Skip to content
CHANGES 232 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.6 and 0.9.7  [xx XXX 2001]
Bodo Möller's avatar
Bodo Möller committed
     OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
Ulf Möller's avatar
Ulf Möller committed
     and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.  
Bodo Möller's avatar
Bodo Möller committed

     Change log entries are tagged as follows:
Bodo Möller's avatar
Bodo Möller committed
         -) applies to 0.9.6a/0.9.6b/0.9.6c only
         *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
  +) Modify the behaviour of EVP cipher functions in similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter is
     not assumed to be valid before the call to EVP_DigestInit() and it is tidied
     up after a call to EVP_DigestFinal(). A new function EVP_DigestFinal_ex()
     but does not free up the ctx. Also change function EVP_MD_CTX_copy() to
     assume the destination is uninitialized: EVP_MD_CTX_copy_ex() do assumes
     the destiation is valid. Also modify all the OpenSSL digest calls to call 
     EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
     [Steve Henson]

  +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  +) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto iterfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  +) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  +) New function SSL_renegotiate_pending().  This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello receveived from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place.  SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     [Bodo Moeller]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circuments various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored.  However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  +) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  +) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  +) Add support for shared libraries for Unixware-7 and support including
     shared libraries for OpenUNIX-8 (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

Bodo Möller's avatar
Bodo Möller committed
  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
Ulf Möller's avatar
Ulf Möller committed
     encoding parameters and hence was not vulnerable.
Bodo Möller's avatar
Bodo Möller committed
     [Bodo Moeller]

  +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
Bodo Möller's avatar
Bodo Möller committed
     [Geoff Thorpe]
  +) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) BN_sqr() bug fix.
     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]

  *) Make it possible to unload ranges of ERR strings with a new
     "ERR_unload_strings" function.
     [Geoff Thorpe]

  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
     [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]

  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
Ulf Möller's avatar
Ulf Möller committed
     equivalent based on BN_pseudo_rand() instead of BN_rand().
  +) Add a copy() function to EVP_MD.
     [Ben Laurie]

  +) Make EVP_MD routines take a context pointer instead of just the
Ulf Möller's avatar
Ulf Möller committed
     md_data void pointer.
     [Ben Laurie]

  +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  +) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
Loading full blame...