git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Make "openssl engine -c" list any supported digests as well as supported
Commit Line Data
81a6c781 1
f1c236f8 2 OpenSSL CHANGES
651d0aff RE 3 _______________
4
a9d2bc49 5 Changes between 0.9.6 and 0.9.7 [xx XXX 2001]
a43cf9fa 6
e9ad0d2c 7 OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
e3fefbfd 8 and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.
e9ad0d2c 9
a9d2bc49 10 Change log entries are tagged as follows:
daba492c BM 11 -) applies to 0.9.6a/0.9.6b/0.9.6c only
12 *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
a9d2bc49 BM 13 +) applies to 0.9.7 only
14
d46c1a81 DSH 15 +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
16 [Steve Henson]
17
89eeccac RL 18 +) Change mkdef.pl to sort symbols that get the same entry number,
19 and make sure the automatically generated functions ERR_load_*
20 become part of libeay.num as well.
21 [Richard Levitte]
22
3b0b5aba BM 23 *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
24 client receives HelloRequest while in a handshake.
25 [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
26
6b0e9fac BM 27 +) New function SSL_renegotiate_pending(). This returns true once
28 renegotiation has been requested (either SSL_renegotiate() call
29 or HelloRequest/ClientHello received from the peer) and becomes
30 false once a handshake has been completed.
31 (For servers, SSL_renegotiate() followed by SSL_do_handshake()
32 sends a HelloRequest, but does not ensure that a handshake takes
33 place. SSL_renegotiate_pending() is useful for checking if the
34 client has followed the request.)
35 [Bodo Moeller]
36
37 +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
38 By default, clients may request session resumption even during
39 renegotiation (if session ID contexts permit); with this option,
40 session resumption is possible only in the first handshake.
41 [Bodo Moeller]
42
2260ad21 BM 43 *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
44 should end in 'break', not 'goto end' which circumvents various
b49124f6 BM 45 cleanups done in state SSL_ST_OK. But session related stuff
46 must be disabled for SSL_ST_OK in the case that we just sent a
47 HelloRequest.
2260ad21 BM 48
48
49 Also avoid some overhead by not calling ssl_init_wbio_buffer()
50 before just sending a HelloRequest.
b49124f6 51 [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
8e2f6b79 52
ee60d9fb BM 53 *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
54 reveal whether illegal block cipher padding was found or a MAC
55 verification error occurred. (Neither SSLerr() codes nor alerts
56 are directly visible to potential attackers, but the information
57 may leak via logfiles.)
58
59 Similar changes are not required for the SSL 2.0 implementation
60 because the number of padding bytes is sent in clear for SSL 2.0,
61 and the extra bytes are just ignored. However ssl/s2_pkt.c
62 failed to verify that the purported number of padding bytes is in
63 the legal range.
64 [Bodo Moeller]
65
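The idea in the entry above, reporting illegal padding and a MAC failure with one indistinguishable result, shown as an added example; this is not code from OpenSSL. The record layout, the toy checksum standing in for the MAC, and the names `toy_mac`, `build_record`, `check_record` and `REC_BAD` are assumptions made for the illustration.

```c
#include <string.h>
#define REC_OK  0
#define REC_BAD 1   /* one code for bad padding AND bad MAC */
#define MAC_LEN 4

/* Toy checksum standing in for the record MAC (assumption; not a real MAC). */
static void toy_mac(const unsigned char *d, size_t n, unsigned char *out)
{
    memset(out, 0x5a, MAC_LEN);
    for (size_t i = 0; i < n; i++)
        out[i % MAC_LEN] = (unsigned char)(out[i % MAC_LEN] * 31 + d[i]);
}

/* Constructed sample record: data || MAC || pad bytes || pad length byte. */
size_t build_record(const unsigned char *data, size_t n, unsigned char pad,
                    unsigned char *out)
{
    memcpy(out, data, n);
    toy_mac(data, n, out + n);
    memset(out + n + MAC_LEN, pad, (size_t)pad + 1);
    return n + MAC_LEN + pad + 1;
}

/* Check a decrypted record; the result does not say which check failed. */
int check_record(const unsigned char *rec, size_t len, size_t *data_len)
{
    unsigned char mac[MAC_LEN], diff = 0;
    size_t pad, n;
    int bad = 0;
    *data_len = 0;
    if (len < MAC_LEN + 1) return REC_BAD;
    pad = rec[len - 1];
    if (pad + 1 + MAC_LEN > len) { bad = 1; pad = 0; }  /* length out of range */
    for (size_t i = 0; i < pad; i++)
        bad |= (rec[len - 2 - i] != pad);
    n = len - 1 - pad - MAC_LEN;
    toy_mac(rec, n, mac);
    for (size_t i = 0; i < MAC_LEN; i++)
        diff |= mac[i] ^ rec[n + i];
    if (bad | (diff != 0)) return REC_BAD;   /* same code, whatever the cause */
    *data_len = n;
    return REC_OK;
}

int main(void)
{
    unsigned char r[16];
    size_t n, len = build_record((const unsigned char *)"hi", 2, 1, r);
    return check_record(r, len, &n);   /* exits 0: the sample is valid */
}
```

Anything written to a log on failure should carry the same single reason, since the entry names logfiles as the place where the distinction could leak.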
96bd6f73 DSH 66 +) Add some demos for certificate and certificate request creation.
67 [Steve Henson]
68
c0f5dd07 LJ 69 +) Make maximum certificate chain size accepted from the peer application
70 settable (SSL*_get/set_max_cert_list()), as proposed by
71 "Douglas E. Engert" <deengert@anl.gov>.
72 [Lutz Jaenicke]
73
6c36f7a9 LJ 74 +) Add support for shared libraries for Unixware-7 and support including
75 shared libraries for OpenUNIX-8 (Boyd Lynn Gerber <gerberb@zenez.com>).
76 [Lutz Jaenicke]
77
a9ed4da8 BM 78 *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
79 'wristwatch attack' using huge encoding parameters (cf.
80 James H. Manger's CRYPTO 2001 paper). Note that the
81 RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
e3fefbfd 82 encoding parameters and hence was not vulnerable.
a9ed4da8 BM 83 [Bodo Moeller]
84
4450107a 85 +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
908efd3b GT 86 be done prior to destruction. Use this to unload error strings from
87 ENGINEs that load their own error strings. NB: This adds two new API
88 functions to "get" and "set" this destroy handler in an ENGINE.
a9ed4da8 89 [Geoff Thorpe]
908efd3b 90
4450107a 91 +) Alter all existing ENGINE implementations (except "openssl" and
541814c4 GT 92 "openbsd") to dynamically instantiate their own error strings. This
93 makes them more flexible to be built both as statically-linked ENGINEs
94 and self-contained shared-libraries loadable via the "dynamic" ENGINE.
95 Also, add stub code to each that makes building them as self-contained
96 shared-libraries easier (see README.ENGINE).
97 [Geoff Thorpe]
98
4450107a 99 +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
541814c4 GT 100 implementations into applications that are completely implemented in
101 self-contained shared-libraries. The "dynamic" ENGINE exposes control
102 commands that can be used to configure what shared-library to load and
103 to control aspects of the way it is handled. Also, made an update to
104 the README.ENGINE file that brings its information up-to-date and
105 provides some information and instructions on the "dynamic" ENGINE
106 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
107 [Geoff Thorpe]
108
d98a4b73 UM 109 *) BN_sqr() bug fix.
110