Skip to content
CHANGES 105 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Apply Lutz Behnke's 56bit cipher patch. This should fix the problems with cipher
     ordering and the new EXPORT1024 ciphers. Only two minor changes have been
     made, the error reason codes have been altered and the @STRENGTH sorting
     behaviour changed so eNULL ciphers are also sorted (if present).

     One other addition: the "ciphers" program didn't check the return code
     of SSL_CTX_set_cipher_list().
     [Lutz Behnke <behnke@trustcenter.de>, minor changes by Steve Henson]

  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
     for the first serial number and places 2 in the serial number file. This
     avoids problems when the root CA is created with serial number zero and
     the first user certificate has the same issuer name and serial number
     as the root CA.
     [Steve Henson]

  *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
     the new code. Add documentation for this stuff.
     [Steve Henson]

  *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
     X509_*() to X509at_*() on the grounds that they don't handle X509
     structures and behave in an analagous way to the X509v3 functions:
     they shouldn't be called directly but wrapper functions should be used
     instead.

     So we also now have some wrapper functions that call the X509at functions
     when passed certificate requests. (TO DO: similar things can be done with
     PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
     things. Some of these need some d2i or i2d and print functionality
     because they handle more complex structures.)
  *) Add missing #ifndefs that caused missing symbols when building libssl
     as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
     NO_RSA in ssl/s2*.c. 
     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]

  *) Precautions against using the PRNG uninitialized: RAND_bytes() now
     has a return value which indicates the quality of the random data
     (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
     error queue. New function RAND_pseudo_bytes() generates output that is
     guaranteed to be unique but not unpredictable.
  *) Do more iterations of Rabin-Miller probable prime test (specifically,
     3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
     instead of only 2 for all lengths; see BN_prime_checks definition
     in crypto/bn/bn.h for the complete table).  This guarantees a
     false-positive rate of at most 2^-80 (actually less because we are
     additionally doing trial division) for random input.
     [Bodo Moeller]

  *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
     [Bodo Moeller]

  *) New function X509_CTX_rget_chain(), this returns the chain
     from an X509_CTX structure with a dup of the stack and all
     the X509 reference counts upped: so the stack will exist
     after X509_CTX_cleanup() has been called. Modify pkcs12.c
     to use this.

     Also make SSL_SESSION_print() print out the verify return
     code.
     [Steve Henson]

  *) Add manpage for the pkcs12 command. Also change the default
     behaviour so MAC iteration counts are used unless the new
     -nomaciter option is used. This improves file security and
     only older versions of MSIE (4.0 for example) need it.
     [Steve Henson]

  *) Honor the no-xxx Configure options when creating .DEF files.
     [Ulf Möller]

  *) Add PKCS#10 attributes to field table: challengePassword, 
     unstructuredName and unstructuredAddress. These are taken from
     draft PKCS#9 v2.0 but are compatible with v1.2 provided no 
     international characters are used.

     More changes to X509_ATTRIBUTE code: allow the setting of types
     based on strings. Remove the 'loc' parameter when adding
     attributes because these will be a SET OF encoding which is sorted
     in ASN1 order.
     [Steve Henson]

  *) Initial changes to the 'req' utility to allow request generation
     automation. This will allow an application to just generate a template
     file containing all the field values and have req construct the
     request.

     Initial support for X509_ATTRIBUTE handling. Stacks of these are
     used all over the place including certificate requests and PKCS#7
     structures. They are currently handled manually where necessary with
     some primitive wrappers for PKCS#7. The new functions behave in a
     manner analogous to the X509 extension functions: they allow
     attributes to be looked up by NID and added.

     Later something similar to the X509V3 code would be desirable to
     automatically handle the encoding, decoding and printing of the
     more complex types. The string types like challengePassword can
     be handled by the string table functions.

     Also modified the multi byte string table handling. Now there is
     a 'global mask' which masks out certain types. The table itself
     can use the flag STABLE_NO_MASK to ignore the mask setting: this
     is useful when for example there is only one permissible type
     (as in countryName) and using the mask might result in no valid
     types at all.
     [Steve Henson]

  *) Clean up 'Finished' handling, and add functions SSL_get_finished and
     SSL_get_peer_finished to allow applications to obtain the latest
     Finished messages sent to the peer or expected from the peer,
     respectively.  (SSL_get_peer_finished is usually the Finished message
     actually received from the peer, otherwise the protocol will be aborted.)

     As the Finished message are message digests of the complete handshake
     (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
     be used for external authentication procedures when the authentication
     provided by SSL/TLS is not desired or is not enough.
  *) Enhanced support for Alpha Linux is added. Now ./config checks if
     the host supports BWX extension and if Compaq C is present on the
     $PATH. Just exploiting of the BWX extension results in 20-30%
     performance kick for some algorithms, e.g. DES and RC4 to mention
     a couple. Compaq C in turn generates ~20% faster code for MD5 and
     SHA1.
     [Andy Polyakov]

  *) Add support for MS "fast SGC". This is arguably a violation of the
     SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
     weak crypto and after checking the certificate is SGC a second one
     with strong crypto. MS SGC stops the first handshake after receiving
     the server certificate message and sends a second client hello. Since
     a server will typically do all the time consuming operations before
     expecting any further messages from the client (server key exchange
     is the most expensive) there is little difference between the two.

     To get OpenSSL to support MS SGC we have to permit a second client
     hello message after we have sent server done. In addition we have to
     reset the MAC if we do get this second client hello and include the
     data just received.
     [Steve Henson]

  *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
     if a DER encoded private key is RSA or DSA traditional format. Changed
     d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
     format DER encoded private key. Newer code should use PKCS#8 format which
     has the key type encoded in the ASN1 structure. Added DER private key
     support to pkcs8 application.
     [Steve Henson]

  *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
     ciphersuites has been selected (as required by the SSL 3/TLS 1
     specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
     is set, we interpret this as a request to violate the specification
     (the worst that can happen is a handshake failure, and 'correct'
     behaviour would result in a handshake failure anyway).
     [Bodo Moeller]

  *) In SSL_CTX_add_session, take into account that there might be multiple
     SSL_SESSION structures with the same session ID (e.g. when two threads
     concurrently obtain them from an external cache).
     The internal cache can handle only one SSL_SESSION with a given ID,
     so if there's a conflict, we now throw out the old one to achieve
     consistency.
     [Bodo Moeller]

  *) Add OIDs for idea and blowfish in CBC mode. This will allow both
     to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
     some routines that use cipher OIDs: some ciphers do not have OIDs
     defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
     example.
     [Steve Henson]

  *) Simplify the trust setting structure and code. Now we just have
     two sequences of OIDs for trusted and rejected settings. These will
     typically have values the same as the extended key usage extension
     and any application specific purposes.

     The trust checking code now has a default behaviour: it will just
     check for an object with the same NID as the passed id. Functions can
     be provided to override either the default behaviour or the behaviour
     for a given id. SSL client, server and email already have functions
     in place for compatibility: they check the NID and also return "trusted"
     if the certificate is self signed.
     [Steve Henson]

  *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
     traditional format into an EVP_PKEY structure.
     [Steve Henson]

Loading full blame...