evp: prevent underflow in base64 decoding

[openssl.git] / FAQ

diff --git a/FAQ b/FAQ
index 1080069a04ca8719fb71889318b111a79213a908..59d135396edc0bcac119f6c39808c1a4221f925f 100644 (file)
--- a/FAQ
+++ b/FAQ
@@ -10,6 +10,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?

+* How does the versioning scheme work?

 
 [LEGAL] Legal questions
 
 
 [LEGAL] Legal questions
 


@@ -52,6 +53,9 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL test suite fail in sha512t on x86 CPU?
 * Why does compiler fail to compile sha512.c?
 * Test suite still fails, what to do?
 * Why does the OpenSSL test suite fail in sha512t on x86 CPU?
 * Why does compiler fail to compile sha512.c?
 * Test suite still fails, what to do?

+* I think I've found a bug, what should I do?
+* I'm SURE I've found a bug, how do I report it?
+* I've found a security issue, how do I report it?

 
 [PROG] Questions about programming with OpenSSL
 
 
 [PROG] Questions about programming with OpenSSL
 


@@ -79,11 +83,11 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.

-OpenSSL 0.9.8n was released on Mar 24th, 2010.
+OpenSSL 1.0.1e was released on Feb 11th, 2013.

 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.
+ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.

 
 
 * Where is the documentation?
 
 
 * Where is the documentation?


@@ -105,7 +109,9 @@ In addition, you can read the most current versions at
 <URL: http://www.openssl.org/docs/>. Note that the online documents refer
 to the very latest development versions of OpenSSL and may include features
 not present in released versions. If in doubt refer to the documentation
 <URL: http://www.openssl.org/docs/>. Note that the online documents refer
 to the very latest development versions of OpenSSL and may include features
 not present in released versions. If in doubt refer to the documentation

-that came with the version of OpenSSL you are using.
+that came with the version of OpenSSL you are using. The pod format
+documentation is included in each OpenSSL distribution under the docs
+directory.

 
 For information on parts of libcrypto that are not yet documented, you
 might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
 
 For information on parts of libcrypto that are not yet documented, you
 might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's


@@ -131,7 +137,7 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from
 * Where can I get a compiled version of OpenSSL?
 
 You can finder pointers to binary distributions in
 * Where can I get a compiled version of OpenSSL?
 
 You can finder pointers to binary distributions in

-http://www.openssl.org/related/binaries.html .
+<URL: http://www.openssl.org/related/binaries.html> .

 
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
 
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL


@@ -170,6 +176,19 @@ just do:
 
    pgp TARBALL.asc
 
 
    pgp TARBALL.asc
 

+* How does the versioning scheme work?
+
+After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter 
+releases (e.g. 1.0.1a) can only contain bug and security fixes and no
+new features. Minor releases change the last number (e.g. 1.0.2) and 
+can contain new features that retain binary compatibility. Changes to
+the middle number are considered major releases and neither source nor
+binary compatibility is guaranteed.
+
+Therefore the answer to the common question "when will feature X be
+backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
+in the next minor release.
+

 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?


@@ -281,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.)
 Check out the CA.pl(1) manual page. This provides a simple wrapper round
 the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
 out the manual pages for the individual utilities and the certificate
 Check out the CA.pl(1) manual page. This provides a simple wrapper round
 the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
 out the manual pages for the individual utilities and the certificate

-extensions documentation (currently in doc/openssl.txt).
+extensions documentation (in ca(1), req(1), x509v3_config(5) )

 
 
 * Why can't I create certificate requests?
 
 
 * Why can't I create certificate requests?


@@ -463,7 +482,7 @@ administrators.
 Other projects do have other policies so you can for example extract the CA
 bundle used by Mozilla and/or modssl as described in this article:
 
 Other projects do have other policies so you can for example extract the CA
 bundle used by Mozilla and/or modssl as described in this article:
 

-  http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+  <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>

 
 
 [BUILD] =======================================================================
 
 
 [BUILD] =======================================================================


@@ -505,7 +524,7 @@ when you run the test suite (using "make test").  The message returned is
 "bc: 1 not implemented".
 
 The best way to deal with this is to find another implementation of bc
 "bc: 1 not implemented".
 
 The best way to deal with this is to find another implementation of bc

-and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>

 for download instructions) can be safely used, for example.
 
 
 for download instructions) can be safely used, for example.
 
 


@@ -516,7 +535,7 @@ that the OpenSSL bntest throws at it.  This gets triggered when you run the
 test suite (using "make test").  The message returned is "bc: stack empty".
 
 The best way to deal with this is to find another implementation of bc
 test suite (using "make test").  The message returned is "bc: stack empty".
 
 The best way to deal with this is to find another implementation of bc

-and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it.  GNU bc (see <URL: http://www.gnu.org/software/software.html>

 for download instructions) can be safely used, for example.
 
 
 for download instructions) can be safely used, for example.
 
 


@@ -709,6 +728,49 @@ never make sense, and tend to emerge when you least expect them. In order
 to identify one, drop optimization level, e.g. by editing CFLAG line in
 top-level Makefile, recompile and re-run the test.
 
 to identify one, drop optimization level, e.g. by editing CFLAG line in
 top-level Makefile, recompile and re-run the test.
 

+* I think I've found a bug, what should I do?
+
+If you are a new user then it is quite likely you haven't found a bug and
+something is happening you aren't familiar with. Check this FAQ, the associated
+documentation and the mailing lists for similar queries. If you are still
+unsure whether it is a bug or not submit a query to the openssl-users mailing
+list.
+
+
+* I'm SURE I've found a bug, how do I report it?
+
+Bug reports with no security implications should be sent to the request
+tracker. This can be done by mailing the report to <rt@openssl.org> (or its
+alias <openssl-bugs@openssl.org>), please note that messages sent to the
+request tracker also appear in the public openssl-dev mailing list.
+
+The report should be in plain text. Any patches should be sent as
+plain text attachments because some mailers corrupt patches sent inline.
+If your issue affects multiple versions of OpenSSL check any patches apply
+cleanly and, if possible include patches to each affected version.
+
+The report should be given a meaningful subject line briefly summarising the
+issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
+
+By sending reports to the request tracker the bug can then be given a priority
+and assigned to the appropriate maintainer. The history of discussions can be
+accessed and if the issue has been addressed or a reason why not. If patches
+are only sent to openssl-dev they can be mislaid if a team member has to
+wade through months of old messages to review the discussion.
+
+See also <URL: http://www.openssl.org/support/rt.html>
+
+
+* I've found a security issue, how do I report it?
+
+If you think your bug has security implications then please send it to
+openssl-security@openssl.org if you don't get a prompt reply at least 
+acknowledging receipt then resend or mail it directly to one of the
+more active team members (e.g. Steve).
+
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+

 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?


@@ -722,7 +784,7 @@ file.
 Multi-threaded applications must provide two callback functions to
 OpenSSL by calling CRYPTO_set_locking_callback() and
 CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
 Multi-threaded applications must provide two callback functions to
 OpenSSL by calling CRYPTO_set_locking_callback() and
 CRYPTO_set_id_callback(), for all versions of OpenSSL up to and

-including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback()
+including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()

 and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
 and friends. This is described in the threads(3) manpage.
 
 and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
 and friends. This is described in the threads(3) manpage.