Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
(CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certifcate requests and PKCS#12
files.
pkgsrc notes:
o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli),
Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn).
Because the Makefile system has been rewamped, other
platforms may require fixes. Please test if you can.
o OpenSSL can now be built with installation to DESTDIR.
Overview of important changes since 0.9.7i:
o Add gcc 4.2 support.
o DTLS improvements.
o RFC4507bis support.
o TLS Extensions support.
o RFC3779 support.
o New cipher Camellia
o Updated ECC cipher suite support.
o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
o Zlib compression usage fixes.
o Major work on the BIGNUM library for higher efficiency and to
make operations more streamlined and less contradictory. This
is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST
curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including
the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL
configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking
programs with shared or static libraries, through a separate
Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules
automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the key-generation and primality testing "progress"
mechanism to take a structure that contains the ticker
function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLOck ACE extension in VIA C3
Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions.
See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy
constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL
configuration file.
o Added support for multiple certificates with the same subject
in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using
'openssl ca -selfsign'.
o Make it possible to generate a serial number file with
'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all
sorts of data repositories. Supports storage of public and
private keys, certificates, CRLs, numbers and arbitrary blobs.
This library is unfortunately unfinished and unused withing
OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME
processing.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation
of X.509 path validation.
o Change the default digest in 'openssl' commands from MD5 to
SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for files larger than 2GB.
o Added alternate pkg-config files.
vulnerability triggered update due to CAN-2005-2969. Changes from
version 0.9.7f include:
o Fix SSL 2.0 Rollback, CAN-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
Pkgsrc changes from version 0.9.7e include:
*) Install the man pages with names that are less likely to collide
with other packages' man pages.
*) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building
with patented algorithms. By default, this package still builds
without patented algorithms.
Major changes from version 0.9.7e include:
*) Prompt for pass phrases when appropriate for PKCS12 input format.
*) Back-port of selected performance improvements from development
branch, as well as improved support for PowerPC platforms.
*) Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
*) Add new -passin argument to dgst.
*) Make an explicit check during certificate validation to see that
the CA setting in each certificate on the chain is correct.
too numerous to be listed here, but include adding a new DES API
(support for the old one is still present).
Changes to the pkgsrc structure include:
* Install the shared libraries with a version number that matches the
OpenSSL version number
* Move some of the less often-used c_* utilities back into the examples
directory.
* Drop support for using the RSAREF library and always use the built-in
RSA code instead.
According to README, "RSA Security holds software patents on the
RC5 algorithm. If you intend to use this cipher, you must contact
RSA Security for licensing conditions." And "The IDEA algorithm is
patented by Ascom ... They should be contacted if that algorithm
is to be used." The openssl FAQ says "For patent reasons, support
for IDEA, RC5 and MDC2 is disabled in this [Red Hat Linux] version."
The FAQ lists patent numbers and expiry dates of US patents:
MDC-2: 4,908,861 13/03/2007
IDEA: 5,214,703 25/05/2010
RC5: 5,724,428 03/03/2015
Now fee-based-commercial-use ACCEPTABLE_LICENSES is not needed.
${LOCALBASE}/bin/perl.
* Refer to the make program used to drive the build and installation as
"${MAKE_PROGRAM}".
* Instead of explicitly setting PKG_SYSCONFBASE=/etc, use the pkg-specific
override PKG_SYSCONFDIR.openssl, and optionally set it so that the
user still has the option of overriding its value.
* Use bsd.pkg.install.mk to install the default config file (openssl.cnf)
and to create and remove the extra config directories. This lets us
reemove the extra lines in PLIST that do the same thing.
and also changes the ABI of "libcrypto" and "libssl". (So the shared
library majors and buildlink requirements are bumped, too.) The code
base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches
as of 2002-08-04, the optimization levels are reduced to "-O2", but
I've retained some of the processor optimization flags and different code
path #defines in the "Configure" script, just to keep things interesting.
The default "certs" directory on NetBSD is now "/etc/openssl/certs", to
give continuity to those who find themselves using the package system's
"openssl" after upgrading a package that formerly used the base system's.
[Suggested by itojun.] The best way to avoid such problems, however, is
to upgrade your base system *first*.
I'm making use of the new and improved build system as much as possible.
This gives us a cleaner way to make shared libraries and real man pages,
but loses many of the symlinks to the openssl binary.
I've culled items from the "CHANGES" file that appear to have security
implications or are particularly interesting for NetBSD users, below.
My comments are marked off with '===>'.
===> This is from the netbsd-20020804-patch
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
and get fix the header length calculation.
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
Alon Kantor <alonk@checkpoint.com> (and others),
Steve Henson]
Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
*) New option
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
that was added in OpenSSL 0.9.6d.
As the countermeasure turned out to be incompatible with some
broken SSL implementations, the new option is part of SSL_OP_ALL.
SSL_OP_ALL is usually employed when compatibility with weird SSL
implementations is desired (e.g. '-bugs' option to 's_client' and
's_server'), so the new option is automatically set in many
applications.
[Bodo Moeller]
*) Changes in security patch:
Changes marked "(CHATS)" were sponsored by the Defense Advanced
Research Projects Agency (DARPA) and Air Force Research Laboratory,
Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.
*) Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
supplied buffer.
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
*) Assertions for various potential buffer overflows, not known to
happen in practice.
[Ben Laurie (CHATS)]
*) Various temporary buffers to hold ASCII versions of integers were
too small for 64 bit platforms. (CAN-2002-0655)
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
*) Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized session ID to a client. (CAN-2002-0656)
[Ben Laurie (CHATS)]
*) Remote buffer overflow in SSL2 protocol - an attacker could
supply an oversized client master key. (CAN-2002-0656)
[Ben Laurie (CHATS)]
Changes between 0.9.6c and 0.9.6d [9 May 2002]
*) Implement a countermeasure against a vulnerability recently found
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
before application data chunks to avoid the use of known IVs
with data potentially chosen by the attacker.
[Bodo Moeller]
Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
PRNG state recovery was possible based on the output of
one PRNG request appropriately sized to gain knowledge on
'md' followed by enough consecutive 1-byte PRNG requests
to traverse all of 'state'.
1. When updating 'md_local' (the current thread's copy of 'md')
during PRNG output generation, hash all of the previous
'md_local' value, not just the half used for PRNG output.
2. Make the number of bytes from 'state' included into the hash
independent from the number of PRNG bytes requested.
The first measure alone would be sufficient to avoid
Markku-Juhani's attack. (Actually it had never occurred
to me that the half of 'md_local' used for chaining was the
half from which PRNG output bytes were taken -- I had always
assumed that the secret half would be used.) The second
measure makes sure that additional data from 'state' is never
mixed into 'md_local' in small portions; this heuristically
further strengthens the PRNG.
[Bodo Moeller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
when fixing the server behaviour for backwards-compatible 'client
hello' messages. (Note that the attack is impractical against
SSL 3.0 and TLS 1.0 anyway because length and version checking
means that the probability of guessing a valid ciphertext is
around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
paper.)
Before 0.9.5, the countermeasure (hide the error by generating a
random 'decryption result') did not work properly because
ERR_clear_error() was missing, meaning that SSL_get_error() would
detect the supposedly ignored error.
Both problems are now fixed.
[Bodo Moeller]
Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
===> This is our ABI change.
*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
with des_encrypt() defined on some operating systems, like Solaris
and UnixWare.
[Richard Levitte]
*) Don't use getenv in library functions when run as setuid/setgid.
New function OPENSSL_issetugid().
[Ulf Moeller]
*) Store verify_result within SSL_SESSION also for client side to
avoid potential security hole. (Re-used sessions on the client side
always resulted in verify_result==X509_V_OK, not using the original
result of the server certificate verification.)
[Lutz Jaenicke]
===> package doesn't doesn't do this. We'll bump major versions
===> as necessary.
*) Make sure that shared libraries get the internal name engine with
the full version number and not just 0. This should mark the
shared libraries as not backward compatible. Of course, this should
be changed again when we can guarantee backward binary compatibility.
[Richard Levitte]
*) Rework the system to generate shared libraries:
- Make note of the expected extension for the shared libraries and
if there is a need for symbolic links from for example libcrypto.so.0
to libcrypto.so.0.9.7. There is extended info in Configure for
that.
- Make as few rebuilds of the shared libraries as possible.
- Still avoid linking the OpenSSL programs with the shared libraries.
- When installing, install the shared libraries separately from the
static ones.
Remove `-p' from mkdir arguments, it is already part of ${MKDIR}.
While here substitute a couple of ${PREFIX} by `%D' in
`@exec ${MKDIR} ...' lines and add a couple of missing `%D' in such lines too!
