X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=bd2e52ce2c202a0c6e40f77f58c2d3893a9b17ed;hp=fae11230fc8891bb8c2b51f5ed45ca527f0a90fe;hb=6b01bed206156dbcb1ab150f618c8b24c01fb0d0;hpb=3b061a00e39d2e4ad524ff01cbdc0c53fe8171ee diff --git a/CHANGES b/CHANGES index fae11230fc..bd2e52ce2c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,11 +2,243 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + Changes between 1.0.2e and 1.1.0 [xx XXX xxxx] + + *) EGD is no longer supported by default; use enable-egd when + configuring. + [Ben Kaduk and Rich Salz] + + *) The distribution now has Makefile.in files, which are used to + create Makefile's when Configure is run. *Configure must be run + before trying to build now.* + [Rich Salz] + + *) The return value for SSL_CIPHER_description() for error conditions + has changed. + [Rich Salz] + + *) Support for RFC6698/RFC7671 DANE TLSA peer authentication. + + Obtaining and performing DNSSEC validation of TLSA records is + the application's responsibility. The application provides + the TLSA records of its choice to OpenSSL, and these are then + used to authenticate the peer. + + The TLSA records need not even come from DNS. They can, for + example, be used to implement local end-entity certificate or + trust-anchor "pinning", where the "pin" data takes the form + of TLSA records, which can augment or replace verification + based on the usual WebPKI public certification authorities. + [Viktor Dukhovni] + + *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL + continues to support deprecated interfaces in default builds. + However, applications are strongly advised to compile their + source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides + the declarations of all interfaces deprecated in 0.9.8, 1.0.0 + or the 1.1.0 releases. + + In environments in which all applications have been ported to + not use any deprecated interfaces OpenSSL's Configure script + should be used with the --api=1.1.0 option to entirely remove + support for the deprecated features from the library and + unconditionally disable them in the installed headers. + Essentially the same effect can be achieved with the "no-deprecated" + argument to Configure, except that this will always restrict + the build to just the latest API, rather than a fixed API + version. + + As applications are ported to future revisions of the API, + they should update their compile-time OPENSSL_API_COMPAT define + accordingly, but in most cases should be able to continue to + compile with later releases. + + The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are + 0x10000000L and 0x00908000L, respectively. However those + versions did not support the OPENSSL_API_COMPAT feature, and + so applications are not typically tested for explicit support + of just the undeprecated features of either release. + [Viktor Dukhovni] + + *) Add support for setting the minimum and maximum supported protocol. + It can bet set via the SSL_set_min_proto_version() and + SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and + MaxProtcol. It's recommended to use the new APIs to disable + protocols instead of disabling individual protocols using + SSL_set_options() or SSL_CONF's Protocol. This change also + removes support for disabling TLS 1.2 in the OpenSSL TLS + client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT. + [Kurt Roeckx] + + *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl. + [Andy Polyakov] + + *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD + and integrates ECDSA and ECDH functionality into EC. Implementations can + now redirect key generation and no longer need to convert to or from + ECDSA_SIG format. + + Note: the ecdsa.h and ecdh.h headers are now no longer needed and just + include the ec.h header file instead. + [Steve Henson] + + *) Remove support for all 40 and 56 bit ciphers. This includes all the export + ciphers who are no longer supported and drops support the ephemeral RSA key + exchange. The LOW ciphers currently doesn't have any ciphers in it. + [Kurt Roeckx] + + *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX + opaque. For HMAC_CTX, the following constructors and destructors + were added: + + HMAC_CTX *HMAC_CTX_new(void); + void HMAC_CTX_free(HMAC_CTX *ctx); + + For EVP_MD and EVP_CIPHER, complete APIs to create, fill and + destroy such methods has been added. See EVP_MD_meth_new(3) and + EVP_CIPHER_meth_new(3) for documentation. + + Additional changes: + 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and + HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and + EVP_MD_CTX_reset() should be called instead to reinitialise + an already created structure. + 2) For consistency with the majority of our object creators and + destructors, EVP_MD_CTX_(create|destroy) were renamed to + EVP_MD_CTX_(new|free). The old names are retained as macros + for deprecated builds. + [Richard Levitte] + + *) Added ASYNC support. Libcrypto now includes the async sub-library to enable + cryptographic operations to be performed asynchronously as long as an + asynchronous capable engine is used. See the ASYNC_start_job() man page for + further details. Libssl has also had this capability integrated with the + introduction of the new mode SSL_MODE_ASYNC and associated error + SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man + pages. This work was developed in partnership with Intel Corp. + [Matt Caswell] + + *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is + always enabled now. If you want to disable the support you should + exclude it using the list of supported ciphers. This also means that the + "-no_ecdhe" option has been removed from s_server. + [Kurt Roeckx] + + *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls + SSL_{CTX_}set1_curves() which can set a list. + [Kurt Roeckx] + + *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the + curve you want to support using SSL_{CTX_}set1_curves(). + [Kurt Roeckx] + + *) State machine rewrite. The state machine code has been significantly + refactored in order to remove much duplication of code and solve issues + with the old code (see ssl/statem/README for further details). This change + does have some associated API changes. Notably the SSL_state() function + has been removed and replaced by SSL_get_state which now returns an + "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed + altogether. The previous handshake states defined in ssl.h and ssl3.h have + also been removed. + [Matt Caswell] + + *) All instances of the string "ssleay" in the public API were replaced + with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's) + Some error codes related to internal RSA_eay API's were renamed. + [Rich Salz] + + *) The demo files in crypto/threads were moved to demo/threads. + [Rich Salz] + + *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp, + and sureware. + [Matt Caswell, Rich Salz] + + *) New ASN.1 embed macro. + + New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the + structure is not allocated: it is part of the parent. That is instead of + + FOO *x; + + it must be: + + FOO x; + + This reduces memory fragmentation and make it impossible to accidentally + set a mandatory field to NULL. + + This currently only works for some fields specifically a SEQUENCE, CHOICE, + or ASN1_STRING type which is part of a parent SEQUENCE. Since it is + equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or + SEQUENCE OF. + [Steve Henson] + + *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled. + [Emilia Käsper] + + *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although + in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also + an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add + DES and RC4 ciphersuites. + [Matt Caswell] + + *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. + This changes the decoding behaviour for some invalid messages, + though the change is mostly in the more lenient direction, and + legacy behaviour is preserved as much as possible. + [Emilia Käsper] + + *) Fix no-stdio build. + [ David Woodhouse and also + Ivan Nestlerode ] + + *) New testing framework + The testing framework has been largely rewritten and is now using + perl and the perl modules Test::Harness and an extended variant of + Test::More called OpenSSL::Test to do its work. All test scripts in + test/ have been rewritten into test recipes, and all direct calls to + executables in test/Makefile have become individual recipes using the + simplified testing OpenSSL::Test::Simple. + + For documentation on our testing modules, do: + + perldoc test/testlib/OpenSSL/Test/Simple.pm + perldoc test/testlib/OpenSSL/Test.pm + + [Richard Levitte] + + *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT + are used; the latter aborts on memory leaks (usually checked on exit). + Some undocumented "set malloc, etc., hooks" functions were removed + and others were changed. All are now documented. + [Rich Salz] + + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen ] + + *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites + from RFC4279, RFC4785, RFC5487, RFC5489. + + Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the + original RSA_PSK patch. + [Steve Henson] + + *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay + era flag was never set throughout the codebase (only read). Also removed + SSL3_FLAGS_POP_BUFFER which was only used if + SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set. + [Matt Caswell] + + *) Changed the default name options in the "ca", "crl", "req" and "x509" + to be "oneline" instead of "compat". + [Richard Levitte] + *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're not aware of clients that still exhibit this bug, and the workaround hasn't been working properly for a while. - [Emilia Käsper] + [Emilia Käsper] *) The return type of BIO_number_read() and BIO_number_written() as well as the corresponding num_read and num_write members in the BIO structure has @@ -45,9 +277,17 @@ output file readable only by the owner. This behavior change might be noticeable when interacting with other software. + *) Documented all exdata functions. Added CRYPTO_free_ex_index. + Added a test. + [Rich Salz] + *) Added HTTP GET support to the ocsp command. [Rich Salz] + *) Changed default digest for the dgst and enc commands from MD5 to + sha256 + [Rich Salz] + *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. [Matt Caswell] @@ -72,7 +312,7 @@ *) Added support for OCB mode. OpenSSL has been granted a patent license compatible with the OpenSSL license for use of OCB. Details are available - at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support + at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support for OCB can be removed by calling config with no-ocb. [Matt Caswell] @@ -126,6 +366,11 @@ NULL. Remove the non-null checks from callers. Save much code. [Rich Salz] + *) Add secure heap for storage of private keys (when possible). + Add BIO_s_secmem(), CBIGNUM, etc. + Contributed by Akamai Technologies under our Corporate CLA. + [Rich Salz] + *) Experimental support for a new, fast, unbiased prime candidate generator, bn_probable_prime_dh_coprime(). Not currently used by any prime generator. [Felix Laurie von Massenbach ] @@ -139,7 +384,7 @@ [mancha ] *) Fix eckey_priv_encode so it immediately returns an error upon a failure - in i2d_ECPrivateKey. + in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. [mancha ] *) Fix some double frees. These are not thought to be exploitable. @@ -392,7 +637,7 @@ This parameter will be set to 1 or 0 depending on the ciphersuite selected by the SSL/TLS server library, indicating whether it can provide forward security. - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) New -verify_name option in command line utilities to set verification parameters by name. @@ -425,7 +670,87 @@ whose return value is often ignored. [Steve Henson] - Changes between 1.0.2a and 1.0.2b [xx XXX xxxx] + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. + + This issue was reported to OpenSSL by Hanno Böck. + (CVE-2015-3193) + [Andy Polyakov] + + *) Certificate verify crash with missing PSS parameter + + The signature verification routines will crash with a NULL pointer + dereference if presented with an ASN.1 signature using the RSA PSS + algorithm and absent mask generation function parameter. Since these + routines are used to verify certificate signature algorithms this can be + used to crash any certificate verification operation and exploited in a + DoS attack. Any application which performs certificate verification is + vulnerable including OpenSSL clients and servers which enable client + authentication. + + This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). + (CVE-2015-3194) + [Stephen Henson] + + *) X509_ATTRIBUTE memory leak + + When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak + memory. This structure is used by the PKCS#7 and CMS routines so any + application which reads PKCS#7 or CMS data from untrusted sources is + affected. SSL/TLS is not affected. + + This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using + libFuzzer. + (CVE-2015-3195) + [Stephen Henson] + + *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. + This changes the decoding behaviour for some invalid messages, + though the change is mostly in the more lenient direction, and + legacy behaviour is preserved as much as possible. + [Emilia Käsper] + + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen ] + + Changes between 1.0.2c and 1.0.2d [9 Jul 2015] + + *) Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. + + This issue was reported to OpenSSL by Adam Langley/David Benjamin + (Google/BoringSSL). + [Matt Caswell] + + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + [Matt Caswell] + + Changes between 1.0.2a and 1.0.2b [11 Jun 2015] *) Malformed ECParameters causes infinite loop @@ -457,9 +782,9 @@ callbacks. This issue was reported to OpenSSL by Robert Swiecki (Google), and - independently by Hanno Böck. + independently by Hanno Böck. (CVE-2015-1789) - [Emilia Käsper] + [Emilia Käsper] *) PKCS7 crash with missing EnvelopedContent @@ -473,7 +798,7 @@ This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-1790) - [Emilia Käsper] + [Emilia Käsper] *) CMS verify infinite loop with unknown hash function @@ -592,7 +917,7 @@ This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-0289) - [Emilia Käsper] + [Emilia Käsper] *) DoS via reachable assert in SSLv2 servers fix @@ -600,10 +925,10 @@ servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. - This issue was discovered by Sean Burford (Google) and Emilia Käsper + This issue was discovered by Sean Burford (Google) and Emilia Käsper (OpenSSL development team). (CVE-2015-0293) - [Emilia Käsper] + [Emilia Käsper] *) Empty CKE with client auth and DHE fix @@ -1108,12 +1433,12 @@ version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable sanity and breaks all known clients. - [David Benjamin, Emilia Käsper] + [David Benjamin, Emilia Käsper] *) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.) - [Emilia Käsper] + [Emilia Käsper] *) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends @@ -1124,7 +1449,7 @@ Similarly, ensure that the client requires a session ticket if one was advertised in the ServerHello. Previously, a TLS client would ignore a missing NewSessionTicket message. - [Emilia Käsper] + [Emilia Käsper] Changes between 1.0.1i and 1.0.1j [15 Oct 2014] @@ -1204,10 +1529,10 @@ with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. - Thanks to Felix Gröbert (Google) for discovering and researching this + Thanks to Felix Gröbert (Google) for discovering and researching this issue. (CVE-2014-3510) - [Emilia Käsper] + [Emilia Käsper] *) By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. @@ -1244,7 +1569,7 @@ properly negotiated with the client. This can be exploited through a Denial of Service attack. - Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for + Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. (CVE-2014-5139) [Steve Henson] @@ -1256,7 +1581,7 @@ Thanks to Ivan Fratric (Google) for discovering this issue. (CVE-2014-3508) - [Emilia Käsper, and Steve Henson] + [Emilia Käsper, and Steve Henson] *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to @@ -1286,15 +1611,15 @@ client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) - [Jüri Aedla, Steve Henson] + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. - Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. (CVE-2014-3470) - [Felix Gröbert, Ivan Fratric, Steve Henson] + [Felix Gröbert, Ivan Fratric, Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. @@ -1373,9 +1698,9 @@ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. + Emilia Käsper for the initial patch. (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode ciphersuites which can be exploited in a denial of service attack. @@ -1550,7 +1875,7 @@ EC_GROUP_new_by_curve_name() will automatically use these (while EC_GROUP_new_curve_GFp() currently prefers the more flexible implementations). - [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] + [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] *) Use type ossl_ssize_t instad of ssize_t which isn't available on all platforms. Move ssize_t definition from e_os.h to the public @@ -1826,7 +2151,7 @@ [Adam Langley (Google)] *) Fix spurious failures in ecdsatest.c. - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). @@ -1840,7 +2165,7 @@ lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. [Bob Buckholz (Google)] @@ -2649,7 +2974,7 @@ *) Add RFC 3161 compliant time stamp request creation, response generation and response verification functionality. - [Zoltán Glózik , The OpenTSA Project] + [Zoltán Glózik , The OpenTSA Project] *) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now @@ -3817,7 +4142,7 @@ *) BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new(). - [Geoff Thorpe, suggested by Ulf Möller] + [Geoff Thorpe, suggested by Ulf Möller] *) Support for inhibitAnyPolicy certificate extension. [Steve Henson] @@ -3836,7 +4161,7 @@ some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details. - [Geoff Thorpe, Nils Larsch, Ulf Möller] + [Geoff Thorpe, Nils Larsch, Ulf Möller] *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly @@ -3903,7 +4228,7 @@ [Douglas Stebila (Sun Microsystems Laboratories)] *) Add the possibility to load symbols globally with DSO. - [Götz Babin-Ebell via Richard Levitte] + [Götz Babin-Ebell via Richard Levitte] *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better control of the error stack. @@ -4618,7 +4943,7 @@ [Steve Henson] *) Undo Cygwin change. - [Ulf Möller] + [Ulf Möller] *) Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, @@ -4651,11 +4976,11 @@ [Stephen Henson, reported by UK NISCC] *) Use Windows randomness collection on Cygwin. - [Ulf Möller] + [Ulf Möller] *) Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD. - [Darren Tucker via Lutz Jänicke, resolves #1014] + [Darren Tucker via Lutz Jänicke, resolves #1014] *) Prompt for pass phrases when appropriate for PKCS12 input format. [Steve Henson] @@ -5117,7 +5442,7 @@ pointers passed to them whenever necessary. Otherwise it is possible the caller may have overwritten (or deallocated) the original string data when a later ENGINE operation tries to use the stored values. - [Götz Babin-Ebell ] + [Götz Babin-Ebell ] *) Improve diagnostics in file reading and command-line digests. [Ben Laurie aided and abetted by Solar Designer ] @@ -7222,7 +7547,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) BN_sqr() bug fix. - [Ulf Möller, reported by Jim Ellis ] + [Ulf Möller, reported by Jim Ellis ] *) Rabin-Miller test analyses assume uniformly distributed witnesses, so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() @@ -7382,7 +7707,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Fix OAEP check. - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 @@ -7644,10 +7969,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Use better test patterns in bntest. - [Ulf Möller] + [Ulf Möller] *) rand_win.c fix for Borland C. - [Ulf Möller] + [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] @@ -7792,14 +8117,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR BIO_ctrl (for BIO pairs). - [Bodo Möller] + [Bodo Möller] *) Add DSO method for VMS. [Richard Levitte] *) Bug fix: Montgomery multiplication could produce results with the wrong sign. - [Ulf Möller] + [Ulf Möller] *) Add RPM specification openssl.spec and modify it to build three packages. The default package contains applications, application @@ -7817,7 +8142,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Don't set the two most significant bits to one when generating a random number < q in the DSA library. - [Ulf Möller] + [Ulf Möller] *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if @@ -8083,7 +8408,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Randomness polling function for Win9x, as described in: Peter Gutmann, Software Generation of Practically Strong Random Numbers. - [Ulf Möller] + [Ulf Möller] *) Fix so PRNG is seeded in req if using an already existing DSA key. @@ -8303,7 +8628,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Eliminate non-ANSI declarations in crypto.h and stack.h. - [Ulf Möller] + [Ulf Möller] *) Fix for SSL server purpose checking. Server checking was rejecting certificates which had extended key usage present @@ -8335,7 +8660,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Bugfix for linux-elf makefile.one. - [Ulf Möller] + [Ulf Möller] *) RSA_get_default_method() will now cause a default RSA_METHOD to be chosen if one doesn't exist already. @@ -8424,7 +8749,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) des_quad_cksum() byte order bug fix. - [Ulf Möller, using the problem description in krb4-0.9.7, where + [Ulf Möller, using the problem description in krb4-0.9.7, where the solution is attributed to Derrick J Brashear ] *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly @@ -8525,7 +8850,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Rolf Haberrecker ] *) Assembler module support for Mingw32. - [Ulf Möller] + [Ulf Möller] *) Shared library support for HPUX (in shlib/). [Lutz Jaenicke and Anonymous] @@ -8544,7 +8869,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] case was implemented. This caused BN_div_recp() to fail occasionally. - [Ulf Möller] + [Ulf Möller] *) Add an optional second argument to the set_label() in the perl assembly language builder. If this argument exists and is set @@ -8574,14 +8899,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Fix potential buffer overrun problem in BIO_printf(). - [Ulf Möller, using public domain code by Patrick Powell; problem + [Ulf Möller, using public domain code by Patrick Powell; problem pointed out by David Sacerdote ] *) Support EGD . New functions RAND_egd() and RAND_status(). In the command line application, the EGD socket can be specified like a seed file using RANDFILE or -rand. - [Ulf Möller] + [Ulf Möller] *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. Some CAs (e.g. Verisign) distribute certificates in this form. @@ -8614,7 +8939,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k #define OPENSSL_ALGORITHM_DEFINES #include defines all pertinent NO_ symbols, such as NO_IDEA, NO_RSA, etc. - [Richard Levitte, Ulf and Bodo Möller] + [Richard Levitte, Ulf and Bodo Möller] *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS record layer. @@ -8665,17 +8990,17 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Bug fix for BN_div_recp() for numerators with an even number of bits. - [Ulf Möller] + [Ulf Möller] *) More tests in bntest.c, and changed test_bn output. - [Ulf Möller] + [Ulf Möller] *) ./config recognizes MacOS X now. [Andy Polyakov] *) Bug fix for BN_div() when the first words of num and divsor are equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). - [Ulf Möller] + [Ulf Möller] *) Add support for various broken PKCS#8 formats, and command line options to produce them. @@ -8683,11 +9008,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to get temporary BIGNUMs from a BN_CTX. - [Ulf Möller] + [Ulf Möller] *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() for p == 0. - [Ulf Möller] + [Ulf Möller] *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and include a #define from the old name to the new. The original intent @@ -8711,7 +9036,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Source code cleanups: use const where appropriate, eliminate casts, use void * instead of char * in lhash. - [Ulf Möller] + [Ulf Möller] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of @@ -8756,13 +9081,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New function BN_pseudo_rand(). - [Ulf Möller] + [Ulf Möller] *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) bignum version of BN_from_montgomery() with the working code from SSLeay 0.9.0 (the word based version is faster anyway), and clean up the comments. - [Ulf Möller] + [Ulf Möller] *) Avoid a race condition in s2_clnt.c (function get_server_hello) that made it impossible to use the same SSL_SESSION data structure in @@ -8772,25 +9097,25 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) The return value of RAND_load_file() no longer counts bytes obtained by stat(). RAND_load_file(..., -1) is new and uses the complete file to seed the PRNG (previously an explicit byte count was required). - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes used (char *) instead of (void *) and had casts all over the place. [Steve Henson] *) Make BN_generate_prime() return NULL on error if ret!=NULL. - [Ulf Möller] + [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. - [Ulf Möller] + [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to DH_CHECK_P_NOT_SAFE_PRIME. (Check if this is true? OpenPGP calls them "strong".) - [Ulf Möller] + [Ulf Möller] *) Merge the functionality of "dh" and "gendh" programs into a new program "dhparam". The old programs are retained for now but will handle DH keys @@ -8846,7 +9171,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Add missing #ifndefs that caused missing symbols when building libssl as a shared library without RSA. Use #ifndef NO_SSL2 instead of NO_RSA in ssl/s2*.c. - [Kris Kennaway , modified by Ulf Möller] + [Kris Kennaway , modified by Ulf Möller] *) Precautions against using the PRNG uninitialized: RAND_bytes() now has a return value which indicates the quality of the random data @@ -8855,7 +9180,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k guaranteed to be unique but not unpredictable. RAND_add is like RAND_seed, but takes an extra argument for an entropy estimate (RAND_seed always assumes full entropy). - [Ulf Möller] + [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes @@ -8885,7 +9210,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Honor the no-xxx Configure options when creating .DEF files. - [Ulf Möller] + [Ulf Möller] *) Add PKCS#10 attributes to field table: challengePassword, unstructuredName and unstructuredAddress. These are taken from @@ -9719,7 +10044,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) More DES library cleanups: remove references to srand/rand and delete an unused file. - [Ulf Möller] + [Ulf Möller] *) Add support for the the free Netwide assembler (NASM) under Win32, since not many people have MASM (ml) and it can be hard to obtain. @@ -9808,7 +10133,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k worked. *) Fix problems with no-hmac etc. - [Ulf Möller, pointed out by Brian Wellington ] + [Ulf Möller, pointed out by Brian Wellington ] *) New functions RSA_get_default_method(), RSA_set_method() and RSA_get_method(). These allows replacement of RSA_METHODs without having @@ -9925,7 +10250,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) DES library cleanups. - [Ulf Möller] + [Ulf Möller] *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit @@ -9968,7 +10293,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Christian Forster ] *) config now generates no-xxx options for missing ciphers. - [Ulf Möller] + [Ulf Möller] *) Support the EBCDIC character set (work in progress). File ebcdic.c not yet included because it has a different license. @@ -10081,7 +10406,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Move openssl.cnf out of lib/. - [Ulf Möller] + [Ulf Möller] *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes @@ -10138,10 +10463,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ben Laurie] *) Support Borland C++ builder. - [Janez Jere , modified by Ulf Möller] + [Janez Jere , modified by Ulf Möller] *) Support Mingw32. - [Ulf Möller] + [Ulf Möller] *) SHA-1 cleanups and performance enhancements. [Andy Polyakov ] @@ -10150,7 +10475,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Andy Polyakov ] *) Accept any -xxx and +xxx compiler options in Configure. - [Ulf Möller] + [Ulf Möller] *) Update HPUX configuration. [Anonymous] @@ -10183,7 +10508,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) OAEP decoding bug fix. - [Ulf Möller] + [Ulf Möller] *) Support INSTALL_PREFIX for package builders, as proposed by David Harris. @@ -10206,21 +10531,21 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Niels Poppe ] *) New Configure option no- (rsa, idea, rc5, ...). - [Ulf Möller] + [Ulf Möller] *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for extension adding in x509 utility. [Steve Henson] *) Remove NOPROTO sections and error code comments. - [Ulf Möller] + [Ulf Möller] *) Partial rewrite of the DEF file generator to now parse the ANSI prototypes. [Steve Henson] *) New Configure options --prefix=DIR and --openssldir=DIR. - [Ulf Möller] + [Ulf Möller] *) Complete rewrite of the error code script(s). It is all now handled by one script at the top level which handles error code gathering, @@ -10249,7 +10574,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Move the autogenerated header file parts to crypto/opensslconf.h. - [Ulf Möller] + [Ulf Möller] *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 8 of keying material. Merlin has also confirmed interop with this fix @@ -10267,13 +10592,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Andy Polyakov ] *) Change functions to ANSI C. - [Ulf Möller] + [Ulf Möller] *) Fix typos in error codes. - [Martin Kraemer , Ulf Möller] + [Martin Kraemer , Ulf Möller] *) Remove defunct assembler files from Configure. - [Ulf Möller] + [Ulf Möller] *) SPARC v8 assembler BIGNUM implementation. [Andy Polyakov ] @@ -10310,7 +10635,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New Configure option "rsaref". - [Ulf Möller] + [Ulf Möller] *) Don't auto-generate pem.h. [Bodo Moeller] @@ -10358,7 +10683,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) New functions DSA_do_sign and DSA_do_verify to provide access to the raw DSA values prior to ASN.1 encoding. - [Ulf Möller] + [Ulf Möller] *) Tweaks to Configure [Niels Poppe ] @@ -10368,11 +10693,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) New variables $(RANLIB) and $(PERL) in the Makefiles. - [Ulf Möller] + [Ulf Möller] *) New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486. - [Ulf Möller] + [Ulf Möller] *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the @@ -10911,7 +11236,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Hagino ] *) File was opened incorrectly in randfile.c. - [Ulf Möller ] + [Ulf Möller ] *) Beginning of support for GeneralizedTime. d2i, i2d, check and print functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or @@ -10921,7 +11246,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] *) Correct Linux 1 recognition in config. - [Ulf Möller ] + [Ulf Möller ] *) Remove pointless MD5 hash when using DSA keys in ca. [Anonymous ] @@ -11068,7 +11393,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but was already fixed by Eric for 0.9.1 it seems. - [Ben Laurie - pointed out by Ulf Möller ] + [Ben Laurie - pointed out by Ulf Möller ] *) Autodetect FreeBSD3. [Ben Laurie]