aboutsummaryrefslogtreecommitdiffstats
path: root/CHANGES
diff options
context:
space:
mode:
Diffstat (limited to 'CHANGES')
-rw-r--r--CHANGES2539
1 files changed, 2047 insertions, 492 deletions
diff --git a/CHANGES b/CHANGES
index cc142508b9a4..0d66a556b7b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,540 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
+ Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
+
+ *) Add a new ClientHello callback. Provides a callback interface that gives
+ the application the ability to adjust the nascent SSL object at the
+ earliest stage of ClientHello processing, immediately after extensions have
+ been collected but before they have been processed. In particular, this
+ callback can adjust the supported TLS versions in response to the contents
+ of the ClientHello
+ [Benjamin Kaduk]
+
+ *) Add SM2 base algorithm support.
+ [Jack Lloyd]
+
+ *) s390x assembly pack: add (improved) hardware-support for the following
+ cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
+ aes-cfb/cfb8, aes-ecb.
+ [Patrick Steuer]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for prime curves. The new implementation is based on formulae from
+ differential addition-and-doubling in homogeneous projective coordinates
+ from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
+ against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
+ and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
+ to work in projective coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
+ moving between systems, and to avoid confusion when a Windows build is
+ done with mingw vs with MSVC. For POSIX installs, there's still a
+ symlink or copy named 'tsget' to avoid that confusion as well.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for binary curves. The new implementation is based on formulae from
+ differential addition-and-doubling in mixed Lopez-Dahab projective
+ coordinates, modified to independently blind the operands.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Add a scaffold to optionally enhance the Montgomery ladder implementation
+ for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
+ EC_METHODs to implement their own specialized "ladder step", to take
+ advantage of more favorable coordinate systems or more efficient
+ differential addition-and-doubling algorithms.
+ [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
+
+ *) Modified the random device based seed sources to keep the relevant
+ file descriptors open rather than reopening them on each access.
+ This allows such sources to operate in a chroot() jail without
+ the associated device nodes being available. This behaviour can be
+ controlled using RAND_keep_random_devices_open().
+ [Paul Dale]
+
+ *) Numerous side-channel attack mitigations have been applied. This may have
+ performance impacts for some algorithms for the benefit of improved
+ security. Specific changes are noted in this change log by their respective
+ authors.
+ [Matt Caswell]
+
+ *) AIX shared library support overhaul. Switch to AIX "natural" way of
+ handling shared libraries, which means collecting shared objects of
+ different versions and bitnesses in one common archive. This allows to
+ mitigate conflict between 1.0 and 1.1 side-by-side installations. It
+ doesn't affect the way 3rd party applications are linked, only how
+ multi-version installation is managed.
+ [Andy Polyakov]
+
+ *) Make ec_group_do_inverse_ord() more robust and available to other
+ EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
+ mitigations are applied to the fallback BN_mod_inverse().
+ When using this function rather than BN_mod_inverse() directly, new
+ EC cryptosystem implementations are then safer-by-default.
+ [Billy Bob Brumley]
+
+ *) Add coordinate blinding for EC_POINT and implement projective
+ coordinate blinding for generic prime curves as a countermeasure to
+ chosen point SCA attacks.
+ [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) Enforce checking in the pkeyutl command line app to ensure that the input
+ length does not exceed the maximum supported digest length when performing
+ a sign, verify or verifyrecover operation.
+ [Matt Caswell]
+
+ *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
+ I/O in combination with something like select() or poll() will hang. This
+ can be turned off again using SSL_CTX_clear_mode().
+ Many applications do not properly handle non-application data records, and
+ TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
+ around the problems in those applications, but can also break some.
+ It's recommended to read the manpages about SSL_read(), SSL_write(),
+ SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
+ SSL_CTX_set_read_ahead() again.
+ [Kurt Roeckx]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Apply blinding to binary field modular inversion and remove patent
+ pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
+ [Billy Bob Brumley]
+
+ *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
+ binary and prime elliptic curves.
+ [Billy Bob Brumley]
+
+ *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
+ constant time fixed point multiplication.
+ [Billy Bob Brumley]
+
+ *) Revise elliptic curve scalar multiplication with timing attack
+ defenses: ec_wNAF_mul redirects to a constant time implementation
+ when computing fixed point and variable point multiplication (which
+ in OpenSSL are mostly used with secret scalars in keygen, sign,
+ ECDH derive operations).
+ [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
+ Sohaib ul Hassan]
+
+ *) Updated CONTRIBUTING
+ [Rich Salz]
+
+ *) Updated DRBG / RAND to request nonce and additional low entropy
+ randomness from the system.
+ [Matthias St. Pierre]
+
+ *) Updated 'openssl rehash' to use OpenSSL consistent default.
+ [Richard Levitte]
+
+ *) Moved the load of the ssl_conf module to libcrypto, which helps
+ loading engines that libssl uses before libssl is initialised.
+ [Matt Caswell]
+
+ *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
+ [Matt Caswell]
+
+ *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
+ [Ingo Schwarze, Rich Salz]
+
+ *) Added output of accepting IP address and port for 'openssl s_server'
+ [Richard Levitte]
+
+ *) Added a new API for TLSv1.3 ciphersuites:
+ SSL_CTX_set_ciphersuites()
+ SSL_set_ciphersuites()
+ [Matt Caswell]
+
+ *) Memory allocation failures consistenly add an error to the error
+ stack.
+ [Rich Salz]
+
+ *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
+ in libcrypto when run as setuid/setgid.
+ [Bernd Edlinger]
+
+ *) Load any config file by default when libssl is used.
+ [Matt Caswell]
+
+ *) Added new public header file <openssl/rand_drbg.h> and documentation
+ for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
+ [Matthias St. Pierre]
+
+ *) QNX support removed (cannot find contributors to get their approval
+ for the license change).
+ [Rich Salz]
+
+ *) TLSv1.3 replay protection for early data has been implemented. See the
+ SSL_read_early_data() man page for further details.
+ [Matt Caswell]
+
+ *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
+ configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
+ below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
+ In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
+ would otherwise inadvertently disable all TLSv1.3 ciphersuites the
+ configuration has been separated out. See the ciphers man page or the
+ SSL_CTX_set_ciphersuites() man page for more information.
+ [Matt Caswell]
+
+ *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
+ in responder mode now supports the new "-multi" option, which
+ spawns the specified number of child processes to handle OCSP
+ requests. The "-timeout" option now also limits the OCSP
+ responder's patience to wait to receive the full client request
+ on a newly accepted connection. Child processes are respawned
+ as needed, and the CA index file is automatically reloaded
+ when changed. This makes it possible to run the "ocsp" responder
+ as a long-running service, making the OpenSSL CA somewhat more
+ feature-complete. In this mode, most diagnostic messages logged
+ after entering the event loop are logged via syslog(3) rather than
+ written to stderr.
+ [Viktor Dukhovni]
+
+ *) Added support for X448 and Ed448. Heavily based on original work by
+ Mike Hamburg.
+ [Matt Caswell]
+
+ *) Extend OSSL_STORE with capabilities to search and to narrow the set of
+ objects loaded. This adds the functions OSSL_STORE_expect() and
+ OSSL_STORE_find() as well as needed tools to construct searches and
+ get the search data out of them.
+ [Richard Levitte]
+
+ *) Support for TLSv1.3 added. Note that users upgrading from an earlier
+ version of OpenSSL should review their configuration settings to ensure
+ that they are still appropriate for TLSv1.3. For further information see:
+ https://wiki.openssl.org/index.php/TLS1.3
+ [Matt Caswell]
+
+ *) Grand redesign of the OpenSSL random generator
+
+ The default RAND method now utilizes an AES-CTR DRBG according to
+ NIST standard SP 800-90Ar1. The new random generator is essentially
+ a port of the default random generator from the OpenSSL FIPS 2.0
+ object module. It is a hybrid deterministic random bit generator
+ using an AES-CTR bit stream and which seeds and reseeds itself
+ automatically using trusted system entropy sources.
+
+ Some of its new features are:
+ o Support for multiple DRBG instances with seed chaining.
+ o The default RAND method makes use of a DRBG.
+ o There is a public and private DRBG instance.
+ o The DRBG instances are fork-safe.
+ o Keep all global DRBG instances on the secure heap if it is enabled.
+ o The public and private DRBG instance are per thread for lock free
+ operation
+ [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
+
+ *) Changed Configure so it only says what it does and doesn't dump
+ so much data. Instead, ./configdata.pm should be used as a script
+ to display all sorts of configuration data.
+ [Richard Levitte]
+
+ *) Added processing of "make variables" to Configure.
+ [Richard Levitte]
+
+ *) Added SHA512/224 and SHA512/256 algorithm support.
+ [Paul Dale]
+
+ *) The last traces of Netware support, first removed in 1.1.0, have
+ now been removed.
+ [Rich Salz]
+
+ *) Get rid of Makefile.shared, and in the process, make the processing
+ of certain files (rc.obj, or the .def/.map/.opt files produced from
+ the ordinal files) more visible and hopefully easier to trace and
+ debug (or make silent).
+ [Richard Levitte]
+
+ *) Make it possible to have environment variable assignments as
+ arguments to config / Configure.
+ [Richard Levitte]
+
+ *) Add multi-prime RSA (RFC 8017) support.
+ [Paul Yang]
+
+ *) Add SM3 implemented according to GB/T 32905-2016
+ [ Jack Lloyd <jack.lloyd@ribose.com>,
+ Ronald Tse <ronald.tse@ribose.com>,
+ Erick Borsboom <erick.borsboom@ribose.com> ]
+
+ *) Add 'Maximum Fragment Length' TLS extension negotiation and support
+ as documented in RFC6066.
+ Based on a patch from Tomasz Moń
+ [Filipe Raimundo da Silva]
+
+ *) Add SM4 implemented according to GB/T 32907-2016.
+ [ Jack Lloyd <jack.lloyd@ribose.com>,
+ Ronald Tse <ronald.tse@ribose.com>,
+ Erick Borsboom <erick.borsboom@ribose.com> ]
+
+ *) Reimplement -newreq-nodes and ERR_error_string_n; the
+ original author does not agree with the license change.
+ [Rich Salz]
+
+ *) Add ARIA AEAD TLS support.
+ [Jon Spillett]
+
+ *) Some macro definitions to support VS6 have been removed. Visual
+ Studio 6 has not worked since 1.1.0
+ [Rich Salz]
+
+ *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
+ without clearing the errors.
+ [Richard Levitte]
+
+ *) Add "atfork" functions. If building on a system that without
+ pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
+ requirements. The RAND facility now uses/requires this.
+ [Rich Salz]
+
+ *) Add SHA3.
+ [Andy Polyakov]
+
+ *) The UI API becomes a permanent and integral part of libcrypto, i.e.
+ not possible to disable entirely. However, it's still possible to
+ disable the console reading UI method, UI_OpenSSL() (use UI_null()
+ as a fallback).
+
+ To disable, configure with 'no-ui-console'. 'no-ui' is still
+ possible to use as an alias. Check at compile time with the
+ macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
+ possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
+ [Richard Levitte]
+
+ *) Add a STORE module, which implements a uniform and URI based reader of
+ stores that can contain keys, certificates, CRLs and numerous other
+ objects. The main API is loosely based on a few stdio functions,
+ and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
+ OSSL_STORE_error and OSSL_STORE_close.
+ The implementation uses backends called "loaders" to implement arbitrary
+ URI schemes. There is one built in "loader" for the 'file' scheme.
+ [Richard Levitte]
+
+ *) Add devcrypto engine. This has been implemented against cryptodev-linux,
+ then adjusted to work on FreeBSD 8.4 as well.
+ Enable by configuring with 'enable-devcryptoeng'. This is done by default
+ on BSD implementations, as cryptodev.h is assumed to exist on all of them.
+ [Richard Levitte]
+
+ *) Module names can prefixed with OSSL_ or OPENSSL_. This affects
+ util/mkerr.pl, which is adapted to allow those prefixes, leading to
+ error code calls like this:
+
+ OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
+
+ With this change, we claim the namespaces OSSL and OPENSSL in a manner
+ that can be encoded in C. For the foreseeable future, this will only
+ affect new modules.
+ [Richard Levitte and Tim Hudson]
+
+ *) Removed BSD cryptodev engine.
+ [Rich Salz]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) In the UI interface, make it possible to duplicate the user data. This
+ can be used by engines that need to retain the data for a longer time
+ than just the call where this user data is passed.
+ [Richard Levitte]
+
+ *) Ignore the '-named_curve auto' value for compatibility of applications
+ with OpenSSL 1.0.2.
+ [Tomas Mraz <tmraz@fedoraproject.org>]
+
+ *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
+ bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
+ alerts across multiple records (some of which could be empty). In practice
+ it make no sense to send an empty alert record, or to fragment one. TLSv1.3
+ prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ support this at all. Supporting it adds significant complexity to the
+ record layer, and its removal is unlikely to cause inter-operability
+ issues.
+ [Matt Caswell]
+
+ *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
+ with Z. These are meant to replace LONG and ZLONG and to be size safe.
+ The use of LONG and ZLONG is discouraged and scheduled for deprecation
+ in OpenSSL 1.2.0.
+ [Richard Levitte]
+
+ *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
+ 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
+ [Richard Levitte, Andy Polyakov]
+
+ *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
+ does for RSA, etc.
+ [Richard Levitte]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
+ success if they are asked to add an object which already exists
+ in the store. This change cascades to other functions which load
+ certificates and CRLs.
+ [Paul Dale]
+
+ *) x86_64 assembly pack: annotate code with DWARF CFI directives to
+ facilitate stack unwinding even from assembly subroutines.
+ [Andy Polyakov]
+
+ *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
+ Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
+ [Richard Levitte]
+
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Add support for ARIA
+ [Paul Dale]
+
+ *) s_client will now send the Server Name Indication (SNI) extension by
+ default unless the new "-noservername" option is used. The server name is
+ based on the host provided to the "-connect" option unless overridden by
+ using "-servername".
+ [Matt Caswell]
+
+ *) Add support for SipHash
+ [Todd Short]
+
+ *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
+ [Matt Caswell]
+
+ *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
+ using the algorithm defined in
+ https://www.akkadia.org/drepper/SHA-crypt.txt
+ [Richard Levitte]
+
+ *) Heartbeat support has been removed; the ABI is changed for now.
+ [Richard Levitte, Rich Salz]
+
+ *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
+ [Emilia Käsper]
+
+ *) The RSA "null" method, which was partially supported to avoid patent
+ issues, has been replaced to always returns NULL.
+ [Rich Salz]
+
+
+ Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
+
+ *) Client DoS due to large DH parameter
+
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
+
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ (CVE-2018-0732)
+ [Guido Vranken]
+
+ *) Cache timing vulnerability in RSA Key Generation
+
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
+
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ (CVE-2018-0737)
+ [Billy Brumley]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
+ line terminators to CRLF and removes additional trailing line terminators
+ at the end of a file. A bug in the canonicalisation process meant that
+ some characters, such as form-feed, were incorrectly treated as whitespace
+ and removed. This is contrary to the specification (RFC5485). This fix
+ could mean that detached text data signed with an earlier version of
+ OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+ signed with a fixed OpenSSL may fail to verify with an earlier version of
+ OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+ and use the "-binary" flag (for the "cms" command line application) or set
+ the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+ [Matt Caswell]
+
+ Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
@@ -22,30 +555,43 @@
(CVE-2018-0739)
[Matt Caswell]
- Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
+ *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
+
+ Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
+ effectively reduced to only comparing the least significant bit of each
+ byte. This allows an attacker to forge messages that would be considered as
+ authenticated in an amount of tries lower than that guaranteed by the
+ security claims of the scheme. The module can only be compiled by the
+ HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
+
+ This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
+ (IBM).
+ (CVE-2018-0733)
+ [Andy Polyakov]
- *) Read/write after SSL object in error state
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
- OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
- mechanism. The intent was that if a fatal error occurred during a handshake
- then OpenSSL would move into the error state and would immediately fail if
- you attempted to continue the handshake. This works as designed for the
- explicit handshake functions (SSL_do_handshake(), SSL_accept() and
- SSL_connect()), however due to a bug it does not work correctly if
- SSL_read() or SSL_write() is called directly. In that scenario, if the
- handshake fails then a fatal error will be returned in the initial function
- call. If SSL_read()/SSL_write() is subsequently called by the application
- for the same SSL object then it will succeed and the data is passed without
- being decrypted/encrypted directly from the SSL/TLS record layer.
+ *) Backport SSL_OP_NO_RENGOTIATION
- In order to exploit this issue an application bug would have to be present
- that resulted in a call to SSL_read()/SSL_write() being issued after having
- already received a fatal error.
+ OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
+ (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
+ changes this is no longer possible in 1.1.0. Therefore the new
+ SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
+ 1.1.0 to provide equivalent functionality.
- This issue was reported to OpenSSL by David Benjamin (Google).
- (CVE-2017-3737)
+ Note that if an application built against 1.1.0h headers (or above) is run
+ using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
+ accepted but nothing will happen, i.e. renegotiation will not be prevented.
[Matt Caswell]
+ *) Removed the OS390-Unix config target. It relied on a script that doesn't
+ exist.
+ [Rich Salz]
+
*) rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure
@@ -67,7 +613,7 @@
(CVE-2017-3738)
[Andy Polyakov]
- Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
+ Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
*) bn_sqrx8x_internal carry bug on x86_64
@@ -100,13 +646,31 @@
(CVE-2017-3735)
[Rich Salz]
- Changes between 1.0.2k and 1.0.2l [25 May 2017]
+ Changes between 1.1.0e and 1.1.0f [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
- Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
+ Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
+
+ *) Encrypt-Then-Mac renegotiation crash
+
+ During a renegotiation handshake if the Encrypt-Then-Mac extension is
+ negotiated where it was not in the original handshake (or vice-versa) then
+ this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
+ and servers are affected.
+
+ This issue was reported to OpenSSL by Joe Orton (Red Hat).
+ (CVE-2017-3733)
+ [Matt Caswell]
+
+ Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
*) Truncated packet could crash via OOB read
@@ -118,6 +682,17 @@
(CVE-2017-3731)
[Andy Polyakov]
+ *) Bad (EC)DHE parameters cause a client crash
+
+ If a malicious server supplies bad parameters for a DHE or ECDHE key
+ exchange then this can result in the client attempting to dereference a
+ NULL pointer leading to a client crash. This could be exploited in a Denial
+ of Service attack.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ (CVE-2017-3730)
+ [Matt Caswell]
+
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
@@ -138,6 +713,31 @@
(CVE-2017-3732)
[Andy Polyakov]
+ Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
+
+ *) ChaCha20/Poly1305 heap-buffer-overflow
+
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+
+ This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
+ (CVE-2016-7054)
+ [Richard Levitte]
+
+ *) CMS Null dereference
+
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
+ type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
+ structure callback if an attempt is made to free certain invalid encodings.
+ Only CHOICE structures using a callback which do not handle NULL value are
+ affected.
+
+ This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
+ (CVE-2016-7053)
+ [Stephen Henson]
+
*) Montgomery multiplication may produce incorrect results
There is a carry propagating bug in the Broadwell-specific Montgomery
@@ -161,25 +761,28 @@
(CVE-2016-7055)
[Andy Polyakov]
- *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
- or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
- prevent issues where no progress is being made and the peer continually
- sends unrecognised record types, using up resources processing them.
- [Matt Caswell]
+ *) Removed automatic addition of RPATH in shared libraries and executables,
+ as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
+ [Richard Levitte]
- Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
- *) Missing CRL sanity check
+ *) Fix Use After Free for large message sizes
- A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
- but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
- CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to
+ store the incoming message is reallocated and moved. Unfortunately a
+ dangling pointer to the old location is left which results in an attempt to
+ write to the previously freed location. This is likely to result in a
+ crash, however it could potentially lead to execution of arbitrary code.
- This issue only affects the OpenSSL 1.0.2i
- (CVE-2016-7052)
+ This issue only affects OpenSSL 1.1.0a.
+
+ This issue was reported to OpenSSL by Robert Święcki.
+ (CVE-2016-6309)
[Matt Caswell]
- Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
+ Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
*) OCSP Status Request extension unbounded memory growth
@@ -195,149 +798,1129 @@
(CVE-2016-6304)
[Matt Caswell]
- *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
- HIGH to MEDIUM.
+ *) SSL_peek() hang on empty record
- This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
- Leurent (INRIA)
- (CVE-2016-2183)
- [Rich Salz]
+ OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
+ sends an empty record. This could be exploited by a malicious peer in a
+ Denial Of Service attack.
- *) OOB write in MDC2_Update()
+ This issue was reported to OpenSSL by Alex Gaynor.
+ (CVE-2016-6305)
+ [Matt Caswell]
- An overflow can occur in MDC2_Update() either if called directly or
- through the EVP_DigestUpdate() function using MDC2. If an attacker
- is able to supply very large amounts of input data after a previous
- call to EVP_EncryptUpdate() with a partial block then a length check
- can overflow resulting in a heap corruption.
+ *) Excessive allocation of memory in tls_get_message_header() and
+ dtls1_preprocess_fragment()
+
+ A (D)TLS message includes 3 bytes for its length in the header for the
+ message. This would allow for messages up to 16Mb in length. Messages of
+ this length are excessive and OpenSSL includes a check to ensure that a
+ peer is sending reasonably sized messages in order to avoid too much memory
+ being consumed to service a connection. A flaw in the logic of version
+ 1.1.0 means that memory for the message is allocated too early, prior to
+ the excessive message length check. Due to way memory is allocated in
+ OpenSSL this could mean an attacker could force up to 21Mb to be allocated
+ to service a connection. This could lead to a Denial of Service through
+ memory exhaustion. However, the excessive message length check still takes
+ place, and this would cause the connection to immediately fail. Assuming
+ that the application calls SSL_free() on the failed connection in a timely
+ manner then the 21Mb of allocated memory will then be immediately freed
+ again. Therefore the excessive memory allocation will be transitory in
+ nature. This then means that there is only a security impact if:
+
+ 1) The application does not call SSL_free() in a timely manner in the event
+ that the connection fails
+ or
+ 2) The application is working in a constrained environment where there is
+ very little free memory
+ or
+ 3) The attacker initiates multiple connection attempts such that there are
+ multiple connections in a state where memory has been allocated for the
+ connection; SSL_free() has not yet been called; and there is insufficient
+ memory to service the multiple requests.
- The amount of data needed is comparable to SIZE_MAX which is impractical
- on most platforms.
+ Except in the instance of (1) above any Denial Of Service is likely to be
+ transitory because as soon as the connection fails the memory is
+ subsequently freed again in the SSL_free() call. However there is an
+ increased risk during this period of application crashes due to the lack of
+ memory - which would then mean a more serious Denial of Service.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-6303)
- [Stephen Henson]
+ (CVE-2016-6307 and CVE-2016-6308)
+ [Matt Caswell]
- *) Malformed SHA512 ticket DoS
+ *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
+ had to be removed. Primary reason is that vendor assembler can't
+ assemble our modules with -KPIC flag. As result it, assembly
+ support, was not even available as option. But its lack means
+ lack of side-channel resistant code, which is incompatible with
+ security by todays standards. Fortunately gcc is readily available
+ prepackaged option, which we firmly point at...
+ [Andy Polyakov]
- If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
- DoS attack where a malformed ticket will result in an OOB read which will
- ultimately crash.
+ Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
- The use of SHA512 in TLS session tickets is comparatively rare as it requires
- a custom server callback and ticket lookup mechanism.
+ *) Windows command-line tool supports UTF-8 opt-in option for arguments
+ and console input. Setting OPENSSL_WIN32_UTF8 environment variable
+ (to any value) allows Windows user to access PKCS#12 file generated
+ with Windows CryptoAPI and protected with non-ASCII password, as well
+ as files generated under UTF-8 locale on Linux also protected with
+ non-ASCII password.
+ [Andy Polyakov]
- This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-6302)
- [Stephen Henson]
+ *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
+ have been disabled by default and removed from DEFAULT, just like RC4.
+ See the RC4 item below to re-enable both.
+ [Rich Salz]
- *) OOB write in BN_bn2dec()
+ *) The method for finding the storage location for the Windows RAND seed file
+ has changed. First we check %RANDFILE%. If that is not set then we check
+ the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
+ all else fails we fall back to C:\.
+ [Matt Caswell]
- The function BN_bn2dec() does not check the return value of BN_div_word().
- This can cause an OOB write if an application uses this function with an
- overly large BIGNUM. This could be a problem if an overly large certificate
- or CRL is printed out from an untrusted source. TLS is not affected because
- record limits will reject an oversized certificate before it is parsed.
+ *) The EVP_EncryptUpdate() function has had its return type changed from void
+ to int. A return of 0 indicates and error while a return of 1 indicates
+ success.
+ [Matt Caswell]
- This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-2182)
- [Stephen Henson]
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
- *) OOB read in TS_OBJ_print_bio()
+ *) Windows RAND implementation was simplified to only get entropy by
+ calling CryptGenRandom(). Various other RAND-related tickets
+ were also closed.
+ [Joseph Wylie Yandle, Rich Salz]
- The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
- the total length the OID text representation would use and not the amount
- of data written. This will result in OOB reads when large OIDs are
- presented.
+ *) The stack and lhash API's were renamed to start with OPENSSL_SK_
+ and OPENSSL_LH_, respectively. The old names are available
+ with API compatibility. They new names are now completely documented.
+ [Rich Salz]
- This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-2180)
- [Stephen Henson]
+ *) Unify TYPE_up_ref(obj) methods signature.
+ SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
+ X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
+ int (instead of void) like all others TYPE_up_ref() methods.
+ So now these methods also check the return value of CRYPTO_atomic_add(),
+ and the validity of object reference counter.
+ [fdasilvayy@gmail.com]
+
+ *) With Windows Visual Studio builds, the .pdb files are installed
+ alongside the installed libraries and executables. For a static
+ library installation, ossl_static.pdb is the associate compiler
+ generated .pdb file to be used when linking programs.
+ [Richard Levitte]
+
+ *) Remove openssl.spec. Packaging files belong with the packagers.
+ [Richard Levitte]
+
+ *) Automatic Darwin/OSX configuration has had a refresh, it will now
+ recognise x86_64 architectures automatically. You can still decide
+ to build for a different bitness with the environment variable
+ KERNEL_BITS (can be 32 or 64), for example:
+
+ KERNEL_BITS=32 ./config
+
+ [Richard Levitte]
- *) Pointer arithmetic undefined behaviour
+ *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+ 256 bit AES and HMAC with SHA256.
+ [Steve Henson]
- Avoid some undefined pointer arithmetic
+ *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
+ [Andy Polyakov]
- A common idiom in the codebase is to check limits in the following manner:
- "p + len > limit"
+ *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
+ [Rich Salz]
- Where "p" points to some malloc'd data of SIZE bytes and
- limit == p + SIZE
+ *) To enable users to have their own config files and build file templates,
+ Configure looks in the directory indicated by the environment variable
+ OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
+ directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
+ name and is used as is.
+ [Richard Levitte]
- "len" here could be from some externally supplied data (e.g. from a TLS
- message).
+ *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
+ X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
+ X509_CERT_FILE_CTX was removed.
+ [Rich Salz]
- The rules of C pointer arithmetic are such that "p + len" is only well
- defined where len <= SIZE. Therefore the above idiom is actually
- undefined behaviour.
+ *) "shared" builds are now the default. To create only static libraries use
+ the "no-shared" Configure option.
+ [Matt Caswell]
- For example this could cause problems if some malloc implementation
- provides an address for "p" such that "p + len" actually overflows for
- values of len that are too big and therefore p + len < limit.
+ *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
+ All of these option have not worked for some while and are fundamental
+ algorithms.
+ [Matt Caswell]
- This issue was reported to OpenSSL by Guido Vranken
- (CVE-2016-2177)
+ *) Make various cleanup routines no-ops and mark them as deprecated. Most
+ global cleanup functions are no longer required because they are handled
+ via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
+ Explicitly de-initing can cause problems (e.g. where a library that uses
+ OpenSSL de-inits, but an application is still using it). The affected
+ functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
+ EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
+ RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
+ COMP_zlib_cleanup().
[Matt Caswell]
- *) Constant time flag not preserved in DSA signing
-
- Operations in the DSA signing algorithm should run in constant time in
- order to avoid side channel attacks. A flaw in the OpenSSL DSA
- implementation means that a non-constant time codepath is followed for
- certain operations. This has been demonstrated through a cache-timing
- attack to be sufficient for an attacker to recover the private DSA key.
-
- This issue was reported by César Pereida (Aalto University), Billy Brumley
- (Tampere University of Technology), and Yuval Yarom (The University of
- Adelaide and NICTA).
- (CVE-2016-2178)
- [César Pereida]
-
- *) DTLS buffered message DoS
-
- In a DTLS connection where handshake messages are delivered out-of-order
- those messages that OpenSSL is not yet ready to process will be buffered
- for later use. Under certain circumstances, a flaw in the logic means that
- those messages do not get removed from the buffer even though the handshake
- has been completed. An attacker could force up to approx. 15 messages to
- remain in the buffer when they are no longer required. These messages will
- be cleared when the DTLS connection is closed. The default maximum size for
- a message is 100k. Therefore the attacker could force an additional 1500k
- to be consumed per connection. By opening many simulataneous connections an
- attacker could cause a DoS attack through memory exhaustion.
-
- This issue was reported to OpenSSL by Quan Luo.
- (CVE-2016-2179)
+ *) --strict-warnings no longer enables runtime debugging options
+ such as REF_DEBUG. Instead, debug options are automatically
+ enabled with '--debug' builds.
+ [Andy Polyakov, Emilia Käsper]
+
+ *) Made DH and DH_METHOD opaque. The structures for managing DH objects
+ have been moved out of the public header files. New functions for managing
+ these have been added.
[Matt Caswell]
- *) DTLS replay protection DoS
+ *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
+ objects have been moved out of the public header files. New
+ functions for managing these have been added.
+ [Richard Levitte]
+
+ *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
+ have been moved out of the public header files. New functions for managing
+ these have been added.
+ [Matt Caswell]
- A flaw in the DTLS replay attack protection mechanism means that records
- that arrive for future epochs update the replay protection "window" before
- the MAC for the record has been validated. This could be exploited by an
- attacker by sending a record for the next epoch (which does not have to
- decrypt or have a valid MAC), with a very large sequence number. This means
- that all subsequent legitimate packets are dropped causing a denial of
- service for a specific DTLS connection.
+ *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
+ moved out of the public header files. New functions for managing these
+ have been added.
+ [Matt Caswell]
- This issue was reported to OpenSSL by the OCAP audit team.
- (CVE-2016-2181)
+ *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
[Matt Caswell]
- *) Certificate message OOB reads
+ *) Removed the mk1mf build scripts.
+ [Richard Levitte]
+
+ *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
+ it is always safe to #include a header now.
+ [Rich Salz]
+
+ *) Removed the aged BC-32 config and all its supporting scripts
+ [Richard Levitte]
- In OpenSSL 1.0.2 and earlier some missing message length checks can result
- in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
- theoretical DoS risk but this has not been observed in practice on common
- platforms.
+ *) Removed support for Ultrix, Netware, and OS/2.
+ [Rich Salz]
- The messages affected are client certificate, client certificate request
- and server certificate. As a result the attack can only be performed
- against a client or a server which enables client authentication.
+ *) Add support for HKDF.
+ [Alessandro Ghedini]
- This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
- (CVE-2016-6306)
- [Stephen Henson]
+ *) Add support for blake2b and blake2s
+ [Bill Cox]
+
+ *) Added support for "pipelining". Ciphers that have the
+ EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
+ encryptions/decryptions simultaneously. There are currently no built-in
+ ciphers with this property but the expectation is that engines will be able
+ to offer it to significantly improve throughput. Support has been extended
+ into libssl so that multiple records for a single connection can be
+ processed in one go (for >=TLS 1.1).
+ [Matt Caswell]
+
+ *) Added the AFALG engine. This is an async capable engine which is able to
+ offload work to the Linux kernel. In this initial version it only supports
+ AES128-CBC. The kernel must be version 4.1.0 or greater.
+ [Catriona Lucey]
+
+ *) OpenSSL now uses a new threading API. It is no longer necessary to
+ set locking callbacks to use OpenSSL in a multi-threaded environment. There
+ are two supported threading models: pthreads and windows threads. It is
+ also possible to configure OpenSSL at compile time for "no-threads". The
+ old threading API should no longer be used. The functions have been
+ replaced with "no-op" compatibility macros.
+ [Alessandro Ghedini, Matt Caswell]
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+
+ *) Add SSL_CIPHER queries for authentication and key-exchange.
+ [Todd Short]
+
+ *) Changes to the DEFAULT cipherlist:
+ - Prefer (EC)DHE handshakes over plain RSA.
+ - Prefer AEAD ciphers over legacy ciphers.
+ - Prefer ECDSA over RSA when both certificates are available.
+ - Prefer TLSv1.2 ciphers/PRF.
+ - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
+ default cipherlist.
+ [Emilia Käsper]
+
+ *) Change the ECC default curve list to be this, in order: x25519,
+ secp256r1, secp521r1, secp384r1.
+ [Rich Salz]
+
+ *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
+ disabled by default. They can be re-enabled using the
+ enable-weak-ssl-ciphers option to Configure.
+ [Matt Caswell]
+
+ *) If the server has ALPN configured, but supports no protocols that the
+ client advertises, send a fatal "no_application_protocol" alert.
+ This behaviour is SHALL in RFC 7301, though it isn't universally
+ implemented by other servers.
+ [Emilia Käsper]
+
+ *) Add X25519 support.
+ Add ASN.1 and EVP_PKEY methods for X25519. This includes support
+ for public and private key encoding using the format documented in
+ draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
+ key generation and key derivation.
+
+ TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
+ X25519(29).
+ [Steve Henson]
+
+ *) Deprecate SRP_VBASE_get_by_user.
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak (CVE-2016-0798),
+ SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+ seed, even if the seed is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ [Emilia Käsper]
+
+ *) Configuration change; it's now possible to build dynamic engines
+ without having to build shared libraries and vice versa. This
+ only applies to the engines in engines/, those in crypto/engine/
+ will always be built into libcrypto (i.e. "static").
+
+ Building dynamic engines is enabled by default; to disable, use
+ the configuration option "disable-dynamic-engine".
+
+ The only requirements for building dynamic engines are the
+ presence of the DSO module and building with position independent
+ code, so they will also automatically be disabled if configuring
+ with "disable-dso" or "disable-pic".
+
+ The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
+ are also taken away from openssl/opensslconf.h, as they are
+ irrelevant.
+ [Richard Levitte]
+
+ *) Configuration change; if there is a known flag to compile
+ position independent code, it will always be applied on the
+ libcrypto and libssl object files, and never on the application
+ object files. This means other libraries that use routines from
+ libcrypto / libssl can be made into shared libraries regardless
+ of how OpenSSL was configured.
+
+ If this isn't desirable, the configuration options "disable-pic"
+ or "no-pic" can be used to disable the use of PIC. This will
+ also disable building shared libraries and dynamic engines.
+ [Richard Levitte]
+
+ *) Removed JPAKE code. It was experimental and has no wide use.
+ [Rich Salz]
+
+ *) The INSTALL_PREFIX Makefile variable has been renamed to
+ DESTDIR. That makes for less confusion on what this variable
+ is for. Also, the configuration option --install_prefix is
+ removed.
+ [Richard Levitte]
+
+ *) Heartbeat for TLS has been removed and is disabled by default
+ for DTLS; configure with enable-heartbeats. Code that uses the
+ old #define's might need to be updated.
+ [Emilia Käsper, Rich Salz]
+
+ *) Rename REF_CHECK to REF_DEBUG.
+ [Rich Salz]
+
+ *) New "unified" build system
+
+ The "unified" build system is aimed to be a common system for all
+ platforms we support. With it comes new support for VMS.
+
+ This system builds supports building in a different directory tree
+ than the source tree. It produces one Makefile (for unix family
+ or lookalikes), or one descrip.mms (for VMS).
+
+ The source of information to make the Makefile / descrip.mms is
+ small files called 'build.info', holding the necessary
+ information for each directory with source to compile, and a
+ template in Configurations, like unix-Makefile.tmpl or
+ descrip.mms.tmpl.
+
+ With this change, the library names were also renamed on Windows
+ and on VMS. They now have names that are closer to the standard
+ on Unix, and include the major version number, and in certain
+ cases, the architecture they are built for. See "Notes on shared
+ libraries" in INSTALL.
+
+ We rely heavily on the perl module Text::Template.
+ [Richard Levitte]
+
+ *) Added support for auto-initialisation and de-initialisation of the library.
+ OpenSSL no longer requires explicit init or deinit routines to be called,
+ except in certain circumstances. See the OPENSSL_init_crypto() and
+ OPENSSL_init_ssl() man pages for further information.
+ [Matt Caswell]
+
+ *) The arguments to the DTLSv1_listen function have changed. Specifically the
+ "peer" argument is now expected to be a BIO_ADDR object.
+
+ *) Rewrite of BIO networking library. The BIO library lacked consistent
+ support of IPv6, and adding it required some more extensive
+ modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
+ which hold all types of addresses and chains of address information.
+ It also introduces a new API, with functions like BIO_socket,
+ BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
+ The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
+ have been adapted accordingly.
+ [Richard Levitte]
+
+ *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+ the leading 0-byte.
+ [Emilia Käsper]
+
+ *) CRIME protection: disable compression by default, even if OpenSSL is
+ compiled with zlib enabled. Applications can still enable compression
+ by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
+ using the SSL_CONF library to configure compression.
+ [Emilia Käsper]
+
+ *) The signature of the session callback configured with
+ SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
+ was explicitly marked as 'const unsigned char*' instead of
+ 'unsigned char*'.
+ [Emilia Käsper]
+
+ *) Always DPURIFY. Remove the use of uninitialized memory in the
+ RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
+ [Emilia Käsper]
+
+ *) Removed many obsolete configuration items, including
+ DES_PTR, DES_RISC1, DES_RISC2, DES_INT
+ MD2_CHAR, MD2_INT, MD2_LONG
+ BF_PTR, BF_PTR2
+ IDEA_SHORT, IDEA_LONG
+ RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
+ [Rich Salz, with advice from Andy Polyakov]
+
+ *) Many BN internals have been moved to an internal header file.
+ [Rich Salz with help from Andy Polyakov]
+
+ *) Configuration and writing out the results from it has changed.
+ Files such as Makefile include/openssl/opensslconf.h and are now
+ produced through general templates, such as Makefile.in and
+ crypto/opensslconf.h.in and some help from the perl module
+ Text::Template.
+
+ Also, the center of configuration information is no longer
+ Makefile. Instead, Configure produces a perl module in
+ configdata.pm which holds most of the config data (in the hash
+ table %config), the target data that comes from the target
+ configuration in one of the Configurations/*.conf files (in
+ %target).
+ [Richard Levitte]
+
+ *) To clarify their intended purposes, the Configure options
+ --prefix and --openssldir change their semantics, and become more
+ straightforward and less interdependent.
+
+ --prefix shall be used exclusively to give the location INSTALLTOP
+ where programs, scripts, libraries, include files and manuals are
+ going to be installed. The default is now /usr/local.
+
+ --openssldir shall be used exclusively to give the default
+ location OPENSSLDIR where certificates, private keys, CRLs are
+ managed. This is also where the default openssl.cnf gets
+ installed.
+ If the directory given with this option is a relative path, the
+ values of both the --prefix value and the --openssldir value will
+ be combined to become OPENSSLDIR.
+ The default for --openssldir is INSTALLTOP/ssl.
+
+ Anyone who uses --openssldir to specify where OpenSSL is to be
+ installed MUST change to use --prefix instead.
+ [Richard Levitte]
+
+ *) The GOST engine was out of date and therefore it has been removed. An up
+ to date GOST engine is now being maintained in an external repository.
+ See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+ support for GOST ciphersuites (these are only activated if a GOST engine
+ is present).
+ [Matt Caswell]
+
+ *) EGD is no longer supported by default; use enable-egd when
+ configuring.
+ [Ben Kaduk and Rich Salz]
+
+ *) The distribution now has Makefile.in files, which are used to
+ create Makefile's when Configure is run. *Configure must be run
+ before trying to build now.*
+ [Rich Salz]
+
+ *) The return value for SSL_CIPHER_description() for error conditions
+ has changed.
+ [Rich Salz]
+
+ *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+ Obtaining and performing DNSSEC validation of TLSA records is
+ the application's responsibility. The application provides
+ the TLSA records of its choice to OpenSSL, and these are then
+ used to authenticate the peer.
+
+ The TLSA records need not even come from DNS. They can, for
+ example, be used to implement local end-entity certificate or
+ trust-anchor "pinning", where the "pin" data takes the form
+ of TLSA records, which can augment or replace verification
+ based on the usual WebPKI public certification authorities.
+ [Viktor Dukhovni]
+
+ *) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
+ continues to support deprecated interfaces in default builds.
+ However, applications are strongly advised to compile their
+ source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+ the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+ or the 1.1.0 releases.
+
+ In environments in which all applications have been ported to
+ not use any deprecated interfaces OpenSSL's Configure script
+ should be used with the --api=1.1.0 option to entirely remove
+ support for the deprecated features from the library and
+ unconditionally disable them in the installed headers.
+ Essentially the same effect can be achieved with the "no-deprecated"
+ argument to Configure, except that this will always restrict
+ the build to just the latest API, rather than a fixed API
+ version.
+
+ As applications are ported to future revisions of the API,
+ they should update their compile-time OPENSSL_API_COMPAT define
+ accordingly, but in most cases should be able to continue to
+ compile with later releases.
+
+ The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+ 0x10000000L and 0x00908000L, respectively. However those
+ versions did not support the OPENSSL_API_COMPAT feature, and
+ so applications are not typically tested for explicit support
+ of just the undeprecated features of either release.
+ [Viktor Dukhovni]
+
+ *) Add support for setting the minimum and maximum supported protocol.
+ It can bet set via the SSL_set_min_proto_version() and
+ SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
+ MaxProtocol. It's recommended to use the new APIs to disable
+ protocols instead of disabling individual protocols using
+ SSL_set_options() or SSL_CONF's Protocol. This change also
+ removes support for disabling TLS 1.2 in the OpenSSL TLS
+ client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
+ [Kurt Roeckx]
+
+ *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
+ [Andy Polyakov]
+
+ *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
+ and integrates ECDSA and ECDH functionality into EC. Implementations can
+ now redirect key generation and no longer need to convert to or from
+ ECDSA_SIG format.
+
+ Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
+ include the ec.h header file instead.
+ [Steve Henson]
+
+ *) Remove support for all 40 and 56 bit ciphers. This includes all the export
+ ciphers who are no longer supported and drops support the ephemeral RSA key
+ exchange. The LOW ciphers currently doesn't have any ciphers in it.
+ [Kurt Roeckx]
+
+ *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
+ opaque. For HMAC_CTX, the following constructors and destructors
+ were added:
+
+ HMAC_CTX *HMAC_CTX_new(void);
+ void HMAC_CTX_free(HMAC_CTX *ctx);
+
+ For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
+ destroy such methods has been added. See EVP_MD_meth_new(3) and
+ EVP_CIPHER_meth_new(3) for documentation.
+
+ Additional changes:
+ 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
+ HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
+ EVP_MD_CTX_reset() should be called instead to reinitialise
+ an already created structure.
+ 2) For consistency with the majority of our object creators and
+ destructors, EVP_MD_CTX_(create|destroy) were renamed to
+ EVP_MD_CTX_(new|free). The old names are retained as macros
+ for deprecated builds.
+ [Richard Levitte]
+
+ *) Added ASYNC support. Libcrypto now includes the async sub-library to enable
+ cryptographic operations to be performed asynchronously as long as an
+ asynchronous capable engine is used. See the ASYNC_start_job() man page for
+ further details. Libssl has also had this capability integrated with the
+ introduction of the new mode SSL_MODE_ASYNC and associated error
+ SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
+ pages. This work was developed in partnership with Intel Corp.
+ [Matt Caswell]
+
+ *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
+ always enabled now. If you want to disable the support you should
+ exclude it using the list of supported ciphers. This also means that the
+ "-no_ecdhe" option has been removed from s_server.
+ [Kurt Roeckx]
+
+ *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
+ SSL_{CTX_}set1_curves() which can set a list.
+ [Kurt Roeckx]
+
+ *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
+ curve you want to support using SSL_{CTX_}set1_curves().
+ [Kurt Roeckx]
+
+ *) State machine rewrite. The state machine code has been significantly
+ refactored in order to remove much duplication of code and solve issues
+ with the old code (see ssl/statem/README for further details). This change
+ does have some associated API changes. Notably the SSL_state() function
+ has been removed and replaced by SSL_get_state which now returns an
+ "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
+ altogether. The previous handshake states defined in ssl.h and ssl3.h have
+ also been removed.
+ [Matt Caswell]
+
+ *) All instances of the string "ssleay" in the public API were replaced
+ with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
+ Some error codes related to internal RSA_eay API's were renamed.
+ [Rich Salz]
+
+ *) The demo files in crypto/threads were moved to demo/threads.
+ [Rich Salz]
+
+ *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
+ sureware and ubsec.
+ [Matt Caswell, Rich Salz]
+
+ *) New ASN.1 embed macro.
+
+ New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
+ structure is not allocated: it is part of the parent. That is instead of
+
+ FOO *x;
+
+ it must be:
+
+ FOO x;
+
+ This reduces memory fragmentation and make it impossible to accidentally
+ set a mandatory field to NULL.
+
+ This currently only works for some fields specifically a SEQUENCE, CHOICE,
+ or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
+ equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
+ SEQUENCE OF.
+ [Steve Henson]
+
+ *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
+ [Emilia Käsper]
+
+ *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
+ in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
+ an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
+ DES and RC4 ciphersuites.
+ [Matt Caswell]
+
+ *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+ [Emilia Käsper]
+
+ *) Fix no-stdio build.
+ [ David Woodhouse <David.Woodhouse@intel.com> and also
+ Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
+
+ *) New testing framework
+ The testing framework has been largely rewritten and is now using
+ perl and the perl modules Test::Harness and an extended variant of
+ Test::More called OpenSSL::Test to do its work. All test scripts in
+ test/ have been rewritten into test recipes, and all direct calls to
+ executables in test/Makefile have become individual recipes using the
+ simplified testing OpenSSL::Test::Simple.
+
+ For documentation on our testing modules, do:
+
+ perldoc test/testlib/OpenSSL/Test/Simple.pm
+ perldoc test/testlib/OpenSSL/Test.pm
+
+ [Richard Levitte]
+
+ *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
+ are used; the latter aborts on memory leaks (usually checked on exit).
+ Some undocumented "set malloc, etc., hooks" functions were removed
+ and others were changed. All are now documented.
+ [Rich Salz]
+
+ *) In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+ [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
+
+ *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
+ from RFC4279, RFC4785, RFC5487, RFC5489.
+
+ Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
+ original RSA_PSK patch.
+ [Steve Henson]
+
+ *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
+ era flag was never set throughout the codebase (only read). Also removed
+ SSL3_FLAGS_POP_BUFFER which was only used if
+ SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
+ [Matt Caswell]
+
+ *) Changed the default name options in the "ca", "crl", "req" and "x509"
+ to be "oneline" instead of "compat".
+ [Richard Levitte]
+
+ *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
+ not aware of clients that still exhibit this bug, and the workaround
+ hasn't been working properly for a while.
+ [Emilia Käsper]
+
+ *) The return type of BIO_number_read() and BIO_number_written() as well as
+ the corresponding num_read and num_write members in the BIO structure has
+ changed from unsigned long to uint64_t. On platforms where an unsigned
+ long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
+ transferred.
+ [Matt Caswell]
+
+ *) Given the pervasive nature of TLS extensions it is inadvisable to run
+ OpenSSL without support for them. It also means that maintaining
+ the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
+ not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
+ [Matt Caswell]
+
+ *) Removed support for the two export grade static DH ciphersuites
+ EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
+ were newly added (along with a number of other static DH ciphersuites) to
+ 1.0.2. However the two export ones have *never* worked since they were
+ introduced. It seems strange in any case to be adding new export
+ ciphersuites, and given "logjam" it also does not seem correct to fix them.
+ [Matt Caswell]
+
+ *) Version negotiation has been rewritten. In particular SSLv23_method(),
+ SSLv23_client_method() and SSLv23_server_method() have been deprecated,
+ and turned into macros which simply call the new preferred function names
+ TLS_method(), TLS_client_method() and TLS_server_method(). All new code
+ should use the new names instead. Also as part of this change the ssl23.h
+ header file has been removed.
+ [Matt Caswell]
+
+ *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
+ code and the associated standard is no longer considered fit-for-purpose.
+ [Matt Caswell]
+
+ *) RT2547 was closed. When generating a private key, try to make the
+ output file readable only by the owner. This behavior change might
+ be noticeable when interacting with other software.
+
+ *) Documented all exdata functions. Added CRYPTO_free_ex_index.
+ Added a test.
+ [Rich Salz]
+
+ *) Added HTTP GET support to the ocsp command.
+ [Rich Salz]
+
+ *) Changed default digest for the dgst and enc commands from MD5 to
+ sha256
+ [Rich Salz]
+
+ *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
+ [Matt Caswell]
+
+ *) Added support for TLS extended master secret from
+ draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
+ initial patch which was a great help during development.
+ [Steve Henson]
+
+ *) All libssl internal structures have been removed from the public header
+ files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
+ now redundant). Users should not attempt to access internal structures
+ directly. Instead they should use the provided API functions.
+ [Matt Caswell]
+
+ *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
+ Access to deprecated functions can be re-enabled by running config with
+ "enable-deprecated". In addition applications wishing to use deprecated
+ functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
+ will, by default, disable some transitive includes that previously existed
+ in the header files (e.g. ec.h will no longer, by default, include bn.h)
+ [Matt Caswell]
+
+ *) Added support for OCB mode. OpenSSL has been granted a patent license
+ compatible with the OpenSSL license for use of OCB. Details are available
+ at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
+ for OCB can be removed by calling config with no-ocb.
+ [Matt Caswell]
+
+ *) SSLv2 support has been removed. It still supports receiving a SSLv2
+ compatible client hello.
+ [Kurt Roeckx]
+
+ *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
+ done while fixing the error code for the key-too-small case.
+ [Annie Yousar <a.yousar@informatik.hu-berlin.de>]
+
+ *) CA.sh has been removed; use CA.pl instead.
+ [Rich Salz]
+
+ *) Removed old DES API.
+ [Rich Salz]
+
+ *) Remove various unsupported platforms:
+ Sony NEWS4
+ BEOS and BEOS_R5
+ NeXT
+ SUNOS
+ MPE/iX
+ Sinix/ReliantUNIX RM400
+ DGUX
+ NCR
+ Tandem
+ Cray
+ 16-bit platforms such as WIN16
+ [Rich Salz]
+
+ *) Clean up OPENSSL_NO_xxx #define's
+ Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
+ Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
+ OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
+ OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
+ OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
+ Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
+ OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
+ OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
+ OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
+ Remove MS_STATIC; it's a relic from platforms <32 bits.
+ [Rich Salz]
+
+ *) Cleaned up dead code
+ Remove all but one '#ifdef undef' which is to be looked at.
+ [Rich Salz]
+
+ *) Clean up calling of xxx_free routines.
+ Just like free(), fix most of the xxx_free routines to accept
+ NULL. Remove the non-null checks from callers. Save much code.
+ [Rich Salz]
+
+ *) Add secure heap for storage of private keys (when possible).
+ Add BIO_s_secmem(), CBIGNUM, etc.
+ Contributed by Akamai Technologies under our Corporate CLA.
+ [Rich Salz]
+
+ *) Experimental support for a new, fast, unbiased prime candidate generator,
+ bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
+ [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
+
+ *) New output format NSS in the sess_id command line tool. This allows
+ exporting the session id and the master key in NSS keylog format.
+ [Martin Kaiser <martin@kaiser.cx>]
+
+ *) Harmonize version and its documentation. -f flag is used to display
+ compilation flags.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+ in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
+ [mancha <mancha1@zoho.com>]
+
+ *) Fix some double frees. These are not thought to be exploitable.
+ [mancha <mancha1@zoho.com>]
+
+ *) A missing bounds check in the handling of the TLS heartbeat extension
+ can be used to reveal up to 64k of memory to a connected client or
+ server.
+
+ Thanks for Neel Mehta of Google Security for discovering this bug and to
+ Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
+ preparing the fix (CVE-2014-0160)
+ [Adam Langley, Bodo Moeller]
+
+ *) Fix for the attack described in the paper "Recovering OpenSSL
+ ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+ by Yuval Yarom and Naomi Benger. Details can be obtained from:
+ http://eprint.iacr.org/2014/140
+
+ Thanks to Yuval Yarom and Naomi Benger for discovering this
+ flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+ [Yuval Yarom and Naomi Benger]
+
+ *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
+ this fixes a limitation in previous versions of OpenSSL.
+ [Steve Henson]
+
+ *) Experimental encrypt-then-mac support.
+
+ Experimental support for encrypt then mac from
+ draft-gutmann-tls-encrypt-then-mac-02.txt
+
+ To enable it set the appropriate extension number (0x42 for the test
+ server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
+
+ For non-compliant peers (i.e. just about everything) this should have no
+ effect.
+
+ WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
+
+ [Steve Henson]
+
+ *) Add EVP support for key wrapping algorithms, to avoid problems with
+ existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
+ the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+ algorithms and include tests cases.
+ [Steve Henson]
+
+ *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
+ enveloped data.
+ [Steve Henson]
+
+ *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+ MGF1 digest and OAEP label.
+ [Steve Henson]
+
+ *) Make openssl verify return errors.
+ [Chris Palmer <palmer@google.com> and Ben Laurie]
+
+ *) New function ASN1_TIME_diff to calculate the difference between two
+ ASN1_TIME structures or one structure and the current time.
+ [Steve Henson]
+
+ *) Update fips_test_suite to support multiple command line options. New
+ test to induce all self test errors in sequence and check expected
+ failures.
+ [Steve Henson]
+
+ *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
+ sign or verify all in one operation.
+ [Steve Henson]
+
+ *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
+ test programs and fips_test_suite. Includes functionality to parse
+ the minimal script output of fipsalgest.pl directly.
+ [Steve Henson]
+
+ *) Add authorisation parameter to FIPS_module_mode_set().
+ [Steve Henson]
+
+ *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
+ [Steve Henson]
+
+ *) Use separate DRBG fields for internal and external flags. New function
+ FIPS_drbg_health_check() to perform on demand health checking. Add
+ generation tests to fips_test_suite with reduced health check interval to
+ demonstrate periodic health checking. Add "nodh" option to
+ fips_test_suite to skip very slow DH test.
+ [Steve Henson]
+
+ *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
+ based on NID.
+ [Steve Henson]
+
+ *) More extensive health check for DRBG checking many more failure modes.
+ New function FIPS_selftest_drbg_all() to handle every possible DRBG
+ combination: call this in fips_test_suite.
+ [Steve Henson]
+
+ *) Add support for canonical generation of DSA parameter 'g'. See
+ FIPS 186-3 A.2.3.
+
+ *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
+ POST to handle HMAC cases.
+ [Steve Henson]
+
+ *) Add functions FIPS_module_version() and FIPS_module_version_text()
+ to return numerical and string versions of the FIPS module number.
+ [Steve Henson]
+
+ *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
+ FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
+ outside the validated module in the FIPS capable OpenSSL.
+ [Steve Henson]
+
+ *) Minor change to DRBG entropy callback semantics. In some cases
+ there is no multiple of the block length between min_len and
+ max_len. Allow the callback to return more than max_len bytes
+ of entropy but discard any extra: it is the callback's responsibility
+ to ensure that the extra data discarded does not impact the
+ requested amount of entropy.
+ [Steve Henson]
+
+ *) Add PRNG security strength checks to RSA, DSA and ECDSA using
+ information in FIPS186-3, SP800-57 and SP800-131A.
+ [Steve Henson]
+
+ *) CCM support via EVP. Interface is very similar to GCM case except we
+ must supply all data in one chunk (i.e. no update, final) and the
+ message length must be supplied if AAD is used. Add algorithm test
+ support.
+ [Steve Henson]
+
+ *) Initial version of POST overhaul. Add POST callback to allow the status
+ of POST to be monitored and/or failures induced. Modify fips_test_suite
+ to use callback. Always run all selftests even if one fails.
+ [Steve Henson]
+
+ *) XTS support including algorithm test driver in the fips_gcmtest program.
+ Note: this does increase the maximum key length from 32 to 64 bytes but
+ there should be no binary compatibility issues as existing applications
+ will never use XTS mode.
+ [Steve Henson]
+
+ *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
+ to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
+ performs algorithm blocking for unapproved PRNG types. Also do not
+ set PRNG type in FIPS_mode_set(): leave this to the application.
+ Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
+ the standard OpenSSL PRNG: set additional data to a date time vector.
+ [Steve Henson]
+
+ *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
+ This shouldn't present any incompatibility problems because applications
+ shouldn't be using these directly and any that are will need to rethink
+ anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
+ [Steve Henson]
+
+ *) Extensive self tests and health checking required by SP800-90 DRBG.
+ Remove strength parameter from FIPS_drbg_instantiate and always
+ instantiate at maximum supported strength.
+ [Steve Henson]
+
+ *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
+ [Steve Henson]
+
+ *) New algorithm test program fips_dhvs to handle DH primitives only testing.
+ [Steve Henson]
+
+ *) New function DH_compute_key_padded() to compute a DH key and pad with
+ leading zeroes if needed: this complies with SP800-56A et al.
+ [Steve Henson]
+
+ *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
+ anything, incomplete, subject to change and largely untested at present.
+ [Steve Henson]
+
+ *) Modify fipscanisteronly build option to only build the necessary object
+ files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
+ [Steve Henson]
+
+ *) Add experimental option FIPSSYMS to give all symbols in
+ fipscanister.o and FIPS or fips prefix. This will avoid
+ conflicts with future versions of OpenSSL. Add perl script
+ util/fipsas.pl to preprocess assembly language source files
+ and rename any affected symbols.
+ [Steve Henson]
+
+ *) Add selftest checks and algorithm block of non-fips algorithms in
+ FIPS mode. Remove DES2 from selftests.
+ [Steve Henson]
+
+ *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
+ return internal method without any ENGINE dependencies. Add new
+ tiny fips sign and verify functions.
+ [Steve Henson]
+
+ *) New build option no-ec2m to disable characteristic 2 code.
+ [Steve Henson]
+
+ *) New build option "fipscanisteronly". This only builds fipscanister.o
+ and (currently) associated fips utilities. Uses the file Makefile.fips
+ instead of Makefile.org as the prototype.
+ [Steve Henson]
+
+ *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
+ Update fips_gcmtest to use IV generator.
+ [Steve Henson]
+
+ *) Initial, experimental EVP support for AES-GCM. AAD can be input by
+ setting output buffer to NULL. The *Final function must be
+ called although it will not retrieve any additional data. The tag
+ can be set or retrieved with a ctrl. The IV length is by default 12
+ bytes (96 bits) but can be set to an alternative value. If the IV
+ length exceeds the maximum IV length (currently 16 bytes) it cannot be
+ set before the key.
+ [Steve Henson]
+
+ *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
+ underlying do_cipher function handles all cipher semantics itself
+ including padding and finalisation. This is useful if (for example)
+ an ENGINE cipher handles block padding itself. The behaviour of
+ do_cipher is subtly changed if this flag is set: the return value
+ is the number of characters written to the output buffer (zero is
+ no longer an error code) or a negative error code. Also if the
+ input buffer is NULL and length 0 finalisation should be performed.
+ [Steve Henson]
+
+ *) If a candidate issuer certificate is already part of the constructed
+ path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
+ [Steve Henson]
+
+ *) Improve forward-security support: add functions
+
+ void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
+ void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
+
+ for use by SSL/TLS servers; the callback function will be called whenever a
+ new session is created, and gets to decide whether the session may be
+ cached to make it resumable (return 0) or not (return 1). (As by the
+ SSL/TLS protocol specifications, the session_id sent by the server will be
+ empty to indicate that the session is not resumable; also, the server will
+ not generate RFC 4507 (RFC 5077) session tickets.)
+
+ A simple reasonable callback implementation is to return is_forward_secure.
+ This parameter will be set to 1 or 0 depending on the ciphersuite selected
+ by the SSL/TLS server library, indicating whether it can provide forward
+ security.
+ [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
+
+ *) New -verify_name option in command line utilities to set verification
+ parameters by name.
+ [Steve Henson]
+
+ *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
+ Add CMAC pkey methods.
+ [Steve Henson]
+
+ *) Experimental renegotiation in s_server -www mode. If the client
+ browses /reneg connection is renegotiated. If /renegcert it is
+ renegotiated requesting a certificate.
+ [Steve Henson]
+
+ *) Add an "external" session cache for debugging purposes to s_server. This
+ should help trace issues which normally are only apparent in deployed
+ multi-process servers.
+ [Steve Henson]
+
+ *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
+ return value is ignored. NB. The functions RAND_add(), RAND_seed(),
+ BIO_set_cipher() and some obscure PEM functions were changed so they
+ can now return an error. The RAND changes required a change to the
+ RAND_METHOD structure.
+ [Steve Henson]
+
+ *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
+ a gcc attribute to warn if the result of a function is ignored. This
+ is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
+ whose return value is often ignored.
+ [Steve Henson]
+
+ *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
+ These allow SCTs (signed certificate timestamps) to be requested and
+ validated when establishing a connection.
+ [Rob Percival <robpercival@google.com>]
Changes between 1.0.2g and 1.0.2h [3 May 2016]
@@ -365,7 +1948,7 @@
amounts of input data then a length check can overflow resulting in a heap
corruption.
- Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
the PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes data
from an untrusted source and outputs it as a PEM file should be considered
@@ -402,7 +1985,7 @@
*) Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
- a short invalid encoding can casuse allocation of large amounts of memory
+ a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
Any application parsing untrusted data through d2i BIO functions is
@@ -569,7 +2152,6 @@
[Emilia Käsper]
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
-
*) DH small subgroups
Historically OpenSSL only ever generated DH parameters based on "safe"
@@ -613,9 +2195,6 @@
(CVE-2015-3197)
[Viktor Dukhovni]
- *) Reject DH handshakes with parameters shorter than 1024 bits.
- [Kurt Roeckx]
-
Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
*) BN_mod_exp may produce incorrect results on x86_64
@@ -671,14 +2250,14 @@
[Emilia Käsper]
*) In DSA_generate_parameters_ex, if the provided seed is too short,
- use a random seed, as already documented.
+ return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
*) Alternate chains certificate forgery
- During certificate verfification, OpenSSL will attempt to find an
+ During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
@@ -687,23 +2266,14 @@
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
- (CVE-2015-1793)
[Matt Caswell]
- *) Race condition handling PSK identify hint
-
- If PSK identity hints are received by a multi-threaded client then
- the values are wrongly updated in the parent SSL_CTX structure. This can
- result in a race condition potentially leading to a double free of the
- identify hint data.
- (CVE-2015-3196)
- [Stephen Henson]
-
Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
+ [Matt Caswell]
Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
@@ -773,22 +2343,11 @@
(CVE-2015-1791)
[Matt Caswell]
- *) Removed support for the two export grade static DH ciphersuites
- EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
- were newly added (along with a number of other static DH ciphersuites) to
- 1.0.2. However the two export ones have *never* worked since they were
- introduced. It seems strange in any case to be adding new export
- ciphersuites, and given "logjam" it also does not seem correct to fix them.
- [Matt Caswell]
-
*) Only support 256-bit or stronger elliptic curves with the
'ecdh_auto' setting (server) or by default (client). Of supported
curves, prefer P-256 (both).
[Emilia Kasper]
- *) Reject DH handshakes with parameters shorter than 768 bits.
- [Kurt Roeckx and Emilia Kasper]
-
Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
*) ClientHello sigalgs DoS fix
@@ -954,13 +2513,9 @@
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
- *) Change RSA and DH/DSA key generation apps to generate 2048-bit
- keys by default.
- [Kurt Roeckx]
-
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
ARMv5 through ARMv8, as opposite to "locking" it to single one.
- So far those who have to target multiple plaforms would compromise
+ So far those who have to target multiple platforms would compromise
and argue that binary targeting say ARMv5 would still execute on
ARMv8. "Universal" build resolves this compromise by providing
near-optimal performance even on newer platforms.
@@ -1020,7 +2575,7 @@
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
- this fixes a limiation in previous versions of OpenSSL.
+ this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
@@ -1129,9 +2684,9 @@
*) Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
- the parent SSL_CTX. Include distint stores for certificate chain
+ the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
- to build and store a certificate chain in CERT structure: returing
+ to build and store a certificate chain in CERT structure: returning
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
@@ -1164,7 +2719,7 @@
[Steve Henson]
*) Add new "valid_flags" field to CERT_PKEY structure which determines what
- the certificate can be used for (if anything). Set valid_flags field
+ the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
@@ -1192,7 +2747,7 @@
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
- verification. New verify options supporting checking in opensl utility.
+ verification. New verify options supporting checking in openssl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
@@ -1207,7 +2762,7 @@
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
- *) Initial experimental support for explicitly trusted non-root CAs.
+ *) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
setting is used: whether to trust (e.g., -addtrust option to the x509
@@ -1229,7 +2784,7 @@
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
- (often lower perfomance) FIPS implementations outside FIPS mode.
+ (often lower performance) FIPS implementations outside FIPS mode.
[Steve Henson]
*) Transparently support X9.42 DH parameters when calling
@@ -1258,7 +2813,7 @@
to set list of supported curves.
[Steve Henson]
- *) New ctrls to retrieve supported signature algorithms and
+ *) New ctrls to retrieve supported signature algorithms and
supported curve values as an array of NIDs. Extend openssl utility
to print out received values.
[Steve Henson]
@@ -1374,7 +2929,7 @@
3. Check DSA/ECDSA signatures use DER.
- Reencode DSA/ECDSA signatures and compare with the original received
+ Re-encode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
@@ -1463,8 +3018,8 @@
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
-
- Reencode DigestInto in DER and check against the original when
+
+ Re-encode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
@@ -1596,7 +3151,7 @@
[mancha <mancha1@zoho.com>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
- in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
+ in i2d_ECPrivateKey.
[mancha <mancha1@zoho.com>]
*) Fix some double frees. These are not thought to be exploitable.
@@ -1633,7 +3188,7 @@
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
- *) Fix for TLS record tampering bug. A carefully crafted invalid
+ *) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)
@@ -1661,9 +3216,9 @@
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
- This addresses the flaw in CBC record processing discovered by
+ This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
- at: http://www.isg.rhul.ac.uk/tls/
+ at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
@@ -1723,7 +3278,7 @@
*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
- SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
+ SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
@@ -1732,7 +3287,7 @@
in unlike event, limit maximum offered version to TLS 1.0 [see below].
[Steve Henson]
- *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
+ *) In order to ensure interoperability SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X *if* there are
protocols *below* X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
@@ -1761,12 +3316,12 @@
1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
- the number of ciphers sent in the client hello. This should be
+ the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
- TLS 1.2 client support entirely.
+ TLS 1.2 client support entirely.
[Steve Henson]
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
@@ -1781,13 +3336,13 @@
*) The format used for MDC2 RSA signatures is inconsistent between EVP
and the RSA_sign/RSA_verify functions. This was made more apparent when
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
- those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
+ those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
the correct format in RSA_verify so both forms transparently work.
[Steve Henson]
*) Some servers which support TLS 1.0 can choke if we initially indicate
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
- encrypted premaster secret. As a workaround use the maximum pemitted
+ encrypted premaster secret. As a workaround use the maximum permitted
client version in client hello, this should keep such servers happy
and still work with previous versions of OpenSSL.
[Steve Henson]
@@ -1803,12 +3358,12 @@
*) Extensive assembler packs updates, most notably:
- - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
- - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
- - x86_64: bit-sliced AES implementation;
- - ARM: NEON support, contemporary platforms optimizations;
- - s390x: z196 support;
- - *: GHASH and GF(2^m) multiplication implementations;
+ - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
+ - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
+ - x86_64: bit-sliced AES implementation;
+ - ARM: NEON support, contemporary platforms optimizations;
+ - s390x: z196 support;
+ - *: GHASH and GF(2^m) multiplication implementations;
[Andy Polyakov]
@@ -1854,7 +3409,7 @@
*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
- particular PSS.
+ particular PSS.
[Steve Henson]
*) Add RSA PSS signing function. This will generate and set the
@@ -1879,7 +3434,7 @@
[Steve Henson, Martin Kaiser <lists@kaiser.cx>]
*) Add algorithm specific signature printing. An individual ASN1 method
- can now print out signatures instead of the standard hex dump.
+ can now print out signatures instead of the standard hex dump.
More complex signatures (e.g. PSS) can print out more meaningful
information. Include DSA version that prints out the signature
@@ -1916,8 +3471,8 @@
*) Add GCM support to TLS library. Some custom code is needed to split
the IV between the fixed (from PRF) and explicit (from TLS record)
- portions. This adds all GCM ciphersuites supported by RFC5288 and
- RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
+ portions. This adds all GCM ciphersuites supported by RFC5288 and
+ RFC5289. Generalise some AES* cipherstrings to include GCM and
add a special AESGCM string for GCM only.
[Steve Henson]
@@ -1931,9 +3486,9 @@
[Steve Henson]
*) For FIPS capable OpenSSL interpret a NULL default public key method
- as unset and return the appopriate default but do *not* set the default.
- This means we can return the appopriate method in applications that
- swicth between FIPS and non-FIPS modes.
+ as unset and return the appropriate default but do *not* set the default.
+ This means we can return the appropriate method in applications that
+ switch between FIPS and non-FIPS modes.
[Steve Henson]
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
@@ -1970,10 +3525,10 @@
to use them can use the private_* version instead.
[Steve Henson]
- *) Redirect cipher operations to FIPS module for FIPS builds.
+ *) Redirect cipher operations to FIPS module for FIPS builds.
[Steve Henson]
- *) Redirect digest operations to FIPS module for FIPS builds.
+ *) Redirect digest operations to FIPS module for FIPS builds.
[Steve Henson]
*) Update build system to add "fips" flag which will link in fipscanister.o
@@ -1985,7 +3540,7 @@
This should be configurable so applications can judge speed vs strength.
[Steve Henson]
- *) Add TLS v1.2 server support for client authentication.
+ *) Add TLS v1.2 server support for client authentication.
[Steve Henson]
*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
@@ -2064,14 +3619,14 @@
in CMS and PKCS7 code. When RSA decryption fails use a random key for
content decryption and always return the same error. Note: this attack
needs on average 2^20 messages so it only affects automated senders. The
- old behaviour can be reenabled in the CMS code by setting the
+ old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
[Steve Henson]
- *) Fix CVE-2011-4619: make sure we really are receiving a
+ *) Fix CVE-2011-4619: make sure we really are receiving a
client hello before rejecting multiple SGC restarts. Thanks to
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
[Steve Henson]
@@ -2164,7 +3719,7 @@
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
- http://eprint.iacr.org/2011/232.pdf
+ http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
@@ -2198,12 +3753,12 @@
[Steve Henson]
*) Fix WIN32 build system to correctly link an ENGINE directory into
- a DLL.
+ a DLL.
[Steve Henson]
Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
- *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
+ *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
(CVE-2010-1633)
[Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
@@ -2272,7 +3827,7 @@
retrieve a digest flags is by accessing the structure directly. Update
EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
or cipher is registered as in the "from" argument. Print out all
- registered digests in the dgst usage message instead of manually
+ registered digests in the dgst usage message instead of manually
attempting to work them out.
[Steve Henson]
@@ -2306,7 +3861,7 @@
*) Update Gost ENGINE to support parameter files.
[Victor B. Wagner <vitus@cryptocom.ru>]
- *) Support GeneralizedTime in ca utility.
+ *) Support GeneralizedTime in ca utility.
[Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
*) Enhance the hash format used for certificate directory links. The new
@@ -2360,7 +3915,7 @@
as part of the CRL checking and indicate a new error "CRL path validation
error" in this case. Applications wanting additional details can use
the verify callback and check the new "parent" field. If this is not
- NULL CRL path validation is taking place. Existing applications wont
+ NULL CRL path validation is taking place. Existing applications won't
see this because it requires extended CRL support which is off by
default.
@@ -2503,7 +4058,7 @@
SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
opaque PRF input value to use in the handshake. This will create
- an interal copy of the length-'len' string at 'src', and will
+ an internal copy of the length-'len' string at 'src', and will
return non-zero for success.
To get more control and flexibility, provide a callback function
@@ -2544,7 +4099,7 @@
[Bodo Moeller]
*) Update ssl code to support digests other than SHA1+MD5 for handshake
- MAC.
+ MAC.
[Victor B. Wagner <vitus@cryptocom.ru>]
@@ -2556,7 +4111,7 @@
If a client application caches session in an SSL_SESSION structure
support is transparent because tickets are now stored in the encoded
SSL_SESSION.
-
+
The SSL_CTX structure automatically generates keys for ticket
protection in servers so again support should be possible
with no application modification.
@@ -2593,7 +4148,7 @@
*) New option -sigopt to dgst utility. Update dgst to use
EVP_Digest{Sign,Verify}*. These two changes make it possible to use
- alternative signing paramaters such as X9.31 or PSS in the dgst
+ alternative signing parameters such as X9.31 or PSS in the dgst
utility.
[Steve Henson]
@@ -2613,8 +4168,8 @@
most recently disabled ciphersuites when "HIGH" is parsed).
Also, change ssl_create_cipher_list() (using this new
- funcionality) such that between otherwise identical
- cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
+ functionality) such that between otherwise identical
+ ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
the default order.
[Bodo Moeller]
@@ -2664,14 +4219,14 @@
*) Initial incomplete changes to avoid need for function casts in OpenSSL
some compilers (gcc 4.2 and later) reject their use. Safestack is
- reimplemented. Update ASN1 to avoid use of legacy functions.
+ reimplemented. Update ASN1 to avoid use of legacy functions.
[Steve Henson]
*) Win32/64 targets are linked with Winsock2.
[Andy Polyakov]
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
- to external functions. This can be used to increase CRL handling
+ to external functions. This can be used to increase CRL handling
efficiency especially when CRLs are very large by (for example) storing
the CRL revoked certificates in a database.
[Steve Henson]
@@ -2705,7 +4260,7 @@
*) New function X509_CRL_match() to check if two CRLs are identical. Normally
this would be called X509_CRL_cmp() but that name is already used by
- a function that just compares CRL issuer names. Cache several CRL
+ a function that just compares CRL issuer names. Cache several CRL
extensions in X509_CRL structure and cache CRLDP in X509.
[Steve Henson]
@@ -2714,7 +4269,7 @@
Name comparison can then be performed rapidly using memcmp().
[Steve Henson]
- *) Non-blocking OCSP request processing. Add -timeout option to ocsp
+ *) Non-blocking OCSP request processing. Add -timeout option to ocsp
utility.
[Steve Henson]
@@ -2793,7 +4348,7 @@
functional reference processing.
[Steve Henson]
- *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
+ *) New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of
EVP_{Sign,Verify}* which allow an application to customise the signature
process.
[Steve Henson]
@@ -2833,14 +4388,14 @@
*) Add a ctrl to asn1 method to allow a public key algorithm to express
a default digest type to use. In most cases this will be SHA1 but some
algorithms (such as GOST) need to specify an alternative digest. The
- return value indicates how strong the prefernce is 1 means optional and
+ return value indicates how strong the preference is 1 means optional and
2 is mandatory (that is it is the only supported type). Modify
ASN1_item_sign() to accept a NULL digest argument to indicate it should
use the default md. Update openssl utilities to use the default digest
type for signing if it is not explicitly indicated.
[Steve Henson]
- *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
+ *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
signing method from the key type. This effectively removes the link
between digests and public key types.
@@ -2849,7 +4404,7 @@
*) Add an OID cross reference table and utility functions. Its purpose is to
translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
rsaEncryption. This will allow some of the algorithm specific hackery
- needed to use the correct OID to be removed.
+ needed to use the correct OID to be removed.
[Steve Henson]
*) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
@@ -2865,7 +4420,7 @@
[Steve Henson]
*) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
- public and private key formats. As a side effect these add additional
+ public and private key formats. As a side effect these add additional
command line functionality not previously available: DSA signatures can be
generated and verified using pkeyutl and DH key support and generation in
pkey, genpkey.
@@ -2878,7 +4433,7 @@
manual pages.
[Oliver Tappe <zooey@hirschkaefer.de>]
- *) New utility "genpkey" this is analagous to "genrsa" etc except it can
+ *) New utility "genpkey" this is analogous to "genrsa" etc except it can
generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
support key and parameter generation and add initial key generation
functionality for RSA.
@@ -2886,7 +4441,7 @@
*) Add functions for main EVP_PKEY_method operations. The undocumented
functions EVP_PKEY_{encrypt,decrypt} have been renamed to
- EVP_PKEY_{encrypt,decrypt}_old.
+ EVP_PKEY_{encrypt,decrypt}_old.
[Steve Henson]
*) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
@@ -2911,7 +4466,7 @@
type.
[Steve Henson]
- *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
+ *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
EVP_PKEY_print_param() to print public key data from an EVP_PKEY
structure.
@@ -2932,11 +4487,11 @@
*) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
for the psk identity [hint] and the psk callback functions to the
SSL_SESSION, SSL and SSL_CTX structure.
-
+
New ciphersuites:
PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
PSK-AES256-CBC-SHA
-
+
New functions:
SSL_CTX_use_psk_identity_hint
SSL_get_psk_identity_hint
@@ -2977,7 +4532,7 @@
'-key2 ...', '-servername_fatal' (subject to change). This allows
testing the HostName extension for a specific single host name ('-cert'
and '-key' remain fallbacks for handshakes without HostName
- negotiation). If the unrecogninzed_name alert has to be sent, this by
+ negotiation). If the unrecognized_name alert has to be sent, this by
default is a warning; it becomes fatal with the '-servername_fatal'
option.
@@ -3005,8 +4560,8 @@
[Andy Polyakov]
*) New option SSL_OP_NO_COMP to disable use of compression selectively
- in SSL structures. New SSL ctrl to set maximum send fragment size.
- Save memory by seeting the I/O buffer sizes dynamically instead of
+ in SSL structures. New SSL ctrl to set maximum send fragment size.
+ Save memory by setting the I/O buffer sizes dynamically instead of
using the maximum available value.
[Steve Henson]
@@ -3059,13 +4614,13 @@
protection is active. (CVE-2010-0740)
[Bodo Moeller, Adam Langley <agl@chromium.org>]
- *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
+ *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
[Tomas Hoger <thoger@redhat.com>]
Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
- *) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
+ *) Always check bn_wexpand() return values for failure. (CVE-2009-3245)
[Martin Olsson, Neel Mehta]
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to
@@ -3198,24 +4753,24 @@
is already buffered was missing. For every new message was memory
allocated, allowing an attacker to perform an denial of service attack
with sending out of seq handshake messages until there is no memory
- left. Additionally every future messege was buffered, even if the
+ left. Additionally every future message was buffered, even if the
sequence number made no sense and would be part of another handshake.
So only messages with sequence numbers less than 10 in advance will be
buffered. (CVE-2009-1378)
- [Robin Seggelmann, discovered by Daniel Mentz]
+ [Robin Seggelmann, discovered by Daniel Mentz]
*) Records are buffered if they arrive with a future epoch to be
processed after finishing the corresponding handshake. There is
currently no limitation to this buffer allowing an attacker to perform
a DOS attack with sending records with future epochs until there is no
- memory left. This patch adds the pqueue_size() function to detemine
+ memory left. This patch adds the pqueue_size() function to determine
the size of a buffer and limits the record buffer to 100 entries.
(CVE-2009-1377)
- [Robin Seggelmann, discovered by Daniel Mentz]
+ [Robin Seggelmann, discovered by Daniel Mentz]
*) Keep a copy of frag->msg_header.frag_len so it can be used after the
parent structure is freed. (CVE-2009-1379)
- [Daniel Mentz]
+ [Daniel Mentz]
*) Handle non-blocking I/O properly in SSL_shutdown() call.
[Darryl Miles <darryl-mailinglists@netbauds.net>]
@@ -3250,7 +4805,7 @@
a legal length. (CVE-2009-0590)
[Steve Henson]
- *) Set S/MIME signing as the default purpose rather than setting it
+ *) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
[Steve Henson]
@@ -3321,7 +4876,7 @@
ChangeCipherSpec as first record (CVE-2009-1386).
[PR #1679]
- *) Fix a state transitition in s3_srvr.c and d1_srvr.c
+ *) Fix a state transition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
[Nagendra Modadugu]
@@ -3373,21 +4928,21 @@
This work was sponsored by Logica.
[Steve Henson]
- *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
+ *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
- attribute creation routines such as certifcate requests and PKCS#12
+ attribute creation routines such as certificate requests and PKCS#12
files.
[Steve Henson]
Changes between 0.9.8g and 0.9.8h [28 May 2008]
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
- handshake which could lead to a cilent crash as found using the
- Codenomicon TLS test suite (CVE-2008-1672)
+ handshake which could lead to a client crash as found using the
+ Codenomicon TLS test suite (CVE-2008-1672)
[Steve Henson, Mark Cox]
*) Fix double free in TLS server name extensions which could lead to
- a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
[Joe Orton]
*) Clear error queue in SSL_CTX_use_certificate_chain_file()
@@ -3450,7 +5005,7 @@
[Ian Lister (tweaked by Geoff Thorpe)]
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
- implemention in the following ways:
+ implementation in the following ways:
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
hard coded.
@@ -3488,7 +5043,7 @@
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
to get the expected BN_FLG_CONSTTIME behavior.
[Bodo Moeller (Google)]
-
+
*) Netware support:
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
@@ -3540,7 +5095,7 @@
(gcc 4.2 and later) reject their use.
[Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
Steve Henson]
-
+
*) Add RFC4507 support to OpenSSL. This includes the corrections in
RFC4507bis. The encrypted ticket format is an encrypted encoded
SSL_SESSION structure, that way new session features are automatically
@@ -3549,7 +5104,7 @@
If a client application caches session in an SSL_SESSION structure
support is transparent because tickets are now stored in the encoded
SSL_SESSION.
-
+
The SSL_CTX structure automatically generates keys for ticket
protection in servers so again support should be possible
with no application modification.
@@ -3591,7 +5146,7 @@
'-key2 ...', '-servername_fatal' (subject to change). This allows
testing the HostName extension for a specific single host name ('-cert'
and '-key' remain fallbacks for handshakes without HostName
- negotiation). If the unrecogninzed_name alert has to be sent, this by
+ negotiation). If the unrecognized_name alert has to be sent, this by
default is a warning; it becomes fatal with the '-servername_fatal'
option.
@@ -3648,7 +5203,7 @@
implementation in BN_mod_exp_mont_consttime().) The old name
remains as a deprecated alias.
- Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
+ Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
constant-time implementations for more than just exponentiation.
Here too the old name is kept as a deprecated alias.
@@ -3729,7 +5284,7 @@
*) Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service. (CVE-2006-2937) [Steve Henson]
- *) Fix buffer overflow in SSL_get_shared_ciphers() function.
+ *) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
@@ -3800,7 +5355,7 @@
unofficial, and the ID has long expired.
[Bodo Moeller]
- *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ *) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
@@ -3816,7 +5371,7 @@
*) Disable the padding bug check when compression is in use. The padding
bug check assumes the first packet is of even length, this is not
- necessarily true if compresssion is enabled and can result in false
+ necessarily true if compression is enabled and can result in false
positives causing handshake failure. The actual bug test is ancient
code so it is hoped that implementations will either have fixed it by
now or any which still have the bug do not support compression.
@@ -3955,7 +5510,7 @@
to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
[Walter Goulet]
- *) Remove buggy and incompletet DH cert support from
+ *) Remove buggy and incomplete DH cert support from
ssl/ssl_rsa.c and ssl/s3_both.c
[Nils Larsch]
@@ -4009,7 +5564,7 @@
*) New structure X509_VERIFY_PARAM which combines current verify parameters,
update associated structures and add various utility functions.
- Add new policy related verify parameters, include policy checking in
+ Add new policy related verify parameters, include policy checking in
standard verify code. Enhance 'smime' application with extra parameters
to support policy checking and print out.
[Steve Henson]
@@ -4045,7 +5600,7 @@
we can fix the problem directly in the 'ca' utility.)
[Steve Henson]
- *) Reduced header interdepencies by declaring more opaque objects in
+ *) Reduced header interdependencies by declaring more opaque objects in
ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
give fewer recursive includes, which could break lazy source code - so
this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
@@ -4058,12 +5613,12 @@
[Steve Henson]
*) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
- This will generate a random key of the appropriate length based on the
+ This will generate a random key of the appropriate length based on the
cipher context. The EVP_CIPHER can provide its own random key generation
- routine to support keys of a specific form. This is used in the des and
+ routine to support keys of a specific form. This is used in the des and
3des routines to generate a key of the correct parity. Update S/MIME
code to use new functions and hence generate correct parity DES keys.
- Add EVP_CHECK_DES_KEY #define to return an error if the key is not
+ Add EVP_CHECK_DES_KEY #define to return an error if the key is not
valid (weak or incorrect parity).
[Steve Henson]
@@ -4169,14 +5724,14 @@
[Geoff Thorpe]
*) Reorganise PKCS#7 code to separate the digest location functionality
- into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest().
+ into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
New function PKCS7_set_digest() to set the digest type for PKCS#7
digestedData type. Add additional code to correctly generate the
digestedData type and add support for this type in PKCS7 initialization
functions.
[Steve Henson]
- *) New function PKCS7_set0_type_other() this initializes a PKCS7
+ *) New function PKCS7_set0_type_other() this initializes a PKCS7
structure of type "other".
[Steve Henson]
@@ -4237,16 +5792,16 @@
takes an extra flags argument for optional functionality. Currently,
the following flags are defined:
- OBJ_BSEARCH_VALUE_ON_NOMATCH
- This one gets OBJ_bsearch_ex() to return a pointer to the first
- element where the comparing function returns a negative or zero
- number.
+ OBJ_BSEARCH_VALUE_ON_NOMATCH
+ This one gets OBJ_bsearch_ex() to return a pointer to the first
+ element where the comparing function returns a negative or zero
+ number.
- OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
- This one gets OBJ_bsearch_ex() to return a pointer to the first
- element where the comparing function returns zero. This is useful
- if there are more than one element where the comparing function
- returns zero.
+ OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
+ This one gets OBJ_bsearch_ex() to return a pointer to the first
+ element where the comparing function returns zero. This is useful
+ if there are more than one element where the comparing function
+ returns zero.
[Richard Levitte]
*) Make it possible to create self-signed certificates with 'openssl ca'
@@ -4269,7 +5824,7 @@
named like the index file with '.attr' appended to the name.
[Richard Levitte]
- *) Generate muti valued AVAs using '+' notation in config files for
+ *) Generate multi-valued AVAs using '+' notation in config files for
req and dirName.
[Steve Henson]
@@ -4352,7 +5907,7 @@
*) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
and DH_METHOD (eg. by ENGINE implementations) to override the normal
software implementations. For DSA and DH, parameter generation can
- also be overriden by providing the appropriate method callbacks.
+ also be overridden by providing the appropriate method callbacks.
[Geoff Thorpe]
*) Change the "progress" mechanism used in key-generation and
@@ -4385,7 +5940,7 @@
[Geoff Thorpe]
*) Change the ZLIB compression method to be stateful, and make it
- available to TLS with the number defined in
+ available to TLS with the number defined in
draft-ietf-tls-compression-04.txt.
[Richard Levitte]
@@ -4393,8 +5948,8 @@
is defined as follows (according to X.509_4thEditionDraftV6.pdf):
CertificatePair ::= SEQUENCE {
- forward [0] Certificate OPTIONAL,
- reverse [1] Certificate OPTIONAL,
+ forward [0] Certificate OPTIONAL,
+ reverse [1] Certificate OPTIONAL,
-- at least one of the pair shall be present -- }
Also implement the PEM functions to read and write certificate
@@ -4409,7 +5964,7 @@
Makefile.shared, for Cygwin's sake.
[Richard Levitte]
- *) Extend the BIGNUM API by creating a function
+ *) Extend the BIGNUM API by creating a function
void BN_set_negative(BIGNUM *a, int neg);
and a macro that behave like
int BN_is_negative(const BIGNUM *a);
@@ -4435,13 +5990,13 @@
the "shared" options was given to ./Configure or ./config.
Otherwise, they are inserted in libcrypto.a.
/usr/local/ssl/engines is the default directory for dynamic
- engines, but that can be overriden at configure time through
+ engines, but that can be overridden at configure time through
the usual use of --prefix and/or --openssldir, and at run
time with the environment variable OPENSSL_ENGINES.
[Geoff Thorpe and Richard Levitte]
*) Add Makefile.shared, a helper makefile to build shared
- libraries. Addapt Makefile.org.
+ libraries. Adapt Makefile.org.
[Richard Levitte]
*) Add version info to Win32 DLLs.
@@ -4562,7 +6117,7 @@
*) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
Polynomials are represented as BIGNUMs (where the sign bit is not
- used) in the following functions [macros]:
+ used) in the following functions [macros]:
BN_GF2m_add
BN_GF2m_sub [= BN_GF2m_add]
@@ -4655,7 +6210,7 @@
EC_METHOD_get_field_type() returns this value.
[Nils Larsch <nla@trustcenter.de>]
- *) Add functions
+ *) Add functions
EC_POINT_point2bn()
EC_POINT_bn2point()
EC_POINT_point2hex()
@@ -4714,7 +6269,7 @@
EC_GROUP_set_curve_name()
EC_GROUP_get_curve_name()
[Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
-
+
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
was actually never needed) and in BN_mul(). The removal in BN_mul()
required a small change in bn_mul_part_recursive() and the addition
@@ -4726,7 +6281,7 @@
Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
- *) Cleanse PEM buffers before freeing them since they may contain
+ *) Cleanse PEM buffers before freeing them since they may contain
sensitive data.
[Benjamin Bennett <ben@psc.edu>]
@@ -4774,7 +6329,7 @@
*) Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service. (CVE-2006-2937) [Steve Henson]
- *) Fix buffer overflow in SSL_get_shared_ciphers() function.
+ *) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
@@ -4810,12 +6365,12 @@
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
appear there.
- Also deactive the remaining ciphersuites from
+ Also deactivate the remaining ciphersuites from
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
unofficial, and the ID has long expired.
[Bodo Moeller]
- *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ *) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
@@ -4828,10 +6383,10 @@
*) Fixes for VC++ 2005 build under Windows.
[Steve Henson]
- *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
+ *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
from a Windows bash shell such as MSYS. It is autodetected from the
"config" script when run from a VC++ environment. Modify standard VC++
- build to use fipscanister.o from the GNU make build.
+ build to use fipscanister.o from the GNU make build.
[Steve Henson]
Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
@@ -4920,7 +6475,7 @@
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
- they must be explicitely allowed in run-time. See
+ they must be explicitly allowed in run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
[Richard Levitte]
@@ -4944,7 +6499,7 @@
values.
The OpenSSL team would like to thank the UK NISCC for bringing this issue
- to our attention.
+ to our attention.
[Stephen Henson, reported by UK NISCC]
@@ -4970,8 +6525,8 @@
[Steve Henson]
*) Perform some character comparisons of different types in X509_NAME_cmp:
- this is needed for some certificates that reencode DNs into UTF8Strings
- (in violation of RFC3280) and can't or wont issue name rollover
+ this is needed for some certificates that re-encode DNs into UTF8Strings
+ (in violation of RFC3280) and can't or won't issue name rollover
certificates.
[Steve Henson]
@@ -4989,7 +6544,7 @@
Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
- *) Avoid a race condition when CRLs are checked in a multi threaded
+ *) Avoid a race condition when CRLs are checked in a multi threaded
environment. This would happen due to the reordering of the revoked
entries during signature checking and serial number lookup. Now the
encoding is cached and the serial number sort performed under a lock.
@@ -5013,13 +6568,13 @@
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
- *) Fix null-pointer assignment in do_change_cipher_spec() revealed
- by using the Codenomicon TLS Test Tool (CVE-2004-0079)
- [Joe Orton, Steve Henson]
+ *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+ by using the Codenomicon TLS Test Tool (CVE-2004-0079)
+ [Joe Orton, Steve Henson]
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CVE-2004-0112)
- [Joe Orton, Steve Henson]
+ [Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
@@ -5029,7 +6584,7 @@
named like the index file with '.attr' appended to the name.
[Richard Levitte]
- *) X509 verify fixes. Disable broken certificate workarounds when
+ *) X509 verify fixes. Disable broken certificate workarounds when
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
keyUsage extension present. Don't accept CRLs with unhandled critical
extensions: since verify currently doesn't process CRL extensions this
@@ -5038,7 +6593,7 @@
[Steve Henson]
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
- A clarification of RFC2560 will require the use of OCTET STRINGs and
+ A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
copies and compares OCSP nonces as opaque blobs without any attempt at
parsing them this should not create any compatibility issues.
@@ -5062,7 +6617,7 @@
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
-
+
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
If verify callback ignores invalid public key errors don't try to check
@@ -5092,7 +6647,7 @@
blocks during encryption.
[Richard Levitte]
- *) Various fixes to base64 BIO and non blocking I/O. On write
+ *) Various fixes to base64 BIO and non blocking I/O. On write
flushes were not handled properly if the BIO retried. On read
data was not being buffered properly and had various logic bugs.
This also affects blocking I/O when the data being decoded is a
@@ -5140,12 +6695,12 @@
*) Target "mingw" now allows native Windows code to be generated in
the Cygwin environment as well as with the MinGW compiler.
- [Ulf Moeller]
+ [Ulf Moeller]
Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
- via timing by performing a MAC computation even if incorrrect
+ via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CVE-2003-0078)
@@ -5176,7 +6731,7 @@
*) Allow an application to disable the automatic SSL chain building.
Before this a rather primitive chain build was always performed in
- ssl3_output_cert_chain(): an application had no way to send the
+ ssl3_output_cert_chain(): an application had no way to send the
correct chain if the automatic operation produced an incorrect result.
Now the chain builder is disabled if either:
@@ -5396,18 +6951,18 @@
build directory is the following (tested on Linux), maybe with
some local tweaks:
- # Place yourself outside of the OpenSSL source tree. In
- # this example, the environment variable OPENSSL_SOURCE
- # is assumed to contain the absolute OpenSSL source directory.
- mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
- cd objtree/"`uname -s`-`uname -r`-`uname -m`"
- (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
- mkdir -p `dirname $F`
- ln -s $OPENSSL_SOURCE/$F $F
- done
+ # Place yourself outside of the OpenSSL source tree. In
+ # this example, the environment variable OPENSSL_SOURCE
+ # is assumed to contain the absolute OpenSSL source directory.
+ mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+ cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+ (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
+ mkdir -p `dirname $F`
+ ln -s $OPENSSL_SOURCE/$F $F
+ done
To be absolutely sure not to disturb the source tree, a "make clean"
- is a good thing. If it isn't successfull, don't worry about it,
+ is a good thing. If it isn't successful, don't worry about it,
it probably means the source directory is very clean.
[Richard Levitte]
@@ -5424,7 +6979,7 @@
error in AES-CFB decryption.
[Richard Levitte]
- *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
+ *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
allows existing EVP_CIPHER_CTX structures to be reused after
calling EVP_*Final(). This behaviour is used by encryption
BIOs and some applications. This has the side effect that
@@ -5451,11 +7006,11 @@
[Lutz Jaenicke]
*) Add an "init" command to the ENGINE config module and auto initialize
- ENGINEs. Without any "init" command the ENGINE will be initialized
- after all ctrl commands have been executed on it. If init=1 the
- ENGINE is initailized at that point (ctrls before that point are run
+ ENGINEs. Without any "init" command the ENGINE will be initialized
+ after all ctrl commands have been executed on it. If init=1 the
+ ENGINE is initialized at that point (ctrls before that point are run
on the uninitialized ENGINE and after on the initialized one). If
- init=0 then the ENGINE will not be iniatialized at all.
+ init=0 then the ENGINE will not be initialized at all.
[Steve Henson]
*) Fix the 'app_verify_callback' interface so that the user-defined
@@ -5493,7 +7048,7 @@
*) Config modules support in openssl utility.
Most commands now load modules from the config file,
- though in a few (such as version) this isn't done
+ though in a few (such as version) this isn't done
because it couldn't be used for anything.
In the case of ca and req the config file used is
@@ -5559,14 +7114,14 @@
but report on the latest error recorded rather than the first one
still in the error queue.
[Ben Laurie, Bodo Moeller]
-
+
*) default_algorithms option in ENGINE config module. This allows things
like:
default_algorithms = ALL
default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
[Steve Henson]
- *) Prelminary ENGINE config module.
+ *) Preliminary ENGINE config module.
[Steve Henson]
*) New experimental application configuration code.
@@ -5676,7 +7231,7 @@
[Richard Levitte]
*) Test for certificates which contain unsupported critical extensions.
- If such a certificate is found during a verify operation it is
+ If such a certificate is found during a verify operation it is
rejected by default: this behaviour can be overridden by either
handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
@@ -5712,7 +7267,7 @@
*) Major restructuring to the underlying ENGINE code. This includes
reduction of linker bloat, separation of pure "ENGINE" manipulation
(initialisation, etc) from functionality dealing with implementations
- of specific crypto iterfaces. This change also introduces integrated
+ of specific crypto interfaces. This change also introduces integrated
support for symmetric ciphers and digest implementations - so ENGINEs
can now accelerate these by providing EVP_CIPHER and EVP_MD
implementations of their own. This is detailed in crypto/engine/README
@@ -5741,7 +7296,7 @@
*) New function SSL_renegotiate_pending(). This returns true once
renegotiation has been requested (either SSL_renegotiate() call
- or HelloRequest/ClientHello receveived from the peer) and becomes
+ or HelloRequest/ClientHello received from the peer) and becomes
false once a handshake has been completed.
(For servers, SSL_renegotiate() followed by SSL_do_handshake()
sends a HelloRequest, but does not ensure that a handshake takes
@@ -5899,8 +7454,8 @@
des_key_schedule ks;
- des_set_key_checked(..., &ks);
- des_ncbc_encrypt(..., &ks, ...);
+ des_set_key_checked(..., &ks);
+ des_ncbc_encrypt(..., &ks, ...);
(Note that a later change renames 'des_...' into 'DES_...'.)
[Ben Laurie]
@@ -6029,7 +7584,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
const ASN1_ITEM *it = &ASN1_INTEGER_it;
- wont compile. This is used by the any applications that need to
+ won't compile. This is used by the any applications that need to
declare their own ASN1 modules. This was fixed by adding the option
EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
needed for static libraries under Win32.
@@ -6041,7 +7596,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Steve Henson]
*) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
- structure. These are inherited by X509_STORE_CTX when it is
+ structure. These are inherited by X509_STORE_CTX when it is
initialised. This allows various defaults to be set in the
X509_STORE structure (such as flags for CRL checking and custom
purpose or trust settings) for functions which only use X509_STORE_CTX
@@ -6106,7 +7661,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
'-pre' and '-post' switches. '-post' is only used if '-t' is
specified and the ENGINE is successfully initialised. The syntax for
the individual commands are colon-separated, for example;
- openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
+ openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
[Geoff]
*) New dynamic control command support for ENGINEs. ENGINEs can now
@@ -6205,7 +7760,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
operations and provides various method functions that can also
- operate with faster implementations of modular arithmetic.
+ operate with faster implementations of modular arithmetic.
EC_GFp_mont_method() reuses most functions that are part of
EC_GFp_simple_method, but uses Montgomery arithmetic.
@@ -6294,16 +7849,16 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
in the source file (foo.c) like this:
- OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
- OPENSSL_IMPLEMENT_GLOBAL(double,bar);
+ OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
+ OPENSSL_IMPLEMENT_GLOBAL(double,bar);
To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
- OPENSSL_DECLARE_GLOBAL(int,foo);
- #define foo OPENSSL_GLOBAL_REF(foo)
- OPENSSL_DECLARE_GLOBAL(double,bar);
- #define bar OPENSSL_GLOBAL_REF(bar)
+ OPENSSL_DECLARE_GLOBAL(int,foo);
+ #define foo OPENSSL_GLOBAL_REF(foo)
+ OPENSSL_DECLARE_GLOBAL(double,bar);
+ #define bar OPENSSL_GLOBAL_REF(bar)
The #defines are very important, and therefore so is including the
header file everywhere where the defined globals are used.
@@ -6393,7 +7948,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New option -set_serial to 'req' and 'x509' this allows the serial
number to use to be specified on the command line. Previously self
- signed certificates were hard coded with serial number 0 and the
+ signed certificates were hard coded with serial number 0 and the
CA options of 'x509' had to use a serial number in a file which was
auto incremented.
[Steve Henson]
@@ -6418,7 +7973,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
option to ocsp utility.
[Steve Henson]
- *) New nonce behavior. The return value of OCSP_check_nonce() now
+ *) New nonce behavior. The return value of OCSP_check_nonce() now
reflects the various checks performed. Applications can decide
whether to tolerate certain situations such as an absent nonce
in a response when one was present in a request: the ocsp application
@@ -6492,7 +8047,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
structure from a certificate. X509_pubkey_digest() digests the public_key
- contents: this is used in various key identifiers.
+ contents: this is used in various key identifiers.
[Steve Henson]
*) Make sk_sort() tolerate a NULL argument.
@@ -6507,7 +8062,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
to data. This was previously part of the PKCS7 ASN1 code. This
was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
[Steve Henson, reported by Kenneth R. Robinette
- <support@securenetterm.com>]
+ <support@securenetterm.com>]
*) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
routines: without these tracing memory leaks is very painful.
@@ -6521,7 +8076,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
[Steve Henson, reported by Kenneth R. Robinette
- <support@securenetterm.com>]
+ <support@securenetterm.com>]
*) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
result in a zero length in the ASN1_INTEGER structure which was
@@ -6606,10 +8161,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
settings for extended allocation functions, the following
functions are provided:
- CRYPTO_set_mem_ex_functions
- CRYPTO_set_locked_mem_ex_functions
- CRYPTO_get_mem_ex_functions
- CRYPTO_get_locked_mem_ex_functions
+ CRYPTO_set_mem_ex_functions
+ CRYPTO_set_locked_mem_ex_functions
+ CRYPTO_get_mem_ex_functions
+ CRYPTO_get_locked_mem_ex_functions
These work the same way as CRYPTO_set_mem_functions and friends.
CRYPTO_get_[locked_]mem_functions now writes 0 where such an
@@ -6630,7 +8185,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
entropy, EGD style sockets (served by EGD or PRNGD) will automatically
be queried.
The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
- /etc/entropy will be queried once each in this sequence, quering stops
+ /etc/entropy will be queried once each in this sequence, querying stops
when enough entropy was collected without querying more sockets.
[Lutz Jaenicke]
@@ -6658,7 +8213,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
information from an OCSP_CERTID structure (which will be created
when the request structure is built). These are built from lower
level functions which work on OCSP_SINGLERESP structures but
- wont normally be used unless the application wishes to examine
+ won't normally be used unless the application wishes to examine
extensions in the OCSP response for example.
Replace nonce routines with a pair of functions.
@@ -6680,7 +8235,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Update OCSP API. Remove obsolete extensions argument from
various functions. Extensions are now handled using the new
- OCSP extension code. New simple OCSP HTTP function which
+ OCSP extension code. New simple OCSP HTTP function which
can be used to send requests and parse the response.
[Steve Henson]
@@ -6716,7 +8271,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Steve Henson]
*) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
- lines, recognice more "algorithms" that can be deselected, and make
+ lines, recognize more "algorithms" that can be deselected, and make
it complain about algorithm deselection that isn't recognised.
[Richard Levitte]
@@ -6734,7 +8289,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New function X509V3_add1_i2d(). This automatically encodes and
adds an extension. Its behaviour can be customised with various
flags to append, replace or delete. Various wrappers added for
- certifcates and CRLs.
+ certificates and CRLs.
[Steve Henson]
*) Fix to avoid calling the underlying ASN1 print routine when
@@ -6742,7 +8297,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
OCSP_SERVICELOC extension. Tidy up print OCSP format.
[Steve Henson]
- *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
+ *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
entries for variables.
[Steve Henson]
@@ -6902,7 +8457,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
#if 0
- The following entry accidentily appeared in the CHANGES file
+ The following entry accidentally appeared in the CHANGES file
distributed with OpenSSL 0.9.7. The modifications described in
it do *not* apply to OpenSSL 0.9.7.
@@ -6950,11 +8505,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add the following functions:
- ENGINE_load_cswift()
- ENGINE_load_chil()
- ENGINE_load_atalla()
- ENGINE_load_nuron()
- ENGINE_load_builtin_engines()
+ ENGINE_load_cswift()
+ ENGINE_load_chil()
+ ENGINE_load_atalla()
+ ENGINE_load_nuron()
+ ENGINE_load_builtin_engines()
That way, an application can itself choose if external engines that
are built-in in OpenSSL shall ever be used or not. The benefit is
@@ -7066,7 +8621,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
-
+
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
@@ -7114,7 +8669,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
- via timing by performing a MAC computation even if incorrrect
+ via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CVE-2003-0078)
@@ -7145,7 +8700,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Zeev Lieber <zeev-l@yahoo.com>]
*) Undo an undocumented change introduced in 0.9.6e which caused
- repeated calls to OpenSSL_add_all_ciphers() and
+ repeated calls to OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digests() to be ignored, even after calling
EVP_cleanup().
[Richard Levitte]
@@ -7203,8 +8758,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
and get fix the header length calculation.
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
- Alon Kantor <alonk@checkpoint.com> (and others),
- Steve Henson]
+ Alon Kantor <alonk@checkpoint.com> (and others),
+ Steve Henson]
*) Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
@@ -7279,7 +8834,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Nils Larsch <nla@trustcenter.de>]
*) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
- an end-of-file condition would erronously be flagged, when the CRLF
+ an end-of-file condition would erroneously be flagged, when the CRLF
was just at the end of a processed block. The bug was discovered when
processing data through a buffering memory BIO handing the data to a
BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
@@ -7319,7 +8874,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
a generator of the order-q subgroup is just as good, if not
better.
[Bodo Moeller]
-
+
*) Map new X509 verification errors to alerts. Discovered and submitted by
Tom Wu <tom@arcot.com>.
[Lutz Jaenicke]
@@ -7432,7 +8987,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
*) [In 0.9.6c-engine release:]
- Add support for SureWare crypto accelerator cards from
+ Add support for SureWare crypto accelerator cards from
Baltimore Technologies. (Use engine 'sureware')
[Baltimore Technologies and Mark Cox]
@@ -7486,7 +9041,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
- should end in 'break', not 'goto end' which circuments various
+ should end in 'break', not 'goto end' which circumvents various
cleanups done in state SSL_ST_OK. But session related stuff
must be disabled for SSL_ST_OK in the case that we just sent a
HelloRequest.
@@ -7497,7 +9052,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
reveal whether illegal block cipher padding was found or a MAC
- verification error occured. (Neither SSLerr() codes nor alerts
+ verification error occurred. (Neither SSLerr() codes nor alerts
are directly visible to potential attackers, but the information
may leak via logfiles.)
@@ -7775,8 +9330,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Computations, J. Cryptology 14 (2001) 2, 101-119,
http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
[Ulf Moeller]
-
- *) MIPS assembler BIGNUM division bug fix.
+
+ *) MIPS assembler BIGNUM division bug fix.
[Andy Polyakov]
*) Disabled incorrect Alpha assembler code.
@@ -7832,7 +9387,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
3. Count how many times MemCheck_off() has been called so that
- nested use can be treated correctly. This also avoids
+ nested use can be treated correctly. This also avoids
inband-signalling in the previous code (which relied on the
assumption that thread ID 0 is impossible).
[Bodo Moeller]
@@ -7946,7 +9501,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) rand_win.c fix for Borland C.
[Ulf Möller]
-
+
*) BN_rshift bugfix for n == 0.
[Bodo Moeller]
@@ -8016,10 +9571,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
and not in SSL_clear because the latter is also used by the
accept/connect functions; previously, the settings made by
SSL_set_read_ahead would be lost during the handshake.
- [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
+ [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
*) Correct util/mkdef.pl to be selective about disabled algorithms.
- Previously, it would create entries for disableed algorithms no
+ Previously, it would create entries for disabled algorithms no
matter what.
[Richard Levitte]
@@ -8106,7 +9661,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
doc package contains the contents of the doc directory. The original
openssl.spec was provided by Damien Miller <djm@mindrot.org>.
[Richard Levitte]
-
+
*) Add a large number of documentation files for many SSL routines.
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
@@ -8144,7 +9699,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Sven Uszpelkat <su@celocom.de>]
*) Major change in util/mkdef.pl to include extra information
- about each symbol, as well as presentig variables as well
+ about each symbol, as well as presenting variables as well
as functions. This change means that there's n more need
to rebuild the .num files when some algorithms are excluded.
[Richard Levitte]
@@ -8152,19 +9707,19 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Allow the verify time to be set by an application,
rather than always using the current time.
[Steve Henson]
-
+
*) Phase 2 verify code reorganisation. The certificate
verify code now looks up an issuer certificate by a
number of criteria: subject name, authority key id
and key usage. It also verifies self signed certificates
by the same criteria. The main comparison function is
X509_check_issued() which performs these checks.
-
+
Lot of changes were necessary in order to support this
without completely rewriting the lookup code.
-
+
Authority and subject key identifier are now cached.
-
+
The LHASH 'certs' is X509_STORE has now been replaced
by a STACK_OF(X509_OBJECT). This is mainly because an
LHASH can't store or retrieve multiple objects with
@@ -8174,10 +9729,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
use only) have changed to handle the new X509_STORE
structure. This will break anything that messed round
with X509_STORE internally.
-
+
The functions X509_STORE_add_cert() now checks for an
exact match, rather than just subject name.
-
+
The X509_STORE API doesn't directly support the retrieval
of multiple certificates matching a given criteria, however
this can be worked round by performing a lookup first
@@ -8185,9 +9740,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
and then examining the cache for matches. This is probably
the best we can do without throwing out X509_LOOKUP
entirely (maybe later...).
-
+
The X509_VERIFY_CTX structure has been enhanced considerably.
-
+
All certificate lookup operations now go via a get_issuer()
callback. Although this currently uses an X509_STORE it
can be replaced by custom lookups. This is a simple way
@@ -8196,20 +9751,20 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
in future. A very simple version which uses a simple
STACK for its trusted certificate store is also provided
using X509_STORE_CTX_trusted_stack().
-
+
The verify_cb() and verify() callbacks now have equivalents
in the X509_STORE_CTX structure.
-
+
X509_STORE_CTX also has a 'flags' field which can be used
to customise the verify behaviour.
[Steve Henson]
-
- *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
+
+ *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
excludes S/MIME capabilities.
[Steve Henson]
*) When a certificate request is read in keep a copy of the
- original encoding of the signed data and use it when outputing
+ original encoding of the signed data and use it when outputting
again. Signatures then use the original encoding rather than
a decoded, encoded version which may cause problems if the
request is improperly encoded.
@@ -8266,7 +9821,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Modification to PKCS#7 encoding routines to output definite
length encoding. Since currently the whole structures are in
- memory there's not real point in using indefinite length
+ memory there's not real point in using indefinite length
constructed encoding. However if OpenSSL is compiled with
the flag PKCS7_INDEFINITE_ENCODING the old form is used.
[Steve Henson]
@@ -8274,27 +9829,27 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Added BIO_vprintf() and BIO_vsnprintf().
[Richard Levitte]
- *) Added more prefixes to parse for in the the strings written
+ *) Added more prefixes to parse for in the strings written
through a logging bio, to cover all the levels that are available
through syslog. The prefixes are now:
- PANIC, EMERG, EMR => LOG_EMERG
- ALERT, ALR => LOG_ALERT
- CRIT, CRI => LOG_CRIT
- ERROR, ERR => LOG_ERR
- WARNING, WARN, WAR => LOG_WARNING
- NOTICE, NOTE, NOT => LOG_NOTICE
- INFO, INF => LOG_INFO
- DEBUG, DBG => LOG_DEBUG
+ PANIC, EMERG, EMR => LOG_EMERG
+ ALERT, ALR => LOG_ALERT
+ CRIT, CRI => LOG_CRIT
+ ERROR, ERR => LOG_ERR
+ WARNING, WARN, WAR => LOG_WARNING
+ NOTICE, NOTE, NOT => LOG_NOTICE
+ INFO, INF => LOG_INFO
+ DEBUG, DBG => LOG_DEBUG
and as before, if none of those prefixes are present at the
beginning of the string, LOG_ERR is chosen.
On Win32, the LOG_* levels are mapped according to this:
- LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
- LOG_WARNING => EVENTLOG_WARNING_TYPE
- LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
+ LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
+ LOG_WARNING => EVENTLOG_WARNING_TYPE
+ LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
[Richard Levitte]
@@ -8345,7 +9900,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
these print out strings and name structures based on various
flags including RFC2253 support and proper handling of
- multibyte characters. Added options to the 'x509' utility
+ multibyte characters. Added options to the 'x509' utility
to allow the various flags to be set.
[Steve Henson]
@@ -8423,7 +9978,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
to check that it worked correctly is to look in obj_dat.h and
check the array nid_objs and make sure the objects haven't moved
around (this is important!). Additions are OK, as well as
- consistent name changes.
+ consistent name changes.
[Richard Levitte]
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
@@ -8447,9 +10002,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
added extra typesafe functions: these no longer exist.
[Steve Henson]
- *) Reorganisation of the stack code. The macros are now all
+ *) Reorganisation of the stack code. The macros are now all
collected in safestack.h . Each macro is defined in terms of
- a "stack macro" of the form SKM_<name>(type, a, b). The
+ a "stack macro" of the form SKM_<name>(type, a, b). The
DEBUG_SAFESTACK is now handled in terms of function casts,
this has the advantage of retaining type safety without the
use of additional functions. If DEBUG_SAFESTACK is not defined
@@ -8463,11 +10018,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) When some versions of IIS use the 'NET' form of private key the
key derivation algorithm is different. Normally MD5(password) is
used as a 128 bit RC4 key. In the modified case
- MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some
+ MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some
new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
as the old Netscape_RSA functions except they have an additional
'sgckey' parameter which uses the modified algorithm. Also added
- an -sgckey command line option to the rsa utility. Thanks to
+ an -sgckey command line option to the rsa utility. Thanks to
Adrian Peck <bertie@ncipher.com> for posting details of the modified
algorithm to openssl-dev.
[Steve Henson]
@@ -8479,7 +10034,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New X509_get1_email() and X509_REQ_get1_email() functions that return
a STACK of email addresses from a certificate or request, these look
- in the subject name and the subject alternative name extensions and
+ in the subject name and the subject alternative name extensions and
omit any duplicate addresses.
[Steve Henson]
@@ -8711,7 +10266,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
<attili@amaxo.com>]
*) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
- was larger than the MD block size.
+ was larger than the MD block size.
[Steve Henson, pointed out by Yost William <YostW@tce.com>]
*) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
@@ -8751,8 +10306,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
its own key.
ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
to parameters -- in previous versions (since OpenSSL 0.9.3) the
- 'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
- you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
+ 'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
+ you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
[Bodo Moeller]
*) New s_client option -ign_eof: EOF at stdin is ignored, and
@@ -8846,7 +10401,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add an optional second argument to the set_label() in the perl
assembly language builder. If this argument exists and is set
- to 1 it signals that the assembler should use a symbol whose
+ to 1 it signals that the assembler should use a symbol whose
scope is the entire file, not just the current function. This
is needed with MASM which uses the format label:: for this scope.
[Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
@@ -8971,7 +10526,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) ./config recognizes MacOS X now.
[Andy Polyakov]
- *) Bug fix for BN_div() when the first words of num and divsor are
+ *) Bug fix for BN_div() when the first words of num and divisor are
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
[Ulf Möller]
@@ -8991,7 +10546,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
include a #define from the old name to the new. The original intent
was that statically linked binaries could for example just call
SSLeay_add_all_ciphers() to just add ciphers to the table and not
- link with digests. This never worked becayse SSLeay_add_all_digests()
+ link with digests. This never worked because SSLeay_add_all_digests()
and SSLeay_add_all_ciphers() were in the same source file so calling
one would link with the other. They are now in separate source files.
[Steve Henson]
@@ -9009,7 +10564,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Source code cleanups: use const where appropriate, eliminate casts,
use void * instead of char * in lhash.
- [Ulf Möller]
+ [Ulf Möller]
*) Bugfix: ssl3_send_server_key_exchange was not restartable
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
@@ -9034,7 +10589,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
loop rather than for the current invocation of the inner loop.
DSA_generate_parameters additionally can call the callback
function with an 'iteration count' of -1, meaning that a
- candidate has passed the trial division test (when q is generated
+ candidate has passed the trial division test (when q is generated
from an application-provided seed, trial division is skipped).
[Bodo Moeller]
@@ -9130,7 +10685,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Changes to X509_ATTRIBUTE utilities. These have been renamed from
X509_*() to X509at_*() on the grounds that they don't handle X509
- structures and behave in an analagous way to the X509v3 functions:
+ structures and behave in an analogous way to the X509v3 functions:
they shouldn't be called directly but wrapper functions should be used
instead.
@@ -9143,7 +10698,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
- NO_RSA in ssl/s2*.c.
+ NO_RSA in ssl/s2*.c.
[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
@@ -9185,9 +10740,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Honor the no-xxx Configure options when creating .DEF files.
[Ulf Möller]
- *) Add PKCS#10 attributes to field table: challengePassword,
+ *) Add PKCS#10 attributes to field table: challengePassword,
unstructuredName and unstructuredAddress. These are taken from
- draft PKCS#9 v2.0 but are compatible with v1.2 provided no
+ draft PKCS#9 v2.0 but are compatible with v1.2 provided no
international characters are used.
More changes to X509_ATTRIBUTE code: allow the setting of types
@@ -9339,9 +10894,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
With these changes, a new set of functions and macros have appeared:
- CRYPTO_set_mem_debug_functions() [F]
+ CRYPTO_set_mem_debug_functions() [F]
CRYPTO_get_mem_debug_functions() [F]
- CRYPTO_dbg_set_options() [F]
+ CRYPTO_dbg_set_options() [F]
CRYPTO_dbg_get_options() [F]
CRYPTO_malloc_debug_init() [M]
@@ -9354,7 +10909,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
debugging functions are used, CRYPTO_dbg_set_options can be used to
request additional information:
CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
- the CRYPTO_MDEBUG_xxx macro when compiling the library.
+ the CRYPTO_MDEBUG_xxx macro when compiling the library.
Also, things like CRYPTO_set_mem_functions will always give the
expected result (the new set of functions is used for allocation
@@ -9497,7 +11052,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
other than PKCS#8 should be dumped: but the other formats have to
stay in the name of compatibility.
- With public keys and the benefit of hindsight one standard format
+ With public keys and the benefit of hindsight one standard format
is used which works with EVP_PKEY, RSA or DSA structures: though
it clearly returns an error if you try to read the wrong kind of key.
@@ -9614,7 +11169,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
will also read in any additional "auxiliary information". By
doing things this way a fair degree of compatibility can be
retained: existing certificates can have this information added
- using the new 'x509' options.
+ using the new 'x509' options.
Current auxiliary information includes an "alias" and some trust
settings. The trust settings will ultimately be used in enhanced
@@ -9630,7 +11185,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
performance improvement for 1024 bit RSA signs.
[Mark Cox]
- *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
+ *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
handling. Most clients have the effective key size in bits equal to
the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
A few however don't do this and instead use the size of the decrypted key
@@ -9642,7 +11197,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
the key length and effective key length are equal.
[Steve Henson]
- *) Add a bunch of functions that should simplify the creation of
+ *) Add a bunch of functions that should simplify the creation of
X509_NAME structures. Now you should be able to do:
X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
and have it automatically work out the correct field type and fill in
@@ -9675,7 +11230,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Use the random seed file in some applications that previously did not:
ca,
- dsaparam -genkey (which also ignored its '-rand' option),
+ dsaparam -genkey (which also ignored its '-rand' option),
s_client,
s_server,
x509 (when signing).
@@ -9712,7 +11267,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add various functions that can check a certificate's extensions
to see if it usable for various purposes such as SSL client,
- server or S/MIME and CAs of these types. This is currently
+ server or S/MIME and CAs of these types. This is currently
VERY EXPERIMENTAL but will ultimately be used for certificate chain
verification. Also added a -purpose flag to x509 utility to
print out all the purposes.
@@ -9885,7 +11440,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
provides hooks that allow the default DSA functions or functions on a
"per key" basis to be replaced. This allows hardware acceleration and
hardware key storage to be handled without major modification to the
- library. Also added low level modexp hooks and CRYPTO_EX structure and
+ library. Also added low level modexp hooks and CRYPTO_EX structure and
associated functions.
[Steve Henson]
@@ -9904,7 +11459,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Bugfix: ssl23_get_client_hello did not work properly when called in
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
- but a retry condition occured while trying to read the rest.
+ but a retry condition occurred while trying to read the rest.
[Bodo Moeller]
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as
@@ -9930,7 +11485,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Bodo Moeller]
Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
-
+
*) Install libRSAglue.a when OpenSSL is built with RSAref.
[Ralf S. Engelschall]
@@ -10019,7 +11574,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
delete an unused file.
[Ulf Möller]
- *) Add support for the the free Netwide assembler (NASM) under Win32,
+ *) Add support for the free Netwide assembler (NASM) under Win32,
since not many people have MASM (ml) and it can be hard to obtain.
This is currently experimental but it seems to work OK and pass all
the tests. Check out INSTALL.W32 for info.
@@ -10035,7 +11590,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
for verifying the consistency of RSA keys.
[Ulf Moeller, Bodo Moeller]
- *) Various changes to make Win32 compile work:
+ *) Various changes to make Win32 compile work:
1. Casts to avoid "loss of data" warnings in p5_crpt2.c
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
comparison" warnings.
@@ -10059,7 +11614,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Omitting parameters is no longer recommended. The test was also
the wrong way round! This was probably due to unusual behaviour in
- EVP_cmp_parameters() which returns 1 if the parameters match.
+ EVP_cmp_parameters() which returns 1 if the parameters match.
This meant that parameters were omitted when they *didn't* match and
the certificate was useless. Certificates signed with 'ca' didn't have
this bug.
@@ -10136,7 +11691,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Complete the PEM_* macros with DECLARE_PEM versions to replace the
function prototypes in pem.h, also change util/mkdef.pl to add the
- necessary function names.
+ necessary function names.
[Steve Henson]
*) mk1mf.pl (used by Windows builds) did not properly read the
@@ -10176,7 +11731,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add initial documentation of the X509V3 functions.
[Steve Henson]
- *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
+ *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
PEM_write_bio_PKCS8PrivateKey() that are equivalent to
PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
secure PKCS#8 private key format with a high iteration count.
@@ -10318,11 +11873,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.2b and 0.9.3 [24 May 1999]
*) Bignum library bug fix. IRIX 6 passes "make test" now!
- This also avoids the problems with SC4.2 and unpatched SC5.
+ This also avoids the problems with SC4.2 and unpatched SC5.
[Andy Polyakov <appro@fy.chalmers.se>]
*) New functions sk_num, sk_value and sk_set to replace the previous macros.
- These are required because of the typesafe stack would otherwise break
+ These are required because of the typesafe stack would otherwise break
existing code. If old code used a structure member which used to be STACK
and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
sk_num or sk_value it would produce an error because the num, data members
@@ -10383,7 +11938,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
- -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
+ -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
[Ralf S. Engelschall]
*) Various fixes to the EVP and PKCS#7 code. It may now be able to
@@ -10404,7 +11959,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
in different behaviour than observed with earlier library versions:
Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
does not influence s as it used to.
-
+
In order to clean up things more thoroughly, inside SSL_SESSION
we don't use CERT any longer, but a new structure SESS_CERT
that holds per-session data (if available); currently, this is
@@ -10452,7 +12007,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Update HPUX configuration.
[Anonymous]
-
+
*) Add missing sk_<type>_unshift() function to safestack.h
[Ralf S. Engelschall]
@@ -10556,11 +12111,11 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix lots of warnings.
[Richard Levitte <levitte@stacken.kth.se>]
-
+
*) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
the directory spec didn't end with a LIST_SEPARATOR_CHAR.
[Richard Levitte <levitte@stacken.kth.se>]
-
+
*) Fix problems with sizeof(long) == 8.
[Andy Polyakov <appro@fy.chalmers.se>]
@@ -10644,7 +12199,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Bugfix: In test/testenc, don't test "openssl <cipher>" for
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
- all available cipers including rc5, which was forgotten until now.
+ all available ciphers including rc5, which was forgotten until now.
In order to let the testing shell script know which algorithms
are available, a new (up to now undocumented) command
"openssl list-cipher-commands" is used.
@@ -10671,7 +12226,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New config option to avoid instructions that are illegal on the 80386.
The default code is faster, but requires at least a 486.
[Ulf Möller]
-
+
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
SSL2_SERVER_VERSION (not used at all) macros, which are now the
same as SSL2_VERSION anyway.
@@ -10714,8 +12269,8 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
OAEP isn't supported when OpenSSL is built with RSAref.
[Ulf Moeller <ulf@fitug.de>]
- *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
- so they no longer are missing under -DNOPROTO.
+ *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
+ so they no longer are missing under -DNOPROTO.
[Soren S. Jorvang <soren@t.dk>]
@@ -10774,7 +12329,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
*) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
- advapi32.lib to Win32 build and change the pem test comparision
+ advapi32.lib to Win32 build and change the pem test comparison
to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
and crypto/des/ede_cbcm_enc.c.
@@ -10829,7 +12384,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
other platforms details on the command line without having to patch the
Configure script everytime: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
- to them (seperated by colons). This is treated as there would be a static
+ to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value
<details> and ``perl Configure <id>'' is called. So, when you want to
perform a quick test-compile under FreeBSD 3.1 with pgcc and without
@@ -10859,7 +12414,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) General source tree makefile cleanups: Made `making xxx in yyy...'
display consistent in the source tree and replaced `/bin/rm' by `rm'.
- Additonally cleaned up the `make links' target: Remove unnecessary
+ Additionally cleaned up the `make links' target: Remove unnecessary
semicolons, subsequent redundant removes, inline point.sh into mklink.sh
to speed processing and no longer clutter the display with confusing
stuff. Instead only the actually done links are displayed.
@@ -10872,14 +12427,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Ben Laurie]
*) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
- signed attributes when verifying signatures (this would break them),
+ signed attributes when verifying signatures (this would break them),
the detached data encoding was wrong and public keys obtained using
X509_get_pubkey() weren't freed.
[Steve Henson]
*) Add text documentation for the BUFFER functions. Also added a work around
to a Win95 console bug. This was triggered by the password read stuff: the
- last character typed gets carried over to the next fread(). If you were
+ last character typed gets carried over to the next fread(). If you were
generating a new cert request using 'req' for example then the last
character of the passphrase would be CR which would then enter the first
field as blank.
@@ -10888,7 +12443,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Added the new `Includes OpenSSL Cryptography Software' button as
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
button and can be used by applications based on OpenSSL to show the
- relationship to the OpenSSL project.
+ relationship to the OpenSSL project.
[Ralf S. Engelschall]
*) Remove confusing variables in function signatures in files
@@ -10919,7 +12474,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
openssl.doxy as the configuration file.
[Ben Laurie]
-
+
*) Get rid of remaining C++-style comments which strict C compilers hate.
[Ralf S. Engelschall, pointed out by Carlos Amengual]
@@ -10932,12 +12487,12 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
is needed for applications which have to configure certificates on a
per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
- (e.g. s_server).
+ (e.g. s_server).
For the RSA certificate situation is makes no difference, but
for the DSA certificate situation this fixes the "no shared cipher"
problem where the OpenSSL cipher selection procedure failed because the
temporary keys were not overtaken from the context and the API provided
- no way to reconfigure them.
+ no way to reconfigure them.
The new functions now let applications reconfigure the stuff and they
are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
@@ -11084,7 +12639,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
message is now correct (it understands "crypto" and "ssl" on its
command line). There is also now an "update" option. This will update
the util/ssleay.num and util/libeay.num files with any new functions.
- If you do a:
+ If you do a:
perl util/mkdef.pl crypto ssl update
it will update them.
[Steve Henson]
@@ -11135,7 +12690,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>]
-
+
*) New program nseq to manipulate netscape certificate sequences
[Steve Henson]
@@ -11170,7 +12725,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
error code, add initial support to X509_print() and x509 application.
[Steve Henson]
- *) Takes a deep breath and start addding X509 V3 extension support code. Add
+ *) Takes a deep breath and start adding X509 V3 extension support code. Add
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
stuff is currently isolated and isn't even compiled yet.
[Steve Henson]
@@ -11190,7 +12745,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Spelling mistake in C version of CAST-128.
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]
- *) Changes to the error generation code. The perl script err-code.pl
+ *) Changes to the error generation code. The perl script err-code.pl
now reads in the old error codes and retains the old numbers, only
adding new ones if necessary. It also only changes the .err files if new
codes are added. The makefiles have been modified to only insert errors
@@ -11242,7 +12797,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) The function OBJ_txt2nid was broken. It was supposed to return a nid
based on a text string, looking up short and long names and finally
"dot" format. The "dot" format stuff didn't work. Added new function
- OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
+ OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
OID is not part of the table.
[Steve Henson]
@@ -11336,7 +12891,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fix renumbering bug in X509_NAME_delete_entry().
[Ben Laurie]
- *) Enhanced the err-ins.pl script so it makes the error library number
+ *) Enhanced the err-ins.pl script so it makes the error library number
global and can add a library name. This is needed for external ASN1 and
other error libraries.
[Steve Henson]
@@ -11344,7 +12899,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fixed sk_insert which never worked properly.
[Steve Henson]
- *) Fix ASN1 macros so they can handle indefinite length construted
+ *) Fix ASN1 macros so they can handle indefinite length constructed
EXPLICIT tags. Some non standard certificates use these: they can now
be read in.
[Steve Henson]
@@ -11352,7 +12907,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
into a single doc/ssleay.txt bundle. This way the information is still
preserved but no longer messes up this directory. Now it's new room for
- the new set of documenation files.
+ the new set of documentation files.
[Ralf S. Engelschall]
*) SETs were incorrectly DER encoded. This was a major pain, because they
@@ -11389,10 +12944,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
- *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
+ *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
changed SSLeay to OpenSSL in version strings.
[Ralf S. Engelschall]
-
+
*) Some fixups to the top-level documents.
[Paul Sutton]
@@ -11400,7 +12955,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
because the symlink to include/ was missing.
[Ralf S. Engelschall]
- *) Incorporated the popular no-RSA/DSA-only patches
+ *) Incorporated the popular no-RSA/DSA-only patches
which allow to compile a RSA-free SSLeay.
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall]
@@ -11408,7 +12963,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
when "ssleay" is still not found.
[Ralf S. Engelschall]
- *) Added more platforms to Configure: Cray T3E, HPUX 11,
+ *) Added more platforms to Configure: Cray T3E, HPUX 11,
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]
*) Updated the README file.
@@ -11424,13 +12979,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Cleaned up the top-level documents;
o new files: CHANGES and LICENSE
- o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
+ o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
o merged COPYRIGHT into LICENSE
o removed obsolete TODO file
o renamed MICROSOFT to INSTALL.W32
[Ralf S. Engelschall]
- *) Removed dummy files from the 0.9.1b source tree:
+ *) Removed dummy files from the 0.9.1b source tree:
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
@@ -11446,7 +13001,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Young and Tim J. Hudson created while they were working for C2Net until
summer 1998.
[The OpenSSL Project]
-
+
Changes between 0.9.0b and 0.9.1b [not released]
@@ -11456,17 +13011,17 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Changed some BIGNUM api stuff.
[Eric A. Young]
- *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
+ *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
DGUX x86, Linux Alpha, etc.
[Eric A. Young]
- *) New COMP library [crypto/comp/] for SSL Record Layer Compression:
+ *) New COMP library [crypto/comp/] for SSL Record Layer Compression:
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
available).
[Eric A. Young]
- *) Add -strparse option to asn1pars program which parses nested
- binary structures
+ *) Add -strparse option to asn1pars program which parses nested
+ binary structures
[Dr Stephen Henson <shenson@bigfoot.com>]
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
@@ -11545,7 +13100,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Fixed various code and comment typos.
[Eric A. Young]
- *) A minor bug in ssl/s3_clnt.c where there would always be 4 0
+ *) A minor bug in ssl/s3_clnt.c where there would always be 4 0
bytes sent in the client random.
[Edward Bishop <ebishop@spyglass.com>]