| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| a9d2bc49 | 5 | Changes between 0.9.6 and 0.9.7 [xx XXX 2001] |
| a43cf9fa | 6 | |
| e9ad0d2c | 7 | OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001) |
| e3fefbfd | 8 | and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6. |
| e9ad0d2c | 9 | |
| a9d2bc49 | 10 | Change log entries are tagged as follows: |
| daba492c BM | 11 | -) applies to 0.9.6a/0.9.6b/0.9.6c only |
| | 12 | *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 |
| a9d2bc49 BM | 13 | +) applies to 0.9.7 only |
| | 14 | |
| bc37d996 DSH | 15 | +) New experimental application configuration code. |
| | 16 | [Steve Henson] |
| | 17 | |
| d59fb0dd BM | 18 | *) New 'shared_ldflag' column in Configure platform table. |
| | 19 | [Richard Levitte] |
| | 20 | |
| e5d6528a BM | 21 | *) Fix EVP_CIPHER_mode macro. |
| | 22 | ["Dan S. Camper" <dan@bti.net>] |
| | 23 | |
| 6f9079fd RL | 24 | +) Change the AES code to follow the same name structure as all other |
| | 25 | symmetric ciphers, and behave the same way. Move everything to |
| | 26 | the directory crypto/aes, thereby obsoleting crypto/rijndael. |
| | 27 | [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] |
| | 28 | |
| dcbbf83d UM | 29 | *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown |
| | 30 | type, we must throw them away by setting rr->length to 0. |
| | 31 | [D P Chang <dpc@qualys.com>] |
| | 32 | |
| 3c89d78d BM | 33 | -) OpenSSL 0.9.6c released [21 dec 2001] |
| | 34 | |
| 7c517a04 BL | 35 | +) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. |
| | 36 | [Ben Laurie and Theo de Raadt] |
| | 37 | |
| 66df02fd BM | 38 | *) Fix BN_rand_range bug pointed out by Dominikus Scherkl |
| | 39 | <Dominikus.Scherkl@biodata.com>. (The previous implementation |
| | 40 | worked incorrectly for those cases where range = 10..._2 and |
| | 41 | 3*range is two bits longer than range.) |
| | 42 | [Bodo Moeller] |
| | 43 | |
| b5348a09 BM | 44 | *) Only add signing time to PKCS7 structures if it is not already |
| | 45 | present. |
| f3e24bad DSH | 46 | [Steve Henson] |
| | 47 | |
| 35e25255 BM | 48 | *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", |
| | 49 | OBJ_ld_ce should be OBJ_id_ce. |
| | 50 | Also some ip-pda OIDs in crypto/objects/objects.txt were |
| | 51 | incorrect (cf. RFC 3039). |
| | 52 | [Matt Cooper, Frederic Giudicelli, Bodo Moeller] |
| | 53 | |
| 21a85f19 DSH | 54 | +) Add option to output public keys in req command. |
| | 55 | [Massimiliano Pala madwolf@openca.org] |
| | 56 | |
| 883b0c22 BM | 57 | *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() |
| | 58 | returns early because it has nothing to do. |
| | 59 | [Andy Schneider <andy.schneider@bjss.co.uk>] |
| | 60 | |
| | 61 | *) [In 0.9.6c-engine and 0.9.7 release:] |
| | 62 | Fix mutex callback return values in crypto/engine/hw_ncipher.c. |
| | 63 | [Andy Schneider <andy.schneider@bjss.co.uk>] |
| | 64 | |
| 898f856c BM | 65 | -) [In 0.9.6c-engine release:] |
| | 66 | Add support for Cryptographic Appliance's keyserver technology. |
| | 67 | (Use engine 'keyclient') |
| | 68 | [Cryptographic Appliances and Geoff Thorpe] |
| | 69 | |
| 1d4581c2 BM | 70 | *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' |
| | 71 | is called via tools/c89.sh because arguments have to be |
| | 72 | rearranged (all '-L' options must appear before the first object |
| | 73 | modules). |
| | 74 | [Richard Shapiro <rshapiro@abinitio.com>] |
| | 75 | |
| 76c4336c BM | 76 | +) Use wNAFs in EC_POINTs_mul() for improved efficiency |
| | 77 | (up to about 10% better than before for P-192 and P-224). |
| 3ba1f111 BM | 78 | [Bodo Moeller] |
| | 79 | |
| 83978bd3 BM | 80 | -) [In 0.9.6c-engine release:] |
| | 81 | Add support for Broadcom crypto accelerator cards, backported |
| | 82 | from 0.9.7. |
| | 83 | [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] |
| | 84 | |
| | 85 | -) [In 0.9.6c-engine release:] |
| | 86 | Add support for SureWare crypto accelerator cards from |
| | 87 | Baltimore Technologies. (Use engine 'sureware') |
| | 88 | [Baltimore Technologies and Mark Cox] |
| | 89 | |
| | 90 | -) [In 0.9.6c-engine release:] |
| | 91 | Add support for crypto accelerator cards from Accelerated |
| | 92 | Encryption Processing, www.aep.ie. (Use engine 'aep') |
| | 93 | [AEP Inc. and Mark Cox] |
| | 94 | |
| c5571db0 BM | 95 | *) Add a configuration entry for gcc on UnixWare. |
| | 96 | [Gary Benson <gbenson@redhat.com>] |
| | 97 | |
| 7aa983c6 BM | 98 | +) New functions/macros |
| | 99 | |
| | 100 | SSL_CTX_set_msg_callback(ctx, cb) |
| | 101 | SSL_CTX_set_msg_callback_arg(ctx, arg) |
| | 102 | SSL_set_msg_callback(ssl, cb) |
| | 103 | SSL_set_msg_callback_arg(ssl, arg) |
| | 104 | |
| | 105 | to request calling a callback function |
| | 106 | |
| | 107 | void cb(int write_p, int version, int content_type, |
| | 108 | const void *buf, size_t len, SSL *ssl, void *arg) |
| | 109 | |
| | 110 | whenever a protocol message has been completely received |
| | 111 | (write_p == 0) or sent (write_p == 1). Here 'version' is the |
| | 112 | protocol version according to which the SSL library interprets |
| | 113 | the current protocol message (SSL2_VERSION, SSL3_VERSION, or |
| | 114 | TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or |
| | 115 | the content type as defined in the SSL 3.0/TLS 1.0 protocol |
| | 116 | specification (change_cipher_spec(20), alert(21), handshake(22)). |
| | 117 | 'buf' and 'len' point to the actual message, 'ssl' to the |
| | 118 | SSL object, and 'arg' is the application-defined value set by |
| | 119 | SSL[_CTX]_set_msg_callback_arg(). |
| | 120 | |
| | 121 | 'openssl s_client' and 'openssl s_server' have new '-msg' options |
| | 122 | to enable a callback that displays all protocol messages. |
| | 123 | [Bodo Moeller] |
| | 124 | |
| | 125 | *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake |
| | 126 | messages are stored in a single piece (fixed-length part and |
| | 127 | variable-length part combined) and fix various bugs found on the way. |
| | 128 | [Bodo Moeller] |
| | 129 | |
| a7b42009 RL | 130 | +) Change the shared library support so shared libraries are built as |
| | 131 | soon as the corresponding static library is finished, and thereby get |
| | 132 | openssl and the test programs linked against the shared library. |
| | 133 | This still only happens when the keyword "shared" has been given to |
| | 134 | the configuration scripts. |
| | 135 | |
| | 136 | NOTE: shared library support is still an experimental thing, and |
| | 137 | backward binary compatibility is still not guaranteed. |
| | 138 | ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte] |
| | 139 | |
| 7d5b04db DSH | 140 | +) Add support for Subject Information Access extension. |
| | 141 | [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
| | 142 | |
| 48b0cf8b BM | 143 | +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero |
| | 144 | additional bytes when new memory had to be allocated, not just |
| | 145 | when reusing an existing buffer. |
| | 146 | [Bodo Moeller] |
| | 147 | |
| c602e7f4 BM | 148 | *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() |
| | 149 | instead. BIO_gethostbyname() does not know what timeouts are |
| 48b0cf8b | 150 | appropriate, so entries would stay in cache even when they have |
| c602e7f4 BM | 151 | become invalid. |
| | 152 | [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>] |
| | 153 | |
| 1fc6d41b DSH | 154 | +) New command line and configuration option 'utf8' for the req command. |
| | 155 | This allows field values to be specified as UTF8 strings. |
| | 156 | [Steve Henson] |
| | 157 | |
| 0e211563 BL | 158 | +) Add -multi and -mr options to "openssl speed" - giving multiple parallel |
| | 159 | runs for the former and machine-readable output for the latter. |
| | 160 | [Ben Laurie] |
| | 161 | |
| 89da653f BM | 162 | +) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion |
| | 163 | of the e-mail address in the DN (i.e., it will go into a certificate |
| | 164 | extension only). The new configuration file option 'email_in_dn = no' |
| | 165 | has the same effect. |
| | 166 | [Massimiliano Pala madwolf@openca.org] |
| | 167 | |
| ba1c6022 BM | 168 | *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when |
| | 169 | faced with a pathologically small ClientHello fragment that does |
| | 170 | not contain client_version: Instead of aborting with an error, |
| | 171 | simply choose the highest available protocol version (i.e., |
| | 172 | TLS 1.0 unless it is disabled). In practice, ClientHello |
| | 173 | messages are never sent like this, but this change gives us |
| | 174 | strictly correct behaviour at least for TLS. |
| | 175 | [Bodo Moeller] |
| | 176 | |
| c2e4f17c RL | 177 | +) Change all functions with names starting with des_ to be starting |
| | 178 | with DES_ instead. This because there are increasing clashes with |
| | 179 | libdes and other des libraries that are currently used by other |
| | 180 | projects. The old libdes interface is provided, as well as crypt(), |
| | 181 | if openssl/des_old.h is included. Note that crypt() is no longer |
| | 182 | declared in openssl/des.h. |
| | 183 | |
| | 184 | NOTE: This is a major break of an old API into a new one. Software |
| | 185 | authors are encouraged to switch to the DES_ style functions. Some |
| | 186 | time in the future, des_old.h and the libdes compatibility functions |
| | 187 | will be completely removed. |
| | 188 | [Richard Levitte] |
| | 189 | |
| 979689aa BM | 190 | *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() |
| | 191 | never resets s->method to s->ctx->method when called from within |
| | 192 | one of the SSL handshake functions. |
| | 193 | [Bodo Moeller; problem pointed out by Niko Baric] |
| | 194 | |
| f1558bb4 DSH | 195 | +) Test for certificates which contain unsupported critical extensions. |
| | 196 | If such a certificate is found during a verify operation it is |
| | 197 | rejected by default: this behaviour can be overridden by either |
| | 198 | handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or |
| | 199 | by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function |
| | 200 | X509_supported_extension() has also been added which returns 1 if a |
| | 201 | particular extension is supported. |
| | 202 | [Steve Henson] |
| | 203 | |
| a661b653 BM | 204 | *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert |
| | 205 | (sent using the client's version number) if client_version is |
| | 206 | smaller than the protocol version in use. Also change |
| | 207 | ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if |
| | 208 | the client demanded SSL 3.0 but only TLS 1.0 is enabled; then |
| | 209 | the client will at least see that alert. |
| | 210 | [Bodo Moeller] |
| | 211 | |
| 581f1c84 DSH | 212 | +) Modify the behaviour of EVP cipher functions in a similar way to digests |
| | 213 | to retain compatibility with existing code. |
| | 214 | [Steve Henson] |
| | 215 | |
| 20d2186c | 216 | +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain |
| 50d194af DSH | 217 | compatibility with existing code. In particular the 'ctx' parameter does |
| | 218 | not have to be initialized before the call to EVP_DigestInit() and |
| | 219 | it is tidied up after a call to EVP_DigestFinal(). New function |
| | 220 | EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function |
| | 221 | EVP_MD_CTX_copy() changed to not require the destination to be |
| | 222 | initialized and valid, and new function EVP_MD_CTX_copy_ex() added which |
| | 223 | requires the destination to be valid. |
| | 224 | |
| | 225 | Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), |
| | 226 | EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). |
| 20d2186c DSH | 227 | [Steve Henson] |
| | 228 | |
| 48948d53 BM | 229 | +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it |
| | 230 | so that complete 'Handshake' protocol structures are kept in memory |
| | 231 | instead of overwriting 'msg_type' and 'length' with 'body' data. |
| | 232 | [Bodo Moeller] |
| | 233 | |
| | 234 | *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation |
| | 235 | correctly. |
| | 236 | [Bodo Moeller] |
| | 237 | |
| 285046ec RL | 238 | +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. |
| | 239 | [Massimo Santin via Richard Levitte] |
| | 240 | |
| 07cee702 GT | 241 | +) Major restructuring to the underlying ENGINE code. This includes |
| | 242 | reduction of linker bloat, separation of pure "ENGINE" manipulation |
| | 243 | (initialisation, etc) from functionality dealing with implementations |
| | 244 | of specific crypto interfaces. This change also introduces integrated |
| | 245 | support for symmetric ciphers and digest implementations - so ENGINEs |
| | 246 | can now accelerate these by providing EVP_CIPHER and EVP_MD |
| | 247 | implementations of their own. This is detailed in crypto/engine/README |
| | 248 | as it couldn't be adequately described here. However, there are a few |
| | 249 | API changes worth noting - some RSA, DSA, DH, and RAND functions that |
| | 250 | were changed in the original introduction of ENGINE code have now |
| | 251 | reverted back - the hooking from this code to ENGINE is now a good |
| | 252 | deal more passive and at run-time, operations deal directly with |
| | 253 | RSA_METHODs, DSA_METHODs (etc) as they did before, rather than |
| | 254 | dereferencing through an ENGINE pointer any more. Also, the ENGINE |
| | 255 | functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - |
| | 256 | they were not being used by the framework as there is no concept of a |
| | 257 | BIGNUM_METHOD and they could not be generalised to the new |
| | 258 | 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, |
| | 259 | ENGINE_cpy() has been removed as it cannot be consistently defined in |
| | 260 | the new code. |
| | 261 | [Geoff Thorpe] |
| | 262 | |
| d46c1a81 DSH | 263 | +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. |
| | 264 | [Steve Henson] |
| | 265 | |
| 89eeccac RL | 266 | +) Change mkdef.pl to sort symbols that get the same entry number, |
| | 267 | and make sure the automatically generated functions ERR_load_* |
| | 268 | become part of libeay.num as well. |
| | 269 | [Richard Levitte] |
| | 270 | |
| 3b0b5aba BM | 271 | *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a |
| | 272 | client receives HelloRequest while in a handshake. |
| | 273 | [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] |
| | 274 | |
| 6b0e9fac BM | 275 | +) New function SSL_renegotiate_pending(). This returns true once |
| | 276 | renegotiation has been requested (either SSL_renegotiate() call |
| | 277 | or HelloRequest/ClientHello received from the peer) and becomes |
| | 278 | false once a handshake has been completed. |
| | 279 | (For servers, SSL_renegotiate() followed by SSL_do_handshake() |
| | 280 | sends a HelloRequest, but does not ensure that a handshake takes |
| | 281 | place. SSL_renegotiate_pending() is useful for checking if the |
| | 282 | client has followed the request.) |
| | 283 | [Bodo Moeller] |
| | 284 | |
| | 285 | +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. |
| | 286 | By default, clients may request session resumption even during |
| | 287 | renegotiation (if session ID contexts permit); with this option, |
| | 288 | session resumption is possible only in the first handshake. |
| | 289 | [Bodo Moeller] |
| | 290 | |
| 2260ad21 BM | 291 | *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C |
| | 292 | should end in 'break', not 'goto end' which circumvents various |
| b49124f6 BM | 293 | cleanups done in state SSL_ST_OK. But session related stuff |
| | 294 | must be disabled for SSL_ST_OK in the case that we just sent a |
| | 295 | HelloRequest. |
| 2260ad21 BM | 296 | |
| | 297 | Also avoid some overhead by not calling ssl_init_wbio_buffer() |
| | 298 | before just sending a HelloRequest. |
| b49124f6 | 299 | [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] |
| 8e2f6b79 | 300 | |
| ee60d9fb BM | 301 | *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't |
| | 302 | reveal whether illegal block cipher padding was found or a MAC |
| | 303 | verification error occurred. (Neither SSLerr() codes nor alerts |
| | 304 | are directly visible to potential attackers, but the information |
| | 305 | may leak via logfiles.) |
| | 306 | |
| | 307 | Similar changes are not required for the SSL 2.0 implementation |
| | 308 | because the number of padding bytes is sent in clear for SSL 2.0, |
| | 309 | and the extra bytes are just ignored. However ssl/s2_pkt.c |
| | 310 | failed to verify that the purported number of padding bytes is in |
| | 311 | the legal range. |
| | 312 | [Bodo Moeller] |
| | 313 | |
| 96bd6f73 DSH | 314 | +) Add some demos for certificate and certificate request creation. |
| | 315 | [Steve Henson] |
| | 316 | |
| c0f5dd07 LJ | 317 | +) Make maximum certificate chain size accepted from the peer application |
| | 318 | settable (SSL*_get/set_max_cert_list()), as proposed by |
| | 319 | "Douglas E. Engert" <deengert@anl.gov>. |
| | 320 | [Lutz Jaenicke] |
| | 321 | |
| b26ca340 BM | 322 | +) Add support for shared libraries for Unixware-7 |
| | 323 | (Boyd Lynn Gerber <gerberb@zenez.com>). |
| 6c36f7a9 LJ | 324 | [Lutz Jaenicke] |
| | 325 | |
| b26ca340 BM | 326 | *) Add OpenUNIX-8 support including shared libraries |
| | 327 | (Boyd Lynn Gerber <gerberb@zenez.com>). |
| c5571db0 BM | 328 | [Lutz Jaenicke] |
| | 329 | |
| a9ed4da8 BM | 330 | *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid |
| | 331 | 'wristwatch attack' using huge encoding parameters (cf. |
| | 332 | James H. Manger's CRYPTO 2001 paper). Note that the |
| | 333 | RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use |
| e3fefbfd | 334 | encoding parameters and hence was not vulnerable. |
| a9ed4da8 BM | 335 | [Bodo Moeller] |
| | 336 | |
| 4450107a | 337 | +) Add a "destroy" handler to ENGINEs that allows structural cleanup to |
| 908efd3b GT | 338 | be done prior to destruction. Use this to unload error strings from |
| | 339 | ENGINEs that load their own error strings. NB: This adds two new API |
| | 340 | functions to "get" and "set" this destroy handler in an ENGINE. |
| a9ed4da8 | 341 | [Geoff Thorpe] |
| 908efd3b | 342 | |
| 4450107a | 343 | +) Alter all existing ENGINE implementations (except "openssl" and |
| 541814c4 GT | 344 | "openbsd") to dynamically instantiate their own error strings. This |
| | 345 | makes them more flexible to be built both as statically-linked ENGINEs |
| | 346 | and self-contained shared-libraries loadable via the "dynamic" ENGINE. |
| | 347 | Also, add stub code to each that makes building them as self-contained |
| | 348 | shared-libraries easier (see README.ENGINE). |
| | 349 | [Geoff Thorpe] |
| | 350 | |
| 4450107a | 351 | +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE |
| 541814c4 GT | 352 | implementations into applications that are completely implemented in |
| | 353 | self-contained shared-libraries. The "dynamic" ENGINE exposes control |
| | 354 | commands that can be used to configure what shared-library to load and |
| | 355 | to control aspects of the way it is handled. Also, made an update to |
| | 356 | the README.ENGINE file that brings its information up-to-date and |
| | 357 | provides some information and instructions on the "dynamic" ENGINE |
| | 358 | (i.e. how to use it, how to build "dynamic"-loadable ENGINEs, etc). |
| | 359 | [Geoff Thorpe] |
| | 360 | |
| d98a4b73 UM | 361 | *) BN_sqr() bug fix. |
| | 362 | |
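The BN_rand_range entry above (file lines 38-41) only states the failing condition. The following added example, written for this page and not taken from OpenSSL's bn_rand.c, models the library's rejection-sampling strategy on Python ints (my reconstruction of the approach, labelled as an assumption) and enumerates every possible draw exhaustively, so it shows why a test that looks only at the second-highest bit of range produces a biased distribution for range = 1011..._2 while the corrected test (range = 100..._2) stays uniform.

```python
# Added example, not OpenSSL's code: a Python model of the rejection-sampling
# strategy behind BN_rand_range (crypto/bn/bn_rand.c), using ints instead of
# BIGNUMs.  The structure follows the library as I remember it and is an
# assumption, not a transcript; it exists to show why the pre-0.9.6c test
# for "range = 10..._2" was not enough.
from collections import Counter
import secrets


def uses_3range_trick(rng: int, buggy: bool) -> bool:
    """Decide whether to draw n+1 random bits and reduce mod rng.

    That trick is only unbiased while 3*rng is at most one bit longer
    than rng.  The buggy test looked only at the second-highest bit
    (range = 10..._2); the fix also requires the third-highest bit to
    be clear (range = 100..._2), since for range = 1011..._2 the product
    3*range is two bits longer than range.
    """
    n = rng.bit_length()
    if n < 3:
        return False
    second_clear = ((rng >> (n - 2)) & 1) == 0
    third_clear = ((rng >> (n - 3)) & 1) == 0
    return second_clear if buggy else (second_clear and third_clear)


def map_candidate(r: int, rng: int, trick: bool):
    """Map one raw draw r to an output in [0, rng), or None to reject."""
    if trick:
        # Accept r < 3*rng and fold it: the result is r, r - rng or r - 2*rng.
        return r % rng if r < 3 * rng else None
    return r if r < rng else None


def output_histogram(rng: int, buggy: bool = False) -> Counter:
    """Enumerate every raw value the sampler could draw (exhaustively, no
    randomness involved) and count how often each output appears."""
    trick = uses_3range_trick(rng, buggy)
    bits = rng.bit_length() + (1 if trick else 0)
    hist = Counter()
    for r in range(1 << bits):
        v = map_candidate(r, rng, trick)
        if v is not None:
            hist[v] += 1
    return hist


def is_uniform(rng: int, buggy: bool = False) -> bool:
    """True when every value in [0, rng) is produced equally often."""
    hist = output_histogram(rng, buggy)
    return len(hist) == rng and len(set(hist.values())) == 1


def bn_rand_range(rng: int) -> int:
    """Draw a uniform value in [0, rng) with the corrected strategy."""
    trick = uses_3range_trick(rng, False)
    bits = rng.bit_length() + (1 if trick else 0)
    while True:
        v = map_candidate(secrets.randbits(bits), rng, trick)
        if v is not None:
            return v
```

For range = 11 (1011 in binary) the buggy path draws 5 bits and every draw is below 3*11 = 33, so the 32 raw values fold onto 11 outputs unevenly; the fixed path uses plain rejection and is uniform.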
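The ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c entry above (file lines 301-312) describes collapsing the "bad padding" and "bad MAC" outcomes into one. This added example, not OpenSSL's code, models the check a TLS 1.0 server performs on a decrypted CBC record and puts the pre-fix shape beside the 0.9.6c shape; the MAC input layout and the 8-byte block size are constructed for illustration, not the exact TLS wire format.

```python
# Added example, not OpenSSL's code: models the record check a TLS 1.0
# server runs after CBC decryption (data || MAC || pad bytes || pad_length)
# to show why 0.9.6c stopped returning distinct "bad padding" and
# "bad MAC" results.  The MAC input (sequence number || length || data)
# and the 8-byte block size are constructed for illustration only.
import hashlib
import hmac

MAC_LEN = 20  # HMAC-SHA1 output length
BLOCK = 8     # block size of the assumed cipher
GENERIC_ERROR = "decryption_failed_or_bad_record_mac"


def compute_mac(key: bytes, seq: int, data: bytes) -> bytes:
    header = seq.to_bytes(8, "big") + len(data).to_bytes(2, "big")
    return hmac.new(key, header + data, hashlib.sha1).digest()


def build_record(key: bytes, seq: int, data: bytes) -> bytes:
    """Record plaintext as it looks before encryption / after decryption."""
    padlen = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
    return data + compute_mac(key, seq, data) + bytes([padlen]) * (padlen + 1)


def strip_padding(plain: bytes):
    """Return the record minus padding, or None if the padding is malformed
    (TLS 1.0 rule: last byte is the pad length, every pad byte equals it)."""
    if len(plain) < MAC_LEN + 1:
        return None
    padlen = plain[-1]
    if padlen + 1 + MAC_LEN > len(plain):
        return None
    if any(b != padlen for b in plain[-(padlen + 1):-1]):
        return None
    return plain[:-(padlen + 1)]


def mac_matches(key: bytes, seq: int, body: bytes) -> bool:
    if len(body) < MAC_LEN:
        return False
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, compute_mac(key, seq, data))


def check_record_leaky(key: bytes, seq: int, plain: bytes) -> str:
    """Pre-fix shape: a different result per failure tells whoever sees the
    error code (or the log line) whether the padding was valid."""
    body = strip_padding(plain)
    if body is None:
        return "decryption_failed"
    if not mac_matches(key, seq, body):
        return "bad_record_mac"
    return "ok"


def check_record_fixed(key: bytes, seq: int, plain: bytes) -> str:
    """0.9.6c shape: both checks always run and any failure collapses to one
    error, so the result does not name the failing check.  (Equalising the
    timing of the two paths is a separate concern not covered here.)"""
    body = strip_padding(plain)
    pad_ok = body is not None
    mac_ok = mac_matches(key, seq, body if pad_ok else plain)
    return "ok" if pad_ok and mac_ok else GENERIC_ERROR
```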