X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=7ae61a558ffa7a7560609b325547ba397266b0a5;hp=48daf2e2a35537efeb07b0432f864781cd85aaaf;hb=16e819e1d8916aab302625c065aba567cc403f41;hpb=924875e53bda2ea5057070c9365ee5c0b3f0d6d5 diff --git a/CHANGES b/CHANGES index 48daf2e2a3..7ae61a558f 100644 --- a/CHANGES +++ b/CHANGES @@ -5,13 +5,192 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2001] OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001) - and OpenSSL 0.9.7 were developped in parallel, based on OpenSSL 0.9.6. + and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6. Change log entries are tagged as follows: -) applies to 0.9.6a/0.9.6b/0.9.6c only *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + +) Add support for shared libraries for Unixware-7 and support including + shared libraries for OpenUNIX-8 (Boyd Lynn Gerber ). + [Lutz Jaenicke] + + *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid + 'wristwatch attack' using huge encoding parameters (cf. + James H. Manger's CRYPTO 2001 paper). Note that the + RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use + encoding parameters and hence was not vulnerable. + [Bodo Moeller] + + +) Add a "destroy" handler to ENGINEs that allows structural cleanup to + be done prior to destruction. Use this to unload error strings from + ENGINEs that load their own error strings. NB: This adds two new API + functions to "get" and "set" this destroy handler in an ENGINE. + [Geoff Thorpe] + + +) Alter all existing ENGINE implementations (except "openssl" and + "openbsd") to dynamically instantiate their own error strings. This + makes them more flexible to be built both as statically-linked ENGINEs + and self-contained shared-libraries loadable via the "dynamic" ENGINE. + Also, add stub code to each that makes building them as self-contained + shared-libraries easier (see README.ENGINE). + [Geoff Thorpe] + + +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE + implementations into applications that are completely implemented in + self-contained shared-libraries. The "dynamic" ENGINE exposes control + commands that can be used to configure what shared-library to load and + to control aspects of the way it is handled. Also, made an update to + the README.ENGINE file that brings its information up-to-date and + provides some information and instructions on the "dynamic" ENGINE + (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). + [Geoff Thorpe] + + *) BN_sqr() bug fix. + [Ulf Möller, reported by Jim Ellis ] + + *) Make it possible to unload ranges of ERR strings with a new + "ERR_unload_strings" function. + [Geoff Thorpe] + + *) Rabin-Miller test analyses assume uniformly distributed witnesses, + so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() + followed by modular reduction. + [Bodo Moeller; pointed out by Adam Young ] + + *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() + equivalent based on BN_pseudo_rand() instead of BN_rand(). + [Bodo Moeller] + + +) Add a copy() function to EVP_MD. + [Ben Laurie] + + +) Make EVP_MD routines take a context pointer instead of just the + md_data void pointer. + [Ben Laurie] + + +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates + that the digest can only process a single chunk of data + (typically because it is provided by a piece of + hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application + is only going to provide a single chunk of data, and hence the + framework needn't accumulate the data for oneshot drivers. + [Ben Laurie] + + +) As with "ERR", make it possible to replace the underlying "ex_data" + functions. This change also alters the storage and management of global + ex_data state - it's now all inside ex_data.c and all "class" code (eg. + RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class + index counters. The API functions that use this state have been changed + to take a "class_index" rather than pointers to the class's local STACK + and counter, and there is now an API function to dynamically create new + classes. This centralisation allows us to (a) plug a lot of the + thread-safety problems that existed, and (b) makes it possible to clean + up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) + such data would previously have always leaked in application code and + workarounds were in place to make the memory debugging turn a blind eye + to it. Application code that doesn't use this new function will still + leak as before, but their memory debugging output will announce it now + rather than letting it slide. + + Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change + induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now + has a return value to indicate success or failure. + [Geoff Thorpe] + + +) Make it possible to replace the underlying "ERR" functions such that the + global state (2 LHASH tables and 2 locks) is only used by the "default" + implementation. This change also adds two functions to "get" and "set" + the implementation prior to it being automatically set the first time + any other ERR function takes place. Ie. an application can call "get", + pass the return value to a module it has just loaded, and that module + can call its own "set" function using that value. This means the + module's "ERR" operations will use (and modify) the error state in the + application and not in its own statically linked copy of OpenSSL code. + [Geoff Thorpe] + + +) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment + reference counts. This performs normal REF_PRINT/REF_CHECK macros on + the operation, and provides a more encapsulated way for external code + (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code + to use these functions rather than manually incrementing the counts. + + Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". + [Geoff Thorpe] + + *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). + This function was broken, as the check for a new client hello message + to handle SGC did not allow these large messages. + (Tracked down by "Douglas E. Engert" .) + [Lutz Jaenicke] + + *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). + [Lutz Jaenicke] + + +) Add EVP test program. + [Ben Laurie] + + +) Add symmetric cipher support to ENGINE. Expect the API to change! + [Ben Laurie] + + +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() + X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), + X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). + These allow a CRL to be built without having to access X509_CRL fields + directly. Modify 'ca' application to use new functions. + [Steve Henson] + + *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() + for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" ). + [Lutz Jaenicke] + + *) Rework the configuration and shared library support for Tru64 Unix. + The configuration part makes use of modern compiler features and + still retains old compiler behavior for those that run older versions + of the OS. The shared library support part includes a variant that + uses the RPATH feature, and is available through the special + configuration target "alpha-cc-rpath", which will never be selected + automatically. + [Tim Mooney via Richard Levitte] + + *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() + with the same message size as in ssl3_get_certificate_request(). + Otherwise, if no ServerKeyExchange message occurs, CertificateRequest + messages might inadvertently be reject as too long. + [Petr Lampa ] + + +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended + bug workarounds. Rollback attack detection is a security feature. + The problem will only arise on OpenSSL servers when TLSv1 is not + available (sslv3_server_method() or SSL_OP_NO_TLSv1). + Software authors not wanting to support TLSv1 will have special reasons + for their choice and can explicitly enable this option. + [Bodo Moeller, Lutz Jaenicke] + + +) Rationalise EVP so it can be extended: don't include a union of + cipher/digest structures, add init/cleanup functions. This also reduces + the number of header dependencies. + [Ben Laurie] + + +) Make DES key schedule conform to the usual scheme, as well as + correcting its structure. This means that calls to DES functions + now have to pass a pointer to a des_key_schedule instead of a + plain des_key_schedule (which was actually always a pointer + anyway). + [Ben Laurie] + + +) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). + [Andy Polyakov] + + *) Modified SSL library such that the verify_callback that has been set + specificly for an SSL object with SSL_set_verify() is actually being + used. Before the change, a verify_callback set with this function was + ignored and the verify_callback() set in the SSL_CTX at the time of + the call was used. New function X509_STORE_CTX_set_verify_cb() introduced + to allow the necessary settings. + [Lutz Jaenicke] + +) Initial reduction of linker bloat: the use of some functions, such as PEM causes large amounts of unused functions to be linked in due to poor organisation. For example pem_all.c contains every PEM function @@ -20,10 +199,10 @@ functions prevents this. [Steve Henson] - *) Initialize static variable in crypto/dsa/dsa_lib.c explicitely to - NULL, as at least on Solaris 8 this seems not to be done automatically - (in contradiction to the requirements of the C standard). - This made problems when used from OpenSSH. + *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c + explicitly to NULL, as at least on Solaris 8 this seems not always to be + done automatically (in contradiction to the requirements of the C + standard). This made problems when used from OpenSSH. [Lutz Jaenicke] *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored @@ -176,7 +355,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] +) Enhance the general user interface with mechanisms for inner control - and with pssibilities to have yes/no kind of prompts. + and with possibilities to have yes/no kind of prompts. [Richard Levitte] +) Change all calls to low level digest routines in the library and @@ -189,14 +368,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Change the key loaders to take a UI_METHOD instead of a callback function pointer. NOTE: this breaks binary compatibility with earlier versions of OpenSSL [engine]. - Addapt the nCipher code for these new conditions and add a card insertion + Adapt the nCipher code for these new conditions and add a card insertion callback. [Richard Levitte] +) Enhance the general user interface with mechanisms to better support dialog box interfaces, application-defined prompts, the possibility to use defaults (for example default passwords from somewhere else) - and interrupts/cancelations. + and interrupts/cancellations. [Richard Levitte] *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is @@ -216,7 +395,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 - RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking @@ -237,7 +416,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also - tidy up some unecessarily weird code in 'sk_new()'). + tidy up some unnecessarily weird code in 'sk_new()'). [Geoff, reported by Diego Tartara ] +) Change the key loading routines for ENGINEs to use the same kind @@ -267,7 +446,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k const ASN1_ITEM *it = &ASN1_INTEGER_it; wont compile. This is used by the any applications that need to - delcare their own ASN1 modules. This was fixed by adding the option + declare their own ASN1 modules. This was fixed by adding the option EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly needed for static libraries under Win32. [Steve Henson] @@ -423,12 +602,12 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k combination of a flag and a thread ID variable. Otherwise while one thread is in ssleay_rand_bytes (which sets the flag), *other* threads can enter ssleay_add_bytes without obeying - the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock + the CRYPTO_LOCK_RAND lock (and may even illegally release the lock that they do not hold after the first thread unsets add_do_not_lock). [Bodo Moeller] +) Implement binary inversion algorithm for BN_mod_inverse in addition - to the algorithm using long divison. The binary algorithm can be + to the algorithm using long division. The binary algorithm can be used only if the modulus is odd. On 32-bit systems, it is faster only for relatively small moduli (roughly 20-30% for 128-bit moduli, roughly 5-15% for 256-bit moduli), so we use it only for moduli @@ -641,10 +820,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k #define bar OPENSSL_GLOBAL_REF(bar) The #defines are very important, and therefore so is including the - header file everywere where the defined globals are used. + header file everywhere where the defined globals are used. The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition - of ASN.1 items, but that structure is a bt different. + of ASN.1 items, but that structure is a bit different. The largest change is in util/mkdef.pl which has been enhanced with better and easier to understand logic to choose which symbols should @@ -673,7 +852,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k responses. OCSP responses are prepared in real time and may only be a few seconds old. Simply checking that the current time lies between thisUpdate and nextUpdate max reject otherwise valid responses - caused by either OCSP responder or client clock innacuracy. Instead + caused by either OCSP responder or client clock inaccuracy. Instead we allow thisUpdate and nextUpdate to fall within a certain period of the current time. The age of the response can also optionally be checked. Two new options -validity_period and -status_age added to @@ -681,7 +860,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Steve Henson] +) If signature or public key algorithm is unrecognized print out its - OID rather that just UNKOWN. + OID rather that just UNKNOWN. [Steve Henson] *) Avoid coredump with unsupported or invalid public keys by checking if @@ -716,7 +895,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k to use such a feature) has been added to "s_server". [Geoff Thorpe, Lutz Jaenicke] - +) Modify mkdef.pl to recognise and parse prprocessor conditionals + +) Modify mkdef.pl to recognise and parse preprocessor conditionals of the form '#if defined(...) || defined(...) || ...' and '#if !defined(...) && !defined(...) && ...'. This also avoids the growing number of special cases it was previously handling. @@ -819,6 +998,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k the clients preferred ciphersuites and rather use its own preferences. Should help to work around M$ SGC (Server Gated Cryptography) bug in Internet Explorer by ensuring unchanged hash method during stepup. + (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) [Lutz Jaenicke] +) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael @@ -869,7 +1049,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k extract information from a certificate request. OCSP_response_create() creates a response and optionally adds a basic response structure. OCSP_basic_add1_status() adds a complete single response to a basic - reponse and returns the OCSP_SINGLERESP structure just added (to allow + response and returns the OCSP_SINGLERESP structure just added (to allow extensions to be included for example). OCSP_basic_add1_cert() adds a certificate to a basic response and OCSP_basic_sign() signs a basic response with various flags. New helper functions ASN1_TIME_check() @@ -879,7 +1059,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k +) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() in a single operation. X509_get0_pubkey_bitstr() extracts the public_key - structure from a certificate. X509_pubkey_digest() digests tha public_key + structure from a certificate. X509_pubkey_digest() digests the public_key contents: this is used in various key identifiers. [Steve Henson] @@ -899,7 +1079,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k +) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates passed by the function are trusted implicitly. If any of them signed the - reponse then it is assumed to be valid and is not verified. + response then it is assumed to be valid and is not verified. [Steve Henson] -) Make the CRL encoding routines work with empty SEQUENCE OF. The @@ -1940,7 +2120,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k default is static libraries only, and the OpenSSL programs are always statically linked for now, but there are preparations for dynamic linking in place. - This has been tested on Linux and True64. + This has been tested on Linux and Tru64. [Richard Levitte] *) Randomness polling function for Win9x, as described in: