 OpenSSL CHANGES
 _______________

 Changes between 0.9.7a and 0.9.8  [xx XXX xxxx]

  *) In crypto/ec/ec_mult.c, implement fast point multiplication with
     precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
     will now compute a table of multiples of the generator that
     makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
     faster (notably in the case of a single point multiplication,
     scalar * generator).
     [Nils Larsch, Bodo Moeller]

  *) IPv6 support for certificate extensions. The various extensions
     which use the IP:a.b.c.d form can now take IPv6 addresses using the
     formats of RFC1884 2.2. IPv6 addresses are now also displayed
     correctly.
     [Steve Henson]

  *) Added an ENGINE that implements RSA by performing private key
     exponentiations with the GMP library. The conversions to and from
     GMP's mpz_t format aren't optimised, nor are any Montgomery forms
     cached, and on x86 it appears OpenSSL's own performance has caught up.
     However, there are likely to be other architectures where GMP could
     provide a boost. This ENGINE is not built in by default, but it can be
     specified at Configure time and should be accompanied by the necessary
     linker additions, e.g.:
          ./config -DOPENSSL_USE_GMP -lgmp
     [Geoff Thorpe]

  *) "openssl engine" will not display ENGINE/DSO load failure errors when
     testing availability of engines with "-t" - the old behaviour is
     produced by increasing the feature's verbosity with "-tt".
     [Geoff Thorpe]

  *) ECDSA routines: under certain error conditions uninitialized BN objects
     could be freed. Solution: make sure initialization is performed early
     enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
     via PR#459)
     [Lutz Jaenicke]

  *) Key generation can now be implemented in RSA_METHOD, DSA_METHOD
     and DH_METHOD (e.g. by ENGINE implementations) to override the normal
     software implementations. For DSA and DH, parameter generation can
     also be overridden by providing the appropriate method callbacks.
     [Geoff Thorpe]

  *) Change the "progress" mechanism used in key generation and
     primality testing to functions that take a new BN_GENCB pointer in
     place of callback/argument pairs. The new API functions have "_ex"
     postfixes and the older functions are reimplemented as wrappers for
     the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
     declarations of the old functions to help (graceful) attempts to
     migrate to the new functions. Also, the new key-generation API
     functions operate on a caller-supplied key structure and return
     success/failure rather than returning a key or NULL - this is to
     help make "keygen" another member function of RSA_METHOD etc.

     Example for using the new callback interface:

          int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
          void *my_arg = ...;
          BN_GENCB my_cb;

          BN_GENCB_set(&my_cb, my_callback, my_arg);

          return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb);
          /* For the meaning of a, b in calls to my_callback(), see the
           * documentation of the function that calls the callback.
           * cb will point to my_cb; my_arg can be retrieved as cb->arg.
           * my_callback should return 1 if it wants BN_is_prime_ex()
           * to continue, or 0 to stop.
           */

     [Geoff Thorpe]
  *) Change the ZLIB compression method to be stateful, and make it
     available to TLS with the number defined in
     draft-ietf-tls-compression-04.txt.
     [Richard Levitte]

  *) Add the ASN.1 structures and functions for CertificatePair, which
     is defined as follows (according to X.509_4thEditionDraftV6.pdf):

       CertificatePair ::= SEQUENCE {
          forward         [0]     Certificate OPTIONAL,
          reverse         [1]     Certificate OPTIONAL,
          -- at least one of the pair shall be present -- }

     Also implement the PEM functions to read and write certificate
     pairs, and define the PEM tag as "CERTIFICATE PAIR".

     This needed to be defined, mostly for the sake of the LDAP
     attribute crossCertificatePair, but may prove useful elsewhere as
     well.
     [Richard Levitte]

  *) Make it possible to inhibit symlinking of shared libraries in
     Makefile.shared, for Cygwin's sake.
     [Richard Levitte]

  *) Extend the BIGNUM API by creating new macros that behave like
     functions

          void BN_set_sign(BIGNUM *a, int neg);
          int  BN_get_sign(const BIGNUM *a);

     and avoid the need to access 'a->neg' directly in applications.
     [Nils Larsch <nla@trustcenter.de>]

  *) Implement fast modular reduction for pseudo-Mersenne primes
     used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
     EC_GROUP_new_curve_GFp() will now automatically use this
     if applicable.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add new lock type (CRYPTO_LOCK_BN).
     [Bodo Moeller]

  *) Change the ENGINE framework to automatically load engines
     dynamically from specific directories unless they could be
     found to already be built in or loaded. Move all the
     current engines except for the cryptodev one to a new
     directory engines/.
     The engines in engines/ are built as shared libraries if
     the "shared" option was given to ./Configure or ./config.
     Otherwise, they are inserted in libcrypto.a.
     /usr/local/ssl/engines is the default directory for dynamic
     engines, but that can be overridden at configure time through
     the usual use of --prefix and/or --openssldir, and at run
     time with the environment variable OPENSSL_ENGINES.
     [Geoff Thorpe and Richard Levitte]

  *) Add Makefile.shared, a helper makefile to build shared
     libraries. Adapt Makefile.org.
     [Richard Levitte]

  *) Add version info to Win32 DLLs.
     [Peter 'Luna' Runestig <peter@runestig.com>]

  *) Add new 'medium level' PKCS#12 API. Certificates and keys
     can be added using this API to create arbitrary PKCS#12
     files while avoiding the low level API.

     New options to PKCS12_create(): key or cert can be NULL and
     will then be omitted from the output file. The encryption
     algorithm NIDs can be set to -1 for no encryption, the MAC
     iteration count can be set to 0 to omit the MAC.

     Enhance pkcs12 utility by making the -nokeys and -nocerts
     options work when creating a PKCS#12 file. New option -nomac
     to omit the MAC; NONE can be set for an encryption algorithm.
     New code is modified to use the enhanced PKCS12_create()
     instead of the low level API.
     [Steve Henson]

  *) Extend ASN1 encoder to support indefinite length constructed
     encoding. This can output sequence tags and octet strings in
     this form. Modify pk7_asn1.c to support indefinite length
     encoding. This is experimental and needs additional code to
     be useful, such as an ASN1 bio and some enhanced streaming
     PKCS#7 code.

     Extend template encode functionality so that tagging is passed
     down to the template encoder.
     [Steve Henson]

  *) Let 'openssl req' fail if an argument to '-newkey' is not
     recognized instead of using RSA as a default.
     [Bodo Moeller]
  *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
     As these are not official, they are not included in "ALL";
     the "ECCdraft" ciphersuite group alias can be used to select them.
     [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]

  *) Add ECDH engine support.
     [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]

  *) Add ECDH in new directory crypto/ecdh/.
     TODO: more general interface (return x coordinate, not its hash)
     TODO: bug: pad x with leading zeros if necessary
     [Douglas Stebila (Sun Microsystems Laboratories)]

  *) Let BN_rand_range() abort with an error after 100 iterations
     without success (which indicates a broken PRNG).
     [Bodo Moeller]

  *) Change BN_mod_sqrt() so that it verifies that the input value
     is really the square of the return value. (Previously,
     BN_mod_sqrt would show GIGO behaviour.)
     [Bodo Moeller]

  *) Add named elliptic curves over binary fields from X9.62, SECG,
     and WAP/WTLS; add OIDs that were still missing.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Extend the EC library for elliptic curves over binary fields
     (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
     New EC_METHOD:

          EC_GF2m_simple_method

     New API functions:

          EC_GROUP_new_curve_GF2m
          EC_GROUP_set_curve_GF2m
          EC_GROUP_get_curve_GF2m
          EC_POINT_set_affine_coordinates_GF2m
          EC_POINT_get_affine_coordinates_GF2m
          EC_POINT_set_compressed_coordinates_GF2m

     Point compression for binary fields is disabled by default for
     patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
     enable it).

     As binary polynomials are represented as BIGNUMs, various members
     of the EC_GROUP and EC_POINT data structures can be shared
     between the implementations for prime fields and binary fields;
     the above ..._GF2m functions (except for EC_GROUP_new_curve_GF2m)
     are essentially identical to their ..._GFp counterparts.
     (For simplicity, the '..._GFp' prefix has been dropped from
     various internal method names.)

     An internal 'field_div' method (similar to 'field_mul' and
     'field_sqr') has been added; this is used only for binary fields.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
     through methods ('mul', 'precompute_mult').

     The generic implementations (now internally called 'ec_wNAF_mul'
     and 'ec_wNAF_precomputed_mult') remain the default if these
     methods are undefined.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New function EC_GROUP_get_degree, which is defined through
     EC_METHOD. For curves over prime fields, this returns the bit
     length of the modulus.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New functions EC_GROUP_dup, EC_POINT_dup.
     (These simply call ..._new and ..._copy).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]
  *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
     Polynomials are represented as BIGNUMs (where the sign bit is not
     used) in the following functions [macros]:

          BN_GF2m_add
          BN_GF2m_sub             [= BN_GF2m_add]
          BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
          BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
          BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
          BN_GF2m_mod_inv
          BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
          BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
          BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
          BN_GF2m_cmp             [= BN_ucmp]

     (Note that only the 'mod' functions are actually for fields GF(2^m).
     BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

     For some functions, the irreducible polynomial defining a
     field can be given as an 'unsigned int[]' with strictly
     decreasing elements giving the indices of those bits that are set;
     i.e., p[] represents the polynomial
          f(t) = t^p[0] + t^p[1] + ... + t^p[k]
     where
          p[0] > p[1] > ... > p[k] = 0.
     This applies to the following functions:

          BN_GF2m_mod_arr
          BN_GF2m_mod_mul_arr
          BN_GF2m_mod_sqr_arr
          BN_GF2m_mod_inv_arr     [wrapper for BN_GF2m_mod_inv]
          BN_GF2m_mod_div_arr     [wrapper for BN_GF2m_mod_div]
          BN_GF2m_mod_exp_arr
          BN_GF2m_mod_sqrt_arr
          BN_GF2m_mod_solve_quad_arr
          BN_GF2m_poly2arr
          BN_GF2m_arr2poly

     Conversion can be performed by the following functions:

          BN_GF2m_poly2arr
          BN_GF2m_arr2poly

     bntest.c has additional tests for binary polynomial arithmetic.

     Two implementations for BN_GF2m_mod_div() are available.
     The default algorithm simply uses BN_GF2m_mod_inv() and
     BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
     if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
     copyright notice in crypto/bn/bn_gf2m.c before enabling it).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]
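     Worked example (added here; this is not OpenSSL's code): the index-array
     representation described above, with hypothetical gf2m_* functions on
     uint64_t that mirror the roles of BN_GF2m_poly2arr, BN_GF2m_arr2poly,
     BN_GF2m_mod_arr, BN_GF2m_mod_mul_arr, BN_GF2m_mod_sqr_arr, BN_GF2m_mod_exp_arr,
     BN_GF2m_mod_inv_arr and BN_GF2m_mod_div_arr (division via inverse, the
     default strategy named above). The sample field is a constructed one, the AES
     field GF(2^8) with f(t) = t^8 + t^4 + t^3 + t + 1, i.e. p[] = {8, 4, 3, 1, 0}.

```c
/* Binary polynomial arithmetic on uint64_t, mirroring the interface of the
 * BN_GF2m_*_arr functions: the field polynomial is given as a strictly
 * decreasing array p[] of exponents, p[0] = m being the field degree and
 * p[n-1] = 0.  Illustrative reimplementation, not OpenSSL's code; it
 * supports m <= 32 so that a product of two field elements fits in 64 bits. */
#include <stdint.h>
#include <stdio.h>

#define GF2M_MAX_TERMS 16

/* poly -> index array (bit i set <=> term t^i). Returns the number of terms
 * or -1 if p[] is too small. */
int gf2m_poly2arr(uint64_t poly, unsigned p[], int max)
{
    int n = 0;
    for (int i = 63; i >= 0; i--)
        if ((poly >> i) & 1) {
            if (n == max) return -1;
            p[n++] = (unsigned)i;
        }
    return n;
}

uint64_t gf2m_arr2poly(const unsigned p[], int n)
{
    uint64_t poly = 0;
    for (int i = 0; i < n; i++) poly |= (uint64_t)1 << p[i];
    return poly;
}

/* a mod f(t) where f(t) = t^p[0] + t^p[1] + ... + t^p[n-1]. */
uint64_t gf2m_mod_arr(uint64_t a, const unsigned p[], int n)
{
    for (int d = 63; d >= (int)p[0]; d--)
        if ((a >> d) & 1)
            /* t^d = t^(d-m) * t^m and t^m = t^p[1] + ... + t^p[n-1] (mod f);
             * the i = 0 term clears bit d itself */
            for (int i = 0; i < n; i++)
                a ^= (uint64_t)1 << (d - p[0] + p[i]);
    return a;
}

/* a * b mod f: carry-less shift-and-add product, then reduce. */
uint64_t gf2m_mod_mul_arr(uint64_t a, uint64_t b, const unsigned p[], int n)
{
    uint64_t prod = 0;
    a = gf2m_mod_arr(a, p, n);      /* both factors below 2^m, product below 2^(2m) */
    b = gf2m_mod_arr(b, p, n);
    for (int i = 0; i < 64 && (b >> i) != 0; i++)
        if ((b >> i) & 1) prod ^= a << i;
    return gf2m_mod_arr(prod, p, n);
}

/* a^2 mod f: in characteristic 2 squaring is linear, (sum a_i t^i)^2 =
 * sum a_i t^(2i), so it only spreads the bits before reducing. */
uint64_t gf2m_mod_sqr_arr(uint64_t a, const unsigned p[], int n)
{
    uint64_t sq = 0;
    a = gf2m_mod_arr(a, p, n);
    for (int i = 0; i < 32; i++)
        if ((a >> i) & 1) sq |= (uint64_t)1 << (2 * i);
    return gf2m_mod_arr(sq, p, n);
}

/* a^e mod f by square-and-multiply. */
uint64_t gf2m_mod_exp_arr(uint64_t a, uint64_t e, const unsigned p[], int n)
{
    uint64_t r = 1;
    a = gf2m_mod_arr(a, p, n);
    for (; e != 0; e >>= 1) {
        if (e & 1) r = gf2m_mod_mul_arr(r, a, p, n);
        a = gf2m_mod_sqr_arr(a, p, n);
    }
    return r;
}

/* a^-1 = a^(2^m - 2) in GF(2^m); returns 0 for a == 0, which has no inverse. */
uint64_t gf2m_mod_inv_arr(uint64_t a, const unsigned p[], int n)
{
    a = gf2m_mod_arr(a, p, n);
    if (a == 0) return 0;
    return gf2m_mod_exp_arr(a, ((uint64_t)1 << p[0]) - 2, p, n);
}

/* a / b = a * b^-1, the default BN_GF2m_mod_div() strategy. */
uint64_t gf2m_mod_div_arr(uint64_t a, uint64_t b, const unsigned p[], int n)
{
    return gf2m_mod_mul_arr(a, gf2m_mod_inv_arr(b, p, n), p, n);
}

int main(void)
{
    /* constructed sample: the AES field GF(2^8), f(t) = t^8 + t^4 + t^3 + t + 1 */
    unsigned p[GF2M_MAX_TERMS];
    int n = gf2m_poly2arr(0x11B, p, GF2M_MAX_TERMS);
    printf("f has %d terms, exponents:", n);
    for (int i = 0; i < n; i++) printf(" %u", p[i]);
    printf("\n0x57 * 0x83 = 0x%02llx\n", (unsigned long long)gf2m_mod_mul_arr(0x57, 0x83, p, n));
    printf("0x53^-1     = 0x%02llx\n", (unsigned long long)gf2m_mod_inv_arr(0x53, p, n));
    return 0;
}
```

     The product 0x57 * 0x83 = 0xC1 and the inverse 0x53^-1 = 0xCA are the
     values FIPS-197 gives for this field, which makes them a handy check.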
  *) Add new error code 'ERR_R_DISABLED' that can be used when some
     functionality is disabled at compile-time.
     [Douglas Stebila <douglas.stebila@sun.com>]

  *) Change default behaviour of 'openssl asn1parse' so that more
     information is visible when viewing, e.g., a certificate:

     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
     mode the content of non-printable OCTET STRINGs is output in a
     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
     avoid the appearance of a printable string.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
     functions
          EC_GROUP_set_asn1_flag()
          EC_GROUP_get_asn1_flag()
          EC_GROUP_set_point_conversion_form()
          EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in uncompressed form by default; options for
       asn1_form are as for point2oct, namely
          POINT_CONVERSION_COMPRESSED
          POINT_CONVERSION_UNCOMPRESSED
          POINT_CONVERSION_HYBRID

     Also add 'seed' and 'seed_len' members to EC_GROUP with access
     functions
          EC_GROUP_set_seed()
          EC_GROUP_get0_seed()
          EC_GROUP_get_seed_len()
     This is used only for ASN1 purposes (so far).
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID. The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
          EC_POINT_point2bn()
          EC_POINT_bn2point()
          EC_POINT_point2hex()
          EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
          EC_GROUP_set_generator()
          EC_GROUP_get_generator()
          EC_GROUP_get_order()
          EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]
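     Worked example (added here; this is not OpenSSL's code) of the wNAF
     recoding that this entry and the EC_GROUP_precompute_mult() entry at the
     top of this section rely on: compute_wnaf() is a hypothetical uint64_t
     reimplementation of the digit rules of compute_wNAF(), with a flag that
     selects standard or modified wNAF, plus wnaf_eval() and wnaf_is_valid() to
     check the result. It assumes OpenSSL's convention that w bounds the digits
     by 2^w, so the window is w+1 bits wide.

```c
/* Width-w NAF recoding of a 64-bit scalar, following the digit conventions
 * of OpenSSL's compute_wNAF(): the window holds w+1 bits, every nonzero
 * digit is odd with -2^w < digit < 2^w, and with `modified` set the
 * "modified wNAF" rule is applied: once no further scalar bits can enter
 * the window, a positive digit is chosen instead of a negative one, which
 * in many cases keeps the representation within the scalar's bit length.
 * Illustrative reimplementation on uint64_t, not OpenSSL's code. */
#include <stdint.h>
#include <stdio.h>

#define MAX_DIGITS 66   /* 64 scalar bits plus the possible extra digit */

static int bitlen(uint64_t k)
{
    int n = 0;
    while (k) { n++; k >>= 1; }
    return n;
}

/* Writes the digits of k (least significant first) to r and returns their
 * number (0 for k == 0); -1 if w is outside the supported range. */
int compute_wnaf(uint64_t k, int w, int modified, int8_t *r)
{
    if (w < 1 || w > 7) return -1;              /* digits must fit in int8_t */
    uint64_t bit = (uint64_t)1 << w;            /* 2^w */
    uint64_t next_bit = bit << 1;               /* 2^(w+1) */
    uint64_t mask = next_bit - 1;               /* the w+1 bit window */
    int len = bitlen(k), j = 0;
    uint64_t window_val = k & mask;             /* invariant: 0 <= window_val <= 2^(w+1) */

    /* once j + w + 1 >= len, no new scalar bits are added to the window */
    while (window_val != 0 || j + w + 1 < len) {
        int digit = 0;
        if (window_val & 1) {
            if (window_val & bit) {
                digit = (int)window_val - (int)next_bit;     /* -2^w < digit < 0 */
                if (modified && j + w + 1 >= len)
                    digit = (int)(window_val & (mask >> 1)); /* 0 < digit < 2^w */
            } else {
                digit = (int)window_val;                     /* 0 < digit < 2^w */
            }
            /* afterwards window_val is 0 or 2^(w+1), or 2^w in the modified case */
            window_val = (uint64_t)((int64_t)window_val - digit);
        }
        if (j >= MAX_DIGITS) return -1;
        r[j++] = (int8_t)digit;
        window_val >>= 1;
        if (j + w < 64 && ((k >> (j + w)) & 1))
            window_val += bit;                   /* shift scalar bit j+w into the window */
    }
    return j;
}

/* Evaluates sum r[i] * 2^i modulo 2^64, which is exact for a scalar that
 * fits in 64 bits even when the top digit sits at position 64. */
uint64_t wnaf_eval(const int8_t *r, int len)
{
    uint64_t v = 0;
    for (int i = len - 1; i >= 0; i--)
        v = (v << 1) + (uint64_t)(int64_t)r[i];
    return v;
}

/* 1 if every nonzero digit is odd with |digit| < 2^w and, for a standard
 * wNAF, any w+1 consecutive digits contain at most one nonzero digit.
 * A modified wNAF may break non-adjacency in its top digits, so that
 * part of the check is skipped for it. */
int wnaf_is_valid(const int8_t *r, int len, int w, int modified)
{
    int lim = 1 << w, last_nz = -(w + 1);
    for (int i = 0; i < len; i++) {
        if (r[i] == 0) continue;
        if (!(r[i] & 1) || r[i] <= -lim || r[i] >= lim) return 0;
        if (!modified && i - last_nz <= w) return 0;
        last_nz = i;
    }
    return 1;
}

static void show(uint64_t k, int w, int modified)
{
    int8_t r[MAX_DIGITS];
    int n = compute_wnaf(k, w, modified, r);
    printf("%s wNAF of %llu (w=%d, %d bits): %d digits, MSB first:",
           modified ? "modified" : "standard", (unsigned long long)k, w, bitlen(k), n);
    for (int i = n - 1; i >= 0; i--) printf(" %d", r[i]);
    printf("  -> %llu\n", (unsigned long long)wnaf_eval(r, n));
}

int main(void)
{
    show(7, 2, 0);   /* 1 0 0 -1 : four digits for a three-bit scalar */
    show(7, 2, 1);   /* 1 0 3    : the modified rule avoids the extra digit */
    show(0xDEADBEEFCAFEBABEULL, 3, 1);
    return 0;
}
```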
  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecparam' and 'openssl ecdsa'
     (these are based on 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key;
     - ECDSA engine support has been added.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. Each curve can be obtained from the new
     function
          EC_GROUP_new_by_nid(),
     and the list of available named curves can be obtained with
          EC_get_builtin_curves().
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
          EC_GROUP_set_nid()
          EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de>, Bodo Moeller]

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

 Changes between 0.9.7 and 0.9.7a  [XX xxx 2003]

  *) Add the possibility to build without the ENGINE framework.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]

  *) Under Win32 gmtime() can return NULL: check return value in
     OPENSSL_gmtime(). Add error code for case where gmtime() fails.
     [Steve Henson]

  *) DSA routines: under certain error conditions uninitialized BN objects
     could be freed. Solution: make sure initialization is performed early
     enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
     Nils Larsch <nla@trustcenter.de> via PR#459)
     [Lutz Jaenicke]

  *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
     checked on reconnect on the client side, therefore session resumption
     could still fail with a "ssl session id is different" error. This
     behaviour is masked when SSL_OP_ALL is used due to
     SSL_OP_MICROSOFT_SESS_ID_BUG being set.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     followup to PR #377.
     [Lutz Jaenicke]

  *) IA-32 assembler support enhancements: unified ELF targets, support
     for SCO/Caldera platforms, fix for Cygwin shared build.
     [Andy Polyakov]

  *) Add support for FreeBSD on sparc64. As a consequence, support for
     FreeBSD on non-x86 processors is separate from x86 processors in
     the config script, much like the NetBSD support.
     [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]

 Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
     code (06) was taken as the first octet of the session ID and the last
     octet was ignored consequently. As a result SSLv2 client side session
     caching could not have worked due to the session ID mismatch between
     client and server.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     PR #377.
     [Lutz Jaenicke]

  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
     instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
     removed entirely.
     [Richard Levitte]

  *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it
     seems that in spite of existing for more than a year, many application
     authors have done nothing to provide the necessary callbacks, which
     means that this particular engine will not work properly anywhere.
     This is a very unfortunate situation which forces us, in the name
     of usability, to give hw_ncipher.c a static lock, which is part
     of libcrypto.
     NOTE: This is for the 0.9.7 series ONLY. This hack will never
     appear in 0.9.8 or later. We EXPECT application authors to have
     dealt properly with this when 0.9.8 is released (unless we actually
     make such changes in the libcrypto locking code that changes will
     have to be made anyway).
     [Richard Levitte]

  *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
     octets have been read, EOF or an error occurs. Without this change
     some truncated ASN1 structures will not produce an error.
     [Steve Henson]

  *) Disable Heimdal support, since it hasn't been fully implemented.
     Still give the possibility to force the use of Heimdal, but with
     warnings and a request that patches get sent to openssl-dev.
     [Richard Levitte]

  *) Add the VC-CE target, introduce the WINCE sysname, and add
     INSTALL.WCE and appropriate conditionals to make it build.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]

  *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
     cygssl-x.y.z.dll, where x, y and z are the major, minor and
     edit numbers of the version.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

  *) Introduce safe string copy and catenation functions
     (BUF_strlcpy() and BUF_strlcat()).
     [Ben Laurie (CHATS) and Richard Levitte]

  *) Avoid using fixed-size buffers for one-line DNs.
     [Ben Laurie (CHATS)]

  *) Add BUF_MEM_grow_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]

  *) Avoid using fixed size buffers for configuration file location.
     [Ben Laurie (CHATS)]

  *) Avoid filename truncation for various CA files.
     [Ben Laurie (CHATS)]

  *) Use sizeof in preference to magic numbers.
     [Ben Laurie (CHATS)]

  *) Avoid filename truncation in cert requests.
     [Ben Laurie (CHATS)]

  *) Add assertions to check for (supposedly impossible) buffer
     overflows.
     [Ben Laurie (CHATS)]

  *) Don't cache truncated DNS entries in the local cache (this could
     potentially lead to a spoofing attack).
     [Ben Laurie (CHATS)]

  *) Fix various buffers to be large enough for hex/decimal
     representations in a platform independent manner.
     [Ben Laurie (CHATS)]

  *) Add CRYPTO_realloc_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]

  *) Add BIO_indent() to avoid much slightly worrying code to do
     indents.
     [Ben Laurie (CHATS)]

  *) Convert sprintf()/BIO_puts() to BIO_printf().
     [Ben Laurie (CHATS)]

  *) buffer_gets() could terminate with the buffer only half
     full. Fixed.
     [Ben Laurie (CHATS)]

  *) Add assertions to prevent user-supplied crypto functions from
     overflowing internal buffers by having large block sizes, etc.
     [Ben Laurie (CHATS)]

  *) New OPENSSL_assert() macro (similar to assert(), but enabled
     unconditionally).
     [Ben Laurie (CHATS)]

  *) Eliminate unused copy of key in RC4.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
     [Ben Laurie (CHATS)]

  *) Fix off-by-one error in EGD path.
     [Ben Laurie (CHATS)]

  *) If RANDFILE path is too long, ignore instead of truncating.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and incorrectly sized X.509 structure
     CBCParameter.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and dangerous function knumber().
     [Ben Laurie (CHATS)]

  *) Eliminate unused and dangerous structure, KSSL_ERR.
     [Ben Laurie (CHATS)]

  *) Protect against overlong session ID context length in an encoded
     session object. Since these are local, this does not appear to be
     exploitable.
     [Ben Laurie (CHATS)]

  *) Change from security patch (see 0.9.6e below) that did not affect
     the 0.9.6 release series:

     Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized master key in Kerberos-enabled versions.
     (CAN-2002-0657)
     [Ben Laurie (CHATS)]
7ba3a4c3 RL |
596 | *) Change the SSL kerb5 codes to match RFC 2712. |
597 | [Richard Levitte] | |
598 | ||
ba111217 BM |
599 | *) Make -nameopt work fully for req and add -reqopt switch. |
600 | [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson] | |
601 | ||
3f6db7f5 DSH |
602 | *) The "block size" for block ciphers in CFB and OFB mode should be 1. |
603 | [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>] | |
604 | ||
f013c7f2 RL |
605 | *) Make sure tests can be performed even if the corresponding algorithms |
606 | have been removed entirely. This was also the last step to make | |
607 | OpenSSL compilable with DJGPP under all reasonable conditions. | |
608 | [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>] | |
609 | ||
648765ba | 610 | *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT |
c6ccf055 LJ |
611 | to allow version independent disabling of normally unselected ciphers, |
612 | which may be activated as a side-effect of selecting a single cipher. | |
648765ba BM |
613 | |
614 | (E.g., cipher list string "RSA" enables ciphersuites that are left | |
615 | out of "ALL" because they do not provide symmetric encryption. | |
616 | "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) | |
c6ccf055 LJ |
617 | [Lutz Jaenicke, Bodo Moeller] |
618 | ||
041843e4 RL |
619 | *) Add appropriate support for separate platform-dependent build |
620 | directories. The recommended way to make a platform-dependent | |
621 | build directory is the following (tested on Linux), maybe with | |
622 | some local tweaks: | |
623 | ||
624 | # Place yourself outside of the OpenSSL source tree. In | |
625 | # this example, the environment variable OPENSSL_SOURCE | |
626 | # is assumed to contain the absolute OpenSSL source directory. | |
3e06fb75 BM |
627 | mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" |
628 | cd objtree/"`uname -s`-`uname -r`-`uname -m`" | |
4a9476dd | 629 | (cd $OPENSSL_SOURCE; find . -type f) | while read F; do |
041843e4 RL |
630 | mkdir -p `dirname $F` |
631 | ln -s $OPENSSL_SOURCE/$F $F | |
632 | done | |
633 | ||
634 | To be absolutely sure not to disturb the source tree, a "make clean" | |
635 | is a good thing. If it isn't successfull, don't worry about it, | |
636 | it probably means the source directory is very clean. | |
637 | [Richard Levitte] | |
638 | ||
a6c6874a GT |
639 | *) Make sure any ENGINE control commands make local copies of string |
640 | pointers passed to them whenever necessary. Otherwise it is possible | |
641 | the caller may have overwritten (or deallocated) the original string | |
642 | data when a later ENGINE operation tries to use the stored values. | |
643 |