git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]

  OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
  and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.

  Change log entries are tagged as follows:
      -) applies to 0.9.6a/0.9.6b only
      *) applies to 0.9.6a/0.9.6b and 0.9.7
      +) applies to 0.9.7 only

  -) OpenSSL 0.9.6b released [9 July 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack.  (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.)  The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]

  +) Speed up EVP routines.
     Before:
encrypt
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
decrypt
des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
     After:
encrypt
des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
decrypt
des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]

  *) Fix crypto/bn/asm/mips3.s.
     [Andy Polyakov]

  *) When only the key is given to "enc", the IV is undefined. Print out
     an error message in this case.
     [Lutz Jaenicke]

  +) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

  +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular wrt extensions) without having to duplicate the
     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
     [Steve Henson]

  *) Handle special case when X509_NAME is empty in X509 printing routines.
     [Steve Henson]

  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
     positive and less than q.
     [Bodo Moeller]

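The range check described in the dsa_do_verify entry, as an added example that is not OpenSSL's code: a textbook DSA verifier over constructed toy parameters (p=23, q=11, g=4, private key 3, all chosen so the arithmetic can be followed by hand), with the checked version beside an unchecked one so the difference is visible. The unchecked variant accepts (r, s+q), which is not a DSA signature as specified, and fails with an exception on s=0 because 0 has no inverse mod q; the checked variant rejects both before touching the group arithmetic.

```python
# Added example, not OpenSSL code: textbook DSA over constructed toy
# parameters so the effect of the r/s range check can be followed by hand.
# Real DSA uses large p and q; the arithmetic is the same.

P, Q, G = 23, 11, 4          # constructed: q | p-1 and g has order q mod p
X = 3                        # constructed private key
Y = pow(G, X, P)             # matching public key (18)


def dsa_sign(h, x, k, p=P, q=Q, g=G):
    """Textbook DSA signature over hash value h with per-signature nonce k."""
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    return r, s


def _dsa_core(h, r, s, y, p, q, g):
    """The group arithmetic shared by both verifiers: does v equal r?"""
    w = pow(s, -1, q)          # ValueError if s has no inverse (s == 0)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def dsa_verify_unchecked(h, sig, y, p=P, q=Q, g=G):
    """Verification without the range check (the pre-fix behaviour)."""
    r, s = sig
    return _dsa_core(h, r, s, y, p, q, g)


def dsa_verify(h, sig, y, p=P, q=Q, g=G):
    """Verification with the check the CHANGES entry describes: reject any
    r or s that is not in (0, q) before doing any group arithmetic."""
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    return _dsa_core(h, r, s, y, p, q, g)


def run_cases(h=5, k=7):
    """Run both verifiers on a valid signature and on out-of-range variants
    of it.  Returns {label: (unchecked_result, checked_result)}; an
    exception from the unchecked path is recorded as the string "error"."""
    r, s = dsa_sign(h, X, k)   # (8, 1) for the constructed values above
    cases = {
        "valid": (r, s),
        "s+q":   (r, s + Q),   # same s mod q: the unchecked verifier accepts it
        "r+q":   (r + Q, s),
        "s=0":   (r, 0),       # no inverse mod q: the unchecked path raises
        "r=0":   (0, s),
    }
    out = {}
    for label, sig in cases.items():
        try:
            unchecked = dsa_verify_unchecked(h, sig, Y)
        except ValueError:
            unchecked = "error"
        out[label] = (unchecked, dsa_verify(h, sig, Y))
    return out


if __name__ == "__main__":
    for label, (unchecked, checked) in run_cases().items():
        print(f"{label:6}  unchecked={unchecked!s:6}  checked={checked}")
```

Both bounds matter: the lower bound stops the inverse computation from being attempted on s=0 (and rejects r=0 without depending on the comparison failing), and the upper bound rejects non-canonical encodings such as s+q that the raw modular arithmetic cannot distinguish from the genuine signature.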
  +) Enhance the general user interface with mechanisms for inner control
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  +) Change all calls to low level digest routines in the library and
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  +) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer.  NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
     Adapt the nCipher code for these new conditions and add a card insertion
     callback.
     [Richard Levitte]

  +) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
     and interrupts/cancelations.
     [Richard Levitte]

  *) Don't change *pointer in CRYPTO_add_lock() if add_lock_callback is
     used: it isn't thread safe and the add_lock_callback should handle
     that itself.
     [Paul Rose <Paul.Rose@bridge.com>]

  *) Verify that incoming data obeys the block size in
     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
     [Bodo Moeller]

  +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

  *) Fix OAEP check.
