. [Steve Henson] - Changes between 1.0.0j and 1.0.0k [5 Feb 2013] - - *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. - - This addresses the flaw in CBC record processing discovered by - Nadhem Alfardan and Kenny Paterson. Details of this attack can be found - at: http://www.isg.rhul.ac.uk/tls/ - - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information - Security Group at Royal Holloway, University of London - (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. - (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] - - *) Return an error when checking OCSP signatures when key is NULL. - This fixes a DoS attack. (CVE-2013-0166) - [Steve Henson] - - *) Call OCSP Stapling callback after ciphersuite has been chosen, so - the right response is stapled. Also change SSL_get_certificate() - so it returns the certificate actually sent. - See http://rt.openssl.org/Ticket/Display.html?id=2836. - (This is a backport) - [Rob Stradling ] - - *) Fix possible deadlock when decoding public keys. - [Steve Henson] - - Changes between 1.0.0i and 1.0.0j [10 May 2012] - - [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after - OpenSSL 1.0.1.] - - *) Sanity check record length before skipping explicit IV in DTLS - to fix DoS attack. - - Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic - fuzzing as a service testing platform. - (CVE-2012-2333) - [Steve Henson] - - *) Initialise tkeylen properly when encrypting CMS messages. - Thanks to Solar Designer of Openwall for reporting this issue. - [Steve Henson] - - Changes between 1.0.0h and 1.0.0i [19 Apr 2012] - - *) Check for potentially exploitable overflows in asn1_d2i_read_bio - BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer - in CRYPTO_realloc_clean. - - Thanks to Tavis Ormandy, Google Security Team, for discovering this - issue and to Adam Langley for fixing it. - (CVE-2012-2110) - [Adam Langley (Google), Tavis Ormandy, Google Security Team] - Changes between 1.0.0g and 1.0.0h [12 Mar 2012] *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness @@ -929,7 +1886,7 @@ [Adam Langley (Google)] *) Fix spurious failures in ecdsatest.c. - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). @@ -943,7 +1900,7 @@ lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. [Bob Buckholz (Google)] @@ -1752,7 +2709,7 @@ *) Add RFC 3161 compliant time stamp request creation, response generation and response verification functionality. - [Zoltán Glózik , The OpenTSA Project] + [Zoltán Glózik , The OpenTSA Project] *) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now @@ -1853,228 +2810,6 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] - Changes between 0.9.8x and 0.9.8y [5 Feb 2013] - - *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. - - This addresses the flaw in CBC record processing discovered by - Nadhem Alfardan and Kenny Paterson. Details of this attack can be found - at: http://www.isg.rhul.ac.uk/tls/ - - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information - Security Group at Royal Holloway, University of London - (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. - (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] - - *) Return an error when checking OCSP signatures when key is NULL. - This fixes a DoS attack. (CVE-2013-0166) - [Steve Henson] - - *) Call OCSP Stapling callback after ciphersuite has been chosen, so - the right response is stapled. Also change SSL_get_certificate() - so it returns the certificate actually sent. - See http://rt.openssl.org/Ticket/Display.html?id=2836. - (This is a backport) - [Rob Stradling ] - - *) Fix possible deadlock when decoding public keys. - [Steve Henson] - - Changes between 0.9.8w and 0.9.8x [10 May 2012] - - *) Sanity check record length before skipping explicit IV in DTLS - to fix DoS attack. - - Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic - fuzzing as a service testing platform. - (CVE-2012-2333) - [Steve Henson] - - *) Initialise tkeylen properly when encrypting CMS messages. - Thanks to Solar Designer of Openwall for reporting this issue. - [Steve Henson] - - Changes between 0.9.8v and 0.9.8w [23 Apr 2012] - - *) The fix for CVE-2012-2110 did not take into account that the - 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an - int in OpenSSL 0.9.8, making it still vulnerable. Fix by - rejecting negative len parameter. (CVE-2012-2131) - [Tomas Hoger ] - - Changes between 0.9.8u and 0.9.8v [19 Apr 2012] - - *) Check for potentially exploitable overflows in asn1_d2i_read_bio - BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer - in CRYPTO_realloc_clean. - - Thanks to Tavis Ormandy, Google Security Team, for discovering this - issue and to Adam Langley for fixing it. - (CVE-2012-2110) - [Adam Langley (Google), Tavis Ormandy, Google Security Team] - - Changes between 0.9.8t and 0.9.8u [12 Mar 2012] - - *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness - in CMS and PKCS7 code. When RSA decryption fails use a random key for - content decryption and always return the same error. Note: this attack - needs on average 2^20 messages so it only affects automated senders. The - old behaviour can be reenabled in the CMS code by setting the - CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where - an MMA defence is not necessary. - Thanks to Ivan Nestlerode for discovering - this issue. (CVE-2012-0884) - [Steve Henson] - - *) Fix CVE-2011-4619: make sure we really are receiving a - client hello before rejecting multiple SGC restarts. Thanks to - Ivan Nestlerode for discovering this bug. - [Steve Henson] - - Changes between 0.9.8s and 0.9.8t [18 Jan 2012] - - *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. - Thanks to Antonio Martin, Enterprise Secure Access Research and - Development, Cisco Systems, Inc. for discovering this bug and - preparing a fix. (CVE-2012-0050) - [Antonio Martin] - - Changes between 0.9.8r and 0.9.8s [4 Jan 2012] - - *) Nadhem Alfardan and Kenny Paterson have discovered an extension - of the Vaudenay padding oracle attack on CBC mode encryption - which enables an efficient plaintext recovery attack against - the OpenSSL implementation of DTLS. Their attack exploits timing - differences arising during decryption processing. A research - paper describing this attack can be found at: - http://www.isg.rhul.ac.uk/~kp/dtls.pdf - Thanks go to Nadhem Alfardan and Kenny Paterson of the Information - Security Group at Royal Holloway, University of London - (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann - and Michael Tuexen - for preparing the fix. (CVE-2011-4108) - [Robin Seggelmann, Michael Tuexen] - - *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) - [Ben Laurie, Kasper ] - - *) Clear bytes used for block padding of SSL 3.0 records. - (CVE-2011-4576) - [Adam Langley (Google)] - - *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George - Kadianakis for discovering this issue and - Adam Langley for preparing the fix. (CVE-2011-4619) - [Adam Langley (Google)] - - *) Prevent malformed RFC3779 data triggering an assertion failure. - Thanks to Andrew Chi, BBN Technologies, for discovering the flaw - and Rob Austein for fixing it. (CVE-2011-4577) - [Rob Austein ] - - *) Fix ssl_ciph.c set-up race. - [Adam Langley (Google)] - - *) Fix spurious failures in ecdsatest.c. - [Emilia Käsper (Google)] - - *) Fix the BIO_f_buffer() implementation (which was mixing different - interpretations of the '..._len' fields). - [Adam Langley (Google)] - - *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than - BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent - threads won't reuse the same blinding coefficients. - - This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING - lock to call BN_BLINDING_invert_ex, and avoids one use of - BN_BLINDING_update for each BN_BLINDING structure (previously, - the last update always remained unused). - [Emilia Käsper (Google)] - - *) Fix SSL memory handling for (EC)DH ciphersuites, in particular - for multi-threaded use of ECDH. - [Adam Langley (Google)] - - *) Fix x509_name_ex_d2i memory leak on bad inputs. - [Bodo Moeller] - - *) Add protection against ECDSA timing attacks as mentioned in the paper - by Billy Bob Brumley and Nicola Tuveri, see: - - http://eprint.iacr.org/2011/232.pdf - - [Billy Bob Brumley and Nicola Tuveri] - - Changes between 0.9.8q and 0.9.8r [8 Feb 2011] - - *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 - [Neel Mehta, Adam Langley, Bodo Moeller (Google)] - - *) Fix bug in string printing code: if *any* escaping is enabled we must - escape the escape character (backslash) or the resulting string is - ambiguous. - [Steve Henson] - - Changes between 0.9.8p and 0.9.8q [2 Dec 2010] - - *) Disable code workaround for ancient and obsolete Netscape browsers - and servers: an attacker can use it in a ciphersuite downgrade attack. - Thanks to Martin Rex for discovering this bug. CVE-2010-4180 - [Steve Henson] - - *) Fixed J-PAKE implementation error, originally discovered by - Sebastien Martini, further info and confirmation from Stefan - Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 - [Ben Laurie] - - Changes between 0.9.8o and 0.9.8p [16 Nov 2010] - - *) Fix extension code to avoid race conditions which can result in a buffer - overrun vulnerability: resumed sessions must not be modified as they can - be shared by multiple threads. CVE-2010-3864 - [Steve Henson] - - *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 - [Steve Henson] - - *) Don't reencode certificate when calculating signature: cache and use - the original encoding instead. This makes signature verification of - some broken encodings work correctly. - [Steve Henson] - - *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT - is also one of the inputs. - [Emilia Käsper (Google)] - - *) Don't repeatedly append PBE algorithms to table if they already exist. - Sort table on each new add. This effectively makes the table read only - after all algorithms are added and subsequent calls to PKCS12_pbe_add - etc are non-op. - [Steve Henson] - - Changes between 0.9.8n and 0.9.8o [01 Jun 2010] - - [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after - OpenSSL 1.0.0.] - - *) Correct a typo in the CMS ASN1 module which can result in invalid memory - access or freeing data twice (CVE-2010-0742) - [Steve Henson, Ronald Moesbergen ] - - *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more - common in certificates and some applications which only call - SSL_library_init and not OpenSSL_add_all_algorithms() will fail. - [Steve Henson] - - *) VMS fixes: - Reduce copying into .apps and .test in makevms.com - Don't try to use blank CA certificate in CA.com - Allow use of C files from original directories in maketests.com - [Steven M. Schweda" ] - Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never @@ -3142,7 +3877,7 @@ *) BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new(). - [Geoff Thorpe, suggested by Ulf Möller] + [Geoff Thorpe, suggested by Ulf Möller] *) Support for inhibitAnyPolicy certificate extension. [Steve Henson] @@ -3161,7 +3896,7 @@ some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details. - [Geoff Thorpe, Nils Larsch, Ulf Möller] + [Geoff Thorpe, Nils Larsch, Ulf Möller] *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly @@ -3228,7 +3963,7 @@ [Douglas Stebila (Sun Microsystems Laboratories)] *) Add the possibility to load symbols globally with DSO. - [Götz Babin-Ebell via Richard Levitte] + [Götz Babin-Ebell via Richard Levitte] *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better control of the error stack. @@ -3943,7 +4678,7 @@ [Steve Henson] *) Undo Cygwin change. - [Ulf Möller] + [Ulf Möller] *) Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, @@ -3976,11 +4711,11 @@ [Stephen Henson, reported by UK NISCC] *) Use Windows randomness collection on Cygwin. - [Ulf Möller] + [Ulf Möller] *) Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD. - [Darren Tucker via Lutz Jänicke, resolves #1014] + [Darren Tucker via Lutz Jänicke, resolves #1014] *) Prompt for pass phrases when appropriate for PKCS12 input format. [Steve Henson] @@ -4442,7 +5177,7 @@ pointers passed to them whenever necessary. Otherwise it is possible the caller may have overwritten (or deallocated) the original string data when a later ENGINE operation tries to use the stored values. - [Götz Babin-Ebell ] + [Götz Babin-Ebell ] *) Improve diagnostics in file reading and command-line digests. [Ben Laurie aided and abetted by Solar Designer ] @@ -6547,7 +7282,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) BN_sqr() bug fix. - [Ulf Möller, reported by Jim Ellis ] + [Ulf Möller, reported by Jim Ellis ] *) Rabin-Miller test analyses assume uniformly distributed witnesses, so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() @@ -6707,7 +7442,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Fix OAEP check. - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 @@ -6969,10 +7704,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Use better test patterns in bntest. - [Ulf Möller] + [Ulf Möller] *) rand_win.c fix for Borland C. - [Ulf Möller] + [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] @@ -7117,14 +7852,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR BIO_ctrl (for BIO pairs). - [Bodo Möller] + [Bodo Möller] *) Add DSO method for VMS. [Richard Levitte] *) Bug fix: Montgomery multiplication could produce results with the wrong sign. - [Ulf Möller] + [Ulf Möller] *) Add RPM specification openssl.spec and modify it to build three packages. The default package contains applications, application @@ -7142,7 +7877,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Don't set the two most significant bits to one when generating a random number < q in the DSA library. - [Ulf Möller] + [Ulf Möller] *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if @@ -7408,7 +8143,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Randomness polling function for Win9x, as described in: Peter Gutmann, Software Generation of Practically Strong Random Numbers. - [Ulf Möller] + [Ulf Möller] *) Fix so PRNG is seeded in req if using an already existing DSA key. @@ -7628,7 +8363,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Eliminate non-ANSI declarations in crypto.h and stack.h. - [Ulf Möller] + [Ulf Möller] *) Fix for SSL server purpose checking. Server checking was rejecting certificates which had extended key usage present @@ -7660,7 +8395,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Bugfix for linux-elf makefile.one. - [Ulf Möller] + [Ulf Möller] *) RSA_get_default_method() will now cause a default RSA_METHOD to be chosen if one doesn't exist already. @@ -7749,7 +8484,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) des_quad_cksum() byte order bug fix. - [Ulf Möller, using the problem description in krb4-0.9.7, where + [Ulf Möller, using the problem description in krb4-0.9.7, where the solution is attributed to Derrick J Brashear ] *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly @@ -7850,7 +8585,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Rolf Haberrecker ] *) Assembler module support for Mingw32. - [Ulf Möller] + [Ulf Möller] *) Shared library support for HPUX (in shlib/). [Lutz Jaenicke and Anonymous] @@ -7869,7 +8604,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] case was implemented. This caused BN_div_recp() to fail occasionally. - [Ulf Möller] + [Ulf Möller] *) Add an optional second argument to the set_label() in the perl assembly language builder. If this argument exists and is set @@ -7899,14 +8634,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Fix potential buffer overrun problem in BIO_printf(). - [Ulf Möller, using public domain code by Patrick Powell; problem + [Ulf Möller, using public domain code by Patrick Powell; problem pointed out by David Sacerdote ] *) Support EGD . New functions RAND_egd() and RAND_status(). In the command line application, the EGD socket can be specified like a seed file using RANDFILE or -rand. - [Ulf Möller] + [Ulf Möller] *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. Some CAs (e.g. Verisign) distribute certificates in this form. @@ -7939,7 +8674,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k #define OPENSSL_ALGORITHM_DEFINES #include defines all pertinent NO_ symbols, such as NO_IDEA, NO_RSA, etc. - [Richard Levitte, Ulf and Bodo Möller] + [Richard Levitte, Ulf and Bodo Möller] *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS record layer. @@ -7990,17 +8725,17 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Bug fix for BN_div_recp() for numerators with an even number of bits. - [Ulf Möller] + [Ulf Möller] *) More tests in bntest.c, and changed test_bn output. - [Ulf Möller] + [Ulf Möller] *) ./config recognizes MacOS X now. [Andy Polyakov] *) Bug fix for BN_div() when the first words of num and divsor are equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). - [Ulf Möller] + [Ulf Möller] *) Add support for various broken PKCS#8 formats, and command line options to produce them. @@ -8008,11 +8743,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to get temporary BIGNUMs from a BN_CTX. - [Ulf Möller] + [Ulf Möller] *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() for p == 0. - [Ulf Möller] + [Ulf Möller] *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and include a #define from the old name to the new. The original intent @@ -8036,7 +8771,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Source code cleanups: use const where appropriate, eliminate casts, use void * instead of char * in lhash. - [Ulf Möller] + [Ulf Möller] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of @@ -8081,13 +8816,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New function BN_pseudo_rand(). - [Ulf Möller] + [Ulf Möller] *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) bignum version of BN_from_montgomery() with the working code from SSLeay 0.9.0 (the word based version is faster anyway), and clean up the comments. - [Ulf Möller] + [Ulf Möller] *) Avoid a race condition in s2_clnt.c (function get_server_hello) that made it impossible to use the same SSL_SESSION data structure in @@ -8097,25 +8832,25 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) The return value of RAND_load_file() no longer counts bytes obtained by stat(). RAND_load_file(..., -1) is new and uses the complete file to seed the PRNG (previously an explicit byte count was required). - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes used (char *) instead of (void *) and had casts all over the place. [Steve Henson] *) Make BN_generate_prime() return NULL on error if ret!=NULL. - [Ulf Möller] + [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. - [Ulf Möller] + [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to DH_CHECK_P_NOT_SAFE_PRIME. (Check if this is true? OpenPGP calls them "strong".) - [Ulf Möller] + [Ulf Möller] *) Merge the functionality of "dh" and "gendh" programs into a new program "dhparam". The old programs are retained for now but will handle DH keys @@ -8171,7 +8906,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add missing #ifndefs that caused missing symbols when building libssl as a shared library without RSA. Use #ifndef NO_SSL2 instead of NO_RSA in ssl/s2*.c. - [Kris Kennaway , modified by Ulf Möller] + [Kris Kennaway , modified by Ulf Möller] *) Precautions against using the PRNG uninitialized: RAND_bytes() now has a return value which indicates the quality of the random data @@ -8180,7 +8915,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k guaranteed to be unique but not unpredictable. RAND_add is like RAND_seed, but takes an extra argument for an entropy estimate (RAND_seed always assumes full entropy). - [Ulf Möller] + [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes @@ -8210,7 +8945,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Honor the no-xxx Configure options when creating .DEF files. - [Ulf Möller] + [Ulf Möller] *) Add PKCS#10 attributes to field table: challengePassword, unstructuredName and unstructuredAddress. These are taken from @@ -9044,7 +9779,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) More DES library cleanups: remove references to srand/rand and delete an unused file. - [Ulf Möller] + [Ulf Möller] *) Add support for the the free Netwide assembler (NASM) under Win32, since not many people have MASM (ml) and it can be hard to obtain. @@ -9133,7 +9868,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k worked. *) Fix problems with no-hmac etc. - [Ulf Möller, pointed out by Brian Wellington ] + [Ulf Möller, pointed out by Brian Wellington ] *) New functions RSA_get_default_method(), RSA_set_method() and RSA_get_method(). These allows replacement of RSA_METHODs without having @@ -9250,7 +9985,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) DES library cleanups. - [Ulf Möller] + [Ulf Möller] *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit @@ -9293,7 +10028,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Christian Forster ] *) config now generates no-xxx options for missing ciphers. - [Ulf Möller] + [Ulf Möller] *) Support the EBCDIC character set (work in progress). File ebcdic.c not yet included because it has a different license. @@ -9406,7 +10141,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Move openssl.cnf out of lib/. - [Ulf Möller] + [Ulf Möller] *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes @@ -9463,10 +10198,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) Support Borland C++ builder. - [Janez Jere , modified by Ulf Möller] + [Janez Jere , modified by Ulf Möller] *) Support Mingw32. - [Ulf Möller] + [Ulf Möller] *) SHA-1 cleanups and performance enhancements. [Andy Polyakov ] @@ -9475,7 +10210,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Andy Polyakov ] *) Accept any -xxx and +xxx compiler options in Configure. - [Ulf Möller] + [Ulf Möller] *) Update HPUX configuration. [Anonymous] @@ -9508,7 +10243,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) OAEP decoding bug fix. - [Ulf Möller] + [Ulf Möller] *) Support INSTALL_PREFIX for package builders, as proposed by David Harris. @@ -9531,21 +10266,21 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Niels Poppe ] *) New Configure option no- (rsa, idea, rc5, ...). - [Ulf Möller] + [Ulf Möller] *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for extension adding in x509 utility. [Steve Henson] *) Remove NOPROTO sections and error code comments. - [Ulf Möller] + [Ulf Möller] *) Partial rewrite of the DEF file generator to now parse the ANSI prototypes. [Steve Henson] *) New Configure options --prefix=DIR and --openssldir=DIR. - [Ulf Möller] + [Ulf Möller] *) Complete rewrite of the error code script(s). It is all now handled by one script at the top level which handles error code gathering, @@ -9574,7 +10309,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Move the autogenerated header file parts to crypto/opensslconf.h. - [Ulf Möller] + [Ulf Möller] *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 8 of keying material. Merlin has also confirmed interop with this fix @@ -9592,13 +10327,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Andy Polyakov ] *) Change functions to ANSI C. - [Ulf Möller] + [Ulf Möller] *) Fix typos in error codes. - [Martin Kraemer , Ulf Möller] + [Martin Kraemer , Ulf Möller] *) Remove defunct assembler files from Configure. - [Ulf Möller] + [Ulf Möller] *) SPARC v8 assembler BIGNUM implementation. [Andy Polyakov ] @@ -9635,7 +10370,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New Configure option "rsaref". - [Ulf Möller] + [Ulf Möller] *) Don't auto-generate pem.h. [Bodo Moeller] @@ -9683,7 +10418,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New functions DSA_do_sign and DSA_do_verify to provide access to the raw DSA values prior to ASN.1 encoding. - [Ulf Möller] + [Ulf Möller] *) Tweaks to Configure [Niels Poppe ] @@ -9693,11 +10428,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New variables $(RANLIB) and $(PERL) in the Makefiles. - [Ulf Möller] + [Ulf Möller] *) New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486. - [Ulf Möller] + [Ulf Möller] *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the @@ -10236,7 +10971,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Hagino ] *) File was opened incorrectly in randfile.c. - [Ulf Möller ] + [Ulf Möller ] *) Beginning of support for GeneralizedTime. d2i, i2d, check and print functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or @@ -10246,7 +10981,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Correct Linux 1 recognition in config. - [Ulf Möller ] + [Ulf Möller ] *) Remove pointless MD5 hash when using DSA keys in ca. [Anonymous ] @@ -10393,7 +11128,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but was already fixed by Eric for 0.9.1 it seems. - [Ben Laurie - pointed out by Ulf Möller ] + [Ben Laurie - pointed out by Ulf Möller ] *) Autodetect FreeBSD3. [Ben Laurie]