X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=79ef46254ff78bf912e8c1c2357ca31596747844;hp=6b11989fe62fa0e9c0a2be476f5832545dd8cb17;hb=47e6a60e42c84a18b832b9c48e176736d18204a8;hpb=ba64ae6cd13182f4f1d99beed8274e17bf8a92b7 diff --git a/CHANGES b/CHANGES index 6b11989fe6..79ef46254f 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,63 @@ Changes between 1.0.0 and 1.1.0 [xx XXX xxxx] + *) New -sigopt option to the ca, req and x509 utilities. Additional + signature parameters can be passed using this option and in + particular PSS. + [Steve Henson] + + *) Add RSA PSS signing function. This will generate and set the + appropriate AlgorithmIdentifiers for PSS based on those in the + corresponding EVP_MD_CTX structure. No application support yet. + [Steve Henson] + + *) Support for companion algorithm specific ASN1 signing routines. + New function ASN1_item_sign_ctx() signs a pre-initialised + EVP_MD_CTX structure and sets AlgorithmIdentifiers based on + the appropriate parameters. + [Steve Henson] + + *) Add new algorithm specific ASN1 verification initialisation function + to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1 + handling will be the same no matter what EVP_PKEY_METHOD is used. + Add a PSS handler to support verification of PSS signatures: checked + against a number of sample certificates. + [Steve Henson] + + *) Add signature printing for PSS. Add PSS OIDs. + [Steve Henson, Martin Kaiser ] + + *) Add algorithm specific signature printing. An individual ASN1 method + can now print out signatures instead of the standard hex dump. + + More complex signatures (e.g. PSS) can print out more meaningful + information. Include DSA version that prints out the signature + parameters r, s. + [Steve Henson] + + *) Add -trusted_first option which attempts to find certificates in the + trusted store even if an untrusted chain is also supplied. + [Steve Henson] + + *) Initial experimental support for explicitly trusted non-root CAs. + OpenSSL still tries to build a complete chain to a root but if an + intermediate CA has a trust setting included that is used. The first + setting is used: whether to trust or reject. + [Steve Henson] + + *) New -verify_name option in command line utilities to set verification + parameters by name. + [Steve Henson] + + *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE. + Add CMAC pkey methods. + [Steve Henson] + + *) Experiemental regnegotiation in s_server -www mode. If the client + browses /reneg connection is renegotiated. If /renegcert it is + renegotiated requesting a certificate. + [Steve Henson] + *) Add an "external" session cache for debugging purposes to s_server. This should help trace issues which normally are only apparent in deployed multi-process servers. @@ -42,7 +99,12 @@ whose return value is often ignored. [Steve Henson] - Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx] + Changes between 0.9.8n and 1.0.0 [xx XXX xxxx] + + *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher + context. The operation can be customised via the ctrl mechanism in + case ENGINEs want to include additional functionality. + [Steve Henson] *) Tolerate yet another broken PKCS#8 key format: private key value negative. [Steve Henson] @@ -56,10 +118,6 @@ it from client hello again. Don't allow server to change algorithm. [Steve Henson] - *) Constify crypto/cast (i.e., ): a CAST_KEY doesn't - change when encrypting or decrypting. - [Bodo Moeller] - *) Add load_crls() function to apps tidying load_certs() too. Add option to verify utility to allow additional CRLs to be included. [Steve Henson] @@ -881,8 +939,43 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] + + Changes between 0.9.8m and 0.9.8n [24 Mar 2010] + + *) When rejecting SSL/TLS records due to an incorrect version number, never + update s->server with a new major version number. As of + - OpenSSL 0.9.8m if 'short' is a 16-bit type, + - OpenSSL 0.9.8f if 'short' is longer than 16 bits, + the previous behavior could result in a read attempt at NULL when + receiving specific incorrect SSL/TLS records once record payload + protection is active. (CVE-2010-####) + [Bodo Moeller, Adam Langley] + + *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL + could be crashed if the relevant tables were not present (e.g. chrooted). + [Tomas Hoger ] + + Changes between 0.9.8l and 0.9.8m [25 Feb 2010] - Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx] + *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) + [Martin Olsson, Neel Mehta] + + *) Fix X509_STORE locking: Every 'objs' access requires a lock (to + accommodate for stack sorting, always a write lock!). + [Bodo Moeller] + + *) On some versions of WIN32 Heap32Next is very slow. This can cause + excessive delays in the RAND_poll(): over a minute. As a workaround + include a time check in the inner Heap32Next loop too. + [Steve Henson] + + *) The code that handled flushing of data in SSL/TLS originally used the + BIO_CTRL_INFO ctrl to see if any data was pending first. This caused + the problem outlined in PR#1949. The fix suggested there however can + trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions + of Apache). So instead simplify the code to flush unconditionally. + This should be fine since flushing with no data to flush is a no op. + [Steve Henson] *) Handle TLS versions 2.0 and later properly and correctly use the highest version of TLS/SSL supported. Although TLS >= 2.0 is some way @@ -891,15 +984,19 @@ *) Modify compression code so it frees up structures without using the ex_data callbacks. This works around a problem where some applications - call CRYPTO_free_all_ex_data() before application exit (e.g. when + call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when restarting) then use compression (e.g. SSL with compression) later. This results in significant per-connection memory leaks and has caused some security issues including CVE-2008-1678 and CVE-2009-4355. [Steve Henson] + *) Constify crypto/cast (i.e., ): a CAST_KEY doesn't + change when encrypting or decrypting. + [Bodo Moeller] + *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to - connect (but not renegotiate) with servers which do not support RI. + connect and renegotiate with servers which do not support RI. Until RI is more widely deployed this option is enabled by default. [Steve Henson] @@ -907,14 +1004,14 @@ [Steve Henson] *) If client attempts to renegotiate and doesn't support RI respond with - a no_renegotiation alert as required by draft-ietf-tls-renegotiation. - Some renegotiating TLS clients will continue a connection gracefully - when they receive the alert. Unfortunately OpenSSL mishandled - this alert and would hang waiting for a server hello which it will never - receive. Now we treat a received no_renegotiation alert as a fatal - error. This is because applications requesting a renegotiation might well - expect it to succeed and would have no code in place to handle the server - denying it so the only safe thing to do is to terminate the connection. + a no_renegotiation alert as required by RFC5746. Some renegotiating + TLS clients will continue a connection gracefully when they receive + the alert. Unfortunately OpenSSL mishandled this alert and would hang + waiting for a server hello which it will never receive. Now we treat a + received no_renegotiation alert as a fatal error. This is because + applications requesting a renegotiation might well expect it to succeed + and would have no code in place to handle the server denying it so the + only safe thing to do is to terminate the connection. [Steve Henson] *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if @@ -926,10 +1023,9 @@ the updated NID creation version. This should correctly handle UTF8. [Steve Henson] - *) Implement draft-ietf-tls-renegotiation-03. Re-enable - renegotiation but require the extension as needed. Unfortunately, - SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a - bad idea. It has been replaced by + *) Implement RFC5746. Re-enable renegotiation but require the extension + as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION + turns out to be a bad idea. It has been replaced by SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with SSL_CTX_set_options(). This is really not recommended unless you know what you are doing.