Skip to content
CHANGES 362 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.8f and 0.9.9  [xx XXX xxxx]
  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically
     supported.

     If a client application caches session in an SSL_SESSION support it
     should automatically be supported because an extension includes the
     ticket in the structure. The SSL_CTX structure automatically generates
     keys for ticket protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.
     [Steve Henson]

  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
     OpenSSL should now compile cleanly on gcc 4.2
     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]

  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
     support including streaming MAC support: this is required for GOST
     ciphersuite support.
     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]

  *) Add option -stream to use PKCS#7 streaming in smime utility. New
     function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
     to output in BER and PEM format.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Experimental support for use of HMAC via EVP_PKEY interface. This
     allows HMAC to be handled via the EVP_DigestSign*() interface. The
     EVP_PKEY "key" in this case is the HMAC key, potentially allowing
     ENGINE support for HMAC keys which are unextractable. New -mac and
     -macopt options to dgst utility.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
     alternative signing paramaters such as X9.31 or PSS in the dgst 
     utility.
     [Steve Henson]

  *) Change ssl_cipher_apply_rule(), the internal function that does
     the work each time a ciphersuite string requests enabling
     ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
     removing ("!foo+bar") a class of ciphersuites: Now it maintains
     the order of disabled ciphersuites such that those ciphersuites
     that most recently went from enabled to disabled not only stay
     in order with respect to each other, but also have higher priority
     than other disabled ciphersuites the next time ciphersuites are
     enabled again.

     This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
     the same ciphersuites as with "HIGH" alone, but in a specific
     order where the PSK ciphersuites come first (since they are the
     most recently disabled ciphersuites when "HIGH" is parsed).

     Also, change ssl_create_cipher_list() (using this new
     funcionality) such that between otherwise identical
     cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
     the default order.
     [Bodo Moeller]

  *) Change ssl_create_cipher_list() so that it automatically
     arranges the ciphersuites in reasonable order before starting
     to process the rule string.  Thus, the definition for "DEFAULT"
     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
     This makes it much easier to arrive at a reasonable default order
     in applications for which anonymous ciphers are OK (meaning
     that you can't actually use DEFAULT).
     [Bodo Moeller; suggested by Victor Duchovni]

  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
     processing) into multiple integers instead of setting
     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
     (These masks as well as the individual bit definitions are hidden
     away into the non-exported interface ssl/ssl_locl.h, so this
     change to the definition of the SSL_CIPHER structure shouldn't
     affect applications.)  This give us more bits for each of these
     categories, so there is no longer a need to coagulate AES128 and
     AES256 into a single algorithm bit, and to coagulate Camellia128
     and Camellia256 into a single algorithm bit, which has led to all
     kinds of kludges.

     Thus, among other things, the kludge introduced in 0.9.7m and
     0.9.8e for masking out AES256 independently of AES128 or masking
     out Camellia256 independently of AES256 is not needed here in 0.9.9.

     With the change, we also introduce new ciphersuite aliases that
     so far were missing: "AES128", "AES256", "CAMELLIA128", and
     "CAMELLIA256".
     [Bodo Moeller]

  *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
     Use the leftmost N bytes of the signature input if the input is
     larger than the prime q (with N being the size in bytes of q).
     [Nils Larsch]

  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
     it yet and it is largely untested.
     [Steve Henson]

  *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
     [Nils Larsch]

  *) Initial incomplete changes to avoid need for function casts in OpenSSL
     some compilers (gcc 4.2 and later) reject their use. Safestack is
     reimplemented using inline functions: tests show that these calls are
     typically optimized away by compilers so they have no additional overhead.
     Update ASN1 to avoid use of legacy functions. 
  *) Win32/64 targets are linked with Winsock2.
     [Andy Polyakov]

  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
     to external functions. This can be used to increase CRL handling 
     efficiency especially when CRLs are very large by (for example) storing
     the CRL revoked certificates in a database.
     [Steve Henson]

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real errors
     to be returned by the verify callback instead of carrying on no matter
     what. This reflects the way a "real world" verify callback would behave.
     [Steve Henson]

  *) GOST engine, supporting several GOST algorithms and public key formats.
     Kindly donated by Cryptocom.
     [Cryptocom]

  *) Partial support for Issuing Distribution Point CRL extension. CRLs
     partitioned by DP are handled but no indirect CRL or reason partitioning
     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
     selected via a scoring technique which handles IDP and AKID in CRLs.
     [Steve Henson]

  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
     will ultimately be used for all verify operations: this will remove the
     X509_STORE dependency on certificate verification and allow alternative
     lookup methods.  X509_STORE based implementations of these two callbacks.
     [Steve Henson]

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
     this would be called X509_CRL_cmp() but that name is already used by
     a function that just compares CRL issuer names. Cache several CRL 
     extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

  *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
     this maps equivalent X509_NAME structures into a consistent structure.
     Name comparison can then be performed rapidly using memcmp().
     [Steve Henson]

  *) Non-blocking OCSP request processing. Add -timeout option to ocsp 
     utility.
  *) Allow digests to supply their own micalg string for S/MIME type using
     the ctrl EVP_MD_CTRL_MICALG.
     [Steve Henson]

  *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
     EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
     ctrl. It can then customise the structure before and/or after signing
     if necessary.
     [Steve Henson]

  *) New function OBJ_add_sigid() to allow application defined signature OIDs
     to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
     to free up any added signature OIDs.
     [Steve Henson]

  *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
     EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
     digest and cipher tables. New options added to openssl utility:
     list-message-digest-algorithms and list-cipher-algorithms.
     [Steve Henson]

  *) In addition to the numerical (unsigned long) thread ID, provide
     for a pointer (void *) thread ID.  This helps accomodate systems
     that do not provide an unsigned long thread ID.  OpenSSL assumes
     it is in the same thread iff both the numerical and the pointer
     thread ID agree; so applications are just required to define one
     of them appropriately (e.g., by using a pointer to a per-thread
     memory object malloc()ed by the application for the pointer-type
     thread ID).  Exactly analoguous to the existing functions

        void CRYPTO_set_id_callback(unsigned long (*func)(void));
        unsigned long (*CRYPTO_get_id_callback(void))(void);
        unsigned long CRYPTO_thread_id(void);

     we now have additional functions

        void CRYPTO_set_idptr_callback(void *(*func)(void));
        void *(*CRYPTO_get_idptr_callback(void))(void);
        void *CRYPTO_thread_idptr(void);

     also in <openssl/crypto.h>.  The default value for
     CRYPTO_thread_idptr() if the application has not provided its own
     callback is &errno.
     [Bodo Moeller]

  *) Change the array representation of binary polynomials: the list
     of degrees of non-zero coefficients is now terminated with -1.
     Previously it was terminated with 0, which was also part of the
     value; thus, the array representation was not applicable to
     polynomials where t^0 has coefficient zero.  This change makes
     the array representation useful in a more general context.
     [Douglas Stebila]

  *) Various modifications and fixes to SSL/TLS cipher string
     handling.  For ECC, the code now distinguishes between fixed ECDH
     with RSA certificates on the one hand and with ECDSA certificates
     on the other hand, since these are separate ciphersuites.  The
     unused code for Fortezza ciphersuites has been removed.

     For consistency with EDH, ephemeral ECDH is now called "EECDH"
     (not "ECDHE").  For consistency with the code for DH
     certificates, use of ECDH certificates is now considered ECDH
     authentication, not RSA or ECDSA authentication (the latter is
     merely the CA's signing algorithm and not actively used in the
     protocol).

     The temporary ciphersuite alias "ECCdraft" is no longer
     available, and ECC ciphersuites are no longer excluded from "ALL"
     and "DEFAULT".  The following aliases now exist for RFC 4492
     ciphersuites, most of these by analogy with the DH case:

         kECDHr   - ECDH cert, signed with RSA
         kECDHe   - ECDH cert, signed with ECDSA
         kECDH    - ECDH cert (signed with either RSA or ECDSA)
         kEECDH   - ephemeral ECDH
         ECDH     - ECDH cert or ephemeral ECDH

         aECDH    - ECDH cert
         aECDSA   - ECDSA cert
         ECDSA    - ECDSA cert

         AECDH    - anonymous ECDH
         EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

     [Bodo Moeller]

  *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
     Use correct micalg parameters depending on digest(s) in signed message.
     [Steve Henson]

  *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
     an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
     [Steve Henson]
  *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
     an engine to register a method. Add ENGINE lookups for methods and
     functional reference processing.
  *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
     EVP_{Sign,Verify}* which allow an application to customise the signature
     process.
     [Steve Henson]

  *) New -resign option to smime utility. This adds one or more signers
     to an existing PKCS#7 signedData structure. Also -md option to use an
     alternative message digest algorithm for signing.
     [Steve Henson]

  *) Tidy up PKCS#7 routines and add new functions to make it easier to
     create PKCS7 structures containing multiple signers. Update smime
     application to support multiple signers.
     [Steve Henson]

  *) New -macalg option to pkcs12 utility to allow setting of an alternative
     digest MAC.
     [Steve Henson]

  *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
     Reorganize PBE internals to lookup from a static table using NIDs,
     add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
     EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
     PRF which will be automatically used with PBES2.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Replace the algorithm specific calls to generate keys in "req" with the
  *) Update PKCS#7 enveloped data routines to use new API. This is now
     supported by any public key method supporting the encrypt operation. A
     ctrl is added to allow the public key algorithm to examine or modify
     the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
     a no op.
     [Steve Henson]
  *) Add a ctrl to asn1 method to allow a public key algorithm to express
     a default digest type to use. In most cases this will be SHA1 but some
     algorithms (such as GOST) need to specify an alternative digest. The
     return value indicates how strong the prefernce is 1 means optional and
     2 is mandatory (that is it is the only supported type). Modify
     ASN1_item_sign() to accept a NULL digest argument to indicate it should
     use the default md. Update openssl utilities to use the default digest
     type for signing if it is not explicitly indicated.
     [Steve Henson]

  *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
     EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
     signing method from the key type. This effectively removes the link
     between digests and public key types.
     [Steve Henson]

  *) Add an OID cross reference table and utility functions. Its purpose is to
     translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
     rsaEncryption. This will allow some of the algorithm specific hackery
     needed to use the correct OID to be removed. 
     [Steve Henson]

  *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
     structures for PKCS7_sign(). They are now set up by the relevant public
     key ASN1 method.
     [Steve Henson]

  *) Add provisional EC pkey method with support for ECDSA and ECDH.
     [Steve Henson]

  *) Add support for key derivation (agreement) in the API, DH method and
     pkeyutl.
     [Steve Henson]

  *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
     public and private key formats. As a side effect these add additional 
     command line functionality not previously available: DSA signatures can be
     generated and verified using pkeyutl and DH key support and generation in
     pkey, genpkey.
     [Steve Henson]

Ulf Möller's avatar
Ulf Möller committed
  *) BeOS support.
     [Oliver Tappe <zooey@hirschkaefer.de>]

  *) New make target "install_html_docs" installs HTML renditions of the
     manual pages.
     [Oliver Tappe <zooey@hirschkaefer.de>]

  *) New utility "genpkey" this is analagous to "genrsa" etc except it can
     generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
     support key and parameter generation and add initial key generation
     functionality for RSA.
     [Steve Henson]

  *) Add functions for main EVP_PKEY_method operations. The undocumented
     functions EVP_PKEY_{encrypt,decrypt} have been renamed to
     EVP_PKEY_{encrypt,decrypt}_old. 
     [Steve Henson]

  *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
     key API, doesn't do much yet.
     [Steve Henson]

  *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
     public key algorithms. New option to openssl utility:
     "list-public-key-algorithms" to print out info.
     [Steve Henson]

  *) Implement the Supported Elliptic Curves Extension for
     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
     [Douglas Stebila]

  *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
     EVP_CIPHER structures to avoid later problems in EVP_cleanup().
     [Steve Henson]

  *) New utilities pkey and pkeyparam. These are similar to algorithm specific
     utilities such as rsa, dsa, dsaparam etc except they process any key
  *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 
     functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
     EVP_PKEY_print_param() to print public key data from an EVP_PKEY
     structure.
     [Steve Henson]

  *) Initial support for pluggable public key ASN1.
     De-spaghettify the public key ASN1 handling. Move public and private
     key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
     algorithm specific handling to a single module within the relevant
     algorithm directory. Add functions to allow (near) opaque processing
     of public and private key structures.
     [Steve Henson]

  *) Implement the Supported Point Formats Extension for
     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
     [Douglas Stebila]

  *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
     for the psk identity [hint] and the psk callback functions to the
     SSL_SESSION, SSL and SSL_CTX structure.
     
     New ciphersuites:
         PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
         PSK-AES256-CBC-SHA
 
     New functions:
         SSL_CTX_use_psk_identity_hint
         SSL_get_psk_identity_hint
         SSL_get_psk_identity
         SSL_use_psk_identity_hint

     [Mika Kousa and Pasi Eronen of Nokia Corporation]

  *) Add RFC 3161 compliant time stamp request creation, response generation
     and response verification functionality.
     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]

  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name.  The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):

         SSL_get_servername()
         SSL_get_servername_type()
         SSL_set_SSL_CTX()

     New CTRL codes and macros (subject to change):

         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                 - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                      - SSL_CTX_set_tlsext_servername_arg()
Nils Larsch's avatar
Nils Larsch committed
         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
Bodo Möller's avatar
Bodo Möller committed

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change).  This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation).  If the unrecogninzed_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'
     option.
Bodo Möller's avatar
Bodo Möller committed

     [Peter Sylvester,  Remy Allais, Christophe Renou]
Bodo Möller's avatar
Bodo Möller committed

  *) Whirlpool hash implementation is added.
     [Andy Polyakov]

  *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
     bn(64,32). Because of instruction set limitations it doesn't have
     any negative impact on performance. This was done mostly in order
     to make it possible to share assembler modules, such as bn_mul_mont
     implementations, between 32- and 64-bit builds without hassle.
     [Andy Polyakov]

  *) Move code previously exiled into file crypto/ec/ec2_smpt.c
     to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
     macro.
     [Bodo Moeller]

  *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
     dedicated Montgomery multiplication procedure, is introduced.
     BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
     "64-bit" performance on certain 32-bit targets.
     [Andy Polyakov]

  *) New option SSL_OP_NO_COMP to disable use of compression selectively
     in SSL structures. New SSL ctrl to set maximum send fragment size. 
     Save memory by seeting the I/O buffer sizes dynamically instead of
     using the maximum available value.
     [Steve Henson]

  *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
     in addition to the text details.
     [Bodo Moeller]

  *) Very, very preliminary EXPERIMENTAL support for printing of general
     ASN1 structures. This currently produces rather ugly output and doesn't
     handle several customised structures at all.
     [Steve Henson]

  *) Integrated support for PVK file format and some related formats such
     as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
     these in the 'rsa' and 'dsa' utilities.
     [Steve Henson]

  *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
     [Steve Henson]

  *) Remove the ancient ASN1_METHOD code. This was only ever used in one
     place for the (very old) "NETSCAPE" format certificates which are now
     handled using new ASN1 code equivalents.
  *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
     pointer and make the SSL_METHOD parameter in SSL_CTX_new,
     SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
     [Nils Larsch]

  *) Modify CRL distribution points extension code to print out previously
     unsupported fields. Enhance extension setting code to allow setting of
     all fields.
  *) Add print and set support for Issuing Distribution Point CRL extension.
  *) Change 'Configure' script to enable Camellia by default.
     [NTT]

 Changes between 0.9.8e and 0.9.8f  [xx XXX xxxx]

  *) Mitigate attack on final subtraction in Montgomery reduction.
     [Andy Polyakov]

  *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
     (which previously caused an internal error).
     [Bodo Moeller]

Ben Laurie's avatar
Ben Laurie committed
  *) Squeeze another 10% out of IGE mode when in != out.
     [Ben Laurie]

Ben Laurie's avatar
Ben Laurie committed
  *) AES IGE mode speedup.
     [Dean Gaudet (Google)]

  *) Add the Korean symmetric 128-bit cipher SEED (see
     http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
     add SEED ciphersuites from RFC 4162:

        TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
        TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
        TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
        TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, SEED remains excluded from compilation unless OpenSSL
     is configured with 'enable-seed'.
     [KISA, Bodo Moeller]

  *) Mitigate branch prediction attacks, which can be practical if a
     single processor is shared, allowing a spy process to extract
     information.  For detailed background information, see
     http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
     J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
     and Necessary Software Countermeasures").  The core of the change
     are new versions BN_div_no_branch() and
     BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
     respectively, which are slower, but avoid the security-relevant
     conditional branches.  These are automatically called by BN_div()
     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
     of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
     remove a conditional branch.

     BN_FLG_CONSTTIME is the new name for the previous
     BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
     modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
     in the exponent causes BN_mod_exp_mont() to use the alternative
     implementation in BN_mod_exp_mont_consttime().)  The old name
     remains as a deprecated alias.

     Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
     RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
     constant-time implementations for more than just exponentiation.
     Here too the old name is kept as a deprecated alias.

     BN_BLINDING_new() will now use BN_dup() for the modulus so that
     the BN_BLINDING structure gets an independent copy of the
     modulus.  This means that the previous "BIGNUM *m" argument to
     BN_BLINDING_new() and to BN_BLINDING_create_param() now
     essentially becomes "const BIGNUM *m", although we can't actually
     change this in the header file before 0.9.9.  It allows
     RSA_setup_blinding() to use BN_with_flags() on the modulus to
     enable BN_FLG_CONSTTIME.

     [Matthew D Wood (Intel Corp)]

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes).  Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set.  This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]
  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

 Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't
     (or if Camellia128 is available and Camellia256 isn't).
     [Victor Duchovni]

  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
     When a point or a seed is encoded in a BIT STRING, we need to
     prevent the removal of trailing zero bits to get the proper DER
     encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
     of a NamedBitList, for which trailing 0 bits need to be removed.)
     [Bodo Moeller]

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented.  (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

Ben Laurie's avatar
Ben Laurie committed
  *) Add RFC 3779 support.
     [Rob Austein for ARIN, Ben Laurie]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     Improve header file function name parsing.
     [Steve Henson]

  *) extend SMTP and IMAP protocol emulation in s_client to use EHLO
     or CAPABILITY handshake as required by RFCs.
     [Goetz Babin-Ebell]

 Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service.  (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service.  (CVE-2006-2937)  [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server.  (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those.  Before that, "AES256-SHA" would be interpreted
Bodo Möller's avatar
Bodo Möller committed
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
     the same strength classification in 0.9.7h) as we currently only
     have a single AES bit in the ciphersuite description bitmap.
     That change, however, also applied to ciphersuite strings such as
     "RC4-MD5" that intentionally matched multiple ciphersuites --
     namely, SSL 2.0 ciphersuites in addition to the more common ones
     from SSL 3.0/TLS 1.0.

     So we change the selection algorithm again: Naming an explicit
     ciphersuite selects this one ciphersuite, and any other similar
     ciphersuite (same bitmap) from *other* protocol versions.
     Thus, "RC4-MD5" again will properly select both the SSL 2.0
     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

     Since SSL 2.0 does not have any ciphersuites for which the
     128/256 bit distinction would be relevant, this works for now.
     The proper fix will be to use different bits for AES128 and
     AES256, which would have avoided the problems from the beginning;
     however, bits are scarce, so we can only do this in a new release
     (not just a patchlevel) when we can change the SSL_CIPHER
     definition to split the single 'unsigned long mask' bitmap into
     multiple values to extend the available space.

     [Bodo Moeller]

 Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]

  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
     (CVE-2006-4339)  [Ben Laurie and Google Security Team]
Ben Laurie's avatar
Ben Laurie committed
  *) Add AES IGE and biIGE modes.
     [Ben Laurie]

  *) Change the Unix randomness entropy gathering to use poll() when
     possible instead of select(), since the latter has some
     undesirable limitations.
     [Darryl Miles via Richard Levitte and Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
     treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
     cannot be implicitly activated as part of, e.g., the "AES" alias.
     However, please upgrade to OpenSSL 0.9.9[-dev] for
     non-experimental use of the ECC ciphersuites to get TLS extension
     support, which is required for curve and point format negotiation
     to avoid potential handshake problems.
  *) Disable rogue ciphersuites:

      - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
      - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
      - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

     The latter two were purportedly from
     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
     appear there.

Nils Larsch's avatar
Nils Larsch committed
     Also deactivate the remaining ciphersuites from
     draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
     unofficial, and the ID has long expired.
     [Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix RSA blinding Heisenbug (problems sometimes occured on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

  *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
     versions), which is now available for royalty-free use
     (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
     Also, add Camellia TLS ciphersuites from RFC 4132.

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, Camellia remains excluded from compilation unless OpenSSL
     is configured with 'enable-camellia'.
     [NTT]

  *) Disable the padding bug check when compression is in use. The padding
     bug check assumes the first packet is of even length, this is not
     necessarily true if compresssion is enabled and can result in false
     positives causing handshake failure. The actual bug test is ancient
     code so it is hoped that implementations will either have fixed it by
     now or any which still have the bug do not support compression.
     [Steve Henson]

 Changes between 0.9.8a and 0.9.8b  [04 May 2006]
Richard Levitte's avatar
Richard Levitte committed

  *) When applying a cipher rule check to see if string match is an explicit
     cipher suite and only match that one cipher suite if it is.
     [Steve Henson]

  *) Link in manifests for VC++ if needed.
     [Austin Ziegler <halostatue@gmail.com>]

Bodo Möller's avatar
Bodo Möller committed
  *) Update support for ECC-based TLS ciphersuites according to
Bodo Möller's avatar
Bodo Möller committed
     draft-ietf-tls-ecc-12.txt with proposed changes (but without
     TLS extensions, which are supported starting with the 0.9.9
     branch, not in the OpenSSL 0.9.8 branch).
Bodo Möller's avatar
Bodo Möller committed
     [Douglas Stebila]

  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
     opaque EVP_CIPHER_CTX handling.
     [Steve Henson]

  *) Fixes and enhancements to zlib compression code. We now only use
     "zlib1.dll" and use the default __cdecl calling convention on Win32
     to conform with the standards mentioned here:
           http://www.zlib.net/DLL_FAQ.txt
     Static zlib linking now works on Windows and the new --with-zlib-include
     --with-zlib-lib options to Configure can be used to supply the location
     of the headers and library. Gracefully handle case where zlib library
     can't be loaded.
     [Steve Henson]

  *) Several fixes and enhancements to the OID generation code. The old code
     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
     handle numbers larger than ULONG_MAX, truncated printing and had a
     non standard OBJ_obj2txt() behaviour.
     [Steve Henson]

  *) Add support for building of engines under engine/ as shared libraries
     under VC++ build system.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
     Hopefully, we will not see any false combination of paths any more.
     [Richard Levitte]

 Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]

  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
     (part of SSL_OP_ALL).  This option used to disable the
     countermeasure against man-in-the-middle protocol-version
     rollback in the SSL 2.0 server implementation, which is a bad
Mark J. Cox's avatar
Mark J. Cox committed
     idea.  (CVE-2005-2969)

     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
     for Information Security, National Institute of Advanced Industrial
     Science and Technology [AIST], Japan)]
  *) Add two function to clear and return the verify parameter flags.
     [Steve Henson]

  *) Keep cipherlists sorted in the source instead of sorting them at
     runtime, thus removing the need for a lock.
     [Nils Larsch]

  *) Avoid some small subgroup attacks in Diffie-Hellman.
     [Nick Mathewson and Ben Laurie]

  *) Add functions for well-known primes.
     [Nick Mathewson]

Andy Polyakov's avatar
Andy Polyakov committed
  *) Extended Windows CE support.
     [Satoshi Nakamura and Andy Polyakov]
  *) Initialize SSL_METHOD structures at compile time instead of during
     runtime, thus removing the need for a lock.
     [Steve Henson]

  *) Make PKCS7_decrypt() work even if no certificate is supplied by
     attempting to decrypt each encrypted key in turn. Add support to
     smime utility.
     [Steve Henson]

 Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
Bodo Möller's avatar
Bodo Möller committed
  [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
  OpenSSL 0.9.8.]

  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
     [Richard Levitte]

  *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
     key into the same file any more.
     [Richard Levitte]

  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
     [Andy Polyakov]

  *) Add -utf8 command line and config file option to 'ca'.
     [Stefan <stf@udoma.org]

  *) Removed the macro des_crypt(), as it seems to conflict with some
     libraries.  Use DES_crypt().
     [Richard Levitte]

  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
     involves renaming the source and generated shared-libs for
     both. The engines will accept the corrected or legacy ids
     ('ncipher' and '4758_cca' respectively) when binding. NB,
     this only applies when building 'shared'.
     [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]

  *) Add attribute functions to EVP_PKEY structure. Modify
     PKCS12_create() to recognize a CSP name attribute and
     use it. Make -CSP option work again in pkcs12 utility.
     [Steve Henson]

  *) Add new functionality to the bn blinding code:
     - automatic re-creation of the BN_BLINDING parameters after
       a fixed number of uses (currently 32)
     - add new function for parameter creation
     - introduce flags to control the update behaviour of the
       BN_BLINDING parameters
     - hide BN_BLINDING structure
     Add a second BN_BLINDING slot to the RSA structure to improve
     performance when a single RSA object is shared among several
     threads.
     [Nils Larsch]

Ben Laurie's avatar
Ben Laurie committed
  *) Add support for DTLS.
     [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]

  *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
     to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
     [Walter Goulet]

  *) Remove buggy and incompletet DH cert support from
     ssl/ssl_rsa.c and ssl/s3_both.c
     [Nils Larsch]

  *) Use SHA-1 instead of MD5 as the default digest algorithm for
     the apps/openssl applications.
     [Nils Larsch]
Bodo Möller's avatar
Bodo Möller committed

  *) Compile clean with "-Wall -Wmissing-prototypes
     -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
     DEBUG_SAFESTACK must also be set.
     [Ben Laurie]

  *) Change ./Configure so that certain algorithms can be disabled by default.
     The new counterpiece to "no-xxx" is "enable-xxx".

     The patented RC5 and MDC2 algorithms will now be disabled unless
     "enable-rc5" and "enable-mdc2", respectively, are specified.

     (IDEA remains enabled despite being patented.  This is because IDEA
     is frequently required for interoperability, and there is no license
     fee for non-commercial use.  As before, "no-idea" can be used to
     avoid this algorithm.)

  *) Add processing of proxy certificates (see RFC 3820).  This work was
     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
     EGEE (Enabling Grids for E-science in Europe).
     [Richard Levitte]

  *) RC4 performance overhaul on modern architectures/implementations, such
     as Intel P4, IA-64 and AMD64.
     [Andy Polyakov]

  *) New utility extract-section.pl. This can be used specify an alternative
     section number in a pod file instead of having to treat each file as
     a separate case in Makefile. This can be done by adding two lines to the
     pod file:

     =for comment openssl_section:XXX

     The blank line is mandatory.

     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) New arguments -certform, -keyform and -pass for s_client and s_server
     to allow alternative format key and certificate files and passphrase
     sources.
     [Steve Henson]

  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
     update associated structures and add various utility functions.

     Add new policy related verify parameters, include policy checking in 
     standard verify code. Enhance 'smime' application with extra parameters
     to support policy checking and print out.
     [Steve Henson]

  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
     [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]

  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
     [Geoff Thorpe]

  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
     [Andy Polyakov and a number of other people]

  *) Improved PowerPC platform support. Most notably BIGNUM assembler
     implementation contributed by IBM.
     [Suresh Chari, Peter Waltenberg, Andy Polyakov]

  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
     exponent rather than 'unsigned long'. There is a corresponding change to
     the new 'rsa_keygen' element of the RSA_METHOD structure.
     [Jelte Jansen, Geoff Thorpe]

  *) Functionality for creating the initial serial number file is now
     moved from CA.pl to the 'ca' utility with a new option -create_serial.

     (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
     number file to 1, which is bound to cause problems.  To avoid
     the problems while respecting compatibility between different 0.9.7
     patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
     CA.pl for serial number initialization.  With the new release 0.9.8,
     we can fix the problem directly in the 'ca' utility.)
  *) Reduced header interdepencies by declaring more opaque objects in
     ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
     give fewer recursive includes, which could break lazy source code - so
     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
     developers should define this symbol when building and using openssl to
     ensure they track the recommended behaviour, interfaces, [etc], but
     backwards-compatible behaviour prevails when this isn't defined.
     [Geoff Thorpe]

  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
     [Steve Henson]

  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
     This will generate a random key of the appropriate length based on the 
     cipher context. The EVP_CIPHER can provide its own random key generation
     routine to support keys of a specific form. This is used in the des and 
     3des routines to generate a key of the correct parity. Update S/MIME
     code to use new functions and hence generate correct parity DES keys.
     Add EVP_CHECK_DES_KEY #define to return an error if the key is not 
     valid (weak or incorrect parity).
     [Steve Henson]

  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
     as looking them up. This is useful when the verified structure may contain
     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
     present unless the new PKCS7_NO_CRL flag is asserted.
     [Steve Henson]

  *) Extend ASN1 oid configuration module. It now additionally accepts the