CHANGES

 OpenSSL CHANGES
 _______________

 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]

     OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
     and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.  

     Change log entries are tagged as follows:
         -) applies to 0.9.6a/0.9.6b/0.9.6c only
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
         +) applies to 0.9.7 only

  +) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is 
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  +) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1).  Here 'version' is the
     protocol version  according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.

     TODO: SSL 2.0, doc/ssl/, doc/apps/
     [Bodo Moeller]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use.  Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  +) Modify the behaviour of EVP cipher functions in similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

  +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter is
     not assumed to be valid before the call to EVP_DigestInit() and it is tidied
     up after a call to EVP_DigestFinal(). A new function EVP_DigestFinal_ex()
     but does not free up the ctx. Also change function EVP_MD_CTX_copy() to
     assume the destination is uninitialized: EVP_MD_CTX_copy_ex() do assumes
     the destiation is valid. Also modify all the OpenSSL digest calls to call 
     EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
     [Steve Henson]

  +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  +) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto iterfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

  +) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  +) New function SSL_renegotiate_pending().  This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello receveived from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place.  SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     [Bodo Moeller]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circuments various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored.  However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  +) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  +) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  +) Add support for shared libraries for Unixware-7 and support including
     shared libraries for OpenUNIX-8 (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
     [Geoff Thorpe]

  +) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).