Skip to content
CHANGES 471 KiB
Newer Older
     Also, change ssl_create_cipher_list() (using this new
     funcionality) such that between otherwise identical
     cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
     the default order.
     [Bodo Moeller]

  *) Change ssl_create_cipher_list() so that it automatically
     arranges the ciphersuites in reasonable order before starting
     to process the rule string.  Thus, the definition for "DEFAULT"
     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
     This makes it much easier to arrive at a reasonable default order
     in applications for which anonymous ciphers are OK (meaning
     that you can't actually use DEFAULT).
     [Bodo Moeller; suggested by Victor Duchovni]

  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
     processing) into multiple integers instead of setting
     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
     (These masks as well as the individual bit definitions are hidden
     away into the non-exported interface ssl/ssl_locl.h, so this
     change to the definition of the SSL_CIPHER structure shouldn't
     affect applications.)  This give us more bits for each of these
     categories, so there is no longer a need to coagulate AES128 and
     AES256 into a single algorithm bit, and to coagulate Camellia128
     and Camellia256 into a single algorithm bit, which has led to all
     kinds of kludges.

     Thus, among other things, the kludge introduced in 0.9.7m and
     0.9.8e for masking out AES256 independently of AES128 or masking
     out Camellia256 independently of AES256 is not needed here in 0.9.9.

     With the change, we also introduce new ciphersuite aliases that
     so far were missing: "AES128", "AES256", "CAMELLIA128", and
     "CAMELLIA256".
     [Bodo Moeller]

  *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
     Use the leftmost N bytes of the signature input if the input is
     larger than the prime q (with N being the size in bytes of q).
     [Nils Larsch]

  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
     it yet and it is largely untested.
     [Steve Henson]

  *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
     [Nils Larsch]

  *) Initial incomplete changes to avoid need for function casts in OpenSSL
     some compilers (gcc 4.2 and later) reject their use. Safestack is
     reimplemented.  Update ASN1 to avoid use of legacy functions. 
  *) Win32/64 targets are linked with Winsock2.
     [Andy Polyakov]

  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
     to external functions. This can be used to increase CRL handling 
     efficiency especially when CRLs are very large by (for example) storing
     the CRL revoked certificates in a database.
     [Steve Henson]

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real errors
     to be returned by the verify callback instead of carrying on no matter
     what. This reflects the way a "real world" verify callback would behave.
     [Steve Henson]

  *) GOST engine, supporting several GOST algorithms and public key formats.
     Kindly donated by Cryptocom.
     [Cryptocom]

  *) Partial support for Issuing Distribution Point CRL extension. CRLs
     partitioned by DP are handled but no indirect CRL or reason partitioning
     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
     selected via a scoring technique which handles IDP and AKID in CRLs.
     [Steve Henson]

  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
     will ultimately be used for all verify operations: this will remove the
     X509_STORE dependency on certificate verification and allow alternative
     lookup methods.  X509_STORE based implementations of these two callbacks.
     [Steve Henson]

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
     this would be called X509_CRL_cmp() but that name is already used by
     a function that just compares CRL issuer names. Cache several CRL 
     extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

  *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
     this maps equivalent X509_NAME structures into a consistent structure.
     Name comparison can then be performed rapidly using memcmp().
     [Steve Henson]

  *) Non-blocking OCSP request processing. Add -timeout option to ocsp 
     utility.
  *) Allow digests to supply their own micalg string for S/MIME type using
     the ctrl EVP_MD_CTRL_MICALG.
     [Steve Henson]

  *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
     EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
     ctrl. It can then customise the structure before and/or after signing
     if necessary.
     [Steve Henson]

  *) New function OBJ_add_sigid() to allow application defined signature OIDs
     to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
     to free up any added signature OIDs.
     [Steve Henson]

  *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
     EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
     digest and cipher tables. New options added to openssl utility:
     list-message-digest-algorithms and list-cipher-algorithms.
     [Steve Henson]

  *) Change the array representation of binary polynomials: the list
     of degrees of non-zero coefficients is now terminated with -1.
     Previously it was terminated with 0, which was also part of the
     value; thus, the array representation was not applicable to
     polynomials where t^0 has coefficient zero.  This change makes
     the array representation useful in a more general context.
     [Douglas Stebila]

  *) Various modifications and fixes to SSL/TLS cipher string
     handling.  For ECC, the code now distinguishes between fixed ECDH
     with RSA certificates on the one hand and with ECDSA certificates
     on the other hand, since these are separate ciphersuites.  The
     unused code for Fortezza ciphersuites has been removed.

     For consistency with EDH, ephemeral ECDH is now called "EECDH"
     (not "ECDHE").  For consistency with the code for DH
     certificates, use of ECDH certificates is now considered ECDH
     authentication, not RSA or ECDSA authentication (the latter is
     merely the CA's signing algorithm and not actively used in the
     protocol).

     The temporary ciphersuite alias "ECCdraft" is no longer
     available, and ECC ciphersuites are no longer excluded from "ALL"
     and "DEFAULT".  The following aliases now exist for RFC 4492
     ciphersuites, most of these by analogy with the DH case:

         kECDHr   - ECDH cert, signed with RSA
         kECDHe   - ECDH cert, signed with ECDSA
         kECDH    - ECDH cert (signed with either RSA or ECDSA)
         kEECDH   - ephemeral ECDH
         ECDH     - ECDH cert or ephemeral ECDH

         aECDH    - ECDH cert
         aECDSA   - ECDSA cert
         ECDSA    - ECDSA cert

         AECDH    - anonymous ECDH
         EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

     [Bodo Moeller]

  *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
     Use correct micalg parameters depending on digest(s) in signed message.
     [Steve Henson]

  *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
     an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
     [Steve Henson]
  *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
     an engine to register a method. Add ENGINE lookups for methods and
     functional reference processing.
  *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
     EVP_{Sign,Verify}* which allow an application to customise the signature
     process.
     [Steve Henson]

  *) New -resign option to smime utility. This adds one or more signers
     to an existing PKCS#7 signedData structure. Also -md option to use an
     alternative message digest algorithm for signing.
     [Steve Henson]

  *) Tidy up PKCS#7 routines and add new functions to make it easier to
     create PKCS7 structures containing multiple signers. Update smime
     application to support multiple signers.
     [Steve Henson]

  *) New -macalg option to pkcs12 utility to allow setting of an alternative
     digest MAC.
     [Steve Henson]

  *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
     Reorganize PBE internals to lookup from a static table using NIDs,
     add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
     EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
     PRF which will be automatically used with PBES2.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Replace the algorithm specific calls to generate keys in "req" with the
  *) Update PKCS#7 enveloped data routines to use new API. This is now
     supported by any public key method supporting the encrypt operation. A
     ctrl is added to allow the public key algorithm to examine or modify
     the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
     a no op.
     [Steve Henson]
  *) Add a ctrl to asn1 method to allow a public key algorithm to express
     a default digest type to use. In most cases this will be SHA1 but some
     algorithms (such as GOST) need to specify an alternative digest. The
     return value indicates how strong the preference is 1 means optional and
     2 is mandatory (that is it is the only supported type). Modify
     ASN1_item_sign() to accept a NULL digest argument to indicate it should
     use the default md. Update openssl utilities to use the default digest
     type for signing if it is not explicitly indicated.
     [Steve Henson]

  *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
     EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
     signing method from the key type. This effectively removes the link
     between digests and public key types.
     [Steve Henson]

  *) Add an OID cross reference table and utility functions. Its purpose is to
     translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
     rsaEncryption. This will allow some of the algorithm specific hackery
     needed to use the correct OID to be removed. 
     [Steve Henson]

  *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
     structures for PKCS7_sign(). They are now set up by the relevant public
     key ASN1 method.
     [Steve Henson]

  *) Add provisional EC pkey method with support for ECDSA and ECDH.
     [Steve Henson]

  *) Add support for key derivation (agreement) in the API, DH method and
     pkeyutl.
     [Steve Henson]

  *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
     public and private key formats. As a side effect these add additional 
     command line functionality not previously available: DSA signatures can be
     generated and verified using pkeyutl and DH key support and generation in
     pkey, genpkey.
     [Steve Henson]

Ulf Möller's avatar
Ulf Möller committed
  *) BeOS support.
     [Oliver Tappe <zooey@hirschkaefer.de>]

  *) New make target "install_html_docs" installs HTML renditions of the
     manual pages.
     [Oliver Tappe <zooey@hirschkaefer.de>]

  *) New utility "genpkey" this is analogous to "genrsa" etc except it can
     generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
     support key and parameter generation and add initial key generation
     functionality for RSA.
     [Steve Henson]

  *) Add functions for main EVP_PKEY_method operations. The undocumented
     functions EVP_PKEY_{encrypt,decrypt} have been renamed to
     EVP_PKEY_{encrypt,decrypt}_old. 
     [Steve Henson]

  *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
     key API, doesn't do much yet.
     [Steve Henson]

  *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
     public key algorithms. New option to openssl utility:
     "list-public-key-algorithms" to print out info.
     [Steve Henson]

  *) Implement the Supported Elliptic Curves Extension for
     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
     [Douglas Stebila]

  *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
     EVP_CIPHER structures to avoid later problems in EVP_cleanup().
     [Steve Henson]

  *) New utilities pkey and pkeyparam. These are similar to algorithm specific
     utilities such as rsa, dsa, dsaparam etc except they process any key
  *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 
     functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
     EVP_PKEY_print_param() to print public key data from an EVP_PKEY
     structure.
     [Steve Henson]

  *) Initial support for pluggable public key ASN1.
     De-spaghettify the public key ASN1 handling. Move public and private
     key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
     algorithm specific handling to a single module within the relevant
     algorithm directory. Add functions to allow (near) opaque processing
     of public and private key structures.
     [Steve Henson]

  *) Implement the Supported Point Formats Extension for
     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
     [Douglas Stebila]

  *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
     for the psk identity [hint] and the psk callback functions to the
     SSL_SESSION, SSL and SSL_CTX structure.
     
     New ciphersuites:
         PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
         PSK-AES256-CBC-SHA
 
     New functions:
         SSL_CTX_use_psk_identity_hint
         SSL_get_psk_identity_hint
         SSL_get_psk_identity
         SSL_use_psk_identity_hint

     [Mika Kousa and Pasi Eronen of Nokia Corporation]

  *) Add RFC 3161 compliant time stamp request creation, response generation
     and response verification functionality.
     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]

  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name.  The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):

         SSL_get_servername()
         SSL_get_servername_type()
         SSL_set_SSL_CTX()

     New CTRL codes and macros (subject to change):

         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                 - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                      - SSL_CTX_set_tlsext_servername_arg()
Nils Larsch's avatar
Nils Larsch committed
         SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
Bodo Möller's avatar
Bodo Möller committed

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change).  This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation).  If the unrecognized_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'
     option.
Bodo Möller's avatar
Bodo Möller committed

     [Peter Sylvester,  Remy Allais, Christophe Renou]
Bodo Möller's avatar
Bodo Möller committed

  *) Whirlpool hash implementation is added.
     [Andy Polyakov]

  *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
     bn(64,32). Because of instruction set limitations it doesn't have
     any negative impact on performance. This was done mostly in order
     to make it possible to share assembler modules, such as bn_mul_mont
     implementations, between 32- and 64-bit builds without hassle.
     [Andy Polyakov]

  *) Move code previously exiled into file crypto/ec/ec2_smpt.c
     to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
     macro.
     [Bodo Moeller]

  *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
     dedicated Montgomery multiplication procedure, is introduced.
     BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
     "64-bit" performance on certain 32-bit targets.
     [Andy Polyakov]

  *) New option SSL_OP_NO_COMP to disable use of compression selectively
     in SSL structures. New SSL ctrl to set maximum send fragment size. 
     Save memory by seeting the I/O buffer sizes dynamically instead of
     using the maximum available value.
     [Steve Henson]

  *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
     in addition to the text details.
     [Bodo Moeller]

  *) Very, very preliminary EXPERIMENTAL support for printing of general
     ASN1 structures. This currently produces rather ugly output and doesn't
     handle several customised structures at all.
     [Steve Henson]

  *) Integrated support for PVK file format and some related formats such
     as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
     these in the 'rsa' and 'dsa' utilities.
     [Steve Henson]

  *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
     [Steve Henson]

  *) Remove the ancient ASN1_METHOD code. This was only ever used in one
     place for the (very old) "NETSCAPE" format certificates which are now
     handled using new ASN1 code equivalents.
  *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
     pointer and make the SSL_METHOD parameter in SSL_CTX_new,
     SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
     [Nils Larsch]

  *) Modify CRL distribution points extension code to print out previously
     unsupported fields. Enhance extension setting code to allow setting of
     all fields.
  *) Add print and set support for Issuing Distribution Point CRL extension.
  *) Change 'Configure' script to enable Camellia by default.
     [NTT]
 Changes between 0.9.8x and 0.9.8y [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by 
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/     

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     (This is a backport)
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

 Changes between 0.9.8w and 0.9.8x [10 May 2012]

  *) Sanity check record length before skipping explicit IV in DTLS
     to fix DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

 Changes between 0.9.8v and 0.9.8w [23 Apr 2012]

  *) The fix for CVE-2012-2110 did not take into account that the 
     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
     rejecting negative len parameter. (CVE-2012-2131)
     [Tomas Hoger <thoger@redhat.com>]

 Changes between 0.9.8u and 0.9.8v [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]

 Changes between 0.9.8t and 0.9.8u [12 Mar 2012]

  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be reenabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]

  *) Fix CVE-2011-4619: make sure we really are receiving a 
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]

 Changes between 0.9.8s and 0.9.8t [18 Jan 2012]

  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
     Thanks to Antonio Martin, Enterprise Secure Access Research and
     Development, Cisco Systems, Inc. for discovering this bug and
     preparing a fix. (CVE-2012-0050)
     [Antonio Martin]
 Changes between 0.9.8r and 0.9.8s [4 Jan 2012]

  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
     of the Vaudenay padding oracle attack on CBC mode encryption
     which enables an efficient plaintext recovery attack against
     the OpenSSL implementation of DTLS. Their attack exploits timing
     differences arising during decryption processing. A research
     paper describing this attack can be found at:
                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
     for preparing the fix. (CVE-2011-4108)
     [Robin Seggelmann, Michael Tuexen]

  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
     [Ben Laurie, Kasper <ekasper@google.com>]

  *) Clear bytes used for block padding of SSL 3.0 records.
     (CVE-2011-4576)
     [Adam Langley (Google)]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
     Kadianakis <desnacked@gmail.com> for discovering this issue and
     Adam Langley for preparing the fix. (CVE-2011-4619)
     [Adam Langley (Google)]
 
  *) Prevent malformed RFC3779 data triggering an assertion failure.
     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
     [Rob Austein <sra@hactrn.net>]
  *) Fix ssl_ciph.c set-up race.
     [Adam Langley (Google)]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix spurious failures in ecdsatest.c.
     [Emilia Käsper (Google)]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix the BIO_f_buffer() implementation (which was mixing different
     interpretations of the '..._len' fields).
     [Adam Langley (Google)]

  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
     threads won't reuse the same blinding coefficients.

     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
     lock to call BN_BLINDING_invert_ex, and avoids one use of
     BN_BLINDING_update for each BN_BLINDING structure (previously,
     the last update always remained unused).
     [Emilia Käsper (Google)]
  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH.
     [Adam Langley (Google)]

  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

	http://eprint.iacr.org/2011/232.pdf

     [Billy Bob Brumley and Nicola Tuveri]

Bodo Möller's avatar
Bodo Möller committed
 Changes between 0.9.8q and 0.9.8r [8 Feb 2011]

  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]

  *) Fix bug in string printing code: if *any* escaping is enabled we must
     escape the escape character (backslash) or the resulting string is
     ambiguous.
     [Steve Henson]

 Changes between 0.9.8p and 0.9.8q [2 Dec 2010]

  *) Disable code workaround for ancient and obsolete Netscape browsers
     and servers: an attacker can use it in a ciphersuite downgrade attack.
     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
     [Steve Henson]

  *) Fixed J-PAKE implementation error, originally discovered by
     Sebastien Martini, further info and confirmation from Stefan
     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
     [Ben Laurie]

 Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
Bodo Möller's avatar
Bodo Möller committed
     [Steve Henson]
  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
     [Steve Henson]

  *) Don't reencode certificate when calculating signature: cache and use
     the original encoding instead. This makes signature verification of
     some broken encodings work correctly.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
     is also one of the inputs.
     [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]

  *) Don't repeatedly append PBE algorithms to table if they already exist.
     Sort table on each new add. This effectively makes the table read only
     after all algorithms are added and subsequent calls to PKCS12_pbe_add
     etc are non-op.
     [Steve Henson]

 Changes between 0.9.8n and 0.9.8o [01 Jun 2010]

  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
  OpenSSL 1.0.0.]
  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
     access or freeing data twice (CVE-2010-0742)
     [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>]

  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
     common in certificates and some applications which only call
     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
     [Steve Henson]

  *) VMS fixes: 
     Reduce copying into .apps and .test in makevms.com
     Don't try to use blank CA certificate in CA.com
     Allow use of C files from original directories in maketests.com
     [Steven M. Schweda" <sms@antinode.info>]

 Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley <agl@chromium.org>]
  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger <thoger@redhat.com>]
 Changes between 0.9.8l and 0.9.8m [25 Feb 2010]

  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
     [Martin Olsson, Neel Mehta]
Bodo Möller's avatar
Bodo Möller committed

  *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
     accommodate for stack sorting, always a write lock!).
     [Bodo Moeller]
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) On some versions of WIN32 Heap32Next is very slow. This can cause
     excessive delays in the RAND_poll(): over a minute. As a workaround
     include a time check in the inner Heap32Next loop too.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) The code that handled flushing of data in SSL/TLS originally used the
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
     the problem outlined in PR#1949. The fix suggested there however can
     trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
     of Apache). So instead simplify the code to flush unconditionally.
     This should be fine since flushing with no data to flush is a no op.
     [Steve Henson]

  *) Handle TLS versions 2.0 and later properly and correctly use the
     highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
     off ancient servers have a habit of sticking around for a while...
     [Steve Henson]

  *) Modify compression code so it frees up structures without using the
     ex_data callbacks. This works around a problem where some applications
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
     restarting) then use compression (e.g. SSL with compression) later.
     This results in significant per-connection memory leaks and
     has caused some security issues including CVE-2008-1678 and
     CVE-2009-4355.
     [Steve Henson]

  *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
     change when encrypting or decrypting.
     [Bodo Moeller]

  *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
     connect and renegotiate with servers which do not support RI.
     Until RI is more widely deployed this option is enabled by default.
     [Steve Henson]

  *) Add "missing" ssl ctrls to clear options and mode.
     [Steve Henson]

  *) If client attempts to renegotiate and doesn't support RI respond with
     a no_renegotiation alert as required by RFC5746.  Some renegotiating
     TLS clients will continue a connection gracefully when they receive
     the alert. Unfortunately OpenSSL mishandled this alert and would hang
     waiting for a server hello which it will never receive. Now we treat a
     received no_renegotiation alert as a fatal error. This is because
     applications requesting a renegotiation might well expect it to succeed
     and would have no code in place to handle the server denying it so the
     only safe thing to do is to terminate the connection.
  *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
     peer supports secure renegotiation and 0 otherwise. Print out peer
     renegotiation support in s_client/s_server.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Replace the highly broken and deprecated SPKAC certification method with
     the updated NID creation version. This should correctly handle UTF8.
     [Steve Henson]

  *) Implement RFC5746. Re-enable renegotiation but require the extension
     as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     turns out to be a bad idea. It has been replaced by
     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
     SSL_CTX_set_options(). This is really not recommended unless you
     know what you are doing.
     [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
  *) Fixes to stateless session resumption handling. Use initial_ctx when
     issuing and attempting to decrypt tickets in case it has changed during
     servername handling. Use a non-zero length session ID when attempting
     stateless session resumption: this makes it possible to determine if
     a resumption has occurred immediately after receiving server hello
     (several places in OpenSSL subtly assume this) instead of later in
     the handshake.
     [Steve Henson]

  *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
     CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
     fixes for a few places where the return code is not checked
     correctly.
     [Julia Lawall <julia@diku.dk>]

  *) Add --strict-warnings option to Configure script to include devteam
     warnings in other configurations.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Add support for --libdir option and LIBDIR variable in makefiles. This
     makes it possible to install openssl libraries in locations which
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     have names other than "lib", for example "/usr/lib64" which some
     systems need.
     [Steve Henson, based on patch from Jeremy Utley]

  *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
     X690 8.9.12 and can produce some misleading textual output of OIDs.
     [Steve Henson, reported by Dan Kaminsky]

  *) Delete MD2 from algorithm tables. This follows the recommendation in
     several standards that it is not used in new applications due to
     several cryptographic weaknesses. For binary compatibility reasons
     the MD2 API is still compiled in by default.
     [Steve Henson]

  *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
     and restored.
     [Steve Henson]

  *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
     OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
     clash.
     [Guenter <lists@gknw.net>]

  *) Fix the server certificate chain building code to use X509_verify_cert(),
     it used to have an ad-hoc builder which was unable to cope with anything
     other than a simple chain.
     [David Woodhouse <dwmw2@infradead.org>, Steve Henson]

  *) Don't check self signed certificate signatures in X509_verify_cert()
     by default (a flag can override this): it just wastes time without
     adding any security. As a useful side effect self signed root CAs
     with non-FIPS digests are now usable in FIPS mode.
     [Steve Henson]

  *) In dtls1_process_out_of_seq_message() the check if the current message
     is already buffered was missing. For every new message was memory
     allocated, allowing an attacker to perform an denial of service attack
     with sending out of seq handshake messages until there is no memory
     left. Additionally every future messege was buffered, even if the
     sequence number made no sense and would be part of another handshake.
     So only messages with sequence numbers less than 10 in advance will be
     [Robin Seggelmann, discovered by Daniel Mentz] 	

  *) Records are buffered if they arrive with a future epoch to be
     processed after finishing the corresponding handshake. There is
     currently no limitation to this buffer allowing an attacker to perform
     a DOS attack with sending records with future epochs until there is no
     memory left. This patch adds the pqueue_size() function to determine
     the size of a buffer and limits the record buffer to 100 entries.
     [Robin Seggelmann, discovered by Daniel Mentz] 	

  *) Keep a copy of frag->msg_header.frag_len so it can be used after the
     parent structure is freed.  (CVE-2009-1379)
  *) Handle non-blocking I/O properly in SSL_shutdown() call.
     [Darryl Miles <darryl-mailinglists@netbauds.net>]

  *) Add 2.5.4.* OIDs
     [Ilya O. <vrghost@gmail.com>]

 Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]

  *) Disable renegotiation completely - this fixes a severe security
     problem (CVE-2009-3555) at the cost of breaking all
     renegotiation. Renegotiation can be re-enabled by setting
     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
     run-time. This is really not recommended unless you know what
     you're doing.
     [Ben Laurie]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
 Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
  *) Don't set val to NULL when freeing up structures, it is freed up by
     underlying code. If sizeof(void *) > sizeof(long) this can result in
     zeroing past the valid field. (CVE-2009-0789)
     [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]

  *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
     checked correctly. This would allow some invalid signed attributes to
     appear to verify correctly. (CVE-2009-0591)
     [Ivan Nestlerode <inestlerode@us.ibm.com>]

  *) Reject UniversalString and BMPString types with invalid lengths. This
     prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
     a legal length. (CVE-2009-0590)
     [Steve Henson]

  *) Set S/MIME signing as the default purpose rather than setting it 
     unconditionally. This allows applications to override it at the store
     level.
     [Steve Henson]

  *) Permit restricted recursion of ASN1 strings. This is needed in practice
     to handle some structures.
     [Steve Henson]

  *) Improve efficiency of mem_gets: don't search whole buffer each time
     for a '\n'
     [Jeremy Shapiro <jnshapir@us.ibm.com>]

  *) New -hex option for openssl rand.
     [Matthieu Herrb]

  *) Print out UTF8String and NumericString when parsing ASN1.
     [Steve Henson]

  *) Support NumericString type for name components.
     [Steve Henson]
Ben Laurie's avatar
Ben Laurie committed
  *) Allow CC in the environment to override the automatically chosen
     compiler. Note that nothing is done to ensure flags work with the
     chosen compiler.
     [Ben Laurie]
 Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]

  *) Properly check EVP_VerifyFinal() and similar return values
     (CVE-2008-5077).
     [Ben Laurie, Bodo Moeller, Google Security Team]
Ben Laurie's avatar
Ben Laurie committed
  *) Enable TLS extensions by default.
     [Ben Laurie]

  *) Allow the CHIL engine to be loaded, whether the application is
     multithreaded or not. (This does not release the developer from the
     obligation to set up the dynamic locking callbacks.)
     [Sander Temme <sander@temme.net>]

  *) Use correct exit code if there is an error in dgst command.
     [Steve Henson; problem pointed out by Roland Dirlewanger]

  *) Tweak Configure so that you need to say "experimental-jpake" to enable
     JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
     [Bodo Moeller]

  *) Add experimental JPAKE support, including demo authentication in
     s_client and s_server.
Ben Laurie's avatar
Ben Laurie committed
     [Ben Laurie]

  *) Set the comparison function in v3_addr_canonize().
     [Rob Austein <sra@hactrn.net>]

Ben Laurie's avatar
Ben Laurie committed
  *) Add support for XMPP STARTTLS in s_client.
     [Philip Paeps <philip@freebsd.org>]

  *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
     to ensure that even with this option, only ciphersuites in the
     server's preference list will be accepted.  (Note that the option
     applies only when resuming a session, so the earlier behavior was
     just about the algorithm choice for symmetric cryptography.)
     [Bodo Moeller]

 Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
  *) Fix NULL pointer dereference if a DTLS server received
     ChangeCipherSpec as first record (CVE-2009-1386).
     [PR #1679]

  *) Fix a state transition in s3_srvr.c and d1_srvr.c
Bodo Möller's avatar
Bodo Möller committed
     (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
     [Nagendra Modadugu]

  *) The fix in 0.9.8c that supposedly got rid of unsafe
     double-checked locking was incomplete for RSA blinding,
     addressing just one layer of what turns out to have been
     doubly unsafe triple-checked locking.

     So now fix this for real by retiring the MONT_HELPER macro
     in crypto/rsa/rsa_eay.c.

     [Bodo Moeller; problem pointed out by Marius Schilder]

  *) Various precautionary measures:

     - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).

     - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
       (NB: This would require knowledge of the secret session ticket key
       to exploit, in which case you'd be SOL either way.)

     - Change bn_nist.c so that it will properly handle input BIGNUMs
       outside the expected range.

     - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
       builds.

     [Neel Mehta, Bodo Moeller]

  *) Allow engines to be "soft loaded" - i.e. optionally don't die if
     the load fails. Useful for distros.
     [Ben Laurie and the FreeBSD team]

  *) Add support for Local Machine Keyset attribute in PKCS#12 files.
     [Steve Henson]

  *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
     [Huang Ying]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Expand ENGINE to support engine supplied SSL client certificate functions.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed

     This work was sponsored by Logica.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
     keystores. Support for SSL/TLS client authentication too.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     Not compiled unless enable-capieng specified to Configure.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed

     This work was sponsored by Logica.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     [Steve Henson]

  *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
     ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
     attribute creation routines such as certifcate requests and PKCS#12
Bodo Möller's avatar
Bodo Möller committed
 Changes between 0.9.8g and 0.9.8h  [28 May 2008]
Bodo Möller's avatar
Bodo Möller committed
  *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
     handshake which could lead to a cilent crash as found using the
Bodo Möller's avatar
Bodo Möller committed
     Codenomicon TLS test suite (CVE-2008-1672) 
     [Steve Henson, Mark Cox]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix double free in TLS server name extensions which could lead to
     a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 
     [Joe Orton]