Skip to content
CHANGES 238 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]
Bodo Möller's avatar
Bodo Möller committed
     OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
Ulf Möller's avatar
Ulf Möller committed
     and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.  
Bodo Möller's avatar
Bodo Möller committed

     Change log entries are tagged as follows:
Bodo Möller's avatar
Bodo Möller committed
         -) applies to 0.9.6a/0.9.6b/0.9.6c only
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
  *) Add a configuration entry for gcc on UnixWare.
     [Gary Benson <gbenson@redhat.com>]

  +) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1).  Here 'version' is the
     protocol version  according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.
     [Bodo Moeller]

  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
     [Bodo Moeller]

  +) Change the shared library support so shared libraries are built as
     soon as the corresponding static library is finished, and thereby get
     openssl and the test programs linked against the shared library.
     This still only happens when the keyword "shard" has been given to
     the configuration scripts.

     NOTE: shared library support is still an experimental thing, and
     backward binary compatibility is still not guaranteed.
     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]

  +) Add support for Subject Information Access extension.
     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]

  +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
     additional bytes when new memory had to be allocated, not just
     when reusing an existing buffer.
     [Bodo Moeller]

  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead.  BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>

  +) New command line and configuration option 'utf8' for the req command.
     This allows field values to be specified as UTF8 strings.
     [Steve Henson]

  +) Add -multi and -mr options to "openssl speed" - giving multiple parallel
     runs for the former and machine-readable output for the latter.
     [Ben Laurie]

  +) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
     of the e-mail address in the DN (i.e., it will go into a certificate
     extension only).  The new configuration file option 'email_in_dn = no'
     has the same effect.
     [Massimiliano Pala madwolf@openca.org]

  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled).  In practice, ClientHello
     messages are never sent like this, but this change gives us
     strictly correct behaviour at least for TLS.
     [Bodo Moeller]

  +) Change all functions with names starting with des_ to be starting
     with DES_ instead.  This because there are increasing clashes with
     libdes and other des libraries that are currently used by other
     projects.  The old libdes interface is provided, as well as crypt(),
     if openssl/des_old.h is included.  Note that crypt() is no longer
     declared in openssl/des.h.

     NOTE: This is a major break of an old API into a new one.  Software
     authors are encouraged to switch to the DES_ style functions.  Some
     time in the future, des_old.h and the libdes compatibility functions
     will be completely removed.
     [Richard Levitte]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is 
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use.  Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  +) Modify the behaviour of EVP cipher functions in similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter does
     not have to be to be initialized before the call to EVP_DigestInit() and
     it is tidied up after a call to EVP_DigestFinal(). New function
     EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
     EVP_MD_CTX_copy() changed to not require the destination to be
     initialized valid and new function EVP_MD_CTX_copy_ex() added which
     requires the destination to be valid.

     Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
     EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     [Steve Henson]

  +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  +) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto iterfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  +) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  +) New function SSL_renegotiate_pending().  This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello receveived from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place.  SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     [Bodo Moeller]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circuments various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored.  However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  +) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  +) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  ?) Add support for shared libraries for Unixware-7 and support including
     shared libraries for OpenUNIX-8 (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  -) OpenUNIX-8 support (Boyd Lynn Gerber <gerberb@zenez.com>)
     [Lutz Jaenicke]

Bodo Möller's avatar
Bodo Möller committed
  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
Ulf Möller's avatar
Ulf Möller committed
     encoding parameters and hence was not vulnerable.
Bodo Möller's avatar
Bodo Möller committed
     [Bodo Moeller]

  +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
Bodo Möller's avatar
Bodo Möller committed
     [Geoff Thorpe]
  +) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) BN_sqr() bug fix.
     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]

  *) Make it possible to unload ranges of ERR strings with a new
     "ERR_unload_strings" function.
     [Geoff Thorpe]

  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
     [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]

  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
Ulf Möller's avatar
Ulf Möller committed
     equivalent based on BN_pseudo_rand() instead of BN_rand().
  +) Add a copy() function to EVP_MD.
     [Ben Laurie]

  +) Make EVP_MD routines take a context pointer instead of just the
Ulf Möller's avatar
Ulf Möller committed
     md_data void pointer.
     [Ben Laurie]

  +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  +) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
     leak as before, but their memory debugging output will announce it now
     rather than letting it slide.

     Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
     induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
     has a return value to indicate success or failure.
     [Geoff Thorpe]

Geoff Thorpe's avatar
Geoff Thorpe committed
  +) Make it possible to replace the underlying "ERR" functions such that the
     global state (2 LHASH tables and 2 locks) is only used by the "default"
     implementation. This change also adds two functions to "get" and "set"
     the implementation prior to it being automatically set the first time
     any other ERR function takes place. Ie. an application can call "get",
     pass the return value to a module it has just loaded, and that module
     can call its own "set" function using that value. This means the
     module's "ERR" operations will use (and modify) the error state in the
     application and not in its own statically linked copy of OpenSSL code.
     [Geoff Thorpe]

  +) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
     the operation, and provides a more encapsulated way for external code
     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
     to use these functions rather than manually incrementing the counts.

     Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
     [Geoff Thorpe]

  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
     This function was broken, as the check for a new client hello message
     to handle SGC did not allow these large messages.
     (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
     [Lutz Jaenicke]

  *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
     [Lutz Jaenicke]

Ben Laurie's avatar
Ben Laurie committed
  +) Add EVP test program.
     [Ben Laurie]

  +) Add symmetric cipher support to ENGINE. Expect the API to change!
     [Ben Laurie]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
     These allow a CRL to be built without having to access X509_CRL fields
     directly. Modify 'ca' application to use new functions.
     [Steve Henson]

  *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
     for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
     [Lutz Jaenicke]

  *) Rework the configuration and shared library support for Tru64 Unix.
     The configuration part makes use of modern compiler features and
     still retains old compiler behavior for those that run older versions
     of the OS.  The shared library support part includes a variant that
Ulf Möller's avatar
Ulf Möller committed
     uses the RPATH feature, and is available through the special
     configuration target "alpha-cc-rpath", which will never be selected
     automatically.
     [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]

  *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
     with the same message size as in ssl3_get_certificate_request().
     Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
     messages might inadvertently be reject as too long.
     [Petr Lampa <lampa@fee.vutbr.cz>]

  +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
Bodo Möller's avatar
Bodo Möller committed
     The problem will only arise on OpenSSL servers when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  +) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions. This also reduces
     the number of header dependencies.
     [Ben Laurie]

Ben Laurie's avatar
Ben Laurie committed
  +) Make DES key schedule conform to the usual scheme, as well as
     correcting its structure. This means that calls to DES functions
     now have to pass a pointer to a des_key_schedule instead of a
     plain des_key_schedule (which was actually always a pointer
     anyway).
  *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
  *) Modified SSL library such that the verify_callback that has been set
     specificly for an SSL object with SSL_set_verify() is actually being
     used. Before the change, a verify_callback set with this function was
     ignored and the verify_callback() set in the SSL_CTX at the time of
     the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
     to allow the necessary settings.
     [Lutz Jaenicke]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Initial reduction of linker bloat: the use of some functions, such as
     PEM causes large amounts of unused functions to be linked in due to
     poor organisation. For example pem_all.c contains every PEM function
     which has a knock on effect of linking in large amounts of (unused)
     ASN1 code. Grouping together similar functions and splitting unrelated
     functions prevents this.
     [Steve Henson]

  *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
Ulf Möller's avatar
Ulf Möller committed
     explicitly to NULL, as at least on Solaris 8 this seems not always to be
     done automatically (in contradiction to the requirements of the C
     standard). This made problems when used from OpenSSH.
  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
     dh->length and always used

          BN_rand_range(priv_key, dh->p).

     BN_rand_range() is not necessary for Diffie-Hellman, and this
     specific range makes Diffie-Hellman unnecessarily inefficient if
     dh->length (recommended exponent length) is much smaller than the
     length of dh->p.  We could use BN_rand_range() if the order of
     the subgroup was stored in the DH structure, but we only have
     dh->length.

     So switch back to

          BN_rand(priv_key, l, ...)

     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
     otherwise.
     [Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) In

          RSA_eay_public_encrypt
          RSA_eay_private_decrypt
          RSA_eay_private_encrypt (signing)
          RSA_eay_public_decrypt (signature verification)

     (default implementations for RSA_public_encrypt,
     RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
     always reject numbers >= n.
     [Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
     to synchronize access to 'locking_thread'.  This is necessary on
     systems where access to 'locking_thread' (an 'unsigned long'
     variable) is not atomic.
     [Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
     *before* setting the 'crypto_lock_rand' flag.  The previous code had
     a race condition if 0 is a valid thread ID.
     [Travis Vitek <vitek@roguewave.com>]

  +) Cleanup of EVP macros.
     [Ben Laurie]

  +) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
     correct _ecb suffix.
     [Ben Laurie]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     use by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script) or using an internal minimal server.
     [Steve Henson]

  +) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  +) Changes to Kerberos SSL for RFC 2712 compliance:
     1.  Implemented real KerberosWrapper, instead of just using
         KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2.  Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  +) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

Bodo Möller's avatar
Bodo Möller committed
  -) OpenSSL 0.9.6b released [9 July 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack.  (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.)  The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]
  
  +) Speed up EVP routines.
     Before:
encrypt
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
decrypt
des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
     After:
encrypt
des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Fix crypto/bn/asm/mips3.s.
     [Andy Polyakov]

  *) When only the key is given to "enc", the IV is undefined. Print out
     an error message in this case.
     [Lutz Jaenicke]

Richard Levitte's avatar
Richard Levitte committed
  +) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular wrt extensions) without having to duplicate the
     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
     [Steve Henson]

  *) Handle special case when X509_NAME is empty in X509 printing routines.
     [Steve Henson]

  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
     positive and less than q.
     [Bodo Moeller]

  +) Enhance the general user interface with mechanisms for inner control
Ulf Möller's avatar
Ulf Möller committed
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  +) Change all calls to low level digest routines in the library and
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  +) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer.  NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
Ulf Möller's avatar
Ulf Möller committed
     Adapt the nCipher code for these new conditions and add a card insertion
  +) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
Ulf Möller's avatar
Ulf Möller committed
     and interrupts/cancellations.
  *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
     used: it isn't thread safe and the add_lock_callback should handle
     that itself.
     [Paul Rose <Paul.Rose@bridge.com>]

  *) Verify that incoming data obeys the block size in
     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
     [Bodo Moeller]

  +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix OAEP check.
     [Ulf Möller, Bodo Möller]

  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
Ulf Möller's avatar
Ulf Möller committed
     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
     when fixing the server behaviour for backwards-compatible 'client
     hello' messages.  (Note that the attack is impractical against
     SSL 3.0 and TLS 1.0 anyway because length and version checking
     means that the probability of guessing a valid ciphertext is
     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
     paper.)

     Before 0.9.5, the countermeasure (hide the error by generating a
     random 'decryption result') did not work properly because
     ERR_clear_error() was missing, meaning that SSL_get_error() would
     detect the supposedly ignored error.

     Both problems are now fixed.
     [Bodo Moeller]

  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
     (previously it was 1024).
     [Bodo Moeller]

  +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
Ulf Möller's avatar
Ulf Möller committed
     tidy up some unnecessarily weird code in 'sk_new()').
     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

  +) Change the key loading routines for ENGINEs to use the same kind
     callback (pem_password_cb) as all other routines that need this
     kind of callback.
     [Richard Levitte]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Fix for compatibility mode trust settings: ignore trust settings
     unless some valid trust or reject settings are present.
     [Steve Henson]

  *) Fix for blowfish EVP: its a variable length cipher.
     [Steve Henson]

  +) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
     256 bit (=32 byte) keys. Of course seeding with more entropy bytes
     than this minimum value is recommended.
Richard Levitte's avatar
Richard Levitte committed
  +) New random seeder for OpenVMS, using the system process statistics
     that are easily reachable.
     [Richard Levitte]

  +) Windows apparently can't transparently handle global
     variables defined in DLLs. Initialisations such as:

        const ASN1_ITEM *it = &ASN1_INTEGER_it;

     wont compile. This is used by the any applications that need to
Ulf Möller's avatar
Ulf Möller committed
     declare their own ASN1 modules. This was fixed by adding the option
     EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
     needed for static libraries under Win32.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
     setting of purpose and trust fields. New X509_STORE trust and
     purpose functions and tidy up setting in other SSL functions.
     [Steve Henson]

  +) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
     structure. These are inherited by X509_STORE_CTX when it is 
     initialised. This allows various defaults to be set in the
     X509_STORE structure (such as flags for CRL checking and custom
     purpose or trust settings) for functions which only use X509_STORE_CTX
     internally such as S/MIME.

     Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
     trust settings if they are not set in X509_STORE. This allows X509_STORE
     purposes and trust (in S/MIME for example) to override any set by default.

     Add command line options for CRL checking to smime, s_client and s_server
     applications.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Initial CRL based revocation checking. If the CRL checking flag(s)
     are set then the CRL is looked up in the X509_STORE structure and
     its validity and signature checked, then if the certificate is found
     in the CRL the verify fails with a revoked error.

     Various new CRL related callbacks added to X509_STORE_CTX structure.

     Command line options added to 'verify' application to support this.

     This needs some additional work, such as being able to handle multiple
     CRLs with different times, extension based lookup (rather than just
     by subject name) and ultimately more complete V2 CRL extension
     handling.
     [Steve Henson]

  +) Add a general user interface API (crypto/ui/).  This is designed
     to replace things like des_read_password and friends (backward
     compatibility functions using this new API are provided).
     The purpose is to remove prompting functions from the DES code
     section as well as provide for prompting through dialog boxes in
     a window system and the like.
  *) Fix various bugs related to DSA S/MIME verification. Handle missing
     parameters in DSA public key structures and return an error in the
     DSA routines if parameters are absent.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
     in the current directory if neither $RANDFILE nor $HOME was set.
     RAND_file_name() in 0.9.6a returned NULL in this case.  This has
     caused some confusion to Windows users who haven't defined $HOME.
     Thus RAND_file_name() is changed again: e_os.h can define a
     DEFAULT_HOME, which will be used if $HOME is not set.
     For Windows, we use "C:"; on other platforms, we still require
     environment variables.

  +) Add "ex_data" support to ENGINE so implementations can add state at a
     per-structure level rather than having to store it globally.
     [Geoff]

  +) Make it possible for ENGINE structures to be copied when retrieved by
     ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
     This causes the "original" ENGINE structure to act like a template,
     analogous to the RSA vs. RSA_METHOD type of separation. Because of this
     operational state can be localised to each ENGINE structure, despite the
     fact they all share the same "methods". New ENGINE structures returned in
     this case have no functional references and the return value is the single
     structural reference. This matches the single structural reference returned
     by ENGINE_by_id() normally, when it is incremented on the pre-existing
     ENGINE structure.
     [Geoff]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
     needs to match any other type at all we need to manually clear the
     tag cache.
     [Steve Henson]

  +) Changes to the "openssl engine" utility to include;
     - verbosity levels ('-v', '-vv', and '-vvv') that provide information
       about an ENGINE's available control commands.
     - executing control commands from command line arguments using the
       '-pre' and '-post' switches. '-post' is only used if '-t' is
       specified and the ENGINE is successfully initialised. The syntax for
       the individual commands are colon-separated, for example;
	 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
     [Geoff]

  +) New dynamic control command support for ENGINEs. ENGINEs can now
     declare their own commands (numbers), names (strings), descriptions,
     and input types for run-time discovery by calling applications. A
     subset of these commands are implicitly classed as "executable"
     depending on their input type, and only these can be invoked through
     the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
     can be based on user input, config files, etc). The distinction is
     that "executable" commands cannot return anything other than a boolean
     result and can only support numeric or string input, whereas some
     discoverable commands may only be for direct use through
     ENGINE_ctrl(), eg. supporting the exchange of binary data, function
     pointers, or other custom uses. The "executable" commands are to
     support parameterisations of ENGINE behaviour that can be
     unambiguously defined by ENGINEs and used consistently across any
     OpenSSL-based application. Commands have been added to all the
     existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
     control over shared-library paths without source code alterations.
     [Geoff]

  +) Changed all ENGINE implementations to dynamically allocate their
     ENGINEs rather than declaring them statically. Apart from this being
     necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
     this also allows the implementations to compile without using the
     internal engine_int.h header.
     [Geoff]

  +) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
     'const' value. Any code that should be able to modify a RAND_METHOD
     should already have non-const pointers to it (ie. they should only
     modify their own ones).
     [Geoff]

  +) Made a variety of little tweaks to the ENGINE code.
     - "atalla" and "ubsec" string definitions were moved from header files
       to C code. "nuron" string definitions were placed in variables
       rather than hard-coded - allowing parameterisation of these values
       later on via ctrl() commands.
     - Removed unused "#if 0"'d code.
     - Fixed engine list iteration code so it uses ENGINE_free() to release
       structural references.
     - Constified the RAND_METHOD element of ENGINE structures.
     - Constified various get/set functions as appropriate and added
       missing functions (including a catch-all ENGINE_cpy that duplicates
       all ENGINE values onto a new ENGINE except reference counts/state).
     - Removed NULL parameter checks in get/set functions. Setting a method
       or function to NULL is a way of cancelling out a previously set
       value.  Passing a NULL ENGINE parameter is just plain stupid anyway
       and doesn't justify the extra error symbols and code.
     - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
       flags from engine_int.h to engine.h.
     - Changed prototypes for ENGINE handler functions (init(), finish(),
       ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
     [Geoff]

Bodo Möller's avatar
Bodo Möller committed
  *) Move 'if (!initialized) RAND_poll()' into regions protected by
     CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
Bodo Möller's avatar
Bodo Möller committed
     having multiple threads call RAND_poll() concurrently.
Bodo Möller's avatar
Bodo Möller committed
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
     combination of a flag and a thread ID variable.
     Otherwise while one thread is in ssleay_rand_bytes (which sets the
     flag), *other* threads can enter ssleay_add_bytes without obeying
Ulf Möller's avatar
Ulf Möller committed
     the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
Bodo Möller's avatar
Bodo Möller committed
     that they do not hold after the first thread unsets add_do_not_lock).
     [Bodo Moeller]

  +) Implement binary inversion algorithm for BN_mod_inverse in addition
Ulf Möller's avatar
Ulf Möller committed
     to the algorithm using long division.  The binary algorithm can be
     used only if the modulus is odd.  On 32-bit systems, it is faster
     only for relatively small moduli (roughly 20-30% for 128-bit moduli,
     roughly 5-15% for 256-bit moduli), so we use it only for moduli
     up to 450 bits.  In 64-bit environments, the binary algorithm
     appears to be advantageous for much longer moduli; here we use it
     for moduli up to 2048 bits.
  *) Change bctest again: '-x' expressions are not available in all
     versions of 'test'.
     [Bodo Moeller]

  -) OpenSSL 0.9.6a released [5 Apr 2001]

  *) Fix a couple of memory leaks in PKCS7_dataDecode()
     [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]

  *) Change Configure and Makefiles to provide EXE_EXT, which will contain
     the default extension for executables, if any.  Also, make the perl
     scripts that use symlink() to test if it really exists and use "cp"
     if it doesn't.  All this made OpenSSL compilable and installable in
     CygWin.
     [Richard Levitte]

  +) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
     could not support the combine flag in choice fields.
     [Steve Henson]

  -) Fix for asn1_GetSequence() for indefinite length constructed data.
     If SEQUENCE is length is indefinite just set c->slen to the total
     amount of data available.
     [Steve Henson, reported by shige@FreeBSD.org]
     [This change does not apply to 0.9.7.]

  *) Change bctest to avoid here-documents inside command substitution
     (workaround for FreeBSD /bin/sh bug).
Bodo Möller's avatar
Bodo Möller committed
     For compatibility with Ultrix, avoid shell functions (introduced
     in the bctest version that searches along $PATH).
  *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
     with des_encrypt() defined on some operating systems, like Solaris
     and UnixWare.
     [Richard Levitte]

Ulf Möller's avatar
Ulf Möller committed
  *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
     On the Importance of Eliminating Errors in Cryptographic
     Computations, J. Cryptology 14 (2001) 2, 101-119,
     http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
     [Ulf Moeller]
Ulf Möller's avatar
Ulf Möller committed
  
  *) MIPS assembler BIGNUM division bug fix. 
Ulf Möller's avatar
Ulf Möller committed
     [Andy Polyakov]

Ulf Möller's avatar
Ulf Möller committed
  *) Disabled incorrect Alpha assembler code.
     [Richard Levitte]

  -) Fix PKCS#7 decode routines so they correctly update the length
     after reading an EOC for the EXPLICIT tag.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Fix bug in PKCS#12 key generation routines. This was triggered
     if a 3DES key was generated with a 0 initial byte. Include
     PKCS12_BROKEN_KEYGEN compilation option to retain the old
     (but broken) behaviour.
     [Steve Henson]

  *) Enhance bctest to search for a working bc along $PATH and print
     it when found.
     [Tim Rice <tim@multitalents.net> via Richard Levitte]

  +) Add a 'copy_extensions' option to the 'ca' utility. This copies
     extensions from a certificate request to the certificate.
     [Steve Henson]

  +) Allow multiple 'certopt' and 'nameopt' options to be separated
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     by commas. Add 'namopt' and 'certopt' options to the 'ca' config
     file: this allows the display of the certificate about to be
     signed to be customised, to allow certain fields to be included
     or excluded and extension details. The old system didn't display
     multicharacter strings properly, omitted fields not in the policy
     and couldn't display additional details such as extensions.
     [Steve Henson]

  *) Fix memory leaks in err.c: free err_data string if necessary;
     don't write to the wrong index in ERR_set_error_data.
Bodo Möller's avatar
Bodo Möller committed
     [Bodo Moeller]

  +) Function EC_POINTs_mul for simultaneous scalar multiplication
     of an arbitrary number of elliptic curve points, optionally
     including the generator defined for the EC_GROUP.
     EC_POINT_mul is a simple wrapper function for the typical case
     that the point list has just one item (besides the optional
     generator).
  +) First EC_METHODs for curves over GF(p):

     EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
     operations and provides various method functions that can also
     operate with faster implementations of modular arithmetic.     

     EC_GFp_mont_method() reuses most functions that are part of
     EC_GFp_simple_method, but uses Montgomery arithmetic.

     [Bodo Moeller; point addition and point doubling
     implementation directly derived from source code provided by
     Lenka Fibikova <fibikova@exp-math.uni-essen.de>]

  +) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
     Curves are EC_GROUP objects (with an optional group generator)
     based on EC_METHODs that are built into the library.

     Points are EC_POINT objects based on EC_GROUP objects.

     Most of the framework would be able to handle curves over arbitrary
     finite fields, but as there are no obvious types for fields other
     than GF(p), some functions are limited to that for now.
  +) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
     that the file contains a complete HTTP response.
     [Richard Levitte]

  +) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     change the def and num file printf format specifier from "%-40sXXX"
     to "%-39s XXX". The latter will always guarantee a space after the
     field while the former will cause them to run together if the field
     is 40 of more characters long.
     [Steve Henson]

  +) Constify the cipher and digest 'method' functions and structures
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     and modify related functions to take constant EVP_MD and EVP_CIPHER
     pointers.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) Implement ssl23_peek (analogous to ssl23_read), which previously
     did not exist.
     [Bodo Moeller]

  *) Replace rdtsc with _emit statements for VC++ version 5.
     [Jeremy Cooper <jeremy@baymoo.org>]
  +) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
     in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
     [Bodo Moeller]

  +) Modify EVP_Digest*() routines so they now return values. Although the
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     internal software routines can never fail additional hardware versions
     might.
     [Steve Henson]

  +) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
Bodo Möller's avatar
Bodo Möller committed

     Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
     (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.