OpenSSL CHANGES
_______________
- Changes between 0.9.7 and 0.9.8 [xx XXX 2002]
-
- *) Let 'openssl req' fail if an argument to '-newkey' is not
- recognized instead of using RSA as a default.
- [Bodo Moeller]
-
- *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
- As these are not official, they are not included in "ALL";
- the "ECCdraft" ciphersuite group alias can be used to select them.
- [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
-
- *) Add ECDH engine support.
- [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
-
- *) Add ECDH in new directory crypto/ecdh/.
-TODO: more general interface (return x coordinate, not its hash)
-TODO: bug: pad x with leading zeros if necessary
- [Douglas Stebila (Sun Microsystems Laboratories)]
-
- *) Let BN_rand_range() abort with an error after 100 iterations
- without success (which indicates a broken PRNG).
- [Bodo Moeller]
+ Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
+
+ *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
+ code (06) was taken as the first octet of the session ID and the last
+ octet was ignored consequently. As a result SSLv2 client side session
+ caching could not have worked due to the session ID mismatch between
+ client and server.
+ Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+ PR #377.
+ [Lutz Jaenicke]
- *) Change BN_mod_sqrt() so that it verifies that the input value
- is really the square of the return value. (Previously,
- BN_mod_sqrt would show GIGO behaviour.)
- [Bodo Moeller]
+ *) Change the declaration of needed Kerberos libraries to use EX_LIBS
+ instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
+ removed entirely.
+ [Richard Levitte]
- *) Add named elliptic curves over binary fields from X9.62, SECG,
- and WAP/WTLS; add OIDs that were still missing.
+ *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it
+ seems that in spite of existing for more than a year, many application
+ author have done nothing to provide the necessary callbacks, which
+ means that this particular engine will not work properly anywhere.
+ This is a very unfortunate situation which forces us, in the name
+ of usability, to give the hw_ncipher.c a static lock, which is part
+ of libcrypto.
+ NOTE: This is for the 0.9.7 series ONLY. This hack will never
+ appear in 0.9.8 or later. We EXPECT application authors to have
+ dealt properly with this when 0.9.8 is released (unless we actually
+ make such changes in the libcrypto locking code that changes will
+ have to be made anyway).
+ [Richard Levitte]
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
+ *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
+ octets have been read, EOF or an error occurs. Without this change
+ some truncated ASN1 structures will not produce an error.
+ [Steve Henson]
- *) Extend the EC library for elliptic curves over binary fields
- (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
- New EC_METHOD:
+ *) Disable Heimdal support, since it hasn't been fully implemented.
+ Still give the possibility to force the use of Heimdal, but with
+ warnings and a request that patches get sent to openssl-dev.
+ [Richard Levitte]
- EC_GF2m_simple_method
+ *) Add the VC-CE target, introduce the WINCE sysname, and add
+ INSTALL.WCE and appropriate conditionals to make it build.
+ [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
- New API functions:
+ *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
+ cygssl-x.y.z.dll, where x, y and z are the major, minor and
+ edit numbers of the version.
+ [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
- EC_GROUP_new_curve_GF2m
- EC_GROUP_set_curve_GF2m
- EC_GROUP_get_curve_GF2m
- EC_POINT_set_affine_coordinates_GF2m
- EC_POINT_get_affine_coordinates_GF2m
- EC_POINT_set_compressed_coordinates_GF2m
+ *) Introduce safe string copy and catenation functions
+ (BUF_strlcpy() and BUF_strlcat()).
+ [Ben Laurie (CHATS) and Richard Levitte]
- Point compression for binary fields is disabled by default for
- patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
- enable it).
+ *) Avoid using fixed-size buffers for one-line DNs.
+ [Ben Laurie (CHATS)]
- As binary polynomials are represented as BIGNUMs, various members
- of the EC_GROUP and EC_POINT data structures can be shared
- between the implementations for prime fields and binary fields;
- the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
- are essentially identical to their ..._GFp counterparts.
- (For simplicity, the '..._GFp' prefix has been dropped from
- various internal method names.)
+ *) Add BUF_MEM_grow_clean() to avoid information leakage when
+ resizing buffers containing secrets, and use where appropriate.
+ [Ben Laurie (CHATS)]
- An internal 'field_div' method (similar to 'field_mul' and
- 'field_sqr') has been added; this is used only for binary fields.
+ *) Avoid using fixed size buffers for configuration file location.
+ [Ben Laurie (CHATS)]
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
+ *) Avoid filename truncation for various CA files.
+ [Ben Laurie (CHATS)]
- *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
- through methods ('mul', 'precompute_mult').
+ *) Use sizeof in preference to magic numbers.
+ [Ben Laurie (CHATS)]
- The generic implementations (now internally called 'ec_wNAF_mul'
- and 'ec_wNAF_precomputed_mult') remain the default if these
- methods are undefined.
+ *) Avoid filename truncation in cert requests.
+ [Ben Laurie (CHATS)]
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
+ *) Add assertions to check for (supposedly impossible) buffer
+ overflows.
+ [Ben Laurie (CHATS)]
- *) New function EC_GROUP_get_degree, which is defined through
- EC_METHOD. For curves over prime fields, this returns the bit
- length of the modulus.
+ *) Don't cache truncated DNS entries in the local cache (this could
+ potentially lead to a spoofing attack).
+ [Ben Laurie (CHATS)]
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
+ *) Fix various buffers to be large enough for hex/decimal
+ representations in a platform independent manner.
+ [Ben Laurie (CHATS)]
- *) New functions EC_GROUP_dup, EC_POINT_dup.
- (These simply call ..._new and ..._copy).
+ *) Add CRYPTO_realloc_clean() to avoid information leakage when
+ resizing buffers containing secrets, and use where appropriate.
+ [Ben Laurie (CHATS)]
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
+ *) Add BIO_indent() to avoid much slightly worrying code to do
+ indents.
+ [Ben Laurie (CHATS)]
- *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
- Polynomials are represented as BIGNUMs (where the sign bit is not
- used) in the following functions [macros]:
+ *) Convert sprintf()/BIO_puts() to BIO_printf().
+ [Ben Laurie (CHATS)]
- BN_GF2m_add
- BN_GF2m_sub [= BN_GF2m_add]
- BN_GF2m_mod [wrapper for BN_GF2m_mod_arr]
- BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr]
- BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr]
- BN_GF2m_mod_inv
- BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr]
- BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr]
- BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr]
- BN_GF2m_cmp [= BN_ucmp]
+ *) buffer_gets() could terminate with the buffer only half
+ full. Fixed.
+ [Ben Laurie (CHATS)]
- (Note that only the 'mod' functions are actually for fields GF(2^m).
- BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
-
- For some functions, an the irreducible polynomial defining a
- field can be given as an 'unsigned int[]' with strictly
- decreasing elements giving the indices of those bits that are set;
- i.e., p[] represents the polynomial
- f(t) = t^p[0] + t^p[1] + ... + t^p[k]
- where
- p[0] > p[1] > ... > p[k] = 0.
- This applies to the following functions:
+ *) Add assertions to prevent user-supplied crypto functions from
+ overflowing internal buffers by having large block sizes, etc.
+ [Ben Laurie (CHATS)]
- BN_GF2m_mod_arr
- BN_GF2m_mod_mul_arr
- BN_GF2m_mod_sqr_arr
- BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv]
- BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div]
- BN_GF2m_mod_exp_arr
- BN_GF2m_mod_sqrt_arr
- BN_GF2m_mod_solve_quad_arr
- BN_GF2m_poly2arr
- BN_GF2m_arr2poly
-
- Conversion can be performed by the following functions:
-
- BN_GF2m_poly2arr
- BN_GF2m_arr2poly
-
- bntest.c has additional tests for binary polynomial arithmetic.
-
- Two implementations for BN_GF2m_mod_div() are available.
- The default algorithm simply uses BN_GF2m_mod_inv() and
- BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
- if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
- copyright notice in crypto/bn/bn_gf2m.c before enabling it).
-
- [Sheueling Chang Shantz and Douglas Stebila
- (Sun Microsystems Laboratories)]
-
- *) Add new error code 'ERR_R_DISABLED' that can be used when some
- functionality is disabled at compile-time.
- [Douglas Stebila <douglas.stebila@sun.com>]
-
- *) Change default behaviour of 'openssl asn1parse' so that more
- information is visible when viewing, e.g., a certificate:
-
- Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
- mode the content of non-printable OCTET STRINGs is output in a
- style similar to INTEGERs, but with '[HEX DUMP]' prepended to
- avoid the appearance of a printable string.
- [Nils Larsch <nla@trustcenter.de>]
+ *) New OPENSSL_assert() macro (similar to assert(), but enabled
+ unconditionally).
+ [Ben Laurie (CHATS)]
- *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
- functions
- EC_GROUP_set_asn1_flag()
- EC_GROUP_get_asn1_flag()
- EC_GROUP_set_point_conversion_form()
- EC_GROUP_get_point_conversion_form()
- These control ASN1 encoding details:
- - Curves (i.e., groups) are encoded explicitly unless asn1_flag
- has been set to OPENSSL_EC_NAMED_CURVE.
- - Points are encoded in uncompressed form by default; options for
- asn1_for are as for point2oct, namely
- POINT_CONVERSION_COMPRESSED
- POINT_CONVERSION_UNCOMPRESSED
- POINT_CONVERSION_HYBRID
-
- Also add 'seed' and 'seed_len' members to EC_GROUP with access
- functions
- EC_GROUP_set_seed()
- EC_GROUP_get0_seed()
- EC_GROUP_get_seed_len()
- This is used only for ASN1 purposes (so far).
- [Nils Larsch <nla@trustcenter.de>]
+ *) Eliminate unused copy of key in RC4.
+ [Ben Laurie (CHATS)]
- *) Add 'field_type' member to EC_METHOD, which holds the NID
- of the appropriate field type OID. The new function
- EC_METHOD_get_field_type() returns this value.
- [Nils Larsch <nla@trustcenter.de>]
+ *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
+ [Ben Laurie (CHATS)]
- *) Add functions
- EC_POINT_point2bn()
- EC_POINT_bn2point()
- EC_POINT_point2hex()
- EC_POINT_hex2point()
- providing useful interfaces to EC_POINT_point2oct() and
- EC_POINT_oct2point().
- [Nils Larsch <nla@trustcenter.de>]
+ *) Fix off-by-one error in EGD path.
+ [Ben Laurie (CHATS)]
- *) Change internals of the EC library so that the functions
- EC_GROUP_set_generator()
- EC_GROUP_get_generator()
- EC_GROUP_get_order()
- EC_GROUP_get_cofactor()
- are implemented directly in crypto/ec/ec_lib.c and not dispatched
- to methods, which would lead to unnecessary code duplication when
- adding different types of curves.
- [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
+ *) If RANDFILE path is too long, ignore instead of truncating.
+ [Ben Laurie (CHATS)]
- *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
- arithmetic, and such that modified wNAFs are generated
- (which avoid length expansion in many cases).
- [Bodo Moeller]
+ *) Eliminate unused and incorrectly sized X.509 structure
+ CBCParameter.
+ [Ben Laurie (CHATS)]
- *) Add a function EC_GROUP_check_discriminant() (defined via
- EC_METHOD) that verifies that the curve discriminant is non-zero.
+ *) Eliminate unused and dangerous function knumber().
+ [Ben Laurie (CHATS)]
- Add a function EC_GROUP_check() that makes some sanity tests
- on a EC_GROUP, its generator and order. This includes
- EC_GROUP_check_discriminant().
- [Nils Larsch <nla@trustcenter.de>]
+ *) Eliminate unused and dangerous structure, KSSL_ERR.
+ [Ben Laurie (CHATS)]
- *) Add ECDSA in new directory crypto/ecdsa/.
+ *) Protect against overlong session ID context length in an encoded
+ session object. Since these are local, this does not appear to be
+ exploitable.
+ [Ben Laurie (CHATS)]
- Add applications 'openssl ecparam' and 'openssl ecdsa'
- (these are based on 'openssl dsaparam' and 'openssl dsa').
+ *) Change from security patch (see 0.9.6e below) that did not affect
+ the 0.9.6 release series:
- ECDSA support is also included in various other files across the
- library. Most notably,
- - 'openssl req' now has a '-newkey ecdsa:file' option;
- - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
- - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
- d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
- them suitable for ECDSA where domain parameters must be
- extracted before the specific public key;
- - ECDSA engine support has been added.
- [Nils Larsch <nla@trustcenter.de>]
+ Remote buffer overflow in SSL3 protocol - an attacker could
+ supply an oversized master key in Kerberos-enabled versions.
+ (CAN-2002-0657)
+ [Ben Laurie (CHATS)]
- *) Include some named elliptic curves, and add OIDs from X9.62,
- SECG, and WAP/WTLS. Each curve can be obtained from the new
- function
- EC_GROUP_new_by_nid(),
- and the list of available named curves can be obtained with
- EC_get_builtin_curves().
- Also add a 'curve_name' member to EC_GROUP objects, which can be
- accessed via
- EC_GROUP_set_nid()
- EC_GROUP_get_nid()
- [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
-
- Changes between 0.9.6g and 0.9.7 [XX xxx 2002]
+ *) Change the SSL kerb5 codes to match RFC 2712.
+ [Richard Levitte]
*) Make -nameopt work fully for req and add -reqopt switch.
[Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
*) The "block size" for block ciphers in CFB and OFB mode should be 1.
[Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
- *) The "block size" for block ciphers in CFB and OFB mode should be 1.
- [Steve Henson]
-
*) Make sure tests can be performed even if the corresponding algorithms
have been removed entirely. This was also the last step to make
OpenSSL compilable with DJGPP under all reasonable conditions.
# Place yourself outside of the OpenSSL source tree. In
# this example, the environment variable OPENSSL_SOURCE
# is assumed to contain the absolute OpenSSL source directory.
- mkdir -p objtree/`uname -s`-`uname -r`-`uname -m`
- cd objtree/`uname -s`-`uname -r`-`uname -m`
+ mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+ cd objtree/"`uname -s`-`uname -r`-`uname -m`"
(cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
mkdir -p `dirname $F`
ln -s $OPENSSL_SOURCE/$F $F
*) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte]
- Changes between 0.9.6g and 0.9.6h [xx XXX xxxx]
+ Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
+
+ *) New function OPENSSL_cleanse(), which is used to cleanse a section of
+ memory from it's contents. This is done with a counter that will
+ place alternating values in each byte. This can be used to solve
+ two issues: 1) the removal of calls to memset() by highly optimizing
+ compilers, and 2) cleansing with other values than 0, since those can
+ be read through on certain media, for example a swap space on disk.
+ [Geoff Thorpe]
+
+ *) Bugfix: client side session caching did not work with external caching,
+ because the session->cipher setting was not restored when reloading
+ from the external cache. This problem was masked, when
+ SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
+ (Found by Steve Haslam <steve@araqnid.ddts.net>.)
+ [Lutz Jaenicke]
+
+ *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
+ length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
+ [Zeev Lieber <zeev-l@yahoo.com>]
+
+ *) Undo an undocumented change introduced in 0.9.6e which caused
+ repeated calls to OpenSSL_add_all_ciphers() and
+ OpenSSL_add_all_digests() to be ignored, even after calling
+ EVP_cleanup().
+ [Richard Levitte]
+
+ *) Change the default configuration reader to deal with last line not
+ being properly terminated.
+ [Richard Levitte]
+
+ *) Change X509_NAME_cmp() so it applies the special rules on handling
+ DN values that are of type PrintableString, as well as RDNs of type
+ emailAddress where the value has the type ia5String.
+ [stefank@valicert.com via Richard Levitte]
+
+ *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+ the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
+ doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
+ the bitwise-OR of the two for use by the majority of applications
+ wanting this behaviour, and update the docs. The documented
+ behaviour and actual behaviour were inconsistent and had been
+ changing anyway, so this is more a bug-fix than a behavioural
+ change.
+ [Geoff Thorpe, diagnosed by Nadav Har'El]
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
[Bodo Moeller]
- *) Fix race condition in SSLv3_client_method().
- [Bodo Moeller]
+ *) Fix initialization code race conditions in
+ SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
+ SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
+ SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
+ TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
+ ssl2_get_cipher_by_char(),
+ ssl3_get_cipher_by_char().
+ [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
the cached sessions are flushed, as the remove_cb() might use ex_data
overflow checks added in 0.9.6e. This prevents DoS (the
assertions could call abort()).
[Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
-
+
Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
*) Add various sanity checks to asn1_get_length() to reject
too small for 64 bit platforms. (CAN-2002-0655)
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
- *) Remote buffer overflow in SSL3 protocol - an attacker could
- supply an oversized master key in Kerberos-enabled versions.
- (CAN-2002-0657)
- [Ben Laurie (CHATS)]
-
*) Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized session ID to a client. (CAN-2002-0656)
[Ben Laurie (CHATS)]
value is 0.
[Richard Levitte]
- *) Add the configuration target linux-s390x.
- [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
-
*) [In 0.9.6d-engine release:]
Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
+ *) Add the configuration target linux-s390x.
+ [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
+
*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
variable as an indication that a ClientHello message has been
projects / oweals / openssl.git / blobdiff