X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=ac48f515bcf9e05d9a20e87e89de00e060e9e3a9;hp=7a30a305e3b90abcc20ef7548df477a799ff8a02;hb=08101d72ce181349ce4ae829aada41f9c0dab1e4;hpb=5dbd3efce784cb5621de8402430eda23d1762568 diff --git a/CHANGES b/CHANGES index 7a30a305e3..ac48f515bc 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,255 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] + *) Change the "progress" mechanism used in key-generation and + primality testing to functions that take a new BN_GENCB pointer in + place of callback/argument pairs. The new API functions have "_ex" + postfixes and the older functions are reimplemented as wrappers for + the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide + declarations of the old functions to help (graceful) attempts to + migrate to the new functions. Also, the new key-generation API + functions operate on a caller-supplied key-structure and return + success/failure rather than returning a key or NULL - this is to + help make "keygen" another member function of RSA_METHOD etc. + [Geoff Thorpe] + + *) Change the ZLIB compression method to be stateful, and make it + available to TLS with the number defined in + draft-ietf-tls-compression-04.txt. + [Richard Levitte] + + *) Add the ASN.1 structures and functions for CertificatePair, which + is defined as follows (according to X.509_4thEditionDraftV6.pdf): + + CertificatePair ::= SEQUENCE { + forward [0] Certificate OPTIONAL, + reverse [1] Certificate OPTIONAL, + -- at least one of the pair shall be present -- } + + Also implement the PEM functions to read and write certificate + pairs, and defined the PEM tag as "CERTIFICATE PAIR". + + This needed to be defined, mostly for the sake of the LDAP + attribute crossCertificatePair, but may prove useful elsewhere as + well. + [Richard Levitte] + + *) Make it possible to inhibit symlinking of shared libraries in + Makefile.shared, for Cygwin's sake. + [Richard Levitte] + + *) Extend the BIGNUM API by creating new macros that behave like + functions + + void BN_set_sign(BIGNUM *a, int neg); + int BN_get_sign(const BIGNUM *a); + + and avoid the need to access 'a->neg' directly in applications. + [Nils Larsch ] + + *) Implement fast modular reduction for pseudo-Mersenne primes + used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). + EC_GROUP_new_curve_GFp() will now automatically use this + if applicable. + [Nils Larsch ] + + *) Add new lock type (CRYPTO_LOCK_BN). + [Bodo Moeller] + + *) Change the ENGINE framework to automatically load engines + dynamically from specific directories unless they could be + found to already be built in or loaded. Move all the + current engines except for the cryptodev one to a new + directory engines/. + The engines in engines/ are built as shared libraries if + the "shared" options was given to ./Configure or ./config. + Otherwise, they are inserted in libcrypto.a. + /usr/local/ssl/engines is the default directory for dynamic + engines, but that can be overriden at configure time through + the usual use of --prefix and/or --openssldir, and at run + time with the environment variable OPENSSL_ENGINES. + [Geoff Thorpe and Richard Levitte] + + *) Add Makefile.shared, a helper makefile to build shared + libraries. Addapt Makefile.org. + [Richard Levitte] + + *) Add version info to Win32 DLLs. + [Peter 'Luna' Runestig" ] + + *) Add new 'medium level' PKCS#12 API. Certificates and keys + can be added using this API to created arbitrary PKCS#12 + files while avoiding the low level API. + + New options to PKCS12_create(), key or cert can be NULL and + will then be omitted from the output file. The encryption + algorithm NIDs can be set to -1 for no encryption, the mac + iteration count can be set to 0 to omit the mac. + + Enhance pkcs12 utility by making the -nokeys and -nocerts + options work when creating a PKCS#12 file. New option -nomac + to omit the mac, NONE can be set for an encryption algorithm. + New code is modified to use the enhanced PKCS12_create() + instead of the low level API. + [Steve Henson] + + *) Extend ASN1 encoder to support indefinite length constructed + encoding. This can output sequences tags and octet strings in + this form. Modify pk7_asn1.c to support indefinite length + encoding. This is experimental and needs additional code to + be useful, such as an ASN1 bio and some enhanced streaming + PKCS#7 code. + + Extend template encode functionality so that tagging is passed + down to the template encoder. + [Steve Henson] + + *) Let 'openssl req' fail if an argument to '-newkey' is not + recognized instead of using RSA as a default. + [Bodo Moeller] + + *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. + As these are not official, they are not included in "ALL"; + the "ECCdraft" ciphersuite group alias can be used to select them. + [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] + + *) Add ECDH engine support. + [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] + + *) Add ECDH in new directory crypto/ecdh/. +TODO: more general interface (return x coordinate, not its hash) +TODO: bug: pad x with leading zeros if necessary + [Douglas Stebila (Sun Microsystems Laboratories)] + + *) Let BN_rand_range() abort with an error after 100 iterations + without success (which indicates a broken PRNG). + [Bodo Moeller] + + *) Change BN_mod_sqrt() so that it verifies that the input value + is really the square of the return value. (Previously, + BN_mod_sqrt would show GIGO behaviour.) + [Bodo Moeller] + + *) Add named elliptic curves over binary fields from X9.62, SECG, + and WAP/WTLS; add OIDs that were still missing. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Extend the EC library for elliptic curves over binary fields + (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). + New EC_METHOD: + + EC_GF2m_simple_method + + New API functions: + + EC_GROUP_new_curve_GF2m + EC_GROUP_set_curve_GF2m + EC_GROUP_get_curve_GF2m + EC_POINT_set_affine_coordinates_GF2m + EC_POINT_get_affine_coordinates_GF2m + EC_POINT_set_compressed_coordinates_GF2m + + Point compression for binary fields is disabled by default for + patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to + enable it). + + As binary polynomials are represented as BIGNUMs, various members + of the EC_GROUP and EC_POINT data structures can be shared + between the implementations for prime fields and binary fields; + the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) + are essentially identical to their ..._GFp counterparts. + (For simplicity, the '..._GFp' prefix has been dropped from + various internal method names.) + + An internal 'field_div' method (similar to 'field_mul' and + 'field_sqr') has been added; this is used only for binary fields. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() + through methods ('mul', 'precompute_mult'). + + The generic implementations (now internally called 'ec_wNAF_mul' + and 'ec_wNAF_precomputed_mult') remain the default if these + methods are undefined. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) New function EC_GROUP_get_degree, which is defined through + EC_METHOD. For curves over prime fields, this returns the bit + length of the modulus. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) New functions EC_GROUP_dup, EC_POINT_dup. + (These simply call ..._new and ..._copy). + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. + Polynomials are represented as BIGNUMs (where the sign bit is not + used) in the following functions [macros]: + + BN_GF2m_add + BN_GF2m_sub [= BN_GF2m_add] + BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] + BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] + BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] + BN_GF2m_mod_inv + BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] + BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] + BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] + BN_GF2m_cmp [= BN_ucmp] + + (Note that only the 'mod' functions are actually for fields GF(2^m). + BN_GF2m_add() is misnomer, but this is for the sake of consistency.) + + For some functions, an the irreducible polynomial defining a + field can be given as an 'unsigned int[]' with strictly + decreasing elements giving the indices of those bits that are set; + i.e., p[] represents the polynomial + f(t) = t^p[0] + t^p[1] + ... + t^p[k] + where + p[0] > p[1] > ... > p[k] = 0. + This applies to the following functions: + + BN_GF2m_mod_arr + BN_GF2m_mod_mul_arr + BN_GF2m_mod_sqr_arr + BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] + BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] + BN_GF2m_mod_exp_arr + BN_GF2m_mod_sqrt_arr + BN_GF2m_mod_solve_quad_arr + BN_GF2m_poly2arr + BN_GF2m_arr2poly + + Conversion can be performed by the following functions: + + BN_GF2m_poly2arr + BN_GF2m_arr2poly + + bntest.c has additional tests for binary polynomial arithmetic. + + Two implementations for BN_GF2m_mod_div() are available. + The default algorithm simply uses BN_GF2m_mod_inv() and + BN_GF2m_mod_mul(). The alternative algorithm is compiled in only + if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the + copyright notice in crypto/bn/bn_gf2m.c before enabling it). + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Add new error code 'ERR_R_DISABLED' that can be used when some + functionality is disabled at compile-time. + [Douglas Stebila ] + *) Change default behaviour of 'openssl asn1parse' so that more information is visible when viewing, e.g., a certificate: @@ -85,21 +334,206 @@ - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make them suitable for ECDSA where domain parameters must be - extracted before the specific public key. + extracted before the specific public key; + - ECDSA engine support has been added. [Nils Larsch ] *) Include some named elliptic curves, and add OIDs from X9.62, - SECG, and WAP/WTLS. The curves can be obtained from the new - functions - EC_GROUP_new_by_nid() - EC_GROUP_new_by_name() + SECG, and WAP/WTLS. Each curve can be obtained from the new + function + EC_GROUP_new_by_nid(), + and the list of available named curves can be obtained with + EC_get_builtin_curves(). Also add a 'curve_name' member to EC_GROUP objects, which can be accessed via EC_GROUP_set_nid() EC_GROUP_get_nid() [Nils Larsch as + PR #377. + [Lutz Jaenicke] + + *) Change the declaration of needed Kerberos libraries to use EX_LIBS + instead of the special (and badly supported) LIBKRB5. LIBKRB5 is + removed entirely. + [Richard Levitte] + + *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it + seems that in spite of existing for more than a year, many application + author have done nothing to provide the necessary callbacks, which + means that this particular engine will not work properly anywhere. + This is a very unfortunate situation which forces us, in the name + of usability, to give the hw_ncipher.c a static lock, which is part + of libcrypto. + NOTE: This is for the 0.9.7 series ONLY. This hack will never + appear in 0.9.8 or later. We EXPECT application authors to have + dealt properly with this when 0.9.8 is released (unless we actually + make such changes in the libcrypto locking code that changes will + have to be made anyway). + [Richard Levitte] + + *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content + octets have been read, EOF or an error occurs. Without this change + some truncated ASN1 structures will not produce an error. + [Steve Henson] + + *) Disable Heimdal support, since it hasn't been fully implemented. + Still give the possibility to force the use of Heimdal, but with + warnings and a request that patches get sent to openssl-dev. + [Richard Levitte] + + *) Add the VC-CE target, introduce the WINCE sysname, and add + INSTALL.WCE and appropriate conditionals to make it build. + [Steven Reddie via Richard Levitte] + + *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and + cygssl-x.y.z.dll, where x, y and z are the major, minor and + edit numbers of the version. + [Corinna Vinschen and Richard Levitte] + + *) Introduce safe string copy and catenation functions + (BUF_strlcpy() and BUF_strlcat()). + [Ben Laurie (CHATS) and Richard Levitte] + + *) Avoid using fixed-size buffers for one-line DNs. + [Ben Laurie (CHATS)] + + *) Add BUF_MEM_grow_clean() to avoid information leakage when + resizing buffers containing secrets, and use where appropriate. + [Ben Laurie (CHATS)] + + *) Avoid using fixed size buffers for configuration file location. + [Ben Laurie (CHATS)] + + *) Avoid filename truncation for various CA files. + [Ben Laurie (CHATS)] + + *) Use sizeof in preference to magic numbers. + [Ben Laurie (CHATS)] + + *) Avoid filename truncation in cert requests. + [Ben Laurie (CHATS)] + + *) Add assertions to check for (supposedly impossible) buffer + overflows. + [Ben Laurie (CHATS)] + + *) Don't cache truncated DNS entries in the local cache (this could + potentially lead to a spoofing attack). + [Ben Laurie (CHATS)] + + *) Fix various buffers to be large enough for hex/decimal + representations in a platform independent manner. + [Ben Laurie (CHATS)] + + *) Add CRYPTO_realloc_clean() to avoid information leakage when + resizing buffers containing secrets, and use where appropriate. + [Ben Laurie (CHATS)] + + *) Add BIO_indent() to avoid much slightly worrying code to do + indents. + [Ben Laurie (CHATS)] + + *) Convert sprintf()/BIO_puts() to BIO_printf(). + [Ben Laurie (CHATS)] + + *) buffer_gets() could terminate with the buffer only half + full. Fixed. + [Ben Laurie (CHATS)] + + *) Add assertions to prevent user-supplied crypto functions from + overflowing internal buffers by having large block sizes, etc. + [Ben Laurie (CHATS)] + + *) New OPENSSL_assert() macro (similar to assert(), but enabled + unconditionally). + [Ben Laurie (CHATS)] + + *) Eliminate unused copy of key in RC4. + [Ben Laurie (CHATS)] + + *) Eliminate unused and incorrectly sized buffers for IV in pem.h. + [Ben Laurie (CHATS)] + + *) Fix off-by-one error in EGD path. + [Ben Laurie (CHATS)] + + *) If RANDFILE path is too long, ignore instead of truncating. + [Ben Laurie (CHATS)] + + *) Eliminate unused and incorrectly sized X.509 structure + CBCParameter. + [Ben Laurie (CHATS)] + + *) Eliminate unused and dangerous function knumber(). + [Ben Laurie (CHATS)] + + *) Eliminate unused and dangerous structure, KSSL_ERR. + [Ben Laurie (CHATS)] + + *) Protect against overlong session ID context length in an encoded + session object. Since these are local, this does not appear to be + exploitable. + [Ben Laurie (CHATS)] + + *) Change from security patch (see 0.9.6e below) that did not affect + the 0.9.6 release series: + + Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized master key in Kerberos-enabled versions. + (CAN-2002-0657) + [Ben Laurie (CHATS)] + + *) Change the SSL kerb5 codes to match RFC 2712. + [Richard Levitte] + + *) Make -nameopt work fully for req and add -reqopt switch. + [Michael Bell , Steve Henson] + + *) The "block size" for block ciphers in CFB and OFB mode should be 1. + [Steve Henson, reported by Yngve Nysaeter Pettersen ] + + *) Make sure tests can be performed even if the corresponding algorithms + have been removed entirely. This was also the last step to make + OpenSSL compilable with DJGPP under all reasonable conditions. + [Richard Levitte, Doug Kaufman ] + + *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT + to allow version independent disabling of normally unselected ciphers, + which may be activated as a side-effect of selecting a single cipher. + + (E.g., cipher list string "RSA" enables ciphersuites that are left + out of "ALL" because they do not provide symmetric encryption. + "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) + [Lutz Jaenicke, Bodo Moeller] + + *) Add appropriate support for separate platform-dependent build + directories. The recommended way to make a platform-dependent + build directory is the following (tested on Linux), maybe with + some local tweaks: + + # Place yourself outside of the OpenSSL source tree. In + # this example, the environment variable OPENSSL_SOURCE + # is assumed to contain the absolute OpenSSL source directory. + mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" + cd objtree/"`uname -s`-`uname -r`-`uname -m`" + (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do + mkdir -p `dirname $F` + ln -s $OPENSSL_SOURCE/$F $F + done + + To be absolutely sure not to disturb the source tree, a "make clean" + is a good thing. If it isn't successfull, don't worry about it, + it probably means the source directory is very clean. + [Richard Levitte] *) Make sure any ENGINE control commands make local copies of string pointers passed to them whenever necessary. Otherwise it is possible @@ -1730,7 +2164,101 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] - Changes between 0.9.6d and 0.9.6e [XX xxx XXXX] + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] + + *) New function OPENSSL_cleanse(), which is used to cleanse a section of + memory from it's contents. This is done with a counter that will + place alternating values in each byte. This can be used to solve + two issues: 1) the removal of calls to memset() by highly optimizing + compilers, and 2) cleansing with other values than 0, since those can + be read through on certain media, for example a swap space on disk. + [Geoff Thorpe] + + *) Bugfix: client side session caching did not work with external caching, + because the session->cipher setting was not restored when reloading + from the external cache. This problem was masked, when + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. + (Found by Steve Haslam .) + [Lutz Jaenicke] + + *) Fix client_certificate (ssl/s2_clnt.c): The permissible total + length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. + [Zeev Lieber ] + + *) Undo an undocumented change introduced in 0.9.6e which caused + repeated calls to OpenSSL_add_all_ciphers() and + OpenSSL_add_all_digests() to be ignored, even after calling + EVP_cleanup(). + [Richard Levitte] + + *) Change the default configuration reader to deal with last line not + being properly terminated. + [Richard Levitte] + + *) Change X509_NAME_cmp() so it applies the special rules on handling + DN values that are of type PrintableString, as well as RDNs of type + emailAddress where the value has the type ia5String. + [stefank@valicert.com via Richard Levitte] + + *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half + the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently + doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be + the bitwise-OR of the two for use by the majority of applications + wanting this behaviour, and update the docs. The documented + behaviour and actual behaviour were inconsistent and had been + changing anyway, so this is more a bug-fix than a behavioural + change. + [Geoff Thorpe, diagnosed by Nadav Har'El] + + *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c + (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). + [Bodo Moeller] + + *) Fix initialization code race conditions in + SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), + SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), + SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), + TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), + ssl2_get_cipher_by_char(), + ssl3_get_cipher_by_char(). + [Patrick McCormick , Bodo Moeller] + + *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after + the cached sessions are flushed, as the remove_cb() might use ex_data + contents. Bug found by Sam Varshavchik + (see [openssl.org #212]). + [Geoff Thorpe, Lutz Jaenicke] + + *) Fix typo in OBJ_txt2obj which incorrectly passed the content + length, instead of the encoding length to d2i_ASN1_OBJECT. + [Steve Henson] + + Changes between 0.9.6f and 0.9.6g [9 Aug 2002] + + *) [In 0.9.6g-engine release:] + Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall'). + [Lynn Gazis ] + + Changes between 0.9.6e and 0.9.6f [8 Aug 2002] + + *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX + and get fix the header length calculation. + [Florian Weimer , + Alon Kantor (and others), + Steve Henson] + + *) Use proper error handling instead of 'assertions' in buffer + overflow checks added in 0.9.6e. This prevents DoS (the + assertions could call abort()). + [Arne Ansper , Bodo Moeller] + + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] + + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. + [Steve Henson, Adi Stav , James Yonan ] *) Fix cipher selection routines: ciphers without encryption had no flags for the cipher strength set and where therefore not handled correctly @@ -1753,6 +2281,35 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k applications. [Bodo Moeller] + *) Changes in security patch: + + Changes marked "(CHATS)" were sponsored by the Defense Advanced + Research Projects Agency (DARPA) and Air Force Research Laboratory, + Air Force Materiel Command, USAF, under agreement number + F30602-01-2-0537. + + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. (CAN-2002-0659) + [Steve Henson, Adi Stav , James Yonan ] + + *) Assertions for various potential buffer overflows, not known to + happen in practice. + [Ben Laurie (CHATS)] + + *) Various temporary buffers to hold ASCII versions of integers were + too small for 64 bit platforms. (CAN-2002-0655) + [Matthew Byng-Maddick and Ben Laurie (CHATS)> + + *) Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized session ID to a client. (CAN-2002-0656) + [Ben Laurie (CHATS)] + + *) Remote buffer overflow in SSL2 protocol - an attacker could + supply an oversized client master key. (CAN-2002-0656) + [Ben Laurie (CHATS)] + Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not @@ -1839,13 +2396,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k value is 0. [Richard Levitte] - *) Add the configuration target linux-s390x. - [Neale Ferguson via Richard Levitte] - *) [In 0.9.6d-engine release:] Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] + *) Add the configuration target linux-s390x. + [Neale Ferguson via Richard Levitte] + *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag variable as an indication that a ClientHello message has been