Lines Matching +full:int +full:- +full:array +full:- +full:variable +full:- +full:length +full:- +full:and +full:- +full:constrained +full:- +full:values

4 This is a high-level summary of the most important changes.
5 For a full list of changes, see the [git commit log][log] and
11 ----------------
13 - [OpenSSL 3.0](#openssl-30)
14 - [OpenSSL 1.1.1](#openssl-111)
15 - [OpenSSL 1.1.0](#openssl-110)
16 - [OpenSSL 1.0.2](#openssl-102)
17 - [OpenSSL 1.0.1](#openssl-101)
18 - [OpenSSL 1.0.0](#openssl-100)
19 - [OpenSSL 0.9.x](#openssl-09x)
22 -----------
27 breaking changes, and mappings for the large list of deprecated functions.
31 ### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
41 ([CVE-2024-6119])
51 ([CVE-2024-5535])
55 ### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
66 from the network and processed by OpenSSL, but the full record body
68 even though a record has only been partially processed and the buffer
72 data has been received and processed by OpenSSL but the application has
76 ([CVE-2024-4741])
93 ([CVE-2024-4603])
97 * Improved EC/DSA nonce generation routines to avoid bias and timing
100 Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
101 and Hubert Kario from Red Hat for reporting the issues.
103 *Tomáš Mráz and Paul Dale*
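The bias half of that nonce item, as an added example rather than OpenSSL's own code: a DSA/ECDSA nonce obtained by reducing exactly bit_length(q) random bits modulo q is skewed toward small values, and drawing 64 extra bits before the reduction (the FIPS 186-4 B.5.1 shape, k = (c mod (q-1)) + 1) pushes the skew down by 2^-64. A toy q and exhaustive enumeration of every possible draw are used here so the skew is measured exactly instead of sampled; the timing side of the fix is not shown.

```python
import random


def nonce_mod_q(rng, q, extra_bits=64):
    """Nonce in [1, q-1] as (c mod (q-1)) + 1 from a bit_length(q)+extra_bits draw c.
    extra_bits=0 is the naive reduction; 64 is the FIPS 186-4 B.5.1 margin."""
    c = rng.getrandbits(q.bit_length() + extra_bits)
    return c % (q - 1) + 1


def sample_nonces(seed, q, count, extra_bits=64):
    """A reproducible batch of nonces from a seeded generator (demo helper)."""
    rng = random.Random(seed)
    return [nonce_mod_q(rng, q, extra_bits) for _ in range(count)]


def residue_histogram(q, extra_bits):
    """How often each nonce 1..q-1 arises over EVERY possible draw c.
    Exact, so keep q tiny; a real q is 256 bits and cannot be enumerated."""
    nbits = q.bit_length() + extra_bits
    counts = [0] * q
    for c in range(1 << nbits):
        counts[c % (q - 1) + 1] += 1
    return counts[1:]


def max_relative_bias(q, extra_bits):
    """Largest deviation of any nonce's frequency from uniform, relative to the mean."""
    counts = residue_histogram(q, extra_bits)
    mean = sum(counts) / len(counts)
    return max(abs(c - mean) for c in counts) / mean


if __name__ == "__main__":
    q = 11  # toy group order (constructed); 4 bits
    print("extra bits 0 :", residue_histogram(q, 0), round(max_relative_bias(q, 0), 4))
    print("extra bits 8 :", residue_histogram(q, 8), round(max_relative_bias(q, 8), 4))
    print("sample       :", sample_nonces(1, q, 8))
```

With q = 11 and no extra bits the six smallest nonces are twice as likely as the other four; eight extra bits already shrink the imbalance to about one part in 700, and 64 extra bits make it unmeasurable. A constant-time implementation must additionally avoid leaking the size of c through the reduction, which is why the real routines work on fixed-width values.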
105 * Fixed an issue where some non-default TLS server configurations can cause
110 This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option
111 is being used (but not if early_data is also configured and the default
112 anti-replay protection is in use). In this case, under certain conditions,
113 the session cache can get into an incorrect state and it will fail to flush
119 ([CVE-2024-2511])
129 ### Changes between 3.0.12 and 3.0.13 [30 Jan 2024]
131 * A file in PKCS12 format can contain certificates and keys and may come from
141 and PKCS12_newpass().
147 ([CVE-2024-0727])
153 For valid RSA keys, n is a product of two or more large primes and this
157 An application that calls EVP_PKEY_public_check() and supplies an RSA key
164 with the "-pubin" and "-check" options on untrusted data.
169 ([CVE-2023-6237])
173 * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
174 have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
187 be various - from no consequences, if the calling application does not
188 depend on the contents of non-volatile XMM registers at all, to the worst
195 ([CVE-2023-6129])
209 ([CVE-2023-5678])
213 ### Changes between 3.0.11 and 3.0.12 [24 Oct 2023]
215 * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(),
217 that alter the key or IV length ([CVE-2023-5363]).
221 ### Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
226 does not save the contents of non-volatile XMM registers on Windows 64
230 x86_64 processors supporting the AVX512-IFMA instructions.
233 be various - from no consequences, if the calling application does not
234 depend on the contents of non-volatile XMM registers at all, to the worst
237 zeroized so the attacker cannot put arbitrary values inside, the most likely
241 ([CVE-2023-4807])
245 ### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
250 fixing CVE-2023-3446 it was discovered that a large q parameter value can
257 DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
260 ([CVE-2023-3817])
268 Trying to use a very large modulus is slow and OpenSSL will not normally use
269 a modulus which is over 10,000 bits in length.
279 ([CVE-2023-3446])
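The ordering those two DH entries describe, as an added example in Python rather than OpenSSL's DH_check(): gate on the modulus size before any arithmetic, and validate q structurally before it is ever used as an exponent, so a huge p or a huge q is rejected in constant work. DH_CHECK_INVALID_Q_VALUE is the flag named on the page; the other flag names and the treatment of the 10,000-bit cut-off as a hard error are this example's assumptions. The sample parameters are the 1024-bit MODP group from RFC 2409 (a safe prime with q = (p-1)/2), chosen only because its value is short enough to embed.

```python
import random

MAX_MODULUS_BITS = 10_000   # the page: OpenSSL will not normally use a modulus over 10,000 bits

# Result flags. DH_CHECK_INVALID_Q_VALUE is the flag named on the page; the others
# are this example's own names (assumption), loosely modelled on DH_check() flags.
DH_CHECK_P_NOT_PRIME = 0x01
DH_NOT_SUITABLE_GENERATOR = 0x08
DH_CHECK_Q_NOT_PRIME = 0x10
DH_CHECK_INVALID_Q_VALUE = 0x20
DH_MODULUS_TOO_LARGE = 0x100

_RNG = random.Random(2024)  # fixed seed so the example is reproducible


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division: the expensive step this whole check guards."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_check(p, g, q=None):
    """Validate untrusted DH parameters; returns 0 or a bitmask of the flags above."""
    # 1. Size gate before any arithmetic: every later step costs O(bits^3),
    #    so an attacker-supplied enormous p is refused without touching it.
    if p.bit_length() > MAX_MODULUS_BITS:
        return DH_MODULUS_TOO_LARGE
    flags = 0
    # 2. Structural checks on q before it is used as an exponent. An out-of-range
    #    q is flagged and every q-dependent exponentiation below is skipped.
    q_usable = q is not None
    if q is not None and not (1 < q < p and (p - 1) % q == 0):
        flags |= DH_CHECK_INVALID_Q_VALUE
        q_usable = False
    # 3. Generator range.
    if not 1 < g < p - 1:
        flags |= DH_NOT_SUITABLE_GENERATOR
    # 4. Primality of p, now that its size is known to be sane.
    if p < 3 or p % 2 == 0 or not is_probable_prime(p):
        flags |= DH_CHECK_P_NOT_PRIME
    # 5. q-dependent checks, only with a q that passed step 2.
    if q_usable:
        if not is_probable_prime(q):
            flags |= DH_CHECK_Q_NOT_PRIME
        if pow(g, q, p) != 1:
            flags |= DH_NOT_SUITABLE_GENERATOR
    return flags


# RFC 2409 1024-bit MODP group (group 2): p is a safe prime, g = 2, q = (p-1)/2.
P_MODP1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q_MODP1024 = (P_MODP1024 - 1) // 2

if __name__ == "__main__":
    print("good params      :", hex(dh_check(P_MODP1024, 2, Q_MODP1024)))
    print("q >= p           :", hex(dh_check(P_MODP1024, 2, P_MODP1024)))
    print("12000-bit modulus:", hex(dh_check((1 << 12000) | 1, 2)))
```

The 12000-bit call returns immediately, and a q larger than p never reaches pow(); an implementation that runs the primality test or g^q mod p first is the shape both CVEs exploited.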
283 * Do not ignore empty associated data entries with AES-SIV.
285 The AES-SIV algorithm allows for authentication of multiple associated
288 with NULL pointer as the output buffer and 0 as the input buffer length.
289 The AES-SIV implementation in OpenSSL just returns success for such call
291 The empty data thus will not be authenticated. ([CVE-2023-2975])
295 The fix changes the authentication tag value and the ciphertext for
296 applications that use empty associated data entries with AES-SIV.
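What the AES-SIV fix changes, as an added example: the S2V string-vector PRF from RFC 5297, written in Python with HMAC-SHA256 truncated to 16 bytes standing in for AES-CMAC (an assumption made so it runs without an AES implementation; this is not OpenSSL's code and its outputs are not AES-SIV test-vector tags). `s2v_skipping_empty_ad` models the pre-fix behaviour, in which an empty associated-data entry contributes nothing, so a message carrying the empty entry and one without it produce the same tag.

```python
import hashlib
import hmac

BLOCK = 16


def prf_stand_in(key, msg):
    """Stands in for AES-CMAC (assumption, so the example needs no AES code):
    HMAC-SHA256 truncated to one 16-byte block. Plug a real CMAC in for AES-SIV."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def dbl(block):
    """Doubling in GF(2^128) with the x^128 + x^7 + x^2 + x + 1 polynomial (RFC 5297 2.3)."""
    v = int.from_bytes(block, "big") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s):
    """10* padding of a string shorter than one block."""
    return s + b"\x80" + b"\x00" * (BLOCK - 1 - len(s))


def s2v(key, strings, prf=prf_stand_in):
    """S2V(K, S1..Sn) from RFC 5297 2.4: every element, empty or not, is absorbed."""
    if not strings:
        return prf(key, b"\x00" * 15 + b"\x01")
    d = prf(key, b"\x00" * BLOCK)
    for s in strings[:-1]:            # associated data entries, in order
        d = xor(dbl(d), prf(key, s))  # an empty s still contributes prf(key, b"")
    last = strings[-1]                # the plaintext
    if len(last) >= BLOCK:
        t = last[:-BLOCK] + xor(last[-BLOCK:], d)   # xorend
    else:
        t = xor(dbl(d), pad(last))
    return prf(key, t)


def s2v_skipping_empty_ad(key, strings, prf=prf_stand_in):
    """Models the pre-fix behaviour: an empty associated-data entry is silently
    dropped, so it is not authenticated and two different inputs share a tag."""
    ad, last = strings[:-1], strings[-1]
    return s2v(key, [s for s in ad if s] + [last], prf)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    with_empty = [b"header", b"", b"attack at dawn"]
    without = [b"header", b"attack at dawn"]
    print("fixed, empty AD counted :", s2v(key, with_empty).hex())
    print("fixed, no empty AD      :", s2v(key, without).hex())
    print("pre-fix, empty AD       :", s2v_skipping_empty_ad(key, with_empty).hex())
```

In AES-SIV the S2V output is both the authentication tag and the CTR counter block, which is why counting the empty entry changes the ciphertext as well as the tag, and why data written with the old behaviour must be re-encrypted or decrypted with code that reproduces it.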
303 ### Changes between 3.0.8 and 3.0.9 [30 May 2023]
306 OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
309 numeric text form. For gigantic sub-identifiers, this would take a very
311 sub-identifier. ([CVE-2023-2650])
315 IDENTIFIER is 586 bytes or less, and fail otherwise.
318 IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
319 most 128 sub-identifiers, and that the maximum value that each sub-
320 identifier may have is 2^32-1 (4294967295 decimal).
322 For each byte of every sub-identifier, only the 7 lower bits are part of
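The limits that entry describes, as an added example (not OpenSSL's OBJ_obj2txt()): a Python decoder for the content octets of a DER OBJECT IDENTIFIER that refuses input longer than 586 bytes before decoding, stops accumulating a sub-identifier the moment it can no longer fit in 2^32-1, and caps the arc count at 128. Only the low 7 bits of each byte carry value; the high bit means another byte follows. Rejecting a leading 0x80 byte (non-minimal encoding) is an extra strictness check this example adds.

```python
MAX_ARCS = 128                 # X.400 / ITU-T limit named on this page
MAX_ARC_VALUE = 2 ** 32 - 1    # per sub-identifier
MAX_CONTENT_LEN = 586          # the OBJ_obj2txt() cut-off described above


class OIDError(ValueError):
    pass


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER (tag and length already
    stripped) into dotted text, rejecting gigantic or over-long input up front."""
    if not content:
        raise OIDError("empty OBJECT IDENTIFIER")
    if len(content) > MAX_CONTENT_LEN:
        raise OIDError(f"{len(content)} bytes exceeds the {MAX_CONTENT_LEN}-byte limit")
    if content[-1] & 0x80:
        raise OIDError("last sub-identifier is truncated")
    subids = []
    value, in_progress = 0, False
    for b in content:
        if not in_progress and b == 0x80:
            raise OIDError("non-minimal (leading 0x80) sub-identifier")
        # Only the low 7 bits carry data; bit 7 says another byte follows.
        value = (value << 7) | (b & 0x7F)
        in_progress = True
        # Bail as soon as the value cannot be legal: this is what keeps a
        # 586-byte sub-identifier from turning into bignum work.
        if value > MAX_ARC_VALUE + 80:   # +80 allows for the packed first two arcs
            raise OIDError("sub-identifier exceeds 2^32-1")
        if b & 0x80:
            continue
        subids.append(value)
        value, in_progress = 0, False
    # The first encoded sub-identifier packs arcs 1 and 2 as 40*X + Y, X in 0..2.
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    arcs += subids[1:]
    if len(arcs) > MAX_ARCS:
        raise OIDError(f"{len(arcs)} sub-identifiers exceeds {MAX_ARCS}")
    if any(a > MAX_ARC_VALUE for a in arcs):
        raise OIDError("sub-identifier exceeds 2^32-1")
    return ".".join(map(str, arcs))


def safe_decode_oid(content):
    """Dotted text, or None when the OID violates any of the limits."""
    try:
        return decode_oid(content)
    except OIDError:
        return None


if __name__ == "__main__":
    print(decode_oid(bytes.fromhex("2a864886f70d010101")))   # rsaEncryption
    print(safe_decode_oid(b"\x2a" + b"\xff" * 100 + b"\x7f"))  # None: gigantic arc
```

A decoder without the in-loop bound still terminates, but only after building a 700-bit integer and converting it to decimal; with many such OIDs in one certificate that is the slowdown the entry describes.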
329 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
331 trigger a crash of an application using AES-XTS decryption if the memory
334 ([CVE-2023-1255])
338 * Reworked the Fix for the Timing Oracle in RSA Decryption ([CVE-2022-4304]).
340 a severe 2-3x performance regression in the typical use case
342 code paths, and restores the previous performance level while
352 ([CVE-2023-0466])
357 silently ignored by OpenSSL and other certificate policy checks are skipped
361 ([CVE-2023-0465])
366 against CVE-2023-0464. The default limit is set to 1000 nodes, which
371 ([CVE-2023-0464])
375 ### Changes between 3.0.7 and 3.0.8 [7 Feb 2023]
386 ([CVE-2023-0401])
388 PKCS7 data is processed by the SMIME library calls and also by the
409 ([CVE-2023-0286])
424 security requirements imposed by standards such as FIPS 140-3.
425 ([CVE-2023-0217])
439 ([CVE-2023-0216])
443 * Fixed Use-after-free following BIO_new_NDEF.
447 to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
451 filter BIO onto the front of it to form a BIO chain, and then returns
454 is freed and the function returns a NULL result indicating a failure.
455 However, in this case, the BIO chain is not properly cleaned up and the
458 then a use-after-free will occur. This will most likely result in a crash.
459 ([CVE-2023-0215])
465 The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
466 decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
467 data. If the function succeeds then the "name_out", "header" and "data"
476 The functions PEM_read_bio() and PEM_read() are simple wrappers around
477 PEM_read_bio_ex() and therefore these functions are also directly affected.
480 functions including PEM_X509_INFO_read_bio_ex() and
484 ([CVE-2022-4450])
495 modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
496 ([CVE-2022-4304])
507 client authentication and a malicious client connects.
508 ([CVE-2022-4203])
514 If an X.509 certificate contains a malformed policy constraint and
520 ([CVE-2022-3996])
524 * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and
525 `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor
526 `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and
530 For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to`
531 for legacy EC and SM2 keys is also changed similarly to honor the
538 ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
544 certificate chain signature verification and requires either a CA to
551 client authentication and a malicious client connects.
557 ([CVE-2022-3786])
560 attacker-controlled bytes on the stack. This buffer overflow could
563 ([CVE-2022-3602])
570 OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
596 ### Changes between 3.0.5 and 3.0.6 [11 Oct 2022]
599 EVP_CIPHER_meth_new() function and associated function calls. This function
600 was deprecated in OpenSSL 3.0 and application authors are instead encouraged
604 passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and
606 and decryption initialisation functions). Instead of using the custom cipher
613 will match the NULL cipher as being equivalent and will fetch this from the
620 EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an
623 ([CVE-2022-3358])
632 * Fixed the linux-mips64 Configure target which was missing the
647 * Fixed detection of ktls support in cross-compile environment on Linux
651 * Fixed some regressions and test failures when running the 3.0.0 FIPS provider
656 * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
665 * For known safe primes use the minimum key length according to RFC 7919.
678 only passed to the FIPS provider and not to the default or legacy provider.
683 implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
684 32-bit lane assignment in CTR mode") for 64bit targets only, since it is
685 reportedly 2-17% slower and the silicon errata only affects 32bit targets.
695 ### Changes between 3.0.4 and 3.0.5 [5 Jul 2022]
700 incorrect on such machines and memory corruption will happen during
708 ([CVE-2022-2274])
712 * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
718 Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
720 ([CVE-2022-2097])
724 ### Changes between 3.0.3 and 3.0.4 [21 Jun 2022]
727 CVE-2022-1292, further bugs where the c_rehash script does not
731 When the CVE-2022-1292 was fixed it was not discovered that there
739 Use of the c_rehash script is considered obsolete and should be replaced
741 (CVE-2022-2068)
750 ### Changes between 3.0.2 and 3.0.3 [3 May 2022]
752 * Case insensitive string comparison is reimplemented via new locale-agnostic
765 Use of the c_rehash script is considered obsolete and should be replaced
767 (CVE-2022-1292)
773 where the (non-default) flag OCSP_NOCHECKS is used to return a positive
784 verifying an ocsp response with the "-no_cert_checks" option the command line
787 be accompanied by error messages showing the failure and contradicting the
789 ([CVE-2022-1343])
793 * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
796 An attacker could exploit this issue by performing a man-in-the-middle attack
800 Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
801 endpoint will always be rejected by the recipient and the connection will
804 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
807 sent in both directions. In this case both clients and servers could be
811 endpoint communicating with a non-OpenSSL 3.0 endpoint will fail to complete
815 cannot decrypt data that has been encrypted using this ciphersuite - they can
819 the RC4-MD5 ciphersuite. This ciphersuite is not compiled by default in
820 OpenSSL 3.0, and is not available within the default provider or the default
825 1) OpenSSL must have been compiled with the (non-default) compile time option
826 enable-weak-ssl-ciphers
837 6) Both endpoints must negotiate the RC4-MD5 ciphersuite in preference to any
839 (CVE-2022-1434)
848 expand without bounds and the process might be terminated by the operating
854 (CVE-2022-1473)
858 * The functions `OPENSSL_LH_stats` and `OPENSSL_LH_stats_bio` now only report
859 the `num_items`, `num_nodes` and `num_alloc_nodes` statistics. All other
865 ### Changes between 3.0.1 and 3.0.2 [15 Mar 2022]
868 for non-prime moduli.
885 - TLS clients consuming server certificates
886 - TLS servers consuming client certificates
887 - Hosting providers taking certificates or private keys from customers
888 - Certificate authorities parsing certification requests from subscribers
889 - Anything else which parses ASN.1 elliptic curve parameters
892 can control the parameter values are vulnerable to this DoS issue.
893 ([CVE-2022-0778])
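How a modular square root routine is kept from spinning on a composite modulus, as an added example in Python (not OpenSSL's BN_mod_sqrt()): Tonelli-Shanks with every search bounded, so a non-prime p, which can pass the Euler criterion, returns "no root" instead of looping forever. The 64-try bound on the non-residue search is this example's choice.

```python
def mod_sqrt(a, p, max_nonresidue_tries=64):
    """Tonelli-Shanks: x with x*x = a (mod p), or None. Correct for prime p; for a
    composite p (which can slip past the Euler check) every loop is still bounded,
    so the worst case is a wrong 'None', never a hang."""
    a %= p
    if p == 2:
        return a
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:     # Euler's criterion: non-residue, or p not prime
        return None
    q, s = p - 1, 0                      # p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    if s == 1:                           # p = 3 (mod 4): closed form, then verify
        x = pow(a, (p + 1) // 4, p)
        return x if x * x % p == a else None
    z = 2                                # bounded search for a quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
        if z > max_nonresidue_tries + 1:
            return None
    c, x, t, m = pow(z, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p), s
    while t != 1:
        # Least i in (0, m) with t^(2^i) = 1. For prime p it always exists; for
        # composite p it may not, and an unbounded search here is an infinite loop.
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i == m:
                return None
        b = pow(c, 1 << (m - i - 1), p)
        x, c, t, m = x * b % p, b * b % p, t * b * b % p, i   # m strictly decreases
    return x if x * x % p == a else None


if __name__ == "__main__":
    print("sqrt(10) mod 13            ->", mod_sqrt(10, 13))
    print("sqrt(16) mod 85 (composite) ->", mod_sqrt(16, 85))   # None, and promptly
```

16 is a genuine square modulo 85 (4^2), and 85 passes the Euler test for it, yet the inner search fails: with the bound the call returns None at once, which is the correct answer for a routine that is only specified for prime moduli. This is why parsers of explicit EC parameters must not hand an unchecked field prime to such a routine.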
897 * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
903 * Made the AES constant time code for no-asm configurations
906 builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
921 ### Changes between 3.0.0 and 3.0.1 [14 Dec 2021]
927 memory). Such a negative return value is mishandled by OpenSSL and will cause
929 success and a subsequent call to SSL_get_error() to return the value
934 totally unexpected and applications may not behave correctly as a result. The
944 ([CVE-2021-4044])
948 * Corrected a few file name and file reference bugs in the build,
949 installation and setup scripts, which lead to installation verification
968 OSSL_PARAM_INTEGER data type and return error on negative numbers
978 * Fixed detection of ARMv7 and ARM64 CPU features on FreeBSD.
995 ### Changes between 1.1.1 and 3.0.0 [7 Sep 2021]
997 * TLS_MAX_VERSION, DTLS_MAX_VERSION and DTLS_MIN_VERSION constants are now
1002 * The `OPENSSL_s390xcap` environment variable can be used to set bits in the
1008 * Encrypting more than 2^64 TLS records with AES-GCM is disallowed
1009 as per FIPS 140-2 IG A.5 "Key/IV Pair Uniqueness Requirements from
1010 SP 800-38D". The communication will fail at this point.
1020 beginning of a PEM-formatted file.
1037 *OpenSSL team members and many third party contributors*
1040 "AES-128-SIV", "AES-128-CBC-CTS" and "CAMELLIA-128-CBC-CTS" which were
1049 or not. This unpredictable behavior was removed and eventual
1051 `--libdir=lib` to override the libdir if adding the postfix is
1073 be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set.
1078 * Rework and make DEBUG macros consistent. Remove unused -DCONF_DEBUG,
1079 -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for
1080 printing reference counts. Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
1081 Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set
1086 * The signatures of the functions to get and set options on SSL and
1092 * The public definitions of conf_method_st and conf_st have been
1095 *Rich Salz and Tomáš Mráz*
1097 * Client-initiated renegotiation is disabled by default. To allow it, use
1098 the -client_renegotiation option, the SSL_OP_ALLOW_CLIENT_RENEGOTIATION
1103 * Add "abspath" and "includedir" pragmas to config files, to prevent,
1108 * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
1109 validated. Please consult the README-FIPS and
1110 README-PROVIDERS files, as well as the migration guide.
1112 *OpenSSL team members and many third party contributors*
1114 * For the key types DH and DHX the allowed settable parameters are now different.
1118 * The openssl commands that read keys, certificates, and CRLs now
1121 *David von Oheimb, Richard Levitte, and Tomáš Mráz*
1133 *Boris Pismenny, John Baldwin and Andrew Gallatin*
1149 * The error return values from some control calls (ctrl) have changed.
1157 * Many functions in the EVP_ namespace that are getters of values from
1159 names. Old names are provided as macro aliases for compatibility and
1166 EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
1171 * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
1188 * Add filter BIO BIO_f_readbuffer() that allows BIO_tell() and BIO_seek() to
1196 this function would return one of the values OSSL_STORE_INFO_NAME,
1205 * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
1206 for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
1207 As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
1215 RC5, DESX and DES have been moved to the legacy provider.
1219 * The implementation of the EVP digests MD2, MD4, MDC2, WHIRLPOOL and
1220 RIPEMD-160 have been moved to the legacy provider.
1231 EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as
1237 * A number of functions handling low-level keys or engines were deprecated
1239 EVP_PKEY_get0(), EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and
1248 - NID_pbeWithMD2AndDES_CBC
1249 - NID_pbeWithMD5AndDES_CBC
1250 - NID_pbeWithSHA1AndRC2_CBC
1251 - NID_pbeWithMD2AndRC2_CBC
1252 - NID_pbeWithMD5AndRC2_CBC
1253 - NID_pbeWithSHA1AndDES_CBC
1257 * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and
1262 * Deprecated obsolete EVP_PKEY_CTX_get0_dh_kdf_ukm() and
1276 algorithms. This is enabled by including the no-cached-fetch option
1281 * pkcs12 now uses defaults of PBKDF2, AES and SHA-256, with a MAC iteration
1284 *Tomáš Mráz and Sahana Prasad*
1286 * The openssl speed command does not use low-level API calls anymore.
1290 * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
1295 * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3.
1302 detected and used by libssl.
1310 * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range().
1315 SSLv2). This includes the functions RSA_padding_check_SSLv23() and
1316 RSA_padding_add_SSLv23() and the `-ssl` option in the deprecated
1326 *Viktor Dukhovni and David von Oheimb*
1329 BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and
1334 * The default key generation method for the regular 2-prime RSA keys was
1335 changed to the FIPS 186-4 B.3.6 method.
1339 * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions.
1343 * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn().
1347 * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*() and
1348 replaced with OSSL_HTTP_REQ_CTX and the functions OSSL_HTTP_REQ_CTX_*().
1350 *Rich Salz, Richard Levitte, and David von Oheimb*
1352 * Deprecated `X509_http_nbio()` and `X509_CRL_http_nbio()`.
1365 * Behavior of the `pkey` app is changed, when using the `-check` or `-pubcheck`
1371 * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites()
1376 * The `-cipher-commands` and `-digest-commands` options
1378 Instead use the `-cipher-algorithms` and `-digest-algorithms` options.
1383 The 'quick' one-shot (yet somewhat limited) function L<EVP_PKEY_Q_keygen(3)>
1384 and macros for the most common cases: L<EVP_RSA_gen(3)> and L<EVP_EC_gen(3)>.
1390 *Shane Lontis, Paul Dale, Richard Levitte, and Tomáš Mráz*
1392 * Deprecated all the libcrypto and libssl error string loading
1397 * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
1398 well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
1403 * The `-crypt` option to the `passwd` command line tool has been removed.
1407 * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
1416 * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
1427 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
1432 * Added new option for 'openssl list', '-providers', which will display the
1433 list of loaded providers, their names, version and status. It optionally
1442 * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
1455 *Paul Dale and Matthias St. Pierre*
1457 * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
1462 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
1463 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
1465 TLS-based contexts. The commands can be repeated to set bounds of both
1466 types. The same applies with the corresponding "min_protocol" and
1467 "max_protocol" command-line switches, in case some application uses both TLS
1468 and DTLS.
1473 error. Now only the "version-flexible" SSL_CTX instances are subject to
1474 limits in configuration files or command-line options.
1491 *Nicola Tuveri and David von Oheimb*
1493 * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
1494 AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
1503 *Rich Salz and Richard Levitte*
1512 a non-default `OSSL_LIB_CTX`.
1525 * Deprecated `EVP_PKEY_cmp()` and `EVP_PKEY_cmp_parameters()`.
1527 *David von Oheimb and Shane Lontis*
1535 EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
1539 * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
1543 * Add CAdES-BES signature verification support, mostly derived
1548 * Add CAdES-BES signature scheme and attributes support (RFC 5126) to CMS API.
1552 * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
1557 * Deprecated EC_POINT_make_affine() and EC_POINTs_make_affine().
1561 * Deprecated EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and
1570 * Removed FIPS_mode() and FIPS_mode_set().
1578 * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and
1586 the various push functions and finally convert to a passable OSSL_PARAM
1587 array using OSSL_PARAM_BLD_to_param().
1591 * The security strength of SHA1 and MD5 based signatures in TLS has been
1601 * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated.
1620 * avoids [ATX headings][] and uses [setext headings][] instead
1621 (which works for `<h1>` and `<h2>` headings only).
1622 * avoids [inline links][] and uses [reference links][] instead.
1623 * avoids [fenced code blocks][] and uses [indented code blocks][] instead.
1625 [ATX headings]: https://github.github.com/gfm/#atx-headings
1626 [setext headings]: https://github.github.com/gfm/#setext-headings
1627 [inline links]: https://github.github.com/gfm/#inline-link
1628 [reference links]: https://github.github.com/gfm/#reference-link
1629 [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks
1630 [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks
1635 A new directory test-runs/ with subdirectories named like the
1640 * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
1641 This adds `crypto/cmp/`, `crypto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
1642 See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.
1647 It supports arbitrary request and response content types, GET redirection,
1648 TLS, connections via HTTP(S) proxies, connections and exchange via
1649 user-defined BIOs (allowing implicit connections), persistent connections,
1650 and timeout checks. See L<OSSL_HTTP_transfer(3)> etc. for details.
1651 The legacy OCSP-focused (and only partly documented) API
1656 * Added `util/check-format.pl`, a tool for checking adherence to the
1658 The checks performed are incomplete and yield some false positives.
1663 * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
1674 level 1 and above.
1678 * The command line utilities dhparam, dsa, gendsa and dsaparam have been
1680 and no new features will be added to them.
1688 * The command line utilities genrsa and rsa have been modified to use PKEY
1690 maintenance mode and no new features will be added to them.
1696 *Paul Dale and Matt Caswell*
1707 * Deprecated low level ECDH and ECDSA functions.
1711 * Deprecated EVP_PKEY_decrypt_old() and EVP_PKEY_encrypt_old().
1716 and EVP_PKEY_get_security_bits(). Especially EVP_PKEY_get_size() needed
1728 *Paul Dale and David von Oheimb*
1731 - Common options (such as -rand/-writerand, TLS version control, etc)
1732 were refactored and point to newly-enhanced descriptions in openssl.pod.
1733 - Added style conformance for all options (with help from Richard Levitte),
1735 that all options are documented and that no unimplemented options
1737 - Documented some internals, such as all use of environment variables.
1738 - Addressed all internal broken L<> references.
1746 * The low-level MD2, MD4, MD5, MDC2, RIPEMD160 and Whirlpool digest
1749 *Paul Dale and David von Oheimb*
1751 * Corrected the documentation of the return values from the `EVP_DigestSign*`
1752 set of functions. The documentation mentioned negative values for some
1753 errors, but this was never the case, so the mention of negative values
1756 Code that followed the documentation and thereby checked with something
1763 *Matt Caswell and Paul Dale*
1765 * Removed include/openssl/opensslconf.h.in and replaced it with
1787 used in exponentiation with 512-bit moduli. No EC algorithms are
1788 affected. Analysis suggests that attacks against 2-prime RSA1024,
1789 3-prime RSA1536, and DSA1024 as a result of this defect would be very
1790 difficult to perform and are not believed likely. Attacks against DH512
1792 have to re-use the DH512 private key, which is not recommended anyway.
1793 Also applications directly using the low-level API BN_mod_exp may be
1795 ([CVE-2019-1551])
1799 * Most memory-debug features have been deprecated, and the functionality
1800 replaced with no-ops.
1808 * Introduced a new method type and API, OSSL_ENCODER, to represent
1810 and d2i functions do, but with support for methods supplied by
1811 providers, and the possibility for providers to support other
1816 * Introduced a new method type and API, OSSL_DECODER, to represent
1818 and i2d functions do, but with support for methods supplied by
1819 providers, and the possibility for providers to support other
1825 allow varying behavior in a supported and predictable manner.
1833 volume names and system directory names on VMS.
1841 * Change the interpretation of the '--api' configuration option to
1844 also mean to remove all deprecated symbols up to and including
1845 the given version, nor requires that 'no-deprecated' is also used
1851 value is valid as before, such as -DOPENSSL_API_COMPAT=0x10100000L.
1852 For version 3.0 and on, the value is expected to be the decimal
1853 value calculated from the major and minor version like this:
1859 -DOPENSSL_API_COMPAT=30000 For 3.0
1860 -DOPENSSL_API_COMPAT=30200 For 3.2
1862 To hide declarations that are deprecated up to and including the
1863 given API compatibility level, -DOPENSSL_NO_DEPRECATED must be
1869 access to certificate and CRL stores via URIs and OSSL_STORE
1874 - X509_LOOKUP_store()
1875 - X509_STORE_load_file()
1876 - X509_STORE_load_path()
1877 - X509_STORE_load_store()
1878 - SSL_add_store_cert_subjects_to_stack()
1879 - SSL_CTX_set_default_verify_store()
1880 - SSL_CTX_load_verify_file()
1881 - SSL_CTX_load_verify_dir()
1882 - SSL_CTX_load_verify_store()
1887 The presence of this system service is determined at run-time.
1892 for methods from providers. This takes an algorithm name and a
1893 property query string and simply stores them, with the intent
1896 of application written for pre-3.0 OpenSSL easier.
1905 * Introduced the new functions EVP_DigestSignInit_ex() and
1906 EVP_DigestVerifyInit_ex(). The macros EVP_DigestSignUpdate() and
1918 * s390x assembly pack: add hardware-support for P-256, P-384, P-521,
1919 X25519, X448, Ed25519 and Ed448.
1923 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
1939 ERR_peek_error_all() and ERR_peek_last_error_all().
1942 ERR_peek_error_line_data(), ERR_peek_last_error_line_data() and
1956 * Added the `-copy_extensions` option to the `x509` command for use with
1957 `-req` and `-x509toreq`. When given with the `copy` or `copyall` argument,
1962 * Added the `-copy_extensions` option to the `req` command for use with
1963 `-x509`. When given with the `copy` or `copyall` argument,
1968 * The `x509`, `req`, and `ca` commands now make sure that X.509v3 certificates
1971 and for not self-signed certs there is an authorityKeyIdentifier extension
1974 such as `subjectKeyIdentifier = none` and `authorityKeyIdentifier = none`.
1980 (which may be done by using the CLI option `-x509_strict`):
1986 and certs without subjectAlternativeName must not be empty.
1988 * The signatureAlgorithm field and the cert signature must be consistent.
1989 * Any given authorityKeyIdentifier and any given subjectKeyIdentifier
1992 unless they are self-signed.
2002 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2006 This prevents bypass of security hardening and performance gains,
2008 By default, if a key encoded with explicit parameters is loaded and later
2015 this change, EC_GROUP_set_generator would accept order and/or cofactor as
2018 ([CVE-2019-1547])
2022 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
2026 encryption key will be replaced by garbage, and the message cannot be
2028 used and the recipient will not notice the attack.
2029 As a work around for this potential attack the length of the decrypted
2030 key must be equal to the cipher default key length, in case the
2031 certificate is not given and all recipientInfo are tried out.
2032 The old behaviour can be re-enabled in the CMS code by setting the
2047 * Revised BN_generate_prime_ex to not avoid factors 2..17863 in p-1
2050 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2052 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
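The distinguisher that entry alludes to, as an added example (not OpenSSL's generator): if prime generation rejects every candidate p for which 3 divides p-1, then every prime is 2 (mod 3), a two-prime modulus is 4 = 1 (mod 3) and a three-prime modulus is 8 = 2 (mod 3), so N mod 3 reveals the key type. Toy 24-bit primes and trial division are used so it runs in a few seconds; the 17863 bound is the one named in the entry.

```python
import random
from math import isqrt


def is_prime_td(n):
    """Trial-division primality test; fine for the toy 24-bit primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def gen_prime(bits, rng, avoid_factors_upto=None):
    """Random prime of `bits` bits. With avoid_factors_upto=B, any candidate whose
    p-1 has an odd factor in 3..B is thrown away: the rule this entry reverted."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if not is_prime_td(p):
            continue
        if avoid_factors_upto and any(
            (p - 1) % d == 0 for d in range(3, avoid_factors_upto + 1, 2)
        ):
            continue
        return p


def rsa_modulus(num_primes, bits, rng, avoid_factors_upto=None):
    """Product of num_primes primes generated with the given rule."""
    n = 1
    for _ in range(num_primes):
        n *= gen_prime(bits, rng, avoid_factors_upto)
    return n


def guess_prime_count(n):
    """N mod 3 distinguisher: 1 -> two primes, 2 -> three primes (valid only
    when every prime is 2 mod 3); None when 3 divides n."""
    return {1: 2, 2: 3}.get(n % 3)


def biased_primes(seed, count, bits=24, avoid_factors_upto=17863):
    rng = random.Random(seed)
    return [gen_prime(bits, rng, avoid_factors_upto) for _ in range(count)]


def distinguisher_accuracy(seed, trials=4, bits=24, avoid_factors_upto=17863):
    """Fraction of moduli whose prime count the N mod 3 test gets right.
    Always 1.0 under the old rule; close to a coin flip without it."""
    rng = random.Random(seed)
    hits = 0
    for k in range(trials):
        num_primes = 2 + (k % 2)
        n = rsa_modulus(num_primes, bits, rng, avoid_factors_upto)
        hits += guess_prime_count(n) == num_primes
    return hits / trials


if __name__ == "__main__":
    print("biased primes mod 3:", [p % 3 for p in biased_primes(1, 5)])
    print("accuracy, old rule :", distinguisher_accuracy(7))
    print("accuracy, no rule  :", distinguisher_accuracy(7, avoid_factors_upto=None))
```

Any rule that excludes a small residue class from the primes leaks the same way; the fix restores primes drawn uniformly from all residues, so that N mod 3 (and N mod every other small prime) carries no information about how many factors N has.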
2058 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2060 between EBCDIC systems with this fix, and EBCDIC systems without this
2067 libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
2072 * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
2073 where the former acts as a replacement for `ERR_put_error()`, and the
2075 `ERR_raise_data()` adds more flexibility by taking a format string and
2082 to check if a named provider is loaded and available. When called, it
2102 * `{CRYPTO,OPENSSL}_mem_debug_{push,pop}` are now no-ops and have been
2120 * Removed the function names from error messages and deprecated the
2125 * Removed NextStep support and the macro OPENSSL_UNISTD
2136 * RC5_32_set_key has been changed to return an int type, with 0 indicating
2137 an error and 1 indicating success. In previous versions of OpenSSL this
2143 * Support SM2 signing and verification schemes with X509 certificate.
2151 * Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
2160 * Add target VC-WIN32-UWP, VC-WIN64A-UWP, VC-WIN32-ARM-UWP and
2161 VC-WIN64-ARM-UWP in Windows OneCore target for making building libraries
2162 for Windows Store apps easier. Also, the "no-uplink" option has been added.
2166 * Join the directories crypto/x509 and crypto/x509v3
2178 * Added OPENSSL_info() to get diverse built-in OpenSSL data, such
2184 * The functions AES_ige_encrypt() and AES_bi_ige_encrypt() have been
2193 * Limit the number of blocks in a data unit for AES-XTS to 2^20 as
2194 mandated by IEEE Std 1619-2018.
2202 *Matt Eaton, Richard Levitte, and Paul Dale*
2205 little usage and doesn't seem to fulfill a valuable purpose.
2225 'enable-buildtest-c++'.
2233 * Added SSH KDF (EVP_KDF_SSHKDF) and KRB5 KDF (EVP_KDF_KRB5KDF) to EVP_KDF.
2237 * Added Single Step KDF (EVP_KDF_SS), X963 KDF, and X942 KDF to EVP_KDF.
2257 * Added EVP_KDF, an EVP layer KDF API, to simplify adding KDF and PRF
2260 (scrypt, TLS1 PRF and HKDF). The low-level KDF functions for PBKDF2
2261 and scrypt are now wrappers that call EVP_KDF.
2273 * Fix a bug in the computation of the endpoint-pair shared secret used
2275 of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
2281 re-used X509_PUBKEY object if the second PUBKEY is malformed.
2295 - Major releases (indicated by incrementing the MAJOR release number)
2297 - Minor releases (indicated by incrementing the MINOR release number)
2299 - Patch releases (indicated by incrementing the PATCH number)
2300 are intended for bug fixes and other improvements of existing
2302 and retain API/ABI compatibility.
2306 * Add support for RFC5297 SIV mode (siv128), including AES-SIV.
2310 * Remove the 'dist' target and add a tarball building script. The
2311 'dist' target has fallen out of use, and it shouldn't be
2316 * Recreate the OS390-Unix config target. It no longer relies on a
2317 special script like it did for OpenSSL pre-1.1.0.
2322 a 'build.info' keyword SUBDIRS to indicate what sub-directories to
2331 * Ported the HMAC, CMAC and SipHash EVP_PKEY_METHODs to EVP_MAC.
2338 functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
2346 * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
2347 the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
2352 * AES-XTS mode now enforces that its two keys are different to mitigate
2354 Blockciphers and Refinements to Modes OCB and PMAC" by Phillip Rogaway.
2366 * Added new option for 'openssl list', '-objects', which will display the
2371 * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
2372 allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
2377 * Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
2378 improves application performance by removing data copies and providing
2379 applications with zero-copy system calls such as sendfile and splice.
2401 functionality is designed to replace the ENGINE API and ENGINE
2402 implementations, and to be much more dynamic, allowing provider
2407 libcrypto and provider implementations. Public libcrypto functions
2411 doc/man7/provider.pod, doc/man7/provider-base.pod, and they in turn
2418 -------------
2420 ### Changes between 1.1.1l and 1.1.1m [xx XXX xxxx]
2436 ### Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
2443 can be NULL and, on exit, the "outlen" parameter is populated with the
2445 can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt()
2446 again, but this time passing a non-NULL value for the "out" parameter.
2461 ([CVE-2021-3711])
2468 structure which contains a buffer holding the string data and a field
2469 holding the buffer length. This contrasts with normal C strings which
2474 OpenSSL's own "d2i" functions (and other similar parsing functions) as
2476 function will additionally NUL terminate the byte array in the
2480 ASN1_STRING structures which do not NUL terminate the byte array by
2481 directly setting the "data" and "length" fields in the ASN1_STRING
2482 array. This can also happen by using the ASN1_STRING_set0() function.
2485 assume that the ASN1_STRING byte array will be NUL terminated, even
2488 printed, and where that ASN.1 structure contains ASN1_STRINGs that have
2495 parsing functions, and the certificate contains non NUL terminated
2497 X509_REQ_get1_email() and X509_get1_ocsp() functions.
2500 ASN1_STRING and then process it through one of the affected OpenSSL
2505 ([CVE-2021-3712])
2509 ### Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
2522 that non-CA certificates must not be able to issue other certificates.
2526 values implemented in libcrypto perform this check. Therefore, where
2528 strict flag has been used. A purpose is set by default in libssl client and
2533 X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
2536 ([CVE-2021-3450])
2545 result, leading to a crash and a denial of service attack.
2547 A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
2550 ([CVE-2021-3449])
2552 *Peter Kästle and Samuel Sapalski*
2554 ### Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
2557 create a unique hash value based on the issuer and serial number data
2561 result in a NULL pointer deref and a crash leading to a potential denial of
2563 ([CVE-2021-23841])
2567 * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
2570 CVE-2021-23839.
2574 Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
2575 functions. Previously they could overflow the output length argument in some
2576 cases where the input length is close to the maximum permissible length for
2578 call would be 1 (indicating success), but the output length value would be
2580 ([CVE-2021-23840])
2588 threat model and therefore no CVE is assigned.
2590 Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
2595 ### Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
2602 1) Comparing CRL distribution point names between an available CRL and a
2606 TS_RESP_verify_response and TS_RESP_verify_token)
2607 ([CVE-2020-1971])
2611 ### Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
2618 * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
2619 ignore TLS protocol version bounds when configuring DTLS-based contexts, and
2621 TLS-based contexts. The commands can be repeated to set bounds of both
2622 types. The same applies with the corresponding "min_protocol" and
2623 "max_protocol" command-line switches, in case some application uses both TLS
2624 and DTLS.
2629 error. Now only the "version-flexible" SSL_CTX instances are subject to
2630 limits in configuration files in command-line options.
2641 ### Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
2650 ([CVE-2020-1967])
2654 * Added AES consttime code for no-asm configurations
2656 when building openssl for no-asm.
2657 Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
2658 Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
2664 ### Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
2670 branch and will be present in the 3.0 release.
2674 * Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
2677 the 2-prime and 3-prime RSA modules were easy to distinguish, since
2679 2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
2684 ### Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
2689 an error to the stack (which means we instead return SSL_ERROR_SSL) and
2694 * Check that ed25519 and ed448 are allowed by the security level. Previously
2702 and normal handshakes, and also not quite consistent with historical
2703 behaviour. The behaviour in various scenarios has been clarified and
2710 `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas
2723 The presence of this system service is determined at run-time.
2727 * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
2732 ### Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
2736 event of a fork() system call in order to ensure that the parent and child
2742 and child process sharing state is significantly reduced.
2746 ([CVE-2019-1549])
2750 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
2754 This prevents bypass of security hardening and performance gains,
2756 By default, if a key encoded with explicit parameters is loaded and later
2763 this change, EC_GROUP_set_generator would accept order and/or cofactor as
2766 ([CVE-2019-1547])
2770 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
2774 encryption key will be replaced by garbage, and the message cannot be
2776 used and the recipient will not notice the attack.
2777 As a workaround for this potential attack the length of the decrypted
2778 key must be equal to the cipher default key length, in case the
2779 certificate is not given and all recipientInfo are tried out.
2780 The old behaviour can be re-enabled in the CMS code by setting the
2782 ([CVE-2019-1563])
2797 fix TLS connections between an EBCDIC system and a non-EBCDIC system that
2799 between EBCDIC systems with this fix, and EBCDIC systems without this
2808 ([CVE-2019-1552])
2812 * Changed DH_check to accept parameters with order q and 2q subgroups.
2831 was decided to revert this feature and leave it up to the OS
2837 ### Changes between 1.1.1b and 1.1.1c [28 May 2019]
2844 'enable-buildtest-c++'.
2848 * Enable SHA3 pre-hashing for ECDSA and DSA.
2852 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
2854 It fixes an omission in earlier changes that changed all RSA, DSA and DH
2859 * Reorganize the manual pages to consistently have RETURN VALUES,
2860 EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
2861 util/fix-doc-nits accordingly.
2869 * Have commands like `s_client` and `s_server` output the signature scheme
2882 * Prevent over long nonces in ChaCha20-Poly1305.
2884 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
2886 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
2887 and front pads the nonce with 0 bytes if it is less than 12
2889 bytes. In this case only the last 12 bytes are significant and any
2892 It is a requirement of using this cipher that nonce values are
2894 serious confidentiality and integrity attacks. If an application changes
2895 the default nonce length to be longer than 12 bytes and then makes a
2905 applications that use this cipher directly and set a non-default nonce
2906 length to be longer than 12 bytes may be vulnerable.
2910 ([CVE-2019-1543])
2928 ### Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
2930 * Change the info callback signals for the start and end of a post-handshake
2932 and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
2933 confused by this and assume that a TLSv1.2 renegotiation has started. This
2934 can break KeyUpdate handling. Instead we no longer signal the start and end
2942 ### Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
2951 ([CVE-2018-0734])
2962 ([CVE-2018-0735])
2967 if its length exceeds 4096 bytes. The limit has been raised to a buffer size
2968 of two gigabytes and the error handling improved.
2972 automatically and is fully functional even without additional randomness
2975 ### Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
2990 * s390x assembly pack: add (improved) hardware-support for the following
2991 cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
2992 aes-cfb/cfb8, aes-ecb.
3004 differential addition-and-doubling in homogeneous projective coordinates
3005 from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
3006 against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
3007 and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
3012 * Change generating and checking of primes so that the error rate of not
3014 For larger primes this will result in more rounds of Miller-Rabin.
3016 to 2^-128.
3020 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3025 moving between systems, and to avoid confusion when a Windows build is
3031 * Revert blinding in ECDSA sign and instead make problematic addition
3032 length-invariant. Switch even to fixed-length Montgomery multiplication.
3038 differential addition-and-doubling in mixed Lopez-Dahab projective
3047 differential addition-and-doubling algorithms.
3059 * Numerous side-channel attack mitigations have been applied. This may have
3068 different versions and bitnesses in one common archive. This allows one to
3069 mitigate conflict between 1.0 and 1.1 side-by-side installations. It
3071 multi-version installation is managed.
3075 * Make ec_group_do_inverse_ord() more robust and available to other
3079 EC cryptosystem implementations are then safer-by-default.
3083 * Add coordinate blinding for EC_POINT and implement projective
3089 * Add blinding to ECDSA and DSA signatures to protect against side channel
3095 length does not exceed the maximum supported digest length when performing
3103 Many applications do not properly handle non-application data records, and
3107 SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
3117 * Apply blinding to binary field modular inversion and remove patent
3122 * Deprecate ec2_mult.c and unify scalar multiplication code paths for
3123 binary and prime elliptic curves.
3134 when computing fixed point and variable point multiplication (which
3144 * Updated DRBG / RAND to request nonce and additional low entropy
3158 * Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
3162 * Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
3166 * Added output of accepting IP address and port for 'openssl s_server'
3181 * Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
3190 * Added new public header file <openssl/rand_drbg.h> and documentation
3206 configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
3216 in responder mode now supports the new "-multi" option, which
3218 requests. The "-timeout" option now also limits the OCSP
3221 as needed, and the CA index file is automatically reloaded
3223 as a long-running service, making the OpenSSL CA somewhat more
3224 feature-complete. In this mode, most diagnostic messages logged
3230 * Added support for X448 and Ed448. Heavily based on original work by
3235 * Extend OSSL_STORE with capabilities to search and to narrow the set of
3236 objects loaded. This adds the functions OSSL_STORE_expect() and
3237 OSSL_STORE_find() as well as needed tools to construct searches and
3251 The default RAND method now utilizes an AES-CTR DRBG according to
3252 NIST standard SP 800-90Ar1. The new random generator is essentially
3255 using an AES-CTR bit stream and which seeds and reseeds itself
3259 - Support for multiple DRBG instances with seed chaining.
3260 - The default RAND method makes use of a DRBG.
3261 - There is a public and private DRBG instance.
3262 - The DRBG instances are fork-safe.
3263 - Keep all global DRBG instances on the secure heap if it is enabled.
3264 - The public and private DRBG instance are per thread for lock free
3269 * Changed Configure so it only says what it does and doesn't dump
3279 * Added SHA512/224 and SHA512/256 algorithm support.
3288 * Get rid of Makefile.shared, and in the process, make the processing
3290 the ordinal files) more visible and hopefully easier to trace and
3295 * Make it possible to have environment variable assignments as
3300 * Add multi-prime RSA (RFC 8017) support.
3304 * Add SM3 implemented according to GB/T 32905-2016
3309 * Add 'Maximum Fragment Length' TLS extension negotiation and support
3315 * Add SM4 implemented according to GB/T 32907-2016.
3320 * Reimplement -newreq-nodes and ERR_error_string_n; the
3349 * The UI API becomes a permanent and integral part of libcrypto, i.e.
3354 To disable, configure with 'no-ui-console'. 'no-ui' is still
3357 possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
3361 * Add a STORE module, which implements a uniform and URI based reader of
3362 stores that can contain keys, certificates, CRLs and numerous other
3364 and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
3365 OSSL_STORE_error and OSSL_STORE_close.
3371 * Add devcrypto engine. This has been implemented against cryptodev-linux,
3373 Enable by configuring with 'enable-devcryptoeng'. This is done by default
3384 With this change, we claim the namespaces OSSL and OPENSSL in a manner
3388 *Richard Levitte and Tim Hudson*
3395 and only that. This can be used to prepare everything that requires
3396 things like perl for a system that lacks perl and then move everything
3397 to that system and do the rest of the build there.
3407 * Ignore the '-named_curve auto' value for compatibility of applications
3413 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
3416 prohibits this altogether and other libraries (BoringSSL, NSS) do not
3418 record layer, and its removal is unlikely to cause interoperability
3423 * Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
3424 with Z. These are meant to replace LONG and ZLONG and to be size safe.
3425 The use of LONG and ZLONG is discouraged and scheduled for deprecation
3430 * Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
3431 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
3440 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3445 * The functions X509_STORE_add_cert and X509_STORE_add_crl return
3448 certificates and CRLs.
3458 Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
3462 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3463 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3469 compliance with RFC 5280. Fractional seconds and timezone offsets
3479 default unless the new "-noservername" option is used. The server name is
3480 based on the host provided to the "-connect" option unless overridden by
3481 using "-servername".
3490 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
3491 prevent issues where no progress is being made and the peer continually
3496 * 'openssl passwd' can now produce SHA256 and SHA512 based output,
3498 <https://www.akkadia.org/drepper/SHA-crypt.txt>
3516 -------------
3518 ### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
3520 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
3524 This prevents bypass of security hardening and performance gains,
3526 By default, if a key encoded with explicit parameters is loaded and later
3533 this change, EC_GROUP_set_generator would accept order and/or cofactor as
3536 ([CVE-2019-1547])
3540 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
3544 encryption key will be replaced by garbage, and the message cannot be
3546 used and the recipient will not notice the attack.
3547 As a workaround for this potential attack the length of the decrypted
3548 key must be equal to the cipher default key length, in case the
3549 certificate is not given and all recipientInfo are tried out.
3550 The old behaviour can be re-enabled in the CMS code by setting the
3552 ([CVE-2019-1563])
3560 ([CVE-2019-1552])
3564 ### Changes between 1.1.0j and 1.1.0k [28 May 2019]
3566 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
3568 It fixes an omission in earlier changes that changed all RSA, DSA and DH
3573 * Prevent over long nonces in ChaCha20-Poly1305.
3575 ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
3577 (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
3578 and front pads the nonce with 0 bytes if it is less than 12
3580 bytes. In this case only the last 12 bytes are significant and any
3583 It is a requirement of using this cipher that nonce values are
3585 serious confidentiality and integrity attacks. If an application changes
3586 the default nonce length to be longer than 12 bytes and then makes a
3596 applications that use this cipher directly and set a non-default nonce
3597 length to be longer than 12 bytes may be vulnerable.
3601 ([CVE-2019-1543])
3613 re-used X509_PUBKEY object if the second PUBKEY is malformed.
3621 * Remove the 'dist' target and add a tarball building script. The
3622 'dist' target has fallen out of use, and it shouldn't be
3627 ### Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
3636 ([CVE-2018-0734])
3647 ([CVE-2018-0735])
3651 * Add coordinate blinding for EC_POINT and implement projective
3657 ### Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
3668 ([CVE-2018-0732])
3680 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
3681 ([CVE-2018-0737])
3691 * Revert blinding in ECDSA sign and instead make problematic addition
3692 length-invariant. Switch even to fixed-length Montgomery multiplication.
3696 * Change generating and checking of primes so that the error rate of not
3698 For larger primes this will result in more rounds of Miller-Rabin.
3700 to 2^-128.
3704 * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
3708 * Add blinding to ECDSA and DSA signatures to protect against side channel
3719 compliance with RFC 5280. Fractional seconds and timezone offsets
3729 line terminators to CRLF and removes additional trailing line terminators
3731 some characters, such as form-feed, were incorrectly treated as whitespace
3732 and removed. This is contrary to the specification (RFC5485). This fix
3737 and use the "-binary" flag (for the "cms" command line application) or set
3742 ### Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
3752 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
3754 ([CVE-2018-0739])
3758 * Incorrect CRYPTO_memcmp on HP-UX PA-RISC
3760 Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
3765 HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
3769 ([CVE-2018-0733])
3774 and only that. This can be used to prepare everything that requires
3775 things like perl for a system that lacks perl and then move everything
3776 to that system and do the rest of the build there.
3782 OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
3785 SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
3794 * Removed the OS390-Unix config target. It relied on a script that doesn't
3802 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
3803 Analysis suggests that attacks against RSA and DSA as a result of this
3804 defect would be very difficult to perform and are not believed likely.
3810 no longer an option since CVE-2016-0701.
3816 was originally found via the OSS-Fuzz project.
3817 ([CVE-2017-3738])
3821 ### Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
3827 against RSA and DSA as a result of this defect would be very difficult to
3828 perform and are not believed likely. Attacks against DH are considered just
3831 of resources required for such an attack would be very significant and
3834 private key in a scenario with persistent DH parameters and a private
3837 This only affects processors that support the BMI1, BMI2 and ADX extensions
3838 like Intel Broadwell (5th generation) and later or AMD Ryzen.
3840 This issue was reported to OpenSSL by the OSS-Fuzz project.
3841 ([CVE-2017-3736])
3848 OpenSSL could do a one-byte buffer overread. The most likely result
3851 This issue was reported to OpenSSL by the OSS-Fuzz project.
3852 ([CVE-2017-3735])
3856 ### Changes between 1.1.0e and 1.1.0f [25 May 2017]
3858 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
3863 * Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
3864 VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
3869 ### Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
3871 * Encrypt-Then-Mac renegotiation crash
3873 During a renegotiation handshake if the Encrypt-Then-Mac extension is
3874 negotiated where it was not in the original handshake (or vice-versa) then
3876 and servers are affected.
3879 ([CVE-2017-3733])
3883 ### Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
3887 If one side of an SSL/TLS path is running on a 32-bit host and a specific
3889 perform an out-of-bounds read, usually resulting in a crash.
3892 ([CVE-2017-3731])
3904 ([CVE-2017-3730])
3912 against RSA and DSA as a result of this defect would be very difficult to
3913 perform and are not believed likely. Attacks against DH are considered just
3916 of resources required for such an attack would be very significant and
3919 private key in a scenario with persistent DH parameters and a private
3922 similar to CVE-2015-3193 but must be treated as a separate problem.
3924 This issue was reported to OpenSSL by the OSS-Fuzz project.
3925 ([CVE-2017-3732])
3929 ### Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
3931 * ChaCha20/Poly1305 heap-buffer-overflow
3933 TLS connections using `*-CHACHA20-POLY1305` ciphersuites are susceptible to
3938 ([CVE-2016-7054])
3952 ([CVE-2016-7053])
3958 There is a carry propagating bug in the Broadwell-specific Montgomery
3961 and DH private keys are impossible. This is because the subroutine in
3962 question is not used in operations with the private key itself and an input
3964 transient authentication and key negotiation failures or reproducible
3965 erroneous outcome of public-key operations with specially crafted input.
3966 Among EC algorithms only Brainpool P-512 curves are affected and one
3968 detail, because pre-requisites for attack are considered unlikely. Namely
3969 multiple clients have to choose the curve in question and the server has to
3973 This issue was publicly reported as transient failures and was not
3976 ([CVE-2016-7055])
3980 * Removed automatic addition of RPATH in shared libraries and executables,
3981 as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
3985 ### Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
3989 The patch applied to address CVE-2016-6307 resulted in an issue where if a
3991 store the incoming message is reallocated and moved. Unfortunately a
3999 ([CVE-2016-6309])
4003 ### Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
4013 the "no-ocsp" build time option are not affected.
4016 ([CVE-2016-6304])
4027 ([CVE-2016-6305])
4031 * Excessive allocation of memory in tls_get_message_header() and
4034 A (D)TLS message includes 3 bytes for its length in the header for the
4035 message. This would allow for messages up to 16Mb in length. Messages of
4036 this length are excessive and OpenSSL includes a check to ensure that a
4040 the excessive message length check. Due to way memory is allocated in
4043 memory exhaustion. However, the excessive message length check still takes
4044 place, and this would cause the connection to immediately fail. Assuming
4053 2) The application is working in a constrained environment where there is
4058 connection; SSL_free() has not yet been called; and there is insufficient
4065 memory - which would then mean a more serious Denial of Service.
4068 (CVE-2016-6307 and CVE-2016-6308)
4072 * solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
4074 assemble our modules with the -KPIC flag. As a result, assembly
4076 lack of side-channel resistant code, which is incompatible with
4082 ### Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
4084 * Windows command-line tool supports UTF-8 opt-in option for arguments
4085 and console input. Setting OPENSSL_WIN32_UTF8 environment variable
4087 with Windows CryptoAPI and protected with non-ASCII password, as well
4088 as files generated under UTF-8 locale on Linux also protected with
4089 non-ASCII password.
4093 * To mitigate the SWEET32 attack ([CVE-2016-2183]), 3DES cipher suites
4094 have been disabled by default and removed from DEFAULT, just like RC4.
4095 See the RC4 item below to re-enable both.
4101 the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
4107 to int. A return of 0 indicates an error while a return of 1 indicates
4112 * The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
4114 off the constant time implementation for RSA, DSA and DH have been made
4115 no-ops and deprecated.
4120 calling CryptGenRandom(). Various other RAND-related tickets
4125 * The stack and lhash API's were renamed to start with `OPENSSL_SK_`
4126 and `OPENSSL_LH_`, respectively. The old names are available
4134 int (instead of void) like all other TYPE_up_ref() methods.
4136 and the validity of object reference counter.
4141 alongside the installed libraries and executables. For a static
4153 to build for a different bitness with the environment variable
4161 256 bit AES and HMAC with SHA256.
4165 * Remove support for MIPS o32 ABI on IRIX (and IRIX only).
4169 * Triple-DES ciphers have been moved from HIGH to MEDIUM.
4173 * To enable users to have their own config files and build file templates,
4174 Configure looks in the directory indicated by the environment variable
4175 OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
4177 name and is used as is.
4182 X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
4188 the "no-shared" Configure option.
4192 * Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
4193 All of these options have not worked for some while and are fundamental
4198 * Make various cleanup routines no-ops and mark them as deprecated. Most
4200 via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
4201 Explicitly de-initing can cause problems (e.g. where a library that uses
4202 OpenSSL de-inits, but an application is still using it). The affected
4205 RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
4210 * --strict-warnings no longer enables runtime debugging options
4212 enabled with '--debug' builds.
4216 * Made DH and DH_METHOD opaque. The structures for managing DH objects
4222 * Made RSA and RSA_METHOD opaque. The structures for managing RSA
4228 * Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
4234 * Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
4240 * Removed no-rijndael as a config option. Rijndael is an old name for AES.
4253 * Removed the aged BC-32 config and all its supporting scripts
4257 * Removed support for Ultrix, Netware, and OS/2.
4265 * Add support for blake2b and blake2s
4271 encryptions/decryptions simultaneously. There are currently no built-in
4281 AES128-CBC. The kernel must be version 4.1.0 or greater.
4286 set locking callbacks to use OpenSSL in a multi-threaded environment. There
4287 are two supported threading models: pthreads and windows threads. It is
4288 also possible to configure OpenSSL at compile time for "no-threads". The
4290 replaced with "no-op" compatibility macros.
4299 * Add SSL_CIPHER queries for authentication and key-exchange.
4304 - Prefer (EC)DHE handshakes over plain RSA.
4305 - Prefer AEAD ciphers over legacy ciphers.
4306 - Prefer ECDSA over RSA when both certificates are available.
4307 - Prefer TLSv1.2 ciphers/PRF.
4308 - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
4318 * RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
4319 disabled by default. They can be re-enabled using the
4320 enable-weak-ssl-ciphers option to Configure.
4332 Add ASN.1 and EVP_PKEY methods for X25519. This includes support
4333 for public and private key encoding using the format documented in
4334 draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
4335 key generation and key derivation.
4337 TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
4344 In order to fix an unavoidable memory leak ([CVE-2016-0798]),
4352 credentials, this behaviour is not constant time and no strong
4359 without having to build shared libraries and vice versa. This
4364 the configuration option "disable-dynamic-engine".
4367 presence of the DSO module and building with position independent
4369 with "disable-dso" or "disable-pic".
4371 The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
4379 libcrypto and libssl object files, and never on the application
4384 If this isn't desirable, the configuration options "disable-pic"
4385 or "no-pic" can be used to disable the use of PIC. This will
4386 also disable building shared libraries and dynamic engines.
4390 * Removed JPAKE code. It was experimental and has no wide use.
4394 * The INSTALL_PREFIX Makefile variable has been renamed to
4395 DESTDIR. That makes for less confusion on what this variable
4396 is for. Also, the configuration option --install_prefix is
4401 * Heartbeat for TLS has been removed and is disabled by default
4402 for DTLS; configure with enable-heartbeats. Code that uses the
4422 information for each directory with source to compile, and a
4423 template in Configurations, like unix-Makefile.tmpl or
4427 and on VMS. They now have names that are closer to the standard
4428 on Unix, and include the major version number, and in certain
4436 * Added support for auto-initialisation and de-initialisation of the library.
4438 except in certain circumstances. See the OPENSSL_init_crypto() and
4447 support of IPv6, and adding it required some more extensive
4448 modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
4449 which hold all types of addresses and chains of address information.
4451 BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
4452 The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
4457 * RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
4458 the leading 0-byte.
4470 SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
4477 RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
4494 * Configuration and writing out the results from it has changed.
4495 Files such as Makefile include/openssl/opensslconf.h and are now
4496 produced through general templates, such as Makefile.in and
4497 crypto/opensslconf.h.in and some help from the perl module
4510 --prefix and --openssldir change their semantics, and become more
4511 straightforward and less interdependent.
4513 --prefix shall be used exclusively to give the location INSTALLTOP
4514 where programs, scripts, libraries, include files and manuals are
4517 --openssldir shall be used exclusively to give the default
4522 values of both the --prefix value and the --openssldir value will
4524 The default for --openssldir is INSTALLTOP/ssl.
4526 Anyone who uses --openssldir to specify where OpenSSL is to be
4527 installed MUST change to use --prefix instead.
4531 * The GOST engine was out of date and therefore it has been removed. An up
4539 * EGD is no longer supported by default; use enable-egd when
4542 *Ben Kaduk and Rich Salz*
4557 Obtaining and performing DNSSEC validation of TLSA records is
4559 the TLSA records of its choice to OpenSSL, and these are then
4563 example, be used to implement local end-entity certificate or
4564 trust-anchor "pinning", where the "pin" data takes the form
4573 source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
4579 should be used with the --api=1.1.0 option to entirely remove
4580 support for the deprecated features from the library and
4582 Essentially the same effect can be achieved with the "no-deprecated"
4588 they should update their compile-time OPENSSL_API_COMPAT define
4592 The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
4593 0x10000000L and 0x00908000L, respectively. However those
4594 versions did not support the OPENSSL_API_COMPAT feature, and
4600 * Add support for setting the minimum and maximum supported protocol.
4601 It can be set via the SSL_set_min_proto_version() and
4602 SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
4611 * Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
4615 * New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
4616 and integrates ECDSA and ECDH functionality into EC. Implementations can
4617 now redirect key generation and no longer need to convert to or from
4620 Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
4625 * Remove support for all 40 and 56 bit ciphers. This includes all the export
4626 ciphers, which are no longer supported, and drops support for the ephemeral RSA key
4631 * Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
4632 opaque. For HMAC_CTX, the following constructors and destructors
4638 For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
4639 destroy such methods have been added. See EVP_MD_meth_new(3) and
4643 1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
4644 `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
4647 2) For consistency with the majority of our object creators and
4654 * Added ASYNC support. Libcrypto now includes the async sub-library to enable
4658 introduction of the new mode SSL_MODE_ASYNC and associated error
4659 SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
4664 * SSL_{CTX_}set_ecdh_auto() has been removed and ECDH support is
4667 "-no_ecdhe" option has been removed from s_server.
4682 refactored in order to remove much duplication of code and solve issues
4685 Notably the SSL_state() function has been removed and replaced by
4686 SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
4688 defined in ssl.h and ssl3.h have also been removed.
4693 with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
4703 sureware and ubsec.
4718 This reduces memory fragmentation and makes it impossible to accidentally
4728 * Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
4732 * Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
4733 in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
4735 DES and RC4 ciphersuites.
4741 though the change is mostly in the more lenient direction, and
4746 * Fix no-stdio build.
4747 *David Woodhouse <David.Woodhouse@intel.com> and also*
4751 The testing framework has been largely rewritten and is now using
4752 perl and the perl modules Test::Harness and an extended variant of
4754 test/ have been rewritten into test recipes, and all direct calls to
4765 * Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
4768 and others were changed. All are now documented.
4775 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
4777 * Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
4780 Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
4792 * Changed the default name options in the "ca", "crl", "req" and "x509"
4798 not aware of clients that still exhibit this bug, and the workaround
4803 * The return type of BIO_number_read() and BIO_number_written() as well as
4804 the corresponding num_read and num_write members in the BIO structure has
4813 the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
4819 EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
4823 ciphersuites, and given "logjam" it also does not seem correct to fix them.
4828 SSLv23_client_method() and SSLv23_server_method() have been deprecated,
4829 and turned into macros which simply call the new preferred function names
4830 TLS_method(), TLS_client_method() and TLS_server_method(). All new code
4837 code and the associated standard is no longer considered fit-for-purpose.
4854 * Changed default digest for the dgst and enc commands from MD5 to
4864 draft-ietf-tls-session-hash-03.txt. Thanks to Alfredo Pironti for an
4870 files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
4877 Access to deprecated functions can be re-enabled by running config with
4878 "enable-deprecated". In addition applications wishing to use deprecated
4887 at <https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf>. Support
4888 for OCB can be removed by calling config with no-ocb.
4898 done while fixing the error code for the key-too-small case.
4900 *Annie Yousar <a.yousar@informatik.hu-berlin.de>*
4912 BEOS and BEOS_R5
4921 16-bit platforms such as WIN16
4926 - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
4927 - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
4928 - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
4929 - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
4930 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
4931 - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
4935 - Remove MS_STATIC; it's a relic from platforms <32 bits.
4946 NULL. Remove the non-null checks from callers. Save much code.
4962 exporting the session id and the master key in NSS keylog format.
4966 * Harmonize version and its documentation. -f flag is used to display
4984 Thanks to Neel Mehta of Google Security for discovering this bug and to
4985 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
4986 preparing the fix ([CVE-2014-0160])
4991 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
4992 by Yuval Yarom and Naomi Benger. Details can be obtained from:
4995 Thanks to Yuval Yarom and Naomi Benger for discovering this
4996 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
4998 *Yuval Yarom and Naomi Benger*
5005 * Experimental encrypt-then-mac support.
5008 draft-gutmann-tls-encrypt-then-mac-02.txt
5011 server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
5013 For non-compliant peers (i.e. just about everything) this should have no
5022 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
5023 algorithms and include test cases.
5027 * Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
5033 MGF1 digest and OAEP label.
5039 *Chris Palmer <palmer@google.com> and Ben Laurie*
5042 ASN1_TIME structures or one structure and the current time.
5047 test to induce all self test errors in sequence and check expected
5052 * Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
5058 test programs and fips_test_suite. Includes functionality to parse
5067 * Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
5071 * Use separate DRBG fields for internal and external flags. New function
5091 FIPS 186-3 A.2.3.
5093 * Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
5098 * Add functions FIPS_module_version() and FIPS_module_version_text()
5099 to return numerical and string versions of the FIPS module number.
5103 * Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
5104 FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
5110 there is no multiple of the block length between min_len and
5118 * Add PRNG security strength checks to RSA, DSA and ECDSA using
5119 information in FIPS186-3, SP800-57 and SP800-131A.
5124 must supply all data in one chunk (i.e. no update, final) and the
5125 message length must be supplied if AAD is used. Add algorithm test
5131 of POST to be monitored and/or failures induced. Modify fips_test_suite
5137 Note: this does increase the maximum key length from 32 to 64 bytes but
5144 to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
5147 Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
5154 shouldn't be using these directly and any that are will need to rethink
5155 anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
5159 * Extensive self tests and health checking required by SP800-90 DRBG.
5160 Remove strength parameter from FIPS_drbg_instantiate and always
5165 * Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
5173 * New function DH_compute_key_padded() to compute a DH key and pad with
5174 leading zeroes if needed: this complies with SP800-56A et al.
5178 * Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
5179 anything, incomplete, subject to change and largely untested at present.
5189 fipscanister.o and FIPS or fips prefix. This will avoid
5192 and rename any affected symbols.
5196 * Add selftest checks and algorithm block of non-fips algorithms in
5203 tiny fips sign and verify functions.
5207 * New build option no-ec2m to disable characteristic 2 code.
5212 and (currently) associated fips utilities. Uses the file Makefile.fips
5222 * Initial, experimental EVP support for AES-GCM. AAD can be input by
5225 can be set or retrieved with a ctrl. The IV length is by default 12
5227 length exceeds the maximum IV length (currently 16 bytes) it cannot be
5234 including padding and finalisation. This is useful if (for example)
5239 input buffer is NULL and length 0 finalisation should be performed.
5248 * Improve forward-security support: add functions
5251 SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
5253 SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
5256 new session is created, and gets to decide whether the session may be
5269 * New -verify_name option in command line utilities to set verification
5279 * Experimental renegotiation in s_server -www mode. If the client
5287 multi-process servers.
5293 BIO_set_cipher() and some obscure PEM functions were changed so they
5306 * New -noct, -requestct, -requirect and -ctlogfile options for s_client.
5307 These allow SCTs (signed certificate timestamps) to be requested and
5313 -------------
5315 ### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
5317 * For built-in EC curves, ensure an EC_GROUP built from the curve name is
5321 This prevents bypass of security hardening and performance gains,
5323 By default, if a key encoded with explicit parameters is loaded and later
5330 this change, EC_GROUP_set_generator would accept order and/or cofactor as
5333 ([CVE-2019-1547])
5337 * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
5341 encryption key will be replaced by garbage, and the message cannot be
5343 used and the recipient will not notice the attack.
5344 As a workaround for this potential attack the length of the decrypted
5345 key must be equal to the cipher default key length, in case the
5346 certificate is not given and all recipientInfo are tried out.
5347 The old behaviour can be re-enabled in the CMS code by setting the
5349 ([CVE-2019-1563])
5356 binaries and run-time config file.
5357 ([CVE-2019-1552])
5361 ### Changes between 1.0.2r and 1.0.2s [28 May 2019]
5363 * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
5365 It fixes an omission in earlier changes that changed all RSA, DSA and DH
5370 * Add FIPS support for Android Arm 64-bit
5372 Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
5374 'android64-aarch64' was missing from OpenSSL 1.0.2, so it could not be
5375 built with FIPS support on Android Arm 64-bit. This omission has been
5380 ### Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
5382 * 0-byte record padding oracle
5384 If an application encounters a fatal protocol error and then calls
5385 SSL_shutdown() twice (once to send a close_notify, and once to receive one)
5392 In order for this to be exploitable "non-stitched" ciphersuites must be in
5398 This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
5399 Aviram, with additional investigation by Steven Collison and Andrew
5401 ([CVE-2019-1559])
5409 ### Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
5413 OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
5419 Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
5421 ([CVE-2018-5407])
5432 ([CVE-2018-0734])
5438 development branch and hindering the use of ECC in FIPS mode.
5442 ### Changes between 1.0.2o and 1.0.2p [14 Aug 2018]
5453 ([CVE-2018-0732])
5465 Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
5466 ([CVE-2018-0737])
5476 * Revert blinding in ECDSA sign and instead make problematic addition
5477 length-invariant. Switch even to fixed-length Montgomery multiplication.
5481 * Change generating and checking of primes so that the error rate of not
5483 For larger primes this will result in more rounds of Miller-Rabin.
5485 to 2^-128.
5489 * Increase the number of Miller-Rabin rounds for DSA key generation to 64.
5493 * Add blinding to ECDSA and DSA signatures to protect against side channel
5504 compliance with RFC 5280. Fractional seconds and timezone offsets
5509 ### Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
5519 This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
5521 ([CVE-2018-0739])
5525 ### Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
5531 then OpenSSL would move into the error state and would immediately fail if
5533 explicit handshake functions (SSL_do_handshake(), SSL_accept() and
5538 for the same SSL object then it will succeed and the data is passed without
5546 ([CVE-2017-3737])
5553 used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
5554 Analysis suggests that attacks against RSA and DSA as a result of this
5555 defect would be very difficult to perform and are not believed likely.
5561 no longer an option since CVE-2016-0701.
5567 was originally found via the OSS-Fuzz project.
5568 ([CVE-2017-3738])
5572 ### Changes between 1.0.2l and 1.0.2m [2 Nov 2017]
5578 against RSA and DSA as a result of this defect would be very difficult to
5579 perform and are not believed likely. Attacks against DH are considered just
5582 of resources required for such an attack would be very significant and
5585 private key in a scenario with persistent DH parameters and a private
5588 This only affects processors that support the BMI1, BMI2 and ADX extensions
5589 like Intel Broadwell (5th generation) and later or AMD Ryzen.
5591 This issue was reported to OpenSSL by the OSS-Fuzz project.
5592 ([CVE-2017-3736])
5599 OpenSSL could do a one-byte buffer overread. The most likely result
5602 This issue was reported to OpenSSL by the OSS-Fuzz project.
5606 ### Changes between 1.0.2k and 1.0.2l [25 May 2017]
5608 * Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
5613 ### Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
5617 If one side of an SSL/TLS path is running on a 32-bit host and a specific
5619 perform an out-of-bounds read, usually resulting in a crash.
5622 ([CVE-2017-3731])
5630 against RSA and DSA as a result of this defect would be very difficult to
5631 perform and are not believed likely. Attacks against DH are considered just
5634 of resources required for such an attack would be very significant and
5637 private key in a scenario with persistent DH parameters and a private
5640 similar to CVE-2015-3193 but must be treated as a separate problem.
5642 This issue was reported to OpenSSL by the OSS-Fuzz project.
5643 ([CVE-2017-3732])
5649 There is a carry propagating bug in the Broadwell-specific Montgomery
5652 and DH private keys are impossible. This is because the subroutine in
5653 question is not used in operations with the private key itself and an input
5655 transient authentication and key negotiation failures or reproducible
5656 erroneous outcome of public-key operations with specially crafted input.
5657 Among EC algorithms only Brainpool P-512 curves are affected and one
5659 detail, because pre-requisites for attack are considered unlikely. Namely
5660 multiple clients have to choose the curve in question and the server has to
5664 This issue was publicly reported as transient failures and was not
5667 ([CVE-2016-7055])
5672 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
5673 prevent issues where no progress is being made and the peer continually
5678 ### Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
5687 ([CVE-2016-7052])
5691 ### Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
5701 the "no-ocsp" build time option are not affected.
5704 ([CVE-2016-6304])
5711 This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
5713 ([CVE-2016-2183])
5722 call to EVP_EncryptUpdate() with a partial block then a length check
5729 ([CVE-2016-6303])
5740 a custom server callback and ticket lookup mechanism.
5743 ([CVE-2016-6302])
5756 ([CVE-2016-2182])
5763 the total length the OID text representation would use and not the amount
5768 ([CVE-2016-2180])
5779 Where "p" points to some malloc'd data of SIZE bytes and
5791 values of len that are too big and therefore p + len < limit.
5794 ([CVE-2016-2177])
5802 implementation means that a non-constant time codepath is followed for
5803 certain operations. This has been demonstrated through a cache-timing
5807 (Tampere University of Technology), and Yuval Yarom (The University of
5808 Adelaide and NICTA).
5809 ([CVE-2016-2178])
5815 In a DTLS connection where handshake messages are delivered out-of-order
5827 ([CVE-2016-2179])
5842 ([CVE-2016-2181])
5848 In OpenSSL 1.0.2 and earlier some missing message length checks can result
5854 and server certificate. As a result the attack can only be performed
5858 ([CVE-2016-6306])
5862 ### Changes between 1.0.2g and 1.0.2h [3 May 2016]
5864 * Prevent padding oracle in AES-NI CBC MAC check
5867 when the connection uses an AES CBC cipher and the server supports
5868 AES-NI.
5871 attack ([CVE-2013-0169]). The padding check was rewritten to be in
5872 constant time by making sure that always the same bytes are read and
5874 checked that there was enough data to have both the MAC and padding
5877 This issue was reported by Juraj Somorovsky using TLS-Attacker.
5885 amounts of input data then a length check can overflow resulting in a heap
5891 from an untrusted source and outputs it as a PEM file should be considered
5896 ([CVE-2016-2105])
5904 EVP_EncryptUpdate() with a partial block then a length check can overflow
5908 the first called function after an EVP_EncryptInit(), and therefore that
5909 specific call must be safe. The second form is where the length passed to
5910 EVP_EncryptUpdate() can be seen from the code to be some small value and
5916 of these calls have also been analysed and it is believed there are no
5920 ([CVE-2016-2106])
5936 ([CVE-2016-2109])
5947 ([CVE-2016-2176])
5961 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
5962 methods are enabled and ssl2 is disabled, the methods return NULL.
5966 ### Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
5968 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
5969 Builds that are not configured with "enable-weak-ssl-ciphers" will not
5974 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
5975 is by default disabled at build-time. Builds that are not configured with
5976 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
5977 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
5985 explicitly uses the version-specific SSLv2_method() or its client and
5987 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
5988 ciphers, and SSLv2 56-bit DES are no longer available.
5989 ([CVE-2016-0800])
5993 * Fix a double-free in DSA code
5996 keys and could lead to a DoS attack or memory corruption for applications
6002 ([CVE-2016-0705])
6019 credentials, this behaviour is not constant time and no strong
6022 ([CVE-2016-0798])
6029 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
6030 large values of `i` this can result in `bn_expand` not allocating any
6032 field as NULL leading to a subsequent NULL ptr deref. For very large values
6047 ([CVE-2016-0797])
6054 the `BIO_*printf` functions could overflow while calculating the length of a
6055 string and cause an OOB read when printing very long strings.
6059 memory allocation failure. In 1.0.2 and below this could be caused where
6068 functions when printing out human-readable dumps of ASN.1 data. Therefore
6079 ([CVE-2016-0799])
6085 A side-channel attack was found which makes use of cache-bank conflicts on
6086 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
6089 hyper-threaded core as the victim thread which is performing decryptions.
6092 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
6095 ([CVE-2016-0702])
6099 * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
6106 ### Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
6123 reuses the same private DH exponent for the life of the server process and
6125 applications do set this option and would therefore not be at risk.
6129 only known attack, and is the only possible defense for static DH
6133 default and cannot be disabled. This could have some performance impact.
6136 ([CVE-2016-0701])
6143 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
6148 and Sebastian Schinzel.
6149 ([CVE-2015-3197])
6153 ### Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
6159 against RSA and DSA as a result of this defect would be very difficult to
6160 perform and are not believed likely. Attacks against DH are considered just
6163 of resources required for such an attack would be very significant and
6166 private key in a scenario with persistent DH parameters and a private
6171 ([CVE-2015-3193])
6179 algorithm and absent mask generation function parameter. Since these
6181 used to crash any certificate verification operation and exploited in a
6183 vulnerable including OpenSSL clients and servers which enable client
6187 ([CVE-2015-3194])
6194 memory. This structure is used by the PKCS#7 and CMS routines so any
6200 ([CVE-2015-3195])
6206 though the change is mostly in the more lenient direction, and
6214 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
6216 ### Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
6225 certificate to act as a CA and "issue" an invalid certificate.
6232 ### Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
6240 ### Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
6250 certificates. This includes TLS clients and TLS servers with
6253 This issue was reported to OpenSSL by Joseph Barr-Pixton.
6254 ([CVE-2015-1788])
6258 * Exploitable out-of-bounds read in X509_cmp_time
6260 X509_cmp_time does not properly check the length of the ASN1_TIME
6261 string and can read a few bytes out of bounds. In addition,
6265 An attacker can use this to craft malformed certificates and CRLs of
6266 various sizes and potentially cause a segmentation fault, resulting in
6268 that verify CRLs are affected. TLS clients and servers with client
6272 This issue was reported to OpenSSL by Robert Swiecki (Google), and
6274 ([CVE-2015-1789])
6281 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
6282 with missing content and trigger a NULL pointer dereference on parsing.
6285 structures from untrusted sources are affected. OpenSSL clients and
6289 ([CVE-2015-1790])
6300 ([CVE-2015-1792])
6306 If a NewSessionTicket is received by a multi-threaded client when attempting to
6309 ([CVE-2015-1791])
6313 * Only support 256-bit or stronger elliptic curves with the
6315 curves, prefer P-256 (both).
6319 ### Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
6323 If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
6329 ([CVE-2015-0291])
6331 *Stephen Henson and Matt Caswell*
6339 using non-blocking IO. Typically, when the user application is using a
6344 This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
6345 ([CVE-2015-0290])
6351 The DTLSv1_listen function is intended to be stateless and processes the
6362 ([CVE-2015-0207])
6371 certificate verification operation and exploited in a DoS attack. Any
6373 OpenSSL clients and servers which enable client authentication.
6374 ([CVE-2015-0286])
6382 algorithm and invalid parameters. Since these routines are used to verify
6384 certificate verification operation and exploited in a DoS attack. Any
6386 OpenSSL clients and servers which enable client authentication.
6389 ([CVE-2015-0208])
6396 memory corruption via an invalid write. Such reuse is and has been
6397 strongly discouraged and is believed to be rare.
6400 components may be affected. Certificate parsing (d2i_X509 and related
6401 functions) are however not affected. OpenSSL clients and servers are
6403 ([CVE-2015-0287])
6410 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
6411 missing content and trigger a NULL pointer dereference on parsing.
6415 affected. OpenSSL clients and servers are not affected.
6418 ([CVE-2015-0289])
6425 servers that both support SSLv2 and enable export cipher suites by sending
6426 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
6428 This issue was discovered by Sean Burford (Google) and Emilia Käsper
6430 ([CVE-2015-0293])
6434 * Empty CKE with client auth and DHE fix
6437 ciphersuite being selected and a zero length ClientKeyExchange message
6439 ([CVE-2015-1787])
6447 - The client is on a platform where the PRNG has not been seeded
6448 automatically, and the user has not seeded manually
6449 - A protocol specific client method version has been used (i.e. not
6451 - A ciphersuite is used that does not require additional random data from
6452 the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
6455 have been generated from a PRNG with insufficient entropy and therefore the
6461 openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
6462 ([CVE-2015-0285])
6471 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
6475 This issue was discovered by the BoringSSL project and fixed in their
6477 ([CVE-2015-0209])
6487 ([CVE-2015-0288])
6495 ### Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
6500 and argue that binary targeting say ARMv5 would still execute on
6502 near-optimal performance even on newer platforms.
6506 * Accelerated NIST P-256 elliptic curve implementation for x86_64
6511 * Add support for the SignedCertificateTimestampList certificate and
6518 bogus results, with non-infinity inputs mapped to infinity too.)
6523 This covers AES, SHA256/512 and GHASH. "Initial" means that most
6524 common cases are optimized and there still is room for further
6529 * Add support for little-endian ppc64 Linux target.
6534 SHA1, SHA256 and GHASH. "Initial" means that most common cases
6535 are optimized and there still is room for further improvements.
6536 Both 32- and 64-bit modes are supported.
6546 SHA256/512, MD5, GHASH and modular exponentiation.
6555 * Support for new and upcoming Intel processors, including AVX2,
6556 BMI and SHA ISA extensions. This includes additional "stitched"
6557 implementations, AESNI-SHA256 and GCM, and multi-buffer support
6565 supports both DTLS 1.2 and 1.0 and should use whatever version the peer
6566 supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
6576 MGF1 digest and OAEP label.
6582 the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
6583 algorithms and include test cases.
6587 * Add functions to allocate and set the fields of an ECDSA_METHOD
6592 * New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
6593 difference in days and seconds between two tm or ASN1_TIME structures.
6597 * Add -rev test option to s_server to just reverse order of characters
6598 received by client and send back to server. Also prints an abbreviated
6603 * New option -brief for s_client and s_server to print out a brief summary
6610 *Trevor Perrin <trevp@trevp.net> and Ben Laurie*
6612 * New option -crl_download in several openssl utilities to download CRLs
6617 * New options -CRL and -CRLform for s_client and s_server for CRLs.
6626 * New functions to set lookup_crls function and to retrieve
6631 * Print out deprecated issuer and subject unique ID fields in
6652 message callback and prints the results. Needs compile time option
6653 "enable-ssl-trace". New options to s_client and s_server to enable
6658 * New ctrl and macro to retrieve supported points extensions.
6659 Print out extension in s_server and s_client.
6663 * New functions to retrieve certificate signature and signature
6668 * Add functions to retrieve and manipulate the raw cipherlist sent by a
6673 * New Suite B modes for TLS code. These use and enforce the requirements
6674 of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
6687 certificates: checks for matching certificate type and issuer name
6706 verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
6707 to build and store a certificate chain in CERT structure: returning
6718 hello and checking the requested ciphersuite.
6722 * New ctrls to retrieve and set certificate types in a certificate
6723 request message. Print out received values in s_client. If certificate
6724 types are not set with custom values, set sensible values based on
6729 * Support for distinct client and server supported signature algorithms.
6737 This fixes many of the problems and restrictions of the existing client
6739 certificate and specify the whole chain.
6748 Add new "cert_flags" field to CERT structure and include a "strict mode".
6756 * Update and tidy signature algorithm extension processing. Work out
6757 shared signature algorithms based on preferences and peer algorithms
6758 and print them out in s_client and s_server. Abort handshake if no
6764 for SSL and SSL_CTX structures. Add options to s_client and s_server
6775 * Integrate hostname, email address and IP address checking with certificate
6780 * Fixes and wildcard matching support to hostname and email checking
6793 *Rob Stradling <rob.stradling@comodo.com> and Ben Laurie*
6795 * Initial experimental support for explicitly trusted non-root CAs.
6798 setting is used: whether to trust (e.g., -addtrust option to the x509
6803 * Add -trusted_first option which attempts to find certificates in the
6808 * MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
6809 platform support for Linux and Android.
6813 * Support for linux-x32, ILP32 environment in x86_64 framework.
6817 * Experimental multi-implementation support for FIPS capable OpenSSL.
6843 SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
6844 support ECDH and use the most appropriate parameters.
6848 * Enhance and tidy EC curve and point format TLS extension code. Use
6849 static structures instead of allocation if default values are used.
6850 New ctrls to set curves we wish to support and to retrieve shared curves.
6851 Print out shared curves in s_server. New options to s_server and s_client
6856 * New ctrls to retrieve supported signature algorithms and
6857 supported curve values as an array of NIDs. Extend openssl utility
6858 to print out received values.
6862 * Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
6863 between NIDs and the more common NIST names such as "P-256". Enhance
6864 ecparam utility and ECC method to recognise the NIST names for curves.
6874 server and client use DH certificates with common parameters.
6883 * New function i2d_re_X509_tbs for re-encoding the TBS portion of
6885 Note: Related 1.0.2-beta specific macros X509_get_cert_info,
6886 X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
6890 -------------
6892 ### Changes between 1.0.1t and 1.0.1u [22 Sep 2016]
6902 the "no-ocsp" build time option are not affected.
6905 ([CVE-2016-6304])
6912 This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
6914 ([CVE-2016-2183])
6923 call to EVP_EncryptUpdate() with a partial block then a length check
6930 ([CVE-2016-6303])
6941 a custom server callback and ticket lookup mechanism.
6944 ([CVE-2016-6302])
6957 ([CVE-2016-2182])
6964 the total length the OID text representation would use and not the amount
6969 ([CVE-2016-2180])
6980 Where "p" points to some malloc'd data of SIZE bytes and
6992 values of len that are too big and therefore p + len < limit.
6995 ([CVE-2016-2177])
7003 implementation means that a non-constant time codepath is followed for
7004 certain operations. This has been demonstrated through a cache-timing
7008 (Tampere University of Technology), and Yuval Yarom (The University of
7009 Adelaide and NICTA).
7010 ([CVE-2016-2178])
7016 In a DTLS connection where handshake messages are delivered out-of-order
7028 ([CVE-2016-2179])
7043 ([CVE-2016-2181])
7049 In OpenSSL 1.0.2 and earlier some missing message length checks can result
7055 and server certificate. As a result the attack can only be performed
7059 ([CVE-2016-6306])
7063 ### Changes between 1.0.1s and 1.0.1t [3 May 2016]
7065 * Prevent padding oracle in AES-NI CBC MAC check
7068 when the connection uses an AES CBC cipher and the server supports
7069 AES-NI.
7072 attack ([CVE-2013-0169]). The padding check was rewritten to be in
7073 constant time by making sure that always the same bytes are read and
7075 checked that there was enough data to have both the MAC and padding
7078 This issue was reported by Juraj Somorovsky using TLS-Attacker.
7079 ([CVE-2016-2107])
7087 amounts of input data then a length check can overflow resulting in a heap
7093 from an untrusted source and outputs it as a PEM file should be considered
7098 ([CVE-2016-2105])
7106 EVP_EncryptUpdate() with a partial block then a length check can overflow
7110 the first called function after an EVP_EncryptInit(), and therefore that
7111 specific call must be safe. The second form is where the length passed to
7112 EVP_EncryptUpdate() can be seen from the code to be some small value and
7118 of these calls have also been analysed and it is believed there are no
7122 ([CVE-2016-2106])
7138 ([CVE-2016-2109])
7149 ([CVE-2016-2176])
7163 * Only remove the SSLv2 methods with the no-ssl2-method option. When the
7164 methods are enabled and ssl2 is disabled the methods return NULL.
7168 ### Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
7170 * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
7171 Builds that are not configured with "enable-weak-ssl-ciphers" will not
7176 * Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
7177 is by default disabled at build-time. Builds that are not configured with
7178 "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
7179 users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
7187 explicitly uses the version-specific SSLv2_method() or its client and
7189 recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
7190 ciphers, and SSLv2 56-bit DES are no longer available.
7191 ([CVE-2016-0800])
7195 * Fix a double-free in DSA code
7198 keys and could lead to a DoS attack or memory corruption for applications
7204 ([CVE-2016-0705])
7221 credentials, this behaviour is not constant time and no strong
7224 ([CVE-2016-0798])
7231 int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
7232 large values of `i` this can result in `bn_expand` not allocating any
7234 field as NULL leading to a subsequent NULL ptr deref. For very large values
7249 ([CVE-2016-0797])
7256 the `BIO_*printf` functions could overflow while calculating the length of a
7257 string and cause an OOB read when printing very long strings.
7261 memory allocation failure. In 1.0.2 and below this could be caused where
7270 functions when printing out human-readable dumps of ASN.1 data. Therefore
7281 ([CVE-2016-0799])
7287 A side-channel attack was found which makes use of cache-bank conflicts on
7288 the Intel Sandy-Bridge microarchitecture which could lead to the recovery
7291 hyper-threaded core as the victim thread which is performing decryptions.
7294 Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
7297 ([CVE-2016-0702])
7301 * Change the req command to generate a 2048-bit RSA/DSA key by default,
7308 ### Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
7313 switched on by default and cannot be disabled. This could have some
7321 the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
7326 and Sebastian Schinzel.
7327 ([CVE-2015-3197])
7335 ### Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
7341 algorithm and absent mask generation function parameter. Since these
7343 used to crash any certificate verification operation and exploited in a
7345 vulnerable including OpenSSL clients and servers which enable client
7349 ([CVE-2015-3194])
7356 memory. This structure is used by the PKCS#7 and CMS routines so any
7362 ([CVE-2015-3195])
7368 though the change is mostly in the more lenient direction, and
7376 *Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>*
7378 ### Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
7387 certificate to act as a CA and "issue" an invalid certificate.
7391 ([CVE-2015-1793])
7397 If PSK identity hints are received by a multi-threaded client then
7398 the values are wrongly updated in the parent SSL_CTX structure. This can
7401 ([CVE-2015-3196])
7405 ### Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
7411 ### Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
7421 certificates. This includes TLS clients and TLS servers with
7424 This issue was reported to OpenSSL by Joseph Barr-Pixton.
7425 ([CVE-2015-1788])
7429 * Exploitable out-of-bounds read in X509_cmp_time
7431 X509_cmp_time does not properly check the length of the ASN1_TIME
7432 string and can read a few bytes out of bounds. In addition,
7436 An attacker can use this to craft malformed certificates and CRLs of
7437 various sizes and potentially cause a segmentation fault, resulting in
7439 that verify CRLs are affected. TLS clients and servers with client
7443 This issue was reported to OpenSSL by Robert Swiecki (Google), and
7445 ([CVE-2015-1789])
7452 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
7453 with missing content and trigger a NULL pointer dereference on parsing.
7456 structures from untrusted sources are affected. OpenSSL clients and
7460 ([CVE-2015-1790])
7471 ([CVE-2015-1792])
7477 If a NewSessionTicket is received by a multi-threaded client when attempting to
7480 ([CVE-2015-1791])
7486 *Kurt Roeckx and Emilia Kasper*
7488 * dhparam: generate 2048-bit parameters by default.
7490 *Kurt Roeckx and Emilia Kasper*
7492 ### Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
7499 certificate verification operation and exploited in a DoS attack. Any
7501 OpenSSL clients and servers which enable client authentication.
7502 ([CVE-2015-0286])
7509 memory corruption via an invalid write. Such reuse is and has been
7510 strongly discouraged and is believed to be rare.
7513 components may be affected. Certificate parsing (d2i_X509 and related
7514 functions) are however not affected. OpenSSL clients and servers are
7516 ([CVE-2015-0287])
7523 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
7524 missing content and trigger a NULL pointer dereference on parsing.
7528 affected. OpenSSL clients and servers are not affected.
7531 ([CVE-2015-0289])
7538 servers that both support SSLv2 and enable export cipher suites by sending
7539 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
7541 This issue was discovered by Sean Burford (Google) and Emilia Käsper
7543 ([CVE-2015-0293])
7552 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
7556 This issue was discovered by the BoringSSL project and fixed in their
7558 ([CVE-2015-0209])
7568 ([CVE-2015-0288])
7576 ### Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
7578 * Build fixes for the Windows and OpenVMS platforms
7580 *Matt Caswell and Richard Levitte*
7582 ### Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
7588 ([CVE-2014-3571])
7598 ([CVE-2015-0206])
7602 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
7603 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
7606 ([CVE-2014-3569])
7615 ([CVE-2014-3572])
7619 * Remove non-export ephemeral RSA code on client and server. This code
7621 non-export ciphersuites and could be used by a server to effectively
7622 downgrade the RSA key length used to a value smaller than the server
7625 ([CVE-2015-0204])
7634 containing DH keys: these are extremely rare and hardly ever encountered.
7637 ([CVE-2015-0205])
7645 and can vary with the CTX.
7651 By using non-DER or invalid encodings outside the signed portion of a
7672 Re-encode DSA/ECDSA signatures and compare with the original received
7676 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
7677 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
7680 Further analysis was conducted and fixes were developed by Stephen Henson
7683 ([CVE-2014-8275])
7689 with a very low probability, and is not known to be exploitable in any
7691 Wuille (Blockstream) who reported this issue and also suggested an initial
7692 fix. Further analysis was conducted by the OpenSSL development team and
7695 ([CVE-2014-3570])
7702 sanity and breaks all known clients.
7712 * Tighten client-side session ticket handling during renegotiation:
7715 reuse the old extension state and thus accept a session ticket if one was
7724 ### Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
7732 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
7737 ([CVE-2014-3513])
7749 ([CVE-2014-3567])
7753 * Build option no-ssl3 is incomplete.
7755 When OpenSSL is configured with "no-ssl3" as a build option, servers
7756 could accept and complete a SSL 3.0 handshake, and clients could be
7758 ([CVE-2014-3568])
7760 *Akamai and the OpenSSL team*
7765 ([CVE-2014-3566])
7771 Re-encode DigestInfo in DER and check against the original when
7775 Note: this is a precautionary measure and no attacks are currently known.
7779 ### Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
7785 Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
7787 ([CVE-2014-3512])
7793 is badly fragmented. This allows a man-in-the-middle attacker to force a
7794 downgrade to TLS 1.0 even if both the server and the client support a
7797 Thanks to David Benjamin and Adam Langley (Google) for discovering and
7799 ([CVE-2014-3511])
7806 ciphersuite and sending carefully crafted handshake messages.
7808 Thanks to Felix Gröbert (Google) for discovering and researching this
7810 ([CVE-2014-3510])
7816 Thanks to Adam Langley for discovering and researching this issue.
7817 ([CVE-2014-3507])
7824 Thanks to Adam Langley for discovering and researching this issue.
7825 ([CVE-2014-3506])
7832 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
7834 ([CVE-2014-3505])
7839 session and the server sends an ec point format extension it could write
7842 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
7844 ([CVE-2014-3509])
7853 Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
7854 discovering and researching this issue.
7855 ([CVE-2014-5139])
7865 ([CVE-2014-3508])
7867 *Emilia Käsper, and Steve Henson*
7871 bogus results, with non-infinity inputs mapped to infinity too.)
7875 ### Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
7879 SSL/TLS clients and servers.
7881 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
7882 researching this issue. ([CVE-2014-0224])
7890 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
7891 ([CVE-2014-0221])
7900 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
7907 Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
7908 this issue. ([CVE-2014-3470])
7912 * Harmonize version and its documentation. -f flag is used to display
7926 ### Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
7932 Thanks to Neel Mehta of Google Security for discovering this bug and to
7933 Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
7934 preparing the fix ([CVE-2014-0160])
7939 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
7940 by Yuval Yarom and Naomi Benger. Details can be obtained from:
7943 Thanks to Yuval Yarom and Naomi Benger for discovering this
7944 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
7946 *Yuval Yarom and Naomi Benger*
7948 * TLS pad extension: draft-agl-tls-padding-03
7950 Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
7951 TLS client Hello record length value would otherwise be > 255 and
7957 ### Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
7962 ([CVE-2013-4353])
7964 * Keep original DTLS digest and encryption contexts in retransmission
7966 to be resent. ([CVE-2013-6450])
7971 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
7973 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
7975 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
7979 ### Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
7981 * Correct fix for CVE-2013-0169. The original didn't work on AES-NI
7986 ### Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
7988 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
7991 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
7994 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
7996 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
7998 ([CVE-2013-0169])
8002 * Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
8004 Thanks go to Adam Langley <agl@chromium.org> for discovering
8005 and detecting this bug and to Wolfgang Ettlinger
8007 ([CVE-2012-2686])
8012 This fixes a DoS attack. ([CVE-2013-0166])
8018 *Chris Palmer <palmer@google.com> and Ben Laurie*
8036 ### Changes between 1.0.1b and 1.0.1c [10 May 2012]
8038 * Sanity check record length before skipping explicit IV in TLS
8039 1.2, 1.1 and DTLS to fix DoS attack.
8041 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8043 ([CVE-2012-2333])
8057 ### Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
8059 * OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
8065 OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
8067 inability to disable specifically TLS 1.1 and in client context,
8075 that if application wants to disable TLS1.0 in favor of TLS1.1 and
8082 ### Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
8085 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
8089 issue and to Adam Langley <agl@chromium.org> for fixing it.
8090 ([CVE-2012-2110])
8094 * Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
8099 record length exceeds 255 bytes.
8106 -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
8117 ### Changes between 1.0.0h and 1.0.1 [14 Mar 2012]
8125 and the RSA_sign/RSA_verify functions. This was made more apparent when
8127 those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
8133 support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
8136 and still work with previous versions of OpenSSL.
8142 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8146 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8154 - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
8155 - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
8156 - x86_64: bit-sliced AES implementation;
8157 - ARM: NEON support, optimizations for contemporary platforms;
8158 - s390x: z196 support;
8159 - `*`: GHASH and GF(2^m) multiplication implementations;
8163 * Make TLS-SRP code conformant with RFC 5054 API cleanup
8172 * Add DTLS-SRTP negotiation from RFC 5764.
8177 <http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00>. Can be
8178 disabled with a no-npn flag to config or Configure. Code donated
8181 *Adam Langley <agl@google.com> and Ben Laurie*
8183 * Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
8184 NIST-P256, NIST-P521, with constant-time single point multiplication on
8186 required to use this (present in gcc 4.4 and later, for 64-bit builds).
8189 Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
8190 line to include this in your build of OpenSSL, and run "make depend" (or
8209 * New -sigopt option to the ca, req and x509 utilities. Additional
8210 signature parameters can be passed using this option and in
8215 * Add RSA PSS signing function. This will generate and set the
8222 New function ASN1_item_sign_ctx() signs a pre-initialised
8223 EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
8254 * Split password based encryption into PBES2 and PBKDF2 functions. This
8255 neatly separates the code into cipher and PBE sections and is required
8261 * Session-handling fixes:
8262 - Fix handling of connections that are resuming with a session ID,
8264 - Fix a bug that suppressed issuing of a new ticket if the client
8266 - Try to set the ticket lifetime hint to something reasonable.
8267 - Make tickets shorter by excluding irrelevant information.
8268 - On the client side, don't ignore renewed tickets.
8276 * Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
8283 the IV between the fixed (from PRF) and explicit (from TLS record)
8284 portions. This adds all GCM ciphersuites supported by RFC5288 and
8285 RFC5289. Generalise some `AES*` cipherstrings to include GCM and
8291 field on decrypt and retrieval of invocation field only on encrypt.
8302 as unset and return the appropriate default but do *not* set the default.
8304 switch between FIPS and non-FIPS modes.
8308 * Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
8310 keep original code iff non-FIPS operations are allowed.
8314 * Add -attime option to openssl utilities.
8316 *Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson*
8318 * Redirect DSA and DH operations to FIPS module in FIPS mode.
8322 * Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
8327 * New build option no-ec2m to disable characteristic 2 code.
8331 * Backport libcrypto audit of return value checking from 1.1.0-dev; not
8337 encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
8341 * Add similar low-level API blocking to ciphers.
8345 * low-level digest APIs are not approved in FIPS mode: any attempt
8360 for static and shared library builds embedding a signature if needed.
8374 * Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
8375 and enable MD5.
8379 * Functions FIPS_mode_set() and FIPS_mode() which call the underlying
8400 support yet and no support for client certificates.
8405 to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
8407 TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
8409 and version checking.
8421 Sylvester and Christophe Renou) was integrated.
8423 <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
8426 * Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
8433 *Robin Seggelmann <seggelmann@fh-muenster.de>*
8443 *Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson*
8457 -------------
8459 ### Changes between 1.0.0s and 1.0.0t [3 Dec 2015]
8464 memory. This structure is used by the PKCS#7 and CMS routines so any
8470 ([CVE-2015-3195])
8476 If PSK identity hints are received by a multi-threaded client then
8477 the values are wrongly updated in the parent SSL_CTX structure. This can
8480 ([CVE-2015-3196])
8484 ### Changes between 1.0.0r and 1.0.0s [11 Jun 2015]
8494 certificates. This includes TLS clients and TLS servers with
8497 This issue was reported to OpenSSL by Joseph Barr-Pixton.
8498 ([CVE-2015-1788])
8502 * Exploitable out-of-bounds read in X509_cmp_time
8504 X509_cmp_time does not properly check the length of the ASN1_TIME
8505 string and can read a few bytes out of bounds. In addition,
8509 An attacker can use this to craft malformed certificates and CRLs of
8510 various sizes and potentially cause a segmentation fault, resulting in
8512 that verify CRLs are affected. TLS clients and servers with client
8516 This issue was reported to OpenSSL by Robert Swiecki (Google), and
8518 ([CVE-2015-1789])
8525 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
8526 with missing content and trigger a NULL pointer dereference on parsing.
8529 structures from untrusted sources are affected. OpenSSL clients and
8533 ([CVE-2015-1790])
8544 ([CVE-2015-1792])
8550 If a NewSessionTicket is received by a multi-threaded client when attempting to
8553 ([CVE-2015-1791])
8557 ### Changes between 1.0.0q and 1.0.0r [19 Mar 2015]
8564 certificate verification operation and exploited in a DoS attack. Any
8566 OpenSSL clients and servers which enable client authentication.
8567 ([CVE-2015-0286])
8574 memory corruption via an invalid write. Such reuse is and has been
8575 strongly discouraged and is believed to be rare.
8578 components may be affected. Certificate parsing (d2i_X509 and related
8579 functions) are however not affected. OpenSSL clients and servers are
8581 ([CVE-2015-0287])
8588 correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
8589 missing content and trigger a NULL pointer dereference on parsing.
8593 affected. OpenSSL clients and servers are not affected.
8596 ([CVE-2015-0289])
8603 servers that both support SSLv2 and enable export cipher suites by sending
8604 a specially crafted SSLv2 CLIENT-MASTER-KEY message.
8606 This issue was discovered by Sean Burford (Google) and Emilia Käsper
8608 ([CVE-2015-0293])
8617 or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
8621 This issue was discovered by the BoringSSL project and fixed in their
8623 ([CVE-2015-0209])
8633 ([CVE-2015-0288])
8641 ### Changes between 1.0.0p and 1.0.0q [15 Jan 2015]
8643 * Build fixes for the Windows and OpenVMS platforms
8645 *Matt Caswell and Richard Levitte*
8647 ### Changes between 1.0.0o and 1.0.0p [8 Jan 2015]
8653 ([CVE-2014-3571])
8663 ([CVE-2015-0206])
8667 * Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
8668 built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
8671 ([CVE-2014-3569])
8680 ([CVE-2014-3572])
8684 * Remove non-export ephemeral RSA code on client and server. This code
8686 non-export ciphersuites and could be used by a server to effectively
8687 downgrade the RSA key length used to a value smaller than the server
8690 ([CVE-2015-0204])
8699 containing DH keys: these are extremely rare and hardly ever encountered.
8702 ([CVE-2015-0205])
8708 with a very low probability, and is not known to be exploitable in any
8710 Wuille (Blockstream) who reported this issue and also suggested an initial
8711 fix. Further analysis was conducted by the OpenSSL development team and
8714 ([CVE-2014-3570])
8720 By using non-DER or invalid encodings outside the signed portion of a
8741 Reencode DSA/ECDSA signatures and compare with the original received
8745 (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
8746 program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
8749 Further analysis was conducted and fixes were developed by Stephen Henson
8752 ([CVE-2014-8275])
8756 ### Changes between 1.0.0n and 1.0.0o [15 Oct 2014]
8766 ([CVE-2014-3567])
8770 * Build option no-ssl3 is incomplete.
8772 When OpenSSL is configured with "no-ssl3" as a build option, servers
8773 could accept and complete a SSL 3.0 handshake, and clients could be
8775 ([CVE-2014-3568])
8777 *Akamai and the OpenSSL team*
8782 ([CVE-2014-3566])
8788 Re-encode DigestInfo in DER and check against the original when
8792 Note: this is a precautionary measure and no attacks are currently known.
8796 ### Changes between 1.0.0m and 1.0.0n [6 Aug 2014]
8801 ciphersuite and sending carefully crafted handshake messages.
8803 Thanks to Felix Gröbert (Google) for discovering and researching this
8805 ([CVE-2014-3510])
8811 Thanks to Adam Langley for discovering and researching this issue.
8812 ([CVE-2014-3507])
8819 Thanks to Adam Langley for discovering and researching this issue.
8820 ([CVE-2014-3506])
8827 Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
8829 ([CVE-2014-3505])
8834 session and the server sends an ec point format extension it could write
8837 Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
8839 ([CVE-2014-3509])
8849 ([CVE-2014-3508])
8851 *Emilia Käsper, and Steve Henson*
8855 bogus results, with non-infinity inputs mapped to infinity too.)
8859 ### Changes between 1.0.0l and 1.0.0m [5 Jun 2014]
8863 SSL/TLS clients and servers.
8865 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
8866 researching this issue. ([CVE-2014-0224])
8874 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
8875 ([CVE-2014-0221])
8884 Thanks to Jüri Aedla for reporting this issue. ([CVE-2014-0195])
8891 Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
8892 this issue. ([CVE-2014-3470])
8896 * Harmonize version and its documentation. -f flag is used to display
8911 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
8912 by Yuval Yarom and Naomi Benger. Details can be obtained from:
8915 Thanks to Yuval Yarom and Naomi Benger for discovering this
8916 flaw and to Yuval Yarom for supplying a fix ([CVE-2014-0076])
8918 *Yuval Yarom and Naomi Benger*
8920 ### Changes between 1.0.0k and 1.0.0l [6 Jan 2014]
8922 * Keep original DTLS digest and encryption contexts in retransmission
8924 to be resent. ([CVE-2013-6450])
8929 avoids preferring ECDHE-ECDSA ciphers when the client appears to be
8931 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
8933 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
8937 ### Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
8939 * Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
8942 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
8945 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
8947 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
8949 ([CVE-2013-0169])
8954 This fixes a DoS attack. ([CVE-2013-0166])
8970 ### Changes between 1.0.0i and 1.0.0j [10 May 2012]
8972 [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
8975 * Sanity check record length before skipping explicit IV in DTLS
8978 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
8980 ([CVE-2012-2333])
8989 ### Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
8992 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
8996 issue and to Adam Langley <agl@chromium.org> for fixing it.
8997 ([CVE-2012-2110])
9001 ### Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
9004 in CMS and PKCS7 code. When RSA decryption fails use a random key for
9005 content decryption and always return the same error. Note: this attack
9007 old behaviour can be re-enabled in the CMS code by setting the
9008 CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
9011 this issue. ([CVE-2012-0884])
9015 * Fix CVE-2011-4619: make sure we really are receiving a
9021 ### Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
9023 * Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
9024 Thanks to Antonio Martin, Enterprise Secure Access Research and
9025 Development, Cisco Systems, Inc. for discovering this bug and
9026 preparing a fix. ([CVE-2012-0050])
9030 ### Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
9032 * Nadhem Alfardan and Kenny Paterson have discovered an extension
9039 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
9041 (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
9042 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
9043 for preparing the fix. ([CVE-2011-4108])
9048 ([CVE-2011-4576])
9053 Kadianakis <desnacked@gmail.com> for discovering this issue and
9054 Adam Langley for preparing the fix. ([CVE-2011-4619])
9058 * Check parameters are not NULL in GOST ENGINE. ([CVE-2012-0027])
9064 and Rob Austein <sra@hactrn.net> for fixing it. ([CVE-2011-4577])
9072 * Fix ssl_ciph.c set-up race.
9090 lock to call BN_BLINDING_invert_ex, and avoids one use of
9096 * In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
9100 ### Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
9103 by initialising X509_STORE_CTX properly. ([CVE-2011-3207])
9108 for multi-threaded use of ECDH. ([CVE-2011-3210])
9116 * Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
9123 by Billy Bob Brumley and Nicola Tuveri, see:
9126 *Billy Bob Brumley and Nicola Tuveri*
9128 ### Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
9130 * Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
9140 ### Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
9142 * Disable code workaround for ancient and obsolete Netscape browsers
9143 and servers: an attacker can use it in a ciphersuite downgrade attack.
9144 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
9148 * Fixed J-PAKE implementation error, originally discovered by
9149 Sebastien Martini, further info and confirmation from Stefan
9150 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
9154 ### Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
9158 be shared by multiple threads. CVE-2010-3864
9167 ### Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
9170 ([CVE-2010-1633])
9172 *Steve Henson, Peter-Michael Hager <hager@dortmund.net>*
9174 ### Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
9186 * Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
9212 * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
9213 needlessly dereferenced structures, used obsolete functions and
9222 * In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
9225 of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
9226 it handles reference counts correctly and doesn't zero out the I/O bio
9239 * Add ECDHE and PSK support to DTLS.
9241 *Michael Tuexen <tuexen@fh-muenster.de>*
9250 `EVP_MD_do_all*()` and `EVP_CIPHER_do_all*()` to include the name a digest
9258 this allows the use of compression and extensions. Change default cipher
9265 key ids to find matching certificates and keys but some PKCS#12 files
9266 don't follow the (somewhat unwritten) rules and this strategy fails.
9267 Now just gather all certificates together and the first private key
9272 * Support use of registered digest and cipher names for dgst and cipher
9280 openssl dgst -sha256 foo
9282 and this works for ENGINE based algorithms too.
9296 even if they aren't identical) and uses SHA1 instead of MD5. This form
9297 is incompatible with the older format and as a result c_rehash should
9303 traditional format. This form is standardised, more secure and doesn't
9313 * Add session ticket override functionality for use by EAP-FAST.
9322 * Type-checked OBJ_bsearch_ex.
9326 * Type-checked OBJ_bsearch. Also some constification necessitated
9327 by type-checking. Still to come: TXT_DB, bsearch(?),
9333 * New function OPENSSL_gmtime_adj() to add a specific number of days and
9337 and X509_time_adj_ex() to cover the extended range. The existing
9338 X509_time_adj() is still usable and will no longer have any date issues.
9343 and search any appropriate delta CRLs available.
9350 code and add additional score elements. Validate alternate CRL paths
9351 as part of the CRL checking and indicate a new error "CRL path validation
9353 the verify callback and check the new "parent" field. If this is not
9369 passed directly and not via lookup. Process certificate issuer
9370 CRL entry extension and lookup CRL entries by both issuer name
9371 and serial number. Check and process CRL issuer entry in IDP extension.
9377 * Add support for distinct certificate and CRL paths. The CRL issuer
9393 policy processing to align with RFC3280 and PKITS tests.
9400 and URI types are currently supported.
9406 * To cater for systems that provide a pointer-based thread ID rather
9407 than numeric, deprecate the current numeric thread ID mechanism and
9408 replace it with a structure and associated callback type. This
9410 either case, and on platforms where pointers are larger than 'long',
9413 as a pointer-based thread ID to distinguish between threads.
9425 CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
9426 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
9437 simple case where the self issued certificates in the chain exist and
9448 * Revamp of STACK to provide stronger type-checking. Still to come:
9459 * Revamp of LHASH to provide stronger type-checking. Still to come:
9465 on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
9466 support for data, signedData, compressedData, digestedData and
9468 RFC4134 examples draft and interop and consistency checks of many
9469 content types and variants.
9477 * Extend mk1mf to support importing of options and assembly language
9478 files from Configure script, currently only included in VC-WIN32.
9493 * ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
9499 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
9500 official specification yet and no extension type assignment by
9505 -DTLSEXT_TYPE_opaque_prf_input=0x9527
9509 and unofficial assignment based on the MD5 hash of the Internet
9516 an internal copy of the length-'len' string at 'src', and will
9517 return non-zero for success.
9519 To get more control and flexibility, provide a callback function
9527 int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
9530 Callback function 'cb' will be called in handshakes, and is
9535 has to return non-zero to report success: usually 1 to use opaque
9540 Arguments 'peerinput' and 'len' given to the callback function
9541 will always be NULL and 0 in the case of a client. A server will
9543 available (NULL and 0 otherwise). Note that if the server
9544 provides an opaque PRF input, the length must be the same as the
9545 length of the client's opaque PRF input.
9549 previously negotiated), and will not be called in SSL 2.0
9595 * Add option -stream to use PKCS#7 streaming in smime utility. New
9596 function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
9597 to output in BER and PEM format.
9604 ENGINE support for HMAC keys which are unextractable. New -mac and
9605 -macopt options to dgst utility.
9609 * New option -sigopt to dgst utility. Update dgst to use
9618 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
9626 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
9652 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
9654 away into the non-exported interface ssl/ssl_locl.h, so this
9657 categories, so there is no longer a need to coagulate AES128 and
9658 AES256 into a single algorithm bit, and to coagulate Camellia128
9659 and Camellia256 into a single algorithm bit, which has led to all
9662 Thus, among other things, the kludge introduced in 0.9.7m and
9667 so far were missing: "AES128", "AES256", "CAMELLIA128", and
9672 * Add support for dsa-with-SHA224 and dsa-with-SHA256.
9679 it yet and it is largely untested.
9683 * Add support for the ecdsa-with-SHA224/256/384/512 signature types.
9688 some compilers (gcc 4.2 and later) reject their use. Safestack is
9706 -verify_return_error to s_client and s_server. This causes real errors
9712 * GOST engine, supporting several GOST algorithms and public key formats.
9720 selected via a scoring technique which handles IDP and AKID in CRLs.
9724 * New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
9726 X509_STORE dependency on certificate verification and allow alternative
9739 extensions in X509_CRL structure and cache CRLDP in X509.
9749 * Non-blocking OCSP request processing. Add -timeout option to ocsp
9760 EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
9761 ctrl. It can then customise the structure before and/or after signing
9773 EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
9774 digest and cipher tables. New options added to openssl utility:
9775 list-message-digest-algorithms and list-cipher-algorithms.
9779 * Change the array representation of binary polynomials: the list
9780 of degrees of non-zero coefficients is now terminated with -1.
9782 value; thus, the array representation was not applicable to
9784 the array representation useful in a more general context.
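As an added illustration of the representation change described in that entry (example code written for this page, not OpenSSL's BN_GF2m_*_arr routines; the function names are made up), the following Python builds a GF(2)[x] polynomial from a degree list terminated with -1, reduces modulo it and multiplies in GF(2^m). The reduction polynomial of the NIST B-163 curve, x^163 + x^7 + x^6 + x^3 + 1, is the sample input. It has a constant term, i.e. degree 0 appears as an ordinary entry, which is why a terminator that is itself a legitimate degree value cannot serve in the general case and -1 is used instead.

```python
def poly_from_degrees(degrees):
    """Build a GF(2)[x] polynomial as a Python int (bit i = coefficient of x^i)
    from a list of degrees of its non-zero coefficients terminated by -1."""
    value = 0
    for degree in degrees:
        if degree == -1:
            return value
        if degree < 0:
            raise ValueError("only -1 is allowed as a negative entry")
        value |= 1 << degree
    raise ValueError("degree list is not terminated with -1")


def degrees_from_poly(value):
    """Inverse of poly_from_degrees: descending degrees followed by the -1 terminator.
    Degree 0 (the constant term) is an ordinary entry, so the terminator cannot be 0."""
    return [d for d in range(value.bit_length() - 1, -1, -1) if (value >> d) & 1] + [-1]


def gf2m_mod(a, p_degrees):
    """Reduce a modulo the polynomial p given as a degree list (long division in GF(2)[x])."""
    p = poly_from_degrees(p_degrees)
    if p == 0:
        raise ValueError("reduction modulo the zero polynomial")
    m = p.bit_length() - 1
    while a.bit_length() - 1 >= m:
        a ^= p << (a.bit_length() - 1 - m)   # cancel the current leading term
    return a


def gf2m_mul_mod(a, b, p_degrees):
    """Carry-less product of a and b reduced modulo p: multiplication in GF(2^m)."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        b >>= 1
    return gf2m_mod(product, p_degrees)


# Reduction polynomial of the NIST B-163 curve: x^163 + x^7 + x^6 + x^3 + 1
B163 = [163, 7, 6, 3, 0, -1]

if __name__ == "__main__":
    print(hex(gf2m_mod(1 << 163, B163)))            # 0xc9: x^163 = x^7 + x^6 + x^3 + 1 mod p
    print(degrees_from_poly(poly_from_degrees(B163)))
```

The round trip through `degrees_from_poly` shows the convention is unambiguous for any polynomial, including ones with a constant term; a list such as `[3, 0]` without the terminator is rejected rather than silently truncated.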
9788 * Various modifications and fixes to SSL/TLS cipher string
9790 with RSA certificates on the one hand and with ECDSA certificates
9798 merely the CA's signing algorithm and not actively used in the
9802 available, and ECC ciphersuites are no longer excluded from "ALL"
9803 and "DEFAULT". The following aliases now exist for RFC 4492
9806 kECDHr - ECDH cert, signed with RSA
9807 kECDHe - ECDH cert, signed with ECDSA
9808 kECDH - ECDH cert (signed with either RSA or ECDSA)
9809 kEECDH - ephemeral ECDH
9810 ECDH - ECDH cert or ephemeral ECDH
9812 aECDH - ECDH cert
9813 aECDSA - ECDSA cert
9814 ECDSA - ECDSA cert
9816 AECDH - anonymous ECDH
9817 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
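To make the cipher-string operators described earlier ("foo+bar" to require both, "+foo+bar" to move, "-foo+bar" and "!foo+bar" to disable) and the RFC 4492 aliases above concrete, here is a small Python model of cipher-string evaluation. It is an added example for this page, not the library's own ssl_ciph.c. The ciphersuite table and its attribute values are constructed for the example, and only the aliases listed above plus PSK, aNULL, AES128/AES256 and HIGH/MEDIUM are modelled (ALL, DEFAULT, @STRENGTH and the rest are not), so the lists it produces are illustrative orderings, not what a real build prints. The list handling follows the library's: every suite sits once in an ordered list with an active flag, and a suite removed with "-" is parked at the head of the inactive part so that a later add rule picks it up before anything else, while "!" drops it for the rest of the string.

```python
import re

# Constructed ciphersuite table in a notional default preference order.  The
# attribute values (kEECDH, kECDHr, aECDH, aECDSA, aNULL, HIGH, ...) reuse the
# vocabulary of the aliases listed above; the table itself is made up for this
# example and far smaller than the library's.
CIPHERS = [
    ("ECDHE-ECDSA-AES256-SHA", {"kx": "kEECDH", "au": "aECDSA", "enc": "AES256", "str": "HIGH"}),
    ("ECDHE-RSA-AES128-SHA",   {"kx": "kEECDH", "au": "aRSA",   "enc": "AES128", "str": "HIGH"}),
    ("AECDH-AES128-SHA",       {"kx": "kEECDH", "au": "aNULL",  "enc": "AES128", "str": "HIGH"}),
    ("ECDH-RSA-AES128-SHA",    {"kx": "kECDHr", "au": "aECDH",  "enc": "AES128", "str": "HIGH"}),
    ("PSK-AES256-CBC-SHA",     {"kx": "kPSK",   "au": "aPSK",   "enc": "AES256", "str": "HIGH"}),
    ("PSK-3DES-EDE-CBC-SHA",   {"kx": "kPSK",   "au": "aPSK",   "enc": "3DES",   "str": "MEDIUM"}),
    ("RC4-MD5",                {"kx": "kRSA",   "au": "aRSA",   "enc": "RC4",    "str": "MEDIUM"}),
    ("AES128-SHA",             {"kx": "kRSA",   "au": "aRSA",   "enc": "AES128", "str": "HIGH"}),
]

AUTH_ALL = {"aRSA", "aECDSA", "aECDH", "aPSK", "aNULL"}

# An alias is a conjunction over fields; within one field any listed value matches.
ALIASES = {
    # the RFC 4492 aliases from the list above
    "kECDHr": {"kx": {"kECDHr"}},
    "kECDHe": {"kx": {"kECDHe"}},
    "kECDH":  {"kx": {"kECDHr", "kECDHe"}},
    "kEECDH": {"kx": {"kEECDH"}},
    "ECDH":   {"kx": {"kECDHr", "kECDHe", "kEECDH"}},
    "aECDH":  {"au": {"aECDH"}},
    "aECDSA": {"au": {"aECDSA"}},
    "ECDSA":  {"au": {"aECDSA"}},
    "AECDH":  {"kx": {"kEECDH"}, "au": {"aNULL"}},
    "EECDH":  {"kx": {"kEECDH"}, "au": AUTH_ALL - {"aNULL"}},   # same as "kEECDH:-AECDH"
    # a handful of ordinary aliases, assumed for the example
    "PSK":    {"kx": {"kPSK"}},
    "aNULL":  {"au": {"aNULL"}},
    "AES128": {"enc": {"AES128"}},
    "AES256": {"enc": {"AES256"}},
    "HIGH":   {"str": {"HIGH"}},
    "MEDIUM": {"str": {"MEDIUM"}},
}


def word_matches(word, name, attrs):
    """One word of a rule: an exact ciphersuite name or an alias; unknown words match nothing."""
    if word == name:
        return True
    alias = ALIASES.get(word)
    return alias is not None and all(attrs[f] in allowed for f, allowed in alias.items())


def cipher_list(rulestr, table=CIPHERS):
    """Evaluate a cipher string and return the enabled suites in preference order."""
    attrs = dict(table)
    order = [name for name, _ in table]      # every suite once, in list order
    active = set()                           # suites currently enabled
    for rule in re.split(r"[:, ]", rulestr):
        if not rule:
            continue
        op = ""
        if rule[0] in "!-+":
            op, rule = rule[0], rule[1:]
        words = rule.split("+")                              # "A+B": must match A and B
        matched = [n for n in order if all(word_matches(w, n, attrs[n]) for w in words)]
        if op == "!":                                        # kill: gone for the rest of the string
            order = [n for n in order if n not in matched]
            active -= set(matched)
        elif op == "-":                                      # delete: inactive, parked at the head
            deleted = [n for n in matched if n in active]    # so a later add finds it first
            order = deleted + [n for n in order if n not in deleted]
            active -= set(deleted)
        elif op == "+":                                      # move: active matches go to the end
            moved = [n for n in matched if n in active]
            order = [n for n in order if n not in moved] + moved
        else:                                                # add: append matches not yet active
            added = [n for n in matched if n not in active]
            order = [n for n in order if n not in added] + added
            active |= set(added)
    return [n for n in order if n in active]


if __name__ == "__main__":
    for s in ("EECDH", "kEECDH:-AECDH", "PSK:-PSK:HIGH", "HIGH:!PSK:PSK"):
        print(f"{s:16} -> {cipher_list(s)}")
```

In this model `EECDH` and `kEECDH:-AECDH` yield the same list, `AECDH` selects only the anonymous suite, and `PSK:-PSK:HIGH` returns the HIGH suites with the PSK suite that is also HIGH moved to the front, because the delete parks it where the following add rule finds it first. Swapping the `-` for `!` (`HIGH:!PSK:PSK`) keeps the PSK suites out even though a later rule asks for them again.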
9821 * Add additional S/MIME capabilities for AES and GOST ciphers if supported.
9832 an engine to register a method. Add ENGINE lookups for methods and
9843 * New -resign option to smime utility. This adds one or more signers
9844 to an existing PKCS#7 signedData structure. Also -md option to use an
9849 * Tidy up PKCS#7 routines and add new functions to make it easier to
9855 * New -macalg option to pkcs12 utility to allow setting of an alternative
9884 return value indicates how strong the preference is 1 means optional and
9892 * Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
9895 between digests and public key types.
9899 * Add an OID cross reference table and utility functions. Its purpose is to
9900 translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
9912 * Add provisional EC pkey method with support for ECDSA and ECDH.
9916 * Add support for key derivation (agreement) in the API, DH method and
9921 * Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
9922 public and private key formats. As a side effect these add additional
9924 generated and verified using pkeyutl and DH key support and generation in
9939 generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
9940 support key and parameter generation and add initial key generation
9958 "list-public-key-algorithms" to print out info.
9963 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
9972 * New utilities pkey and pkeyparam. These are similar to algorithm specific
9986 De-spaghettify the public key ASN1 handling. Move public and private
9990 of public and private key structures.
9995 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
10000 for the psk identity [hint] and the psk callback functions to the
10001 SSL_SESSION, SSL and SSL_CTX structure.
10004 PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
10005 PSK-AES256-CBC-SHA
10013 *Mika Kousa and Pasi Eronen of Nokia Corporation*
10016 and response verification functionality.
10021 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
10034 New CTRL codes and macros (subject to change):
10037 - SSL_CTX_set_tlsext_servername_callback()
10039 - SSL_CTX_set_tlsext_servername_arg()
10040 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10042 openssl s_client has a new '-servername ...' option.
10044 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10045 '-key2 ...', '-servername_fatal' (subject to change). This allows
10046 testing the HostName extension for a specific single host name ('-cert'
10047 and '-key' remain fallbacks for handshakes without HostName
10049 default is a warning; it becomes fatal with the '-servername_fatal'
10058 * BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
10062 implementations, between 32- and 64-bit builds without hassle.
10067 to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
10075 "64-bit" performance on certain 32-bit targets.
10086 * New option -V for 'openssl ciphers'. This prints the ciphersuite code
10092 ASN1 structures. This currently produces rather ugly output and doesn't
10097 * Integrated support for PVK file format and some related formats such
10098 as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
10099 these in the 'rsa' and 'dsa' utilities.
10114 pointer and make the SSL_METHOD parameter in SSL_CTX_new,
10115 SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
10125 * Add print and set support for Issuing Distribution Point CRL extension.
10134 -------------
10136 ### Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
10139 update s->server with a new major version number. As of
10140 - OpenSSL 0.9.8m if 'short' is a 16-bit type,
10141 - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
10144 protection is active. ([CVE-2010-0740])
10148 * Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
10153 ### Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
10155 * Always check bn_wexpand() return values for failure. ([CVE-2009-3245])
10179 * Handle TLS versions 2.0 and later properly and correctly use the
10189 This results in significant per-connection memory leaks and
10190 has caused some security issues including CVE-2008-1678 and
10191 CVE-2009-4355.
10201 connect and renegotiate with servers which do not support RI.
10206 * Add "missing" ssl ctrls to clear options and mode.
10210 * If client attempts to renegotiate and doesn't support RI respond with
10213 the alert. Unfortunately OpenSSL mishandled this alert and would hang
10217 and would have no code in place to handle the server denying it so the
10223 peer supports secure renegotiation and 0 otherwise. Print out peer
10228 * Replace the highly broken and deprecated SPKAC certification method with
10233 * Implement RFC5746. Re-enable renegotiation but require the extension
10243 issuing and attempting to decrypt tickets in case it has changed during
10244 servername handling. Use a non-zero length session ID when attempting
10253 CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
10259 * Add --strict-warnings option to Configure script to include devteam
10264 * Add support for --libdir option and LIBDIR variable in makefiles. This
10272 X690 8.9.12 and can produce some misleading textual output of OIDs.
10284 and restored.
10288 * Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
10295 it used to have an ad-hoc builder which was unable to cope with anything
10303 with non-FIPS digests are now usable in FIPS mode.
10312 sequence number made no sense and would be part of another handshake.
10314 buffered. ([CVE-2009-1378])
10323 the size of a buffer and limits the record buffer to 100 entries.
10324 ([CVE-2009-1377])
10328 * Keep a copy of frag->msg_header.frag_len so it can be used after the
10329 parent structure is freed. ([CVE-2009-1379])
10333 * Handle non-blocking I/O properly in SSL_shutdown() call.
10335 *Darryl Miles <darryl-mailinglists@netbauds.net>*
10341 ### Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
10343 * Disable renegotiation completely - this fixes a severe security
10344 problem ([CVE-2009-3555]) at the cost of breaking all
10345 renegotiation. Renegotiation can be re-enabled by setting
10346 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
10347 run-time. This is really not recommended unless you know what
10352 ### Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
10356 zeroing past the valid field. ([CVE-2009-0789])
10362 appear to verify correctly. ([CVE-2009-0591])
10366 * Reject UniversalString and BMPString types with invalid lengths. This
10368 a legal length. ([CVE-2009-0590])
10388 * New -hex option for openssl rand.
10392 * Print out UTF8String and NumericString when parsing ASN1.
10406 ### Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
10408 * Properly check EVP_VerifyFinal() and similar return values
10409 ([CVE-2008-5077]).
10427 * Tweak Configure so that you need to say "experimental-jpake" to enable
10428 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
10433 s_client and s_server.
10445 * Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
10453 ### Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
10456 ChangeCipherSpec as first record ([CVE-2009-1386]).
10460 * Fix a state transition in s3_srvr.c and d1_srvr.c
10466 double-checked locking was incomplete for RSA blinding,
10468 doubly unsafe triple-checked locking.
10477 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
10479 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
10483 - Change bn_nist.c so that it will properly handle input BIGNUMs
10486 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
10491 * Allow engines to be "soft loaded" - i.e. optionally don't die if
10494 *Ben Laurie and the FreeBSD team*
10500 * Fix BN_GF2m_mod_arr() top-bit cleanup code.
10510 * Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
10512 Not compiled unless enable-capieng specified to Configure.
10520 attribute creation routines such as certificate requests and PKCS#12
10525 ### Changes between 0.9.8g and 0.9.8h [28 May 2008]
10529 Codenomicon TLS test suite ([CVE-2008-1672])
10534 a remote crash found by Codenomicon TLS test suite ([CVE-2008-0891])
10547 The OpenSSL project does not recommend any specific CA and does not
10558 the 'db' section contains nothing but zeroes (there is a one-byte
10563 * Partial backport from 0.9.9-dev:
10567 While 0.9.9-dev uses assembler for various architectures, only
10568 x86_64 is available by default here in the 0.9.8 branch, and
10569 32-bit x86 is available through a compile-time setting.
10571 To try the 32-bit x86 assembler implementation, use Configure
10572 option "enable-montasm" (which exists only for this backport).
10574 As "enable-montasm" for 32-bit x86 disclaims code stability
10576 backported from 0.9.9-dev for further performance improvements,
10578 e.g. x86_64, try `-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD`.)
10583 TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
10584 values. This is useful for key rollover for example where several key
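The rollover case that entry mentions, with several ticket keys valid at once, is easiest to see in code. The following Python is an added example for this page, not OpenSSL's implementation: it keeps a small ring of ticket keys, always issues tickets under the current key, and when reading a ticket returns the same status values the library's ticket key callback uses (0: key name unknown or MAC invalid, ignore the ticket and do a full handshake; 1: decrypted with the current key; 2: decrypted with an older key, resume but send a fresh ticket). The class and function names are made up, and an HMAC-SHA256 keystream stands in for the AES cipher that the real callback sets up in the supplied cipher context, so that the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import struct

KEY_NAME_LEN = 16   # the ticket carries a 16-byte key name so the server can pick the key
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256


class TicketKey:
    """One generation of ticket-protection material (example type, not OpenSSL's)."""
    def __init__(self):
        self.name = os.urandom(KEY_NAME_LEN)
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)


def _keystream(key, nonce, length):
    # Stand-in for the AES cipher the real callback configures: HMAC-SHA256 run in
    # counter mode as a keystream.  Example only; use AES in production code.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKeyRing:
    """Current key at index 0; up to `keep` generations are still accepted for decryption."""
    def __init__(self, keep=2):
        self.keep = keep
        self.keys = [TicketKey()]

    def rotate(self):
        """Install a fresh current key and drop generations beyond `keep`."""
        self.keys.insert(0, TicketKey())
        del self.keys[self.keep:]

    def seal(self, session_state):
        """Issue a ticket: name || nonce || ciphertext || HMAC, always under the current key."""
        key = self.keys[0]
        nonce = os.urandom(NONCE_LEN)
        stream = _keystream(key.enc_key, nonce, len(session_state))
        body = key.name + nonce + _xor(session_state, stream)
        return body + hmac.new(key.mac_key, body, hashlib.sha256).digest()

    def open(self, ticket):
        """Return (status, state): 0 = unknown key or bad MAC, 1 = current key, 2 = old key."""
        if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
            return 0, None
        name = ticket[:KEY_NAME_LEN]
        nonce = ticket[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        for index, key in enumerate(self.keys):
            if key.name == name:
                break
        else:
            return 0, None                      # key aged out of the ring: full handshake
        expected = hmac.new(key.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return 0, None                      # tampered or foreign ticket: ignore it
        ciphertext = body[KEY_NAME_LEN + NONCE_LEN:]
        state = _xor(ciphertext, _keystream(key.enc_key, nonce, len(ciphertext)))
        return (1 if index == 0 else 2), state


if __name__ == "__main__":
    ring = TicketKeyRing()
    ticket = ring.seal(b"constructed session state")
    print(ring.open(ticket)[0])   # 1: current key
    ring.rotate()
    print(ring.open(ticket)[0])   # 2: old key still accepted, renew the ticket
    ring.rotate()
    print(ring.open(ticket)[0])   # 0: key aged out, full handshake
```

Rotating on a schedule while keeping the previous generation is what lets clients resume across the rollover without ever seeing a ticket protected by a key that has already been retired; a ticket whose key name is no longer in the ring simply falls back to a full handshake.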
10589 * Reverse ENGINE-internal logic for caching default ENGINE handles.
10594 behaviour and the documentation. With this fix, when an ENGINE is
10596 'uptodate' flag is reset so that auto-discovery will be used next
10612 CMS support is disabled by default and must be explicitly enabled
10613 with the enable-cms configuration option.
10617 * Update the GMP engine glue to do direct copies between BIGNUM and
10618 mpz_t when openssl and GMP use the same limb size. Otherwise the
10623 * Zlib compression BIO. This is a filter BIO which compresses and
10628 * Add AES_wrap_key() and AES_unwrap_key() functions to implement
10634 sets string data without copying. X509_ALGOR_set0() and
10635 X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
10638 once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
10643 * Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
10650 - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
10651 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
10652 - added some more tests to do_tests.pl
10653 - fixed RunningProcess usage so that it works with newer LIBC NDKs too
10654 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
10655 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
10656 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
10657 - various changes to netware.pl to enable gcc-cross builds on Win32
10659 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
10660 - various changes to fix missing prototype warnings
10661 - fixed x86nasm.pl to create correct asm files for NASM COFF output
10662 - added AES, WHIRLPOOL and CPUID assembler code to build files
10663 - added missing AES assembler make rules to mk1mf.pl
10664 - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply
10669 A client can set the appropriate parameters and receive the encoded
10671 and set the encoded OCSP response in the callback. Add simplified examples
10672 to s_client and s_server.
10676 ### Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
10680 + DTLS interoperation with non-compliant servers
10686 ### Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
10692 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
10695 This update even addresses CVE-2007-4995.
10700 (gcc 4.2 and later) reject their use.
10728 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
10741 New CTRL codes and macros (subject to change):
10744 - SSL_CTX_set_tlsext_servername_callback()
10746 - SSL_CTX_set_tlsext_servername_arg()
10747 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
10749 openssl s_client has a new '-servername ...' option.
10751 openssl s_server has new options '-servername_host ...', '-cert2 ...',
10752 '-key2 ...', '-servername_fatal' (subject to change). This allows
10753 testing the HostName extension for a specific single host name ('-cert'
10754 and '-key' remain fallbacks for handshakes without HostName
10756 default is a warning; it becomes fatal with the '-servername_fatal'
10761 * Add AES and SSE2 assembly language support to VC++ build.
10782 * Add the Korean symmetric 128-bit cipher SEED (see
10783 <http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp>) and
10786 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
10787 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
10788 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
10789 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
10793 is configured with 'enable-seed'.
10801 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
10802 and Necessary Software Countermeasures"). The core of the change
10803 are new versions BN_div_no_branch() and
10804 BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
10805 respectively, which are slower, but avoid the security-relevant
10807 and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
10820 constant-time implementations for more than just exponentiation.
10826 BN_BLINDING_new() and to BN_BLINDING_create_param() now
10837 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
10848 authentication-only ciphersuites.
10852 * Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
10853 not complete and could lead to a possible single byte overflow
10854 ([CVE-2007-5135]) [Ben Laurie]
10856 ### Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
10858 * Since AES128 and AES256 (and similarly Camellia128 and
10861 kludge to work properly if AES128 is available and AES256 isn't
10862 (or if Camellia128 is available and Camellia256 isn't).
10888 static variable. This allows them to be cleanly unloaded and reloaded.
10893 * extend SMTP and IMAP protocol emulation in s_client to use EHLO
10896 *Goetz Babin-Ebell*
10898 ### Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
10901 cause a denial of service. ([CVE-2006-2940])
10906 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
10909 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
10912 malicious SSLv2 server. ([CVE-2006-4343])
10914 *Tavis Ormandy and Will Drewry, Google Security Team*
10917 match only those. Before that, "AES256-SHA" would be interpreted
10918 as a pattern and match "AES128-SHA" too (since AES128-SHA got
10922 "RC4-MD5" that intentionally matched multiple ciphersuites --
10927 ciphersuite selects this one ciphersuite, and any other similar
10929 Thus, "RC4-MD5" again will properly select both the SSL 2.0
10930 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
10934 The proper fix will be to use different bits for AES128 and
10939 multiple values to extend the available space.
10943 ### Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
10946 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
10948 * Add AES IGE and biIGE modes.
10956 *Darryl Miles via Richard Levitte and Bodo Moeller*
10961 However, please upgrade to OpenSSL 0.9.9[-dev] for
10962 non-experimental use of the ECC ciphersuites to get TLS extension
10963 support, which is required for curve and point format negotiation
10970 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
10971 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
10972 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
10975 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
10979 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
10980 unofficial, and the ID has long expired.
10985 dual-core machines) and other potential thread-safety issues.
10989 * Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
10990 versions), which is now available for royalty-free use
10996 is configured with 'enable-camellia'.
11001 bug check assumes the first packet is of even length, this is not
11002 necessarily true if compression is enabled and can result in false
11009 ### Changes between 0.9.8a and 0.9.8b [04 May 2006]
11012 cipher suite and only match that one cipher suite if it is.
11020 * Update support for ECC-based TLS ciphersuites according to
11021 draft-ietf-tls-ecc-12.txt with proposed changes (but without
11027 * New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
11032 * Fixes and enhancements to zlib compression code. We now only use
11033 "zlib1.dll" and use the default `__cdecl` calling convention on Win32
11036 Static zlib linking now works on Windows and the new --with-zlib-include
11037 --with-zlib-lib options to Configure can be used to supply the location
11038 of the headers and library. Gracefully handle case where zlib library
11043 * Several fixes and enhancements to the OID generation code. The old code
11045 handle numbers larger than ULONG_MAX, truncated printing and had a
11060 ### Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
11064 countermeasure against man-in-the-middle protocol-version
11066 idea. ([CVE-2005-2969])
11070 Science and Technology [AIST], Japan)*
11072 * Add two functions to clear and return the verify parameter flags.
11081 * Avoid some small subgroup attacks in Diffie-Hellman.
11083 *Nick Mathewson and Ben Laurie*
11085 * Add functions for well-known primes.
11091 *Satoshi Nakamura and Andy Polyakov*
11104 ### Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
11106 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
11109 * Add libcrypto.pc and libssl.pc for those who feel they need them.
11113 * Change CA.sh and CA.pl so they don't bundle the CSR and the private
11118 * Add initial support for Win64, both IA64 and AMD64/x64 flavors.
11122 * Add -utf8 command line and config file option to 'ca'.
11131 * Correct naming of the 'chil' and '4758cca' ENGINEs. This
11132 involves renaming the source and generated shared-libs for
11134 ('ncipher' and '4758_cca' respectively) when binding. NB,
11137 *Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe*
11140 PKCS12_create() to recognize a CSP name attribute and
11141 use it. Make -CSP option work again in pkcs12 utility.
11146 - automatic re-creation of the BN_BLINDING parameters after
11148 - add new function for parameter creation
11149 - introduce flags to control the update behaviour of the
11151 - hide BN_BLINDING structure
11160 *Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie*
11163 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
11167 * Remove buggy and incomplete DH cert support from
11168 ssl/ssl_rsa.c and ssl/s3_both.c
11172 * Use SHA-1 instead of MD5 as the default digest algorithm for
11177 * Compile clean with "-Wall -Wmissing-prototypes
11178 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
11184 The new counterpiece to "no-xxx" is "enable-xxx".
11186 The patented RC5 and MDC2 algorithms will now be disabled unless
11187 "enable-rc5" and "enable-mdc2", respectively, are specified.
11190 is frequently required for interoperability, and there is no license
11191 fee for non-commercial use. As before, "no-idea" can be used to
11197 sponsored by KTH (The Royal Institute of Technology in Stockholm) and
11198 EGEE (Enabling Grids for E-science in Europe).
11203 as Intel P4, IA-64 and AMD64.
11207 * New utility extract-section.pl. This can be used to specify an alternative
11218 * New arguments -certform, -keyform and -pass for s_client and s_server
11219 to allow alternative format key and certificate files and passphrase
11225 update associated structures and add various utility functions.
11229 to support policy checking and print out.
11243 * New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
11245 *Andy Polyakov and a number of other people*
11259 moved from CA.pl to the 'ca' utility with a new option -create_serial.
11264 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
11272 give fewer recursive includes, which could break lazy source code - so
11274 developers should define this symbol when building and using openssl to
11276 backwards-compatible behaviour prevails when this isn't defined.
11284 * Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
11285 This will generate a random key of the appropriate length based on the
11287 routine to support keys of a specific form. This is used in the des and
11289 code to use new functions and hence generate correct parity DES keys.
11312 information can now expand as required, and rather than having a single
11313 static array of bignums, BN_CTX now uses a linked-list of such arrays
11324 * Preliminary support for certificate policy evaluation and checking. This
11330 * bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
11331 remained unused and not that useful. A variety of other little bignum
11332 tweaks and fixes have also been made continuing on from the audit (see
11337 * Constify all or almost all d2i, c2i, s2i and r2i functions, along with
11338 associated ASN1, EVP and SSL functions and old ASN1 macros.
11342 * BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
11343 and this should never fail. So the return value from the use of
11349 * BN_CTX_get() should return zero-valued bignums, providing the same
11360 is considered valid when processing BIGNUMs, and causes execution to
11363 structures to try and expose faulty code further on. For now, openssl will
11365 forms that it has tolerated in the past, but authors and packagers should
11366 consider trying openssl and their own applications when compiled with
11368 their own code, and will improve the test coverage for OpenSSL itself. At
11370 maintainability, though the assert()s and other overheads will remain only
11378 to overwrite an existing structure (and cause memory leaks).
11382 * Because of the callback-based approach for implementing LHASH as a
11383 template type, lh_insert() adds opaque objects to hash-tables and
11386 (and losing the object pointers). So some over-zealous constifications in
11388 objects as "const" and the `lh_doall[_arg]` callback wrappers are not
11390 given (and so aren't required to cast them away any more).
11394 * The tmdiff.h API was so ugly and minimal that our own timing utility
11398 `char *`. This may still change yet if someone realises MS_TM and
11400 aren't necessarily the greatest nomenclatures - but this is what was used
11406 OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
11407 the self-tests were still using deprecated key-generation functions so
11416 digestedData type and add support for this type in PKCS7 initialization
11427 sure the loop does correctly stop and breaking ("division by zero")
11428 modulus operations are not performed. The (pre-generated) prime
11430 re-generated on some platforms because of the "division by zero"
11435 * Update support for ECC-based TLS ciphersuites according to
11436 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
11437 SHA-1 now is only used for "small" curves (where the
11444 * Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
11451 *Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte*
11453 * Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
11463 to certificate and key stores, be they simple file-based stores, or
11464 HSM-type store, or LDAP stores, or...
11465 NOTE: The code is currently UNTESTED and isn't really used anywhere.
11475 * Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
11477 a string. The copy gets NUL-terminated. BUF_memdup() duplicates
11485 searched-for key would be inserted to preserve sorting order.
11506 * Make it possible to create self-signed certificates with 'openssl ca'
11507 in such a way that the self-signed certificate becomes part of the
11508 CA database and uses the same mechanisms for serial number generation
11509 as all other certificate signing. The new flag '-selfsign' enables
11510 this functionality. Adapt CA.sh and CA.pl.in.
11516 request can be signed by that key (self-signing).
11529 * Generate multi-valued AVAs using '+' notation in config files for
11530 req and dirName.
11547 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
11548 and change its own handlers to be NULL so as to remove unnecessary
11567 and the signed data does not need to be all held in memory.
11570 PKCS7_sign() only initializes the PKCS7 structure and the actual signing
11571 is done after the data is output (and digests calculated) in
11576 * Add full support for -rpath/-R, both in shared libraries and
11599 exponentiations with the GMP library. The conversions to and from
11601 cached, and on x86 it appears OpenSSL's own performance has caught up.
11604 specified at Configure time and should be accompanied by the necessary
11606 ./config -DOPENSSL_USE_GMP -lgmp
11611 testing availability of engines with "-t" - the old behaviour is
11612 produced by increasing the feature's verbosity with "-tt".
11618 enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
11623 * Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
11624 and DH_METHOD (eg. by ENGINE implementations) to override the normal
11625 software implementations. For DSA and DH, parameter generation can
11630 * Change the "progress" mechanism used in key-generation and
11633 postfixes and the older functions are reimplemented as wrappers for
11636 migrate to the new functions. Also, the new key-generation API
11637 functions operate on a caller-supplied key-structure and return
11638 success/failure rather than returning a key or NULL - this is to
11643 int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
11652 * cb will point to my_cb; my_arg can be retrieved as cb->arg.
11659 * Change the ZLIB compression method to be stateful, and make it
11661 draft-ietf-tls-compression-04.txt.
11665 * Add the ASN.1 structures and functions for CertificatePair, which
11671 -- at least one of the pair shall be present -- }
11673 Also implement the PEM functions to read and write certificate
11674 pairs, and defined the PEM tag as "CERTIFICATE PAIR".
11688 void BN_set_negative(BIGNUM *a, int neg);
11689 and a macro that behaves like
11690 int BN_is_negative(const BIGNUM *a);
11692 to avoid the need to access 'a->neg' directly in applications.
11696 * Implement fast modular reduction for pseudo-Mersenne primes
11717 the usual use of --prefix and/or --openssldir, and at run
11718 time with the environment variable OPENSSL_ENGINES.
11720 *Geoff Thorpe and Richard Levitte*
11731 * Add new 'medium level' PKCS#12 API. Certificates and keys
11733 files while avoiding the low-level API.
11735 New options to PKCS12_create(), key or cert can be NULL and
11737 algorithm NIDs can be set to -1 for no encryption, the mac
11740 Enhance pkcs12 utility by making the -nokeys and -nocerts
11741 options work when creating a PKCS#12 file. New option -nomac
11744 instead of the low-level API.
11748 * Extend ASN1 encoder to support indefinite length constructed
11749 encoding. This can output sequences tags and octet strings in
11750 this form. Modify pk7_asn1.c to support indefinite length
11751 encoding. This is experimental and needs additional code to
11752 be useful, such as an ASN1 bio and some enhanced streaming
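An indefinite-length constructed OCTET STRING is what that encoder emits for streamed content: a `0x24 0x80` header, a run of definite-length primitive `0x04` chunks, and a `0x00 0x00` end-of-contents marker. The following is an added example, not OpenSSL's ASN.1 code, that encodes data in that form and parses it back, rejecting the cases a careless decoder gets wrong (a chunk length that overruns the buffer, input that ends before the end-of-contents marker, a nested indefinite length). The chunk size and the rejection of nested constructed chunks are choices of this example, not rules of BER.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Writes a definite-form length (short or long form). Returns bytes written, 0 if cap is too small. */
static size_t put_len(uint8_t *out, size_t cap, size_t len) {
    if (len < 0x80) { if (cap < 1) return 0; out[0] = (uint8_t)len; return 1; }
    size_t n = 0, t = len;
    while (t) { n++; t >>= 8; }
    if (cap < 1 + n) return 0;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++) out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* Encodes data as 0x24 0x80 (0x04 <len> <chunk>)* 0x00 0x00, splitting it into
 * primitive chunks of at most `chunk` bytes. Returns bytes written, 0 if out is too small. */
size_t ber_encode_indef_octets(const uint8_t *data, size_t len, size_t chunk,
                               uint8_t *out, size_t cap) {
    size_t pos = 0;
    if (cap < 2 || chunk == 0) return 0;
    out[pos++] = 0x24; out[pos++] = 0x80;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        if (pos + 1 > cap) return 0;
        out[pos++] = 0x04;
        size_t l = put_len(out + pos, cap - pos, n);
        if (l == 0) return 0;
        pos += l;
        if (pos + n > cap) return 0;
        memcpy(out + pos, data + off, n);
        pos += n;
    }
    if (pos + 2 > cap) return 0;
    out[pos++] = 0x00; out[pos++] = 0x00;
    return pos;
}

/* Reads a definite-form length. Returns header size, 0 on malformed input
 * (including 0x80, the indefinite form, which is not a valid chunk length). */
static size_t get_len(const uint8_t *in, size_t avail, size_t *len) {
    if (avail < 1) return 0;
    if (in[0] < 0x80) { *len = in[0]; return 1; }
    size_t n = in[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[1 + i];
    *len = v;
    return 1 + n;
}

/* Decodes either a primitive definite-length OCTET STRING or an indefinite-length
 * constructed one built from primitive chunks. Writes the content to out and
 * returns its length, or -1 on malformed/truncated input or if out is too small.
 * *consumed receives the number of input bytes used. */
long ber_decode_octets(const uint8_t *in, size_t inlen, uint8_t *out, size_t cap, size_t *consumed) {
    if (inlen < 2) return -1;
    if (in[0] == 0x04) {                                   /* primitive, definite length */
        size_t len, h = get_len(in + 1, inlen - 1, &len);
        if (h == 0 || len > inlen - 1 - h || len > cap) return -1;
        memcpy(out, in + 1 + h, len);
        *consumed = 1 + h + len;
        return (long)len;
    }
    if (in[0] != 0x24 || in[1] != 0x80) return -1;        /* only the indefinite constructed form otherwise */
    size_t pos = 2, total = 0;
    for (;;) {
        if (pos + 2 > inlen) return -1;                    /* input ended before end-of-contents */
        if (in[pos] == 0x00 && in[pos + 1] == 0x00) { pos += 2; break; }
        if (in[pos] != 0x04) return -1;                    /* nested constructed chunks rejected here */
        size_t len, h = get_len(in + pos + 1, inlen - pos - 1, &len);
        if (h == 0 || len > inlen - pos - 1 - h) return -1; /* chunk claims more bytes than present */
        if (total + len > cap) return -1;
        memcpy(out + total, in + pos + 1 + h, len);
        total += len;
        pos += 1 + h + len;
    }
    *consumed = pos;
    return (long)total;
}

int main(void) {
    const uint8_t msg[] = "hello world";            /* constructed sample input */
    uint8_t enc[64], dec[64];
    size_t used, n = ber_encode_indef_octets(msg, 11, 4, enc, sizeof enc);
    long got = ber_decode_octets(enc, n, dec, sizeof dec, &used);
    printf("encoded %zu bytes, decoded %ld bytes, truncated input -> %ld\n",
           n, got, ber_decode_octets(enc, n - 2, dec, sizeof dec, &used));
    return 0;
}
```

The decoder checks each chunk length against the bytes actually remaining before copying; that check, and refusing to treat a missing end-of-contents marker as end of data, are the two places a streaming BER parser is most often wrong.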
11760 * Let 'openssl req' fail if an argument to '-newkey' is not
11765 * Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
11769 *Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)*
11773 *Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)*
11791 and WAP/WTLS; add OIDs that were still missing.
11793 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11815 of the EC_GROUP and EC_POINT data structures can be shared
11816 between the implementations for prime fields and binary fields;
11822 An internal 'field_div' method (similar to 'field_mul' and
11825 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11831 and 'ec_wNAF_precomputed_mult') remain the default if these
11834 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11838 length of the modulus.
11840 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11843 (These simply call ..._new and ..._copy).
11845 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11866 field can be given as an 'unsigned int[]' with strictly
11893 The default algorithm simply uses BN_GF2m_mod_inv() and
11898 *Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)*
11901 functionality is disabled at compile-time.
11908 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
11909 mode the content of non-printable OCTET STRINGs is output in a
11915 * Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
11922 - Curves (i.e., groups) are encoded explicitly unless asn1_flag
11924 - Points are encoded in uncompressed form by default; options for
11930 Also add 'seed' and 'seed_len' members to EC_GROUP with access
11950 providing useful interfaces to EC_POINT_point2oct() and
11960 are implemented directly in crypto/ec/ec_lib.c and not dispatched
11967 arithmetic, and such that modified wNAFs are generated
11968 (which avoid length expansion in many cases).
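The wNAF representation those multiplication routines consume can be seen with a short recoding routine. The following is an added example, not OpenSSL's ec_wNAF code: it recodes a 64-bit scalar into standard width-w NAF digits, checks the invariants (odd digits below 2^(w-1) in magnitude, nonzero digits at least w apart) and counts how many point additions a multiplication would need. It produces the plain wNAF, which can be one digit longer than the binary scalar; that extra digit is the length expansion the modified form avoids.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard width-w NAF recoding. Scalars must be below 2^63, w in 2..8,
 * and out must have room for 65 digits. Returns the number of digits. */
size_t wnaf_recode(uint64_t k, unsigned w, int8_t *out) {
    size_t n = 0;
    uint64_t mod = (uint64_t)1 << w;
    while (k != 0) {
        if (k & 1) {
            int64_t d = (int64_t)(k & (mod - 1));            /* k mod 2^w */
            if ((uint64_t)d >= mod / 2) d -= (int64_t)mod;    /* take the signed residue */
            out[n++] = (int8_t)d;
            if (d < 0) k += (uint64_t)(-d); else k -= (uint64_t)d;  /* k - d is divisible by 2^w */
        } else {
            out[n++] = 0;
        }
        k >>= 1;
    }
    return n;
}

/* Sum of d[i] * 2^i, evaluated by Horner's rule: reconstructs the scalar. */
uint64_t wnaf_value(const int8_t *d, size_t n) {
    int64_t v = 0;
    for (size_t i = n; i-- > 0; ) v = 2 * v + d[i];
    return (uint64_t)v;
}

/* Number of nonzero digits: the number of point additions a wNAF
 * multiplication performs on top of the doublings. */
size_t wnaf_nonzero(const int8_t *d, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += d[i] != 0;
    return c;
}

/* Checks the wNAF invariants: every nonzero digit is odd with |d| < 2^(w-1),
 * and nonzero digits are at least w positions apart. */
int wnaf_is_valid(const int8_t *d, size_t n, unsigned w) {
    long last = -(long)w;
    int limit = 1 << (w - 1);
    for (size_t i = 0; i < n; i++) {
        if (d[i] == 0) continue;
        if (!(d[i] & 1) || d[i] >= limit || d[i] <= -limit) return 0;
        if ((long)i - last < (long)w) return 0;
        last = (long)i;
    }
    return 1;
}

int main(void) {
    int8_t digits[65];
    uint64_t k = 0xF0F0F0F0u;                           /* 32-bit scalar with 16 set bits */
    size_t n = wnaf_recode(k, 4, digits);
    printf("%zu digits (scalar has 32 bits), %zu nonzero, valid=%d, value ok=%d\n",
           n, wnaf_nonzero(digits, n), wnaf_is_valid(digits, n, 4), wnaf_value(digits, n) == k);
    return 0;
}
```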
11973 EC_METHOD) that verifies that the curve discriminant is non-zero.
11976 on an EC_GROUP, its generator and order. This includes
11983 Add applications 'openssl ecparam' and 'openssl ecdsa'
11984 (these are based on 'openssl dsaparam' and 'openssl dsa').
11988 - 'openssl req' now has a '-newkey ecdsa:file' option;
11989 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
11990 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
11994 - ECDSA engine support has been added.
11998 * Include some named elliptic curves, and add OIDs from X9.62,
11999 SECG, and WAP/WTLS. Each curve can be obtained from the new
12002 and the list of available named curves can be obtained with
12012 was actually never needed) and in BN_mul(). The removal in BN_mul()
12013 required a small change in bn_mul_part_recursive() and the addition
12014 of the functions bn_cmp_part_words(), bn_sub_part_words() and
12016 bn_sub_words() and bn_add_words() except they take arrays with
12021 ### Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
12030 authentication-only ciphersuites.
12034 * Since AES128 and AES256 share a single mask bit in the logic of
12036 kludge to work properly if AES128 is available and AES256 isn't.
12067 static variable. This allows them to be cleanly unloaded and reloaded.
12071 ### Changes between 0.9.7k and 0.9.7l [28 Sep 2006]
12074 cause a denial of service. ([CVE-2006-2940])
12079 in a denial of service. ([CVE-2006-2937]) [Steve Henson]
12082 ([CVE-2006-3738]) [Tavis Ormandy and Will Drewry, Google Security Team]
12085 malicious SSLv2 server. ([CVE-2006-4343])
12087 *Tavis Ormandy and Will Drewry, Google Security Team*
12090 ciphersuite selects this one ciphersuite (so that "AES256-SHA"
12091 will no longer include "AES128-SHA"), and any other similar
12093 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
12095 changes from 0.9.8b and 0.9.8d.
12099 ### Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
12102 ([CVE-2006-4339]) [Ben Laurie and Google Security Team]
12108 *Darryl Miles via Richard Levitte and Bodo Moeller*
12112 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
12113 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
12114 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
12117 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
12121 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
12122 unofficial, and the ID has long expired.
12127 dual-core machines) and other potential thread-safety issues.
12131 ### Changes between 0.9.7i and 0.9.7j [04 May 2006]
12133 * Adapt fipsld and the build system to link against the validated FIPS
12142 * Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
12149 ### Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
12154 safely run with a non-FIPSed libcrypto, as it may crash because of
12159 ### Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
12163 countermeasure against man-in-the-middle protocol-version
12165 idea. ([CVE-2005-2969])
12169 Science and Technology [AIST, Japan)]*
12171 * Minimal support for X9.31 signatures and PSS padding modes. This is
12172 mainly for FIPS compliance and not fully integrated at this stage.
12177 the exponentiation using a fixed-length exponent. (Otherwise,
12184 * Make a new fixed-window mod_exp implementation the default for
12185 RSA, DSA, and DH private-key operations so that the sequence of
12186 squares and multiplies and the memory access pattern are
12188 cache-timing and potential related attacks.
12191 and this is automatically used by BN_mod_exp_mont() if the new flag
12192 BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
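Why a fixed-window exponentiation closes the side channel is easiest to see by counting operations. The following is an added illustration, not OpenSSL's BN_mod_exp_mont code: it runs a plain left-to-right square-and-multiply next to a 4-bit fixed-window exponentiation on 64-bit integers (with `__uint128_t` products, so a gcc/clang extension, and moduli below 2^63) and records how many squarings and multiplies each performs. Real code works on multi-limb BIGNUMs in Montgomery form; only the shape of the operation sequence and the table access pattern are the point here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    unsigned long squarings;
    unsigned long multiplies;
} op_count;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((__uint128_t)a * b) % m);
}

/* Left-to-right square-and-multiply: one squaring per bit but a multiply
 * only for set bits, so timing and branch pattern reveal the exponent. */
uint64_t modexp_naive(uint64_t base, uint64_t exp, uint64_t m, op_count *c) {
    uint64_t r = 1 % m;
    base %= m;
    for (int i = 63; i >= 0; i--) {
        r = mulmod(r, r, m); c->squarings++;
        if ((exp >> i) & 1) { r = mulmod(r, base, m); c->multiplies++; }
    }
    return r;
}

/* Reads table[idx] by touching every entry and keeping the wanted one under a
 * mask, so the memory access pattern does not depend on idx (cache timing). */
static uint64_t ct_table_get(const uint64_t *table, size_t n, size_t idx) {
    uint64_t out = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t diff = (uint64_t)i ^ (uint64_t)idx;
        uint64_t mask = ((diff | ((uint64_t)0 - diff)) >> 63) - 1;   /* all ones iff diff == 0 */
        out |= table[i] & mask;
    }
    return out;
}

#define WINDOW 4
#define TABLE_SIZE (1u << WINDOW)

/* Fixed-window exponentiation: each window does exactly WINDOW squarings and
 * one multiply (by table[0] == 1 when the window is zero), so the operation
 * sequence is identical for every 64-bit exponent. */
uint64_t modexp_fixed_window(uint64_t base, uint64_t exp, uint64_t m, op_count *c) {
    uint64_t table[TABLE_SIZE];
    uint64_t r = 1 % m;
    base %= m;
    table[0] = 1 % m;
    for (size_t i = 1; i < TABLE_SIZE; i++) table[i] = mulmod(table[i - 1], base, m);
    for (int bit = 64 - WINDOW; bit >= 0; bit -= WINDOW) {
        for (int s = 0; s < WINDOW; s++) { r = mulmod(r, r, m); c->squarings++; }
        size_t win = (size_t)((exp >> bit) & (TABLE_SIZE - 1));
        r = mulmod(r, ct_table_get(table, TABLE_SIZE, win), m); c->multiplies++;
    }
    return r;
}

int main(void) {
    op_count a = {0, 0}, b = {0, 0};
    printf("naive:  4^13 mod 497 = %llu (%lu squarings, %lu multiplies)\n",
           (unsigned long long)modexp_naive(4, 13, 497, &a), a.squarings, a.multiplies);
    printf("fixed:  4^13 mod 497 = %llu (%lu squarings, %lu multiplies)\n",
           (unsigned long long)modexp_fixed_window(4, 13, 497, &b), b.squarings, b.multiplies);
    return 0;
}
```

The naive routine's multiply count equals the Hamming weight of the exponent; the fixed-window routine performs 64 squarings and 16 multiplies no matter which exponent it is given, and never indexes the table with a secret-derived address.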
12199 * Change the client implementation for SSLv23_method() and
12207 * Add support for smime-type MIME parameter in S/MIME messages which some
12213 a threadsafe manner. Modify rsa code to use new function and add calls
12214 to dsa and dh code (which had race conditions before).
12224 ### Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
12226 [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
12230 the 'length' field is signed on one version and unsigned on another
12244 they must be explicitly allowed in run-time. See
12249 ### Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
12251 * Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
12252 server and client random values. Previously
12253 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
12258 1. Server and client random values still have 24 bytes of pseudo random
12261 2. Server and client random values are sent in the clear in the initial
12265 size for static RSA ciphersuites) as well as client and server random
12266 values.
12286 * Back-port of selected performance improvements from development
12292 failure and freeing up memory if a failure occurs.
12296 * Add new -passin argument to dgst.
12301 this is needed for some certificates that re-encode DNs into UTF8Strings
12302 (in violation of RFC3280) and can't or won't issue name rollover
12312 - if there is an unhandled critical extension (unless the user
12314 - if the path length has been exceeded (if one is set at all)
12315 - that certain extensions fit the associated purpose (if one has
12320 ### Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
12324 entries during signature checking and serial number lookup. Now the
12325 encoding is cached and the serial number sort performed under a lock.
12338 * Reduce the chances of duplicate issuer name and serial numbers (in
12342 certificate is created using 'openssl req -x509'. The initial serial
12343 number file is created using 'openssl x509 -next_serial' in CA.pl
12348 ### Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
12350 * Fix null-pointer assignment in do_change_cipher_spec() revealed
12351 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
12356 ([CVE-2004-0112])
12379 A clarification of RFC2560 will require the use of OCTET STRINGs and
12381 copies and compares OCSP nonces as opaque blobs without any attempt at
12388 this HMAC (and other) operations are several times slower than OpenSSL
12393 * Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
12401 ### Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
12406 invalid tags (CVE-2003-0543 and CVE-2003-0544).
12408 Free up ASN1_TYPE correctly if ANY type is invalid ([CVE-2003-0545]).
12415 * New -ignore_err option in ocsp application to stop the server
12421 if the server requested one: as stated in TLS 1.0 and SSL 3.0
12442 * Various fixes to base64 BIO and non blocking I/O. On write
12444 data was not being buffered properly and had various logic bugs.
12450 * Various S/MIME bugfixes and compatibility changes:
12459 ### Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
12461 * Countermeasure against the Klima-Pokorny-Rosa extension of
12471 They would be ill-advised to do so in most cases.
12477 an unpredictable seed -- if it is not unpredictable, there
12478 is no point in blinding anyway). Make RSA blinding thread-safe
12479 by remembering the creator's thread ID in rsa->blinding and
12480 having all other threads use local one-time blinding factors
12481 (this requires more computation than sharing rsa->blinding, but
12482 avoids excessive locking; and if an RSA object is not shared
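The blinding the entry describes works like this. The following is an added example, not OpenSSL's rsa_blinding code, on a textbook toy key (n = 3233, e = 17, d = 2753): the private exponentiation is applied to m * r^e instead of to the attacker-chosen m, and r is removed from the result afterwards, so the timing of the exponentiation no longer depends on a value the attacker controls. The blinding factor is passed in so the example is deterministic; real code draws it from a CSPRNG, which is exactly the unpredictable seed the entry insists on. Arithmetic uses `__uint128_t` products (gcc/clang), with n below 2^62.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t n, e, d; } toy_rsa;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((__uint128_t)a * b) % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1) { if (e & 1) r = mulmod(r, b, m); b = mulmod(b, b, m); }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b) {
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* a^-1 mod m by extended Euclid; requires gcd(a, m) == 1 and m < 2^62. */
static uint64_t invmod(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Plain private-key operation: the exponentiation's timing depends on m. */
uint64_t rsa_private_plain(const toy_rsa *k, uint64_t m) {
    return powmod(m, k->d, k->n);
}

/* Blinded private-key operation. r must be uniformly random, unpredictable
 * (a CSPRNG in real code) and coprime to n. On success sets *ok = 1 and, if
 * asked, reports the value the exponentiation actually saw; an unusable r
 * gives *ok = 0 and returns 0. */
uint64_t rsa_private_blinded(const toy_rsa *k, uint64_t m, uint64_t r,
                             uint64_t *blinded_input, int *ok) {
    if (r == 0 || r >= k->n || gcd64(r, k->n) != 1) { *ok = 0; return 0; }
    uint64_t re   = powmod(r, k->e, k->n);      /* r^e mod n */
    uint64_t rinv = invmod(r, k->n);            /* r^-1 mod n: (r^e)^d == r, so this unblinds */
    uint64_t mb   = mulmod(m, re, k->n);        /* m' = m * r^e, what the timing now depends on */
    uint64_t sb   = powmod(mb, k->d, k->n);     /* s' = m'^d = m^d * r */
    if (blinded_input) *blinded_input = mb;
    *ok = 1;
    return mulmod(sb, rinv, k->n);              /* s = s' * r^-1 = m^d */
}

int main(void) {
    toy_rsa k = { 3233, 17, 2753 };             /* p = 61, q = 53: toy key, constructed for the example */
    uint64_t mb;
    int ok;
    uint64_t s = rsa_private_blinded(&k, 65, 7, &mb, &ok);
    printf("exponentiated %llu instead of 65; signature %llu; equals plain: %d\n",
           (unsigned long long)mb, (unsigned long long)s, s == rsa_private_plain(&k, 65));
    return 0;
}
```

Sharing one (r, r^-1) pair across threads, as the entry notes, forces either a lock around its update or the per-thread one-time factors OpenSSL chose; a factor reused without re-randomising across many operations weakens the countermeasure.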
12499 ### Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
12505 between bad padding and a MAC verification error. ([CVE-2003-0078])
12508 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
12511 * Make the no-err option work as intended. The intention with no-err
12513 libcrypto, it's only intended to remove all the function name and
12519 used by default when no-err is given.
12532 *Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte*
12547 present and it might also want a means of sending no additional
12548 certificates (for example the chain has two certificates and the
12564 enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
12579 * IA-32 assembler support enhancements: unified ELF targets, support
12585 FreeBSD on non-x86 processors is separate from x86 processors on
12590 ### Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
12592 [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
12596 code (06) was taken as the first octet of the session ID and the last
12599 client and server.
12606 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
12634 warnings and a request that patches get sent to openssl-dev.
12638 * Add the VC-CE target, introduce the WINCE sysname, and add
12639 INSTALL.WCE and appropriate conditionals to make it build.
12643 * Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
12644 cygssl-x.y.z.dll, where x, y and z are the major, minor and
12647 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
12649 * Introduce safe string copy and catenation functions
12650 (BUF_strlcpy() and BUF_strlcat()).
12652 *Ben Laurie (CHATS) and Richard Levitte*
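The contract those two functions follow is the one that makes fixed-size buffers safe to use: always NUL-terminate, never write past the buffer, and report the length the result would have had so the caller can detect truncation. The following is an added example, not OpenSSL's BUF_strlcpy()/BUF_strlcat() implementation, that re-implements that contract and uses it to build a one-line DN into a caller-supplied buffer; the `build_dn` helper and its "CN=...,O=..." layout are constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Copies src into dst[size]; always terminates when size > 0, never writes
 * past dst[size - 1]. Returns strlen(src), so >= size means truncation. */
size_t safe_strlcpy(char *dst, const char *src, size_t size) {
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Appends src to the string in dst[size]. Returns the length the full
 * concatenation would have had, so >= size means truncation. */
size_t safe_strlcat(char *dst, const char *src, size_t size) {
    size_t dstlen = 0;
    /* dst may not be terminated within size bytes: scan no further than that */
    while (dstlen < size && dst[dstlen] != '\0') dstlen++;
    if (dstlen == size)                 /* no terminator inside the buffer: write nothing */
        return size + strlen(src);
    return dstlen + safe_strlcpy(dst + dstlen, src, size - dstlen);
}

/* Assembles "CN=<cn>,O=<org>" into out[outsz]. Returns 1 if the whole DN fit,
 * 0 if it was truncated; out is a valid NUL-terminated string either way. */
int build_dn(char *out, size_t outsz, const char *cn, const char *org) {
    int fit = 1;
    if (safe_strlcpy(out, "CN=", outsz)  >= outsz) fit = 0;
    if (safe_strlcat(out, cn, outsz)     >= outsz) fit = 0;
    if (safe_strlcat(out, ",O=", outsz)  >= outsz) fit = 0;
    if (safe_strlcat(out, org, outsz)    >= outsz) fit = 0;
    return fit;
}

int main(void) {
    char dn[16];
    int fit = build_dn(dn, sizeof dn, "alice", "ACME");
    printf("%s (fit=%d)\n", dn, fit);
    fit = build_dn(dn, 8, "alice", "ACME");          /* deliberately too small */
    printf("%s (fit=%d)\n", dn, fit);
    return 0;
}
```

The second call shows the property that matters: with an 8-byte buffer the DN is cut to "CN=alic", nothing is written beyond byte 7, and the return value tells the caller to fail or grow the buffer rather than proceed with a silently mangled name.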
12654 * Avoid using fixed-size buffers for one-line DNs.
12659 resizing buffers containing secrets, and use where appropriate.
12695 resizing buffers containing secrets, and use where appropriate.
12713 * Add assertions to prevent user-supplied crypto functions from
12727 * Eliminate unused and incorrectly sized buffers for IV in pem.h.
12731 * Fix off-by-one error in EGD path.
12739 * Eliminate unused and incorrectly sized X.509 structure
12744 * Eliminate unused and dangerous function knumber().
12748 * Eliminate unused and dangerous structure, KSSL_ERR.
12752 * Protect against overlong session ID context length in an encoded
12761 Remote buffer overflow in SSL3 protocol - an attacker could
12762 supply an oversized master key in Kerberos-enabled versions.
12763 ([CVE-2002-0657])
12771 * Make -nameopt work fully for req and add -reqopt switch.
12773 *Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson*
12775 * The "block size" for block ciphers in CFB and OFB mode should be 1.
12785 * Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
12787 which may be activated as a side-effect of selecting a single cipher.
12795 * Add appropriate support for separate platform-dependent build
12796 directories. The recommended way to make a platform-dependent
12801 # this example, the environment variable OPENSSL_SOURCE
12803 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
12804 cd objtree/"`uname -s`-`uname -r`-`uname -m`"
12805 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
12806 mkdir -p `dirname $F`
12807 ln -s $OPENSSL_SOURCE/$F $F
12819 data when a later ENGINE operation tries to use the stored values.
12821 *Götz Babin-Ebell <babinebell@trustcenter.de>*
12823 * Improve diagnostics in file reading and command-line digests.
12825 *Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>*
12827 * Add AES modes CFB and OFB to the object database. Correct an
12828 error in AES-CFB decryption.
12835 BIOs and some applications. This has the side effect that
12841 * Check the values of dna and dnb in bn_mul_recursive before calling
12843 n2 elements) and fallback to bn_mul_normal if either is not zero.
12847 * Fix escaping of non-ASCII characters when using the -subj option
12858 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
12862 * Add an "init" command to the ENGINE config module and auto initialize
12866 on the uninitialized ENGINE and after on the initialized one). If
12871 * Fix the 'app_verify_callback' interface so that the user-defined
12875 int (*cb)()
12877 int (*cb)(X509_STORE_CTX *,void *);
12879 i=s->ctx->app_verify_callback(&ctx)
12881 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
12892 * Add an OPENSSL_LOAD_CONF define which will cause
12895 OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
12897 load the config file and OPENSSL_add_all_algorithms_conf() which will
12902 * Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
12903 Adjust NIDs and EVP layer.
12905 *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
12913 In the case of ca and req the config file used is
12914 the same as the utility itself: that is the -config
12927 and move code to CONF_modules_load_file().
12933 The support was copied from 0.9.6c [engine] and adapted/corrected
12936 *AEP Inc. and Richard Levitte*
12940 The support was copied from 0.9.6c [engine] and adapted
12945 * Make the CHIL engine fork-safe (as defined by nCipher) and actually
12948 *Toomas Kiisk <vix@cyber.ee> and Richard Levitte*
12954 * Add the configuration target debug-linux-ppro.
12956 implemented in `apps.c`, and make those routines able to
12957 handle the key format FORMAT_NETSCAPE and the variant
12962 * Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
12966 * Add -keyform to rsautl, and document -engine.
13005 symmetric ciphers, and behave the same way. Move everything to
13008 *Stephen Sprunk <stephen@sprunk.org> and Richard Levitte*
13012 *Ben Laurie and Theo de Raadt*
13019 (up to about 10% better than before for P-192 and P-224).
13032 void cb(int write_p, int version, int content_type,
13042 'buf' and 'len' point to the actual message, 'ssl' to the
13043 SSL object, and 'arg' is the application-defined value set by
13046 'openssl s_client' and 'openssl s_server' have new '-msg' options
13052 soon as the corresponding static library is finished, and thereby get
13053 openssl and the test programs linked against the shared library.
13057 NOTE: shared library support is still an experimental thing, and
13060 *"Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte*
13072 * New command line and configuration option 'utf8' for the req command.
13073 This allows field values to be specified as UTF8 strings.
13077 * Add -multi and -mr options to "openssl speed" - giving multiple parallel
13078 runs for the former and machine-readable output for the latter.
13082 * Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
13083 of the e-mail address in the DN (i.e., it will go into a certificate
13102 There are also macros that enable and disable the support of old
13104 and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
13113 time in the future, des_old.h and the libdes compatibility functions
13115 default), and then completely removed.
13134 * Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
13136 not have to be initialized before the call to EVP_DigestInit() and
13140 initialized valid and new function EVP_MD_CTX_copy_ex() added which
13144 EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
13148 * Change ssl3_get_message (ssl/s3_both.c) and the functions using it
13150 instead of overwriting 'msg_type' and 'length' with 'body' data.
13162 support for symmetric ciphers and digest implementations - so ENGINEs
13163 can now accelerate these by providing EVP_CIPHER and EVP_MD
13167 API changes worth noting - some RSA, DSA, DH, and RAND functions that
13169 reverted back - the hooking from this code to ENGINE is now a good
13170 deal more passive and at run-time, operations deal directly with
13173 functions dealing with `BN_MOD_EXP[_CRT]` handlers have been removed -
13175 BIGNUM_METHOD and they could not be generalised to the new
13187 and make sure the automatically generated functions `ERR_load_*`
13194 or HelloRequest/ClientHello received from the peer) and becomes
13214 * Add some demos for certificate and certificate request creation.
13224 * Add support for shared libraries for Unixware-7
13232 functions to "get" and "set" this destroy handler in an ENGINE.
13236 * Alter all existing ENGINE implementations (except "openssl" and
13238 makes them more flexible to be built both as statically-linked ENGINEs
13239 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
13240 Also, add stub code to each that makes building them as self-contained
13241 shared-libraries easier (see [README-Engine.md](README-Engine.md)).
13247 self-contained shared-libraries. The "dynamic" ENGINE exposes control
13248 commands that can be used to configure what shared-library to load and
13250 the [README-Engine.md](README-Engine.md) file
13251 that brings its information up-to-date and
13252 provides some information and instructions on the "dynamic" ENGINE
13253 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
13271 * Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
13275 is only going to provide a single chunk of data, and hence the
13281 functions. This change also alters the storage and management of global
13282 ex_data state - it's now all inside ex_data.c and all "class" code (eg.
13283 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
13286 and counter, and there is now an API function to dynamically create new
13288 thread-safety problems that existed, and (b) makes it possible to clean
13290 such data would previously have always leaked in application code and
13303 global state (2 LHASH tables and 2 locks) is only used by the "default"
13304 implementation. This change also adds two functions to "get" and "set"
13307 pass the return value to a module it has just loaded, and that module
13309 module's "ERR" operations will use (and modify) the error state in the
13310 application and not in its own statically linked copy of OpenSSL code.
13314 * Give DH, DSA, and RSA types their own `*_up_ref()` function to increment
13316 the operation, and provides a more encapsulated way for external code
13317 (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
13334 X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
13345 for their choice and can explicitly enable this option.
13383 ASN1 code. Grouping together similar functions and splitting unrelated
13392 * Change historical references to `{NID,SN,LN}_des_ede` and ede3 to add the
13414 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
13415 and authenticator structs; see crypto/krb5/.
13421 * Cause 'openssl speed' to use fully hard-coded DSA keys as it
13423 values for each of the key sizes rather than having just
13424 parameters (and 'speed' generating keys each time).
13432 s-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
13433 s-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
13434 s-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
13436 s-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
13437 s-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
13438 s-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
13441 s-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
13443 s-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
13447 * Added the OS2-EMX target.
13449 *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*
13462 and with possibilities to have yes/no kind of prompts.
13466 * Change all calls to low-level digest routines in the library and
13467 applications to use EVP. Add missing calls to HMAC_cleanup() and
13477 Adapt the nCipher code for these new conditions and add a card insertion
13483 dialog box interfaces, application-defined prompts, the possibility
13485 and interrupts/cancellations.
13490 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
13528 * New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
13529 setting of purpose and trust fields. New X509_STORE trust and
13530 purpose functions and tidy up setting in other SSL functions.
13534 * Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
13537 X509_STORE structure (such as flags for CRL checking and custom
13541 Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
13543 purposes and trust (in S/MIME for example) to override any set by default.
13545 Add command line options for CRL checking to smime, s_client and s_server
13551 are set then the CRL is looked up in the X509_STORE structure and
13552 its validity and signature checked, then if the certificate is found
13561 by subject name) and ultimately more complete V2 CRL extension
13567 to replace things like des_read_password and friends (backward
13571 a window system and the like.
13576 per-structure level rather than having to store it globally.
13586 this case have no functional references and the return value is the single
13588 by ENGINE_by_id() normally, when it is incremented on the pre-existing
13593 * Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
13600 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
13602 - executing control commands from command line arguments using the
13603 '-pre' and '-post' switches. '-post' is only used if '-t' is
13604 specified and the ENGINE is successfully initialised. The syntax for
13605 the individual commands is colon-separated, for example:
13606 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
13612 and input types for run-time discovery by calling applications. A
13614 depending on their input type, and only these can be invoked through
13615 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
13618 result and can only support numeric or string input, whereas some
13623 unambiguously defined by ENGINEs and used consistently across any
13624 OpenSSL-based application. Commands have been added to all the
13625 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
13626 control over shared-library paths without source code alterations.
13640 should already have non-const pointers to it (ie. they should only
13646 - "atalla" and "ubsec" string definitions were moved from header files
13648 rather than hard-coded - allowing parameterisation of these values
13650 - Removed unused "#if 0"'d code.
13651 - Fixed engine list iteration code so it uses ENGINE_free() to release
13653 - Constified the RAND_METHOD element of ENGINE structures.
13654 - Constified various get/set functions as appropriate and added
13655 missing functions (including a catch-all ENGINE_cpy that duplicates
13656 all ENGINE values onto a new ENGINE except reference counts/state).
13657 - Removed NULL parameter checks in get/set functions. Setting a method
13660 and doesn't justify the extra error symbols and code.
13661 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
13663 - Changed prototypes for ENGINE handler functions (init(), finish(),
13664 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
13670 used only if the modulus is odd. On 32-bit systems, it is faster
13671 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
13672 roughly 5-15% for 256-bit moduli), so we use it only for moduli
13673 up to 450 bits. In 64-bit environments, the binary algorithm
13689 * Allow multiple 'certopt' and 'nameopt' options to be separated
13690 by commas. Add 'nameopt' and 'certopt' options to the 'ca' config
13693 or excluded and extension details. The old system didn't display
13695 and couldn't display additional details such as extensions.
13713 EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
13714 operations and provides various method functions that can also
13720 *Bodo Moeller; point addition and point doubling
13722 Lenka Fibikova <fibikova@exp-math.uni-essen.de>*
13738 * Add the -HTTP option to s_server. It is similar to -WWW, but requires
13743 * Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
13744 change the def and num file printf format specifier from "%-40sXXX"
13745 to "%-39s XXX". The latter will always guarantee a space after the
13751 * Constify the cipher and digest 'method' functions and structures
13752 and modify related functions to take constant EVP_MD and EVP_CIPHER
13762 * Modify `EVP_Digest*()` routines so they now return values. Although the
13768 * Clean up crypto/err/err.h and change some error codes to avoid conflicts:
13770 Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
13792 * New option '-subj arg' for 'openssl req' and 'openssl ca'. This
13796 and
13799 Add options '-batch' and '-verbose' to 'openssl req'.
13810 To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
13813 OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
13816 To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
13817 and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
13819 OPENSSL_DECLARE_GLOBAL(int,foo);
13824 The #defines are very important, and therefore so is including the
13831 better and easier to understand logic to choose which symbols should
13832 go into the Windows .def files as well as a number of fixes and code
13840 and produce the wrong result if 'num' is negative: this caused
13841 problems with BN_mod() and BN_nnmod().
13846 OCSP request and verifies the signer certificate. The signer
13847 certificate is just checked for a generic purpose and OCSP request
13853 responses. OCSP responses are prepared in real time and may only
13855 between thisUpdate and nextUpdate max reject otherwise valid responses
13857 we allow thisUpdate and nextUpdate to fall within a certain period of
13859 checked. Two new options -validity_period and -status_age added to
13869 * Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
13892 the arbitrary values chosen for use as session IDs, particularly as it
13893 can be useful for session caching in multiple-server environments. A
13894 command-line switch for testing this (and any client code that wishes
13899 * Modify mkdef.pl to recognise and parse preprocessor conditionals
13900 of the form `#if defined(...) || defined(...) || ...` and
13908 with `OPENSSL_` to avoid conflicts with other packages and by making
13909 sure e_os2.h will cover all platform-specific cases together with
13911 Additionally, it is now possible to define configuration/platform-
13915 from `OPENSSL_SYSNAME_*` or compiler-specific macros depending on
13920 * New option -set_serial to 'req' and 'x509' this allows the serial
13922 signed certificates were hard coded with serial number 0 and the
13929 Currently CRL reason, invalidity date and hold instruction are
13930 supported. Add new CRL extensions to V3 code and some new objects.
13937 not padded in any way and so the total length must be a multiple
13947 port and path components: primarily to parse OCSP URLs. New -url
13958 the request is nonce-less.
13964 e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.
13968 * Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
13975 the client's preferred ciphersuites and rather use its own preferences.
13983 to aes and add a new 'exist' option to print out symbols that don't
13988 * Additional options to ocsp utility to allow flags to be set and
13993 * Add the option -VAfile to 'openssl ocsp', so the user can give the
13999 * Update Rijndael code to version 3.0 and change EVP AES ciphers to
14006 not enabled by default and were not part of the "ALL" ciphersuite
14010 alias is called "AES" and is part of "ALL".)
14020 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
14022 creates a response and optionally adds a basic response structure.
14024 response and returns the OCSP_SINGLERESP structure just added (to allow
14026 certificate to a basic response and OCSP_basic_sign() signs a basic
14028 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
14046 response then it is assumed to be valid and is not verified.
14052 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
14056 * Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
14058 Fix leaks in PKCS12 and PKCS7 routines.
14065 is initialised to -1 but X509_time_adj() now has to check the value
14066 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
14072 result in a zero length in the ASN1_INTEGER structure which was
14074 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
14075 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
14081 convert status values to strings have been renamed to:
14082 OCSP_response_status_str(), OCSP_cert_status_str() and
14083 OCSP_crl_reason_str() and are no longer static. New options
14084 to verify nonce values and to disable verification. OCSP response
14095 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
14101 and related routines. This uses the standard OpenSSL certificate
14102 verify routines to perform initial checks (just CA validity) and
14111 * New '-extfile ...' option to 'openssl ca' for reading X.509v3
14114 the '-extensions ...' option may be used for specifying the
14120 read. The request can be sent to a responder and the output
14127 `openssl ca -status <serial>` prints the status of the cert with
14129 `openssl ca -updatedb` updates the expiry status of certificates
14134 * New '-newreq-nodes' command option to CA.pl. This is like
14135 '-newreq', but calls 'openssl req' with the '-nodes' option
14146 certificate and verifies the signature on the response.
14150 * New SSLeay_version code SSLEAY_DIR to determine the compiled-in
14151 value of OPENSSLDIR. This is available via the new '-d' option
14152 to 'openssl version', and is also included in 'openssl version -a'.
14157 file name and line number information in additional arguments
14158 (a `const char*` and an int). The basic functionality remains, as
14160 realloc() and free() by functions that do not know about these
14161 additional arguments. To register and find out the current
14170 These work the same way as CRYPTO_set_mem_functions and friends.
14179 There should no longer be any prototype-casting required when using
14180 the LHASH abstraction, and any casts that remain are "bugs". See
14181 the callback types and macros at the head of lhash.h for details
14182 (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
14190 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
14199 (select timeout) and read in non-blocking mode. DEVRANDOM now
14204 For VMS, there's a currently-empty rand_vms.c.
14210 to issue a request to an OCSP responder and analyse the
14217 from response. OCSP_resp_find_status(): finds and extracts status
14225 OCSP_request_add1_nonce() adds a nonce value and optionally
14232 This doesn't copy the supplied OCSP_CERTID and avoids the
14237 is now in OCSP_REQUEST_new() (and the case insensitive name
14246 can be used to send requests and parse the response.
14251 ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
14253 and reorder them to match the encoded order. This resolves a long
14264 * Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
14265 OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
14273 NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
14275 ASN1_ITEM and no wrapper functions.
14279 * New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
14281 the `*_d2i_bio()` and `*_d2i_fp()` functions to use these.
14286 lines, recognize more "algorithms" that can be deselected, and make
14291 * New ASN1 functions to handle dup, sign, verify, digest, pack and
14300 same conventions as certificates and CRLs.
14304 * New function X509V3_add1_i2d(). This automatically encodes and
14307 certificates and CRLs.
14317 * Make mkdef.pl parse some of the ASN1 macros and add appropriate
14323 problems: As the program is single-threaded, all we have
14324 to do is register a locking callback using an array for
14331 ssl_verify_cert_chain() and thus can be called at any time
14332 during TLS/SSL handshakes so that thread-safety is essential.
14334 for multi-threaded use, so it probably should be abolished.
14340 *Broadcom, tweaked and integrated by Geoff Thorpe*
14343 X509V3_print_extensions(). Reorganise OCSP print routines and
14353 * Add a special meaning when SET OF and SEQUENCE OF flags are both
14374 encoder and decoder which interprets an ASN1_ITEM structure describing
14383 so that BN_mod_exp_mont and BN_mod_exp_mont_word work
14388 * Fix BN_uadd and BN_usub: Always return non-negative results instead
14393 * BN_div bugfix: If the result is 0, the sign (res->neg) must not be
14398 * Changed the LHASH code to use prototypes for callbacks, and created
14399 macros to declare and implement thin (optionally static) functions
14400 that provide type-safety and avoid function pointer casting for the
14401 type-specific callbacks.
14410 * Reformat the FAQ so the different questions and answers can be divided
14421 (using the probabilistic Tonelli-Shanks algorithm unless
14425 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14445 * Fix BN_is_word() and BN_is_one() macros to take into account the
14454 BN_is_one(), and BN_is_word().
14468 * Change BN_mod_mul so that the result is always non-negative.
14476 and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
14477 and add new functions:
14490 These functions always generate non-negative results.
14496 `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
14499 *Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
14501 <!--
14507 was actually never needed) and in BN_mul(). The removal in BN_mul()
14508 required a small change in bn_mul_part_recursive() and the addition
14509 of the functions bn_cmp_part_words(), bn_sub_part_words() and
14511 bn_sub_words() and bn_add_words() except they take arrays with
14515 -->
14518 unless the '-salt' option is used (which usually means that
14521 or the new '-noverify' option is used.
14524 non-interactive use of 'openssl passwd' (passwords on the command
14525 line, '-stdin' option, '-in ...' option) and thus should not
14534 * Make DSO load along a path given through an environment variable
14540 Also constify the RSA code and most things related to it. In a
14542 casts back to non-const were required (to be solved at a later
14564 are built-in in OpenSSL shall ever be used or not. The benefit is
14586 * Add engine application. It can currently list engines by name and
14587 identity, and test if they are actually available.
14591 * Improve RPM specification file by forcing symbolic linking and making
14618 * Rework the filename-translation in the DSO code. It is now possible to
14620 depending on the operating environment and any oddities about the
14625 * Support threads on FreeBSD-elf in Configure.
14638 NCONF_get_number_e() is defined (`_e` for "error checking") and is
14661 X509_NAME_print_ex() in 'req' and X509_print_ex() function
14672 ### Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
14674 * Fix null-pointer assignment in do_change_cipher_spec() revealed
14675 by using the Codenomicon TLS Test Tool ([CVE-2004-0079])
14679 ### Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
14684 certain ASN.1 tags ([CVE-2003-0851])
14688 ### Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
14693 invalid tags (CVE-2003-0543 and CVE-2003-0544).
14701 if the server requested one: as stated in TLS 1.0 and SSL 3.0
14717 ### Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
14719 * Countermeasure against the Klima-Pokorny-Rosa extension of
14729 They would be ill-advised to do so in most cases.
14735 an unpredictable seed -- if it is not unpredictable, there
14736 is no point in blinding anyway). Make RSA blinding thread-safe
14737 by remembering the creator's thread ID in rsa->blinding and
14738 having all other threads use local one-time blinding factors
14739 (this requires more computation than sharing rsa->blinding, but
14740 avoids excessive locking; and if an RSA object is not shared
14745 ### Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
14751 between bad padding and a MAC verification error. ([CVE-2003-0078])
14754 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
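The error distinction in that entry is the padding-oracle condition Vaudenay described. As an added illustration (not OpenSSL code), the Python below builds a TLS 1.0-style CBC record (plaintext || MAC || padding) and checks it two ways: the vulnerable path returns as soon as the padding is wrong, before the MAC is computed, so an attacker can tell a padding failure from a MAC failure; the fixed path runs the MAC check regardless and reports one generic failure. The block cipher is a toy HMAC-based Feistel permutation, and the keys, IV and record are constructed inline so that the block runs offline; the function and constant names are this example's own.

```python
import hashlib
import hmac

BLOCK = 16    # toy block size
MAC_LEN = 32  # HMAC-SHA256 tag

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Feistel round function: a keyed PRF over one 8-byte half
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # 4-round Feistel permutation: a stand-in for a real block cipher (assumption of this example)
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def build_record(enc_key, mac_key, iv, msg):
    # TLS 1.0 layout: msg || MAC || padding, every padding byte (incl. the length byte) == pad_len
    body = msg + hmac.new(mac_key, msg, hashlib.sha256).digest()
    pad_len = (-(len(body) + 1)) % BLOCK
    return cbc_encrypt(enc_key, iv, body + bytes([pad_len]) * (pad_len + 1))

def strip_padding(pt):
    if not pt:
        return False, pt
    pad_len = pt[-1]
    if pad_len + 1 > len(pt) or any(b != pad_len for b in pt[-(pad_len + 1):]):
        return False, pt
    return True, pt[:-(pad_len + 1)]

def mac_ok(mac_key, body):
    if len(body) < MAC_LEN:
        return False
    tag = hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(tag, body[-MAC_LEN:])

def check_record_vulnerable(enc_key, mac_key, iv, ct):
    # Bails out on bad padding before the MAC is computed: the two failures differ in
    # alert type and in timing, which is the oracle the entry above removed.
    pad_valid, body = strip_padding(cbc_decrypt(enc_key, iv, ct))
    if not pad_valid:
        return "bad_padding"
    if not mac_ok(mac_key, body):
        return "bad_mac"
    return "ok"

def check_record_fixed(enc_key, mac_key, iv, ct):
    # Treats bad padding as zero-length padding, always runs the MAC check, and reports
    # one generic failure either way.
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_valid, body = strip_padding(pt)
    mac_valid = mac_ok(mac_key, body if pad_valid else pt)
    return "ok" if pad_valid and mac_valid else "bad_record_mac"

# Constructed keys, IV and record for the demonstration (not real traffic).
ENC_KEY = hashlib.sha256(b"constructed enc key").digest()[:16]
MAC_KEY = hashlib.sha256(b"constructed mac key").digest()
IV = bytes(range(BLOCK))
RECORD = build_record(ENC_KEY, MAC_KEY, IV, b"GET / HTTP/1.0")

def tamper_padding(ct):
    # Flip the last byte of the penultimate ciphertext block: the penultimate plaintext
    # block becomes garbage and the final plaintext byte (the pad length, 0x01) becomes
    # 0xFE, so the padding check fails.
    i = len(ct) - BLOCK - 1
    return ct[:i] + bytes([ct[i] ^ 0xFF]) + ct[i + 1:]

def tamper_mac(ct):
    # Flip a byte in the first ciphertext block: padding survives, the MAC does not.
    return bytes([ct[0] ^ 0x01]) + ct[1:]
```

Even the fixed path still leaks a small timing difference, because the MAC is computed over a different length when the padding is bad; that residual channel was exploited a decade later (Lucky 13), and closing it requires a MAC computation whose running time does not depend on the padding length.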
14757 ### Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
14761 place alternating values in each byte. This can be used to solve
14763 compilers, and 2) cleansing with other values than 0, since those can
14769 because the session->cipher setting was not restored when reloading
14777 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
14779 *Zeev Lieber <zeev-l@yahoo.com>*
14782 repeated calls to OpenSSL_add_all_ciphers() and
14794 DN values that are of type PrintableString, as well as RDNs of type
14802 the bitwise-OR of the two for use by the majority of applications
14803 wanting this behaviour, and update the docs. The documented
14804 behaviour and actual behaviour were inconsistent and had been
14805 changing anyway, so this is more a bug-fix than a behavioural
14810 * Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
14811 (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
14827 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
14833 length, instead of the encoding length to d2i_ASN1_OBJECT.
14837 ### Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
14839 * [In 0.9.6g-engine release:]
14844 ### Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
14847 and fix the header length calculation.
14848 *Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
14849 Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson*
14857 ### Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
14860 the ASN1 length bytes if they exceed sizeof(long), will appear
14861 negative or the content length exceeds the length of the
14867 for the cipher strength set and were therefore not handled correctly
14884 implementations is desired (e.g. '-bugs' option to 's_client' and
14893 Research Projects Agency (DARPA) and Air Force Research Laboratory,
14895 F30602-01-2-0537.
14898 the ASN1 length bytes if they exceed sizeof(long), will appear
14899 negative or the content length exceeds the length of the
14900 supplied buffer. ([CVE-2002-0659])
14910 too small for 64 bit platforms. ([CVE-2002-0655])
14911 *Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)*
14913 * Remote buffer overflow in SSL3 protocol - an attacker could
14914 supply an oversized session ID to a client. ([CVE-2002-0656])
14918 * Remote buffer overflow in SSL2 protocol - an attacker could
14919 supply an oversized client master key. ([CVE-2002-0656])
14923 ### Changes between 0.9.6c and 0.9.6d [9 May 2002]
14926 encoded as NULL) with id-dsa-with-sha1.
14930 * Check various `X509_...()` return values in `apps/req.c`.
14935 an end-of-file condition would erroneously be flagged, when the CRLF
14938 BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
14939 <ptsekov@syntrex.com> and Nedelcho Stanev.
14950 * Fix length checks in ssl3_get_client_hello().
14954 * TLS/SSL library bugfix: use s->s3->in_read_app_data differently
14957 processing was enabled when in fact s->s3->in_read_app_data was
14962 * Fix object definitions for Private and Enterprise: they were not
14970 * Fix DH_generate_parameters() so that it works for 'non-standard'
14971 generators, i.e. generators other than 2 and 5. (Previously, the
14972 code did not properly initialise the 'add' and 'rem' values to
14977 a generator of the order-q subgroup is just as good, if not
14982 * Map new X509 verification errors to alerts. Discovered and submitted by
14988 returning non-zero before the data has been completely received
14989 when using non-blocking I/O.
15002 * Add information about CygWin 1.3 and on, and preserve proper
15005 *Corinna Vinschen <vinschen@redhat.com> and Richard Levitte*
15008 check whether we deal with a copy of a session and do not delete from
15025 * [In 0.9.6d-engine release:]
15026 Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
15030 * Add the configuration target linux-s390x.
15032 *Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte*
15036 variable as an indication that a ClientHello message has been
15038 invocations of ssl3_accept when using non-blocking I/O, the
15043 To avoid this problem, we now set s->new_session to 2 instead of
15044 using a local variable.
15048 * Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
15062 type, we must throw them away by setting rr->length to 0.
15066 ### Changes between 0.9.6b and 0.9.6c [21 Dec 2001]
15070 worked incorrectly for those cases where range = `10..._2` and
15080 * Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
15082 Also some ip-pda OIDs in crypto/objects/objects.txt were
15092 * [In 0.9.6c-engine release:]
15093 Fix mutex callback return values in crypto/engine/hw_ncipher.c.
15097 * [In 0.9.6c-engine release:]
15101 *Cryptographic Appliances and Geoff Thorpe*
15105 rearranged (all '-L' options must appear before the first object
15110 * [In 0.9.6c-engine release:]
15116 * [In 0.9.6c-engine release:]
15120 *Baltimore Technologies and Mark Cox*
15122 * [In 0.9.6c-engine release:]
15126 *AEP Inc. and Mark Cox*
15132 * Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
15133 messages are stored in a single piece (fixed-length part and
15134 variable-length part combined) and fix various bugs found on the way.
15154 * Fix SSL handshake functions and SSL_clear() such that SSL_clear()
15155 never resets s->method to s->ctx->method when called from within
15190 * Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
15198 and the extra bytes are just ignored. However ssl/s2_pkt.c
15204 * Add OpenUNIX-8 support including shared libraries
15213 encoding parameters and hence was not vulnerable.
15221 * Rabin-Miller test analyses assume uniformly distributed witnesses,
15243 * Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
15248 * Rework the configuration and shared library support for Tru64 Unix.
15249 The configuration part makes use of modern compiler features and
15252 uses the RPATH feature, and is available through the special
15253 configuration target "alpha-cc-rpath", which will never be selected
15265 * Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
15272 ignored and the verify_callback() set in the SSL_CTX at the time of
15278 * Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
15285 * In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
15286 dh->length and always used
15288 BN_rand_range(priv_key, dh->p).
15290 BN_rand_range() is not necessary for Diffie-Hellman, and this
15291 specific range makes Diffie-Hellman unnecessarily inefficient if
15292 dh->length (recommended exponent length) is much smaller than the
15293 length of dh->p. We could use BN_rand_range() if the order of
15295 dh->length.
15301 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
15319 * In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
15322 variable) is not atomic.
15334 *Albert Chin-A-Young <china@thewrittenword.com>*
15336 * Add configuration option to build on Linux on both big-endian and
15337 little-endian MIPS.
15339 *Ralf Baechle <ralf@uni-koblenz.de>*
15341 * Add the possibility to create shared libraries on HP-UX.
15345 ### Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
15349 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
15352 'md' followed by enough consecutive 1-byte PRNG requests
15363 Markku-Juhani's attack. (Actually it had never occurred
15365 half from which PRNG output bytes were taken -- I had always
15386 * In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
15387 positive and less than q.
15392 used: it isn't thread safe and the add_lock_callback should handle
15398 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
15408 when fixing the server behaviour for backwards-compatible 'client
15410 SSL 3.0 and TLS 1.0 anyway because length and version checking
15412 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
15434 * Fix for blowfish EVP: it's a variable-length cipher.
15439 parameters in DSA public key structures and return an error in the
15460 combination of a flag and a thread ID variable.
15463 the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
15468 * Change bctest again: '-x' expressions are not available in all
15473 ### Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
15479 * Change Configure and Makefiles to provide EXE_EXT, which will contain
15481 scripts that use symlink() to test if it really exists and use "cp"
15482 if it doesn't. All this made OpenSSL compilable and installable in
15487 * Fix for asn1_GetSequence() for indefinite length constructed data.
15488 If the SEQUENCE length is indefinite just set c->slen to the total
15495 * Change bctest to avoid here-documents inside command substitution
15504 and UnixWare.
15508 * Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
15510 Computations, J. Cryptology 14 (2001) 2, 101-119,
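Two RSA hardening measures from these entries, the per-thread blinding described under 0.9.6j and the RSA-CRT result check from the Boneh, DeMillo and Lipton reference just above, in one added Python example (not OpenSSL's implementation). The key is a constructed toy built from two well-known primes; `rsa_crt`, `rsa_private` and `factor_from_faulty_signature` are names of this example, and the `fault_in_p` flag stands in for a hardware glitch. The last function shows what the check prevents: a single faulty CRT output lets anyone holding the public key recover a factor of N with one gcd.

```python
import math
import secrets

# Constructed toy key from two well-known primes; far too small for real use.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                 # q^-1 mod p

def rsa_crt(c, fault_in_p=False):
    """Private operation via CRT (Garner). fault_in_p simulates a glitch in the mod-p half."""
    m1 = pow(c, DP, P)
    m2 = pow(c, DQ, Q)
    if fault_in_p:
        m1 ^= 1
    h = (QINV * (m1 - m2)) % P
    return (m2 + h * Q) % N

def rsa_private(c, fault_in_p=False, check=True):
    """Blinded private operation followed by the Boneh-DeMillo-Lipton consistency check."""
    # Blinding: exponentiate c * r^e for a fresh random r so the timing of the private
    # operation is independent of c (the one-time blinding factor the 0.9.6j entry describes).
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N
    m = (rsa_crt(c_blind, fault_in_p) * pow(r, -1, N)) % N
    # RSA-CRT check: one public exponentiation to confirm m^e == c before releasing m.
    if check and pow(m, E, N) != c:
        raise ValueError("RSA-CRT result failed the public-key check; output suppressed")
    return m

def factor_from_faulty_signature(c, m_bad):
    """The attack the check prevents: with a faulty result m_bad that is still correct
    modulo one prime, gcd(m_bad^e - c, N) is that prime."""
    return math.gcd((pow(m_bad, E, N) - c) % N, N)
```

Blinding and the check are independent: blinding addresses timing leakage across many operations, the check addresses a single corrupted operation, and a faulty blinded result leaks a factor exactly as an unblinded one does, which is why the check is applied after unblinding.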
15523 * Fix PKCS#7 decode routines so they correctly update the length
15537 * Enhance bctest to search for a working bc along $PATH and print
15577 due to incorrect handling of multi-threading:
15585 inband-signalling in the previous code (which relied on the
15590 * Add "-rand" option also to s_client and s_server.
15595 *Kurt Hockenbury <khockenb@stevens-tech.edu> and
15611 * Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
15614 to be set and top=0 forces the highest bit to be set; top=-1 is new
15615 and leaves the highest bit random.
15619 * In the `NCONF_...`-based implementations for `CONF_...` queries
15623 Instead, use NULL for the CONF pointer in CONF_get_string and
15624 CONF_get_number (which may use environment variables) and directly
15633 * Tolerate nonRepudiation as being valid for S/MIME signing and certSign
15638 * Make SMIME_write_PKCS7() write mail header values with a format that
15640 some programs can't parse those values properly otherwise. Also make
15648 and break the signature.
15675 * Fix 'openssl passwd -1'.
15680 terminated strings whose length is passed in the passlen
15682 by adding an extra length parameter to asc2uni().
15686 * Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
15691 * Fix to uni2asc() to cope with zero length Unicode strings.
15696 * Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
15702 * In `RSA_eay_public_{en,ed}crypt` and RSA_eay_mod_exp (rsa_eay.c),
15703 obtain lock CRYPTO_LOCK_RSA before setting `rsa->_method_mod_{n,p,q}`.
15733 avoid potential security hole. (Re-used sessions on the client side
15739 * Fix ssl3_pending: If the record in s->s3->rrec is not of type
15746 Both ssl2_peek and ssl3_peek, which were totally broken in earlier
15747 releases, have been re-implemented by renaming the previous
15748 implementations of ssl2_read and ssl3_read to ssl2_read_internal
15749 and ssl3_read_internal, respectively, and adding 'peek' parameters
15758 the method-specific "init()" handler. Also clean up ex_data after
15759 calling the method-specific "finish()" handler. Previously, this was
15770 the full version number and not just 0. This should mark the
15778 *Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>*
15782 - Make note of the expected extension for the shared libraries and
15787 - Make as few rebuilds of the shared libraries as possible.
15789 - Still avoid linking the OpenSSL programs with the shared libraries.
15791 - When installing, install the shared libraries separately from the
15799 and not in SSL_clear because the latter is also used by the
15815 ### Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
15836 what it is doing and can handle the new informational codes
15845 counterpart and unknown types were just rejected. Changed so that the
15846 tagged and unknown types are handled in the same way as a SEQUENCE:
15855 in a record-oriented fashion. That means that every write() will
15860 text until a linefeed is reached, and then write everything a
15862 not chunks of lines and not (usually doesn't happen, but I've
15866 Currently, it's a VMS-only method, because that's where it has
15874 but it was in 0.9.6-beta[12].)
15880 include zero length content when signing messages.
15898 * Add RPM specification openssl.spec and modify it to build three
15900 documentation and run-time libraries. The devel package contains
15901 include files, static libraries and function documentation. The
15909 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
15924 and s_server that use select() to determine when to use SSL_read;
15935 * Add a few more EBCDIC conditionals that make `req` and `x509`
15940 * Add two demo programs for PKCS12_parse() and PKCS12_create().
15941 Update PKCS12_parse() so it copies the friendlyName and the
15966 and key usage. It also verifies self signed certificates
15973 Authority and subject key identifier are now cached.
15992 and then examining the cache for matches. This is probably
16002 work and makes it possible to use more efficient techniques
16007 The verify_cb() and verify() callbacks now have equivalents
16021 original encoding of the signed data and use it when outputting
16032 In BIO_puts, increment b->num_write as in BIO_write.
16037 BN_zero, we may not return a BIGNUM with an array consisting of
16049 used for low-level RSA operations. DER public key
16054 * New Configure entry and patches for compiling on QNX 4.
16056 *Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>*
16058 * A demo state-machine implementation was sponsored by
16059 Nuron (<http://www.nuron.com/>) and is now available in
16065 generation and verification.
16071 types to be stored as a "blob" and an application can
16072 encode and decode it manually.
16082 length if passed a buffer. ASN1_INTEGER_to_BN failed
16083 if passed a NULL BN and its argument was negative.
16088 length encoding. Since currently the whole structures are in
16089 memory there's no real point in using indefinite length
16095 * Added BIO_vprintf() and BIO_vsnprintf().
16112 and as before, if none of those prefixes are present at the
16125 are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
16126 and are retrieved from there when reconfiguring.
16134 * Add the arguments -CAfile and -CApath to the pkcs12 utility.
16142 names and add quotes on output. It was also omitting some
16145 value as LN and vice versa), these are now added on the
16156 * Fix SSL 2.0 rollback checking: Due to an off-by-one error in
16158 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
16161 In s23_clnt.c, don't use special rollback-attack detection padding
16169 asn1parse'. By implication, the functions ASN1_parse_dump() and
16174 * New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
16175 these print out strings and name structures based on various
16176 flags including RFC2253 support and proper handling of
16183 Also change the functions X509_cmp_current_time() and
16209 default is static libraries only, and the OpenSSL programs
16212 This has been tested on Linux and Tru64.
16227 * New options to smime application. -inform and -outform
16229 PEM and DER. The -content option allows the content to be
16239 * New ASN1 functions, `i2c_*` and `c2i_*` for INTEGER and BIT
16240 STRING types. These convert content octets to and from the
16241 underlying type. The actual tag and length octets are
16242 already assumed to have been read in and checked. These
16248 and ASN1_INTEGER are identical apart from the tag.
16254 - New object identifiers are inserted in objects.txt, following
16256 - objects.pl is used to process obj_mac.num and create a new
16258 - obj_dat.pl is used to create a new obj_dat.h, using the data in
16261 This is currently kind of a hack, and the perl code in objects.pl
16263 to check that it worked correctly is to look in obj_dat.h and
16264 check the array nid_objs and make sure the objects haven't moved
16270 * Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
16274 * Addition of the command line parameter '-rand file' to 'openssl req'.
16277 environment variable, or the default random state file.
16303 which (if any) compilers it chokes on and maybe make DEBUG_SAFESTACK
16305 and PKCS12_STACK_OF.
16316 an -sgckey command line option to the rsa utility. Thanks to
16318 algorithm to openssl-dev.
16328 * New X509_get1_email() and X509_REQ_get1_email() functions that return
16330 in the subject name and the subject alternative name extensions and
16335 * Re-implement BN_mod_exp2_mont using independent (and larger) windows.
16341 (meaning that now 2^5 values will be precomputed, which is only 4 KB
16366 * The type-safe stack code has been rejigged. It is now only compiled
16367 in when OpenSSL is configured with the DEBUG_SAFESTACK option and
16368 by default all type-specific stack functions are "#define"d back to
16370 but retains the type-safety checking possibilities of the original
16375 * The STACK code has been cleaned up, and certain type declarations
16378 map type-safe stack functions onto their plain stack counterparts.
16387 (The PRNG state consists of two parts, the large pool 'state' and 'md',
16391 chaining variable. However, the output function chains only half
16393 all of 'md', and seeding with STATE_SIZE dummy bytes will result
16394 in all of 'state' being rewritten, with the new values depending
16399 * In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
16408 parameters to be set in the EVP interface. Support added for variable
16409 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
16410 setting of RC2 and RC5 parameters.
16412 Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
16417 cipher mode. They also all do nothing if the 'key' parameter is NULL and
16418 for CFB and OFB modes they zero ctx->num.
16422 Most of the routines have the same form and so can be declared in terms
16444 i.e. non-zero for export ciphersuites, zero otherwise.
16456 and so on that are implemented in OpenSSL.
16461 with the same subject name hash and wouldn't handle CRLs at all.
16462 Added -fingerprint option to crl utility, to support new c_rehash
16467 * Eliminate non-ANSI declarations in crypto.h and stack.h.
16480 double NULL a zero length password would end up as just the
16481 double NULL. However no password at all is different and is
16483 treats a blank password as zero length. MSIE treats it as no
16485 the same: PKCS12_parse() tries zero length and no password if
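The password encodings that entry contrasts, as an added Python example (not OpenSSL's PKCS12 code): the BMPString form the PKCS#12 KDF (RFC 7292 appendix B.2) consumes, the KDF itself, and a MAC check that mirrors the tolerant PKCS12_parse() behaviour by trying both the zero-length and the no-password encoding when the caller supplies a blank password. Salt, data and function names are this example's own; None stands for a NULL password.

```python
import hashlib
import hmac

def pkcs12_password_bytes(password):
    """Password as the PKCS#12 KDF consumes it: BMPString (UTF-16BE) plus a terminating
    0x0000. A zero-length password is therefore the two bytes 00 00, while no password
    at all (None here, NULL in PKCS12_parse()) is the empty string. The two are different
    KDF inputs and yield different keys and MACs."""
    if password is None:
        return b""
    return password.encode("utf-16-be") + b"\x00\x00"

def pkcs12_kdf(password, salt, id_byte, iterations, n, hash_name="sha1"):
    """PKCS#12 key derivation (RFC 7292 B.2). id_byte: 1 = key, 2 = IV, 3 = MAC key."""
    u = hashlib.new(hash_name).digest_size   # 20 for SHA-1
    v = hashlib.new(hash_name).block_size    # 64 for SHA-1

    def expand(x):
        # repeat x up to the next multiple of v bytes; an empty input stays empty
        if not x:
            return b""
        total = -(-len(x) // v) * v
        return (x * (-(-total // len(x))))[:total]

    D = bytes([id_byte]) * v
    I = bytearray(expand(salt) + expand(pkcs12_password_bytes(password)))
    out = b""
    for _ in range(-(-n // u)):
        A = D + bytes(I)
        for _ in range(iterations):
            A = hashlib.new(hash_name, A).digest()
        B = int.from_bytes((A * (-(-v // u)))[:v], "big")
        for j in range(0, len(I), v):
            block = (int.from_bytes(I[j:j + v], "big") + B + 1) % (1 << (8 * v))
            I[j:j + v] = block.to_bytes(v, "big")
        out += A
    return out[:n]

def pkcs12_mac(password, salt, iterations, data):
    key = pkcs12_kdf(password, salt, 3, iterations, 20)
    return hmac.new(key, data, hashlib.sha1).digest()

def pkcs12_mac_verify(password, salt, iterations, data, expected, tolerant=True):
    """Mirror of the PKCS12_parse() behaviour described above: given a blank password,
    also try 'no password', since MSIE and Netscape disagreed on which one a blank
    prompt means."""
    candidates = [password]
    if tolerant and password in ("", None):
        candidates = ["", None]
    return any(hmac.compare_digest(pkcs12_mac(p, salt, iterations, data), expected)
               for p in candidates)
```

The tolerant check costs one extra KDF run only for blank passwords and never weakens the MAC: both candidates are fixed, known inputs, so no attacker gains a guess they did not already have.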
16491 * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
16498 it in ERR_remove_state if appropriate, and change ERR_get_state
16504 * Bugfix for linux-elf makefile.one.
16518 that are sufficiently small and have no path information
16551 NCONF_default and NCONF_WIN32 are method (or "class") choosers,
16564 * Add '-tls1' option to 'openssl ciphers', which was already
16571 * Initial DSO code added into libcrypto for letting OpenSSL (and
16572 OpenSSL-based applications) load shared libraries and bind to
16577 ### Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
16579 * Make sure _lrotl and _lrotr are only used with MSVC.
16584 * Rename openssl x509 option '-crlext', which was added in 0.9.5,
16585 to '-clrext' (= clear extensions), as intended and documented.
16589 * Fix for HMAC. It wasn't zeroing the rest of the block if the key length
16603 *Ulf Möller, using the problem description in krb4-0.9.7, where
16612 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
16614 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
16615 the output goes to stdout and nothing is printed to stderr.
16619 the 'no-cipher' compilation switches can be tested this way.
16621 ('openssl no-XXX' is not able to detect pseudo-commands such
16622 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
16626 * Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
16634 to parameters -- in previous versions (since OpenSSL 0.9.3) the
16640 * New s_client option -ign_eof: EOF at stdin is ignored, and
16641 'Q' and 'R' lose their special meanings (quit/renegotiate).
16642 This is part of what -quiet does; unlike -quiet, -ign_eof
16647 * Add compatibility options to the purpose and trust code. The
16652 X509_TRUST_COMPAT is the old trust behaviour: only and
16655 a purpose has no associated trust setting and it should instead
16661 and fix a memory leak.
16667 the default to have only lowercase letters (and digits) in
16675 case where small numbers are errno values, not library numbers.
16679 * Add '-dsaparam' option to 'openssl dhparam' application. This
16685 * Include 'length' (recommended exponent length) in C code generated
16686 by 'openssl dhparam -C'.
16696 * In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
16697 instead of RAND_bytes for encryption IVs and salts.
16712 * New 'rand' application for creating pseudo-random output.
16726 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous*
16732 ### Changes between 0.9.4 and 0.9.5 [28 Feb 2000]
16735 were added manually and by SMIME_crlf_copy().
16749 assembly language builder. If this argument exists and is set
16765 and has to call `..._free`; 'get0' returns a pointer to some
16769 Similarly, 'set1' and 'add1' functions increase reference
16775 the code used to assume it always worked and crashed on failure.
16784 RAND_egd() and RAND_status(). In the command line application,
16786 or -rand.
16795 * Remove the SSL_ALLOW_ADH compile option and set the default cipher
16804 EVP_MD_md(). Change code that uses it and update docs.
16818 sections with information on -D... compiler switches used for
16820 one of these sections, a pre-processor symbol `OPENSSL_..._DEFINES`
16826 *Richard Levitte, Ulf and Bodo Möller*
16828 * Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
16839 * Add some PEM_write_X509_REQ_NEW() functions and a command line
16847 obtained from various sources. Delete the PEM_cb function and make
16848 it the default behaviour: i.e. if the callback is NULL and the
16850 phrase. If usrdata and the callback are NULL then the pass phrase
16857 autodetect the card and use it if present.
16859 *Ben Laurie and Compaq Inc.*
16862 and server done in one record. Since this is perfectly legal in the
16863 SSL/TLS protocol it isn't a "bug" option and is on by default. See
16868 * HP-UX tune-up: new unified configs, HP C compiler bug workaround.
16872 * Add -rand argument to smime and pkcs12 applications and read/write
16877 * New 'passwd' tool for crypt(3) and apr1 password hashes.
16890 * More tests in bntest.c, and changed test_bn output.
16898 * Bug fix for BN_div() when the first words of num and divisor are
16899 equal (it gave wrong results if `(rem=(n1-q*d0)&BN_MASK2) < d0)`.
16903 * Add support for various broken PKCS#8 formats, and command line
16908 * New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
16913 * Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
16918 * Change the `SSLeay_add_all_*()` functions to `OpenSSL_add_all_*()` and
16921 SSLeay_add_all_ciphers() to just add ciphers to the table and not
16923 and SSLeay_add_all_ciphers() were in the same source file so calling
16928 * Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
16932 * Use a less unusual form of the Miller-Rabin primality test (it used
16933 a binary algorithm for exponentiation integrated into the Miller-Rabin
16948 (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
16955 using 50 iterations of the Rabin-Miller test.
16958 iterations of the Rabin-Miller test as required by the appendix
16959 to FIPS PUB 186[-1]) instead of DSA_is_prime.
16964 and DSA_generate_parameters: The callback function is called once
16965 for each positive witness in the Rabin-Miller test, not just
16966 occasionally in the inner loop; and the parameters to the
16970 function with an 'iteration count' of -1, meaning that a
16972 from an application-provided seed, trial division is skipped).
16977 division before starting the Rabin-Miller test and has
16980 'callback(1, -1, cb_arg)' is called when a number has passed the
16990 * New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
16998 * Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
17000 SSLeay 0.9.0 (the word based version is faster anyway), and clean up
17012 by stat(). RAND_load_file(..., -1) is new and uses the complete file
17018 used `char *` instead of `void *` and had casts all over the place.
17029 Rabin-Miller iterations.
17033 * Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
17039 * Merge the functionality of "dh" and "gendh" programs into a new program
17045 * Make the ciphers, s_server and s_client programs check the return values
17055 cipher-strength (using the strength_bits hard coded in the tables).
17058 Fix a bug in the cipher-command parser: when supplying a cipher command
17060 *A-Za-z0-9*, ssl_set_cipher_list used to hang in an endless loop. Now
17063 Due to the strength-sorting extension, the code of the
17065 the readability was also increased :-)
17067 *Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>*
17069 * Minor change to 'x509' utility. The -CAcreateserial option now uses 1
17070 for the first serial number and places 2 in the serial number file. This
17071 avoids problems when the root CA is created with serial number zero and
17072 the first user certificate has the same issuer name and serial number
17084 structures and behave in an analogous way to the X509v3 functions:
17090 PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
17091 things. Some of these need some d2i or i2d and print functionality
17112 * Do more iterations of Rabin-Miller probable prime test (specifically,
17113 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
17116 false-positive rate of at most 2^-80 for random input.
17126 from an X509_CTX structure with a dup of the stack and all
17138 -nomaciter option is used. This improves file security and
17143 * Honor the no-xxx Configure options when creating .DEF files.
17148 unstructuredName and unstructuredAddress. These are taken from
17161 file containing all the field values and have req construct the
17165 used all over the place including certificate requests and PKCS#7
17169 attributes to be looked up by NID and added.
17172 automatically handle the encoding, decoding and printing of the
17180 (as in countryName) and using the mask might result in no valid
17185 * Clean up 'Finished' handling, and add functions SSL_get_finished and
17192 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
17199 the host supports BWX extension and if Compaq C is present on the
17200 $PATH. Just exploiting the BWX extension results in a 20-30%
17201 performance kick for some algorithms, e.g. DES and RC4 to mention
17202 a couple. Compaq C in turn generates ~20% faster code for MD5 and
17209 weak crypto and after checking the certificate is SGC a second one
17211 the server certificate message and sends a second client hello. Since
17235 (the worst that can happen is a handshake failure, and 'correct'
17249 * Add OIDs for idea and blowfish in CBC mode. This will allow both
17250 to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
17252 defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
17257 * Simplify the trust setting structure and code. Now we just have
17258 two sequences of OIDs for trusted and rejected settings. These will
17259 typically have values the same as the extended key usage extension
17260 and any application specific purposes.
17265 for a given id. SSL client, server and email already have functions
17266 in place for compatibility: they check the NID and also return "trusted"
17283 * Add a bunch of DER and PEM functions to handle PKCS#8 format private
17284 keys. Add some short names for PKCS#8 PBE algorithms and allow them
17285 to be specified on the command line for the pkcs8 and pkcs12 utilities.
17292 and produce an error if it couldn't. For compatibility we also have
17293 ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
17303 * Rebuild of the memory allocation routines used by OpenSSL code and
17305 provide hooks so anyone can build a separate set of allocation and
17308 since Malloc(), Realloc() and Free() were defined as macros having
17309 the values malloc, realloc and free, respectively (except for Win32
17314 With these changes, a new set of functions and macros have appeared:
17335 and deallocation) at all times, regardless of platform and compiler
17339 way than through macros have a new API and new semantic:
17347 *Richard Levitte and Bodo Moeller*
17350 ordering of SMIMECapabilities wasn't in "strength order" and there
17356 * Some ASN1 types with illegal zero length encoding (INTEGER,
17357 ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
17363 functionality to handle multipart/signed properly) and a utility
17370 * Add variants des_set_key_checked and des_set_key_unchecked of
17371 des_set_key (aka des_key_sched). Global variable des_check_key
17373 des_check_key behaves as it always did, but applications and
17384 * Modify X509_TRUST and X509_PURPOSE so it also uses a static and
17386 table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
17387 functions so they accept a list of the field values and the
17393 * Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
17401 and the application can add dynamic ones if needed. The file
17403 updated whenever a new extension is added to the core code and kept
17409 can be looked up immediately and no longer need to be "added" using
17426 * Fixes and enhancements to the 'x509' utility. It allowed a message
17430 -fingerprint and -x509toreq options. Also -x509toreq choked if a
17437 when the X509_STORE_CTX structure is set up) and checks the pathlength.
17441 every previous version of OpenSSL and SSLeay made no checks at all.
17450 Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
17454 SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
17456 and vice versa.
17458 Two new options to the verify program: -untrusted allows a set of
17459 untrusted certificates to be passed in and -purpose which sets the
17469 * Modify RSA and DSA PEM read routines to transparently handle
17481 formats some of which are standard and some OpenSSL specific and
17482 require various evil hacks to allow partial transparent handling and
17487 With public keys and the benefit of hindsight one standard format
17491 Added a -pubkey option to the 'x509' utility to output the public key.
17493 (renamed to `EVP_PKEY_get1_*()` in the OpenSSL 0.9.5 release) and add
17501 * Fixes to crypto/x509/by_file.c the code to read in certificates and
17503 added a new function to read in both types and return the number
17505 DER versions of the certificate and CRL reader would always fail
17506 because it isn't possible to mix certificates and CRLs in DER format
17510 attempting to read in certificates from NULL pointers and ignoring
17511 any errors: this is one reason why the cert and CRL reader seemed
17530 openssl verify -CAfile ss.pem ss.pem
17536 (and add it to external session representation).
17538 but an application-provided verification callback (set by
17540 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
17542 ssl->verify_result to the appropriate error code to avoid
17551 *Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson*
17555 -S option to allow a salt to be input on the command line.
17561 hash and comparing that. X509_cmp() will be needed by the trust
17572 Also change the X509_LOOKUP and X509_INFO code to handle
17577 * Add support for 40 and 64 bit RC2 and RC4 algorithms: document
17585 the string plus current file name and line number to a per-thread
17588 Also updated memory leak detection code to be multi-thread-safe.
17592 * Add options -text and -noout to pkcs7 utility and delete the
17600 manpages and fix a few bugs.
17608 * Fix the -revoke option in ca. It was freeing up memory twice,
17609 leaking and not finding already revoked certificates.
17614 This involves the use of X509_CERT_AUX structure and X509_AUX
17622 Current auxiliary information includes an "alias" and some trust
17625 can only be trusted if it is self signed and then it is trusted
17633 with non-optimised assembler. Even so, this now gives around 95%
17640 the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
17641 A few however don't do this and instead use the size of the decrypted key
17642 to determine the RC2 key length and the AlgorithmIdentifier to determine
17643 the effective key length. In this case the effective key length can still
17644 be 40 bits but the key length can be 168 bits for example. This is fixed
17647 the key length and effective key length are equal.
17653 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
17654 and have it automatically work out the correct field type and fill in
17656 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
17657 and it will (hopefully) work out the correct multibyte encoding.
17661 * Change the 'req' utility to use the new field handling and multibyte
17663 way in req, ca, and x509 which was rather broken and didn't support
17672 - Assure unique random numbers after fork().
17673 - Make sure that concurrent threads access the global counter and
17677 the additional locking could be a performance killer, and
17687 dsaparam -genkey (which also ignored its '-rand' option),
17692 seed file at least for key creation, DSA signing, and for DH exchanges;
17695 gendh and gendsa (unlike genrsa) used to read only the first byte
17696 of each file listed in the '-rand' option. The function as previously
17697 found in genrsa is now in app_rand.c and is used by all programs
17698 that support '-rand'.
17715 and it chooses the "minimal" type to use or an error if not type
17729 server or S/MIME and CAs of these types. This is currently
17731 verification. Also added a -purpose flag to x509 utility to
17736 * Add a CRYPTO_EX_DATA to X509 certificate structure and associated
17742 for, obtain and decode an extension and obtain its critical flag.
17748 * RC4 tune-up featuring 30-40% performance improvement on most RISC
17753 * New -noout option to asn1parse. This causes no output to be produced
17754 its main use is when combined with -strparse and -out to extract data
17764 * New option -dhparam in s_server. This allows a DH parameter file to be
17771 * Add -pubin and -pubout options to the rsa and dsa commands. These allow
17773 openssl rsa -in key.pem -pubout -out pubkey.pem
17791 data and it contains EOF it will end up returning an error. This is
17795 do a flag is set and it starts again knowing it can pass all the
17798 is made to pass two EOFs through the context and this causes the
17800 usual with these problems it takes *ages* to find and the fix is
17805 * Ugly workaround to get s_client and s_server working under Windows. The
17806 old code wouldn't work because it needed to select() on sockets and the
17807 tty (for keypresses and to see if data could be written). Win32 only
17809 sockets and then see if any characters are waiting to be read, if none
17812 received a complete line of data and it is effectively polling the
17814 working at all :-) A dedicated Windows application might handle this
17820 and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
17821 will be called when RSA_sign() and RSA_verify() are used. This is useful
17822 if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
17823 For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
17824 should *not* be used: RSA_sign() and RSA_verify() must be used instead.
17826 for SSL signatures and modifications to the SSL library to use it instead
17827 of calling RSA_public_decrypt() and RSA_private_encrypt().
17831 * Add new -verify -CAfile and -CApath options to the crl program, these
17832 will lookup a CRL issuers certificate and verify the signature in a
17840 * Initialize all non-automatic variables each time one of the openssl
17841 sub-programs is started (this is necessary as they may be started
17849 by the RSA patent while allowing storage and parsing of RSA keys and RSA
17854 * Non-copying interface to BIO pairs.
17864 * New functions UTF8_getc() and UTF8_putc() that parse and generate
17870 (s23_srvr.c) and for RSA client key exchange verification
17877 NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
17878 print, verify and generate SPKACs. Based on an original idea from
17883 * RIPEMD160 is operational on all platforms and is back in 'make test'.
17889 <madwolf@comune.modena.it>. The new option is called -extensions
17890 and can be applied to ca, req and x509. Also -reqexts to override
17891 the request extensions in req and -crlexts to override the crl extensions
17906 config file. They can be printed out with the -text option to req but
17925 * Initial support for DSA_METHOD. This is based on the RSA_METHOD and
17927 "per key" basis to be replaced. This allows hardware acceleration and
17929 library. Also added low-level modexp hooks and CRYPTO_EX structure and
17935 as "read only": it can't be written to and the buffer it points to will
17939 to create a memory BIO and write the data to it, this results in two
17940 copies of the data and an O(n^2) reading algorithm. There is a new
17949 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
17957 the encrypted data type: this is a more sensible place to put it and it
17963 * Changed obj_dat.pl script so it takes its input and output files on
17971 extensions to be obtained and added.
17975 * -crlf option to s_client and s_server for sending newlines as
17980 ### Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
17990 * Fix -startdate and -enddate (which was missing) arguments to 'ca'
17997 DH parameters contain its length).
17999 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
18001 where `p = 2*q + 1`), and also the smaller q makes DH computations
18002 much more efficient (160-bit exponentiation instead of 1024-bit
18018 * Allow the -k option to be used more than once in the enc program:
18033 no private key components need be present and it might store extra data
18045 typedef int pem_password_cb(char *buf, int size, int rwflag);
18047 ....(char *buf, int size, int rwflag, void *userdata);
18049 The `PEM[_ASN1]_{read,write}...` functions and macros now take an
18061 happens to be on the stack as its last argument, and the callback
18065 * The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
18069 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
18078 * More DES library cleanups: remove references to srand/rand and
18084 since not many people have MASM (ml) and it can be hard to obtain.
18085 This is currently experimental but it seems to work OK and pass all
18090 * Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
18092 and connections with temporary keys did not free everything in case
18097 * New function RSA_check_key and new openssl rsa option -check
18104 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
18106 3. Add `sk_<TYPE>_sort` to DEF file generator and do make update.
18111 you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
18121 keys when the signing key was also DSA and the parameters didn't match.
18130 This meant that parameters were omitted when they *didn't* match and
18136 * Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
18145 to disable memory-checking temporarily.
18147 Some inconsistent states that previously were possible (and were
18150 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
18154 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
18156 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
18178 * Fix problems with no-hmac etc.
18182 * New functions RSA_get_default_method(), RSA_set_method() and
18188 * Fix memory leaks in DSA_do_sign and DSA_is_prime.
18189 Also really enable memory leak checks in openssl.c and in some
18194 * Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
18195 up the length of negative integers. This has now been simplified to just
18196 store the length when it is first determined and use it later, rather
18197 than trying to keep track of where data is copied and updating it to
18199 *Steve Henson, reported by Brien Wheeler <bwheeler@authentica-security.com>*
18205 case: certificates can be omitted from a PKCS#7 structure and be
18217 options set by Configure in the top level Makefile, and Configure
18219 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
18223 * New functions CONF_load_bio() and CONF_load_fp() to allow a config
18230 Whoever hopes to achieve shared-library compatibility across versions
18231 must use this, not the compile-time macro.
18234 Note: All this applies only to multi-threaded programs, others don't
18239 * Add missing case to s3_clnt.c state machine -- one of the new SSL tests
18252 for the encoded length.
18260 * Add a new pair of functions PEM_write_PKCS8PrivateKey() and
18262 PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
18273 wrong with it but it was very old and did things like calling
18274 PEM_ASN1_read() directly and used MD5 for the hash not to mention some
18279 * Fix demos/selfsign.c: it used obsolete and deleted functions, changed
18292 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
18302 Changing the behaviour of the former might break existing programs --
18308 fails, it needs to cause bc to give a non-zero result or make test carries
18321 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
18326 * Instead of "mkdir -p", which is not fully portable, use new
18327 Perl script "util/mkdir-p.pl".
18333 structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
18338 'parameter' argument instead of literal salt and iteration count values
18339 and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
18344 and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
18347 value was just used as a "magic string" and not used directly its
18357 * "linux-sparc64" configuration (ultrapenguin).
18360 "linux-sparc" configuration.
18362 *Christian Forster <fo@hawo.stw.uni-erlangen.de>*
18364 * config now generates no-xxx options for missing ciphers.
18373 * Support BS2000/OSD-POSIX.
18389 * New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
18393 ### Changes between 0.9.3 and 0.9.3a [29 May 1999]
18395 * New configuration variant "sco5-gcc".
18418 * SHA library changes for irix64-mips4-cc.
18426 ### Changes between 0.9.2b and 0.9.3 [24 May 1999]
18429 This also avoids the problems with SC4.2 and unpatched SC5.
18433 * New functions sk_num, sk_value and sk_set to replace the previous macros.
18436 and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
18441 that does this will no longer work (and should use sk_set instead) but
18453 to des_cblock * (meaning pointer to array with 8 char elements),
18461 * Reorganise the PKCS#7 library and get rid of some of the more obvious
18463 and initialise the ASN1 structures properly based on passed cipher.
18471 * Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
18472 to and from BNs: it was completely broken. New compilation option
18478 * Reorganize and speed up MD5.
18486 * New option -out to asn1parse to allow the parsed structure to be
18487 output to a file. This is most useful when combined with the -strparse
18492 * Make SSL library a little more fool-proof by not requiring any longer
18496 intended anyway -- now it really works as intended).
18504 * Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall
18505 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
18506 -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+
18510 * Various fixes to the EVP and PKCS#7 code. It may now be able to
18517 various ways (and thus what used to be known as ctx->default_cert
18518 is now called ctx->cert, since we don't resort to `s->ctx->[default_]cert`
18519 any longer when s->cert does not give us what we need).
18522 we have solved a couple of bugs of the earlier code where s->cert
18532 that holds per-session data (if available); currently, this is
18533 the peer's certificate chain and, for clients, the server's certificate
18534 and temporary key. CERT holds only those values that can have
18541 evil casts and set the enc_dig_alg field properly based on the signing
18549 and 'x509').
18555 VeriSign uses it and IE5 only recognises this form. Document 'x509'
18560 * Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
18561 without disallowing inline assembler and the like for non-pedantic builds.
18573 * SHA-1 cleanups and performance enhancements.
18581 * Accept any -xxx and +xxx compiler options in Configure.
18596 DER-encoded.)
18601 x509_vfy.c had what can be considered an off-by-one-error:
18629 * New Configure options "threads" and "no-threads". For systems
18631 and Linux), "threads" is the default.
18640 $(INSTALLTOP)/bin -- they shouldn't clutter directories
18645 * "make linux-shared" to build shared libraries.
18649 * New Configure option `no-<cipher>` (rsa, idea, rc5, ...).
18658 * Remove NOPROTO sections and error code comments.
18667 * New Configure options --prefix=DIR and --openssldir=DIR.
18673 header rewriting and C source file generation. It should be much better
18676 aren't needed for error creation any more) and do a better job of
18678 in a comment' is no longer necessary and it doesn't use .err files which
18688 * Change behaviour of ssl2_read when facing length-0 packets: Don't return
18698 Policies and CRL distribution points documentation.
18706 * Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
18708 between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
18741 * Support for Certificate Policies extension: both print and set.
18746 * A lot of constification, and fix a bug in X509_NAME_oneline() that could
18751 * Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
18752 types DirectoryString and DisplayText.
18757 add an LHASH database driver and add several ctx helper functions.
18775 * Delete various functions and files that belonged to the (now obsolete)
18784 * Don't auto-generate pem.h.
18788 * Introduce type-safe ASN.1 SETs.
18792 * Convert various additional casted stacks to type-safe STACK_OF() variants.
18796 * Introduce type-safe STACKs. This will almost certainly break lots of code
18798 not: the conversion is trivial, and it eliminates loads of evil casts. A
18804 * Add `openssl ca -revoke <certfile>` facility which revokes a certificate
18807 revoking a certificate. The -revoke option does the gory details now.
18811 * Fix `openssl crl -noout -text` combination where `-noout` killed the
18812 `-text` option at all and this way the `-noout -text` combination was
18824 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
18828 `openssl list-cipher-commands` is used.
18837 * New functions DSA_do_sign and DSA_do_verify to provide access to
18838 the raw DSA values prior to ASN.1 encoding.
18851 * New variables $(RANLIB) and $(PERL) in the Makefiles.
18860 * Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
18866 * New "-showcerts" option for s_client.
18871 application. Various cleanups and fixes.
18875 * More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
18876 modify error routines to work internally. Add error codes and PBE init
18881 * Further PKCS#12 integration. Added password based encryption, PKCS#8 and
18882 packing functions to asn1 and evp. Changed function names and error
18887 * PKCS12 integration: and so it begins... First of several patches to
18894 and display support for Thawte strong extranet extension.
18902 * Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
18905 *Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie*
18907 * Make sure the RSA OAEP test is skipped under -DRSAref because
18913 so they no longer are missing under -DNOPROTO.
18917 ### Changes between 0.9.1c and 0.9.2b [22 Mar 1999]
18926 client certs and session caches in multiple contexts NEEDS PATCHING to
18929 *Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)*
18932 crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
18933 permission on "config" script to be executable) and a fix for the INSTALL
18938 * Remove some legacy and erroneous uses of malloc, free instead of
18943 * Make rsa_oaep_test return non-zero on error.
18948 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
18966 externally generated keys because OpenSSL (and SSLeay) ensure p > q.
18970 * Be less restrictive and allow also `perl util/perlpath.pl
18978 * Let util/clean-depend.pl work also with older Perl 5.00x versions.
18983 advapi32.lib to Win32 build and change the pem test comparison
18985 suggestion). Fix misplaced ANSI prototypes and declarations in evp.h
18986 and crypto/des/ede_cbcm_enc.c.
18990 * DES quad checksum was broken on big-endian architectures. Fixed.
19001 in e_os.h. Audit of header files to check ANSI and non ANSI
19002 sections: 10 functions were absent from non ANSI section and not exported
19012 BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
19018 fine under Unix and passes some trivial tests I've now added. But the
19022 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
19040 Currently only issuerAltName and AuthorityKeyIdentifier make any sense
19045 * Add a useful kludge to allow package maintainers to specify compiler and
19051 pre-configured entry in Configure's %table under key `<id>` with value
19052 `<details>` and `perl Configure <id>` is called. So, when you want to
19053 perform a quick test-compile under FreeBSD 3.1 with pgcc and without
19054 assembler stuff you can use `perl Configure "FreeBSD-elf:pgcc:-O6:::"`
19055 now, which overrides the FreeBSD-elf entry on-the-fly.
19063 * Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
19070 * Remarkably, export ciphers were totally broken and no-one had noticed!
19076 questions now is the OpenSSL core team under openssl-core@openssl.org.
19077 And add a paragraph about the dual-license situation to make sure people
19084 display consistent in the source tree and replaced `/bin/rm` by `rm`.
19087 to speed processing and no longer clutter the display with confusing
19101 the detached data encoding was wrong and public keys obtained using
19117 button and can be used by applications based on OpenSSL to show the
19123 ssl/ssl_lib.c and ssl/ssl.h.
19132 functions that return function pointers and has support for NT specific
19133 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
19134 #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
19140 SSL_add_dir_cert_subjects_to_stack() and
19142 SSL_load_client_CA_file(), and can be used to add multiple certs easily
19144 This means that Apache-SSL and similar packages don't have to mess around
19151 See <http://www.stack.nl/~dimitri/doxygen/index.html>, and run doxygen with
19156 * Get rid of remaining C++-style comments which strict C compilers hate.
19165 * Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
19166 DH private keys and/or callback functions which directly correspond to
19167 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
19169 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
19174 temporary keys were not overtaken from the context and the API provided
19176 The new functions now let applications reconfigure the stuff and they
19178 SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
19179 non-public-API function ssl_cert_instantiate() is used as a helper
19180 function and also to reduce code redundancy inside ssl_rsa.c.
19184 * Move s_server -dcert and -dkey options out of the undocumented feature
19185 area because they are useful for the DSA situation and should be
19192 SSL_EXP_MASK. So, the original variable has to be used instead of the
19193 already masked variable.
19197 * Fix `port` variable from `int` to `unsigned int` in crypto/bio/b_sock.c
19201 * Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
19202 from `int` to `unsigned int` because it is a length and initialized by
19203 EVP_DigestFinal() which expects an `unsigned int *`.
19207 * Don't hard-code path to Perl interpreter on shebang line of Configure
19208 script. Instead use the usual Shell->Perl transition trick.
19212 * Make `openssl x509 -noout -modulus` functional also for DSA certificates
19214 -noout -modulus` as it's already the case for `openssl rsa -noout
19215 -modulus`. For RSA the -modulus is the real "modulus" while for DSA
19217 `openssl dsa -modulus` in the past) which serves a similar purpose.
19218 Additionally the NO_RSA no longer completely removes the whole -modulus
19224 * Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
19229 * Dump the old yucky req code that tried (and failed) to allow raw OIDs
19230 to be added. Now both 'req' and 'ca' can use new objects defined in the
19240 TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
19241 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
19242 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
19259 for some CRL extensions and new objects added.
19264 key usage extension and fuller support for authority key id.
19272 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
19274 *Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
19290 in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.
19300 * Make sure latest Perl versions don't interpret some generated C array
19301 code as Perl array code in the crypto/err/err_genc.pl script.
19303 *Lars Weber <3weber@informatik.uni-hamburg.de>*
19306 not many people have the assembler. Various Win32 compilation fixes and
19313 file under Win32 and also build pem.h from pem.org. New script
19320 and purity. As a result, many evil casts evaporated, and some weirdness,
19340 * Correct calculation of key length for export ciphers (too much space was
19346 message is now correct (it understands "crypto" and "ssl" on its
19348 the util/ssleay.num and util/libeay.num files with any new functions.
19356 - ported BN stuff to OpenSSL's different BN library
19357 - made the perl/ source tree CVS-aware
19358 - renamed the package from SSLeay to OpenSSL (the files still contain
19360 - removed obsolete files (the test scripts will be replaced
19367 where we collect the old documents and readme texts.
19372 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
19377 * More extension code. Incomplete support for subject and issuer alt
19378 name, issuer and authority key id. Change the i2v function parameters
19379 and add an extra 'crl' parameter in the X509V3_CTX structure: guess
19380 what that's for :-) Fix to ASN1 macro which messed up
19381 IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
19407 * Fixed ms/32all.bat script: `no_asm` -> `no-asm`
19409 *Rainer W. Gerling <gerling@mpg-gv.mpg.de>*
19415 * Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
19422 doing certificate verification and some other functions.
19426 * Add ASN1 and PEM code to support netscape certificate sequences.
19430 * Add ASN1 and PEM code to support netscape certificate sequences.
19434 * Add several PKIX and private extended key usage OIDs.
19444 and add a sample to openssl.cnf so req -x509 now adds appropriate
19450 error code, add initial support to X509_print() and x509 application.
19454 * Take a deep breath and start adding X509 V3 extension support code. Add
19456 stuff is currently isolated and isn't even compiled yet.
19460 * Continuing patches for GeneralizedTime. Fix up certificate and CRL
19461 ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
19469 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
19474 * Spelling mistake in C version of CAST-128.
19478 * Changes to the error generation code. The perl script err-code.pl
19479 now reads in the old error codes and retains the old numbers, only
19485 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
19490 * CAST-128 was incorrectly implemented for short keys. The C version has
19492 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
19494 *Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
19501 * Beginning of support for GeneralizedTime. d2i, i2d, check and print
19537 based on a text string, looking up short and long names and finally
19539 OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
19554 * Get the `gendsa` command working and add it to the `list` command. Remove
19571 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19573 * Don't blow it for numeric `-newkey` arguments to `apps/req`.
19575 *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*
19586 * Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
19607 * Make sure the already existing X509_STORE->depth variable is initialized
19608 in X509_STORE_new(), but document the fact that this variable is still
19613 * Fix the various library and `apps/` files to free up pkeys obtained from
19621 *Steve Henson and Ben Laurie*
19624 `openssl` and second, the shortcut symlinks for the `openssl <command>`
19625 are no longer created. This way we have a single and consistent command
19628 *Ralf S. Engelschall, Paul Sutton and Ben Laurie*
19639 * Make the top-level INSTALL documentation easier to understand.
19643 * Makefiles updated to exit if an error occurs in a sub-directory
19650 * Fix build order of pem and err to allow for generated pem.h.
19658 * Enhanced the err-ins.pl script so it makes the error library number
19659 global and can add a library name. This is needed for external ASN1 and
19668 * Fix ASN1 macros so they can handle indefinite length constructed
19695 *Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>*
19703 ncr-scde
19704 unixware-2.0
19705 unixware-2.0-pentium
19706 sco5-cc.
19719 ### Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
19721 * Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
19726 * Some fixups to the top-level documents.
19730 * Fixed the nasty bug where rsaref.h was not found under compile-time
19735 * Incorporated the popular no-RSA/DSA-only patches
19736 which allow compiling an RSA-free SSLeay.
19740 * Fixed nasty rehash problem under `make -f Makefile.ssl links`
19758 * Recompiled the error-definition header files and added
19763 * Cleaned up the top-level documents;
19764 o new files: CHANGES and LICENSE
19765 o merged VERSION, HISTORY* and README* files into a CHANGES.SSLeay
19787 Young and Tim J. Hudson created while they were working for C2Net until
19792 ### Changes between 0.9.0b and 0.9.1b [not released]
19808 RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
19813 * Add -strparse option to asn1pars program which parses nested
19818 * Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
19826 * Added "-genkey" option to "dsaparam" program.
19834 * Added -a (all) option to "ssleay version" command.
19858 * Fixed the weak key values in DES library
19914 * Fixed various code and comment typos.