X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=231986b27bfef42aa401b3c8d981ed78b8d88e6c;hp=5c490406bf6f9a79744f59611b9568c3a7b29bee;hb=7a8645d1716d7f84435b0f3d8d2fd122d6f75113;hpb=458c29175ec2a7e9a76792fdf7324a20e04fdf08 diff --git a/CHANGES b/CHANGES index 5c490406bf..231986b27b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,12 +4,165 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] - *) Add 'nid' and 'asn1_flag' members to EC_GROUP, and functions - EC_GROUP_get_nid() - EC_GROUP_get_set_asn1_flag() - EC_GROUP_get_get_asn1_flag() - 'nid' is an optional NID for named curves. 'asn1_flag' - determines the encoding to be used for ASN1 purposes. + *) Let BN_rand_range() abort with an error after 100 iterations + without success (which indicates a broken PRNG). + [Bodo Moeller] + + *) Change BN_mod_sqrt() so that it verifies that the input value + is really the square of the return value. (Previously, + BN_mod_sqrt would show GIGO behaviour.) + [Bodo Moeller] + + *) Add named elliptic curves over binary fields from X9.62, SECG, + and WAP/WTLS; add OIDs that were still missing. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Extend the EC library for elliptic curves over binary fields + (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). + New EC_METHOD: + + EC_GF2m_simple_method + + New API functions: + + EC_GROUP_new_curve_GF2m + EC_GROUP_set_curve_GF2m + EC_GROUP_get_curve_GF2m + EC_POINT_set_affine_coordinates_GF2m + EC_POINT_get_affine_coordinates_GF2m + EC_POINT_set_compressed_coordinates_GF2m + + Point compression for binary fields is disabled by default for + patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to + enable it). + + As binary polynomials are represented as BIGNUMs, various members + of the EC_GROUP and EC_POINT data structures can be shared + between the implementations for prime fields and binary fields; + the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) + are essentially identical to their ..._GFp counterparts. + (For simplicity, the '..._GFp' prefix has been dropped from + various internal method names.) + + An internal 'field_div' method (similar to 'field_mul' and + 'field_sqr') has been added; this is used only for binary fields. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() + through methods ('mul', 'precompute_mult'). + + The generic implementations (now internally called 'ec_wNAF_mul' + and 'ec_wNAF_precomputed_mult') remain the default if these + methods are undefined. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) New function EC_GROUP_get_degree, which is defined through + EC_METHOD. For curves over prime fields, this returns the bit + length of the modulus. + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) New functions EC_GROUP_dup, EC_POINT_dup. + (These simply call ..._new and ..._copy). + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. + Polynomials are represented as BIGNUMs (where the sign bit is not + used) in the following functions [macros]: + + BN_GF2m_add + BN_GF2m_sub [= BN_GF2m_add] + BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] + BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] + BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] + BN_GF2m_mod_inv + BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] + BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] + BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] + BN_GF2m_cmp [= BN_ucmp] + + (Note that only the 'mod' functions are actually for fields GF(2^m). + BN_GF2m_add() is misnomer, but this is for the sake of consistency.) + + For some functions, an the irreducible polynomial defining a + field can be given as an 'unsigned int[]' with strictly + decreasing elements giving the indices of those bits that are set; + i.e., p[] represents the polynomial + f(t) = t^p[0] + t^p[1] + ... + t^p[k] + where + p[0] > p[1] > ... > p[k] = 0. + This applies to the following functions: + + BN_GF2m_mod_arr + BN_GF2m_mod_mul_arr + BN_GF2m_mod_sqr_arr + BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] + BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] + BN_GF2m_mod_exp_arr + BN_GF2m_mod_sqrt_arr + BN_GF2m_mod_solve_quad_arr + BN_GF2m_poly2arr + BN_GF2m_arr2poly + + Conversion can be performed by the following functions: + + BN_GF2m_poly2arr + BN_GF2m_arr2poly + + bntest.c has additional tests for binary polynomial arithmetic. + + Two implementations for BN_GF2m_mod_div() are available. + The default algorithm simply uses BN_GF2m_mod_inv() and + BN_GF2m_mod_mul(). The alternative algorithm is compiled in only + if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the + copyright notice in crypto/bn/bn_gf2m.c before enabling it). + + [Sheueling Chang Shantz and Douglas Stebila + (Sun Microsystems Laboratories)] + + *) Add new error code 'ERR_R_DISABLED' that can be used when some + functionality is disabled at compile-time. + [Douglas Stebila ] + + *) Change default behaviour of 'openssl asn1parse' so that more + information is visible when viewing, e.g., a certificate: + + Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' + mode the content of non-printable OCTET STRINGs is output in a + style similar to INTEGERs, but with '[HEX DUMP]' prepended to + avoid the appearance of a printable string. + [Nils Larsch ] + + *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access + functions + EC_GROUP_set_asn1_flag() + EC_GROUP_get_asn1_flag() + EC_GROUP_set_point_conversion_form() + EC_GROUP_get_point_conversion_form() + These control ASN1 encoding details: + - Curves (i.e., groups) are encoded explicitly unless asn1_flag + has been set to OPENSSL_EC_NAMED_CURVE. + - Points are encoded in uncompressed form by default; options for + asn1_for are as for point2oct, namely + POINT_CONVERSION_COMPRESSED + POINT_CONVERSION_UNCOMPRESSED + POINT_CONVERSION_HYBRID + + Also add 'seed' and 'seed_len' members to EC_GROUP with access + functions + EC_GROUP_set_seed() + EC_GROUP_get0_seed() + EC_GROUP_get_seed_len() + This is used only for ASN1 purposes (so far). [Nils Larsch ] *) Add 'field_type' member to EC_METHOD, which holds the NID @@ -51,8 +204,8 @@ *) Add ECDSA in new directory crypto/ecdsa/. - Add applications 'openssl ecdsaparam' and 'openssl ecdsa' - (these are variants of 'openssl dsaparam' and 'openssl dsa'). + Add applications 'openssl ecparam' and 'openssl ecdsa' + (these are based on 'openssl dsaparam' and 'openssl dsa'). ECDSA support is also included in various other files across the library. Most notably, @@ -69,13 +222,56 @@ functions EC_GROUP_new_by_nid() EC_GROUP_new_by_name() - Also add a 'nid' field to EC_GROUP objects, which can be accessed - via + Also add a 'curve_name' member to EC_GROUP objects, which can be + accessed via EC_GROUP_set_nid() EC_GROUP_get_nid() [Nils Larsch ] + + *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT + to allow version independent disabling of normally unselected ciphers, + which may be activated as a side-effect of selecting a single cipher. + + (E.g., cipher list string "RSA" enables ciphersuites that are left + out of "ALL" because they do not provide symmetric encryption. + "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) + [Lutz Jaenicke, Bodo Moeller] + + *) Add appropriate support for separate platform-dependent build + directories. The recommended way to make a platform-dependent + build directory is the following (tested on Linux), maybe with + some local tweaks: + + # Place yourself outside of the OpenSSL source tree. In + # this example, the environment variable OPENSSL_SOURCE + # is assumed to contain the absolute OpenSSL source directory. + mkdir -p objtree/`uname -s`-`uname -r`-`uname -m` + cd objtree/`uname -s`-`uname -r`-`uname -m` + (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do + mkdir -p `dirname $F` + ln -s $OPENSSL_SOURCE/$F $F + done + + To be absolutely sure not to disturb the source tree, a "make clean" + is a good thing. If it isn't successfull, don't worry about it, + it probably means the source directory is very clean. + [Richard Levitte] + + *) Make sure any ENGINE control commands make local copies of string + pointers passed to them whenever necessary. Otherwise it is possible + the caller may have overwritten (or deallocated) the original string + data when a later ENGINE operation tries to use the stored values. + [Götz Babin-Ebell ] + + *) Improve diagnostics in file reading and command-line digests. + [Ben Laurie aided and abetted by Solar Designer ] *) Add AES modes CFB and OFB to the object database. Correct an error in AES-CFB decryption. @@ -102,6 +298,8 @@ form for "surname", serialNumber has no short form. Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; therefore remove "mail" short name for "internet 7". + The OID for unique identifiers in X509 certificates is + x500UniqueIdentifier, not uniqueIdentifier. Some more OID additions. (Michael Bell ) [Lutz Jaenicke] @@ -408,6 +606,10 @@ By default, clients may request session resumption even during renegotiation (if session ID contexts permit); with this option, session resumption is possible only in the first handshake. + + SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes + more bits available for options that should not be part of + SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). [Bodo Moeller] *) Add some demos for certificate and certificate request creation. @@ -528,8 +730,8 @@ [Bodo Moeller, Lutz Jaenicke] *) Rationalise EVP so it can be extended: don't include a union of - cipher/digest structures, add init/cleanup functions. This also reduces - the number of header dependencies. + cipher/digest structures, add init/cleanup functions for EVP_MD_CTX + (similar to those existing for EVP_CIPHER_CTX). Usage example: EVP_MD_CTX md; @@ -1113,14 +1315,15 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k handle the new API. Currently only ECB, CBC modes supported. Add new AES OIDs. - Add TLS AES ciphersuites as described in the "AES Ciphersuites - for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet - official, they are not enabled by default and are not even part - of the "ALL" ciphersuite alias; for now, they must be explicitly - requested by specifying the new "AESdraft" ciphersuite alias. If - you want the default ciphersuite list plus the new ciphersuites, - use "DEFAULT:AESdraft:@STRENGTH". - [Ben Laurie, Steve Henson, Bodo Moeller] + Add TLS AES ciphersuites as described in RFC3268, "Advanced + Encryption Standard (AES) Ciphersuites for Transport Layer + Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were + not enabled by default and were not part of the "ALL" ciphersuite + alias because they were not yet official; they could be + explicitly requested by specifying the "AESdraft" ciphersuite + group alias. In the final release of OpenSSL 0.9.7, the group + alias is called "AES" and is part of "ALL".) + [Ben Laurie, Steve Henson, Bodo Moeller] *) New function OCSP_copy_nonce() to copy nonce value (if present) from request to response. @@ -1690,11 +1893,82 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] - Changes between 0.9.6d and 0.9.6e [XX xxx XXXX] + Changes between 0.9.6e and 0.9.6f [XX xxx XXXX] + + *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX + and get fix the header length calculation. + [Florian Weimer , + Alon Kantor (and others), + Steve Henson] + + *) Use proper error handling instead of 'assertions' in buffer + overflow checks added in 0.9.6e. This prevents DoS (the + assertions could call abort()). + [Arne Ansper , Bodo Moeller] + + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] + + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. + [Steve Henson, Adi Stav , James Yonan ] + + *) Fix cipher selection routines: ciphers without encryption had no flags + for the cipher strength set and where therefore not handled correctly + by the selection routines (PR #130). + [Lutz Jaenicke] *) Fix EVP_dsa_sha macro. [Nils Larsch] + *) New option + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure + that was added in OpenSSL 0.9.6d. + + As the countermeasure turned out to be incompatible with some + broken SSL implementations, the new option is part of SSL_OP_ALL. + SSL_OP_ALL is usually employed when compatibility with weird SSL + implementations is desired (e.g. '-bugs' option to 's_client' and + 's_server'), so the new option is automatically set in many + applications. + [Bodo Moeller] + + *) Changes in security patch: + + Changes marked "(CHATS)" were sponsored by the Defense Advanced + Research Projects Agency (DARPA) and Air Force Research Laboratory, + Air Force Materiel Command, USAF, under agreement number + F30602-01-2-0537. + + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. (CAN-2002-0659) + [Steve Henson, Adi Stav , James Yonan ] + + *) Assertions for various potential buffer overflows, not known to + happen in practice. + [Ben Laurie (CHATS)] + + *) Various temporary buffers to hold ASCII versions of integers were + too small for 64 bit platforms. (CAN-2002-0655) + [Matthew Byng-Maddick and Ben Laurie (CHATS)> + + *) Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized master key in Kerberos-enabled versions. + (CAN-2002-0657) + [Ben Laurie (CHATS)] + + *) Remote buffer overflow in SSL3 protocol - an attacker could + supply an oversized session ID to a client. (CAN-2002-0656) + [Ben Laurie (CHATS)] + + *) Remote buffer overflow in SSL2 protocol - an attacker could + supply an oversized client master key. (CAN-2002-0656) + [Ben Laurie (CHATS)] + Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not