X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=b94b8e97269f26df274054929b24983b6f12c55f;hp=70b846e3a9b0fc24cbb4a08ace614fd605d2e013;hb=034d55cd5c82517418708a0b41b94f20911774c0;hpb=4f4d13b146b7d90b63f4cef1d7a0437ac9441332 diff --git a/CHANGES b/CHANGES index 70b846e3a9..b94b8e9726 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,603 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2g and 1.1.0 [xx XXX xxxx] + This is a high-level summary of the most important changes. + For a full list of changes, see the git commit log; for example, + https://github.com/openssl/openssl/commits/ and pick the appropriate + release branch. + + Changes between 1.1.0f and 1.1.1 [xx XXX xxxx] + + *) Support for TLSv1.3 added. Note that users upgrading from an earlier + version of OpenSSL should review their configuration settings to ensure + that they are still appropriate for TLSv1.3. In particular if no TLSv1.3 + ciphersuites are enabled then OpenSSL will refuse to make a connection + unless (1) TLSv1.3 is explicitly disabled or (2) the ciphersuite + configuration is updated to include suitable ciphersuites. The DEFAULT + ciphersuite configuration does include TLSv1.3 ciphersuites. For further + information on this and other related issues please see: + https://www.openssl.org/blog/blog/2018/02/08/tlsv1.3/ + + NOTE: In this pre-release of OpenSSL a draft version of the + TLSv1.3 standard has been implemented. Implementations of different draft + versions of the standard do not inter-operate, and this version will not + inter-operate with an implementation of the final standard when it is + eventually published. Different pre-release versions may implement + different versions of the draft. The final version of OpenSSL 1.1.1 will + implement the final version of the standard. + TODO(TLS1.3): Remove the above note before final release + [Matt Caswell] + + *) Changed Configure so it only says what it does and doesn't dump + so much data. Instead, ./configdata.pm should be used as a script + to display all sorts of configuration data. + [Richard Levitte] + + *) Added processing of "make variables" to Configure. + [Richard Levitte] + + *) Added SHA512/224 and SHA512/256 algorithm support. + [Paul Dale] + + *) The last traces of Netware support, first removed in 1.1.0, have + now been removed. + [Rich Salz] + + *) Get rid of Makefile.shared, and in the process, make the processing + of certain files (rc.obj, or the .def/.map/.opt files produced from + the ordinal files) more visible and hopefully easier to trace and + debug (or make silent). + [Richard Levitte] + + *) Make it possible to have environment variable assignments as + arguments to config / Configure. + [Richard Levitte] + + *) Add multi-prime RSA (RFC 8017) support. + [Paul Yang] + + *) Add SM3 implemented according to GB/T 32905-2016 + [ Jack Lloyd , + Ronald Tse , + Erick Borsboom ] + + *) Add 'Maximum Fragment Length' TLS extension negotiation and support + as documented in RFC6066. + Based on a patch from Tomasz Moń + [Filipe Raimundo da Silva] + + *) Add SM4 implemented according to GB/T 32907-2016. + [ Jack Lloyd , + Ronald Tse , + Erick Borsboom ] + + *) Reimplement -newreq-nodes and ERR_error_string_n; the + original author does not agree with the license change. + [Rich Salz] + + *) Add ARIA AEAD TLS support. + [Jon Spillett] + + *) Some macro definitions to support VS6 have been removed. Visual + Studio 6 has not worked since 1.1.0 + [Rich Salz] + + *) Add ERR_clear_last_mark(), to allow callers to clear the last mark + without clearing the errors. + [Richard Levitte] + + *) Add "atfork" functions. If building on a system that without + pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application + requirements. The RAND facility now uses/requires this. + [Rich Salz] + + *) Add SHA3. + [Andy Polyakov] + + *) The UI API becomes a permanent and integral part of libcrypto, i.e. + not possible to disable entirely. However, it's still possible to + disable the console reading UI method, UI_OpenSSL() (use UI_null() + as a fallback). + + To disable, configure with 'no-ui-console'. 'no-ui' is still + possible to use as an alias. Check at compile time with the + macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still + possible to check and is an alias for OPENSSL_NO_UI_CONSOLE. + [Richard Levitte] + + *) Add a STORE module, which implements a uniform and URI based reader of + stores that can contain keys, certificates, CRLs and numerous other + objects. The main API is loosely based on a few stdio functions, + and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof, + OSSL_STORE_error and OSSL_STORE_close. + The implementation uses backends called "loaders" to implement arbitrary + URI schemes. There is one built in "loader" for the 'file' scheme. + [Richard Levitte] + + *) Add devcrypto engine. This has been implemented against cryptodev-linux, + then adjusted to work on FreeBSD 8.4 as well. + Enable by configuring with 'enable-devcryptoeng'. This is done by default + on BSD implementations, as cryptodev.h is assumed to exist on all of them. + [Richard Levitte] + + *) Module names can prefixed with OSSL_ or OPENSSL_. This affects + util/mkerr.pl, which is adapted to allow those prefixes, leading to + error code calls like this: + + OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER); + + With this change, we claim the namespaces OSSL and OPENSSL in a manner + that can be encoded in C. For the foreseeable future, this will only + affect new modules. + [Richard Levitte and Tim Hudson] + + *) Removed BSD cryptodev engine. + [Rich Salz] + + *) Add a build target 'build_all_generated', to build all generated files + and only that. This can be used to prepare everything that requires + things like perl for a system that lacks perl and then move everything + to that system and do the rest of the build there. + [Richard Levitte] + + *) In the UI interface, make it possible to duplicate the user data. This + can be used by engines that need to retain the data for a longer time + than just the call where this user data is passed. + [Richard Levitte] + + *) Ignore the '-named_curve auto' value for compatibility of applications + with OpenSSL 1.0.2. + [Tomas Mraz ] + + *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2 + bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such + alerts across multiple records (some of which could be empty). In practice + it make no sense to send an empty alert record, or to fragment one. TLSv1.3 + prohibts this altogether and other libraries (BoringSSL, NSS) do not + support this at all. Supporting it adds significant complexity to the + record layer, and its removal is unlikely to cause inter-operability + issues. + [Matt Caswell] + + *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed + with Z. These are meant to replace LONG and ZLONG and to be size safe. + The use of LONG and ZLONG is discouraged and scheduled for deprecation + in OpenSSL 1.2.0. + [Richard Levitte] + + *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string, + 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t. + [Richard Levitte, Andy Polyakov] + + *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine() + does for RSA, etc. + [Richard Levitte] + + *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target + platform rather than 'mingw'. + [Richard Levitte] + + *) The functions X509_STORE_add_cert and X509_STORE_add_crl return + success if they are asked to add an object which already exists + in the store. This change cascades to other functions which load + certificates and CRLs. + [Paul Dale] + + *) x86_64 assembly pack: annotate code with DWARF CFI directives to + facilitate stack unwinding even from assembly subroutines. + [Andy Polyakov] + + *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN. + Also remove OPENSSL_GLOBAL entirely, as it became a no-op. + [Richard Levitte] + + *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c. + VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1, + which is the minimum version we support. + [Richard Levitte] + + *) Certificate time validation (X509_cmp_time) enforces stricter + compliance with RFC 5280. Fractional seconds and timezone offsets + are no longer allowed. + [Emilia Käsper] + + *) Add support for ARIA + [Paul Dale] + + *) s_client will now send the Server Name Indication (SNI) extension by + default unless the new "-noservername" option is used. The server name is + based on the host provided to the "-connect" option unless overridden by + using "-servername". + [Matt Caswell] + + *) Add support for SipHash + [Todd Short] + + *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 + or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to + prevent issues where no progress is being made and the peer continually + sends unrecognised record types, using up resources processing them. + [Matt Caswell] + + *) 'openssl passwd' can now produce SHA256 and SHA512 based output, + using the algorithm defined in + https://www.akkadia.org/drepper/SHA-crypt.txt + [Richard Levitte] + + *) Heartbeat support has been removed; the ABI is changed for now. + [Richard Levitte, Rich Salz] + + *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd. + [Emilia Käsper] + + *) The RSA "null" method, which was partially supported to avoid patent + issues, has been replaced to always returns NULL. + [Rich Salz] + + Changes between 1.1.0g and 1.1.0h [xx XXX xxxx] + + *) Removed the OS390-Unix config target. It relied on a script that doesn't + exist. + [Rich Salz] + + *) rsaz_1024_mul_avx2 overflow bug on x86_64 + + There is an overflow bug in the AVX2 Montgomery multiplication procedure + used in exponentiation with 1024-bit moduli. No EC algorithms are affected. + Analysis suggests that attacks against RSA and DSA as a result of this + defect would be very difficult to perform and are not believed likely. + Attacks against DH1024 are considered just feasible, because most of the + work necessary to deduce information about a private key may be performed + offline. The amount of resources required for such an attack would be + significant. However, for an attack on TLS to be meaningful, the server + would have to share the DH1024 private key among multiple clients, which is + no longer an option since CVE-2016-0701. + + This only affects processors that support the AVX2 but not ADX extensions + like Intel Haswell (4th generation). + + This issue was reported to OpenSSL by David Benjamin (Google). The issue + was originally found via the OSS-Fuzz project. + (CVE-2017-3738) + [Andy Polyakov] + + Changes between 1.1.0f and 1.1.0g [2 Nov 2017] + + *) bn_sqrx8x_internal carry bug on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. + + This only affects processors that support the BMI1, BMI2 and ADX extensions + like Intel Broadwell (5th generation) and later or AMD Ryzen. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3736) + [Andy Polyakov] + + *) Malformed X.509 IPAddressFamily could cause OOB read + + If an X.509 certificate has a malformed IPAddressFamily extension, + OpenSSL could do a one-byte buffer overread. The most likely result + would be an erroneous display of the certificate in text format. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3735) + [Rich Salz] + + Changes between 1.1.0e and 1.1.0f [25 May 2017] + + *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target + platform rather than 'mingw'. + [Richard Levitte] + + *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c. + VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1, + which is the minimum version we support. + [Richard Levitte] + + Changes between 1.1.0d and 1.1.0e [16 Feb 2017] + + *) Encrypt-Then-Mac renegotiation crash + + During a renegotiation handshake if the Encrypt-Then-Mac extension is + negotiated where it was not in the original handshake (or vice-versa) then + this can cause OpenSSL to crash (dependant on ciphersuite). Both clients + and servers are affected. + + This issue was reported to OpenSSL by Joe Orton (Red Hat). + (CVE-2017-3733) + [Matt Caswell] + + Changes between 1.1.0c and 1.1.0d [26 Jan 2017] + + *) Truncated packet could crash via OOB read + + If one side of an SSL/TLS path is running on a 32-bit host and a specific + cipher is being used, then a truncated packet can cause that host to + perform an out-of-bounds read, usually resulting in a crash. + + This issue was reported to OpenSSL by Robert Święcki of Google. + (CVE-2017-3731) + [Andy Polyakov] + + *) Bad (EC)DHE parameters cause a client crash + + If a malicious server supplies bad parameters for a DHE or ECDHE key + exchange then this can result in the client attempting to dereference a + NULL pointer leading to a client crash. This could be exploited in a Denial + of Service attack. + + This issue was reported to OpenSSL by Guido Vranken. + (CVE-2017-3730) + [Matt Caswell] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very + similar to CVE-2015-3193 but must be treated as a separate problem. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3732) + [Andy Polyakov] + + Changes between 1.1.0b and 1.1.0c [10 Nov 2016] + + *) ChaCha20/Poly1305 heap-buffer-overflow + + TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to + a DoS attack by corrupting larger payloads. This can result in an OpenSSL + crash. This issue is not considered to be exploitable beyond a DoS. + + This issue was reported to OpenSSL by Robert Święcki (Google Security Team) + (CVE-2016-7054) + [Richard Levitte] + + *) CMS Null dereference + + Applications parsing invalid CMS structures can crash with a NULL pointer + dereference. This is caused by a bug in the handling of the ASN.1 CHOICE + type in OpenSSL 1.1.0 which can result in a NULL value being passed to the + structure callback if an attempt is made to free certain invalid encodings. + Only CHOICE structures using a callback which do not handle NULL value are + affected. + + This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure. + (CVE-2016-7053) + [Stephen Henson] + + *) Montgomery multiplication may produce incorrect results + + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. This is because the subroutine in + question is not used in operations with the private key itself and an input + of the attacker's direct choice. Otherwise the bug can manifest itself as + transient authentication and key negotiation failures or reproducible + erroneous outcome of public-key operations with specially crafted input. + Among EC algorithms only Brainpool P-512 curves are affected and one + presumably can attack ECDH key negotiation. Impact was not analyzed in + detail, because pre-requisites for attack are considered unlikely. Namely + multiple clients have to choose the curve in question and the server has to + share the private key among them, neither of which is default behaviour. + Even then only clients that chose the curve will be affected. + + This issue was publicly reported as transient failures and was not + initially recognized as a security issue. Thanks to Richard Morgan for + providing reproducible case. + (CVE-2016-7055) + [Andy Polyakov] + + *) Removed automatic addition of RPATH in shared libraries and executables, + as this was a remainder from OpenSSL 1.0.x and isn't needed any more. + [Richard Levitte] + + Changes between 1.1.0a and 1.1.0b [26 Sep 2016] + + *) Fix Use After Free for large message sizes + + The patch applied to address CVE-2016-6307 resulted in an issue where if a + message larger than approx 16k is received then the underlying buffer to + store the incoming message is reallocated and moved. Unfortunately a + dangling pointer to the old location is left which results in an attempt to + write to the previously freed location. This is likely to result in a + crash, however it could potentially lead to execution of arbitrary code. + + This issue only affects OpenSSL 1.1.0a. + + This issue was reported to OpenSSL by Robert Święcki. + (CVE-2016-6309) + [Matt Caswell] + + Changes between 1.1.0 and 1.1.0a [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth + + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp" build time option are not affected. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6304) + [Matt Caswell] + + *) SSL_peek() hang on empty record + + OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer + sends an empty record. This could be exploited by a malicious peer in a + Denial Of Service attack. + + This issue was reported to OpenSSL by Alex Gaynor. + (CVE-2016-6305) + [Matt Caswell] + + *) Excessive allocation of memory in tls_get_message_header() and + dtls1_preprocess_fragment() + + A (D)TLS message includes 3 bytes for its length in the header for the + message. This would allow for messages up to 16Mb in length. Messages of + this length are excessive and OpenSSL includes a check to ensure that a + peer is sending reasonably sized messages in order to avoid too much memory + being consumed to service a connection. A flaw in the logic of version + 1.1.0 means that memory for the message is allocated too early, prior to + the excessive message length check. Due to way memory is allocated in + OpenSSL this could mean an attacker could force up to 21Mb to be allocated + to service a connection. This could lead to a Denial of Service through + memory exhaustion. However, the excessive message length check still takes + place, and this would cause the connection to immediately fail. Assuming + that the application calls SSL_free() on the failed connection in a timely + manner then the 21Mb of allocated memory will then be immediately freed + again. Therefore the excessive memory allocation will be transitory in + nature. This then means that there is only a security impact if: + + 1) The application does not call SSL_free() in a timely manner in the event + that the connection fails + or + 2) The application is working in a constrained environment where there is + very little free memory + or + 3) The attacker initiates multiple connection attempts such that there are + multiple connections in a state where memory has been allocated for the + connection; SSL_free() has not yet been called; and there is insufficient + memory to service the multiple requests. + + Except in the instance of (1) above any Denial Of Service is likely to be + transitory because as soon as the connection fails the memory is + subsequently freed again in the SSL_free() call. However there is an + increased risk during this period of application crashes due to the lack of + memory - which would then mean a more serious Denial of Service. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6307 and CVE-2016-6308) + [Matt Caswell] + + *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler, + had to be removed. Primary reason is that vendor assembler can't + assemble our modules with -KPIC flag. As result it, assembly + support, was not even available as option. But its lack means + lack of side-channel resistant code, which is incompatible with + security by todays standards. Fortunately gcc is readily available + prepackaged option, which we firmly point at... + [Andy Polyakov] + + Changes between 1.0.2h and 1.1.0 [25 Aug 2016] + + *) Windows command-line tool supports UTF-8 opt-in option for arguments + and console input. Setting OPENSSL_WIN32_UTF8 environment variable + (to any value) allows Windows user to access PKCS#12 file generated + with Windows CryptoAPI and protected with non-ASCII password, as well + as files generated under UTF-8 locale on Linux also protected with + non-ASCII password. + [Andy Polyakov] + + *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites + have been disabled by default and removed from DEFAULT, just like RC4. + See the RC4 item below to re-enable both. + [Rich Salz] + + *) The method for finding the storage location for the Windows RAND seed file + has changed. First we check %RANDFILE%. If that is not set then we check + the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If + all else fails we fall back to C:\. + [Matt Caswell] + + *) The EVP_EncryptUpdate() function has had its return type changed from void + to int. A return of 0 indicates and error while a return of 1 indicates + success. + [Matt Caswell] + + *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and + DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch + off the constant time implementation for RSA, DSA and DH have been made + no-ops and deprecated. + [Matt Caswell] + + *) Windows RAND implementation was simplified to only get entropy by + calling CryptGenRandom(). Various other RAND-related tickets + were also closed. + [Joseph Wylie Yandle, Rich Salz] + + *) The stack and lhash API's were renamed to start with OPENSSL_SK_ + and OPENSSL_LH_, respectively. The old names are available + with API compatibility. They new names are now completely documented. + [Rich Salz] + + *) Unify TYPE_up_ref(obj) methods signature. + SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(), + X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an + int (instead of void) like all others TYPE_up_ref() methods. + So now these methods also check the return value of CRYPTO_atomic_add(), + and the validity of object reference counter. + [fdasilvayy@gmail.com] + + *) With Windows Visual Studio builds, the .pdb files are installed + alongside the installed libraries and executables. For a static + library installation, ossl_static.pdb is the associate compiler + generated .pdb file to be used when linking programs. + [Richard Levitte] + + *) Remove openssl.spec. Packaging files belong with the packagers. + [Richard Levitte] + + *) Automatic Darwin/OSX configuration has had a refresh, it will now + recognise x86_64 architectures automatically. You can still decide + to build for a different bitness with the environment variable + KERNEL_BITS (can be 32 or 64), for example: + + KERNEL_BITS=32 ./config + + [Richard Levitte] + + *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0, + 256 bit AES and HMAC with SHA256. + [Steve Henson] + + *) Remove support for MIPS o32 ABI on IRIX (and IRIX only). + [Andy Polyakov] + + *) Triple-DES ciphers have been moved from HIGH to MEDIUM. + [Rich Salz] + + *) To enable users to have their own config files and build file templates, + Configure looks in the directory indicated by the environment variable + OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/ + directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical + name and is used as is. + [Richard Levitte] + + *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX, + X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type + X509_CERT_FILE_CTX was removed. + [Rich Salz] + + *) "shared" builds are now the default. To create only static libraries use + the "no-shared" Configure option. + [Matt Caswell] *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options. All of these option have not worked for some while and are fundamental @@ -121,19 +717,13 @@ [Emilia Käsper] *) Add X25519 support. - Integrate support for X25519 into EC library. This includes support + Add ASN.1 and EVP_PKEY methods for X25519. This includes support for public and private key encoding using the format documented in - draft-josefsson-pkix-newcurves-01: specifically X25519 uses the - OID from that draft, encodes public keys using little endian - format in the ECPoint structure and private keys using - little endian form in the privateKey field of the ECPrivateKey - structure. TLS support complies with draft-ietf-tls-rfc4492bis-06 - and uses X25519(29). + draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports + key generation and key derivation. - Note: the current version supports key generation, public and - private key encoding and ECDH key agreement using the EC API. - Low level point operations such as EC_POINT_add(), EC_POINT_mul() - are NOT supported. + TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses + X25519(29). [Steve Henson] *) Deprecate SRP_VBASE_get_by_user. @@ -213,6 +803,12 @@ template in Configurations, like unix-Makefile.tmpl or descrip.mms.tmpl. + With this change, the library names were also renamed on Windows + and on VMS. They now have names that are closer to the standard + on Unix, and include the major version number, and in certain + cases, the architecture they are built for. See "Notes on shared + libraries" in INSTALL. + We rely heavily on the perl module Text::Template. [Richard Levitte] @@ -367,7 +963,7 @@ *) Add support for setting the minimum and maximum supported protocol. It can bet set via the SSL_set_min_proto_version() and SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and - MaxProtcol. It's recommended to use the new APIs to disable + MaxProtocol. It's recommended to use the new APIs to disable protocols instead of disabling individual protocols using SSL_set_options() or SSL_CONF's Protocol. This change also removes support for disabling TLS 1.2 in the OpenSSL TLS @@ -628,7 +1224,7 @@ done while fixing the error code for the key-too-small case. [Annie Yousar ] - *) CA.sh has been removmed; use CA.pl instead. + *) CA.sh has been removed; use CA.pl instead. [Rich Salz] *) Removed old DES API. @@ -717,13 +1313,13 @@ [Steve Henson] *) Experimental encrypt-then-mac support. - + Experimental support for encrypt then mac from draft-gutmann-tls-encrypt-then-mac-02.txt To enable it set the appropriate extension number (0x42 for the test server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 - + For non-compliant peers (i.e. just about everything) this should have no effect. @@ -774,7 +1370,7 @@ *) Use separate DRBG fields for internal and external flags. New function FIPS_drbg_health_check() to perform on demand health checking. Add - generation tests to fips_test_suite with reduced health check interval to + generation tests to fips_test_suite with reduced health check interval to demonstrate periodic health checking. Add "nodh" option to fips_test_suite to skip very slow DH test. [Steve Henson] @@ -788,11 +1384,7 @@ combination: call this in fips_test_suite. [Steve Henson] - *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test - and POST to handle Dual EC cases. - [Steve Henson] - - *) Add support for canonical generation of DSA parameter 'g'. See + *) Add support for canonical generation of DSA parameter 'g'. See FIPS 186-3 A.2.3. *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and @@ -816,7 +1408,7 @@ requested amount of entropy. [Steve Henson] - *) Add PRNG security strength checks to RSA, DSA and ECDSA using + *) Add PRNG security strength checks to RSA, DSA and ECDSA using information in FIPS186-3, SP800-57 and SP800-131A. [Steve Henson] @@ -908,7 +1500,7 @@ can be set or retrieved with a ctrl. The IV length is by default 12 bytes (96 bits) but can be set to an alternative value. If the IV length exceeds the maximum IV length (currently 16 bytes) it cannot be - set before the key. + set before the key. [Steve Henson] *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the @@ -951,7 +1543,7 @@ Add CMAC pkey methods. [Steve Henson] - *) Experimental renegotiation in s_server -www mode. If the client + *) Experimental renegotiation in s_server -www mode. If the client browses /reneg connection is renegotiated. If /renegcert it is renegotiated requesting a certificate. [Steve Henson] @@ -971,7 +1563,7 @@ *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of a gcc attribute to warn if the result of a function is ignored. This is enable if DEBUG_UNUSED is set. Add to several functions in evp.h - whose return value is often ignored. + whose return value is often ignored. [Steve Henson] *) New -noct, -requestct, -requirect and -ctlogfile options for s_client. @@ -979,6 +1571,103 @@ validated when establishing a connection. [Rob Percival ] + Changes between 1.0.2g and 1.0.2h [3 May 2016] + + *) Prevent padding oracle in AES-NI CBC MAC check + + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + + This issue was introduced as part of the fix for Lucky 13 padding + attack (CVE-2013-0169). The padding check was rewritten to be in + constant time by making sure that always the same bytes are read and + compared against either the MAC or padding bytes. But it no longer + checked that there was enough data to have both the MAC and padding + bytes. + + This issue was reported by Juraj Somorovsky using TLS-Attacker. + (CVE-2016-2107) + [Kurt Roeckx] + + *) Fix EVP_EncodeUpdate overflow + + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + + Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by + the PEM_write_bio* family of functions. These are mainly used within the + OpenSSL command line applications, so any application which processes data + from an untrusted source and outputs it as a PEM file should be considered + vulnerable to this issue. User applications that call these APIs directly + with large amounts of untrusted data may also be vulnerable. + + This issue was reported by Guido Vranken. + (CVE-2016-2105) + [Matt Caswell] + + *) Fix EVP_EncryptUpdate overflow + + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. Following an analysis of all OpenSSL + internal usage of the EVP_EncryptUpdate() function all usage is one of two + forms. The first form is where the EVP_EncryptUpdate() call is known to be + the first called function after an EVP_EncryptInit(), and therefore that + specific call must be safe. The second form is where the length passed to + EVP_EncryptUpdate() can be seen from the code to be some small value and + therefore there is no possibility of an overflow. Since all instances are + one of these two forms, it is believed that there can be no overflows in + internal code due to this problem. It should be noted that + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances + of these calls have also been analysed too and it is believed there are no + instances in internal usage where an overflow could occur. + + This issue was reported by Guido Vranken. + (CVE-2016-2106) + [Matt Caswell] + + *) Prevent ASN.1 BIO excessive memory allocation + + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can cause allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + + Any application parsing untrusted data through d2i BIO functions is + affected. The memory based functions such as d2i_X509() are *not* affected. + Since the memory based functions are used by the TLS library, TLS + applications are not affected. + + This issue was reported by Brian Carpenter. + (CVE-2016-2109) + [Stephen Henson] + + *) EBCDIC overread + + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + + This issue was reported by Guido Vranken. + (CVE-2016-2176) + [Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the + default. + [Kurt Roeckx] + + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + [Kurt Roeckx] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. @@ -1217,7 +1906,7 @@ *) Alternate chains certificate forgery - During certificate verfification, OpenSSL will attempt to find an + During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be @@ -1475,7 +2164,7 @@ *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. ARMv5 through ARMv8, as opposite to "locking" it to single one. - So far those who have to target multiple plaforms would compromise + So far those who have to target multiple platforms would compromise and argue that binary targeting say ARMv5 would still execute on ARMv8. "Universal" build resolves this compromise by providing near-optimal performance even on newer platforms. @@ -1535,7 +2224,7 @@ [Steve Henson] *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): - this fixes a limiation in previous versions of OpenSSL. + this fixes a limitation in previous versions of OpenSSL. [Steve Henson] *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, @@ -1644,9 +2333,9 @@ *) Add support for certificate stores in CERT structure. This makes it possible to have different stores per SSL structure or one store in - the parent SSL_CTX. Include distint stores for certificate chain + the parent SSL_CTX. Include distinct stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN - to build and store a certificate chain in CERT structure: returing + to build and store a certificate chain in CERT structure: returning an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. @@ -1679,7 +2368,7 @@ [Steve Henson] *) Add new "valid_flags" field to CERT_PKEY structure which determines what - the certificate can be used for (if anything). Set valid_flags field + the certificate can be used for (if anything). Set valid_flags field in new tls1_check_chain function. Simplify ssl_set_cert_masks which used to have similar checks in it. @@ -1707,7 +2396,7 @@ [Steve Henson] *) Integrate hostname, email address and IP address checking with certificate - verification. New verify options supporting checking in opensl utility. + verification. New verify options supporting checking in openssl utility. [Steve Henson] *) Fixes and wildcard matching support to hostname and email checking @@ -1722,7 +2411,7 @@ *) Fix OCSP checking. [Rob Stradling and Ben Laurie] - *) Initial experimental support for explicitly trusted non-root CAs. + *) Initial experimental support for explicitly trusted non-root CAs. OpenSSL still tries to build a complete chain to a root but if an intermediate CA has a trust setting included that is used. The first setting is used: whether to trust (e.g., -addtrust option to the x509 @@ -1773,7 +2462,7 @@ to set list of supported curves. [Steve Henson] - *) New ctrls to retrieve supported signature algorithms and + *) New ctrls to retrieve supported signature algorithms and supported curve values as an array of NIDs. Extend openssl utility to print out received values. [Steve Henson] @@ -1889,7 +2578,7 @@ 3. Check DSA/ECDSA signatures use DER. - Reencode DSA/ECDSA signatures and compare with the original received + Re-encode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature @@ -1978,8 +2667,8 @@ [Adam Langley, Bodo Moeller] *) Add additional DigestInfo checks. - - Reencode DigestInto in DER and check against the original when + + Re-encode DigestInto in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures. @@ -2148,7 +2837,7 @@ Changes between 1.0.1e and 1.0.1f [6 Jan 2014] - *) Fix for TLS record tampering bug. A carefully crafted invalid + *) Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issues. (CVE-2013-4353) @@ -2176,9 +2865,9 @@ *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. - This addresses the flaw in CBC record processing discovered by + This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found - at: http://www.isg.rhul.ac.uk/tls/ + at: http://www.isg.rhul.ac.uk/tls/ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London @@ -2238,7 +2927,7 @@ *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately mean any application compiled against OpenSSL 1.0.0 headers setting - SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng + SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to 0x10000000L Any application which was previously compiled against OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 @@ -2247,7 +2936,7 @@ in unlike event, limit maximum offered version to TLS 1.0 [see below]. [Steve Henson] - *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not + *) In order to ensure interoperability SSL_OP_NO_protocolX does not disable just protocol X, but all protocols above X *if* there are protocols *below* X still enabled. In more practical terms it means that if application wants to disable TLS1.0 in favor of TLS1.1 and @@ -2296,7 +2985,7 @@ *) The format used for MDC2 RSA signatures is inconsistent between EVP and the RSA_sign/RSA_verify functions. This was made more apparent when OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular - those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect + those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect the correct format in RSA_verify so both forms transparently work. [Steve Henson] @@ -2369,7 +3058,7 @@ *) New -sigopt option to the ca, req and x509 utilities. Additional signature parameters can be passed using this option and in - particular PSS. + particular PSS. [Steve Henson] *) Add RSA PSS signing function. This will generate and set the @@ -2394,7 +3083,7 @@ [Steve Henson, Martin Kaiser ] *) Add algorithm specific signature printing. An individual ASN1 method - can now print out signatures instead of the standard hex dump. + can now print out signatures instead of the standard hex dump. More complex signatures (e.g. PSS) can print out more meaningful information. Include DSA version that prints out the signature @@ -2431,7 +3120,7 @@ *) Add GCM support to TLS library. Some custom code is needed to split the IV between the fixed (from PRF) and explicit (from TLS record) - portions. This adds all GCM ciphersuites supported by RFC5288 and + portions. This adds all GCM ciphersuites supported by RFC5288 and RFC5289. Generalise some AES* cipherstrings to include GCM and add a special AESGCM string for GCM only. [Steve Henson] @@ -2485,10 +3174,10 @@ to use them can use the private_* version instead. [Steve Henson] - *) Redirect cipher operations to FIPS module for FIPS builds. + *) Redirect cipher operations to FIPS module for FIPS builds. [Steve Henson] - *) Redirect digest operations to FIPS module for FIPS builds. + *) Redirect digest operations to FIPS module for FIPS builds. [Steve Henson] *) Update build system to add "fips" flag which will link in fipscanister.o @@ -2500,7 +3189,7 @@ This should be configurable so applications can judge speed vs strength. [Steve Henson] - *) Add TLS v1.2 server support for client authentication. + *) Add TLS v1.2 server support for client authentication. [Steve Henson] *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers @@ -2576,14 +3265,14 @@ in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 2^20 messages so it only affects automated senders. The - old behaviour can be reenabled in the CMS code by setting the + old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode for discovering this issue. (CVE-2012-0884) [Steve Henson] - *) Fix CVE-2011-4619: make sure we really are receiving a + *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode for discovering this bug. [Steve Henson] @@ -2710,12 +3399,12 @@ [Steve Henson] *) Fix WIN32 build system to correctly link an ENGINE directory into - a DLL. + a DLL. [Steve Henson] Changes between 1.0.0 and 1.0.0a [01 Jun 2010] - *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover + *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover (CVE-2010-1633) [Steve Henson, Peter-Michael Hager ] @@ -2784,7 +3473,7 @@ retrieve a digest flags is by accessing the structure directly. Update EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest or cipher is registered as in the "from" argument. Print out all - registered digests in the dgst usage message instead of manually + registered digests in the dgst usage message instead of manually attempting to work them out. [Steve Henson] @@ -2818,7 +3507,7 @@ *) Update Gost ENGINE to support parameter files. [Victor B. Wagner ] - *) Support GeneralizedTime in ca utility. + *) Support GeneralizedTime in ca utility. [Oliver Martin , Steve Henson] *) Enhance the hash format used for certificate directory links. The new @@ -2872,7 +3561,7 @@ as part of the CRL checking and indicate a new error "CRL path validation error" in this case. Applications wanting additional details can use the verify callback and check the new "parent" field. If this is not - NULL CRL path validation is taking place. Existing applications wont + NULL CRL path validation is taking place. Existing applications won't see this because it requires extended CRL support which is off by default. @@ -3015,7 +3704,7 @@ SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the opaque PRF input value to use in the handshake. This will create - an interal copy of the length-'len' string at 'src', and will + an internal copy of the length-'len' string at 'src', and will return non-zero for success. To get more control and flexibility, provide a callback function @@ -3056,7 +3745,7 @@ [Bodo Moeller] *) Update ssl code to support digests other than SHA1+MD5 for handshake - MAC. + MAC. [Victor B. Wagner ] @@ -3068,7 +3757,7 @@ If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION. - + The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification. @@ -3105,7 +3794,7 @@ *) New option -sigopt to dgst utility. Update dgst to use EVP_Digest{Sign,Verify}*. These two changes make it possible to use - alternative signing parameters such as X9.31 or PSS in the dgst + alternative signing parameters such as X9.31 or PSS in the dgst utility. [Steve Henson] @@ -3125,8 +3814,8 @@ most recently disabled ciphersuites when "HIGH" is parsed). Also, change ssl_create_cipher_list() (using this new - funcionality) such that between otherwise identical - cihpersuites, ephemeral ECDH is preferred over ephemeral DH in + functionality) such that between otherwise identical + ciphersuites, ephemeral ECDH is preferred over ephemeral DH in the default order. [Bodo Moeller] @@ -3176,14 +3865,14 @@ *) Initial incomplete changes to avoid need for function casts in OpenSSL some compilers (gcc 4.2 and later) reject their use. Safestack is - reimplemented. Update ASN1 to avoid use of legacy functions. + reimplemented. Update ASN1 to avoid use of legacy functions. [Steve Henson] *) Win32/64 targets are linked with Winsock2. [Andy Polyakov] *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected - to external functions. This can be used to increase CRL handling + to external functions. This can be used to increase CRL handling efficiency especially when CRLs are very large by (for example) storing the CRL revoked certificates in a database. [Steve Henson] @@ -3217,7 +3906,7 @@ *) New function X509_CRL_match() to check if two CRLs are identical. Normally this would be called X509_CRL_cmp() but that name is already used by - a function that just compares CRL issuer names. Cache several CRL + a function that just compares CRL issuer names. Cache several CRL extensions in X509_CRL structure and cache CRLDP in X509. [Steve Henson] @@ -3226,7 +3915,7 @@ Name comparison can then be performed rapidly using memcmp(). [Steve Henson] - *) Non-blocking OCSP request processing. Add -timeout option to ocsp + *) Non-blocking OCSP request processing. Add -timeout option to ocsp utility. [Steve Henson] @@ -3305,7 +3994,7 @@ functional reference processing. [Steve Henson] - *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of + *) New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of EVP_{Sign,Verify}* which allow an application to customise the signature process. [Steve Henson] @@ -3352,7 +4041,7 @@ type for signing if it is not explicitly indicated. [Steve Henson] - *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New + *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant signing method from the key type. This effectively removes the link between digests and public key types. @@ -3361,7 +4050,7 @@ *) Add an OID cross reference table and utility functions. Its purpose is to translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, rsaEncryption. This will allow some of the algorithm specific hackery - needed to use the correct OID to be removed. + needed to use the correct OID to be removed. [Steve Henson] *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO @@ -3377,7 +4066,7 @@ [Steve Henson] *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support - public and private key formats. As a side effect these add additional + public and private key formats. As a side effect these add additional command line functionality not previously available: DSA signatures can be generated and verified using pkeyutl and DH key support and generation in pkey, genpkey. @@ -3398,7 +4087,7 @@ *) Add functions for main EVP_PKEY_method operations. The undocumented functions EVP_PKEY_{encrypt,decrypt} have been renamed to - EVP_PKEY_{encrypt,decrypt}_old. + EVP_PKEY_{encrypt,decrypt}_old. [Steve Henson] *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public @@ -3423,7 +4112,7 @@ type. [Steve Henson] - *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New + *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), EVP_PKEY_print_param() to print public key data from an EVP_PKEY structure. @@ -3444,11 +4133,11 @@ *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members for the psk identity [hint] and the psk callback functions to the SSL_SESSION, SSL and SSL_CTX structure. - + New ciphersuites: PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, PSK-AES256-CBC-SHA - + New functions: SSL_CTX_use_psk_identity_hint SSL_get_psk_identity_hint @@ -3517,8 +4206,8 @@ [Andy Polyakov] *) New option SSL_OP_NO_COMP to disable use of compression selectively - in SSL structures. New SSL ctrl to set maximum send fragment size. - Save memory by seeting the I/O buffer sizes dynamically instead of + in SSL structures. New SSL ctrl to set maximum send fragment size. + Save memory by setting the I/O buffer sizes dynamically instead of using the maximum available value. [Steve Henson] @@ -3571,13 +4260,13 @@ protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley ] - *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL + *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger ] Changes between 0.9.8l and 0.9.8m [25 Feb 2010] - *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) + *) Always check bn_wexpand() return values for failure. (CVE-2009-3245) [Martin Olsson, Neel Mehta] *) Fix X509_STORE locking: Every 'objs' access requires a lock (to @@ -3710,11 +4399,11 @@ is already buffered was missing. For every new message was memory allocated, allowing an attacker to perform an denial of service attack with sending out of seq handshake messages until there is no memory - left. Additionally every future messege was buffered, even if the + left. Additionally every future message was buffered, even if the sequence number made no sense and would be part of another handshake. So only messages with sequence numbers less than 10 in advance will be buffered. (CVE-2009-1378) - [Robin Seggelmann, discovered by Daniel Mentz] + [Robin Seggelmann, discovered by Daniel Mentz] *) Records are buffered if they arrive with a future epoch to be processed after finishing the corresponding handshake. There is @@ -3723,11 +4412,11 @@ memory left. This patch adds the pqueue_size() function to determine the size of a buffer and limits the record buffer to 100 entries. (CVE-2009-1377) - [Robin Seggelmann, discovered by Daniel Mentz] + [Robin Seggelmann, discovered by Daniel Mentz] *) Keep a copy of frag->msg_header.frag_len so it can be used after the parent structure is freed. (CVE-2009-1379) - [Daniel Mentz] + [Daniel Mentz] *) Handle non-blocking I/O properly in SSL_shutdown() call. [Darryl Miles ] @@ -3762,7 +4451,7 @@ a legal length. (CVE-2009-0590) [Steve Henson] - *) Set S/MIME signing as the default purpose rather than setting it + *) Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level. [Steve Henson] @@ -3885,21 +4574,21 @@ This work was sponsored by Logica. [Steve Henson] - *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using + *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain - attribute creation routines such as certifcate requests and PKCS#12 + attribute creation routines such as certificate requests and PKCS#12 files. [Steve Henson] Changes between 0.9.8g and 0.9.8h [28 May 2008] *) Fix flaw if 'Server Key exchange message' is omitted from a TLS - handshake which could lead to a cilent crash as found using the - Codenomicon TLS test suite (CVE-2008-1672) + handshake which could lead to a client crash as found using the + Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox] *) Fix double free in TLS server name extensions which could lead to - a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) + a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) [Joe Orton] *) Clear error queue in SSL_CTX_use_certificate_chain_file() @@ -3962,7 +4651,7 @@ [Ian Lister (tweaked by Geoff Thorpe)] *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 - implemention in the following ways: + implementation in the following ways: Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be hard coded. @@ -4000,7 +4689,7 @@ *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior. [Bodo Moeller (Google)] - + *) Netware support: - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets @@ -4052,7 +4741,7 @@ (gcc 4.2 and later) reject their use. [Kurt Roeckx , Peter Hartley , Steve Henson] - + *) Add RFC4507 support to OpenSSL. This includes the corrections in RFC4507bis. The encrypted ticket format is an encrypted encoded SSL_SESSION structure, that way new session features are automatically @@ -4061,7 +4750,7 @@ If a client application caches session in an SSL_SESSION structure support is transparent because tickets are now stored in the encoded SSL_SESSION. - + The SSL_CTX structure automatically generates keys for ticket protection in servers so again support should be possible with no application modification. @@ -4160,7 +4849,7 @@ implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias. - Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general + Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias. @@ -4241,7 +4930,7 @@ *) Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson] - *) Fix buffer overflow in SSL_get_shared_ciphers() function. + *) Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] *) Fix SSL client code which could crash if connecting to a @@ -4328,7 +5017,7 @@ *) Disable the padding bug check when compression is in use. The padding bug check assumes the first packet is of even length, this is not - necessarily true if compresssion is enabled and can result in false + necessarily true if compression is enabled and can result in false positives causing handshake failure. The actual bug test is ancient code so it is hoped that implementations will either have fixed it by now or any which still have the bug do not support compression. @@ -4521,7 +5210,7 @@ *) New structure X509_VERIFY_PARAM which combines current verify parameters, update associated structures and add various utility functions. - Add new policy related verify parameters, include policy checking in + Add new policy related verify parameters, include policy checking in standard verify code. Enhance 'smime' application with extra parameters to support policy checking and print out. [Steve Henson] @@ -4557,7 +5246,7 @@ we can fix the problem directly in the 'ca' utility.) [Steve Henson] - *) Reduced header interdepencies by declaring more opaque objects in + *) Reduced header interdependencies by declaring more opaque objects in ossl_typ.h. As a consequence, including some headers (eg. engine.h) will give fewer recursive includes, which could break lazy source code - so this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, @@ -4570,12 +5259,12 @@ [Steve Henson] *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. - This will generate a random key of the appropriate length based on the + This will generate a random key of the appropriate length based on the cipher context. The EVP_CIPHER can provide its own random key generation - routine to support keys of a specific form. This is used in the des and + routine to support keys of a specific form. This is used in the des and 3des routines to generate a key of the correct parity. Update S/MIME code to use new functions and hence generate correct parity DES keys. - Add EVP_CHECK_DES_KEY #define to return an error if the key is not + Add EVP_CHECK_DES_KEY #define to return an error if the key is not valid (weak or incorrect parity). [Steve Henson] @@ -4688,7 +5377,7 @@ functions. [Steve Henson] - *) New function PKCS7_set0_type_other() this initializes a PKCS7 + *) New function PKCS7_set0_type_other() this initializes a PKCS7 structure of type "other". [Steve Henson] @@ -4781,7 +5470,7 @@ named like the index file with '.attr' appended to the name. [Richard Levitte] - *) Generate muti valued AVAs using '+' notation in config files for + *) Generate multi-valued AVAs using '+' notation in config files for req and dirName. [Steve Henson] @@ -4864,7 +5553,7 @@ *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD and DH_METHOD (eg. by ENGINE implementations) to override the normal software implementations. For DSA and DH, parameter generation can - also be overriden by providing the appropriate method callbacks. + also be overridden by providing the appropriate method callbacks. [Geoff Thorpe] *) Change the "progress" mechanism used in key-generation and @@ -4897,7 +5586,7 @@ [Geoff Thorpe] *) Change the ZLIB compression method to be stateful, and make it - available to TLS with the number defined in + available to TLS with the number defined in draft-ietf-tls-compression-04.txt. [Richard Levitte] @@ -4921,7 +5610,7 @@ Makefile.shared, for Cygwin's sake. [Richard Levitte] - *) Extend the BIGNUM API by creating a function + *) Extend the BIGNUM API by creating a function void BN_set_negative(BIGNUM *a, int neg); and a macro that behave like int BN_is_negative(const BIGNUM *a); @@ -4947,7 +5636,7 @@ the "shared" options was given to ./Configure or ./config. Otherwise, they are inserted in libcrypto.a. /usr/local/ssl/engines is the default directory for dynamic - engines, but that can be overriden at configure time through + engines, but that can be overridden at configure time through the usual use of --prefix and/or --openssldir, and at run time with the environment variable OPENSSL_ENGINES. [Geoff Thorpe and Richard Levitte] @@ -5074,7 +5763,7 @@ *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. Polynomials are represented as BIGNUMs (where the sign bit is not - used) in the following functions [macros]: + used) in the following functions [macros]: BN_GF2m_add BN_GF2m_sub [= BN_GF2m_add] @@ -5167,7 +5856,7 @@ EC_METHOD_get_field_type() returns this value. [Nils Larsch ] - *) Add functions + *) Add functions EC_POINT_point2bn() EC_POINT_bn2point() EC_POINT_point2hex() @@ -5226,7 +5915,7 @@ EC_GROUP_set_curve_name() EC_GROUP_get_curve_name() [Nils Larsch ] @@ -5286,7 +5975,7 @@ *) Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson] - *) Fix buffer overflow in SSL_get_shared_ciphers() function. + *) Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] *) Fix SSL client code which could crash if connecting to a @@ -5322,7 +6011,7 @@ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there. - Also deactive the remaining ciphersuites from + Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired. [Bodo Moeller] @@ -5340,10 +6029,10 @@ *) Fixes for VC++ 2005 build under Windows. [Steve Henson] - *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make + *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make from a Windows bash shell such as MSYS. It is autodetected from the "config" script when run from a VC++ environment. Modify standard VC++ - build to use fipscanister.o from the GNU make build. + build to use fipscanister.o from the GNU make build. [Steve Henson] Changes between 0.9.7h and 0.9.7i [14 Oct 2005] @@ -5456,7 +6145,7 @@ values. The OpenSSL team would like to thank the UK NISCC for bringing this issue - to our attention. + to our attention. [Stephen Henson, reported by UK NISCC] @@ -5482,8 +6171,8 @@ [Steve Henson] *) Perform some character comparisons of different types in X509_NAME_cmp: - this is needed for some certificates that reencode DNs into UTF8Strings - (in violation of RFC3280) and can't or wont issue name rollover + this is needed for some certificates that re-encode DNs into UTF8Strings + (in violation of RFC3280) and can't or won't issue name rollover certificates. [Steve Henson] @@ -5501,7 +6190,7 @@ Changes between 0.9.7d and 0.9.7e [25 Oct 2004] - *) Avoid a race condition when CRLs are checked in a multi threaded + *) Avoid a race condition when CRLs are checked in a multi threaded environment. This would happen due to the reordering of the revoked entries during signature checking and serial number lookup. Now the encoding is cached and the serial number sort performed under a lock. @@ -5525,13 +6214,13 @@ Changes between 0.9.7c and 0.9.7d [17 Mar 2004] - *) Fix null-pointer assignment in do_change_cipher_spec() revealed - by using the Codenomicon TLS Test Tool (CVE-2004-0079) - [Joe Orton, Steve Henson] + *) Fix null-pointer assignment in do_change_cipher_spec() revealed + by using the Codenomicon TLS Test Tool (CVE-2004-0079) + [Joe Orton, Steve Henson] *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites (CVE-2004-0112) - [Joe Orton, Steve Henson] + [Joe Orton, Steve Henson] *) Make it possible to have multiple active certificates with the same subject in the CA index file. This is done only if the keyword @@ -5541,7 +6230,7 @@ named like the index file with '.attr' appended to the name. [Richard Levitte] - *) X509 verify fixes. Disable broken certificate workarounds when + *) X509 verify fixes. Disable broken certificate workarounds when X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if keyUsage extension present. Don't accept CRLs with unhandled critical extensions: since verify currently doesn't process CRL extensions this @@ -5550,7 +6239,7 @@ [Steve Henson] *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. - A clarification of RFC2560 will require the use of OCTET STRINGs and + A clarification of RFC2560 will require the use of OCTET STRINGs and some implementations cannot handle the current raw format. Since OpenSSL copies and compares OCSP nonces as opaque blobs without any attempt at parsing them this should not create any compatibility issues. @@ -5574,7 +6263,7 @@ Stop out of bounds reads in the ASN1 code when presented with invalid tags (CVE-2003-0543 and CVE-2003-0544). - + Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545). If verify callback ignores invalid public key errors don't try to check @@ -5604,7 +6293,7 @@ blocks during encryption. [Richard Levitte] - *) Various fixes to base64 BIO and non blocking I/O. On write + *) Various fixes to base64 BIO and non blocking I/O. On write flushes were not handled properly if the BIO retried. On read data was not being buffered properly and had various logic bugs. This also affects blocking I/O when the data being decoded is a @@ -5652,7 +6341,7 @@ *) Target "mingw" now allows native Windows code to be generated in the Cygwin environment as well as with the MinGW compiler. - [Ulf Moeller] + [Ulf Moeller] Changes between 0.9.7 and 0.9.7a [19 Feb 2003] @@ -5688,7 +6377,7 @@ *) Allow an application to disable the automatic SSL chain building. Before this a rather primitive chain build was always performed in - ssl3_output_cert_chain(): an application had no way to send the + ssl3_output_cert_chain(): an application had no way to send the correct chain if the automatic operation produced an incorrect result. Now the chain builder is disabled if either: @@ -5936,7 +6625,7 @@ error in AES-CFB decryption. [Richard Levitte] - *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this + *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this allows existing EVP_CIPHER_CTX structures to be reused after calling EVP_*Final(). This behaviour is used by encryption BIOs and some applications. This has the side effect that @@ -5963,11 +6652,11 @@ [Lutz Jaenicke] *) Add an "init" command to the ENGINE config module and auto initialize - ENGINEs. Without any "init" command the ENGINE will be initialized - after all ctrl commands have been executed on it. If init=1 the - ENGINE is initailized at that point (ctrls before that point are run + ENGINEs. Without any "init" command the ENGINE will be initialized + after all ctrl commands have been executed on it. If init=1 the + ENGINE is initialized at that point (ctrls before that point are run on the uninitialized ENGINE and after on the initialized one). If - init=0 then the ENGINE will not be iniatialized at all. + init=0 then the ENGINE will not be initialized at all. [Steve Henson] *) Fix the 'app_verify_callback' interface so that the user-defined @@ -6005,7 +6694,7 @@ *) Config modules support in openssl utility. Most commands now load modules from the config file, - though in a few (such as version) this isn't done + though in a few (such as version) this isn't done because it couldn't be used for anything. In the case of ca and req the config file used is @@ -6071,7 +6760,7 @@ but report on the latest error recorded rather than the first one still in the error queue. [Ben Laurie, Bodo Moeller] - + *) default_algorithms option in ENGINE config module. This allows things like: default_algorithms = ALL @@ -6188,7 +6877,7 @@ [Richard Levitte] *) Test for certificates which contain unsupported critical extensions. - If such a certificate is found during a verify operation it is + If such a certificate is found during a verify operation it is rejected by default: this behaviour can be overridden by either handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function @@ -6224,7 +6913,7 @@ *) Major restructuring to the underlying ENGINE code. This includes reduction of linker bloat, separation of pure "ENGINE" manipulation (initialisation, etc) from functionality dealing with implementations - of specific crypto iterfaces. This change also introduces integrated + of specific crypto interfaces. This change also introduces integrated support for symmetric ciphers and digest implementations - so ENGINEs can now accelerate these by providing EVP_CIPHER and EVP_MD implementations of their own. This is detailed in crypto/engine/README @@ -6541,7 +7230,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k const ASN1_ITEM *it = &ASN1_INTEGER_it; - wont compile. This is used by the any applications that need to + won't compile. This is used by the any applications that need to declare their own ASN1 modules. This was fixed by adding the option EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly needed for static libraries under Win32. @@ -6553,7 +7242,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE - structure. These are inherited by X509_STORE_CTX when it is + structure. These are inherited by X509_STORE_CTX when it is initialised. This allows various defaults to be set in the X509_STORE structure (such as flags for CRL checking and custom purpose or trust settings) for functions which only use X509_STORE_CTX @@ -6717,7 +7406,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr operations and provides various method functions that can also - operate with faster implementations of modular arithmetic. + operate with faster implementations of modular arithmetic. EC_GFp_mont_method() reuses most functions that are part of EC_GFp_simple_method, but uses Montgomery arithmetic. @@ -6905,7 +7594,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New option -set_serial to 'req' and 'x509' this allows the serial number to use to be specified on the command line. Previously self - signed certificates were hard coded with serial number 0 and the + signed certificates were hard coded with serial number 0 and the CA options of 'x509' had to use a serial number in a file which was auto incremented. [Steve Henson] @@ -6930,7 +7619,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k option to ocsp utility. [Steve Henson] - *) New nonce behavior. The return value of OCSP_check_nonce() now + *) New nonce behavior. The return value of OCSP_check_nonce() now reflects the various checks performed. Applications can decide whether to tolerate certain situations such as an absent nonce in a response when one was present in a request: the ocsp application @@ -7004,7 +7693,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() in a single operation. X509_get0_pubkey_bitstr() extracts the public_key structure from a certificate. X509_pubkey_digest() digests the public_key - contents: this is used in various key identifiers. + contents: this is used in various key identifiers. [Steve Henson] *) Make sk_sort() tolerate a NULL argument. @@ -7142,7 +7831,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k entropy, EGD style sockets (served by EGD or PRNGD) will automatically be queried. The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and - /etc/entropy will be queried once each in this sequence, quering stops + /etc/entropy will be queried once each in this sequence, querying stops when enough entropy was collected without querying more sockets. [Lutz Jaenicke] @@ -7170,7 +7859,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k information from an OCSP_CERTID structure (which will be created when the request structure is built). These are built from lower level functions which work on OCSP_SINGLERESP structures but - wont normally be used unless the application wishes to examine + won't normally be used unless the application wishes to examine extensions in the OCSP response for example. Replace nonce routines with a pair of functions. @@ -7192,7 +7881,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Update OCSP API. Remove obsolete extensions argument from various functions. Extensions are now handled using the new - OCSP extension code. New simple OCSP HTTP function which + OCSP extension code. New simple OCSP HTTP function which can be used to send requests and parse the response. [Steve Henson] @@ -7228,7 +7917,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor - lines, recognice more "algorithms" that can be deselected, and make + lines, recognize more "algorithms" that can be deselected, and make it complain about algorithm deselection that isn't recognised. [Richard Levitte] @@ -7246,7 +7935,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New function X509V3_add1_i2d(). This automatically encodes and adds an extension. Its behaviour can be customised with various flags to append, replace or delete. Various wrappers added for - certifcates and CRLs. + certificates and CRLs. [Steve Henson] *) Fix to avoid calling the underlying ASN1 print routine when @@ -7578,7 +8267,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Stop out of bounds reads in the ASN1 code when presented with invalid tags (CVE-2003-0543 and CVE-2003-0544). - + If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. @@ -7626,7 +8315,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked - via timing by performing a MAC computation even if incorrrect + via timing by performing a MAC computation even if incorrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CVE-2003-0078) @@ -7657,7 +8346,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Zeev Lieber ] *) Undo an undocumented change introduced in 0.9.6e which caused - repeated calls to OpenSSL_add_all_ciphers() and + repeated calls to OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests() to be ignored, even after calling EVP_cleanup(). [Richard Levitte] @@ -7791,7 +8480,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Nils Larsch ] *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: - an end-of-file condition would erronously be flagged, when the CRLF + an end-of-file condition would erroneously be flagged, when the CRLF was just at the end of a processed block. The bug was discovered when processing data through a buffering memory BIO handing the data to a BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov @@ -7831,7 +8520,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k a generator of the order-q subgroup is just as good, if not better. [Bodo Moeller] - + *) Map new X509 verification errors to alerts. Discovered and submitted by Tom Wu . [Lutz Jaenicke] @@ -7944,7 +8633,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Broadcom, Nalin Dahyabhai , Mark Cox] *) [In 0.9.6c-engine release:] - Add support for SureWare crypto accelerator cards from + Add support for SureWare crypto accelerator cards from Baltimore Technologies. (Use engine 'sureware') [Baltimore Technologies and Mark Cox] @@ -8287,8 +8976,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Computations, J. Cryptology 14 (2001) 2, 101-119, http://theory.stanford.edu/~dabo/papers/faults.ps.gz). [Ulf Moeller] - - *) MIPS assembler BIGNUM division bug fix. + + *) MIPS assembler BIGNUM division bug fix. [Andy Polyakov] *) Disabled incorrect Alpha assembler code. @@ -8344,7 +9033,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). 3. Count how many times MemCheck_off() has been called so that - nested use can be treated correctly. This also avoids + nested use can be treated correctly. This also avoids inband-signalling in the previous code (which relied on the assumption that thread ID 0 is impossible). [Bodo Moeller] @@ -8458,7 +9147,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) rand_win.c fix for Borland C. [Ulf Möller] - + *) BN_rshift bugfix for n == 0. [Bodo Moeller] @@ -8528,7 +9217,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k and not in SSL_clear because the latter is also used by the accept/connect functions; previously, the settings made by SSL_set_read_ahead would be lost during the handshake. - [Bodo Moeller; problems reported by Anders Gertz ] + [Bodo Moeller; problems reported by Anders Gertz ] *) Correct util/mkdef.pl to be selective about disabled algorithms. Previously, it would create entries for disabled algorithms no @@ -8618,7 +9307,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k doc package contains the contents of the doc directory. The original openssl.spec was provided by Damien Miller . [Richard Levitte] - + *) Add a large number of documentation files for many SSL routines. [Lutz Jaenicke ] @@ -8664,19 +9353,19 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Allow the verify time to be set by an application, rather than always using the current time. [Steve Henson] - + *) Phase 2 verify code reorganisation. The certificate verify code now looks up an issuer certificate by a number of criteria: subject name, authority key id and key usage. It also verifies self signed certificates by the same criteria. The main comparison function is X509_check_issued() which performs these checks. - + Lot of changes were necessary in order to support this without completely rewriting the lookup code. - + Authority and subject key identifier are now cached. - + The LHASH 'certs' is X509_STORE has now been replaced by a STACK_OF(X509_OBJECT). This is mainly because an LHASH can't store or retrieve multiple objects with @@ -8686,10 +9375,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k use only) have changed to handle the new X509_STORE structure. This will break anything that messed round with X509_STORE internally. - + The functions X509_STORE_add_cert() now checks for an exact match, rather than just subject name. - + The X509_STORE API doesn't directly support the retrieval of multiple certificates matching a given criteria, however this can be worked round by performing a lookup first @@ -8697,9 +9386,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k and then examining the cache for matches. This is probably the best we can do without throwing out X509_LOOKUP entirely (maybe later...). - + The X509_VERIFY_CTX structure has been enhanced considerably. - + All certificate lookup operations now go via a get_issuer() callback. Although this currently uses an X509_STORE it can be replaced by custom lookups. This is a simple way @@ -8708,20 +9397,20 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k in future. A very simple version which uses a simple STACK for its trusted certificate store is also provided using X509_STORE_CTX_trusted_stack(). - + The verify_cb() and verify() callbacks now have equivalents in the X509_STORE_CTX structure. - + X509_STORE_CTX also has a 'flags' field which can be used to customise the verify behaviour. [Steve Henson] - - *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which + + *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which excludes S/MIME capabilities. [Steve Henson] *) When a certificate request is read in keep a copy of the - original encoding of the signed data and use it when outputing + original encoding of the signed data and use it when outputting again. Signatures then use the original encoding rather than a decoded, encoded version which may cause problems if the request is improperly encoded. @@ -8778,7 +9467,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Modification to PKCS#7 encoding routines to output definite length encoding. Since currently the whole structures are in - memory there's not real point in using indefinite length + memory there's not real point in using indefinite length constructed encoding. However if OpenSSL is compiled with the flag PKCS7_INDEFINITE_ENCODING the old form is used. [Steve Henson] @@ -8786,7 +9475,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Added BIO_vprintf() and BIO_vsnprintf(). [Richard Levitte] - *) Added more prefixes to parse for in the the strings written + *) Added more prefixes to parse for in the strings written through a logging bio, to cover all the levels that are available through syslog. The prefixes are now: @@ -8857,7 +9546,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() these print out strings and name structures based on various flags including RFC2253 support and proper handling of - multibyte characters. Added options to the 'x509' utility + multibyte characters. Added options to the 'x509' utility to allow the various flags to be set. [Steve Henson] @@ -8935,7 +9624,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k to check that it worked correctly is to look in obj_dat.h and check the array nid_objs and make sure the objects haven't moved around (this is important!). Additions are OK, as well as - consistent name changes. + consistent name changes. [Richard Levitte] *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). @@ -8959,9 +9648,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k added extra typesafe functions: these no longer exist. [Steve Henson] - *) Reorganisation of the stack code. The macros are now all + *) Reorganisation of the stack code. The macros are now all collected in safestack.h . Each macro is defined in terms of - a "stack macro" of the form SKM_(type, a, b). The + a "stack macro" of the form SKM_(type, a, b). The DEBUG_SAFESTACK is now handled in terms of function casts, this has the advantage of retaining type safety without the use of additional functions. If DEBUG_SAFESTACK is not defined @@ -8979,7 +9668,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same as the old Netscape_RSA functions except they have an additional 'sgckey' parameter which uses the modified algorithm. Also added - an -sgckey command line option to the rsa utility. Thanks to + an -sgckey command line option to the rsa utility. Thanks to Adrian Peck for posting details of the modified algorithm to openssl-dev. [Steve Henson] @@ -8991,7 +9680,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New X509_get1_email() and X509_REQ_get1_email() functions that return a STACK of email addresses from a certificate or request, these look - in the subject name and the subject alternative name extensions and + in the subject name and the subject alternative name extensions and omit any duplicate addresses. [Steve Henson] @@ -9223,7 +9912,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k ] *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length - was larger than the MD block size. + was larger than the MD block size. [Steve Henson, pointed out by Yost William ] *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument @@ -9264,7 +9953,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition to parameters -- in previous versions (since OpenSSL 0.9.3) the 'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning - you effectivly got SSL_OP_SINGLE_DH_USE when using this macro. + you effectively got SSL_OP_SINGLE_DH_USE when using this macro. [Bodo Moeller] *) New s_client option -ign_eof: EOF at stdin is ignored, and @@ -9358,7 +10047,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add an optional second argument to the set_label() in the perl assembly language builder. If this argument exists and is set - to 1 it signals that the assembler should use a symbol whose + to 1 it signals that the assembler should use a symbol whose scope is the entire file, not just the current function. This is needed with MASM which uses the format label:: for this scope. [Steve Henson, pointed out by Peter Runestig ] @@ -9483,7 +10172,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) ./config recognizes MacOS X now. [Andy Polyakov] - *) Bug fix for BN_div() when the first words of num and divsor are + *) Bug fix for BN_div() when the first words of num and divisor are equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). [Ulf Möller] @@ -9521,7 +10210,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Source code cleanups: use const where appropriate, eliminate casts, use void * instead of char * in lhash. - [Ulf Möller] + [Ulf Möller] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of @@ -9546,7 +10235,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k loop rather than for the current invocation of the inner loop. DSA_generate_parameters additionally can call the callback function with an 'iteration count' of -1, meaning that a - candidate has passed the trial division test (when q is generated + candidate has passed the trial division test (when q is generated from an application-provided seed, trial division is skipped). [Bodo Moeller] @@ -9655,7 +10344,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add missing #ifndefs that caused missing symbols when building libssl as a shared library without RSA. Use #ifndef NO_SSL2 instead of - NO_RSA in ssl/s2*.c. + NO_RSA in ssl/s2*.c. [Kris Kennaway , modified by Ulf Möller] *) Precautions against using the PRNG uninitialized: RAND_bytes() now @@ -9697,9 +10386,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Honor the no-xxx Configure options when creating .DEF files. [Ulf Möller] - *) Add PKCS#10 attributes to field table: challengePassword, + *) Add PKCS#10 attributes to field table: challengePassword, unstructuredName and unstructuredAddress. These are taken from - draft PKCS#9 v2.0 but are compatible with v1.2 provided no + draft PKCS#9 v2.0 but are compatible with v1.2 provided no international characters are used. More changes to X509_ATTRIBUTE code: allow the setting of types @@ -9866,7 +10555,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k debugging functions are used, CRYPTO_dbg_set_options can be used to request additional information: CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting - the CRYPTO_MDEBUG_xxx macro when compiling the library. + the CRYPTO_MDEBUG_xxx macro when compiling the library. Also, things like CRYPTO_set_mem_functions will always give the expected result (the new set of functions is used for allocation @@ -10009,7 +10698,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k other than PKCS#8 should be dumped: but the other formats have to stay in the name of compatibility. - With public keys and the benefit of hindsight one standard format + With public keys and the benefit of hindsight one standard format is used which works with EVP_PKEY, RSA or DSA structures: though it clearly returns an error if you try to read the wrong kind of key. @@ -10126,7 +10815,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k will also read in any additional "auxiliary information". By doing things this way a fair degree of compatibility can be retained: existing certificates can have this information added - using the new 'x509' options. + using the new 'x509' options. Current auxiliary information includes an "alias" and some trust settings. The trust settings will ultimately be used in enhanced @@ -10142,7 +10831,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k performance improvement for 1024 bit RSA signs. [Mark Cox] - *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 + *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 handling. Most clients have the effective key size in bits equal to the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. A few however don't do this and instead use the size of the decrypted key @@ -10154,7 +10843,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k the key length and effective key length are equal. [Steve Henson] - *) Add a bunch of functions that should simplify the creation of + *) Add a bunch of functions that should simplify the creation of X509_NAME structures. Now you should be able to do: X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); and have it automatically work out the correct field type and fill in @@ -10187,7 +10876,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Use the random seed file in some applications that previously did not: ca, - dsaparam -genkey (which also ignored its '-rand' option), + dsaparam -genkey (which also ignored its '-rand' option), s_client, s_server, x509 (when signing). @@ -10224,7 +10913,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add various functions that can check a certificate's extensions to see if it usable for various purposes such as SSL client, - server or S/MIME and CAs of these types. This is currently + server or S/MIME and CAs of these types. This is currently VERY EXPERIMENTAL but will ultimately be used for certificate chain verification. Also added a -purpose flag to x509 utility to print out all the purposes. @@ -10397,7 +11086,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k provides hooks that allow the default DSA functions or functions on a "per key" basis to be replaced. This allows hardware acceleration and hardware key storage to be handled without major modification to the - library. Also added low level modexp hooks and CRYPTO_EX structure and + library. Also added low level modexp hooks and CRYPTO_EX structure and associated functions. [Steve Henson] @@ -10442,7 +11131,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] Changes between 0.9.3a and 0.9.4 [09 Aug 1999] - + *) Install libRSAglue.a when OpenSSL is built with RSAref. [Ralf S. Engelschall] @@ -10531,7 +11220,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k delete an unused file. [Ulf Möller] - *) Add support for the the free Netwide assembler (NASM) under Win32, + *) Add support for the free Netwide assembler (NASM) under Win32, since not many people have MASM (ml) and it can be hard to obtain. This is currently experimental but it seems to work OK and pass all the tests. Check out INSTALL.W32 for info. @@ -10547,7 +11236,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k for verifying the consistency of RSA keys. [Ulf Moeller, Bodo Moeller] - *) Various changes to make Win32 compile work: + *) Various changes to make Win32 compile work: 1. Casts to avoid "loss of data" warnings in p5_crpt2.c 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned comparison" warnings. @@ -10571,7 +11260,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Omitting parameters is no longer recommended. The test was also the wrong way round! This was probably due to unusual behaviour in - EVP_cmp_parameters() which returns 1 if the parameters match. + EVP_cmp_parameters() which returns 1 if the parameters match. This meant that parameters were omitted when they *didn't* match and the certificate was useless. Certificates signed with 'ca' didn't have this bug. @@ -10648,7 +11337,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Complete the PEM_* macros with DECLARE_PEM versions to replace the function prototypes in pem.h, also change util/mkdef.pl to add the - necessary function names. + necessary function names. [Steve Henson] *) mk1mf.pl (used by Windows builds) did not properly read the @@ -10688,7 +11377,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add initial documentation of the X509V3 functions. [Steve Henson] - *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and + *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey() that are equivalent to PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more secure PKCS#8 private key format with a high iteration count. @@ -10830,11 +11519,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.2b and 0.9.3 [24 May 1999] *) Bignum library bug fix. IRIX 6 passes "make test" now! - This also avoids the problems with SC4.2 and unpatched SC5. + This also avoids the problems with SC4.2 and unpatched SC5. [Andy Polyakov ] *) New functions sk_num, sk_value and sk_set to replace the previous macros. - These are required because of the typesafe stack would otherwise break + These are required because of the typesafe stack would otherwise break existing code. If old code used a structure member which used to be STACK and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with sk_num or sk_value it would produce an error because the num, data members @@ -10895,7 +11584,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes - -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ + -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ [Ralf S. Engelschall] *) Various fixes to the EVP and PKCS#7 code. It may now be able to @@ -10916,7 +11605,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k in different behaviour than observed with earlier library versions: Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) does not influence s as it used to. - + In order to clean up things more thoroughly, inside SSL_SESSION we don't use CERT any longer, but a new structure SESS_CERT that holds per-session data (if available); currently, this is @@ -10964,7 +11653,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Update HPUX configuration. [Anonymous] - + *) Add missing sk__unshift() function to safestack.h [Ralf S. Engelschall] @@ -11068,11 +11757,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix lots of warnings. [Richard Levitte ] - + *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if the directory spec didn't end with a LIST_SEPARATOR_CHAR. [Richard Levitte ] - + *) Fix problems with sizeof(long) == 8. [Andy Polyakov ] @@ -11156,7 +11845,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Bugfix: In test/testenc, don't test "openssl " for ciphers that were excluded, e.g. by -DNO_IDEA. Also, test - all available cipers including rc5, which was forgotten until now. + all available ciphers including rc5, which was forgotten until now. In order to let the testing shell script know which algorithms are available, a new (up to now undocumented) command "openssl list-cipher-commands" is used. @@ -11183,7 +11872,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486. [Ulf Möller] - + *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the same as SSL2_VERSION anyway. @@ -11226,8 +11915,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k OAEP isn't supported when OpenSSL is built with RSAref. [Ulf Moeller ] - *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h - so they no longer are missing under -DNOPROTO. + *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h + so they no longer are missing under -DNOPROTO. [Soren S. Jorvang ] @@ -11384,14 +12073,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder - signed attributes when verifying signatures (this would break them), + signed attributes when verifying signatures (this would break them), the detached data encoding was wrong and public keys obtained using X509_get_pubkey() weren't freed. [Steve Henson] *) Add text documentation for the BUFFER functions. Also added a work around to a Win95 console bug. This was triggered by the password read stuff: the - last character typed gets carried over to the next fread(). If you were + last character typed gets carried over to the next fread(). If you were generating a new cert request using 'req' for example then the last character of the passphrase would be CR which would then enter the first field as blank. @@ -11400,7 +12089,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Added the new `Includes OpenSSL Cryptography Software' button as doc/openssl_button.{gif,html} which is similar in style to the old SSLeay button and can be used by applications based on OpenSSL to show the - relationship to the OpenSSL project. + relationship to the OpenSSL project. [Ralf S. Engelschall] *) Remove confusing variables in function signatures in files @@ -11431,7 +12120,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with openssl.doxy as the configuration file. [Ben Laurie] - + *) Get rid of remaining C++-style comments which strict C compilers hate. [Ralf S. Engelschall, pointed out by Carlos Amengual] @@ -11444,12 +12133,12 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k their SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed for applications which have to configure certificates on a per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis - (e.g. s_server). + (e.g. s_server). For the RSA certificate situation is makes no difference, but for the DSA certificate situation this fixes the "no shared cipher" problem where the OpenSSL cipher selection procedure failed because the temporary keys were not overtaken from the context and the API provided - no way to reconfigure them. + no way to reconfigure them. The new functions now let applications reconfigure the stuff and they are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new @@ -11596,7 +12285,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k message is now correct (it understands "crypto" and "ssl" on its command line). There is also now an "update" option. This will update the util/ssleay.num and util/libeay.num files with any new functions. - If you do a: + If you do a: perl util/mkdef.pl crypto ssl update it will update them. [Steve Henson] @@ -11647,7 +12336,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fixed ms/32all.bat script: `no_asm' -> `no-asm' [Rainer W. Gerling ] - + *) New program nseq to manipulate netscape certificate sequences [Steve Henson] @@ -11702,7 +12391,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Spelling mistake in C version of CAST-128. [Ben Laurie, reported by Jeremy Hylton ] - *) Changes to the error generation code. The perl script err-code.pl + *) Changes to the error generation code. The perl script err-code.pl now reads in the old error codes and retains the old numbers, only adding new ones if necessary. It also only changes the .err files if new codes are added. The makefiles have been modified to only insert errors @@ -11754,7 +12443,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) The function OBJ_txt2nid was broken. It was supposed to return a nid based on a text string, looking up short and long names and finally "dot" format. The "dot" format stuff didn't work. Added new function - OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote + OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the OID is not part of the table. [Steve Henson] @@ -11848,7 +12537,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix renumbering bug in X509_NAME_delete_entry(). [Ben Laurie] - *) Enhanced the err-ins.pl script so it makes the error library number + *) Enhanced the err-ins.pl script so it makes the error library number global and can add a library name. This is needed for external ASN1 and other error libraries. [Steve Henson] @@ -11856,7 +12545,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fixed sk_insert which never worked properly. [Steve Henson] - *) Fix ASN1 macros so they can handle indefinite length constructed + *) Fix ASN1 macros so they can handle indefinite length constructed EXPLICIT tags. Some non standard certificates use these: they can now be read in. [Steve Henson] @@ -11901,10 +12590,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.1b and 0.9.1c [23-Dec-1998] - *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and + *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and changed SSLeay to OpenSSL in version strings. [Ralf S. Engelschall] - + *) Some fixups to the top-level documents. [Paul Sutton] @@ -11912,7 +12601,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k because the symlink to include/ was missing. [Ralf S. Engelschall] - *) Incorporated the popular no-RSA/DSA-only patches + *) Incorporated the popular no-RSA/DSA-only patches which allow to compile a RSA-free SSLeay. [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] @@ -11920,7 +12609,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k when "ssleay" is still not found. [Ralf S. Engelschall] - *) Added more platforms to Configure: Cray T3E, HPUX 11, + *) Added more platforms to Configure: Cray T3E, HPUX 11, [Ralf S. Engelschall, Beckmann ] *) Updated the README file. @@ -11936,13 +12625,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Cleaned up the top-level documents; o new files: CHANGES and LICENSE - o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay + o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay o merged COPYRIGHT into LICENSE o removed obsolete TODO file o renamed MICROSOFT to INSTALL.W32 [Ralf S. Engelschall] - *) Removed dummy files from the 0.9.1b source tree: + *) Removed dummy files from the 0.9.1b source tree: crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f @@ -11958,7 +12647,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Young and Tim J. Hudson created while they were working for C2Net until summer 1998. [The OpenSSL Project] - + Changes between 0.9.0b and 0.9.1b [not released] @@ -11968,17 +12657,17 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Changed some BIGNUM api stuff. [Eric A. Young] - *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, + *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, DGUX x86, Linux Alpha, etc. [Eric A. Young] - *) New COMP library [crypto/comp/] for SSL Record Layer Compression: + *) New COMP library [crypto/comp/] for SSL Record Layer Compression: RLE (dummy implemented) and ZLIB (really implemented when ZLIB is available). [Eric A. Young] - *) Add -strparse option to asn1pars program which parses nested - binary structures + *) Add -strparse option to asn1pars program which parses nested + binary structures [Dr Stephen Henson ] *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. @@ -12057,7 +12746,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fixed various code and comment typos. [Eric A. Young] - *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 + *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 bytes sent in the client random. [Edward Bishop ]