Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist Import openssl-1.0.1q
details: https://anonhg.NetBSD.org/src/rev/7aa7007dc2b5
branches: trunk
changeset: 342111:7aa7007dc2b5
user: christos <christos%NetBSD.org@localhost>
date: Sun Dec 06 21:45:41 2015 +0000
description:
Import openssl-1.0.1q
OpenSSL Security Advisory [3 Dec 2015] - Updated [4 Dec 2015]
=============================================================
[Updated 4 Dec 2015]: This advisory has been updated to include the details of
CVE-2015-1794, a Low severity issue affecting OpenSSL 1.0.2 which had a fix
included in the released packages but was missed from the advisory text.
NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 13 2015 by Hanno
B?ck. The fix was developed by Andy Polyakov of the OpenSSL
development team.
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================
Severity: Moderate
The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.
This issue affects OpenSSL versions 1.0.2 and 1.0.1.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
This issue was reported to OpenSSL on August 27 2015 by Lo?c Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.
X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================
Severity: Moderate
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.
This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh
This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.
Race condition handling PSK identify hint (CVE-2015-3196)
=========================================================
Severity: Low
If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.
This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.
OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t
The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).
The fix was developed by Dr. Stephen Henson of the OpenSSL development team.
Anon DH ServerKeyExchange with 0 p parameter (CVE-2015-1794)
============================================================
Severity: Low
If a client receives a ServerKeyExchange for an anonymous DH ciphersuite with
the value of p set to 0 then a seg fault can occur leading to a possible denial
of service attack.
This issue affects OpenSSL version 1.0.2.
OpenSSL 1.0.2 users should upgrade to 1.0.2e
This issue was reported to OpenSSL on August 3 2015 by Guy Leaver (Cisco). The
fix was developed by Matt Caswell of the OpenSSL development team.
Note
====
As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
diffstat:
crypto/external/bsd/openssl/dist/CONTRIBUTING | 38 +
crypto/external/bsd/openssl/dist/FAQ | 1041 +---------
crypto/external/bsd/openssl/dist/Makefile.org | 31 +-
crypto/external/bsd/openssl/dist/apps/Makefile | 2 +-
crypto/external/bsd/openssl/dist/apps/apps.c | 9 +-
crypto/external/bsd/openssl/dist/apps/asn1pars.c | 4 +-
crypto/external/bsd/openssl/dist/apps/ecparam.c | 7 +-
crypto/external/bsd/openssl/dist/apps/engine.c | 5 -
crypto/external/bsd/openssl/dist/apps/pkcs12.c | 14 +-
crypto/external/bsd/openssl/dist/appveyor.yml | 60 +
crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-586.pl | 6 +-
crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/asn1/asn1_par.c | 10 +
crypto/external/bsd/openssl/dist/crypto/asn1/d2i_pr.c | 15 +-
crypto/external/bsd/openssl/dist/crypto/asn1/x_bignum.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/asn1/x_pubkey.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/asn1/x_x509.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/bio/b_dump.c | 1 -
crypto/external/bsd/openssl/dist/crypto/bn/asm/armv4-gf2m.pl | 24 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/ia64.S | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/s390x-gf2m.pl | 6 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86-gf2m.pl | 16 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_gcd.c | 2 +
crypto/external/bsd/openssl/dist/crypto/bn/bn_gf2m.c | 11 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_recp.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_x931p.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/buffer/buf_str.c | 21 +-
crypto/external/bsd/openssl/dist/crypto/buffer/buffer.h | 6 +
crypto/external/bsd/openssl/dist/crypto/cms/cms_enc.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/conf/conf_sap.c | 1 +
crypto/external/bsd/openssl/dist/crypto/dsa/dsa_gen.c | 21 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_key.c | 12 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c | 1 +
crypto/external/bsd/openssl/dist/crypto/evp/e_des3.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/encode.c | 208 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_key.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_lib.c | 33 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_pbe.c | 16 +-
crypto/external/bsd/openssl/dist/crypto/evp/p_lib.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/pmeth_gn.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/hmac/hm_ameth.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/jpake/jpake.c | 4 +
crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-armv4.pl | 6 +-
crypto/external/bsd/openssl/dist/crypto/modes/asm/ghash-x86.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/ocsp/ocsp_lib.c | 6 -
crypto/external/bsd/openssl/dist/crypto/ocsp/ocsp_prn.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/opensslconf.h.in | 2 +-
crypto/external/bsd/openssl/dist/crypto/pem/pem_info.c | 6 +
crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_add.c | 27 +-
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_crpt.c | 3 +
crypto/external/bsd/openssl/dist/crypto/pkcs12/p12_mutl.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_gen.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_test.c | 32 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-586.pl | 4 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha256-586.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-586.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-parisc.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/srp/srp_vfy.c | 34 +-
crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_verify.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/whrlpool/asm/wp-mmx.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c | 15 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c | 2 -
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_cpols.c | 4 +
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_ncons.c | 2 +
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_pci.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_pcia.c | 2 +-
crypto/external/bsd/openssl/dist/demos/easy_tls/README | 2 +-
crypto/external/bsd/openssl/dist/demos/engines/zencod/hw_zencod.c | 2 +-
crypto/external/bsd/openssl/dist/doc/apps/ciphers.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/apps/genrsa.pod | 6 -
crypto/external/bsd/openssl/dist/doc/apps/req.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/apps/x509.pod | 3 +-
crypto/external/bsd/openssl/dist/doc/crypto/BIO_read.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/crypto/BN_rand.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/crypto/DSA_generate_parameters.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_SignInit.pod | 3 +-
crypto/external/bsd/openssl/dist/doc/crypto/buffer.pod | 47 +-
crypto/external/bsd/openssl/dist/doc/crypto/d2i_X509_NAME.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/dir-locals.example.el | 15 +
crypto/external/bsd/openssl/dist/doc/openssl-c-indent.el | 62 +
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 35 +-
crypto/external/bsd/openssl/dist/engines/e_chil.c | 4 +
crypto/external/bsd/openssl/dist/ssl/bio_ssl.c | 4 +
crypto/external/bsd/openssl/dist/ssl/clienthellotest.c | 218 ++
crypto/external/bsd/openssl/dist/ssl/d1_clnt.c | 23 +-
crypto/external/bsd/openssl/dist/ssl/ssl_asn1.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/ssl_cert.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/ssl_rsa.c | 23 +-
crypto/external/bsd/openssl/dist/ssl/ssl_sess.c | 4 +-
crypto/external/bsd/openssl/dist/util/indent.pro | 16 +
crypto/external/bsd/openssl/dist/util/mkrc.pl | 2 +-
crypto/external/bsd/openssl/dist/util/mkstack.pl | 2 +-
crypto/external/bsd/openssl/dist/util/pl/VC-32.pl | 7 +-
crypto/external/bsd/openssl/dist/util/selftest.pl | 1 +
crypto/external/bsd/openssl/dist/util/toutf8.sh | 17 +
98 files changed, 990 insertions(+), 1406 deletions(-)
diffs (truncated from 4062 to 300 lines):
diff -r af10b78e5a23 -r 7aa7007dc2b5 crypto/external/bsd/openssl/dist/CONTRIBUTING
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/crypto/external/bsd/openssl/dist/CONTRIBUTING Sun Dec 06 21:45:41 2015 +0000
@@ -0,0 +1,38 @@
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
+
+Development is coordinated on the openssl-dev mailing list (see
+http://www.openssl.org for information on subscribing). If you
+would like to submit a patch, send it to rt%openssl.org@localhost with
+the string "[PATCH]" in the subject. Please be sure to include a
+textual explanation of what your patch does.
+
+You can also make GitHub pull requests. If you do this, please also send
+mail to rt%openssl.org@localhost with a brief description and a link to the PR so
+that we can more easily keep track of it.
+
+If you are unsure as to whether a feature will be useful for the general
+OpenSSL community please discuss it on the openssl-dev mailing list first.
+Someone may be already working on the same thing or there may be a good
+reason as to why that feature isn't implemented.
+
+Patches should be as up to date as possible, preferably relative to the
+current Git or the last snapshot. They should follow our coding style
+(see https://www.openssl.org/policies/codingstyle.html) and compile without
+warnings using the --strict-warnings flag. OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
+
+Our preferred format for patch files is "git format-patch" output. For example
+to provide a patch file containing the last commit in your local git repository
+use the following command:
+
+# git format-patch --stdout HEAD^ >mydiffs.patch
+
+Another method of creating an acceptable patch file without using git is as
+follows:
+
+# cd openssl-work
+# [your changes]
+# ./Configure dist; make clean
+# cd ..
+# diff -ur openssl-orig openssl-work > mydiffs.patch
diff -r af10b78e5a23 -r 7aa7007dc2b5 crypto/external/bsd/openssl/dist/FAQ
--- a/crypto/external/bsd/openssl/dist/FAQ Sun Dec 06 14:43:59 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/FAQ Sun Dec 06 21:45:41 2015 +0000
@@ -1,1039 +1,2 @@
-OpenSSL - Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software?
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1e was released on Feb 11th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers. Be sure to read the
-documentation of the application you want to use. The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions. It is described in the openssl(1)
-manpage. Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt. It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL. Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
- md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
- pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-The patents section of the README file lists patents that may apply to
-you if you want to use OpenSSL. For information on intellectual
-property rights, please consult a lawyer. The OpenSSL team does not
-offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed." If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly. Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.) Some broken applications do
-not do this. As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness. If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly. OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details. Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
Home |
Main Index |
Thread Index |
Old Index