 OpenSSL CHANGES
 _______________

 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]

  OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
  and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.

  Change log entries are tagged as follows:
      -) applies to 0.9.6a/0.9.6b/0.9.6c only
      *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
      +) applies to 0.9.7 only

  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
     [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]

  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
     equivalent based on BN_pseudo_rand() instead of BN_rand().
     [Bodo Moeller]

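     The following is an added illustration of the modulo bias behind the
     two entries above; it is example code written for this page, not
     OpenSSL code. The function names are hypothetical, and rand_range()
     is a simplified model of what BN_rand_range()/BN_pseudo_rand_range()
     do (rejection sampling), without the real function's retry
     optimisations. Sizes are kept tiny so the distributions can be
     computed exactly.

```python
# Added example (not OpenSSL code): reducing a k-bit random value mod n
# (the old BN_pseudo_rand() + modular reduction approach) over-represents
# small residues, whereas rejection sampling (what the *_rand_range()
# functions do, modelled here in simplified form) is exactly uniform.
import random
from collections import Counter


def reduce_distribution(bits, n):
    """Exact histogram of (x mod n) over every k-bit value x.

    If 2**bits is not a multiple of n, the residues below 2**bits % n
    occur one time more often than the rest: that is the modulo bias.
    """
    return Counter(x % n for x in range(1 << bits))


def bias_ratio(bits, n):
    """Probability of the most likely residue divided by that of the
    least likely one; 1.0 means the reduced output is uniform."""
    counts = reduce_distribution(bits, n)
    return max(counts.values()) / min(counts.values())


def rand_range(n, rng):
    """Uniform integer in [0, n) by rejection sampling.

    Draw a value with as many bits as n and retry while it is >= n.
    Every value below n is accepted with the same probability, so the
    accepted values are exactly uniform (simplified BN_rand_range model).
    """
    k = n.bit_length()
    while True:
        x = rng.getrandbits(k)
        if x < n:
            return x


def rabin_miller_witnesses(n, count, seed=1):
    """Candidate witnesses a in [1, n-1] for a Rabin-Miller test of n,
    drawn the way the fix above draws them (range sampling, no reduction).
    A seeded PRNG is used only so the demo is repeatable."""
    rng = random.Random(seed)
    return [1 + rand_range(n - 1, rng) for _ in range(count)]


def sample_distribution(n, draws, seed=1):
    """Empirical histogram of rand_range(n) over `draws` samples."""
    rng = random.Random(seed)
    return Counter(rand_range(n, rng) for _ in range(draws))


if __name__ == "__main__":
    # 4-bit source reduced mod 6: residues 0-3 appear 3 times, 4-5 twice.
    print(sorted(reduce_distribution(4, 6).items()))
    print("bias ratio (4 bits mod 6):", bias_ratio(4, 6))
    print("bias ratio (4 bits mod 8):", bias_ratio(4, 8))
    print("witnesses for n=97:", rabin_miller_witnesses(97, 8))
```

     With a 4-bit source and n = 6 the reduced output is 1.5 times more
     likely to land on a small residue than on a large one; a witness
     distribution skewed that way is exactly what the primality-test error
     bounds do not account for. Rejection sampling costs a few extra
     draws on average but keeps the analysis valid.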
  +) Add a copy() function to EVP_MD.
     [Ben Laurie]

  +) Make EVP_MD routines take a context pointer instead of just the
     md_data void pointer.
     [Ben Laurie]

  +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  +) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
     leak as before, but their memory debugging output will announce it now
     rather than letting it slide.
     [Geoff Thorpe]

  +) Make it possible to replace the underlying "ERR" functions such that the
     global state (2 LHASH tables and 2 locks) is only used by the "default"
     implementation. This change also adds two functions to "get" and "set"
     the implementation prior to it being automatically set the first time
     any other ERR function takes place. Ie. an application can call "get",
     pass the return value to a module it has just loaded, and that module
     can call its own "set" function using that value. This means the
     module's "ERR" operations will use (and modify) the error state in the
     application and not in its own statically linked copy of OpenSSL code.
     [Geoff Thorpe]

  +) Give DH, DSA, and RSA types their own "**_up()" function to increment
     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
     the operation, and provides a more encapsulated way for external code
     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
     to use these functions rather than manually incrementing the counts.
     [Geoff Thorpe]

  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
     This function was broken, as the check for a new client hello message
     to handle SGC did not allow these large messages.
     (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
     [Lutz Jaenicke]

  *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
     [Lutz Jaenicke]

  +) Add EVP test program.
     [Ben Laurie]

  +) Add symmetric cipher support to ENGINE. Expect the API to change!
     [Ben Laurie]

  +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
     These allow a CRL to be built without having to access X509_CRL fields
     directly. Modify 'ca' application to use new functions.
     [Steve Henson]

  *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
     for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
     [Lutz Jaenicke]

  *) Rework the configuration and shared library support for Tru64 Unix.
     The configuration part makes use of modern compiler features and
     still retains old compiler behavior for those that run older versions
     of the OS. The shared library support part includes a variant that
     uses the RPATH feature, and is available through the special
     configuration target "alpha-cc-rpath", which will never be selected
     automatically.
     [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]

  *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
     with the same message size as in ssl3_get_certificate_request().
     Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
     messages might inadvertently be rejected as too long.
     [Petr Lampa <lampa@fee.vutbr.cz>]

  +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
     The problem will only arise on OpenSSL servers when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  +) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions. This also reduces
     the number of header dependencies.
     [Ben Laurie]

  +) Make DES key schedule conform to the usual scheme, as well as
     correcting its structure. This means that calls to DES functions
     now have to pass a pointer to a des_key_schedule instead of a
     plain des_key_schedule (which was actually always a pointer
     anyway).
     [Ben Laurie]

  +) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
     [Andy Polyakov]

  *) Modified SSL library such that the verify_callback that has been set
     specifically for an SSL object with SSL_set_verify() is actually being
     used. Before the change, a verify_callback set with this function was
     ignored and the verify_callback() set in the SSL_CTX at the time of
     the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
     to allow the necessary settings.
     [Lutz Jaenicke]

  +) Initial reduction of linker bloat: the use of some functions, such as
     PEM, causes large amounts of unused functions to be linked in due to
     poor organisation. For example pem_all.c contains every PEM function,
     which has a knock-on effect of linking in large amounts of (unused)
     ASN1 code. Grouping together similar functions and splitting unrelated
     functions prevents this.
     [Steve Henson]

  *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
     explicitly to NULL, as at least on Solaris 8 this seems not always to be
     done automatically (in contradiction to the requirements of the C
     standard). This caused problems when used from OpenSSH.
     [Lutz Jaenicke]

  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
     dh->length and always used

          BN_rand_range(priv_key, dh->p).

     BN_rand_range() is not necessary for Diffie-Hellman, and this
     specific range makes Diffie-Hellman unnecessarily inefficient if
     dh->length (recommended exponent length) is much smaller than the
     length of dh->p. We could use BN_rand_range() if the order of
     the subgroup was stored in the DH structure, but we only have
     dh->length.

     So switch back to

          BN_rand(priv_key, l, ...)

     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
     otherwise.
     [Bodo Moeller]

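     The following is an added example, not OpenSSL code, showing the
     exponent-length rule from the entry above and why it matters for
     cost. The helper names are hypothetical, the prime P_DEMO is a small
     constructed value (2^61 - 1) rather than a real DH group, and the
     assumption that the generated exponent has its top bit set (as
     BN_rand with top = 0 would do) is the example's own.

```python
# Added example (not OpenSSL code): choosing the DH private exponent
# length l from dh->length, falling back to BN_num_bits(p) - 1.
import random

# Constructed demo modulus: the Mersenne prime 2^61 - 1 (61 bits).
# Not a real DH group, only a stand-in for dh->p.
P_DEMO = (1 << 61) - 1


def dh_private_key_bits(p, length):
    """l = dh->length if set (non-zero), otherwise BN_num_bits(p) - 1."""
    return length if length else p.bit_length() - 1


def dh_generate_private(p, length, rng):
    """Private exponent of exactly l bits, standing in for
    BN_rand(priv_key, l, ...).  Top bit forced set (assumption about the
    BN_rand call's 'top' argument); the rest is uniform random."""
    l = dh_private_key_bits(p, length)
    return (1 << (l - 1)) | rng.getrandbits(l - 1)


def modexp_work(exponent):
    """Squarings + multiplications a left-to-right square-and-multiply
    g^x mod p needs for this exponent: the cost the shorter l saves."""
    bits = exponent.bit_length()
    squarings = bits - 1
    multiplies = bin(exponent).count("1") - 1
    return squarings + multiplies


def demo(length, seed=7):
    """Generate a key for P_DEMO with the given dh->length and report
    its bit length and modexp cost (seeded PRNG for repeatability)."""
    rng = random.Random(seed)
    x = dh_generate_private(P_DEMO, length, rng)
    return {"bits": x.bit_length(), "work": modexp_work(x), "key": x}


if __name__ == "__main__":
    # dh->length unset: the exponent is as long as p minus one bit.
    print("length=0 :", demo(0))
    # dh->length = 20: a far cheaper exponentiation for the same p.
    print("length=20:", demo(20))
```

     With dh->length unset the exponent is 60 bits for this 61-bit
     modulus; with a recommended length of 20 the same group needs a third
     of the square-and-multiply steps. In the 0.9.6a/0.9.6b behaviour the
     length hint was ignored and every private key was as long as p.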
  *) In

          RSA_eay_public_encrypt
          RSA_eay_private_decrypt
          RSA_eay_private_encrypt (signing)
          RSA_eay_public_decrypt (signature verification)

     (default implementations for RSA_public_encrypt,
     RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
     always reject numbers >= n.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
     to synchronize access to 'locking_thread'. This is necessary on
     systems where access to 'locking_thread' (an 'unsigned long'
     variable) is not atomic.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
     *before* setting the 'crypto_lock_rand' flag. The previous code had
     a race condition if 0 is a valid thread ID.
     [Travis Vitek <vitek@roguewave.com>]

  +) Cleanup of EVP macros.
     [Ben Laurie]

  +) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
     correct _ecb suffix.
     [Ben Laurie]

  +) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     used by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script) or using an internal minimal server.
     [Steve Henson]

  +) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  +) Changes to Kerberos SSL for RFC 2712 compliance:
     1.  Implemented real KerberosWrapper, instead of just using
         KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2.  Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  +) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

  -) OpenSSL 0.9.6b released [9 July 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack. (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.) The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]

  +) Speed up EVP routines.
     Before:
encrypt
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
decrypt
des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
     After:
encrypt
des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
decrypt
des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]

  *) Fix crypto/bn/asm/mips3.s.
     [Andy Polyakov]

  *) When only the key is given to "enc", the IV is undefined. Print out
     an error message in this case.
     [Lutz Jaenicke]

  +) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

  +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular wrt extensions) without having to duplicate the
     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
     [Steve Henson]

  *) Handle special case when X509_NAME is empty in X509 printing routines.
     [Steve Henson]

  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
     positive and less than q.
     [Bodo Moeller]

  +) Enhance the general user interface with mechanisms for inner control
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  +) Change all calls to low level digest routines in the library and
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  +) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer. NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
     Adapt the nCipher code for these new conditions and add a card insertion
     callback.
     [Richard Levitte]

  +) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
     and interrupts/cancellations.
     [Richard Levitte]

  *) Don't change *pointer in CRYPTO_add_lock() if add_lock_callback is
     used: it isn't thread safe and the add_lock_callback should handle
     that itself.
     [Paul Rose <Paul.Rose@bridge.com>]

  *) Verify that incoming data obeys the block size in
     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
     [Bodo Moeller]

  +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

  *) Fix OAEP check.