Skip to content
CHANGES 471 KiB
Newer Older
     (Use engine 'keyclient')
     [Cryptographic Appliances and Geoff Thorpe]

  *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
     is called via tools/c89.sh because arguments have to be
     rearranged (all '-L' options must appear before the first object
     modules).
     [Richard Shapiro <rshapiro@abinitio.com>]

  *) [In 0.9.6c-engine release:]
     Add support for Broadcom crypto accelerator cards, backported
     from 0.9.7.
     [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for SureWare crypto accelerator cards from 
     Baltimore Technologies.  (Use engine 'sureware')
     [Baltimore Technologies and Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for crypto accelerator cards from Accelerated
     Encryption Processing, www.aep.ie.  (Use engine 'aep')
     [AEP Inc. and Mark Cox]

  *) Add a configuration entry for gcc on UnixWare.
     [Gary Benson <gbenson@redhat.com>]

  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
     [Bodo Moeller]

  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead.  BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>

  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled).  In practice, ClientHello
     messages are never sent like this, but this change gives us
     strictly correct behaviour at least for TLS.
     [Bodo Moeller]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use.  Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circumvents various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7097 7098 7099 7100 7101 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7113 7114 7115 7116 7117 7118 7119 7120 7121 7122 7123 7124 7125 7126 7127 7128 7129 7130 7131 7132 7133 7134 7135 7136 7137 7138 7139 7140 7141 7142 7143 7144 7145 7146 7147 7148 7149 7150 7151 7152 7153 7154 7155 7156 7157 7158 7159 7160 7161 7162 7163 7164 7165 7166 7167 7168 7169 7170 7171 7172 7173 7174 7175 7176 7177 7178 7179 7180 7181 7182 7183 7184 7185 7186 7187 7188 7189 7190 7191 7192 7193 7194 7195 7196 7197 7198 7199 7200 7201 7202 7203 7204 7205 7206 7207 7208 7209 7210 7211 7212 7213 7214 7215 7216 7217 7218 7219 7220 7221 7222 7223 7224 7225 7226 7227 7228 7229 7230 7231 7232 7233 7234 7235 7236 7237 7238 7239 7240 7241 7242 7243 7244 7245 7246 7247 7248 7249 7250 7251 7252 7253 7254 7255 7256 7257 7258 7259 7260 7261 7262 7263 7264 7265 7266 7267 7268 7269 7270 7271 7272 7273 7274 7275 7276 7277 7278 7279 7280 7281 7282 7283 7284 7285 7286 7287 7288 7289 7290 7291 7292 7293 7294 7295 7296 7297 7298 7299 7300 7301 7302 7303 7304 7305 7306 7307 7308 7309 7310 7311 7312 7313 7314 7315 7316 7317 7318 7319 7320 7321 7322 7323 7324 7325 7326 7327 7328 7329 7330 7331 7332 7333 7334 7335 7336 7337 7338 7339 7340 7341 7342 7343 7344 7345 7346 7347 7348 7349 7350 7351 7352 7353 7354 7355 7356 7357 7358 7359 7360 7361 7362 7363 7364 7365 7366 7367 7368 7369 7370 7371 7372 7373 7374 7375 7376 7377 7378 7379 7380 7381 7382 7383 7384 7385 7386 7387 7388 7389 7390 7391 7392 7393 7394 7395 7396 7397 7398 7399 7400 7401 7402 7403 7404 7405 7406 7407 7408 7409 7410 7411 7412 7413 7414 7415 7416 7417 7418 7419 7420 7421 7422 7423 7424 7425 7426 7427 7428 7429 7430 7431 7432 7433 7434 7435 7436 7437 7438 7439 7440 7441 7442 7443 7444 7445 7446 7447 7448 7449 7450 7451 7452 7453 7454 7455 7456 7457 7458 7459 7460 7461 7462 7463 7464 7465 7466 7467 7468 7469 7470 7471 7472 7473 7474 7475 7476 7477 7478 7479 7480 7481 7482 7483 7484 7485 7486 7487 7488 7489 7490 7491 7492 7493 7494 7495 7496 7497 7498 7499 7500 7501 7502 7503 7504 7505 7506 7507 7508 7509 7510 7511 7512 7513 7514 7515 7516 7517 7518 7519 7520 7521 7522 7523 7524 7525 7526 7527 7528 7529 7530 7531 7532 7533 7534 7535 7536 7537 7538 7539 7540 7541 7542 7543 7544 7545 7546 7547 7548 7549 7550 7551 7552 7553 7554 7555 7556 7557 7558 7559 7560 7561 7562 7563 7564 7565 7566 7567 7568 7569 7570 7571 7572 7573 7574 7575 7576 7577 7578 7579 7580 7581 7582 7583 7584 7585 7586 7587 7588 7589 7590 7591 7592 7593
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored.  However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  *) Add OpenUNIX-8 support including shared libraries
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  *) BN_sqr() bug fix.
     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]

  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
     [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]

  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
     equivalent based on BN_pseudo_rand() instead of BN_rand().
     [Bodo Moeller]

  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
     This function was broken, as the check for a new client hello message
     to handle SGC did not allow these large messages.
     (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
     [Lutz Jaenicke]

  *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
     [Lutz Jaenicke]

  *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
     for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
     [Lutz Jaenicke]

  *) Rework the configuration and shared library support for Tru64 Unix.
     The configuration part makes use of modern compiler features and
     still retains old compiler behavior for those that run older versions
     of the OS.  The shared library support part includes a variant that
     uses the RPATH feature, and is available through the special
     configuration target "alpha-cc-rpath", which will never be selected
     automatically.
     [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]

  *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
     with the same message size as in ssl3_get_certificate_request().
     Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
     messages might inadvertently be reject as too long.
     [Petr Lampa <lampa@fee.vutbr.cz>]

  *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
     [Andy Polyakov]

  *) Modified SSL library such that the verify_callback that has been set
     specificly for an SSL object with SSL_set_verify() is actually being
     used. Before the change, a verify_callback set with this function was
     ignored and the verify_callback() set in the SSL_CTX at the time of
     the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
     to allow the necessary settings.
     [Lutz Jaenicke]

  *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
     explicitly to NULL, as at least on Solaris 8 this seems not always to be
     done automatically (in contradiction to the requirements of the C
     standard). This made problems when used from OpenSSH.
     [Lutz Jaenicke]

  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
     dh->length and always used

          BN_rand_range(priv_key, dh->p).

     BN_rand_range() is not necessary for Diffie-Hellman, and this
     specific range makes Diffie-Hellman unnecessarily inefficient if
     dh->length (recommended exponent length) is much smaller than the
     length of dh->p.  We could use BN_rand_range() if the order of
     the subgroup was stored in the DH structure, but we only have
     dh->length.

     So switch back to

          BN_rand(priv_key, l, ...)

     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
     otherwise.
     [Bodo Moeller]

  *) In

          RSA_eay_public_encrypt
          RSA_eay_private_decrypt
          RSA_eay_private_encrypt (signing)
          RSA_eay_public_decrypt (signature verification)

     (default implementations for RSA_public_encrypt,
     RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
     always reject numbers >= n.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
     to synchronize access to 'locking_thread'.  This is necessary on
     systems where access to 'locking_thread' (an 'unsigned long'
     variable) is not atomic.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
     *before* setting the 'crypto_lock_rand' flag.  The previous code had
     a race condition if 0 is a valid thread ID.
     [Travis Vitek <vitek@roguewave.com>]

  *) Add support for shared libraries under Irix.
     [Albert Chin-A-Young <china@thewrittenword.com>]

  *) Add configuration option to build on Linux on both big-endian and
     little-endian MIPS.
     [Ralf Baechle <ralf@uni-koblenz.de>]

  *) Add the possibility to create shared libraries on HP-UX.
     [Richard Levitte]

 Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack.  (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.)  The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]

  *) Fix crypto/bn/asm/mips3.s.
     [Andy Polyakov]

  *) When only the key is given to "enc", the IV is undefined. Print out
     an error message in this case.
     [Lutz Jaenicke]

  *) Handle special case when X509_NAME is empty in X509 printing routines.
     [Steve Henson]

  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
     positive and less than q.
     [Bodo Moeller]

  *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
     used: it isn't thread safe and the add_lock_callback should handle
     that itself.
     [Paul Rose <Paul.Rose@bridge.com>]

  *) Verify that incoming data obeys the block size in
     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
     [Bodo Moeller]

  *) Fix OAEP check.
     [Ulf Möller, Bodo Möller]

  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
     when fixing the server behaviour for backwards-compatible 'client
     hello' messages.  (Note that the attack is impractical against
     SSL 3.0 and TLS 1.0 anyway because length and version checking
     means that the probability of guessing a valid ciphertext is
     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
     paper.)

     Before 0.9.5, the countermeasure (hide the error by generating a
     random 'decryption result') did not work properly because
     ERR_clear_error() was missing, meaning that SSL_get_error() would
     detect the supposedly ignored error.

     Both problems are now fixed.
     [Bodo Moeller]

  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
     (previously it was 1024).
     [Bodo Moeller]

  *) Fix for compatibility mode trust settings: ignore trust settings
     unless some valid trust or reject settings are present.
     [Steve Henson]

  *) Fix for blowfish EVP: its a variable length cipher.
     [Steve Henson]

  *) Fix various bugs related to DSA S/MIME verification. Handle missing
     parameters in DSA public key structures and return an error in the
     DSA routines if parameters are absent.
     [Steve Henson]

  *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
     in the current directory if neither $RANDFILE nor $HOME was set.
     RAND_file_name() in 0.9.6a returned NULL in this case.  This has
     caused some confusion to Windows users who haven't defined $HOME.
     Thus RAND_file_name() is changed again: e_os.h can define a
     DEFAULT_HOME, which will be used if $HOME is not set.
     For Windows, we use "C:"; on other platforms, we still require
     environment variables.

  *) Move 'if (!initialized) RAND_poll()' into regions protected by
     CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
     having multiple threads call RAND_poll() concurrently.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
     combination of a flag and a thread ID variable.
     Otherwise while one thread is in ssleay_rand_bytes (which sets the
     flag), *other* threads can enter ssleay_add_bytes without obeying
     the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
     that they do not hold after the first thread unsets add_do_not_lock).
     [Bodo Moeller]

  *) Change bctest again: '-x' expressions are not available in all
     versions of 'test'.
     [Bodo Moeller]

 Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]

  *) Fix a couple of memory leaks in PKCS7_dataDecode()
     [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]

  *) Change Configure and Makefiles to provide EXE_EXT, which will contain
     the default extension for executables, if any.  Also, make the perl
     scripts that use symlink() to test if it really exists and use "cp"
     if it doesn't.  All this made OpenSSL compilable and installable in
     CygWin.
     [Richard Levitte]

  *) Fix for asn1_GetSequence() for indefinite length constructed data.
     If SEQUENCE is length is indefinite just set c->slen to the total
     amount of data available.
     [Steve Henson, reported by shige@FreeBSD.org]
     [This change does not apply to 0.9.7.]

  *) Change bctest to avoid here-documents inside command substitution
     (workaround for FreeBSD /bin/sh bug).
     For compatibility with Ultrix, avoid shell functions (introduced
     in the bctest version that searches along $PATH).
     [Bodo Moeller]

  *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
     with des_encrypt() defined on some operating systems, like Solaris
     and UnixWare.
     [Richard Levitte]

  *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
     On the Importance of Eliminating Errors in Cryptographic
     Computations, J. Cryptology 14 (2001) 2, 101-119,
     http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
     [Ulf Moeller]
  
  *) MIPS assembler BIGNUM division bug fix. 
     [Andy Polyakov]

  *) Disabled incorrect Alpha assembler code.
     [Richard Levitte]

  *) Fix PKCS#7 decode routines so they correctly update the length
     after reading an EOC for the EXPLICIT tag.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Fix bug in PKCS#12 key generation routines. This was triggered
     if a 3DES key was generated with a 0 initial byte. Include
     PKCS12_BROKEN_KEYGEN compilation option to retain the old
     (but broken) behaviour.
     [Steve Henson]

  *) Enhance bctest to search for a working bc along $PATH and print
     it when found.
     [Tim Rice <tim@multitalents.net> via Richard Levitte]

  *) Fix memory leaks in err.c: free err_data string if necessary;
     don't write to the wrong index in ERR_set_error_data.
     [Bodo Moeller]

  *) Implement ssl23_peek (analogous to ssl23_read), which previously
     did not exist.
     [Bodo Moeller]

  *) Replace rdtsc with _emit statements for VC++ version 5.
     [Jeremy Cooper <jeremy@baymoo.org>]

  *) Make it possible to reuse SSLv2 sessions.
     [Richard Levitte]

  *) In copy_email() check for >= 0 as a return value for
     X509_NAME_get_index_by_NID() since 0 is a valid index.
     [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]

  *) Avoid coredump with unsupported or invalid public keys by checking if
     X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
     PKCS7_verify() fails with non detached data.
     [Steve Henson]

  *) Don't use getenv in library functions when run as setuid/setgid.
     New function OPENSSL_issetugid().
     [Ulf Moeller]

  *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
     due to incorrect handling of multi-threading:

     1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().

     2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().

     3. Count how many times MemCheck_off() has been called so that
        nested use can be treated correctly.  This also avoids 
        inband-signalling in the previous code (which relied on the
        assumption that thread ID 0 is impossible).
     [Bodo Moeller]

  *) Add "-rand" option also to s_client and s_server.
     [Lutz Jaenicke]

  *) Fix CPU detection on Irix 6.x.
     [Kurt Hockenbury <khockenb@stevens-tech.edu> and
      "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
     was empty.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Use the cached encoding of an X509_NAME structure rather than
     copying it. This is apparently the reason for the libsafe "errors"
     but the code is actually correct.
     [Steve Henson]

  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
     Bleichenbacher's DSA attack.
     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
     to be set and top=0 forces the highest bit to be set; top=-1 is new
     and leaves the highest bit random.
     [Ulf Moeller, Bodo Moeller]

  *) In the NCONF_...-based implementations for CONF_... queries
     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
     a temporary CONF structure with the data component set to NULL
     (which gives segmentation faults in lh_retrieve).
     Instead, use NULL for the CONF pointer in CONF_get_string and
     CONF_get_number (which may use environment variables) and directly
     return NULL from CONF_get_section.
     [Bodo Moeller]

  *) Fix potential buffer overrun for EBCDIC.
     [Ulf Moeller]

  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
     keyUsage if basicConstraints absent for a CA.
     [Steve Henson]

  *) Make SMIME_write_PKCS7() write mail header values with a format that
     is more generally accepted (no spaces before the semicolon), since
     some programs can't parse those values properly otherwise.  Also make
     sure BIO's that break lines after each write do not create invalid
     headers.
     [Richard Levitte]

  *) Make the CRL encoding routines work with empty SEQUENCE OF. The
     macros previously used would not encode an empty SEQUENCE OF
     and break the signature.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Zero the premaster secret after deriving the master secret in
     DH ciphersuites.
     [Steve Henson]

  *) Add some EVP_add_digest_alias registrations (as found in
     OpenSSL_add_all_digests()) to SSL_library_init()
     aka OpenSSL_add_ssl_algorithms().  This provides improved
     compatibility with peers using X.509 certificates
     with unconventional AlgorithmIdentifier OIDs.
     [Bodo Moeller]

  *) Fix for Irix with NO_ASM.
     ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) ./config script fixes.
     [Ulf Moeller, Richard Levitte]

  *) Fix 'openssl passwd -1'.
     [Bodo Moeller]

  *) Change PKCS12_key_gen_asc() so it can cope with non null
     terminated strings whose length is passed in the passlen
     parameter, for example from PEM callbacks. This was done
     by adding an extra length parameter to asc2uni().
     [Steve Henson, reported by <oddissey@samsung.co.kr>]

  *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
     call failed, free the DSA structure.
     [Bodo Moeller]

  *) Fix to uni2asc() to cope with zero length Unicode strings.
     These are present in some PKCS#12 files.
     [Steve Henson]

  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
     Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
     when writing a 32767 byte record.
     [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]

  *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
     obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.

     (RSA objects have a reference count access to which is protected
     by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
     so they are meant to be shared between threads.)
     [Bodo Moeller, Geoff Thorpe; original patch submitted by
     "Reddie, Steven" <Steven.Reddie@ca.com>]

  *) Fix a deadlock in CRYPTO_mem_leaks().
     [Bodo Moeller]

  *) Use better test patterns in bntest.
     [Ulf Möller]

  *) rand_win.c fix for Borland C.
     [Ulf Möller]
 
  *) BN_rshift bugfix for n == 0.
     [Bodo Moeller]

  *) Add a 'bctest' script that checks for some known 'bc' bugs
     so that 'make test' does not abort just because 'bc' is broken.
     [Bodo Moeller]

  *) Store verify_result within SSL_SESSION also for client side to
     avoid potential security hole. (Re-used sessions on the client side
     always resulted in verify_result==X509_V_OK, not using the original
     result of the server certificate verification.)
     [Lutz Jaenicke]

  *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
     SSL3_RT_APPLICATION_DATA, return 0.
     Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
     [Bodo Moeller]

  *) Fix SSL_peek:
     Both ssl2_peek and ssl3_peek, which were totally broken in earlier
     releases, have been re-implemented by renaming the previous
     implementations of ssl2_read and ssl3_read to ssl2_read_internal
     and ssl3_read_internal, respectively, and adding 'peek' parameters
     to them.  The new ssl[23]_{read,peek} functions are calls to
     ssl[23]_read_internal with the 'peek' flag set appropriately.
     A 'peek' parameter has also been added to ssl3_read_bytes, which
     does the actual work for ssl3_read_internal.
     [Bodo Moeller]

  *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
     the method-specific "init()" handler. Also clean up ex_data after
     calling the method-specific "finish()" handler. Previously, this was
     happening the other way round.
     [Geoff Thorpe]

  *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
     The previous value, 12, was not always sufficient for BN_mod_exp().
     [Bodo Moeller]

  *) Make sure that shared libraries get the internal name engine with
     the full version number and not just 0.  This should mark the
     shared libraries as not backward compatible.  Of course, this should
     be changed again when we can guarantee backward binary compatibility.
     [Richard Levitte]

  *) Fix typo in get_cert_by_subject() in by_dir.c
     [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]

  *) Rework the system to generate shared libraries:

     - Make note of the expected extension for the shared libraries and
       if there is a need for symbolic links from for example libcrypto.so.0
       to libcrypto.so.0.9.7.  There is extended info in Configure for
       that.

     - Make as few rebuilds of the shared libraries as possible.

     - Still avoid linking the OpenSSL programs with the shared libraries.

     - When installing, install the shared libraries separately from the
       static ones.
     [Richard Levitte]

  *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.

     Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
     and not in SSL_clear because the latter is also used by the
     accept/connect functions; previously, the settings made by
     SSL_set_read_ahead would be lost during the handshake.
     [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]     

Richard Levitte's avatar
Richard Levitte committed
  *) Correct util/mkdef.pl to be selective about disabled algorithms.
     Previously, it would create entries for disableed algorithms no
     matter what.
     [Richard Levitte]
  *) Added several new manual pages for SSL_* function.
     [Lutz Jaenicke]

 Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
Bodo Möller's avatar
Bodo Möller committed
  *) In ssl23_get_client_hello, generate an error message when faced
     with an initial SSL 3.0/TLS record that is too small to contain the
     first two bytes of the ClientHello message, i.e. client_version.
     (Note that this is a pathologic case that probably has never happened
     in real life.)  The previous approach was to use the version number
Bodo Möller's avatar
Bodo Möller committed
     from the record header as a substitute; but our protocol choice
Bodo Möller's avatar
Bodo Möller committed
     should not depend on that one because it is not authenticated
     by the Finished messages.
     [Bodo Moeller]

Ulf Möller's avatar
Ulf Möller committed
  *) More robust randomness gathering functions for Windows.
     [Jeffrey Altman <jaltman@columbia.edu>]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
     not set then we don't setup the error code for issuer check errors
     to avoid possibly overwriting other errors which the callback does
     handle. If an application does set the flag then we assume it knows
     what it is doing and can handle the new informational codes
     appropriately.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
     a general "ANY" type, as such it should be able to decode anything
     including tagged types. However it didn't check the class so it would
     wrongly interpret tagged types in the same way as their universal
     counterpart and unknown types were just rejected. Changed so that the
     tagged and unknown types are handled in the same way as a SEQUENCE:
     that is the encoding is stored intact. There is also a new type
     "V_ASN1_OTHER" which is used when the class is not universal, in this
     case we have no idea what the actual type is so we just lump them all
     together.
     [Steve Henson]

  *) On VMS, stdout may very well lead to a file that is written to
     in a record-oriented fashion.  That means that every write() will
     write a separate record, which will be read separately by the
     programs trying to read from it.  This can be very confusing.

     The solution is to put a BIO filter in the way that will buffer
     text until a linefeed is reached, and then write everything a
     line at a time, so every record written will be an actual line,
     not chunks of lines and not (usually doesn't happen, but I've
     seen it once) several lines in one record.  BIO_f_linebuffer() is
     the answer.

     Currently, it's a VMS-only method, because that's where it has
     been tested well enough.
     [Richard Levitte]

  *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
     it can return incorrect results.
     (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
     but it was in 0.9.6-beta[12].)
  *) Disable the check for content being present when verifying detached
     signatures in pk7_smime.c. Some versions of Netscape (wrongly)
     include zero length content when signing messages.
     [Steve Henson]

  *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
     BIO_ctrl (for BIO pairs).
Ulf Möller's avatar
Ulf Möller committed
     [Bodo Möller]
  *) Add DSO method for VMS.
     [Richard Levitte]

  *) Bug fix: Montgomery multiplication could produce results with the
     wrong sign.
     [Ulf Möller]

  *) Add RPM specification openssl.spec and modify it to build three
     packages.  The default package contains applications, application
     documentation and run-time libraries.  The devel package contains
     include files, static libraries and function documentation.  The
     doc package contains the contents of the doc directory.  The original
     openssl.spec was provided by Damien Miller <djm@mindrot.org>.
     [Richard Levitte]
     
  *) Add a large number of documentation files for many SSL routines.
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

  *) Add a configuration entry for Sony News 4.
     [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]

Ulf Möller's avatar
Ulf Möller committed
  *) Don't set the two most significant bits to one when generating a
     random number < q in the DSA library.
Ulf Möller's avatar
Ulf Möller committed

  *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
     behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
     the underlying transport is blocking) if a handshake took place.
     (The default behaviour is needed by applications such as s_client
     and s_server that use select() to determine when to use SSL_read;
     but for applications that know in advance when to expect data, it
     just makes things more complicated.)
     [Bodo Moeller]

Ben Laurie's avatar
Ben Laurie committed
  *) Add RAND_egd_bytes(), which gives control over the number of bytes read
     from EGD.
     [Ben Laurie]

  *) Add a few more EBCDIC conditionals that make `req' and `x509'
     work better on such systems.
     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]

  *) Add two demo programs for PKCS12_parse() and PKCS12_create().
     Update PKCS12_parse() so it copies the friendlyName and the
     keyid to the certificates aux info.
     [Steve Henson]

  *) Fix bug in PKCS7_verify() which caused an infinite loop
     if there was more than one signature.
     [Sven Uszpelkat <su@celocom.de>]

  *) Major change in util/mkdef.pl to include extra information
     about each symbol, as well as presenting variables as well
     as functions.  This change means that there's n more need
     to rebuild the .num files when some algorithms are excluded.
     [Richard Levitte]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Allow the verify time to be set by an application,
     rather than always using the current time.
     [Steve Henson]
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Phase 2 verify code reorganisation. The certificate
     verify code now looks up an issuer certificate by a
     number of criteria: subject name, authority key id
     and key usage. It also verifies self signed certificates
     by the same criteria. The main comparison function is
     X509_check_issued() which performs these checks.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     Lot of changes were necessary in order to support this
     without completely rewriting the lookup code.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     Authority and subject key identifier are now cached.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The LHASH 'certs' is X509_STORE has now been replaced
     by a STACK_OF(X509_OBJECT). This is mainly because an
     LHASH can't store or retrieve multiple objects with
     the same hash value.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     As a result various functions (which were all internal
     use only) have changed to handle the new X509_STORE
     structure. This will break anything that messed round
     with X509_STORE internally.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The functions X509_STORE_add_cert() now checks for an
     exact match, rather than just subject name.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The X509_STORE API doesn't directly support the retrieval
     of multiple certificates matching a given criteria, however
     this can be worked round by performing a lookup first
     (which will fill the cache with candidate certificates)
     and then examining the cache for matches. This is probably
     the best we can do without throwing out X509_LOOKUP
     entirely (maybe later...).
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The X509_VERIFY_CTX structure has been enhanced considerably.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     All certificate lookup operations now go via a get_issuer()
     callback. Although this currently uses an X509_STORE it
     can be replaced by custom lookups. This is a simple way
     to bypass the X509_STORE hackery necessary to make this
     work and makes it possible to use more efficient techniques
     in future. A very simple version which uses a simple
     STACK for its trusted certificate store is also provided
     using X509_STORE_CTX_trusted_stack().
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The verify_cb() and verify() callbacks now have equivalents
     in the X509_STORE_CTX structure.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     X509_STORE_CTX also has a 'flags' field which can be used
     to customise the verify behaviour.
     [Steve Henson]
  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
     excludes S/MIME capabilities.
     [Steve Henson]

  *) When a certificate request is read in keep a copy of the
     original encoding of the signed data and use it when outputing
     again. Signatures then use the original encoding rather than
     a decoded, encoded version which may cause problems if the
     request is improperly encoded.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) For consistency with other BIO_puts implementations, call
     buffer_write(b, ...) directly in buffer_puts instead of calling
     BIO_write(b, ...).
Bodo Möller's avatar
Bodo Möller committed

     In BIO_puts, increment b->num_write as in BIO_write.
Bodo Möller's avatar
Bodo Möller committed
     [Peter.Sylvester@EdelWeb.fr]

  *) Fix BN_mul_word for the case where the word is 0. (We have to use
     BN_zero, we may not return a BIGNUM with an array consisting of
     words set to zero.)
     [Bodo Moeller]

  *) Avoid calling abort() from within the library when problems are
     detected, except if preprocessor symbols have been defined
     (such as REF_CHECK, BN_DEBUG etc.).
     [Bodo Moeller]

  *) New openssl application 'rsautl'. This utility can be
     used for low level RSA operations. DER public key
     BIO/fp routines also added.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) New Configure entry and patches for compiling on QNX 4.
     [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]

Ben Laurie's avatar
Ben Laurie committed
  *) A demo state-machine implementation was sponsored by
     Nuron (http://www.nuron.com/) and is now available in
     demos/state_machine.
     [Ben Laurie]

  *) New options added to the 'dgst' utility for signature
     generation and verification.
     [Steve Henson]

  *) Unrecognized PKCS#7 content types are now handled via a
     catch all ASN1_TYPE structure. This allows unsupported
     types to be stored as a "blob" and an application can
     encode and decode it manually.
     [Steve Henson]

  *) Fix various signed/unsigned issues to make a_strex.c
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     compile under VC++.
     [Oscar Jacobsson <oscar.jacobsson@celocom.com>]

  *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
     length if passed a buffer. ASN1_INTEGER_to_BN failed
     if passed a NULL BN and its argument was negative.
     [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Modification to PKCS#7 encoding routines to output definite
     length encoding. Since currently the whole structures are in
     memory there's not real point in using indefinite length 
     constructed encoding. However if OpenSSL is compiled with
     the flag PKCS7_INDEFINITE_ENCODING the old form is used.
     [Steve Henson]

  *) Added BIO_vprintf() and BIO_vsnprintf().
     [Richard Levitte]

  *) Added more prefixes to parse for in the the strings written
     through a logging bio, to cover all the levels that are available
     through syslog.  The prefixes are now:

	PANIC, EMERG, EMR	=>	LOG_EMERG
	ALERT, ALR		=>	LOG_ALERT
	CRIT, CRI		=>	LOG_CRIT
	ERROR, ERR		=>	LOG_ERR
	WARNING, WARN, WAR	=>	LOG_WARNING
	NOTICE, NOTE, NOT	=>	LOG_NOTICE
	INFO, INF		=>	LOG_INFO
	DEBUG, DBG		=>	LOG_DEBUG

     and as before, if none of those prefixes are present at the
     beginning of the string, LOG_ERR is chosen.

     On Win32, the LOG_* levels are mapped according to this:

	LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR	=> EVENTLOG_ERROR_TYPE
	LOG_WARNING				=> EVENTLOG_WARNING_TYPE
	LOG_NOTICE, LOG_INFO, LOG_DEBUG		=> EVENTLOG_INFORMATION_TYPE

     [Richard Levitte]

  *) Made it possible to reconfigure with just the configuration
     argument "reconf" or "reconfigure".  The command line arguments
     are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
     and are retrieved from there when reconfiguring.
     [Richard Levitte]

     [Assar Westerlund <assar@sics.se>, Richard Levitte]
  *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
     [Richard Levitte]

  *) The obj_dat.pl script was messing up the sorting of object
     names. The reason was that it compared the quoted version
     of strings as a result "OCSP" > "OCSP Signing" because
     " > SPACE. Changed script to store unquoted versions of
     names and add quotes on output. It was also omitting some
     names from the lookup table if they were given a default
     value (that is if SN is missing it is given the same
     value as LN and vice versa), these are now added on the
     grounds that if an object has a name we should be able to
     look it up. Finally added warning output when duplicate
     short or long names are found.
     [Steve Henson]

Ulf Möller's avatar
Ulf Möller committed
     [Scott Uroff <scott@xypro.com>]
Bodo Möller's avatar
Bodo Möller committed
  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
     RSA_padding_check_SSLv23(), special padding was never detected
     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
     version rollback attacks was not effective.

     In s23_clnt.c, don't use special rollback-attack detection padding
     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
     client; similarly, in s23_srvr.c, don't do the rollback check if
     SSL 2.0 is the only protocol enabled in the server.
     [Bodo Moeller]

  *) Make it possible to get hexdumps of unprintable data with 'openssl
     asn1parse'.  By implication, the functions ASN1_parse_dump() and
     BIO_dump_indent() are added.
     [Richard Levitte]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
     these print out strings and name structures based on various
     flags including RFC2253 support and proper handling of
     multibyte characters. Added options to the 'x509' utility 
     to allow the various flags to be set.
     [Steve Henson]

  *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
     Also change the functions X509_cmp_current_time() and
     X509_gmtime_adj() work with an ASN1_TIME structure,
     this will enable certificates using GeneralizedTime in validity
     dates to be checked.
     [Steve Henson]

  *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
     negative public key encodings) on by default,
     NO_NEG_PUBKEY_BUG can be set to disable it.
     [Steve Henson]

  *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
     content octets. An i2c_ASN1_OBJECT is unnecessary because
     the encoding can be trivially obtained from the structure.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
     not read locks (CRYPTO_r_[un]lock).
     [Bodo Moeller]

  *) A first attempt at creating official support for shared
     libraries through configuration.  I've kept it so the
     default is static libraries only, and the OpenSSL programs
     are always statically linked for now, but there are
     preparations for dynamic linking in place.
     This has been tested on Linux and Tru64.
  *) Randomness polling function for Win9x, as described in:
     Peter Gutmann, Software Generation of Practically Strong
     Random Numbers.
     [Ulf Möller]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Fix so PRNG is seeded in req if using an already existing
     DSA key.
     [Steve Henson]

  *) New options to smime application. -inform and -outform
     allow alternative formats for the S/MIME message including
     PEM and DER. The -content option allows the content to be
     specified separately. This should allow things like Netscape
     form signing output easier to verify.
     [Steve Henson]

  *) Fix the ASN1 encoding of tags using the 'long form'.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
     STRING types. These convert content octets to and from the
     underlying type. The actual tag and length octets are
     already assumed to have been read in and checked. These
     are needed because all other string types have virtually
     identical handling apart from the tag. By having versions
     of the ASN1 functions that just operate on content octets
     IMPLICIT tagging can be handled properly. It also allows
     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
     and ASN1_INTEGER are identical apart from the tag.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  *) Change the handling of OID objects as follows:

     - New object identifiers are inserted in objects.txt, following
       the syntax given in objects.README.
     - objects.pl is used to process obj_mac.num and create a new
       obj_mac.h.
     - obj_dat.pl is used to create a new obj_dat.h, using the data in
       obj_mac.h.