git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Prevent KSSL server from requesting a client certificate.
Commit Line Data
81a6c781 1
f1c236f8 2 OpenSSL CHANGES
651d0aff
RE
3 _______________
4
a9d2bc49 5 Changes between 0.9.6 and 0.9.7 [xx XXX 2001]
a43cf9fa 6
e9ad0d2c
BM
7 OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
8 and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.
9
a9d2bc49 10 Change log entries are tagged as follows:
e9ad0d2c
BM
11 -) applies to 0.9.6a/0.9.6b only
12 *) applies to 0.9.6a/0.9.6b and 0.9.7
a9d2bc49
BM
13 +) applies to 0.9.7 only
14
e452de9d
RL
15 +) Add configuration choices to get zlib compression for TLS.
16 [Richard Levitte]
17
0665dd68
RL
18 +) Changes to Kerberos SSL for RFC 2712 compliance:
19 1. Implemented real KerberosWrapper, instead of just using
20 KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
21 2. Implemented optional authenticator field of KerberosWrapper.
22
23 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
24 and authenticator structs; see crypto/krb5/.
25
26 Generalized Kerberos calls to support multiple Kerberos libraries.
27 [Vern Staats <staatsvr@asc.hpc.mil>,
28 Jeffrey Altman <jaltman@columbia.edu>
29 via Richard Levitte]
30
af436bc1
GT
31 +) Cause 'openssl speed' to use fully hard-coded DSA keys as it
32 already does with RSA. testdsa.h now has 'priv_key/pub_key'
33 values for each of the key sizes rather than having just
34 parameters (and 'speed' generating keys each time).
35 [Geoff Thorpe]
36
e9ad0d2c
BM
37 -) OpenSSL 0.9.6b released [9 July 2001]
38
39 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
40 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
41 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
42 PRNG state recovery was possible based on the output of
43 one PRNG request appropriately sized to gain knowledge on
44 'md' followed by enough consecutive 1-byte PRNG requests
45 to traverse all of 'state'.
46
47 1. When updating 'md_local' (the current thread's copy of 'md')
48 during PRNG output generation, hash all of the previous
49 'md_local' value, not just the half used for PRNG output.
50
51 2. Make the number of bytes from 'state' included into the hash
52 independent from the number of PRNG bytes requested.
53
54 The first measure alone would be sufficient to avoid
55 Markku-Juhani's attack. (Actually it had never occurred
56 to me that the half of 'md_local' used for chaining was the
57 half from which PRNG output bytes were taken -- I had always
58 assumed that the secret half would be used.) The second
59 measure makes sure that additional data from 'state' is never
60 mixed into 'md_local' in small portions; this heuristically
61 further strengthens the PRNG.
62 [Bodo Moeller]
63
f31b1250
BL
64 +) Speed up EVP routines.
65 Before:
66 encrypt
67 type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
68 des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
69 des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
70 des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
71 decrypt
72 des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
73 des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
74 des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
75 After:
76 encrypt
c148d709 77 des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
f31b1250 78 decrypt
c148d709 79 des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
f31b1250
BL
80 [Ben Laurie]
81
93dbd835
BM
82 *) Fix crypto/bn/asm/mips3.s.
83 [Andy Polyakov]
84
43f9391b
LJ
85 *) When only the key is given to "enc", the IV is undefined. Print out
86 an error message in this case.
87 [Lutz Jaenicke]
88
c80410c5
RL
89 +) Added the OS2-EMX target.
90 ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
91
b7a26e6d
DSH
92 +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
93 to support NCONF routines in extension code. New function CONF_set_nconf()
94 to allow functions which take an NCONF to also handle the old LHASH
95 structure: this means that the old CONF compatible routines can be
96 retained (in particular wrt extensions) without having to duplicate the
97 code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
98 [Steve Henson]
99
1e325f61
DSH
100 *) Handle special case when X509_NAME is empty in X509 printing routines.
101 [Steve Henson]
102
c458a331
BM
103 *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
104 positive and less than q.
105 [Bodo Moeller]
106
fd3e027f 107 +) Enhance the general user interface with mechanisms for inner control
235dd0a2
RL
108 and with possibilities to have yes/no kind of prompts.
109 [Richard Levitte]
110
d63c6bd3 111 +) Change all calls to low level digest routines in the library and
323f289c
DSH
112 applications to use EVP. Add missing calls to HMAC_cleanup() and
113 don't assume HMAC_CTX can be copied using memcpy().
114 [Verdon Walker <VWalker@novell.com>, Steve Henson]
115
839590f5
RL
116 +) Add the possibility to control engines through control names but with
117 arbitrary arguments instead of just a string.
118 Change the key loaders to take a UI_METHOD instead of a callback
119 function pointer. NOTE: this breaks binary compatibility with earlier
120 versions of OpenSSL [engine].
121 Adapt the nCipher code for these new conditions and add a card insertion
122 callback.
123 [Richard Levitte]
124
9ad0f681
RL
125 +) Enhance the general user interface with mechanisms to better support
126 dialog box interfaces, application-defined prompts, the possibility
127 to use defaults (for example default passwords from somewhere else)
128 and interrupts/cancelations.
129 [Richard Levitte]
130
3cc1f498
DSH
131 *) Don't change *pointer in CRYPTO_add_lock() if add_lock_callback is
132 used: it isn't thread safe and the add_lock_callback should handle
133 that itself.
134 [Paul Rose <Paul.Rose@bridge.com>]
135
285b4275
BM
136 *) Verify that incoming data obeys the block size in
137 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
138 [Bodo Moeller]
139
f2a253e0
DSH
140 +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
141 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
142 [Steve Henson]
143
ecf18606
BM
144 *) Fix OAEP check.
145