 OpenSSL CHANGES
 _______________

 This is a high-level summary of the most important changes.
 For a full list of changes, see the git commit log; for example,
 https://github.com/openssl/openssl/commits/ and pick the appropriate
 release branch.

 Changes between 1.0.2t and 1.0.2u [20 Dec 2019]

  *) Fixed an overflow bug in the x86_64 Montgomery squaring procedure
     used in exponentiation with 512-bit moduli. No EC algorithms are
     affected. Analysis suggests that attacks against 2-prime RSA1024,
     3-prime RSA1536, and DSA1024 as a result of this defect would be very
     difficult to perform and are not believed likely. Attacks against DH512
     are considered just feasible. However, for an attack the target would
     have to re-use the DH512 private key, which is not recommended anyway.
     Also applications directly using the low-level API BN_mod_exp may be
     affected if they use BN_FLG_CONSTTIME.
     (CVE-2019-1551)
     [Andy Polyakov]

 Changes between 1.0.2s and 1.0.2t [10 Sep 2019]

  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack. Whether the message
     decrypts thus depends on whether the attacker's chosen ciphertext
     decrypts to validly padded PKCS #1 v1.5 plaintext, which gives a
     Bleichenbacher-style oracle.
     As a workaround for this potential attack the length of the decrypted
     key must be equal to the cipher's default key length, in case the
     certificate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     (CVE-2019-1563)
     [Bernd Edlinger]

  *) Document issue with installation paths in diverse Windows builds

     '/usr/local/ssl' is an unsafe prefix for the location of installed
     OpenSSL binaries and the run-time config file.
     (CVE-2019-1552)
     [Richard Levitte]

 Changes between 1.0.2r and 1.0.2s [28 May 2019]

  *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
     This changes the size when using the genpkey app when no size is given. It
     fixes an omission in earlier changes that changed all RSA, DSA and DH
     generation apps to use 2048 bits by default.
     [Kurt Roeckx]

  *) Add FIPS support for Android Arm 64-bit

     Support for Android Arm 64-bit was added to the OpenSSL FIPS Object
     Module in Version 2.0.10. For some reason, the corresponding target
     'android64-aarch64' was missing from OpenSSL 1.0.2, so it could not be
     built with FIPS support on Android Arm 64-bit. This omission has been
     fixed.
     [Matthias St. Pierre]

 Changes between 1.0.2q and 1.0.2r [26 Feb 2019]

  *) 0-byte record padding oracle

     If an application encounters a fatal protocol error and then calls
     SSL_shutdown() twice (once to send a close_notify, and once to receive one)
     then OpenSSL can respond differently to the calling application if a 0 byte
     record is received with invalid padding compared to if a 0 byte record is
     received with an invalid MAC. If the application then behaves differently
     based on that in a way that is detectable to the remote peer, then this
     amounts to a padding oracle that could be used to decrypt data.

     In order for this to be exploitable "non-stitched" ciphersuites must be in
     use. Stitched ciphersuites are optimised implementations of certain
     commonly used ciphersuites. Also the application must call SSL_shutdown()
     twice even if a protocol error has occurred (applications should not do
     this but some do anyway).

     This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
     Aviram, with additional investigation by Steven Collison and Andrew
     Hourselt. It was reported to OpenSSL on 10th December 2018.
     (CVE-2019-1559)
     [Matt Caswell]

  *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
     [Richard Levitte]

 Changes between 1.0.2p and 1.0.2q [20 Nov 2018]

  *) Microarchitecture timing vulnerability in ECC scalar multiplication

     OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
     shown to be vulnerable to a microarchitecture timing side channel attack.
     An attacker with sufficient access to mount local timing attacks during
     ECDSA signature generation could recover the private key.

     This issue was reported to OpenSSL on 26th October 2018 by Alejandro
     Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
     Nicola Tuveri.
     (CVE-2018-5407)
     [Billy Brumley]

  *) Timing vulnerability in DSA signature generation

     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
     timing side channel attack. An attacker could use variations in the signing
     algorithm to recover the private key.

     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
     (CVE-2018-0734)
     [Paul Dale]

  *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
     Module, accidentally introduced while backporting security fixes from the
     development branch and hindering the use of ECC in FIPS mode.
     [Nicola Tuveri]

 Changes between 1.0.2o and 1.0.2p [14 Aug 2018]

  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken.
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.
     NULL pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generation to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

 Changes between 1.0.2n and 1.0.2o [27 Mar 2018]

  *) Constructed ASN.1 types with a recursive definition could exceed the stack

     Constructed ASN.1 types with a recursive definition (such as can be found
     in PKCS7) could eventually exceed the stack given malicious input with
     excessive recursion. This could result in a Denial Of Service attack.
     There are no such structures used within SSL/TLS that come from untrusted
     sources so this is considered safe.

     This issue was reported to OpenSSL on 4th January 2018 by the OSS-Fuzz
     project.
     (CVE-2018-0739)
     [Matt Caswell]

 Changes between 1.0.2m and 1.0.2n [7 Dec 2017]

  *) Read/write after SSL object in error state

     OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state"
     mechanism. The intent was that if a fatal error occurred during a handshake
     then OpenSSL would move into the error state and would immediately fail if
     you attempted to continue the handshake. This works as designed for the
     explicit handshake functions (SSL_do_handshake(), SSL_accept() and
     SSL_connect()), however due to a bug it does not work correctly if
     SSL_read() or SSL_write() is called directly. In that scenario, if the
     handshake fails then a fatal error will be returned in the initial function
     call. If SSL_read()/SSL_write() is subsequently called by the application
     for the same SSL object then it will succeed and the data is passed without
     being decrypted/encrypted directly from the SSL/TLS record layer.

     In order to exploit this issue an application bug would have to be present
     that resulted in a call to SSL_read()/SSL_write() being issued after having
     already received a fatal error.

     This issue was reported to OpenSSL by David Benjamin (Google).
     (CVE-2017-3737)
     [Matt Caswell]

  *) rsaz_1024_mul_avx2 overflow bug on x86_64

     There is an overflow bug in the AVX2 Montgomery multiplication procedure
     used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
     Analysis suggests that attacks against RSA and DSA as a result of this
     defect would be very difficult to perform and are not believed likely.
     Attacks against DH1024 are considered just feasible, because most of the
     work necessary to deduce information about a private key may be performed
     offline. The amount of resources required for such an attack would be
     significant. However, for an attack on TLS to be meaningful, the server
     would have to share the DH1024 private key among multiple clients, which is
     no longer an option since CVE-2016-0701.

     This only affects processors that support the AVX2 but not ADX extensions
     like Intel Haswell (4th generation).

     This issue was reported to OpenSSL by David Benjamin (Google). The issue
     was originally found via the OSS-Fuzz project.
     (CVE-2017-3738)
     [Andy Polyakov]

 Changes between 1.0.2l and 1.0.2m [2 Nov 2017]

  *) bn_sqrx8x_internal carry bug on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely.
     Attacks against DH are considered just feasible (although very difficult)
     because most of the work necessary to deduce information about a private
     key may be performed offline. The amount of resources required for such an
     attack would be very significant and likely only accessible to a limited
     number of attackers. An attacker would additionally need online access to
     an unpatched system using the target private key in a scenario with
     persistent DH parameters and a private key that is shared between multiple
     clients.

     This only affects processors that support the BMI1, BMI2 and ADX extensions
     like Intel Broadwell (5th generation) and later or AMD Ryzen.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3736)
     [Andy Polyakov]

  *) Malformed X.509 IPAddressFamily could cause OOB read

     If an X.509 certificate has a malformed IPAddressFamily extension,
     OpenSSL could do a one-byte buffer overread. The most likely result
     would be an erroneous display of the certificate in text format.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3735)
     [Rich Salz]

 Changes between 1.0.2k and 1.0.2l [25 May 2017]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
     platform rather than 'mingw'.
     [Richard Levitte]

 Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert Święcki of Google.
     (CVE-2017-3731)
     [Andy Polyakov]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3732)
     [Andy Polyakov]

  *) Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     and DH private keys are impossible. This is because the subroutine in
     question is not used in operations with the private key itself and an input
     of the attacker's direct choice. Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. Impact was not analyzed in
     detail, because pre-requisites for attack are considered unlikely. Namely
     multiple clients have to choose the curve in question and the server has to
     share the private key among them, neither of which is default behaviour.
     Even then only clients that chose the curve will be affected.

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing a reproducible case.
     (CVE-2016-7055)
     [Andy Polyakov]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2.
     This is to prevent issues where no progress is being made and the peer
     continually sends unrecognised record types, using up resources processing
     them.
     [Matt Caswell]

 Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

  *) Missing CRL sanity check

     A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
     but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
     CRLs in OpenSSL 1.0.2i will crash with a null pointer dereference.

     This issue only affects OpenSSL 1.0.2i.
     (CVE-2016-7052)
     [Matt Caswell]

 Changes between 1.0.2h and 1.0.2i [22 Sep 2016]

  *) OCSP Status Request extension unbounded memory growth

     A malicious client can send an excessively large OCSP Status Request
     extension. If that client continually requests renegotiation, sending a
     large OCSP Status Request extension each time, then there will be unbounded
     memory growth on the server. This will eventually lead to a Denial Of
     Service attack through memory exhaustion. Servers with a default
     configuration are vulnerable even if they do not support OCSP. Builds using
     the "no-ocsp" build time option are not affected.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6304)
     [Matt Caswell]

  *) In order to mitigate the SWEET32 attack (a birthday attack on 64-bit block
     ciphers such as 3DES), the DES ciphers were moved from HIGH to MEDIUM.

     This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan
     Leurent (INRIA).
     (CVE-2016-2183)
     [Rich Salz]

  *) OOB write in MDC2_Update()

     An overflow can occur in MDC2_Update() either if called directly or
     through the EVP_DigestUpdate() function using MDC2. If an attacker
     is able to supply very large amounts of input data after a previous
     call to MDC2_Update() (or EVP_DigestUpdate() with MDC2) that left a
     partial block buffered, then a length check can overflow resulting in a
     heap corruption.

     The amount of data needed is comparable to SIZE_MAX which is impractical
     on most platforms.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6303)
     [Stephen Henson]

  *) Malformed SHA512 ticket DoS

     If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
     DoS attack where a malformed ticket will result in an OOB read which will
     ultimately crash.

     The use of SHA512 in TLS session tickets is comparatively rare as it requires
     a custom server callback and ticket lookup mechanism.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6302)
     [Stephen Henson]

  *) OOB write in BN_bn2dec()

     The function BN_bn2dec() does not check the return value of BN_div_word().
     This can cause an OOB write if an application uses this function with an
     overly large BIGNUM. This could be a problem if an overly large certificate
     or CRL is printed out from an untrusted source.
     TLS is not affected because record limits will reject an oversized
     certificate before it is parsed.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2182)
     [Stephen Henson]

  *) OOB read in TS_OBJ_print_bio()

     The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
     the total length the OID text representation would use and not the amount
     of data written. This will result in OOB reads when large OIDs are
     presented.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-2180)
     [Stephen Henson]

  *) Pointer arithmetic undefined behaviour

     Avoid some undefined pointer arithmetic

     A common idiom in the codebase is to check limits in the following manner:
     "p + len > limit"

     Where "p" points to some malloc'd data of SIZE bytes and
     limit == p + SIZE

     "len" here could be from some externally supplied data (e.g. from a TLS
     message).

     The rules of C pointer arithmetic are such that "p + len" is only well
     defined where len <= SIZE. Therefore the above idiom is actually
     undefined behaviour.

     For example this could cause problems if some malloc implementation
     provides an address for "p" such that "p + len" actually overflows for
     values of len that are too big and therefore p + len < limit.
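     The idiom just described and a well-defined replacement, side by side
     with a small parser for a 2-byte-length-prefixed field of the kind found
     in TLS handshake messages. This is an added example written for this
     page, not code from OpenSSL; the function names and the sample messages
     are constructed for illustration. The wrapped-pointer case is written
     out with uintptr_t arithmetic (which is what the undefined form usually
     compiles down to) so the failure can be reproduced rather than merely
     described.

```c
/* Added example, not OpenSSL code: the "p + len > limit" idiom versus a
 * well-defined bounds check.  Names and sample messages are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The idiom the entry describes.  Forming p + len is undefined behaviour
 * whenever len exceeds the bytes remaining in the object, so this must
 * never be called with an untrusted len. */
static int in_bounds_undefined(const unsigned char *p, size_t len,
                               const unsigned char *limit)
{
    return !(p + len > limit);
}

/* What the undefined form can compile down to: modular address arithmetic.
 * Written with uintptr_t so the wrap-around is deterministic and testable. */
static int in_bounds_wrapping(const unsigned char *p, size_t len,
                              const unsigned char *limit)
{
    uintptr_t end = (uintptr_t)p + (uintptr_t)len;   /* may wrap past 0 */
    return !(end > (uintptr_t)limit);
}

/* Well-defined form: compare lengths instead of forming a pointer that may
 * lie outside the allocation.  Precondition: p <= limit, both inside (or
 * one past the end of) the same object. */
static int in_bounds_safe(const unsigned char *p, size_t len,
                          const unsigned char *limit)
{
    return len <= (size_t)(limit - p);
}

/* Parse one 2-byte-length-prefixed vector, the shape used throughout TLS
 * handshake messages.  On success returns 1 and points *out at the body. */
static int parse_vector(const unsigned char *buf, size_t buflen,
                        const unsigned char **out, size_t *outlen)
{
    const unsigned char *p = buf;
    const unsigned char *limit = buf + buflen;
    size_t len;

    if ((size_t)(limit - p) < 2)
        return 0;
    len = ((size_t)p[0] << 8) | p[1];       /* attacker-controlled */
    p += 2;
    if (!in_bounds_safe(p, len, limit))      /* never computes p + len */
        return 0;
    *out = p;
    *outlen = len;
    return 1;
}

/* Constructed sample: a well-formed vector "abc".  Returns its length, 3. */
static int demo_valid(void)
{
    static const unsigned char msg[] = { 0x00, 0x03, 'a', 'b', 'c' };
    const unsigned char *body;
    size_t n;
    if (!parse_vector(msg, sizeof msg, &body, &n))
        return -1;
    /* len is known to fit here, so the original idiom is defined too */
    return in_bounds_undefined(body, n, msg + sizeof msg) ? (int)n : -2;
}

/* Constructed sample: claims 16 bytes but carries 1.  Returns 1 if rejected. */
static int demo_truncated(void)
{
    static const unsigned char msg[] = { 0x00, 0x10, 'a' };
    const unsigned char *body;
    size_t n;
    return parse_vector(msg, sizeof msg, &body, &n) == 0;
}

/* A len of SIZE_MAX makes p + len wrap to p - 1, which is below limit, so
 * the modular form accepts it while the safe form rejects it.  Returns 1
 * when exactly that happens. */
static int demo_wrap(void)
{
    static const unsigned char buf[16] = { 0 };
    const unsigned char *limit = buf + sizeof buf;
    return in_bounds_wrapping(buf, SIZE_MAX, limit) == 1
        && in_bounds_safe(buf, SIZE_MAX, limit) == 0;
}

int main(void)
{
    return (demo_valid() == 3 && demo_truncated() && demo_wrap()) ? 0 : 1;
}
```

     The safe form is only valid under its own precondition: limit - p must
     itself be defined, so p and limit have to point into the same object.
     Keeping that invariant at the parser boundary (p only ever advances by
     lengths already checked) is what makes every later check cheap.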

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-2177)
     [Matt Caswell]

  *) Constant time flag not preserved in DSA signing

     Operations in the DSA signing algorithm should run in constant time in
     order to avoid side channel attacks. A flaw in the OpenSSL DSA
     implementation means that a non-constant time codepath is followed for
     certain operations. This has been demonstrated through a cache-timing
     attack to be sufficient for an attacker to recover the private DSA key.

     This issue was reported by César Pereida (Aalto University), Billy Brumley
     (Tampere University of Technology), and Yuval Yarom (The University of
     Adelaide and NICTA).
     (CVE-2016-2178)
     [César Pereida]

  *) DTLS buffered message DoS

     In a DTLS connection where handshake messages are delivered out-of-order
     those messages that OpenSSL is not yet ready to process will be buffered
     for later use. Under certain circumstances, a flaw in the logic means that
     those messages do not get removed from the buffer even though the handshake
     has been completed. An attacker could force up to approx. 15 messages to
     remain in the buffer when they are no longer required. These messages will
     be cleared when the DTLS connection is closed. The default maximum size for
     a message is 100k. Therefore the attacker could force an additional 1500k
     to be consumed per connection. By opening many simultaneous connections an
     attacker could cause a DoS attack through memory exhaustion.

     This issue was reported to OpenSSL by Quan Luo.
     (CVE-2016-2179)
     [Matt Caswell]

  *) DTLS replay protection DoS

     A flaw in the DTLS replay attack protection mechanism means that records
     that arrive for future epochs update the replay protection "window" before
     the MAC for the record has been validated. This could be exploited by an
     attacker by sending a record for the next epoch (which does not have to
     decrypt or have a valid MAC), with a very large sequence number. This means
     that all subsequent legitimate packets are dropped causing a denial of
     service for a specific DTLS connection.

     This issue was reported to OpenSSL by the OCAP audit team.
     (CVE-2016-2181)
     [Matt Caswell]

  *) Certificate message OOB reads

     In OpenSSL 1.0.2 and earlier some missing message length checks can result
     in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
     theoretical DoS risk but this has not been observed in practice on common
     platforms.

     The messages affected are client certificate, client certificate request
     and server certificate. As a result the attack can only be performed
     against a client or a server which enables client authentication.

     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     (CVE-2016-6306)
     [Stephen Henson]

 Changes between 1.0.2g and 1.0.2h [3 May 2016]

  *) Prevent padding oracle in AES-NI CBC MAC check

     A MITM attacker can use a padding oracle attack to decrypt traffic
     when the connection uses an AES CBC cipher and the server supports
     AES-NI.

     This issue was introduced as part of the fix for the Lucky 13 padding
     attack (CVE-2013-0169). The padding check was rewritten to be in
     constant time by making sure that the same bytes are always read and
     compared against either the MAC or padding bytes. But it no longer
     checked that there was enough data to have both the MAC and padding
     bytes.

     This issue was reported by Juraj Somorovsky using TLS-Attacker.
     (CVE-2016-2107)
     [Kurt Roeckx]

  *) Fix EVP_EncodeUpdate overflow

     An overflow can occur in the EVP_EncodeUpdate() function which is used for
     Base64 encoding of binary data. If an attacker is able to supply very large
     amounts of input data then a length check can overflow resulting in a heap
     corruption.

     Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
     the PEM_write_bio* family of functions. These are mainly used within the
     OpenSSL command line applications, so any application which processes data
     from an untrusted source and outputs it as a PEM file should be considered
     vulnerable to this issue. User applications that call these APIs directly
     with large amounts of untrusted data may also be vulnerable.
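     A streaming Base64 encoder with a 48-byte partial-block buffer, written
     for this page as an added example of the length-check overflow described
     in the entry above; it is not OpenSSL's EVP_EncodeUpdate() code, and its
     names and sample inputs are constructed. It places the overflow-prone
     form of the "does this input still fit in the buffer?" check, computed
     as num + inl in the input's own int width, beside the form that compares
     inl against the bounded space left, and uses the latter in the encoder.

```c
/* Added example, not OpenSSL code: a streaming Base64 encoder with a partial-
 * block buffer in the style of EVP_EncodeUpdate(); names are illustrative. */
#include <limits.h>
#include <string.h>

#define ENC_BLOCK 48                       /* input bytes per output line */
typedef struct {
    unsigned char data[ENC_BLOCK];         /* input not yet encoded */
    int num;                               /* bytes buffered, 0..ENC_BLOCK-1 */
} enc_ctx;
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Vulnerable shape: num + inl computed in int.  For inl near INT_MAX the sum
 * wraps negative, the test passes, and the caller would memcpy() inl bytes
 * into a 48-byte buffer.  (Unsigned arithmetic makes the wrap reproducible
 * here rather than undefined; the decision taken is the same.) */
static int fits_partial_unsafe(int num, int inl)
{
    int sum = (int)((unsigned)num + (unsigned)inl);
    return sum < ENC_BLOCK;
}

/* Fixed shape: reject inl <= 0, then compare against the bounded space left. */
static int fits_partial_safe(int num, int inl)
{
    return inl > 0 && inl < ENC_BLOCK - num;
}

/* Encode n bytes, '=' padding a 1- or 2-byte tail; returns chars written. */
static int b64_run(unsigned char *out, const unsigned char *in, int n)
{
    int i, o = 0;
    for (i = 0; i < n; i += 3, o += 4) {
        int k = n - i < 3 ? n - i : 3;
        unsigned v = (unsigned)in[i] << 16;
        if (k > 1) v |= (unsigned)in[i + 1] << 8;
        if (k > 2) v |= in[i + 2];
        out[o] = B64[(v >> 18) & 63];
        out[o + 1] = B64[(v >> 12) & 63];
        out[o + 2] = k > 1 ? B64[(v >> 6) & 63] : '=';
        out[o + 3] = k > 2 ? B64[v & 63] : '=';
    }
    return o;
}

/* Streaming update with the safe check; out needs 64 bytes per full block. */
static int encode_update(enc_ctx *c, unsigned char *out,
                         const unsigned char *in, int inl)
{
    int o = 0;
    if (inl <= 0)
        return 0;
    if (fits_partial_safe(c->num, inl)) {       /* just buffer it */
        memcpy(c->data + c->num, in, (size_t)inl);
        c->num += inl;
        return 0;
    }
    if (c->num > 0) {                           /* complete the block */
        int take = ENC_BLOCK - c->num;          /* <= inl, by the check */
        memcpy(c->data + c->num, in, (size_t)take);
        in += take; inl -= take;
        o += b64_run(out + o, c->data, ENC_BLOCK);
        c->num = 0;
    }
    for (; inl >= ENC_BLOCK; in += ENC_BLOCK, inl -= ENC_BLOCK)
        o += b64_run(out + o, in, ENC_BLOCK);   /* whole blocks */
    memcpy(c->data, in, (size_t)inl);           /* keep the remainder */
    c->num = inl;
    return o;
}

/* Flush the buffered remainder with padding; returns chars written. */
static int encode_final(enc_ctx *c, unsigned char *out)
{
    int o = b64_run(out, c->data, c->num);
    c->num = 0;
    return o;
}

/* Feed `in` `chunk` bytes at a time (exercising the partial buffer); returns
 * 1 if the output equals `expected`. */
static int check_encoding(const char *in, int chunk, const char *expected)
{
    enc_ctx c = { {0}, 0 };
    unsigned char out[256];
    int inl = (int)strlen(in), off = 0, o = 0;
    while (off < inl) {
        int n = inl - off < chunk ? inl - off : chunk;
        o += encode_update(&c, out + o, (const unsigned char *)in + off, n);
        off += n;
    }
    o += encode_final(&c, out + o);
    out[o] = '\0';
    return strcmp((const char *)out, expected) == 0;
}

/* Constructed input: 50 x 'A' must give sixteen "QUFB" groups then "QUE=". */
static int check_fifty_a(int chunk)
{
    char in[51], expected[69]; int i;
    memset(in, 'A', 50); in[50] = '\0';
    for (i = 0; i < 16; i++) memcpy(expected + 4 * i, "QUFB", 4);
    memcpy(expected + 64, "QUE=", 5);
    return check_encoding(in, chunk, expected);
}
```

     fits_partial_unsafe(1, INT_MAX) returns 1 while fits_partial_safe(1,
     INT_MAX) returns 0; that one comparison is the difference between a
     memcpy() of a few bytes into the 48-byte buffer and one of INT_MAX
     bytes. The same rule applies to any "buffered + incoming" check: subtract
     on the side whose value is bounded, never add on the attacker's side.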

     This issue was reported by Guido Vranken.
     (CVE-2016-2105)
     [Matt Caswell]

  *) Fix EVP_EncryptUpdate overflow

     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
     is able to supply very large amounts of input data after a previous call to
     EVP_EncryptUpdate() with a partial block then a length check can overflow
     resulting in a heap corruption. Following an analysis of all OpenSSL
     internal usage of the EVP_EncryptUpdate() function all usage is one of two
     forms. The first form is where the EVP_EncryptUpdate() call is known to be
     the first called function after an EVP_EncryptInit(), and therefore that
     specific call must be safe. The second form is where the length passed to
     EVP_EncryptUpdate() can be seen from the code to be some small value and
     therefore there is no possibility of an overflow. Since all instances are
     one of these two forms, it is believed that there can be no overflows in
     internal code due to this problem. It should be noted that
     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
     of these calls have also been analysed and it is believed there are no
     instances in internal usage where an overflow could occur.

     This issue was reported by Guido Vranken.
     (CVE-2016-2106)
     [Matt Caswell]

  *) Prevent ASN.1 BIO excessive memory allocation

     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
     a short invalid encoding can cause allocation of large amounts of memory
     potentially consuming excessive resources or exhausting memory.

     Any application parsing untrusted data through d2i BIO functions is
     affected. The memory based functions such as d2i_X509() are *not* affected.
     Since the memory based functions are used by the TLS library, TLS
     applications are not affected.

     This issue was reported by Brian Carpenter.
     (CVE-2016-2109)
     [Stephen Henson]

  *) EBCDIC overread

     ASN1 Strings that are over 1024 bytes can cause an overread in applications
     using the X509_NAME_oneline() function on EBCDIC systems. This could result
     in arbitrary stack data being returned in the buffer.

     This issue was reported by Guido Vranken.
     (CVE-2016-2176)
     [Matt Caswell]

  *) Modify behavior of ALPN to invoke callback after SNI/servername
     callback, such that updates to the SSL_CTX affect ALPN.
     [Todd Short]

  *) Remove LOW from the DEFAULT cipher list. This removes single DES from the
     default.
     [Kurt Roeckx]

  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
     methods are enabled and ssl2 is disabled the methods return NULL.
     [Kurt Roeckx]

 Changes between 1.0.2f and 1.0.2g [1 Mar 2016]

  *) Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
     Builds that are not configured with "enable-weak-ssl-ciphers" will not
     provide any "EXPORT" or "LOW" strength ciphers.
     [Viktor Dukhovni]

  *) Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
     is by default disabled at build-time. Builds that are not configured with
     "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
     will need to explicitly call either of:

         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
     or
         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

     as appropriate. Even if either of those is used, or the application
     explicitly uses the version-specific SSLv2_method() or its client and
     server variants, SSLv2 ciphers vulnerable to exhaustive search key
     recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
     ciphers, and SSLv2 56-bit DES are no longer available.
     (CVE-2016-0800)
     [Viktor Dukhovni]

  *) Fix a double-free in DSA code

     A double free bug was discovered when OpenSSL parses malformed DSA private
     keys and could lead to a DoS attack or memory corruption for applications
     that receive DSA private keys from untrusted sources. This scenario is
     considered rare.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2016-0705)
     [Stephen Henson]

  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
     was changed to ignore the "fake user" SRP seed, even if the seed
     is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, the caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     (CVE-2016-0798)
     [Emilia Käsper]

  *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption

     In the BN_hex2bn function the number of hex digits is calculated using an
     int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
     large values of |i| this can result in |bn_expand| not allocating any
     memory because |i * 4| is negative. This can leave the internal BIGNUM data
     field as NULL leading to a subsequent NULL ptr deref. For very large values
     of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
     In this case memory is allocated to the internal BIGNUM data field, but it
     is insufficiently sized leading to heap corruption. A similar issue exists
     in BN_dec2bn.
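
     The integer-overflow pattern behind the EVP_EncodeUpdate() entry in the
     1.0.2h section above and the |i * 4| computation in BN_hex2bn just
     described, as an added example written for this note (not OpenSSL's own
     code): both length computations are done with explicit range checks so
     that a wrapped value can never reach the allocation or the buffer test.
     The 48-in/65-out base64 line size and the 64-bit word size are assumptions
     of the example.

```c
#include <limits.h>
#include <stdio.h>

/*
 * EVP_EncodeUpdate()-style buffering: 'buffered' input bytes (0..47) are
 * already held in the context and 'inl' new bytes arrive. Every 48 input
 * bytes become one 65-byte output line (64 base64 chars plus a newline).
 * Returns 1 and sets *out_len / *left_over on success, 0 when any
 * intermediate value would not fit in an int.
 */
int b64_update_output_len(int buffered, int inl, int *out_len, int *left_over)
{
    int total, lines;

    if (buffered < 0 || buffered >= 48 || inl < 0)
        return 0;
    /* buffered + inl would wrap negative for inl close to INT_MAX; a
       wrapped total passes a "do I have a full line yet" test as small. */
    if (inl > INT_MAX - buffered)
        return 0;
    total = buffered + inl;
    lines = total / 48;
    /* lines * 65 can still exceed INT_MAX even though total did not */
    if (lines > INT_MAX / 65)
        return 0;
    *out_len = lines * 65;
    *left_over = total % 48;
    return 1;
}

/*
 * BN_hex2bn()-style sizing: 'ndigits' hex digits need ndigits * 4 bits.
 * Stores the number of 64-bit words needed in *words and returns 1, or
 * returns 0 when ndigits * 4 (or the rounding-up) would overflow an int,
 * the case that left the BIGNUM unallocated or undersized in CVE-2016-0797.
 */
int bn_hex_words_needed(int ndigits, int *words)
{
    int bits;

    if (ndigits < 0 || ndigits > INT_MAX / 4)
        return 0;
    bits = ndigits * 4;
    if (bits > INT_MAX - 63)
        return 0;
    *words = (bits + 63) / 64;
    return 1;
}

int main(void)
{
    int out, left, words;

    if (b64_update_output_len(10, 40, &out, &left))
        printf("50 bytes pending -> %d output bytes, %d buffered\n", out, left);
    if (!b64_update_output_len(47, INT_MAX, &out, &left))
        printf("47 + INT_MAX rejected instead of wrapping\n");
    if (bn_hex_words_needed(1000, &words))
        printf("1000 hex digits -> %d words\n", words);
    if (!bn_hex_words_needed(0x40000001, &words))
        printf("0x40000001 digits rejected (i * 4 would wrap to 4)\n");
    return 0;
}
```
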
     This could have security consequences if BN_hex2bn/BN_dec2bn
     is ever called by user applications with very large untrusted hex/dec data.
     This is anticipated to be a rare occurrence.

     All OpenSSL internal usage of these functions uses data that is not expected
     to be untrusted, e.g. config file data or application command line
     arguments. If user developed applications generate config file data based
     on untrusted data then it is possible that this could also lead to security
     consequences. This is also anticipated to be rare.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0797)
     [Matt Caswell]

  *) Fix memory issues in BIO_*printf functions

     The internal |fmtstr| function used in processing a "%s" format string in
     the BIO_*printf functions could overflow while calculating the length of a
     string and cause an OOB read when printing very long strings.

     Additionally the internal |doapr_outch| function can attempt to write to an
     OOB memory location (at an offset from the NULL pointer) in the event of a
     memory allocation failure. In 1.0.2 and below this could be caused where
     the size of a buffer to be allocated is greater than INT_MAX. E.g. this
     could be in processing a very long "%s" format string. Memory leaks can
     also occur.

     The first issue may mask the second issue dependent on compiler behaviour.
     These problems could enable attacks where large amounts of untrusted data
     are passed to the BIO_*printf functions. If applications use these functions
     in this way then they could be vulnerable.
     OpenSSL itself uses these
     functions when printing out human-readable dumps of ASN.1 data. Therefore
     applications that print this data could be vulnerable if the data is from
     untrusted sources. OpenSSL command line applications could also be
     vulnerable where they print out ASN.1 data, or if untrusted data is passed
     as command line arguments.

     Libssl is not considered directly vulnerable. Additionally certificates etc
     received via remote connections via libssl are also unlikely to be able to
     trigger these issues because of message size limits enforced within libssl.

     This issue was reported to OpenSSL by Guido Vranken.
     (CVE-2016-0799)
     [Matt Caswell]

  *) Side channel attack on modular exponentiation

     A side-channel attack was found which makes use of cache-bank conflicts on
     the Intel Sandy-Bridge microarchitecture which could lead to the recovery
     of RSA keys. The ability to exploit this issue is limited as it relies on
     an attacker who has control of code in a thread running on the same
     hyper-threaded core as the victim thread which is performing decryptions.

     This issue was reported to OpenSSL by Yuval Yarom, The University of
     Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
     Nadia Heninger, University of Pennsylvania with more information at
     http://cachebleed.info.
     (CVE-2016-0702)
     [Andy Polyakov]

  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
     if no keysize is specified with default_bits.
     This fixes an
     omission in an earlier change that changed all RSA/DSA key generation
     apps to use 2048 bits by default.
     [Emilia Käsper]

 Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

  *) DH small subgroups

     Historically OpenSSL only ever generated DH parameters based on "safe"
     primes. More recently (in version 1.0.2) support was provided for
     generating X9.42 style parameter files such as those required for RFC 5114
     support. The primes used in such files may not be "safe". Where an
     application is using DH configured with parameters based on primes that are
     not "safe" then an attacker could use this fact to find a peer's private
     DH exponent. This attack requires that the attacker complete multiple
     handshakes in which the peer uses the same private DH exponent. For example
     this could be used to discover a TLS server's private DH exponent if it's
     reusing the private DH exponent or it's using a static DH ciphersuite.

     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
     TLS. It is not on by default. If the option is not set then the server
     reuses the same private DH exponent for the life of the server process and
     would be vulnerable to this attack. It is believed that many popular
     applications do set this option and would therefore not be at risk.

     The fix for this issue adds an additional check where a "q" parameter is
     available (as is the case in X9.42 based parameters). This detects the
     only known attack, and is the only possible defense for static DH
     ciphersuites. This could have some performance impact.
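
     The q-based check that paragraph describes, as an added example written
     for this note (not OpenSSL's DH_check_pub_key code): a peer's public value
     is accepted only if it lies in the order-q subgroup, which the plain range
     test cannot establish. The toy parameters p = 67, q = 11, g = 64 and the
     64-bit modular arithmetic are constructed for the demonstration; a real
     implementation works on BIGNUMs.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy X9.42-style parameters constructed for this example (not real DH
 * parameters): p = 67 is prime with p - 1 = 66 = 2 * 3 * 11, so q = 11 is
 * the order of the subgroup generated by g = 64, and p is not a "safe"
 * prime. (Z/67)^* therefore also has small subgroups of order 2, 3 and 6.
 */
#define TOY_P 67u
#define TOY_Q 11u
#define TOY_G 64u

/* Modular arithmetic on 64-bit words; p must stay below 2^32 so that a
 * single product never overflows. */
static uint64_t mod_mul(uint64_t a, uint64_t b, uint64_t p)
{
    return (a % p) * (b % p) % p;
}

uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t p)
{
    uint64_t result = 1 % p;
    base %= p;
    while (exp) {
        if (exp & 1)
            result = mod_mul(result, base, p);
        base = mod_mul(base, base, p);
        exp >>= 1;
    }
    return result;
}

/* The range test that is all one can do without q: 2 <= y <= p - 2. */
int dh_range_check_only(uint64_t p, uint64_t y)
{
    return p >= 5 && y >= 2 && y <= p - 2;
}

/*
 * The subgroup check the 1.0.2f entry describes for parameters that carry q:
 * besides the range test, require y^q == 1 (mod p), so that a peer value from
 * one of the small subgroups is rejected before any exponent is reused on it.
 */
int dh_check_pub_key(uint64_t p, uint64_t q, uint64_t y)
{
    if (!dh_range_check_only(p, y) || q < 2)
        return 0;
    return mod_pow(y, q, p) == 1;
}

int main(void)
{
    /* Honest peer: y = g^x with a private exponent x = 5. */
    uint64_t y_ok = mod_pow(TOY_G, 5, TOY_P);
    /* 37 = 2^22 mod 67 has order 3: it passes the range test but not y^q == 1. */
    uint64_t y_small = 37;

    printf("honest y=%llu: range %d, subgroup %d\n",
           (unsigned long long)y_ok,
           dh_range_check_only(TOY_P, y_ok),
           dh_check_pub_key(TOY_P, TOY_Q, y_ok));
    printf("order-3 y=%llu: range %d, subgroup %d\n",
           (unsigned long long)y_small,
           dh_range_check_only(TOY_P, y_small),
           dh_check_pub_key(TOY_P, TOY_Q, y_small));
    return 0;
}
```
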

     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
     default and cannot be disabled. This could have some performance impact.

     This issue was reported to OpenSSL by Antonio Sanso (Adobe).
     (CVE-2016-0701)
     [Matt Caswell]

  *) SSLv2 doesn't block disabled ciphers

     A malicious client can negotiate SSLv2 ciphers that have been disabled on
     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
     been disabled, provided that the SSLv2 protocol was not also disabled via
     SSL_OP_NO_SSLv2.

     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
     and Sebastian Schinzel.
     (CVE-2015-3197)
     [Viktor Dukhovni]

  *) Reject DH handshakes with parameters shorter than 1024 bits.
     [Kurt Roeckx]

 Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers.
     An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites.

     This issue was reported to OpenSSL by Hanno Böck.
     (CVE-2015-3193)
     [Andy Polyakov]

  *) Certificate verify crash with missing PSS parameter

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and absent mask generation function parameter. Since these
     routines are used to verify certificate signature algorithms this can be
     used to crash any certificate verification operation and exploited in a
     DoS attack. Any application which performs certificate verification is
     vulnerable including OpenSSL clients and servers which enable client
     authentication.

     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
     (CVE-2015-3194)
     [Stephen Henson]

  *) X509_ATTRIBUTE memory leak

     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
     memory. This structure is used by the PKCS#7 and CMS routines so any
     application which reads PKCS#7 or CMS data from untrusted sources is
     affected. SSL/TLS is not affected.

     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
     libFuzzer.
     (CVE-2015-3195)
     [Stephen Henson]

  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
     This changes the decoding behaviour for some invalid messages,
     though the change is mostly in the more lenient direction, and
     legacy behaviour is preserved as much as possible.
     [Emilia Käsper]

  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     use a random seed, as already documented.
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]

 Changes between 1.0.2c and 1.0.2d [9 Jul 2015]

  *) Alternate chains certificate forgery

     During certificate verification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.

     This issue was reported to OpenSSL by Adam Langley/David Benjamin
     (Google/BoringSSL).
     (CVE-2015-1793)
     [Matt Caswell]

  *) Race condition handling PSK identity hint

     If PSK identity hints are received by a multi-threaded client then
     the values are wrongly updated in the parent SSL_CTX structure. This can
     result in a race condition potentially leading to a double free of the
     identity hint data.
     (CVE-2015-3196)
     [Stephen Henson]

 Changes between 1.0.2b and 1.0.2c [12 Jun 2015]

  *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
     incompatibility in the handling of HMAC. The previous ABI has now been
     restored.

 Changes between 1.0.2a and 1.0.2b [11 Jun 2015]

  *) Malformed ECParameters causes infinite loop

     When processing an ECParameters structure OpenSSL enters an infinite loop
     if the curve specified is over a specially malformed binary polynomial
     field.

     This can be used to perform denial of service against any
     system which processes public keys, certificate requests or
     certificates. This includes TLS clients and TLS servers with
     client authentication enabled.

     This issue was reported to OpenSSL by Joseph Barr-Pixton.
     (CVE-2015-1788)
     [Andy Polyakov]

  *) Exploitable out-of-bounds read in X509_cmp_time

     X509_cmp_time does not properly check the length of the ASN1_TIME
     string and can read a few bytes out of bounds. In addition,
     X509_cmp_time accepts an arbitrary number of fractional seconds in the
     time string.

     An attacker can use this to craft malformed certificates and CRLs of
     various sizes and potentially cause a segmentation fault, resulting in
     a DoS on applications that verify certificates or CRLs. TLS clients
     that verify CRLs are affected. TLS clients and servers with client
     authentication enabled may be affected if they use custom verification
     callbacks.

     This issue was reported to OpenSSL by Robert Swiecki (Google), and
     independently by Hanno Böck.
     (CVE-2015-1789)
     [Emilia Käsper]

  *) PKCS7 crash with missing EnvelopedContent

     The PKCS#7 parsing code does not handle missing inner EncryptedContent
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
     with missing content and trigger a NULL pointer dereference on parsing.

     Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
     structures from untrusted sources are affected. OpenSSL clients and
     servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-1790)
     [Emilia Käsper]

  *) CMS verify infinite loop with unknown hash function

     When verifying a signedData message the CMS code can enter an infinite loop
     if presented with an unknown hash function OID. This can be used to perform
     denial of service against any system which verifies signedData messages using
     the CMS code.

     This issue was reported to OpenSSL by Johannes Bauer.
     (CVE-2015-1792)
     [Stephen Henson]

  *) Race condition handling NewSessionTicket

     If a NewSessionTicket is received by a multi-threaded client when attempting to
     reuse a previous ticket then a race condition can occur potentially leading to
     a double free of the ticket data.
     (CVE-2015-1791)
     [Matt Caswell]

  *) Removed support for the two export grade static DH ciphersuites
     EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
     were newly added (along with a number of other static DH ciphersuites) to
     1.0.2. However the two export ones have *never* worked since they were
     introduced. It seems strange in any case to be adding new export
     ciphersuites, and given "logjam" it also does not seem correct to fix them.
     [Matt Caswell]

  *) Only support 256-bit or stronger elliptic curves with the
     'ecdh_auto' setting (server) or by default (client). Of supported
     curves, prefer P-256 (both).
     [Emilia Käsper]

  *) Reject DH handshakes with parameters shorter than 768 bits.
     [Kurt Roeckx and Emilia Käsper]

 Changes between 1.0.2 and 1.0.2a [19 Mar 2015]

  *) ClientHello sigalgs DoS fix

     If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
     invalid signature algorithms extension a NULL pointer dereference will
     occur. This can be exploited in a DoS attack against the server.

     This issue was reported to OpenSSL by David Ramos of Stanford
     University.
     (CVE-2015-0291)
     [Stephen Henson and Matt Caswell]

  *) Multiblock corrupted pointer fix

     OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
     feature only applies on 64 bit x86 architecture platforms that support AES
     NI instructions.
     A defect in the implementation of "multiblock" can cause
     OpenSSL's internal write buffer to become incorrectly set to NULL when
     using non-blocking IO. Typically, when the user application is using a
     socket BIO for writing, this will only result in a failed connection.
     However if some other BIO is used then it is likely that a segmentation
     fault will be triggered, thus enabling a potential DoS attack.

     This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
     (CVE-2015-0290)
     [Matt Caswell]

  *) Segmentation fault in DTLSv1_listen fix

     The DTLSv1_listen function is intended to be stateless and processes the
     initial ClientHello from many peers. It is common for user code to loop
     over the call to DTLSv1_listen until a valid ClientHello is received with
     an associated cookie. A defect in the implementation of DTLSv1_listen means
     that state is preserved in the SSL object from one invocation to the next
     that can lead to a segmentation fault. Errors processing the initial
     ClientHello can trigger this scenario. An example of such an error could be
     that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
     server.

     This issue was reported to OpenSSL by Per Allansson.
     (CVE-2015-0207)
     [Matt Caswell]

  *) Segmentation fault in ASN1_TYPE_cmp fix

     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
     made to compare ASN.1 boolean types.
     Since ASN1_TYPE_cmp is used to check
     certificate signature algorithm consistency this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.
     (CVE-2015-0286)
     [Stephen Henson]

  *) Segmentation fault for invalid PSS parameters fix

     The signature verification routines will crash with a NULL pointer
     dereference if presented with an ASN.1 signature using the RSA PSS
     algorithm and invalid parameters. Since these routines are used to verify
     certificate signature algorithms this can be used to crash any
     certificate verification operation and exploited in a DoS attack. Any
     application which performs certificate verification is vulnerable including
     OpenSSL clients and servers which enable client authentication.

     This issue was reported to OpenSSL by Brian Carpenter.
     (CVE-2015-0208)
     [Stephen Henson]

  *) ASN.1 structure reuse memory corruption fix

     Reusing a structure in ASN.1 parsing may allow an attacker to cause
     memory corruption via an invalid write. Such reuse is and has been
     strongly discouraged and is believed to be rare.

     Applications that parse structures containing CHOICE or ANY DEFINED BY
     components may be affected. Certificate parsing (d2i_X509 and related
     functions) is however not affected. OpenSSL clients and servers are
     not affected.
     (CVE-2015-0287)
     [Stephen Henson]

  *) PKCS7 NULL pointer dereferences fix

     The PKCS#7 parsing code does not handle missing outer ContentInfo
     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
     missing content and trigger a NULL pointer dereference on parsing.

     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
     otherwise parse PKCS#7 structures from untrusted sources are
     affected. OpenSSL clients and servers are not affected.

     This issue was reported to OpenSSL by Michal Zalewski (Google).
     (CVE-2015-0289)
     [Emilia Käsper]

  *) DoS via reachable assert in SSLv2 servers fix

     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
     servers that both support SSLv2 and enable export cipher suites by sending
     a specially crafted SSLv2 CLIENT-MASTER-KEY message.

     This issue was discovered by Sean Burford (Google) and Emilia Käsper
     (OpenSSL development team).
     (CVE-2015-0293)
     [Emilia Käsper]

  *) Empty CKE with client auth and DHE fix

     If client auth is used then a server can seg fault in the event of a DHE
     ciphersuite being selected and a zero length ClientKeyExchange message
     being sent by the client. This could be exploited in a DoS attack.
     (CVE-2015-1787)
     [Matt Caswell]

  *) Handshake with unseeded PRNG fix

     Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
     with an unseeded PRNG.
     The conditions are:
     - The client is on a platform where the PRNG has not been seeded
       automatically, and the user has not seeded manually
     - A protocol specific client method version has been used (i.e. not
       SSLv23_client_method)
     - A ciphersuite is used that does not require additional random data from
       the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

     If the handshake succeeds then the client random that has been used will
     have been generated from a PRNG with insufficient entropy and therefore the
     output may be predictable.

     For example using the following command with an unseeded openssl will
     succeed on an unpatched platform:

     openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
     (CVE-2015-0285)
     [Matt Caswell]

  *) Use After Free following d2i_ECPrivateKey error fix

     A malformed EC private key file consumed via the d2i_ECPrivateKey function
     could cause a use after free condition. This, in turn, could cause a double
     free in several private key parsing functions (such as d2i_PrivateKey
     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
     for applications that receive EC private keys from untrusted
     sources. This scenario is considered rare.

     This issue was discovered by the BoringSSL project and fixed in their
     commit 517073cd4b.
     (CVE-2015-0209)
     [Matt Caswell]

  *) X509_to_X509_REQ NULL pointer deref fix

     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
     the certificate key is invalid. This function is rarely used in practice.

     This issue was discovered by Brian Carpenter.
     (CVE-2015-0288)
     [Stephen Henson]

  *) Removed the export ciphers from the DEFAULT ciphers
     [Kurt Roeckx]

 Changes between 1.0.1l and 1.0.2 [22 Jan 2015]

  *) Change RSA and DH/DSA key generation apps to generate 2048-bit
     keys by default.
     [Kurt Roeckx]

  *) Facilitate "universal" ARM builds targeting a range of ARM ISAs, e.g.
     ARMv5 through ARMv8, as opposed to "locking" it to a single one.
     So far those who have to target multiple platforms would compromise
     and argue that a binary targeting say ARMv5 would still execute on
     ARMv8. "Universal" build resolves this compromise by providing
     near-optimal performance even on newer platforms.
     [Andy Polyakov]

  *) Accelerated NIST P-256 elliptic curve implementation for x86_64
     (other platforms pending).
     [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]

  *) Add support for the SignedCertificateTimestampList certificate and
     OCSP response extensions from RFC6962.
     [Rob Stradling]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases.
     (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

  *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
     This covers AES, SHA256/512 and GHASH. "Initial" means that most
     common cases are optimized and there still is room for further
     improvements. Vector Permutation AES for Altivec is also added.
     [Andy Polyakov]

  *) Add support for little-endian ppc64 Linux target.
     [Marcelo Cerri (IBM)]

  *) Initial support for ARMv8 ISA crypto extensions. This covers AES,
     SHA1, SHA256 and GHASH. "Initial" means that most common cases
     are optimized and there still is room for further improvements.
     Both 32- and 64-bit modes are supported.
     [Andy Polyakov, Ard Biesheuvel (Linaro)]

  *) Improved ARMv7 NEON support.
     [Andy Polyakov]

  *) Support for SPARC Architecture 2011 crypto extensions, first
     implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
     SHA256/512, MD5, GHASH and modular exponentiation.
     [Andy Polyakov, David Miller]

  *) Accelerated modular exponentiation for Intel processors, a.k.a.
     RSAZ.
     [Shay Gueron & Vlad Krasnov (Intel Corp)]

  *) Support for new and upcoming Intel processors, including AVX2,
     BMI and SHA ISA extensions. This includes additional "stitched"
     implementations, AESNI-SHA256 and GCM, and multi-buffer support
     for TLS encrypt.

     This work was sponsored by Intel Corp.
     [Andy Polyakov]

  *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
     supports both DTLS 1.2 and 1.0 and should use whatever version the peer
     supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
     [Steve Henson]

  *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
     this fixes a limitation in previous versions of OpenSSL.
     [Steve Henson]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
     MGF1 digest and OAEP label.
     [Steve Henson]

  *) Add EVP support for key wrapping algorithms. To avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
     algorithms and include test cases.
     [Steve Henson]

  *) Add functions to allocate and set the fields of an ECDSA_METHOD
     structure.
     [Douglas E. Engert, Steve Henson]

  *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
     difference in days and seconds between two tm or ASN1_TIME structures.
     [Steve Henson]

  *) Add -rev test option to s_server to just reverse the order of characters
     received from the client and send them back. Also prints an abbreviated
     summary of the connection parameters.
     [Steve Henson]

  *) New option -brief for s_client and s_server to print out a brief summary
     of connection parameters.
     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

  *) New option -crl_download in several openssl utilities to download CRLs
     from the CRLDP extension in certificates.
     [Steve Henson]

  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
     [Steve Henson]

  *) New function X509_CRL_diff to generate a delta CRL from the difference
     of two full CRLs. Add support to "crl" utility.
     [Steve Henson]

  *) New functions to set lookup_crls function and to retrieve
     X509_STORE from X509_STORE_CTX.
     [Steve Henson]

  *) Print out deprecated issuer and subject unique ID fields in
     certificates.
     [Steve Henson]

  *) Extend OCSP I/O functions so they can be used for simple general purpose
     HTTP as well as OCSP. New wrapper function which can be used to download
     CRLs using the OCSP API.
     [Steve Henson]

  *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
     [Steve Henson]

  *) SSL_CONF* functions. These provide a common framework for application
     configuration using configuration files or command lines.
     [Steve Henson]

  *) SSL/TLS tracing code. This parses out SSL/TLS records using the
     message callback and prints the results. Needs compile time option
     "enable-ssl-trace". New options to s_client and s_server to enable
     tracing.
     [Steve Henson]

  *) New ctrl and macro to retrieve supported points extensions.
     Print out extension in s_server and s_client.
     [Steve Henson]

  *) New functions to retrieve certificate signature and signature
     OID NID.
     [Steve Henson]

  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]

  *) New Suite B modes for TLS code. These use and enforce the requirements
     of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
     only use Suite B curves. The Suite B modes can be set by using the
     strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
     [Steve Henson]

  *) New chain verification flags for Suite B levels of security. Check
     algorithms are acceptable when flags are set in X509_verify_cert.
     [Steve Henson]

  *) Make tls1_check_chain return a set of flags indicating checks passed
     by a certificate chain. Add additional tests to handle client
     certificates: checks for matching certificate type and issuer name
     comparison.
     [Steve Henson]

  *) If an attempt is made to use a signature algorithm not in the peer
     preference list abort the handshake. If the client has no suitable
     signature algorithms in response to a certificate request do not
     use the certificate.
     [Steve Henson]

  *) If server EC tmp key is not in client preference list abort handshake.
     [Steve Henson]

  *) Add support for certificate stores in CERT structure. This makes it
     possible to have different stores per SSL structure or one store in
     the parent SSL_CTX. Include distinct stores for certificate chain
     verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
     to build and store a certificate chain in CERT structure: returning
     an error if the chain cannot be built: this will allow applications
     to test if a chain is correctly configured.

     Note: if the CERT based stores are not set then the parent SSL_CTX
     store is used to retain compatibility with existing behaviour.

     [Steve Henson]

  *) New function ssl_set_client_disabled to set a ciphersuite disabled
     mask based on the current session, check mask when sending client
     hello and checking the requested ciphersuite.
     [Steve Henson]

  *) New ctrls to retrieve and set certificate types in a certificate
     request message. Print out received values in s_client. If certificate
     types are not set with custom values, set sensible values based on
     supported signature algorithms.
     [Steve Henson]

  *) Support for distinct client and server supported signature algorithms.
     [Steve Henson]

  *) Add certificate callback. If set this is called whenever a certificate
     is required by client or server. An application can decide which
     certificate chain to present based on arbitrary criteria: for example
     supported signature algorithms. Add very simple example to s_server.
     This fixes many of the problems and restrictions of the existing client
     certificate callback: for example you can now clear an existing
     certificate and specify the whole chain.
     [Steve Henson]

  *) Add new "valid_flags" field to CERT_PKEY structure which determines what
     the certificate can be used for (if anything). Set valid_flags field
     in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
     to have similar checks in it.

     Add new "cert_flags" field to CERT structure and include a "strict mode".
     This enforces some TLS certificate requirements (such as only permitting
     certificate signature algorithms contained in the supported algorithms
     extension) which some implementations ignore: this option should be used
     with caution as it could cause interoperability issues.
     [Steve Henson]

  *) Update and tidy signature algorithm extension processing. Work out
     shared signature algorithms based on preferences and peer algorithms
     and print them out in s_client and s_server. Abort handshake if no
     shared signature algorithms.
     [Steve Henson]

  *) Add new functions to allow customised supported signature algorithms
     for SSL and SSL_CTX structures. Add options to s_client and s_server
     to support them.
     [Steve Henson]

  *) New function SSL_certs_clear() to delete all references to certificates
     from an SSL structure. Before this once a certificate had been added
     it couldn't be removed.
     [Steve Henson]

  *) Integrate hostname, email address and IP address checking with certificate
     verification. New verify options supporting checking in openssl utility.
     [Steve Henson]

  *) Fixes and wildcard matching support to hostname and email checking
     functions. Add manual page.
     [Florian Weimer (Red Hat Product Security Team)]

  *) New functions to check a hostname, email or IP address against a
     certificate. Add options to the x509 utility to print results of checks
     against a certificate.
     [Steve Henson]

  *) Fix OCSP checking.
     [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]

  *) Initial experimental support for explicitly trusted non-root CAs.
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust (e.g., -addtrust option to the x509
     utility) or reject.
     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
     platform support for Linux and Android.
     [Andy Polyakov]

  *) Support for linux-x32, ILP32 environment in x86_64 framework.
     [Andy Polyakov]

  *) Experimental multi-implementation support for FIPS capable OpenSSL.
     When in FIPS mode the approved implementations are used as normal,
     when not in FIPS mode the internal unapproved versions are used instead.
     This means that the FIPS capable OpenSSL isn't forced to use the
     (often lower performance) FIPS implementations outside FIPS mode.
     [Steve Henson]

  *) Transparently support X9.42 DH parameters when calling
     PEM_read_bio_DHparameters. This means existing applications can handle
     the new parameter format automatically.
     [Steve Henson]

  *) Initial experimental support for X9.42 DH parameter format: mainly
     to support use of 'q' parameter for RFC5114 parameters.
     [Steve Henson]

  *) Add DH parameters from RFC5114 including test data to dhtest.
     [Steve Henson]

  *) Support for automatic EC temporary key parameter selection. If enabled
     the most preferred EC parameters are automatically used instead of
     hardcoded fixed parameters. Now a server just has to call:
     SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
     support ECDH and use the most appropriate parameters.
     [Steve Henson]

  *) Enhance and tidy EC curve and point format TLS extension code. Use
     static structures instead of allocation if default values are used.
     New ctrls to set curves we wish to support and to retrieve shared curves.
     Print out shared curves in s_server. New options to s_server and s_client
     to set list of supported curves.
     [Steve Henson]

  *) New ctrls to retrieve supported signature algorithms and
     supported curve values as an array of NIDs. Extend openssl utility
     to print out received values.
     [Steve Henson]

  *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
     between NIDs and the more common NIST names such as "P-256". Enhance
     ecparam utility and ECC method to recognise the NIST names for curves.
     [Steve Henson]

  *) Enhance SSL/TLS certificate chain handling to support different
     chains for each certificate instead of one chain in the parent SSL_CTX.
     [Steve Henson]

  *) Support for fixed DH ciphersuite client authentication: where both
     server and client use DH certificates with common parameters.
     [Steve Henson]

  *) Support for fixed DH ciphersuites: those requiring DH server
     certificates.
     [Steve Henson]

  *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
     the certificate.
     Note: Related 1.0.2-beta specific macros X509_get_cert_info,
     X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
     X509_CINF_get_signature were reverted post internal team review.

 Changes between 1.0.1k and 1.0.1l [15 Jan 2015]

  *) Build fixes for the Windows and OpenVMS platforms
     [Matt Caswell and Richard Levitte]

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record.
     A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server.
     This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at
     INRIA for reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g.
     those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

  *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
     results on some platforms, including x86_64. This bug occurs at random
     with a very low probability, and is not known to be exploitable in any
     way, though its exact impact is difficult to determine.
     Thanks to Pieter
     Wuille (Blockstream) who reported this issue and also suggested an initial
     fix. Further analysis was conducted by the OpenSSL development team and
     Adam Langley of Google. The final fix was developed by Andy Polyakov of
     the OpenSSL core team.
     (CVE-2014-3570)
     [Andy Polyakov]

  *) Do not resume sessions on the server if the negotiated protocol
     version does not match the session's version. Resuming with a different
     version, while not strictly forbidden by the RFC, is of questionable
     sanity and breaks all known clients.
     [David Benjamin, Emilia Käsper]

  *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
     early CCS messages during renegotiation. (Note that because
     renegotiation is encrypted, this early CCS was not exploitable.)
     [Emilia Käsper]

  *) Tighten client-side session ticket handling during renegotiation:
     ensure that the client only accepts a session ticket if the server sends
     the extension anew in the ServerHello. Previously, a TLS client would
     reuse the old extension state and thus accept a session ticket if one was
     announced in the initial ServerHello.

     Similarly, ensure that the client requires a session ticket if one
     was advertised in the ServerHello. Previously, a TLS client would
     ignore a missing NewSessionTicket message.
     [Emilia Käsper]

 Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

  *) SRTP Memory Leak.

     A flaw in the DTLS SRTP extension parsing code allows an attacker, who
     sends a carefully crafted handshake message, to cause OpenSSL to fail
     to free up to 64k of memory causing a memory leak. This could be
     exploited in a Denial Of Service attack. This issue affects OpenSSL
     1.0.1 server implementations for both SSL/TLS and DTLS regardless of
     whether SRTP is used or configured. Implementations of OpenSSL that
     have been compiled with OPENSSL_NO_SRTP defined are not affected.

     The fix was developed by the OpenSSL team.
     (CVE-2014-3513)
     [OpenSSL team]

  *) Session Ticket Memory Leak.

     When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
     integrity of that ticket is first verified. In the event of a session
     ticket integrity check failing, OpenSSL will fail to free memory
     causing a memory leak. By sending a large number of invalid session
     tickets an attacker could exploit this issue in a Denial Of Service
     attack.
     (CVE-2014-3567)
     [Steve Henson]

  *) Build option no-ssl3 is incomplete.

     When OpenSSL is configured with "no-ssl3" as a build option, servers
     could accept and complete a SSL 3.0 handshake, and clients could be
     configured to send them.
     (CVE-2014-3568)
     [Akamai and the OpenSSL team]

  *) Add support for TLS_FALLBACK_SCSV.
     Client applications doing fallback retries should call
     SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
     (CVE-2014-3566)
     [Adam Langley, Bodo Moeller]

  *) Add additional DigestInfo checks.

     Reencode DigestInfo in DER and check against the original when
     verifying RSA signature: this will reject any improperly encoded
     DigestInfo structures.

     Note: this is a precautionary measure and no attacks are currently known.

     [Steve Henson]

 Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

  *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
     SRP code can overrun an internal buffer. Add sanity check that
     g, A, B < N to SRP code.

     Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
     Group for discovering this issue.
     (CVE-2014-3512)
     [Steve Henson]

  *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
     TLS 1.0 instead of higher protocol versions when the ClientHello message
     is badly fragmented. This allows a man-in-the-middle attacker to force a
     downgrade to TLS 1.0 even if both the server and the client support a
     higher protocol version, by modifying the client's TLS records.

     Thanks to David Benjamin and Adam Langley (Google) for discovering and
     researching this issue.
     (CVE-2014-3511)
     [David Benjamin]

  *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
     to a denial of service attack.
     A malicious server can crash the client
     with a null pointer dereference (read) by specifying an anonymous (EC)DH
     ciphersuite and sending carefully crafted handshake messages.

     Thanks to Felix Gröbert (Google) for discovering and researching this
     issue.
     (CVE-2014-3510)
     [Emilia Käsper]

  *) By sending carefully crafted DTLS packets an attacker could cause openssl
     to leak memory. This can be exploited through a Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3507)
     [Adam Langley]

  *) An attacker can force openssl to consume large amounts of memory whilst
     processing DTLS handshake messages. This can be exploited through a
     Denial of Service attack.
     Thanks to Adam Langley for discovering and researching this issue.
     (CVE-2014-3506)
     [Adam Langley]

  *) An attacker can force an error condition which causes openssl to crash
     whilst processing DTLS packets due to memory being freed twice. This
     can be exploited through a Denial of Service attack.
     Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
     this issue.
     (CVE-2014-3505)
     [Adam Langley]

  *) If a multithreaded client connects to a malicious server using a resumed
     session and the server sends an ec point format extension it could write
     up to 255 bytes to freed memory.

     Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
     issue.
     (CVE-2014-3509)
     [Gabor Tyukasz]

  *) A malicious server can crash an OpenSSL client with a null pointer
     dereference (read) by specifying an SRP ciphersuite even though it was not
     properly negotiated with the client. This can be exploited through a
     Denial of Service attack.

     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
     discovering and researching this issue.
     (CVE-2014-5139)
     [Steve Henson]

  *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
     X509_name_oneline, X509_name_print_ex et al. to leak some information
     from the stack. Applications may be affected if they echo pretty printing
     output to the attacker.

     Thanks to Ivan Fratric (Google) for discovering this issue.
     (CVE-2014-3508)
     [Emilia Käsper and Steve Henson]

  *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
     for corner cases. (Certain input points at infinity could lead to
     bogus results, with non-infinity inputs mapped to infinity too.)
     [Bodo Moeller]

 Changes between 1.0.1g and 1.0.1h [5 Jun 2014]

  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
     handshake can force the use of weak keying material in OpenSSL
     SSL/TLS clients and servers.

     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
     researching this issue. (CVE-2014-0224)
     [KIKUCHI Masashi, Steve Henson]

  *) Fix DTLS recursion flaw.
By sending an invalid DTLS handshake to an 1760267256Sjkim OpenSSL DTLS client the code can be made to recurse eventually crashing 1761267256Sjkim in a DoS attack. 1762267256Sjkim 1763267256Sjkim Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. 1764267256Sjkim (CVE-2014-0221) 1765267256Sjkim [Imre Rad, Steve Henson] 1766267256Sjkim 1767267256Sjkim *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can 1768267256Sjkim be triggered by sending invalid DTLS fragments to an OpenSSL DTLS 1769267256Sjkim client or server. This is potentially exploitable to run arbitrary 1770267256Sjkim code on a vulnerable client or server. 1771267256Sjkim 1772291719Sjkim Thanks to J��ri Aedla for reporting this issue. (CVE-2014-0195) 1773291719Sjkim [J��ri Aedla, Steve Henson] 1774267256Sjkim 1775267256Sjkim *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites 1776267256Sjkim are subject to a denial of service attack. 1777267256Sjkim 1778291719Sjkim Thanks to Felix Gr��bert and Ivan Fratric at Google for discovering 1779267256Sjkim this issue. (CVE-2014-3470) 1780291719Sjkim [Felix Gr��bert, Ivan Fratric, Steve Henson] 1781267256Sjkim 1782267256Sjkim *) Harmonize version and its documentation. -f flag is used to display 1783267256Sjkim compilation flags. 1784267256Sjkim [mancha <mancha1@zoho.com>] 1785267256Sjkim 1786267256Sjkim *) Fix eckey_priv_encode so it immediately returns an error upon a failure 1787291719Sjkim in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. 1788267256Sjkim [mancha <mancha1@zoho.com>] 1789267256Sjkim 1790267256Sjkim *) Fix some double frees. These are not thought to be exploitable. 
1791267256Sjkim [mancha <mancha1@zoho.com>] 1792267256Sjkim 1793264278Sjkim Changes between 1.0.1f and 1.0.1g [7 Apr 2014] 1794264278Sjkim 1795264278Sjkim *) A missing bounds check in the handling of the TLS heartbeat extension 1796264278Sjkim can be used to reveal up to 64k of memory to a connected client or 1797264278Sjkim server. 1798264278Sjkim 1799264278Sjkim Thanks for Neel Mehta of Google Security for discovering this bug and to 1800264278Sjkim Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for 1801264278Sjkim preparing the fix (CVE-2014-0160) 1802264278Sjkim [Adam Langley, Bodo Moeller] 1803264278Sjkim 1804264278Sjkim *) Fix for the attack described in the paper "Recovering OpenSSL 1805264278Sjkim ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" 1806264278Sjkim by Yuval Yarom and Naomi Benger. Details can be obtained from: 1807264278Sjkim http://eprint.iacr.org/2014/140 1808264278Sjkim 1809264278Sjkim Thanks to Yuval Yarom and Naomi Benger for discovering this 1810264278Sjkim flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) 1811264278Sjkim [Yuval Yarom and Naomi Benger] 1812264278Sjkim 1813264278Sjkim *) TLS pad extension: draft-agl-tls-padding-03 1814264278Sjkim 1815264278Sjkim Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the 1816264278Sjkim TLS client Hello record length value would otherwise be > 255 and 1817264278Sjkim less that 512 pad with a dummy extension containing zeroes so it 1818264278Sjkim is at least 512 bytes long. 1819264278Sjkim 1820264278Sjkim [Adam Langley, Steve Henson] 1821264278Sjkim 1822261037Sjkim Changes between 1.0.1e and 1.0.1f [6 Jan 2014] 1823261037Sjkim 1824261037Sjkim *) Fix for TLS record tampering bug. A carefully crafted invalid 1825261037Sjkim handshake could crash OpenSSL with a NULL pointer exception. 1826261037Sjkim Thanks to Anton Johansson for reporting this issues. 
     (CVE-2013-4353)

  *) Keep original DTLS digest and encryption contexts in retransmission
     structures so we can use the previous session parameters if they need
     to be resent. (CVE-2013-6450)
     [Steve Henson]

  *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
     avoids preferring ECDHE-ECDSA ciphers when the client appears to be
     Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
     several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
     is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
     10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
     [Rob Stradling, Adam Langley]

 Changes between 1.0.1d and 1.0.1e [11 Feb 2013]

  *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
     supporting platforms or when small records were transferred.
     [Andy Polyakov, Steve Henson]

 Changes between 1.0.1c and 1.0.1d [5 Feb 2013]

  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.

     This addresses the flaw in CBC record processing discovered by
     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
     at: http://www.isg.rhul.ac.uk/tls/

     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
     Emilia Käsper for the initial patch.
     (CVE-2013-0169)
     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]

  *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
     ciphersuites which can be exploited in a denial of service attack.
     Thanks go to Adam Langley <agl@chromium.org> for discovering
     and detecting this bug and to Wolfgang Ettlinger
     <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
     (CVE-2012-2686)
     [Adam Langley]

  *) Return an error when checking OCSP signatures when key is NULL.
     This fixes a DoS attack. (CVE-2013-0166)
     [Steve Henson]

  *) Make openssl verify return errors.
     [Chris Palmer <palmer@google.com> and Ben Laurie]

  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
     the right response is stapled. Also change SSL_get_certificate()
     so it returns the certificate actually sent.
     See http://rt.openssl.org/Ticket/Display.html?id=2836.
     [Rob Stradling <rob.stradling@comodo.com>]

  *) Fix possible deadlock when decoding public keys.
     [Steve Henson]

  *) Don't use TLS 1.0 record version number in initial client hello
     if renegotiating.
     [Steve Henson]

 Changes between 1.0.1b and 1.0.1c [10 May 2012]

  *) Sanity check record length before skipping explicit IV in TLS
     1.2, 1.1 and DTLS to fix DoS attack.

     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
     fuzzing as a service testing platform.
     (CVE-2012-2333)
     [Steve Henson]

  *) Initialise tkeylen properly when encrypting CMS messages.
     Thanks to Solar Designer of Openwall for reporting this issue.
     [Steve Henson]

  *) In FIPS mode don't try to use composite ciphers as they are not
     approved.
     [Steve Henson]

 Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

  *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
     1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
     mean any application compiled against OpenSSL 1.0.0 headers setting
     SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
     TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
     0x10000000L. Any application which was previously compiled against
     OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
     will need to be recompiled as a result. Leaving it as it was would
     result in an inability to disable specifically TLS 1.1 and, in client
     context, in the unlikely event, would limit the maximum offered version
     to TLS 1.0 [see below].
     [Steve Henson]

  *) In order to ensure interoperability SSL_OP_NO_protocolX does not
     disable just protocol X, but all protocols above X *if* there are
     protocols *below* X still enabled. In more practical terms it means
     that if application wants to disable TLS1.0 in favor of TLS1.1 and
     above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
     SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
     client side.
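     The two 1.0.1b entries above describe a bit collision between SSL_OP_ALL
     and the original SSL_OP_NO_TLSv1_1 value, and the contiguous-range
     semantics of SSL_OP_NO_protocolX on the client. The following added
     example (not OpenSSL's own code) models both rules in Python; it assumes
     the option bit values of the OpenSSL 1.0.1b ssl.h, and offered_versions()
     is a model of the documented rule, not the library's negotiation code.

```python
# Added example (not OpenSSL's own code): a model of the client-side
# SSL_OP_NO_<protocol> semantics and of the SSL_OP_ALL / SSL_OP_NO_TLSv1_1
# bit collision described in the 1.0.1b CHANGES entries.
# Assumptions: the option bit values below are those of the OpenSSL 1.0.1b
# ssl.h; offered_versions() models the documented rule, not the library's
# actual version-negotiation code.

SSL_OP_ALL = 0x80000FFF              # OpenSSL 1.0.0 value quoted in the entry
SSL_OP_NO_SSLv2 = 0x01000000
SSL_OP_NO_SSLv3 = 0x02000000
SSL_OP_NO_TLSv1 = 0x04000000
SSL_OP_NO_TLSv1_2 = 0x08000000
SSL_OP_NO_TLSv1_1 = 0x10000000       # 1.0.1b value, disjoint from SSL_OP_ALL
OLD_SSL_OP_NO_TLSv1_1 = 0x00000400   # 1.0.1 / 1.0.1a value, inside SSL_OP_ALL

# Protocols from lowest to highest, each with the option bit that disables it.
PROTOCOLS = (
    ("SSLv2", SSL_OP_NO_SSLv2),
    ("SSLv3", SSL_OP_NO_SSLv3),
    ("TLSv1", SSL_OP_NO_TLSv1),
    ("TLSv1.1", SSL_OP_NO_TLSv1_1),
    ("TLSv1.2", SSL_OP_NO_TLSv1_2),
)
# The same table as seen through 1.0.1 / 1.0.1a headers.
OLD_PROTOCOLS = tuple(
    (name, OLD_SSL_OP_NO_TLSv1_1 if name == "TLSv1.1" else bit)
    for name, bit in PROTOCOLS
)


def offered_versions(options, protocols=PROTOCOLS):
    """Versions an SSLv23-method client effectively offers under `options`.

    The client advertises one maximum version and the server picks anything
    at or below it, so the client can only ever offer a contiguous range.
    Per the CHANGES entry, disabling X while something below X is still
    enabled also drops everything above X: the offered range is the block of
    enabled versions that starts at the lowest enabled one.
    """
    offered = []
    for name, bit in protocols:
        if options & bit:
            if offered:        # first hole above the enabled block: stop
                break
            continue           # still below the lowest enabled version
        offered.append(name)
    return offered


def options_for_minimum(min_version, protocols=PROTOCOLS):
    """Option bits that disable every protocol below `min_version`.

    This is the pattern the entry recommends: to require TLS 1.1 or newer,
    pass SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2, not SSL_OP_NO_TLSv1.
    """
    options = 0
    for name, bit in protocols:
        if name == min_version:
            return options
        options |= bit
    raise ValueError("unknown protocol: %r" % (min_version,))


def op_all_disables_tls11(no_tlsv1_1_bit):
    """True if SSL_OP_ALL (as defined by 1.0.0 headers) sets the given
    SSL_OP_NO_TLSv1_1 bit, i.e. if the two definitions collide."""
    return bool(SSL_OP_ALL & no_tlsv1_1_bit)


if __name__ == "__main__":
    print("SSL_OP_NO_TLSv1 alone       ->", offered_versions(SSL_OP_NO_TLSv1))
    print("NO_TLSv1|NO_SSLv3|NO_SSLv2  ->",
          offered_versions(options_for_minimum("TLSv1.1")))
    print("SSL_OP_ALL, 1.0.1a headers  ->",
          offered_versions(SSL_OP_ALL, OLD_PROTOCOLS))
    print("SSL_OP_ALL, 1.0.1b headers  ->", offered_versions(SSL_OP_ALL))
```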
     [Andy Polyakov]

 Changes between 1.0.1 and 1.0.1a [19 Apr 2012]

  *) Check for potentially exploitable overflows in asn1_d2i_read_bio,
     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
     in CRYPTO_realloc_clean.

     Thanks to Tavis Ormandy, Google Security Team, for discovering this
     issue and to Adam Langley <agl@chromium.org> for fixing it.
     (CVE-2012-2110)
     [Adam Langley (Google), Tavis Ormandy, Google Security Team]

  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
     [Adam Langley]

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes.

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.
     [Steve Henson]

  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
     [Andy Polyakov]

 Changes between 1.0.0h and 1.0.1 [14 Mar 2012]

  *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
     STRING form instead of a DigestInfo.
     [Steve Henson]

  *) The format used for MDC2 RSA signatures is inconsistent between EVP
     and the RSA_sign/RSA_verify functions. This was made more apparent when
     OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
     those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
     the correct format in RSA_verify so both forms transparently work.
     [Steve Henson]

  *) Some servers which support TLS 1.0 can choke if we initially indicate
     support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
     encrypted premaster secret. As a workaround use the maximum permitted
     client version in client hello, this should keep such servers happy
     and still work with previous versions of OpenSSL.
     [Steve Henson]

  *) Add support for TLS/DTLS heartbeats.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add support for SCTP.
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Improved PRNG seeding for VOS.
     [Paul Green <Paul.Green@stratus.com>]

  *) Extensive assembler packs updates, most notably:

     - x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
     - x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
     - x86_64: bit-sliced AES implementation;
     - ARM: NEON support, contemporary platforms optimizations;
     - s390x: z196 support;
     - *: GHASH and GF(2^m) multiplication implementations;

     [Andy Polyakov]

  *) Make TLS-SRP code conformant with RFC 5054 API cleanup
     (removal of unnecessary code)
     [Peter Sylvester <peter.sylvester@edelweb.fr>]

  *) Add TLS key material exporter from RFC 5705.
     [Eric Rescorla]

  *) Add DTLS-SRTP negotiation from RFC 5764.
     [Eric Rescorla]

  *) Add Next Protocol Negotiation,
     http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
     disabled with a no-npn flag to config or Configure. Code donated
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
     NIST-P256, NIST-P521, with constant-time single point multiplication on
     typical inputs. Compiler support for the nonstandard type __uint128_t is
     required to use this (present in gcc 4.4 and later, for 64-bit builds).
     Code made available under Apache License version 2.0.

     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
     line to include this in your build of OpenSSL, and run "make depend" (or
     "make update"). This enables the following EC_METHODs:

         EC_GFp_nistp224_method()
         EC_GFp_nistp256_method()
         EC_GFp_nistp521_method()

     EC_GROUP_new_by_curve_name() will automatically use these (while
     EC_GROUP_new_curve_GFp() currently prefers the more flexible
     implementations).
     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]

  *) Use type ossl_ssize_t instead of ssize_t which isn't available on
     all platforms. Move ssize_t definition from e_os.h to the public
     header file e_os2.h as it now appears in public header file cms.h
     [Steve Henson]

  *) New -sigopt option to the ca, req and x509 utilities. Additional
     signature parameters can be passed using this option and in
     particular PSS.
     [Steve Henson]

  *) Add RSA PSS signing function. This will generate and set the
     appropriate AlgorithmIdentifiers for PSS based on those in the
     corresponding EVP_MD_CTX structure. No application support yet.
     [Steve Henson]

  *) Support for companion algorithm specific ASN1 signing routines.
     New function ASN1_item_sign_ctx() signs a pre-initialised
     EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
     the appropriate parameters.
     [Steve Henson]

  *) Add new algorithm specific ASN1 verification initialisation function
     to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
     handling will be the same no matter what EVP_PKEY_METHOD is used.
     Add a PSS handler to support verification of PSS signatures: checked
     against a number of sample certificates.
     [Steve Henson]

  *) Add signature printing for PSS. Add PSS OIDs.
     [Steve Henson, Martin Kaiser <lists@kaiser.cx>]

  *) Add algorithm specific signature printing. An individual ASN1 method
     can now print out signatures instead of the standard hex dump.

     More complex signatures (e.g. PSS) can print out more meaningful
     information. Include DSA version that prints out the signature
     parameters r, s.
     [Steve Henson]

  *) Password based recipient info support for CMS library: implementing
     RFC3211.
     [Steve Henson]

  *) Split password based encryption into PBES2 and PBKDF2 functions. This
     neatly separates the code into cipher and PBE sections and is required
     for some algorithms that split PBES2 into separate pieces (such as
     password based CMS).
     [Steve Henson]

  *) Session-handling fixes:
     - Fix handling of connections that are resuming with a session ID,
       but also support Session Tickets.
     - Fix a bug that suppressed issuing of a new ticket if the client
       presented a ticket with an expired session.
     - Try to set the ticket lifetime hint to something reasonable.
     - Make tickets shorter by excluding irrelevant information.
     - On the client side, don't ignore renewed tickets.
     [Adam Langley, Bodo Moeller (Google)]

  *) Fix PSK session representation.
     [Bodo Moeller]

  *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.

     This work was sponsored by Intel.
     [Andy Polyakov]

  *) Add GCM support to TLS library. Some custom code is needed to split
     the IV between the fixed (from PRF) and explicit (from TLS record)
     portions. This adds all GCM ciphersuites supported by RFC5288 and
     RFC5289. Generalise some AES* cipherstrings to include GCM and
     add a special AESGCM string for GCM only.
     [Steve Henson]

  *) Expand range of ctrls for AES GCM. Permit setting invocation
     field on decrypt and retrieval of invocation field only on encrypt.
     [Steve Henson]

  *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
     As required by RFC5289 these ciphersuites cannot be used for
     versions of TLS earlier than 1.2.
     [Steve Henson]

  *) For FIPS capable OpenSSL interpret a NULL default public key method
     as unset and return the appropriate default but do *not* set the default.
     This means we can return the appropriate method in applications that
     switch between FIPS and non-FIPS modes.
     [Steve Henson]

  *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
     ENGINE is used then we cannot handle that in the FIPS module so we
     keep original code iff non-FIPS operations are allowed.
     [Steve Henson]

  *) Add -attime option to openssl utilities.
     [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]

  *) Redirect DSA and DH operations to FIPS module in FIPS mode.
     [Steve Henson]

  *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
     FIPS EC methods unconditionally for now.
     [Steve Henson]

  *) New build option no-ec2m to disable characteristic 2 code.
     [Steve Henson]

  *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
     all cases can be covered as some introduce binary incompatibilities.
     [Steve Henson]

  *) Redirect RSA operations to FIPS module including keygen,
     encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
     [Steve Henson]

  *) Add similar low level API blocking to ciphers.
     [Steve Henson]

  *) Low level digest APIs are not approved in FIPS mode: any attempt
     to use these will cause a fatal error. Applications that *really* want
     to use them can use the private_* version instead.
     [Steve Henson]

  *) Redirect cipher operations to FIPS module for FIPS builds.
     [Steve Henson]

  *) Redirect digest operations to FIPS module for FIPS builds.
     [Steve Henson]

  *) Update build system to add "fips" flag which will link in fipscanister.o
     for static and shared library builds embedding a signature if needed.
     [Steve Henson]

  *) Output TLS supported curves in preference order instead of numerical
     order. This is currently hardcoded for the highest order curves first.
     This should be configurable so applications can judge speed vs strength.
     [Steve Henson]

  *) Add TLS v1.2 server support for client authentication.
     [Steve Henson]

  *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
     and enable MD5.
     [Steve Henson]

  *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
     FIPS modules versions.
     [Steve Henson]

  *) Add TLS v1.2 client side support for client authentication. Keep cache
     of handshake records longer as we don't know the hash algorithm to use
     until after the certificate request message is received.
     [Steve Henson]

  *) Initial TLS v1.2 client support. Add a default signature algorithms
     extension including all the algorithms we support. Parse new signature
     format in client key exchange. Relax some ECC signing restrictions for
     TLS v1.2 as indicated in RFC5246.
     [Steve Henson]

  *) Add server support for TLS v1.2 signature algorithms extension. Switch
     to new signature format when needed using client digest preference.
     All server ciphersuites should now work correctly in TLS v1.2. No client
     support yet and no support for client certificates.
     [Steve Henson]

  *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
     to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
     ciphersuites. At present only RSA key exchange ciphersuites work with
     TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
     SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
     and version checking.
     [Steve Henson]

  *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
     with this defined it will not be affected by any changes to ssl internal
     structures. Add several utility functions to allow openssl application
     to work with OPENSSL_NO_SSL_INTERN defined.
     [Steve Henson]

  *) A long standing patch to add support for SRP from EdelWeb (Peter
     Sylvester and Christophe Renou) was integrated.
     [Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
     <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
     Ben Laurie]

  *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
     [Steve Henson]

  *) Permit abbreviated handshakes when renegotiating using the function
     SSL_renegotiate_abbreviated().
     [Robin Seggelmann <seggelmann@fh-muenster.de>]

  *) Add call to ENGINE_register_all_complete() to
     ENGINE_load_builtin_engines(), so some implementations get used
     automatically instead of needing explicit application support.
     [Steve Henson]

  *) Add support for TLS key exporter as described in RFC5705.
     [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson]

  *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
     a few changes are required:

     Add SSL_OP_NO_TLSv1_1 flag.
     Add TLSv1_1 methods.
     Update version checking logic to handle version 1.1.
     Add explicit IV handling (ported from DTLS code).
     Add command line options to s_client/s_server.
     [Steve Henson]

 Changes between 1.0.0g and 1.0.0h [12 Mar 2012]

  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
     in CMS and PKCS7 code. When RSA decryption fails use a random key for
     content decryption and always return the same error. Note: this attack
     needs on average 2^20 messages so it only affects automated senders. The
     old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
     an MMA defence is not necessary.
     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
     this issue. (CVE-2012-0884)
     [Steve Henson]

  *) Fix CVE-2011-4619: make sure we really are receiving a
     client hello before rejecting multiple SGC restarts. Thanks to
     Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
     [Steve Henson]

 Changes between 1.0.0f and 1.0.0g [18 Jan 2012]

  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
     Thanks to Antonio Martin, Enterprise Secure Access Research and
     Development, Cisco Systems, Inc. for discovering this bug and
     preparing a fix.
     (CVE-2012-0050)
     [Antonio Martin]

 Changes between 1.0.0e and 1.0.0f [4 Jan 2012]

  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
     of the Vaudenay padding oracle attack on CBC mode encryption
     which enables an efficient plaintext recovery attack against
     the OpenSSL implementation of DTLS. Their attack exploits timing
     differences arising during decryption processing. A research
     paper describing this attack can be found at:
     http://www.isg.rhul.ac.uk/~kp/dtls.pdf
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
     for preparing the fix. (CVE-2011-4108)
     [Robin Seggelmann, Michael Tuexen]

  *) Clear bytes used for block padding of SSL 3.0 records.
     (CVE-2011-4576)
     [Adam Langley (Google)]

  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
     Kadianakis <desnacked@gmail.com> for discovering this issue and
     Adam Langley for preparing the fix. (CVE-2011-4619)
     [Adam Langley (Google)]

  *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
     [Andrey Kulikov <amdeich@gmail.com>]

  *) Prevent malformed RFC3779 data triggering an assertion failure.
     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
     and Rob Austein <sra@hactrn.net> for fixing it.
(CVE-2011-4577) 2306238405Sjkim [Rob Austein <sra@hactrn.net>] 2307238405Sjkim 2308238405Sjkim *) Improved PRNG seeding for VOS. 2309238405Sjkim [Paul Green <Paul.Green@stratus.com>] 2310238405Sjkim 2311238405Sjkim *) Fix ssl_ciph.c set-up race. 2312238405Sjkim [Adam Langley (Google)] 2313238405Sjkim 2314238405Sjkim *) Fix spurious failures in ecdsatest.c. 2315291719Sjkim [Emilia K��sper (Google)] 2316238405Sjkim 2317238405Sjkim *) Fix the BIO_f_buffer() implementation (which was mixing different 2318238405Sjkim interpretations of the '..._len' fields). 2319238405Sjkim [Adam Langley (Google)] 2320238405Sjkim 2321238405Sjkim *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than 2322238405Sjkim BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent 2323238405Sjkim threads won't reuse the same blinding coefficients. 2324238405Sjkim 2325238405Sjkim This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING 2326238405Sjkim lock to call BN_BLINDING_invert_ex, and avoids one use of 2327238405Sjkim BN_BLINDING_update for each BN_BLINDING structure (previously, 2328238405Sjkim the last update always remained unused). 2329291719Sjkim [Emilia K��sper (Google)] 2330238405Sjkim 2331238405Sjkim *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. 2332238405Sjkim [Bob Buckholz (Google)] 2333238405Sjkim 2334238405Sjkim Changes between 1.0.0d and 1.0.0e [6 Sep 2011] 2335238405Sjkim 2336238405Sjkim *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted 2337238405Sjkim by initialising X509_STORE_CTX properly. (CVE-2011-3207) 2338238405Sjkim [Kaspar Brand <ossl@velox.ch>] 2339238405Sjkim 2340238405Sjkim *) Fix SSL memory handling for (EC)DH ciphersuites, in particular 2341238405Sjkim for multi-threaded use of ECDH. (CVE-2011-3210) 2342238405Sjkim [Adam Langley (Google)] 2343238405Sjkim 2344238405Sjkim *) Fix x509_name_ex_d2i memory leak on bad inputs. 
2345238405Sjkim [Bodo Moeller] 2346238405Sjkim 2347238405Sjkim *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check 2348238405Sjkim signature public key algorithm by using OID xref utilities instead. 2349238405Sjkim Before this you could only use some ECC ciphersuites with SHA1 only. 2350238405Sjkim [Steve Henson] 2351238405Sjkim 2352238405Sjkim *) Add protection against ECDSA timing attacks as mentioned in the paper 2353238405Sjkim by Billy Bob Brumley and Nicola Tuveri, see: 2354238405Sjkim 2355238405Sjkim http://eprint.iacr.org/2011/232.pdf 2356238405Sjkim 2357238405Sjkim [Billy Bob Brumley and Nicola Tuveri] 2358238405Sjkim 2359238405Sjkim Changes between 1.0.0c and 1.0.0d [8 Feb 2011] 2360238405Sjkim 2361238405Sjkim *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 2362238405Sjkim [Neel Mehta, Adam Langley, Bodo Moeller (Google)] 2363238405Sjkim 2364238405Sjkim *) Fix bug in string printing code: if *any* escaping is enabled we must 2365238405Sjkim escape the escape character (backslash) or the resulting string is 2366238405Sjkim ambiguous. 2367238405Sjkim [Steve Henson] 2368238405Sjkim 2369238405Sjkim Changes between 1.0.0b and 1.0.0c [2 Dec 2010] 2370238405Sjkim 2371238405Sjkim *) Disable code workaround for ancient and obsolete Netscape browsers 2372238405Sjkim and servers: an attacker can use it in a ciphersuite downgrade attack. 2373238405Sjkim Thanks to Martin Rex for discovering this bug. CVE-2010-4180 2374238405Sjkim [Steve Henson] 2375238405Sjkim 2376238405Sjkim *) Fixed J-PAKE implementation error, originally discovered by 2377238405Sjkim Sebastien Martini, further info and confirmation from Stefan 2378238405Sjkim Arentz and Feng Hao. Note that this fix is a security fix. 
     CVE-2010-4252
     [Ben Laurie]

 Changes between 1.0.0a and 1.0.0b [16 Nov 2010]

  *) Fix extension code to avoid race conditions which can result in a buffer
     overrun vulnerability: resumed sessions must not be modified as they can
     be shared by multiple threads. CVE-2010-3864
     [Steve Henson]

  *) Fix WIN32 build system to correctly link an ENGINE directory into
     a DLL.
     [Steve Henson]

 Changes between 1.0.0 and 1.0.0a [01 Jun 2010]

  *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
     (CVE-2010-1633)
     [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]

 Changes between 0.9.8n and 1.0.0 [29 Mar 2010]

  *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
     context. The operation can be customised via the ctrl mechanism in
     case ENGINEs want to include additional functionality.
     [Steve Henson]

  *) Tolerate yet another broken PKCS#8 key format: private key value negative.
     [Steve Henson]

  *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
     output hashes compatible with older versions of OpenSSL.
     [Willy Weisz <weisz@vcpc.univie.ac.at>]

  *) Fix compression algorithm handling: if resuming a session use the
     compression algorithm of the resumed session instead of determining
     it from client hello again. Don't allow server to change algorithm.
     [Steve Henson]

  *) Add load_crls() function to apps tidying load_certs() too.
     Add option to verify utility to allow additional CRLs to be included.
     [Steve Henson]

  *) Update OCSP request code to permit adding custom headers to the request:
     some responders need this.
     [Steve Henson]

  *) The function EVP_PKEY_sign() returns <=0 on error: check return code
     correctly.
     [Julia Lawall <julia@diku.dk>]

  *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
     needlessly dereferenced structures, used obsolete functions and
     didn't handle all updated verify codes correctly.
     [Steve Henson]

  *) Disable MD2 in the default configuration.
     [Steve Henson]

  *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
     indicate the initial BIO being pushed or popped. This makes it possible
     to determine whether the BIO is the one explicitly called or as a result
     of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
     it handles reference counts correctly and doesn't zero out the I/O bio
     when it is not being explicitly popped. WARNING: applications which
     included workarounds for the old buggy behaviour will need to be modified
     or they could free up already freed BIOs.
     [Steve Henson]

  *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
     renaming to all platforms (within the 0.9.8 branch, this was
     done conditionally on Netware platforms to avoid a name clash).
     [Guenter <lists@gknw.net>]

  *) Add ECDHE and PSK support to DTLS.
     [Michael Tuexen <tuexen@fh-muenster.de>]

  *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
     be used on C++.
     [Steve Henson]

  *) Add "missing" function EVP_MD_flags() (without this the only way to
     retrieve a digest's flags is by accessing the structure directly). Update
     EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
     or cipher is registered as in the "from" argument. Print out all
     registered digests in the dgst usage message instead of manually
     attempting to work them out.
     [Steve Henson]

  *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
     this allows the use of compression and extensions. Change default cipher
     string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
     by default unless an application cipher string requests it.
     [Steve Henson]

  *) Alter match criteria in PKCS12_parse(). It used to try to use local
     key ids to find matching certificates and keys but some PKCS#12 files
     don't follow the (somewhat unwritten) rules and this strategy fails.
     Now just gather all certificates together and the first private key
     then look for the first certificate that matches the key.
     [Steve Henson]

  *) Support use of registered digest and cipher names for dgst and cipher
     commands instead of having to add each one as a special case.
     So now you can do:

     openssl sha256 foo

     as well as:

     openssl dgst -sha256 foo

     and this works for ENGINE based algorithms too.

     [Steve Henson]

  *) Update Gost ENGINE to support parameter files.
     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Support GeneralizedTime in ca utility.
     [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]

  *) Enhance the hash format used for certificate directory links. The new
     form uses the canonical encoding (meaning equivalent names will work
     even if they aren't identical) and uses SHA1 instead of MD5. This form
     is incompatible with the older format and as a result c_rehash should
     be used to rebuild symbolic links.
     [Steve Henson]

  *) Make PKCS#8 the default write format for private keys, replacing the
     traditional format. This form is standardised, more secure and doesn't
     include an implicit MD5 dependency.
     [Steve Henson]

  *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
     committed to OpenSSL should pass this lot as a minimum.
     [Steve Henson]

  *) Add session ticket override functionality for use by EAP-FAST.
     [Jouni Malinen <j@w1.fi>]

  *) Modify HMAC functions to return a value. Since these can be implemented
     in an ENGINE errors can occur.
     [Steve Henson]

  *) Type-checked OBJ_bsearch_ex.
     [Ben Laurie]

  *) Type-checked OBJ_bsearch. Also some constification necessitated
     by type-checking. Still to come: TXT_DB, bsearch(?),
     OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
     CONF_VALUE.
     [Ben Laurie]

  *) New function OPENSSL_gmtime_adj() to add a specific number of days and
     seconds to a tm structure directly, instead of going through OS
     specific date routines. This avoids any issues with OS routines such
     as the year 2038 bug. New *_adj() functions for ASN1 time structures
     and X509_time_adj_ex() to cover the extended range. The existing
     X509_time_adj() is still usable and will no longer have any date issues.
     [Steve Henson]

  *) Delta CRL support. New use deltas option which will attempt to locate
     and search any appropriate delta CRLs available.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for CRLs partitioned by reason code. Reorganise CRL processing
     code and add additional score elements. Validate alternate CRL paths
     as part of the CRL checking and indicate a new error "CRL path validation
     error" in this case. Applications wanting additional details can use
     the verify callback and check the new "parent" field. If this is not
     NULL CRL path validation is taking place. Existing applications won't
     see this because it requires extended CRL support which is off by
     default.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for freshest CRL extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Initial indirect CRL support. Currently only supported in the CRLs
     passed directly and not via lookup. Process certificate issuer
     CRL entry extension and lookup CRL entries by both issuer name
     and serial number. Check and process CRL issuer entry in IDP extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add support for distinct certificate and CRL paths. The CRL issuer
     certificate is validated separately in this case. Only enabled if
     an extended CRL support flag is set: this flag will enable additional
     CRL functionality in future.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add support for policy mappings extension.

     This work was sponsored by Google.
     [Steve Henson]

  *) Fixes to pathlength constraint, self issued certificate handling,
     policy processing to align with RFC3280 and PKITS tests.

     This work was sponsored by Google.
     [Steve Henson]

  *) Support for name constraints certificate extension. DN, email, DNS
     and URI types are currently supported.

     This work was sponsored by Google.
     [Steve Henson]

  *) To cater for systems that provide a pointer-based thread ID rather
     than numeric, deprecate the current numeric thread ID mechanism and
     replace it with a structure and associated callback type.
     This mechanism allows a numeric "hash" to be extracted from a thread ID in
     either case, and on platforms where pointers are larger than 'long',
     mixing is done to help ensure the numeric 'hash' is usable even if it
     can't be guaranteed unique. The default mechanism is to use "&errno"
     as a pointer-based thread ID to distinguish between threads.

     Applications that want to provide their own thread IDs should now use
     CRYPTO_THREADID_set_callback() to register a callback that will call
     either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().

     Note that ERR_remove_state() is now deprecated, because it is tied
     to the assumption that thread IDs are numeric. ERR_remove_state(0)
     to free the current thread's error state should be replaced by
     ERR_remove_thread_state(NULL).

     (This new approach replaces the functions CRYPTO_set_idptr_callback(),
     CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
     OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
     application was previously providing a numeric thread callback that
     was inappropriate for distinguishing threads, then uniqueness might
     have been obtained with &errno that happened immediately in the
     intermediate development versions of OpenSSL; this is no longer the
     case, the numeric thread callback will now override the automatic use
     of &errno.)
     [Geoff Thorpe, with help from Bodo Moeller]

  *) Initial support for different CRL issuing certificates.
     This covers a simple case where the self issued certificates in the
     chain exist and the real CRL issuer is higher in the existing chain.

     This work was sponsored by Google.
     [Steve Henson]

  *) Removed effectively defunct crypto/store from the build.
     [Ben Laurie]

  *) Revamp of STACK to provide stronger type-checking. Still to come:
     TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
     ASN1_STRING, CONF_VALUE.
     [Ben Laurie]

  *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
     RAM on SSL connections. This option can save about 34k per idle SSL.
     [Nick Mathewson]

  *) Revamp of LHASH to provide stronger type-checking. Still to come:
     STACK, TXT_DB, bsearch, qsort.
     [Ben Laurie]

  *) Initial support for Cryptographic Message Syntax (aka CMS) based
     on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
     support for data, signedData, compressedData, digestedData and
     encryptedData, envelopedData types included. Scripts to check against
     RFC4134 examples draft and interop and consistency checks of many
     content types and variants.
     [Steve Henson]

  *) Add options to enc utility to support use of zlib compression BIO.
     [Steve Henson]

  *) Extend mk1mf to support importing of options and assembly language
     files from Configure script, currently only included in VC-WIN32.
     The assembly language rules can now optionally generate the source
     files from the associated perl scripts.
     [Steve Henson]

  *) Implement remaining functionality needed to support GOST ciphersuites.
     Interop testing has been performed using CryptoPro implementations.
     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) s390x assembler pack.
     [Andy Polyakov]

  *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
     "family."
     [Andy Polyakov]

  *) Implement Opaque PRF Input TLS extension as specified in
     draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
     official specification yet and no extension type assignment by
     IANA exists, this extension (for now) will have to be explicitly
     enabled when building OpenSSL by providing the extension number
     to use. For example, specify an option

     -DTLSEXT_TYPE_opaque_prf_input=0x9527

     to the "config" or "Configure" script to enable the extension,
     assuming extension number 0x9527 (which is a completely arbitrary
     and unofficial assignment based on the MD5 hash of the Internet
     Draft). Note that by doing so, you potentially lose
     interoperability with other TLS implementations since these might
     be using the same extension number for other purposes.

     SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
     opaque PRF input value to use in the handshake. This will create
     an internal copy of the length-'len' string at 'src', and will
     return non-zero for success.

     To get more control and flexibility, provide a callback function
     by using

     SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)

     where

     int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
     void *arg;

     Callback function 'cb' will be called in handshakes, and is
     expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
     Argument 'arg' is for application purposes (the value as given to
     SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
     be provided to the callback function). The callback function
     has to return non-zero to report success: usually 1 to use opaque
     PRF input just if possible, or 2 to enforce use of the opaque PRF
     input. In the latter case, the library will abort the handshake
     if opaque PRF input is not successfully negotiated.

     Arguments 'peerinput' and 'len' given to the callback function
     will always be NULL and 0 in the case of a client. A server will
     see the client's opaque PRF input through these variables if
     available (NULL and 0 otherwise). Note that if the server
     provides an opaque PRF input, the length must be the same as the
     length of the client's opaque PRF input.

     Note that the callback function will only be called when creating
     a new session (session resumption can resume whatever was
     previously negotiated), and will not be called in SSL 2.0
     handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
     SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
     for applications that need to enforce opaque PRF input.

     [Bodo Moeller]

  *) Update ssl code to support digests other than SHA1+MD5 for handshake
     MAC.

     [Victor B. Wagner <vitus@cryptocom.ru>]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, that way new session features are automatically
     supported.

     If a client application caches sessions in an SSL_SESSION structure
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.

     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
     [Steve Henson]

  *) Final changes to avoid use of pointer pointer casts in OpenSSL.
     OpenSSL should now compile cleanly on gcc 4.2
     [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]

  *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
     support including streaming MAC support: this is required for GOST
     ciphersuite support.
     [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]

  *) Add option -stream to use PKCS#7 streaming in smime utility. New
     function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
     to output in BER and PEM format.
     [Steve Henson]

  *) Experimental support for use of HMAC via EVP_PKEY interface. This
     allows HMAC to be handled via the EVP_DigestSign*() interface. The
     EVP_PKEY "key" in this case is the HMAC key, potentially allowing
     ENGINE support for HMAC keys which are unextractable. New -mac and
     -macopt options to dgst utility.
     [Steve Henson]

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
     alternative signing parameters such as X9.31 or PSS in the dgst
     utility.
     [Steve Henson]

  *) Change ssl_cipher_apply_rule(), the internal function that does
     the work each time a ciphersuite string requests enabling
     ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar"), or
     removing ("!foo+bar") a class of ciphersuites: Now it maintains
     the order of disabled ciphersuites such that those ciphersuites
     that most recently went from enabled to disabled not only stay
     in order with respect to each other, but also have higher priority
     than other disabled ciphersuites the next time ciphersuites are
     enabled again.

     This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
     the same ciphersuites as with "HIGH" alone, but in a specific
     order where the PSK ciphersuites come first (since they are the
     most recently disabled ciphersuites when "HIGH" is parsed).

     Also, change ssl_create_cipher_list() (using this new
     functionality) such that between otherwise identical
     ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
     the default order.
     [Bodo Moeller]

  *) Change ssl_create_cipher_list() so that it automatically
     arranges the ciphersuites in reasonable order before starting
     to process the rule string. Thus, the definition for "DEFAULT"
     (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
     remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
     This makes it much easier to arrive at a reasonable default order
     in applications for which anonymous ciphers are OK (meaning
     that you can't actually use DEFAULT).
     [Bodo Moeller; suggested by Victor Duchovni]

  *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
     processing) into multiple integers instead of setting
     "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
     "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
     (These masks as well as the individual bit definitions are hidden
     away into the non-exported interface ssl/ssl_locl.h, so this
     change to the definition of the SSL_CIPHER structure shouldn't
     affect applications.) This gives us more bits for each of these
     categories, so there is no longer a need to coagulate AES128 and
     AES256 into a single algorithm bit, and to coagulate Camellia128
     and Camellia256 into a single algorithm bit, which has led to all
     kinds of kludges.

     Thus, among other things, the kludge introduced in 0.9.7m and
     0.9.8e for masking out AES256 independently of AES128 or masking
     out Camellia256 independently of AES256 is not needed here in 0.9.9.

     With the change, we also introduce new ciphersuite aliases that
     so far were missing: "AES128", "AES256", "CAMELLIA128", and
     "CAMELLIA256".
     [Bodo Moeller]

  *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
     Use the leftmost N bytes of the signature input if the input is
     larger than the prime q (with N being the size in bytes of q).
     [Nils Larsch]

  *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
     it yet and it is largely untested.
     [Steve Henson]

  *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
     [Nils Larsch]

  *) Initial incomplete changes to avoid need for function casts in OpenSSL:
     some compilers (gcc 4.2 and later) reject their use. Safestack is
     reimplemented. Update ASN1 to avoid use of legacy functions.
     [Steve Henson]

  *) Win32/64 targets are linked with Winsock2.
     [Andy Polyakov]

  *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
     to external functions. This can be used to increase CRL handling
     efficiency especially when CRLs are very large by (for example) storing
     the CRL revoked certificates in a database.
     [Steve Henson]

  *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
     new CRLs added to a directory can be used. New command line option
     -verify_return_error to s_client and s_server. This causes real errors
     to be returned by the verify callback instead of carrying on no matter
     what. This reflects the way a "real world" verify callback would behave.
     [Steve Henson]

  *) GOST engine, supporting several GOST algorithms and public key formats.
     Kindly donated by Cryptocom.
     [Cryptocom]

  *) Partial support for Issuing Distribution Point CRL extension. CRLs
     partitioned by DP are handled but no indirect CRL or reason partitioning
     (yet). Complete overhaul of CRL handling: now the most suitable CRL is
     selected via a scoring technique which handles IDP and AKID in CRLs.
     [Steve Henson]

  *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
     will ultimately be used for all verify operations: this will remove the
     X509_STORE dependency on certificate verification and allow alternative
     lookup methods. X509_STORE based implementations of these two callbacks.
     [Steve Henson]

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
     Modify get_crl() to find a valid (unexpired) CRL if possible.
     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical. Normally
     this would be called X509_CRL_cmp() but that name is already used by
     a function that just compares CRL issuer names. Cache several CRL
     extensions in X509_CRL structure and cache CRLDP in X509.
     [Steve Henson]

  *) Store a "canonical" representation of X509_NAME structure (ASN1 Name):
     this maps equivalent X509_NAME structures into a consistent structure.
     Name comparison can then be performed rapidly using memcmp().
     [Steve Henson]

  *) Non-blocking OCSP request processing. Add -timeout option to ocsp
     utility.
     [Steve Henson]

  *) Allow digests to supply their own micalg string for S/MIME type using
     the ctrl EVP_MD_CTRL_MICALG.
     [Steve Henson]

  *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
     EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
     ctrl. It can then customise the structure before and/or after signing
     if necessary.
     [Steve Henson]

  *) New function OBJ_add_sigid() to allow application defined signature OIDs
     to be added to OpenSSL's internal tables. New function OBJ_sigid_free()
     to free up any added signature OIDs.
     [Steve Henson]

  *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
     EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
     digest and cipher tables. New options added to openssl utility:
     list-message-digest-algorithms and list-cipher-algorithms.
     [Steve Henson]

  *) Change the array representation of binary polynomials: the list
     of degrees of non-zero coefficients is now terminated with -1.
     Previously it was terminated with 0, which was also part of the
     value; thus, the array representation was not applicable to
     polynomials where t^0 has coefficient zero. This change makes
     the array representation useful in a more general context.
     [Douglas Stebila]

  *) Various modifications and fixes to SSL/TLS cipher string
     handling. For ECC, the code now distinguishes between fixed ECDH
     with RSA certificates on the one hand and with ECDSA certificates
     on the other hand, since these are separate ciphersuites. The
     unused code for Fortezza ciphersuites has been removed.

     For consistency with EDH, ephemeral ECDH is now called "EECDH"
     (not "ECDHE").
     For consistency with the code for DH certificates, use of ECDH
     certificates is now considered ECDH authentication, not RSA or
     ECDSA authentication (the latter is merely the CA's signing
     algorithm and not actively used in the protocol).

     The temporary ciphersuite alias "ECCdraft" is no longer
     available, and ECC ciphersuites are no longer excluded from "ALL"
     and "DEFAULT". The following aliases now exist for RFC 4492
     ciphersuites, most of these by analogy with the DH case:

     kECDHr - ECDH cert, signed with RSA
     kECDHe - ECDH cert, signed with ECDSA
     kECDH  - ECDH cert (signed with either RSA or ECDSA)
     kEECDH - ephemeral ECDH
     ECDH   - ECDH cert or ephemeral ECDH

     aECDH  - ECDH cert
     aECDSA - ECDSA cert
     ECDSA  - ECDSA cert

     AECDH  - anonymous ECDH
     EECDH  - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")

     [Bodo Moeller]

  *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
     Use correct micalg parameters depending on digest(s) in signed message.
     [Steve Henson]

  *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
     an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
     [Steve Henson]

  *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
     an engine to register a method. Add ENGINE lookups for methods and
     functional reference processing.
     [Steve Henson]

  *) New functions EVP_Digest{Sign,Verify}*.
These are enchance versions of 2985238405Sjkim EVP_{Sign,Verify}* which allow an application to customise the signature 2986238405Sjkim process. 2987238405Sjkim [Steve Henson] 2988238405Sjkim 2989238405Sjkim *) New -resign option to smime utility. This adds one or more signers 2990238405Sjkim to an existing PKCS#7 signedData structure. Also -md option to use an 2991238405Sjkim alternative message digest algorithm for signing. 2992238405Sjkim [Steve Henson] 2993238405Sjkim 2994238405Sjkim *) Tidy up PKCS#7 routines and add new functions to make it easier to 2995238405Sjkim create PKCS7 structures containing multiple signers. Update smime 2996238405Sjkim application to support multiple signers. 2997238405Sjkim [Steve Henson] 2998238405Sjkim 2999238405Sjkim *) New -macalg option to pkcs12 utility to allow setting of an alternative 3000238405Sjkim digest MAC. 3001238405Sjkim [Steve Henson] 3002238405Sjkim 3003238405Sjkim *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC. 3004238405Sjkim Reorganize PBE internals to lookup from a static table using NIDs, 3005238405Sjkim add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl: 3006238405Sjkim EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative 3007238405Sjkim PRF which will be automatically used with PBES2. 3008238405Sjkim [Steve Henson] 3009238405Sjkim 3010238405Sjkim *) Replace the algorithm specific calls to generate keys in "req" with the 3011238405Sjkim new API. 3012238405Sjkim [Steve Henson] 3013238405Sjkim 3014238405Sjkim *) Update PKCS#7 enveloped data routines to use new API. This is now 3015238405Sjkim supported by any public key method supporting the encrypt operation. A 3016238405Sjkim ctrl is added to allow the public key algorithm to examine or modify 3017238405Sjkim the PKCS#7 RecipientInfo structure if it needs to: for RSA this is 3018238405Sjkim a no op. 
3019238405Sjkim [Steve Henson] 3020238405Sjkim 3021238405Sjkim *) Add a ctrl to asn1 method to allow a public key algorithm to express 3022238405Sjkim a default digest type to use. In most cases this will be SHA1 but some 3023238405Sjkim algorithms (such as GOST) need to specify an alternative digest. The 3024238405Sjkim return value indicates how strong the prefernce is 1 means optional and 3025238405Sjkim 2 is mandatory (that is it is the only supported type). Modify 3026238405Sjkim ASN1_item_sign() to accept a NULL digest argument to indicate it should 3027238405Sjkim use the default md. Update openssl utilities to use the default digest 3028238405Sjkim type for signing if it is not explicitly indicated. 3029238405Sjkim [Steve Henson] 3030238405Sjkim 3031238405Sjkim *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 3032238405Sjkim EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant 3033238405Sjkim signing method from the key type. This effectively removes the link 3034238405Sjkim between digests and public key types. 3035238405Sjkim [Steve Henson] 3036238405Sjkim 3037238405Sjkim *) Add an OID cross reference table and utility functions. Its purpose is to 3038238405Sjkim translate between signature OIDs such as SHA1WithrsaEncryption and SHA1, 3039238405Sjkim rsaEncryption. This will allow some of the algorithm specific hackery 3040238405Sjkim needed to use the correct OID to be removed. 3041238405Sjkim [Steve Henson] 3042238405Sjkim 3043238405Sjkim *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO 3044238405Sjkim structures for PKCS7_sign(). They are now set up by the relevant public 3045238405Sjkim key ASN1 method. 3046238405Sjkim [Steve Henson] 3047238405Sjkim 3048238405Sjkim *) Add provisional EC pkey method with support for ECDSA and ECDH. 3049238405Sjkim [Steve Henson] 3050238405Sjkim 3051238405Sjkim *) Add support for key derivation (agreement) in the API, DH method and 3052238405Sjkim pkeyutl. 
3053238405Sjkim [Steve Henson] 3054238405Sjkim 3055238405Sjkim *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support 3056238405Sjkim public and private key formats. As a side effect these add additional 3057238405Sjkim command line functionality not previously available: DSA signatures can be 3058238405Sjkim generated and verified using pkeyutl and DH key support and generation in 3059238405Sjkim pkey, genpkey. 3060238405Sjkim [Steve Henson] 3061238405Sjkim 3062238405Sjkim *) BeOS support. 3063238405Sjkim [Oliver Tappe <zooey@hirschkaefer.de>] 3064238405Sjkim 3065238405Sjkim *) New make target "install_html_docs" installs HTML renditions of the 3066238405Sjkim manual pages. 3067238405Sjkim [Oliver Tappe <zooey@hirschkaefer.de>] 3068238405Sjkim 3069238405Sjkim *) New utility "genpkey" this is analagous to "genrsa" etc except it can 3070238405Sjkim generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to 3071238405Sjkim support key and parameter generation and add initial key generation 3072238405Sjkim functionality for RSA. 3073238405Sjkim [Steve Henson] 3074238405Sjkim 3075238405Sjkim *) Add functions for main EVP_PKEY_method operations. The undocumented 3076238405Sjkim functions EVP_PKEY_{encrypt,decrypt} have been renamed to 3077238405Sjkim EVP_PKEY_{encrypt,decrypt}_old. 3078238405Sjkim [Steve Henson] 3079238405Sjkim 3080238405Sjkim *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public 3081238405Sjkim key API, doesn't do much yet. 3082238405Sjkim [Steve Henson] 3083238405Sjkim 3084238405Sjkim *) New function EVP_PKEY_asn1_get0_info() to retrieve information about 3085238405Sjkim public key algorithms. New option to openssl utility: 3086238405Sjkim "list-public-key-algorithms" to print out info. 3087238405Sjkim [Steve Henson] 3088238405Sjkim 3089238405Sjkim *) Implement the Supported Elliptic Curves Extension for 3090238405Sjkim ECC ciphersuites from draft-ietf-tls-ecc-12.txt. 
3091238405Sjkim [Douglas Stebila] 3092238405Sjkim 3093238405Sjkim *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or 3094238405Sjkim EVP_CIPHER structures to avoid later problems in EVP_cleanup(). 3095238405Sjkim [Steve Henson] 3096238405Sjkim 3097238405Sjkim *) New utilities pkey and pkeyparam. These are similar to algorithm specific 3098238405Sjkim utilities such as rsa, dsa, dsaparam etc except they process any key 3099238405Sjkim type. 3100238405Sjkim [Steve Henson] 3101238405Sjkim 3102238405Sjkim *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 3103238405Sjkim functions EVP_PKEY_print_public(), EVP_PKEY_print_private(), 3104238405Sjkim EVP_PKEY_print_param() to print public key data from an EVP_PKEY 3105238405Sjkim structure. 3106238405Sjkim [Steve Henson] 3107238405Sjkim 3108238405Sjkim *) Initial support for pluggable public key ASN1. 3109238405Sjkim De-spaghettify the public key ASN1 handling. Move public and private 3110238405Sjkim key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate 3111238405Sjkim algorithm specific handling to a single module within the relevant 3112238405Sjkim algorithm directory. Add functions to allow (near) opaque processing 3113238405Sjkim of public and private key structures. 3114238405Sjkim [Steve Henson] 3115238405Sjkim 3116238405Sjkim *) Implement the Supported Point Formats Extension for 3117238405Sjkim ECC ciphersuites from draft-ietf-tls-ecc-12.txt. 3118238405Sjkim [Douglas Stebila] 3119238405Sjkim 3120238405Sjkim *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members 3121238405Sjkim for the psk identity [hint] and the psk callback functions to the 3122238405Sjkim SSL_SESSION, SSL and SSL_CTX structure. 
3123238405Sjkim 3124238405Sjkim New ciphersuites: 3125238405Sjkim PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA, 3126238405Sjkim PSK-AES256-CBC-SHA 3127238405Sjkim 3128238405Sjkim New functions: 3129238405Sjkim SSL_CTX_use_psk_identity_hint 3130238405Sjkim SSL_get_psk_identity_hint 3131238405Sjkim SSL_get_psk_identity 3132238405Sjkim SSL_use_psk_identity_hint 3133238405Sjkim 3134238405Sjkim [Mika Kousa and Pasi Eronen of Nokia Corporation] 3135238405Sjkim 3136238405Sjkim *) Add RFC 3161 compliant time stamp request creation, response generation 3137238405Sjkim and response verification functionality. 3138291719Sjkim [Zolt��n Gl��zik <zglozik@opentsa.org>, The OpenTSA Project] 3139238405Sjkim 3140238405Sjkim *) Add initial support for TLS extensions, specifically for the server_name 3141238405Sjkim extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now 3142238405Sjkim have new members for a host name. The SSL data structure has an 3143238405Sjkim additional member SSL_CTX *initial_ctx so that new sessions can be 3144238405Sjkim stored in that context to allow for session resumption, even after the 3145238405Sjkim SSL has been switched to a new SSL_CTX in reaction to a client's 3146238405Sjkim server_name extension. 3147238405Sjkim 3148238405Sjkim New functions (subject to change): 3149238405Sjkim 3150238405Sjkim SSL_get_servername() 3151238405Sjkim SSL_get_servername_type() 3152238405Sjkim SSL_set_SSL_CTX() 3153238405Sjkim 3154238405Sjkim New CTRL codes and macros (subject to change): 3155238405Sjkim 3156238405Sjkim SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 3157238405Sjkim - SSL_CTX_set_tlsext_servername_callback() 3158238405Sjkim SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 3159238405Sjkim - SSL_CTX_set_tlsext_servername_arg() 3160238405Sjkim SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() 3161238405Sjkim 3162238405Sjkim openssl s_client has a new '-servername ...' option. 
3163238405Sjkim 3164238405Sjkim openssl s_server has new options '-servername_host ...', '-cert2 ...', 3165238405Sjkim '-key2 ...', '-servername_fatal' (subject to change). This allows 3166238405Sjkim testing the HostName extension for a specific single host name ('-cert' 3167238405Sjkim and '-key' remain fallbacks for handshakes without HostName 3168238405Sjkim negotiation). If the unrecogninzed_name alert has to be sent, this by 3169238405Sjkim default is a warning; it becomes fatal with the '-servername_fatal' 3170238405Sjkim option. 3171238405Sjkim 3172238405Sjkim [Peter Sylvester, Remy Allais, Christophe Renou] 3173238405Sjkim 3174238405Sjkim *) Whirlpool hash implementation is added. 3175238405Sjkim [Andy Polyakov] 3176238405Sjkim 3177238405Sjkim *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to 3178238405Sjkim bn(64,32). Because of instruction set limitations it doesn't have 3179238405Sjkim any negative impact on performance. This was done mostly in order 3180238405Sjkim to make it possible to share assembler modules, such as bn_mul_mont 3181238405Sjkim implementations, between 32- and 64-bit builds without hassle. 3182238405Sjkim [Andy Polyakov] 3183238405Sjkim 3184238405Sjkim *) Move code previously exiled into file crypto/ec/ec2_smpt.c 3185238405Sjkim to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP 3186238405Sjkim macro. 3187238405Sjkim [Bodo Moeller] 3188238405Sjkim 3189238405Sjkim *) New candidate for BIGNUM assembler implementation, bn_mul_mont, 3190238405Sjkim dedicated Montgomery multiplication procedure, is introduced. 3191238405Sjkim BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher 3192238405Sjkim "64-bit" performance on certain 32-bit targets. 3193238405Sjkim [Andy Polyakov] 3194238405Sjkim 3195238405Sjkim *) New option SSL_OP_NO_COMP to disable use of compression selectively 3196238405Sjkim in SSL structures. New SSL ctrl to set maximum send fragment size. 
3197238405Sjkim Save memory by seeting the I/O buffer sizes dynamically instead of 3198238405Sjkim using the maximum available value. 3199238405Sjkim [Steve Henson] 3200238405Sjkim 3201238405Sjkim *) New option -V for 'openssl ciphers'. This prints the ciphersuite code 3202238405Sjkim in addition to the text details. 3203238405Sjkim [Bodo Moeller] 3204238405Sjkim 3205238405Sjkim *) Very, very preliminary EXPERIMENTAL support for printing of general 3206238405Sjkim ASN1 structures. This currently produces rather ugly output and doesn't 3207238405Sjkim handle several customised structures at all. 3208238405Sjkim [Steve Henson] 3209238405Sjkim 3210238405Sjkim *) Integrated support for PVK file format and some related formats such 3211238405Sjkim as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support 3212238405Sjkim these in the 'rsa' and 'dsa' utilities. 3213238405Sjkim [Steve Henson] 3214238405Sjkim 3215238405Sjkim *) Support for PKCS#1 RSAPublicKey format on rsa utility command line. 3216238405Sjkim [Steve Henson] 3217238405Sjkim 3218238405Sjkim *) Remove the ancient ASN1_METHOD code. This was only ever used in one 3219238405Sjkim place for the (very old) "NETSCAPE" format certificates which are now 3220238405Sjkim handled using new ASN1 code equivalents. 3221238405Sjkim [Steve Henson] 3222238405Sjkim 3223238405Sjkim *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD 3224238405Sjkim pointer and make the SSL_METHOD parameter in SSL_CTX_new, 3225238405Sjkim SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'. 3226238405Sjkim [Nils Larsch] 3227238405Sjkim 3228238405Sjkim *) Modify CRL distribution points extension code to print out previously 3229238405Sjkim unsupported fields. Enhance extension setting code to allow setting of 3230238405Sjkim all fields. 3231238405Sjkim [Steve Henson] 3232238405Sjkim 3233238405Sjkim *) Add print and set support for Issuing Distribution Point CRL extension. 
3234238405Sjkim [Steve Henson] 3235238405Sjkim 3236238405Sjkim *) Change 'Configure' script to enable Camellia by default. 3237238405Sjkim [NTT] 3238238405Sjkim 3239206046Ssimon Changes between 0.9.8m and 0.9.8n [24 Mar 2010] 3240206046Ssimon 3241206046Ssimon *) When rejecting SSL/TLS records due to an incorrect version number, never 3242206046Ssimon update s->server with a new major version number. As of 3243206046Ssimon - OpenSSL 0.9.8m if 'short' is a 16-bit type, 3244206046Ssimon - OpenSSL 0.9.8f if 'short' is longer than 16 bits, 3245206046Ssimon the previous behavior could result in a read attempt at NULL when 3246206046Ssimon receiving specific incorrect SSL/TLS records once record payload 3247206046Ssimon protection is active. (CVE-2010-0740) 3248206046Ssimon [Bodo Moeller, Adam Langley <agl@chromium.org>] 3249206046Ssimon 3250206046Ssimon *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 3251206046Ssimon could be crashed if the relevant tables were not present (e.g. chrooted). 3252206046Ssimon [Tomas Hoger <thoger@redhat.com>] 3253206046Ssimon 3254205128Ssimon Changes between 0.9.8l and 0.9.8m [25 Feb 2010] 3255205128Ssimon 3256205128Ssimon *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) 3257205128Ssimon [Martin Olsson, Neel Mehta] 3258205128Ssimon 3259205128Ssimon *) Fix X509_STORE locking: Every 'objs' access requires a lock (to 3260205128Ssimon accommodate for stack sorting, always a write lock!). 3261205128Ssimon [Bodo Moeller] 3262205128Ssimon 3263205128Ssimon *) On some versions of WIN32 Heap32Next is very slow. This can cause 3264205128Ssimon excessive delays in the RAND_poll(): over a minute. As a workaround 3265205128Ssimon include a time check in the inner Heap32Next loop too. 3266205128Ssimon [Steve Henson] 3267205128Ssimon 3268205128Ssimon *) The code that handled flushing of data in SSL/TLS originally used the 3269205128Ssimon BIO_CTRL_INFO ctrl to see if any data was pending first. 
This caused 3270205128Ssimon the problem outlined in PR#1949. The fix suggested there however can 3271205128Ssimon trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions 3272205128Ssimon of Apache). So instead simplify the code to flush unconditionally. 3273205128Ssimon This should be fine since flushing with no data to flush is a no op. 3274205128Ssimon [Steve Henson] 3275205128Ssimon 3276205128Ssimon *) Handle TLS versions 2.0 and later properly and correctly use the 3277205128Ssimon highest version of TLS/SSL supported. Although TLS >= 2.0 is some way 3278205128Ssimon off ancient servers have a habit of sticking around for a while... 3279205128Ssimon [Steve Henson] 3280205128Ssimon 3281205128Ssimon *) Modify compression code so it frees up structures without using the 3282205128Ssimon ex_data callbacks. This works around a problem where some applications 3283205128Ssimon call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when 3284205128Ssimon restarting) then use compression (e.g. SSL with compression) later. 3285205128Ssimon This results in significant per-connection memory leaks and 3286205128Ssimon has caused some security issues including CVE-2008-1678 and 3287205128Ssimon CVE-2009-4355. 3288205128Ssimon [Steve Henson] 3289205128Ssimon 3290205128Ssimon *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't 3291205128Ssimon change when encrypting or decrypting. 3292205128Ssimon [Bodo Moeller] 3293205128Ssimon 3294205128Ssimon *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to 3295205128Ssimon connect and renegotiate with servers which do not support RI. 3296205128Ssimon Until RI is more widely deployed this option is enabled by default. 3297205128Ssimon [Steve Henson] 3298205128Ssimon 3299205128Ssimon *) Add "missing" ssl ctrls to clear options and mode. 
3300205128Ssimon [Steve Henson] 3301205128Ssimon 3302205128Ssimon *) If client attempts to renegotiate and doesn't support RI respond with 3303205128Ssimon a no_renegotiation alert as required by RFC5746. Some renegotiating 3304205128Ssimon TLS clients will continue a connection gracefully when they receive 3305205128Ssimon the alert. Unfortunately OpenSSL mishandled this alert and would hang 3306205128Ssimon waiting for a server hello which it will never receive. Now we treat a 3307205128Ssimon received no_renegotiation alert as a fatal error. This is because 3308205128Ssimon applications requesting a renegotiation might well expect it to succeed 3309205128Ssimon and would have no code in place to handle the server denying it so the 3310205128Ssimon only safe thing to do is to terminate the connection. 3311205128Ssimon [Steve Henson] 3312205128Ssimon 3313205128Ssimon *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if 3314205128Ssimon peer supports secure renegotiation and 0 otherwise. Print out peer 3315205128Ssimon renegotiation support in s_client/s_server. 3316205128Ssimon [Steve Henson] 3317205128Ssimon 3318205128Ssimon *) Replace the highly broken and deprecated SPKAC certification method with 3319205128Ssimon the updated NID creation version. This should correctly handle UTF8. 3320205128Ssimon [Steve Henson] 3321205128Ssimon 3322205128Ssimon *) Implement RFC5746. Re-enable renegotiation but require the extension 3323205128Ssimon as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 3324205128Ssimon turns out to be a bad idea. It has been replaced by 3325205128Ssimon SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with 3326205128Ssimon SSL_CTX_set_options(). This is really not recommended unless you 3327205128Ssimon know what you are doing. 3328205128Ssimon [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] 3329205128Ssimon 3330205128Ssimon *) Fixes to stateless session resumption handling. 
Use initial_ctx when 3331205128Ssimon issuing and attempting to decrypt tickets in case it has changed during 3332205128Ssimon servername handling. Use a non-zero length session ID when attempting 3333205128Ssimon stateless session resumption: this makes it possible to determine if 3334205128Ssimon a resumption has occurred immediately after receiving server hello 3335205128Ssimon (several places in OpenSSL subtly assume this) instead of later in 3336205128Ssimon the handshake. 3337205128Ssimon [Steve Henson] 3338205128Ssimon 3339205128Ssimon *) The functions ENGINE_ctrl(), OPENSSL_isservice(), 3340205128Ssimon CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error 3341205128Ssimon fixes for a few places where the return code is not checked 3342205128Ssimon correctly. 3343205128Ssimon [Julia Lawall <julia@diku.dk>] 3344205128Ssimon 3345205128Ssimon *) Add --strict-warnings option to Configure script to include devteam 3346205128Ssimon warnings in other configurations. 3347205128Ssimon [Steve Henson] 3348205128Ssimon 3349205128Ssimon *) Add support for --libdir option and LIBDIR variable in makefiles. This 3350205128Ssimon makes it possible to install openssl libraries in locations which 3351205128Ssimon have names other than "lib", for example "/usr/lib64" which some 3352205128Ssimon systems need. 3353205128Ssimon [Steve Henson, based on patch from Jeremy Utley] 3354205128Ssimon 3355205128Ssimon *) Don't allow the use of leading 0x80 in OIDs. This is a violation of 3356205128Ssimon X690 8.9.12 and can produce some misleading textual output of OIDs. 3357205128Ssimon [Steve Henson, reported by Dan Kaminsky] 3358205128Ssimon 3359205128Ssimon *) Delete MD2 from algorithm tables. This follows the recommendation in 3360205128Ssimon several standards that it is not used in new applications due to 3361205128Ssimon several cryptographic weaknesses. For binary compatibility reasons 3362205128Ssimon the MD2 API is still compiled in by default. 
3363205128Ssimon [Steve Henson] 3364205128Ssimon 3365205128Ssimon *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved 3366205128Ssimon and restored. 3367205128Ssimon [Steve Henson] 3368205128Ssimon 3369205128Ssimon *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and 3370205128Ssimon OPENSSL_asc2uni conditionally on Netware platforms to avoid a name 3371205128Ssimon clash. 3372205128Ssimon [Guenter <lists@gknw.net>] 3373205128Ssimon 3374205128Ssimon *) Fix the server certificate chain building code to use X509_verify_cert(), 3375205128Ssimon it used to have an ad-hoc builder which was unable to cope with anything 3376205128Ssimon other than a simple chain. 3377205128Ssimon [David Woodhouse <dwmw2@infradead.org>, Steve Henson] 3378205128Ssimon 3379205128Ssimon *) Don't check self signed certificate signatures in X509_verify_cert() 3380205128Ssimon by default (a flag can override this): it just wastes time without 3381205128Ssimon adding any security. As a useful side effect self signed root CAs 3382205128Ssimon with non-FIPS digests are now usable in FIPS mode. 3383205128Ssimon [Steve Henson] 3384205128Ssimon 3385205128Ssimon *) In dtls1_process_out_of_seq_message() the check if the current message 3386205128Ssimon is already buffered was missing. For every new message was memory 3387205128Ssimon allocated, allowing an attacker to perform an denial of service attack 3388205128Ssimon with sending out of seq handshake messages until there is no memory 3389205128Ssimon left. Additionally every future messege was buffered, even if the 3390205128Ssimon sequence number made no sense and would be part of another handshake. 3391205128Ssimon So only messages with sequence numbers less than 10 in advance will be 3392205128Ssimon buffered. 
(CVE-2009-1378) 3393205128Ssimon [Robin Seggelmann, discovered by Daniel Mentz] 3394205128Ssimon 3395205128Ssimon *) Records are buffered if they arrive with a future epoch to be 3396205128Ssimon processed after finishing the corresponding handshake. There is 3397205128Ssimon currently no limitation to this buffer allowing an attacker to perform 3398205128Ssimon a DOS attack with sending records with future epochs until there is no 3399205128Ssimon memory left. This patch adds the pqueue_size() function to detemine 3400205128Ssimon the size of a buffer and limits the record buffer to 100 entries. 3401205128Ssimon (CVE-2009-1377) 3402205128Ssimon [Robin Seggelmann, discovered by Daniel Mentz] 3403205128Ssimon 3404205128Ssimon *) Keep a copy of frag->msg_header.frag_len so it can be used after the 3405205128Ssimon parent structure is freed. (CVE-2009-1379) 3406205128Ssimon [Daniel Mentz] 3407205128Ssimon 3408205128Ssimon *) Handle non-blocking I/O properly in SSL_shutdown() call. 3409205128Ssimon [Darryl Miles <darryl-mailinglists@netbauds.net>] 3410205128Ssimon 3411205128Ssimon *) Add 2.5.4.* OIDs 3412205128Ssimon [Ilya O. <vrghost@gmail.com>] 3413205128Ssimon 3414205128Ssimon Changes between 0.9.8k and 0.9.8l [5 Nov 2009] 3415205128Ssimon 3416205128Ssimon *) Disable renegotiation completely - this fixes a severe security 3417205128Ssimon problem (CVE-2009-3555) at the cost of breaking all 3418205128Ssimon renegotiation. Renegotiation can be re-enabled by setting 3419205128Ssimon SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at 3420205128Ssimon run-time. This is really not recommended unless you know what 3421205128Ssimon you're doing. 3422205128Ssimon [Ben Laurie] 3423205128Ssimon 3424194206Ssimon Changes between 0.9.8j and 0.9.8k [25 Mar 2009] 3425167612Ssimon 3426194206Ssimon *) Don't set val to NULL when freeing up structures, it is freed up by 3427194206Ssimon underlying code. 
If sizeof(void *) > sizeof(long) this can result in 3428194206Ssimon zeroing past the valid field. (CVE-2009-0789) 3429194206Ssimon [Paolo Ganci <Paolo.Ganci@AdNovum.CH>] 3430194206Ssimon 3431194206Ssimon *) Fix bug where return value of CMS_SignerInfo_verify_content() was not 3432194206Ssimon checked correctly. This would allow some invalid signed attributes to 3433194206Ssimon appear to verify correctly. (CVE-2009-0591) 3434194206Ssimon [Ivan Nestlerode <inestlerode@us.ibm.com>] 3435194206Ssimon 3436194206Ssimon *) Reject UniversalString and BMPString types with invalid lengths. This 3437194206Ssimon prevents a crash in ASN1_STRING_print_ex() which assumes the strings have 3438194206Ssimon a legal length. (CVE-2009-0590) 3439194206Ssimon [Steve Henson] 3440194206Ssimon 3441194206Ssimon *) Set S/MIME signing as the default purpose rather than setting it 3442194206Ssimon unconditionally. This allows applications to override it at the store 3443194206Ssimon level. 3444194206Ssimon [Steve Henson] 3445194206Ssimon 3446194206Ssimon *) Permit restricted recursion of ASN1 strings. This is needed in practice 3447194206Ssimon to handle some structures. 3448194206Ssimon [Steve Henson] 3449194206Ssimon 3450194206Ssimon *) Improve efficiency of mem_gets: don't search whole buffer each time 3451194206Ssimon for a '\n' 3452194206Ssimon [Jeremy Shapiro <jnshapir@us.ibm.com>] 3453194206Ssimon 3454194206Ssimon *) New -hex option for openssl rand. 3455194206Ssimon [Matthieu Herrb] 3456194206Ssimon 3457194206Ssimon *) Print out UTF8String and NumericString when parsing ASN1. 3458194206Ssimon [Steve Henson] 3459194206Ssimon 3460194206Ssimon *) Support NumericString type for name components. 3461194206Ssimon [Steve Henson] 3462194206Ssimon 3463194206Ssimon *) Allow CC in the environment to override the automatically chosen 3464194206Ssimon compiler. Note that nothing is done to ensure flags work with the 3465194206Ssimon chosen compiler. 
3466194206Ssimon [Ben Laurie] 3467194206Ssimon 3468194206Ssimon Changes between 0.9.8i and 0.9.8j [07 Jan 2009] 3469194206Ssimon 3470194206Ssimon *) Properly check EVP_VerifyFinal() and similar return values 3471194206Ssimon (CVE-2008-5077). 3472194206Ssimon [Ben Laurie, Bodo Moeller, Google Security Team] 3473194206Ssimon 3474194206Ssimon *) Enable TLS extensions by default. 3475194206Ssimon [Ben Laurie] 3476194206Ssimon 3477194206Ssimon *) Allow the CHIL engine to be loaded, whether the application is 3478194206Ssimon multithreaded or not. (This does not release the developer from the 3479194206Ssimon obligation to set up the dynamic locking callbacks.) 3480194206Ssimon [Sander Temme <sander@temme.net>] 3481194206Ssimon 3482194206Ssimon *) Use correct exit code if there is an error in dgst command. 3483194206Ssimon [Steve Henson; problem pointed out by Roland Dirlewanger] 3484194206Ssimon 3485194206Ssimon *) Tweak Configure so that you need to say "experimental-jpake" to enable 3486194206Ssimon JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. 3487194206Ssimon [Bodo Moeller] 3488194206Ssimon 3489194206Ssimon *) Add experimental JPAKE support, including demo authentication in 3490194206Ssimon s_client and s_server. 3491194206Ssimon [Ben Laurie] 3492194206Ssimon 3493194206Ssimon *) Set the comparison function in v3_addr_canonize(). 3494194206Ssimon [Rob Austein <sra@hactrn.net>] 3495194206Ssimon 3496194206Ssimon *) Add support for XMPP STARTTLS in s_client. 3497194206Ssimon [Philip Paeps <philip@freebsd.org>] 3498194206Ssimon 3499194206Ssimon *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior 3500194206Ssimon to ensure that even with this option, only ciphersuites in the 3501194206Ssimon server's preference list will be accepted. (Note that the option 3502194206Ssimon applies only when resuming a session, so the earlier behavior was 3503194206Ssimon just about the algorithm choice for symmetric cryptography.) 
3504194206Ssimon [Bodo Moeller] 3505194206Ssimon 3506194206Ssimon Changes between 0.9.8h and 0.9.8i [15 Sep 2008] 3507194206Ssimon 3508205128Ssimon *) Fix NULL pointer dereference if a DTLS server received 3509205128Ssimon ChangeCipherSpec as first record (CVE-2009-1386). 3510205128Ssimon [PR #1679] 3511205128Ssimon 3512194206Ssimon *) Fix a state transitition in s3_srvr.c and d1_srvr.c 3513194206Ssimon (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). 3514194206Ssimon [Nagendra Modadugu] 3515194206Ssimon 3516194206Ssimon *) The fix in 0.9.8c that supposedly got rid of unsafe 3517194206Ssimon double-checked locking was incomplete for RSA blinding, 3518194206Ssimon addressing just one layer of what turns out to have been 3519194206Ssimon doubly unsafe triple-checked locking. 3520194206Ssimon 3521194206Ssimon So now fix this for real by retiring the MONT_HELPER macro 3522194206Ssimon in crypto/rsa/rsa_eay.c. 3523194206Ssimon 3524194206Ssimon [Bodo Moeller; problem pointed out by Marius Schilder] 3525194206Ssimon 3526194206Ssimon *) Various precautionary measures: 3527194206Ssimon 3528194206Ssimon - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). 3529194206Ssimon 3530194206Ssimon - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). 3531194206Ssimon (NB: This would require knowledge of the secret session ticket key 3532194206Ssimon to exploit, in which case you'd be SOL either way.) 3533194206Ssimon 3534194206Ssimon - Change bn_nist.c so that it will properly handle input BIGNUMs 3535194206Ssimon outside the expected range. 3536194206Ssimon 3537194206Ssimon - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG 3538194206Ssimon builds. 3539194206Ssimon 3540194206Ssimon [Neel Mehta, Bodo Moeller] 3541194206Ssimon 3542194206Ssimon *) Allow engines to be "soft loaded" - i.e. optionally don't die if 3543194206Ssimon the load fails. Useful for distros. 
3544194206Ssimon [Ben Laurie and the FreeBSD team] 3545194206Ssimon 3546194206Ssimon *) Add support for Local Machine Keyset attribute in PKCS#12 files. 3547194206Ssimon [Steve Henson] 3548194206Ssimon 3549194206Ssimon *) Fix BN_GF2m_mod_arr() top-bit cleanup code. 3550194206Ssimon [Huang Ying] 3551194206Ssimon 3552194206Ssimon *) Expand ENGINE to support engine supplied SSL client certificate functions. 3553194206Ssimon 3554194206Ssimon This work was sponsored by Logica. 3555194206Ssimon [Steve Henson] 3556194206Ssimon 3557194206Ssimon *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows 3558194206Ssimon keystores. Support for SSL/TLS client authentication too. 3559194206Ssimon Not compiled unless enable-capieng specified to Configure. 3560194206Ssimon 3561194206Ssimon This work was sponsored by Logica. 3562194206Ssimon [Steve Henson] 3563194206Ssimon 3564194206Ssimon *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using 3565194206Ssimon ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain 3566194206Ssimon attribute creation routines such as certifcate requests and PKCS#12 3567194206Ssimon files. 
     [Steve Henson]

 Changes between 0.9.8g and 0.9.8h [28 May 2008]

  *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
     handshake which could lead to a client crash as found using the
     Codenomicon TLS test suite (CVE-2008-1672)
     [Steve Henson, Mark Cox]

  *) Fix double free in TLS server name extensions which could lead to
     a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
     [Joe Orton]

  *) Clear error queue in SSL_CTX_use_certificate_chain_file()

     Clear the error queue to ensure that error entries left from
     older function calls do not interfere with the correct operation.
     [Lutz Jaenicke, Erik de Castro Lopo]

  *) Remove root CA certificates of commercial CAs:

     The OpenSSL project does not recommend any specific CA and does not
     have any policy with respect to including or excluding any CA.
     Therefore it does not make any sense to ship an arbitrary selection
     of root CA certificates with the OpenSSL software.
     [Lutz Jaenicke]

  *) RSA OAEP patches to fix two separate invalid memory reads.
     The first one involves inputs when 'lzero' is greater than
     'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
     before the beginning of from). The second one involves inputs where
     the 'db' section contains nothing but zeroes (there is a one-byte
     invalid read after the end of 'db').
     [Ivan Nestlerode <inestlerode@us.ibm.com>]

  *) Partial backport from 0.9.9-dev:

     Introduce bn_mul_mont (dedicated Montgomery multiplication
     procedure) as a candidate for BIGNUM assembler implementation.
     While 0.9.9-dev uses assembler for various architectures, only
     x86_64 is available by default here in the 0.9.8 branch, and
     32-bit x86 is available through a compile-time setting.

     To try the 32-bit x86 assembler implementation, use Configure
     option "enable-montasm" (which exists only for this backport).

     As "enable-montasm" for 32-bit x86 disclaims code stability
     anyway, in this constellation we activate additional code
     backported from 0.9.9-dev for further performance improvements,
     namely BN_from_montgomery_word. (To enable this otherwise,
     e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)

     [Andy Polyakov (backport partially by Bodo Moeller)]

  *) Add TLS session ticket callback. This allows an application to set
     TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
     values. This is useful for key rollover for example where several key
     sets may exist with different names.
     [Steve Henson]

  *) Reverse ENGINE-internal logic for caching default ENGINE handles.
     This was broken until now in 0.9.8 releases, such that the only way
     a registered ENGINE could be used (assuming it initialises
     successfully on the host) was to explicitly set it as the default
     for the relevant algorithms.
     This is in contradiction with 0.9.7
     behaviour and the documentation. With this fix, when an ENGINE is
     registered into a given algorithm's table of implementations, the
     'uptodate' flag is reset so that auto-discovery will be used next
     time a new context for that algorithm attempts to select an
     implementation.
     [Ian Lister (tweaked by Geoff Thorpe)]

  *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
     implementation in the following ways:

     Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
     hard coded.

     Lack of BER streaming support means one pass streaming processing is
     only supported if data is detached: setting the streaming flag is
     ignored for embedded content.

     CMS support is disabled by default and must be explicitly enabled
     with the enable-cms configuration option.
     [Steve Henson]

  *) Update the GMP engine glue to do direct copies between BIGNUM and
     mpz_t when openssl and GMP use the same limb size. Otherwise the
     existing "conversion via a text string export" trick is still used.
     [Paul Sheer <paulsheer@gmail.com>]

  *) Zlib compression BIO. This is a filter BIO which compresses and
     uncompresses any data passed through it.
     [Steve Henson]

  *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
     RFC3394 compatible AES key wrapping.
     [Steve Henson]

  *) Add utility functions to handle ASN1 structures.
     ASN1_STRING_set0():
     sets string data without copying. X509_ALGOR_set0() and
     X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
     data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
     from an X509_ATTRIBUTE structure optionally checking it occurs only
     once. ASN1_TYPE_set1(): set an ASN1_TYPE structure copying supplied
     data.
     [Steve Henson]

  *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
     to get the expected BN_FLG_CONSTTIME behavior.
     [Bodo Moeller (Google)]

  *) Netware support:

     - fixed wrong usage of ioctlsocket() when built for LIBC BSD sockets
     - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
     - added some more tests to do_tests.pl
     - fixed RunningProcess usage so that it works with newer LIBC NDKs too
     - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
     - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
       netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
     - various changes to netware.pl to enable gcc-cross builds on Win32
       platform
     - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
     - various changes to fix missing prototype warnings
     - fixed x86nasm.pl to create correct asm files for NASM COFF output
     - added AES, WHIRLPOOL and CPUID assembler code to build files
     - added missing AES assembler make rules to mk1mf.pl
     - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
     [Guenter Knauf <eflash@gmx.net>]

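  The AES_wrap_key()/AES_unwrap_key() entry in this release adds RFC 3394
  key wrapping. What follows is an added illustration, not OpenSSL code:
  the same RFC 3394 algorithm written in Go against only the standard
  library, so it runs without libcrypto. It wraps the RFC's section 4.1
  test vector (128-bit KEK, 128-bit key data) and shows the algorithm's
  built-in integrity check rejecting a ciphertext with one flipped bit.
  OpenSSL's C functions take the KEK as an AES_KEY plus an iv pointer,
  where a NULL iv selects the RFC default A6A6A6A6A6A6A6A6 used below;
  the Go function names WrapKey/UnwrapKey are my own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the RFC 3394 section 2.2.3.1 default initial value. After
// unwrapping, the recovered A register must equal it; that comparison is
// the wrap algorithm's built-in integrity check.
var defaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// WrapKey implements RFC 3394 section 2.2.1. kek must be a 16, 24 or 32
// byte AES key; plaintext must be at least two 64-bit blocks long and a
// whole number of blocks. Output is one block longer than the input.
func WrapKey(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("keywrap: plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := defaultIV                     // A register
	r := make([]byte, len(plaintext))  // R[1..n], stored 0-based
	copy(r, plaintext)
	var b, tb [16]byte
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			// B = AES(K, A | R[i])
			copy(b[:8], a[:])
			copy(b[8:], r[i*8:i*8+8])
			block.Encrypt(b[:], b[:])
			// A = MSB(64, B) ^ t, where t = (n*j)+i with 1-based i
			binary.BigEndian.PutUint64(tb[:8], uint64(n*j+i+1))
			for k := range a {
				a[k] = b[k] ^ tb[k]
			}
			// R[i] = LSB(64, B)
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	return append(a[:], r...), nil
}

// UnwrapKey implements RFC 3394 section 2.2.2 and fails closed when the
// recovered A register does not match the default IV (wrong KEK, or a
// ciphertext that was truncated or modified in transit).
func UnwrapKey(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("keywrap: ciphertext must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8])
	r := make([]byte, n*8)
	copy(r, ciphertext[8:])
	var b, tb [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			// B = AES^-1(K, (A ^ t) | R[i])
			binary.BigEndian.PutUint64(tb[:8], uint64(n*j+i+1))
			for k := range a {
				b[k] = a[k] ^ tb[k]
			}
			copy(b[8:], r[i*8:i*8+8])
			block.Decrypt(b[:], b[:])
			copy(a[:], b[:8])
			copy(r[i*8:i*8+8], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a[:], defaultIV[:]) != 1 {
		return nil, errors.New("keywrap: integrity check failed")
	}
	return r, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.1 test vector.
	kek := mustHex("000102030405060708090A0B0C0D0E0F")
	key := mustHex("00112233445566778899AABBCCDDEEFF")
	wrapped, err := WrapKey(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped)
	back, err := UnwrapKey(kek, wrapped)
	fmt.Printf("unwrapped: %X (err=%v, matches=%v)\n", back, err, bytes.Equal(back, key))
	// Flip one bit in the ciphertext: the IV check must reject it.
	tampered := append([]byte(nil), wrapped...)
	tampered[10] ^= 0x01
	_, err = UnwrapKey(kek, tampered)
	fmt.Println("tampered unwrap:", err)
}
```

  Note that the wrap algorithm provides integrity only through the 64-bit
  IV check, and provides no confidentiality for key data shorter than two
  blocks; callers that need to wrap shorter or oddly sized material need
  the padded variant from RFC 5649, which these functions do not implement.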
  *) Implement certificate status request TLS extension defined in RFC3546.
     A client can set the appropriate parameters and receive the encoded
     OCSP response via a callback. A server can query the supplied parameters
     and set the encoded OCSP response in the callback. Add simplified examples
     to s_client and s_server.
     [Steve Henson]

 Changes between 0.9.8f and 0.9.8g [19 Oct 2007]

  *) Fix various bugs:
     + Binary incompatibility of ssl_ctx_st structure
     + DTLS interoperation with non-compliant servers
     + Don't call get_session_cb() without proposed session
     + Fix ia64 assembler code
     [Andy Polyakov, Steve Henson]

 Changes between 0.9.8e and 0.9.8f [11 Oct 2007]

  *) DTLS Handshake overhaul. There were longstanding issues with the
     OpenSSL DTLS implementation, which were making it impossible for an
     RFC 4347 compliant client to communicate with an OpenSSL server.
     Unfortunately just fixing these incompatibilities would "cut off"
     pre-0.9.8f clients. To allow for hassle free upgrade a post-0.9.8e
     server keeps tolerating non RFC compliant syntax. The opposite is
     not true: a 0.9.8f client can not communicate with an earlier server.
     This update even addresses CVE-2007-4995.
     [Andy Polyakov]

  *) Changes to avoid the need for function casts in OpenSSL: some compilers
     (gcc 4.2 and later) reject their use.
     [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
     Steve Henson]

  *) Add RFC4507 support to OpenSSL.
     This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted encoded
     SSL_SESSION structure, so that new session features are automatically
     supported.

     If a client application caches sessions in an SSL_SESSION structure
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.

     The SSL_CTX structure automatically generates keys for ticket
     protection in servers so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name. The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):

       SSL_get_servername()
       SSL_get_servername_type()
       SSL_set_SSL_CTX()

     New CTRL codes and macros (subject to change):

         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
                                 - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
                                 - SSL_CTX_set_tlsext_servername_arg()
         SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change). This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation). If the unrecognized_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'
     option.

     [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]

  *) Add AES and SSE2 assembly language support to VC++ build.
     [Steve Henson]

  *) Mitigate attack on final subtraction in Montgomery reduction.
     [Andy Polyakov]

  *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
     (which previously caused an internal error).
     [Bodo Moeller]

  *) Squeeze another 10% out of IGE mode when in != out.
     [Ben Laurie]

  *) AES IGE mode speedup.
     [Dean Gaudet (Google)]

  *) Add the Korean symmetric 128-bit cipher SEED (see
     http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
     add SEED ciphersuites from RFC 4162:

       TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
       TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
       TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
       TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, SEED remains excluded from compilation unless OpenSSL
     is configured with 'enable-seed'.
     [KISA, Bodo Moeller]

  *) Mitigate branch prediction attacks, which can be practical if a
     single processor is shared, allowing a spy process to extract
     information. For detailed background information, see
     http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
     J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
     and Necessary Software Countermeasures"). The core of the change
     is new versions BN_div_no_branch() and
     BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
     respectively, which are slower, but avoid the security-relevant
     conditional branches. These are automatically called by BN_div()
     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
     of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
     remove a conditional branch.

     BN_FLG_CONSTTIME is the new name for the previous
     BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
     modular exponentiation.
     (Since OpenSSL 0.9.7h, setting this flag
     in the exponent causes BN_mod_exp_mont() to use the alternative
     implementation in BN_mod_exp_mont_consttime().) The old name
     remains as a deprecated alias.

     Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
     RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
     constant-time implementations for more than just exponentiation.
     Here too the old name is kept as a deprecated alias.

     BN_BLINDING_new() will now use BN_dup() for the modulus so that
     the BN_BLINDING structure gets an independent copy of the
     modulus. This means that the previous "BIGNUM *m" argument to
     BN_BLINDING_new() and to BN_BLINDING_create_param() now
     essentially becomes "const BIGNUM *m", although we can't actually
     change this in the header file before 0.9.9. It allows
     RSA_setup_blinding() to use BN_with_flags() on the modulus to
     enable BN_FLG_CONSTTIME.

     [Matthew D Wood (Intel Corp)]

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes). Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set. This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Update the SSL_get_shared_ciphers() fix for CVE-2006-3738, which was
     not complete and could lead to a possible single byte overflow
     (CVE-2007-5135) [Ben Laurie]

 Changes between 0.9.8d and 0.9.8e [23 Feb 2007]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't
     (or if Camellia128 is available and Camellia256 isn't).
     [Victor Duchovni]

  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
     When a point or a seed is encoded in a BIT STRING, we need to
     prevent the removal of trailing zero bits to get the proper DER
     encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
     of a NamedBitList, for which trailing 0 bits need to be removed.)
     [Bodo Moeller]

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented. (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

  *) Add RFC 3779 support.
     [Rob Austein for ARIN, Ben Laurie]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     Improve header file function name parsing.
     [Steve Henson]

  *) Extend SMTP and IMAP protocol emulation in s_client to use EHLO
     or CAPABILITY handshake as required by RFCs.
     [Goetz Babin-Ebell]

 Changes between 0.9.8c and 0.9.8d [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service. (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service. (CVE-2006-2937) [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server. (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those. Before that, "AES256-SHA" would be interpreted
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
     the same strength classification in 0.9.7h) as we currently only
     have a single AES bit in the ciphersuite description bitmap.
     That change, however, also applied to ciphersuite strings such as
     "RC4-MD5" that intentionally matched multiple ciphersuites --
     namely, SSL 2.0 ciphersuites in addition to the more common ones
     from SSL 3.0/TLS 1.0.

     So we change the selection algorithm again: Naming an explicit
     ciphersuite selects this one ciphersuite, and any other similar
     ciphersuite (same bitmap) from *other* protocol versions.
     Thus, "RC4-MD5" again will properly select both the SSL 2.0
     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

     Since SSL 2.0 does not have any ciphersuites for which the
     128/256 bit distinction would be relevant, this works for now.
     The proper fix will be to use different bits for AES128 and
     AES256, which would have avoided the problems from the beginning;
     however, bits are scarce, so we can only do this in a new release
     (not just a patchlevel) when we can change the SSL_CIPHER
     definition to split the single 'unsigned long mask' bitmap into
     multiple values to extend the available space.

     [Bodo Moeller]

 Changes between 0.9.8b and 0.9.8c [05 Sep 2006]

  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
     (CVE-2006-4339) [Ben Laurie and Google Security Team]

  *) Add AES IGE and biIGE modes.
     [Ben Laurie]

  *) Change the Unix randomness entropy gathering to use poll() when
     possible instead of select(), since the latter has some
     undesirable limitations.
     [Darryl Miles via Richard Levitte and Bodo Moeller]

  *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
     treatment in ssl/ssl_ciph.c makes sure that these ciphersuites
     cannot be implicitly activated as part of, e.g., the "AES" alias.
     However, please upgrade to OpenSSL 0.9.9[-dev] for
     non-experimental use of the ECC ciphersuites to get TLS extension
     support, which is required for curve and point format negotiation
     to avoid potential handshake problems.
     [Bodo Moeller]

  *) Disable rogue ciphersuites:

     - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
     - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
     - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")

     The latter two were purportedly from
     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
     appear there.

     Also deactivate the remaining ciphersuites from
     draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
     unofficial, and the ID has long expired.
     [Bodo Moeller]

  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

  *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
     versions), which is now available for royalty-free use
     (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
     Also, add Camellia TLS ciphersuites from RFC 4132.

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, Camellia remains excluded from compilation unless OpenSSL
     is configured with 'enable-camellia'.
     [NTT]

  *) Disable the padding bug check when compression is in use. The padding
     bug check assumes the first packet is of even length; this is not
     necessarily true if compression is enabled and can result in false
     positives causing handshake failure. The actual bug test is ancient
     code so it is hoped that implementations will either have fixed it by
     now or any which still have the bug do not support compression.
     [Steve Henson]

 Changes between 0.9.8a and 0.9.8b [04 May 2006]

  *) When applying a cipher rule check to see if the string matches an
     explicit cipher suite and only match that one cipher suite if it does.
     [Steve Henson]

  *) Link in manifests for VC++ if needed.
     [Austin Ziegler <halostatue@gmail.com>]

  *) Update support for ECC-based TLS ciphersuites according to
     draft-ietf-tls-ecc-12.txt with proposed changes (but without
     TLS extensions, which are supported starting with the 0.9.9
     branch, not in the OpenSSL 0.9.8 branch).
     [Douglas Stebila]

  *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
     opaque EVP_CIPHER_CTX handling.
     [Steve Henson]

  *) Fixes and enhancements to zlib compression code.
     We now only use
     "zlib1.dll" and use the default __cdecl calling convention on Win32
     to conform with the standards mentioned here:
     http://www.zlib.net/DLL_FAQ.txt
     Static zlib linking now works on Windows and the new --with-zlib-include
     --with-zlib-lib options to Configure can be used to supply the location
     of the headers and library. Gracefully handle the case where the zlib
     library can't be loaded.
     [Steve Henson]

  *) Several fixes and enhancements to the OID generation code. The old code
     sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
     handle numbers larger than ULONG_MAX, truncated printing and had a
     non standard OBJ_obj2txt() behaviour.
     [Steve Henson]

  *) Add support for building of engines under engine/ as shared libraries
     under VC++ build system.
     [Steve Henson]

  *) Corrected the numerous bugs in the Win32 path splitter in DSO.
     Hopefully, we will not see any false combination of paths any more.
     [Richard Levitte]

 Changes between 0.9.8 and 0.9.8a [11 Oct 2005]

  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
     (part of SSL_OP_ALL). This option used to disable the
     countermeasure against man-in-the-middle protocol-version
     rollback in the SSL 2.0 server implementation, which is a bad
     idea.
     (CVE-2005-2969)

     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
     for Information Security, National Institute of Advanced Industrial
     Science and Technology [AIST], Japan)]

  *) Add two functions to clear and return the verify parameter flags.
     [Steve Henson]

  *) Keep cipherlists sorted in the source instead of sorting them at
     runtime, thus removing the need for a lock.
     [Nils Larsch]

  *) Avoid some small subgroup attacks in Diffie-Hellman.
     [Nick Mathewson and Ben Laurie]

  *) Add functions for well-known primes.
     [Nick Mathewson]

  *) Extended Windows CE support.
     [Satoshi Nakamura and Andy Polyakov]

  *) Initialize SSL_METHOD structures at compile time instead of during
     runtime, thus removing the need for a lock.
     [Steve Henson]

  *) Make PKCS7_decrypt() work even if no certificate is supplied by
     attempting to decrypt each encrypted key in turn. Add support to
     smime utility.
     [Steve Henson]

 Changes between 0.9.7h and 0.9.8 [05 Jul 2005]

  [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
  OpenSSL 0.9.8.]

  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
     [Richard Levitte]

  *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
     key into the same file any more.
     [Richard Levitte]

  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
     [Andy Polyakov]

  *) Add -utf8 command line and config file option to 'ca'.
     [Stefan <stf@udoma.org>]

  *) Removed the macro des_crypt(), as it seems to conflict with some
     libraries. Use DES_crypt().
     [Richard Levitte]

  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
     involves renaming the source and generated shared-libs for
     both. The engines will accept the corrected or legacy ids
     ('ncipher' and '4758_cca' respectively) when binding. NB,
     this only applies when building 'shared'.
     [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]

  *) Add attribute functions to EVP_PKEY structure. Modify
     PKCS12_create() to recognize a CSP name attribute and
     use it. Make -CSP option work again in pkcs12 utility.
     [Steve Henson]

  *) Add new functionality to the bn blinding code:
     - automatic re-creation of the BN_BLINDING parameters after
       a fixed number of uses (currently 32)
     - add new function for parameter creation
     - introduce flags to control the update behaviour of the
       BN_BLINDING parameters
     - hide BN_BLINDING structure
     Add a second BN_BLINDING slot to the RSA structure to improve
     performance when a single RSA object is shared among several
     threads.
     [Nils Larsch]

  *) Add support for DTLS.
4140160814Ssimon [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] 4141160814Ssimon 4142160814Ssimon *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) 4143160814Ssimon to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() 4144160814Ssimon [Walter Goulet] 4145160814Ssimon 4146160814Ssimon *) Remove buggy and incompletet DH cert support from 4147160814Ssimon ssl/ssl_rsa.c and ssl/s3_both.c 4148160814Ssimon [Nils Larsch] 4149160814Ssimon 4150160814Ssimon *) Use SHA-1 instead of MD5 as the default digest algorithm for 4151160814Ssimon the apps/openssl applications. 4152160814Ssimon [Nils Larsch] 4153160814Ssimon 4154160814Ssimon *) Compile clean with "-Wall -Wmissing-prototypes 4155160814Ssimon -Wstrict-prototypes -Wmissing-declarations -Werror". Currently 4156160814Ssimon DEBUG_SAFESTACK must also be set. 4157160814Ssimon [Ben Laurie] 4158160814Ssimon 4159160814Ssimon *) Change ./Configure so that certain algorithms can be disabled by default. 4160160814Ssimon The new counterpiece to "no-xxx" is "enable-xxx". 4161160814Ssimon 4162160814Ssimon The patented RC5 and MDC2 algorithms will now be disabled unless 4163160814Ssimon "enable-rc5" and "enable-mdc2", respectively, are specified. 4164160814Ssimon 4165160814Ssimon (IDEA remains enabled despite being patented. This is because IDEA 4166160814Ssimon is frequently required for interoperability, and there is no license 4167160814Ssimon fee for non-commercial use. As before, "no-idea" can be used to 4168160814Ssimon avoid this algorithm.) 4169160814Ssimon 4170160814Ssimon [Bodo Moeller] 4171160814Ssimon 4172160814Ssimon *) Add processing of proxy certificates (see RFC 3820). This work was 4173160814Ssimon sponsored by KTH (The Royal Institute of Technology in Stockholm) and 4174160814Ssimon EGEE (Enabling Grids for E-science in Europe). 
4175160814Ssimon [Richard Levitte] 4176160814Ssimon 4177160814Ssimon *) RC4 performance overhaul on modern architectures/implementations, such 4178160814Ssimon as Intel P4, IA-64 and AMD64. 4179160814Ssimon [Andy Polyakov] 4180160814Ssimon 4181160814Ssimon *) New utility extract-section.pl. This can be used specify an alternative 4182160814Ssimon section number in a pod file instead of having to treat each file as 4183160814Ssimon a separate case in Makefile. This can be done by adding two lines to the 4184160814Ssimon pod file: 4185160814Ssimon 4186160814Ssimon =for comment openssl_section:XXX 4187160814Ssimon 4188160814Ssimon The blank line is mandatory. 4189160814Ssimon 4190160814Ssimon [Steve Henson] 4191160814Ssimon 4192160814Ssimon *) New arguments -certform, -keyform and -pass for s_client and s_server 4193160814Ssimon to allow alternative format key and certificate files and passphrase 4194160814Ssimon sources. 4195160814Ssimon [Steve Henson] 4196160814Ssimon 4197160814Ssimon *) New structure X509_VERIFY_PARAM which combines current verify parameters, 4198160814Ssimon update associated structures and add various utility functions. 4199160814Ssimon 4200160814Ssimon Add new policy related verify parameters, include policy checking in 4201160814Ssimon standard verify code. Enhance 'smime' application with extra parameters 4202160814Ssimon to support policy checking and print out. 4203160814Ssimon [Steve Henson] 4204160814Ssimon 4205160814Ssimon *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 4206160814Ssimon Nehemiah processors. These extensions support AES encryption in hardware 4207160814Ssimon as well as RNG (though RNG support is currently disabled). 4208160814Ssimon [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] 4209160814Ssimon 4210160814Ssimon *) Deprecate BN_[get|set]_params() functions (they were ignored internally). 
4211160814Ssimon [Geoff Thorpe] 4212160814Ssimon 4213160814Ssimon *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. 4214160814Ssimon [Andy Polyakov and a number of other people] 4215160814Ssimon 4216160814Ssimon *) Improved PowerPC platform support. Most notably BIGNUM assembler 4217160814Ssimon implementation contributed by IBM. 4218160814Ssimon [Suresh Chari, Peter Waltenberg, Andy Polyakov] 4219160814Ssimon 4220160814Ssimon *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public 4221160814Ssimon exponent rather than 'unsigned long'. There is a corresponding change to 4222160814Ssimon the new 'rsa_keygen' element of the RSA_METHOD structure. 4223160814Ssimon [Jelte Jansen, Geoff Thorpe] 4224160814Ssimon 4225160814Ssimon *) Functionality for creating the initial serial number file is now 4226160814Ssimon moved from CA.pl to the 'ca' utility with a new option -create_serial. 4227160814Ssimon 4228160814Ssimon (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial 4229160814Ssimon number file to 1, which is bound to cause problems. To avoid 4230160814Ssimon the problems while respecting compatibility between different 0.9.7 4231160814Ssimon patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in 4232160814Ssimon CA.pl for serial number initialization. With the new release 0.9.8, 4233160814Ssimon we can fix the problem directly in the 'ca' utility.) 4234160814Ssimon [Steve Henson] 4235160814Ssimon 4236160814Ssimon *) Reduced header interdepencies by declaring more opaque objects in 4237160814Ssimon ossl_typ.h. As a consequence, including some headers (eg. engine.h) will 4238160814Ssimon give fewer recursive includes, which could break lazy source code - so 4239160814Ssimon this change is covered by the OPENSSL_NO_DEPRECATED symbol. 
As always, 4240160814Ssimon developers should define this symbol when building and using openssl to 4241160814Ssimon ensure they track the recommended behaviour, interfaces, [etc], but 4242160814Ssimon backwards-compatible behaviour prevails when this isn't defined. 4243160814Ssimon [Geoff Thorpe] 4244160814Ssimon 4245160814Ssimon *) New function X509_POLICY_NODE_print() which prints out policy nodes. 4246160814Ssimon [Steve Henson] 4247160814Ssimon 4248160814Ssimon *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. 4249160814Ssimon This will generate a random key of the appropriate length based on the 4250160814Ssimon cipher context. The EVP_CIPHER can provide its own random key generation 4251160814Ssimon routine to support keys of a specific form. This is used in the des and 4252160814Ssimon 3des routines to generate a key of the correct parity. Update S/MIME 4253160814Ssimon code to use new functions and hence generate correct parity DES keys. 4254160814Ssimon Add EVP_CHECK_DES_KEY #define to return an error if the key is not 4255160814Ssimon valid (weak or incorrect parity). 4256160814Ssimon [Steve Henson] 4257160814Ssimon 4258160814Ssimon *) Add a local set of CRLs that can be used by X509_verify_cert() as well 4259160814Ssimon as looking them up. This is useful when the verified structure may contain 4260160814Ssimon CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs 4261160814Ssimon present unless the new PKCS7_NO_CRL flag is asserted. 4262160814Ssimon [Steve Henson] 4263160814Ssimon 4264160814Ssimon *) Extend ASN1 oid configuration module. It now additionally accepts the 4265160814Ssimon syntax: 4266160814Ssimon 4267160814Ssimon shortName = some long name, 1.2.3.4 4268160814Ssimon [Steve Henson] 4269160814Ssimon 4270160814Ssimon *) Reimplemented the BN_CTX implementation. 
There is now no more static 4271160814Ssimon limitation on the number of variables it can handle nor the depth of the 4272160814Ssimon "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack 4273160814Ssimon information can now expand as required, and rather than having a single 4274160814Ssimon static array of bignums, BN_CTX now uses a linked-list of such arrays 4275160814Ssimon allowing it to expand on demand whilst maintaining the usefulness of 4276160814Ssimon BN_CTX's "bundling". 4277160814Ssimon [Geoff Thorpe] 4278160814Ssimon 4279160814Ssimon *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD 4280160814Ssimon to allow all RSA operations to function using a single BN_CTX. 4281160814Ssimon [Geoff Thorpe] 4282160814Ssimon 4283160814Ssimon *) Preliminary support for certificate policy evaluation and checking. This 4284160814Ssimon is initially intended to pass the tests outlined in "Conformance Testing 4285160814Ssimon of Relying Party Client Certificate Path Processing Logic" v1.07. 4286160814Ssimon [Steve Henson] 4287160814Ssimon 4288160814Ssimon *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and 4289160814Ssimon remained unused and not that useful. A variety of other little bignum 4290160814Ssimon tweaks and fixes have also been made continuing on from the audit (see 4291160814Ssimon below). 4292160814Ssimon [Geoff Thorpe] 4293160814Ssimon 4294160814Ssimon *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with 4295160814Ssimon associated ASN1, EVP and SSL functions and old ASN1 macros. 4296160814Ssimon [Richard Levitte] 4297160814Ssimon 4298160814Ssimon *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, 4299160814Ssimon and this should never fail. So the return value from the use of 4300160814Ssimon BN_set_word() (which can fail due to needless expansion) is now deprecated; 4301160814Ssimon if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. 
4302160814Ssimon [Geoff Thorpe] 4303160814Ssimon 4304160814Ssimon *) BN_CTX_get() should return zero-valued bignums, providing the same 4305160814Ssimon initialised value as BN_new(). 4306291719Sjkim [Geoff Thorpe, suggested by Ulf M��ller] 4307160814Ssimon 4308160814Ssimon *) Support for inhibitAnyPolicy certificate extension. 4309160814Ssimon [Steve Henson] 4310160814Ssimon 4311160814Ssimon *) An audit of the BIGNUM code is underway, for which debugging code is 4312160814Ssimon enabled when BN_DEBUG is defined. This makes stricter enforcements on what 4313160814Ssimon is considered valid when processing BIGNUMs, and causes execution to 4314160814Ssimon assert() when a problem is discovered. If BN_DEBUG_RAND is defined, 4315160814Ssimon further steps are taken to deliberately pollute unused data in BIGNUM 4316160814Ssimon structures to try and expose faulty code further on. For now, openssl will 4317160814Ssimon (in its default mode of operation) continue to tolerate the inconsistent 4318160814Ssimon forms that it has tolerated in the past, but authors and packagers should 4319160814Ssimon consider trying openssl and their own applications when compiled with 4320160814Ssimon these debugging symbols defined. It will help highlight potential bugs in 4321160814Ssimon their own code, and will improve the test coverage for OpenSSL itself. At 4322160814Ssimon some point, these tighter rules will become openssl's default to improve 4323160814Ssimon maintainability, though the assert()s and other overheads will remain only 4324160814Ssimon in debugging configurations. See bn.h for more details. 4325291719Sjkim [Geoff Thorpe, Nils Larsch, Ulf M��ller] 4326160814Ssimon 4327160814Ssimon *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure 4328160814Ssimon that can only be obtained through BN_CTX_new() (which implicitly 4329160814Ssimon initialises it). 
The presence of this function only made it possible 4330160814Ssimon to overwrite an existing structure (and cause memory leaks). 4331160814Ssimon [Geoff Thorpe] 4332160814Ssimon 4333160814Ssimon *) Because of the callback-based approach for implementing LHASH as a 4334160814Ssimon template type, lh_insert() adds opaque objects to hash-tables and 4335160814Ssimon lh_doall() or lh_doall_arg() are typically used with a destructor callback 4336160814Ssimon to clean up those corresponding objects before destroying the hash table 4337160814Ssimon (and losing the object pointers). So some over-zealous constifications in 4338160814Ssimon LHASH have been relaxed so that lh_insert() does not take (nor store) the 4339160814Ssimon objects as "const" and the lh_doall[_arg] callback wrappers are not 4340160814Ssimon prototyped to have "const" restrictions on the object pointers they are 4341160814Ssimon given (and so aren't required to cast them away any more). 4342160814Ssimon [Geoff Thorpe] 4343160814Ssimon 4344160814Ssimon *) The tmdiff.h API was so ugly and minimal that our own timing utility 4345160814Ssimon (speed) prefers to use its own implementation. The two implementations 4346160814Ssimon haven't been consolidated as yet (volunteers?) but the tmdiff API has had 4347160814Ssimon its object type properly exposed (MS_TM) instead of casting to/from "char 4348160814Ssimon *". This may still change yet if someone realises MS_TM and "ms_time_***" 4349160814Ssimon aren't necessarily the greatest nomenclatures - but this is what was used 4350160814Ssimon internally to the implementation so I've used that for now. 4351160814Ssimon [Geoff Thorpe] 4352160814Ssimon 4353160814Ssimon *) Ensure that deprecated functions do not get compiled when 4354160814Ssimon OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of 4355160814Ssimon the self-tests were still using deprecated key-generation functions so 4356160814Ssimon these have been updated also. 
4357160814Ssimon [Geoff Thorpe] 4358160814Ssimon 4359160814Ssimon *) Reorganise PKCS#7 code to separate the digest location functionality 4360160814Ssimon into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest(). 4361160814Ssimon New function PKCS7_set_digest() to set the digest type for PKCS#7 4362160814Ssimon digestedData type. Add additional code to correctly generate the 4363160814Ssimon digestedData type and add support for this type in PKCS7 initialization 4364160814Ssimon functions. 4365160814Ssimon [Steve Henson] 4366160814Ssimon 4367160814Ssimon *) New function PKCS7_set0_type_other() this initializes a PKCS7 4368160814Ssimon structure of type "other". 4369160814Ssimon [Steve Henson] 4370160814Ssimon 4371160814Ssimon *) Fix prime generation loop in crypto/bn/bn_prime.pl by making 4372160814Ssimon sure the loop does correctly stop and breaking ("division by zero") 4373160814Ssimon modulus operations are not performed. The (pre-generated) prime 4374160814Ssimon table crypto/bn/bn_prime.h was already correct, but it could not be 4375160814Ssimon re-generated on some platforms because of the "division by zero" 4376160814Ssimon situation in the script. 4377160814Ssimon [Ralf S. Engelschall] 4378160814Ssimon 4379160814Ssimon *) Update support for ECC-based TLS ciphersuites according to 4380160814Ssimon draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with 4381160814Ssimon SHA-1 now is only used for "small" curves (where the 4382160814Ssimon representation of a field element takes up to 24 bytes); for 4383160814Ssimon larger curves, the field element resulting from ECDH is directly 4384160814Ssimon used as premaster secret. 4385160814Ssimon [Douglas Stebila (Sun Microsystems Laboratories)] 4386160814Ssimon 4387160814Ssimon *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 4388160814Ssimon curve secp160r1 to the tests. 
4389160814Ssimon [Douglas Stebila (Sun Microsystems Laboratories)] 4390160814Ssimon 4391160814Ssimon *) Add the possibility to load symbols globally with DSO. 4392291719Sjkim [G��tz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] 4393160814Ssimon 4394160814Ssimon *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better 4395160814Ssimon control of the error stack. 4396160814Ssimon [Richard Levitte] 4397160814Ssimon 4398160814Ssimon *) Add support for STORE in ENGINE. 4399160814Ssimon [Richard Levitte] 4400160814Ssimon 4401160814Ssimon *) Add the STORE type. The intention is to provide a common interface 4402160814Ssimon to certificate and key stores, be they simple file-based stores, or 4403160814Ssimon HSM-type store, or LDAP stores, or... 4404160814Ssimon NOTE: The code is currently UNTESTED and isn't really used anywhere. 4405160814Ssimon [Richard Levitte] 4406160814Ssimon 4407160814Ssimon *) Add a generic structure called OPENSSL_ITEM. This can be used to 4408160814Ssimon pass a list of arguments to any function as well as provide a way 4409160814Ssimon for a function to pass data back to the caller. 4410160814Ssimon [Richard Levitte] 4411160814Ssimon 4412160814Ssimon *) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() 4413160814Ssimon works like BUF_strdup() but can be used to duplicate a portion of 4414160814Ssimon a string. The copy gets NUL-terminated. BUF_memdup() duplicates 4415160814Ssimon a memory area. 4416160814Ssimon [Richard Levitte] 4417160814Ssimon 4418160814Ssimon *) Add the function sk_find_ex() which works like sk_find(), but will 4419160814Ssimon return an index to an element even if an exact match couldn't be 4420160814Ssimon found. The index is guaranteed to point at the element where the 4421160814Ssimon searched-for key would be inserted to preserve sorting order. 
4422160814Ssimon [Richard Levitte] 4423160814Ssimon 4424160814Ssimon *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but 4425160814Ssimon takes an extra flags argument for optional functionality. Currently, 4426160814Ssimon the following flags are defined: 4427160814Ssimon 4428160814Ssimon OBJ_BSEARCH_VALUE_ON_NOMATCH 4429160814Ssimon This one gets OBJ_bsearch_ex() to return a pointer to the first 4430160814Ssimon element where the comparing function returns a negative or zero 4431160814Ssimon number. 4432160814Ssimon 4433160814Ssimon OBJ_BSEARCH_FIRST_VALUE_ON_MATCH 4434160814Ssimon This one gets OBJ_bsearch_ex() to return a pointer to the first 4435160814Ssimon element where the comparing function returns zero. This is useful 4436160814Ssimon if there are more than one element where the comparing function 4437160814Ssimon returns zero. 4438160814Ssimon [Richard Levitte] 4439160814Ssimon 4440160814Ssimon *) Make it possible to create self-signed certificates with 'openssl ca' 4441160814Ssimon in such a way that the self-signed certificate becomes part of the 4442160814Ssimon CA database and uses the same mechanisms for serial number generation 4443160814Ssimon as all other certificate signing. The new flag '-selfsign' enables 4444160814Ssimon this functionality. Adapt CA.sh and CA.pl.in. 4445160814Ssimon [Richard Levitte] 4446160814Ssimon 4447160814Ssimon *) Add functionality to check the public key of a certificate request 4448160814Ssimon against a given private. This is useful to check that a certificate 4449160814Ssimon request can be signed by that key (self-signing). 4450160814Ssimon [Richard Levitte] 4451160814Ssimon 4452160814Ssimon *) Make it possible to have multiple active certificates with the same 4453160814Ssimon subject in the CA index file. This is done only if the keyword 4454160814Ssimon 'unique_subject' is set to 'no' in the main CA section (default 4455160814Ssimon if 'CA_default') of the configuration file. 
The value is saved 4456160814Ssimon with the database itself in a separate index attribute file, 4457160814Ssimon named like the index file with '.attr' appended to the name. 4458160814Ssimon [Richard Levitte] 4459160814Ssimon 4460160814Ssimon *) Generate muti valued AVAs using '+' notation in config files for 4461160814Ssimon req and dirName. 4462160814Ssimon [Steve Henson] 4463160814Ssimon 4464160814Ssimon *) Support for nameConstraints certificate extension. 4465160814Ssimon [Steve Henson] 4466160814Ssimon 4467160814Ssimon *) Support for policyConstraints certificate extension. 4468160814Ssimon [Steve Henson] 4469160814Ssimon 4470160814Ssimon *) Support for policyMappings certificate extension. 4471160814Ssimon [Steve Henson] 4472160814Ssimon 4473160814Ssimon *) Make sure the default DSA_METHOD implementation only uses its 4474160814Ssimon dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, 4475160814Ssimon and change its own handlers to be NULL so as to remove unnecessary 4476160814Ssimon indirection. This lets alternative implementations fallback to the 4477160814Ssimon default implementation more easily. 4478160814Ssimon [Geoff Thorpe] 4479160814Ssimon 4480160814Ssimon *) Support for directoryName in GeneralName related extensions 4481160814Ssimon in config files. 4482160814Ssimon [Steve Henson] 4483160814Ssimon 4484160814Ssimon *) Make it possible to link applications using Makefile.shared. 4485160814Ssimon Make that possible even when linking against static libraries! 4486160814Ssimon [Richard Levitte] 4487160814Ssimon 4488160814Ssimon *) Support for single pass processing for S/MIME signing. This now 4489160814Ssimon means that S/MIME signing can be done from a pipe, in addition 4490160814Ssimon cleartext signing (multipart/signed type) is effectively streaming 4491160814Ssimon and the signed data does not need to be all held in memory. 4492160814Ssimon 4493160814Ssimon This is done with a new flag PKCS7_STREAM. 
When this flag is set 4494160814Ssimon PKCS7_sign() only initializes the PKCS7 structure and the actual signing 4495160814Ssimon is done after the data is output (and digests calculated) in 4496160814Ssimon SMIME_write_PKCS7(). 4497160814Ssimon [Steve Henson] 4498160814Ssimon 4499160814Ssimon *) Add full support for -rpath/-R, both in shared libraries and 4500160814Ssimon applications, at least on the platforms where it's known how 4501160814Ssimon to do it. 4502160814Ssimon [Richard Levitte] 4503160814Ssimon 4504160814Ssimon *) In crypto/ec/ec_mult.c, implement fast point multiplication with 4505160814Ssimon precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() 4506160814Ssimon will now compute a table of multiples of the generator that 4507160814Ssimon makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() 4508160814Ssimon faster (notably in the case of a single point multiplication, 4509160814Ssimon scalar * generator). 4510160814Ssimon [Nils Larsch, Bodo Moeller] 4511160814Ssimon 4512160814Ssimon *) IPv6 support for certificate extensions. The various extensions 4513160814Ssimon which use the IP:a.b.c.d can now take IPv6 addresses using the 4514160814Ssimon formats of RFC1884 2.2 . IPv6 addresses are now also displayed 4515160814Ssimon correctly. 4516160814Ssimon [Steve Henson] 4517160814Ssimon 4518160814Ssimon *) Added an ENGINE that implements RSA by performing private key 4519160814Ssimon exponentiations with the GMP library. The conversions to and from 4520160814Ssimon GMP's mpz_t format aren't optimised nor are any montgomery forms 4521160814Ssimon cached, and on x86 it appears OpenSSL's own performance has caught up. 4522160814Ssimon However there are likely to be other architectures where GMP could 4523160814Ssimon provide a boost. 
This ENGINE is not built in by default, but it can be 4524160814Ssimon specified at Configure time and should be accompanied by the necessary 4525160814Ssimon linker additions, eg; 4526160814Ssimon ./config -DOPENSSL_USE_GMP -lgmp 4527160814Ssimon [Geoff Thorpe] 4528160814Ssimon 4529160814Ssimon *) "openssl engine" will not display ENGINE/DSO load failure errors when 4530160814Ssimon testing availability of engines with "-t" - the old behaviour is 4531160814Ssimon produced by increasing the feature's verbosity with "-tt". 4532160814Ssimon [Geoff Thorpe] 4533160814Ssimon 4534160814Ssimon *) ECDSA routines: under certain error conditions uninitialized BN objects 4535160814Ssimon could be freed. Solution: make sure initialization is performed early 4536160814Ssimon enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de> 4537160814Ssimon via PR#459) 4538160814Ssimon [Lutz Jaenicke] 4539160814Ssimon 4540160814Ssimon *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD 4541160814Ssimon and DH_METHOD (eg. by ENGINE implementations) to override the normal 4542160814Ssimon software implementations. For DSA and DH, parameter generation can 4543160814Ssimon also be overriden by providing the appropriate method callbacks. 4544160814Ssimon [Geoff Thorpe] 4545160814Ssimon 4546160814Ssimon *) Change the "progress" mechanism used in key-generation and 4547160814Ssimon primality testing to functions that take a new BN_GENCB pointer in 4548160814Ssimon place of callback/argument pairs. The new API functions have "_ex" 4549160814Ssimon postfixes and the older functions are reimplemented as wrappers for 4550160814Ssimon the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide 4551160814Ssimon declarations of the old functions to help (graceful) attempts to 4552160814Ssimon migrate to the new functions. 
Also, the new key-generation API 4553160814Ssimon functions operate on a caller-supplied key-structure and return 4554160814Ssimon success/failure rather than returning a key or NULL - this is to 4555160814Ssimon help make "keygen" another member function of RSA_METHOD etc. 4556160814Ssimon 4557160814Ssimon Example for using the new callback interface: 4558160814Ssimon 4559160814Ssimon int (*my_callback)(int a, int b, BN_GENCB *cb) = ...; 4560160814Ssimon void *my_arg = ...; 4561160814Ssimon BN_GENCB my_cb; 4562160814Ssimon 4563160814Ssimon BN_GENCB_set(&my_cb, my_callback, my_arg); 4564160814Ssimon 4565160814Ssimon return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb); 4566160814Ssimon /* For the meaning of a, b in calls to my_callback(), see the 4567160814Ssimon * documentation of the function that calls the callback. 4568160814Ssimon * cb will point to my_cb; my_arg can be retrieved as cb->arg. 4569160814Ssimon * my_callback should return 1 if it wants BN_is_prime_ex() 4570160814Ssimon * to continue, or 0 to stop. 4571160814Ssimon */ 4572160814Ssimon 4573160814Ssimon [Geoff Thorpe] 4574160814Ssimon 4575160814Ssimon *) Change the ZLIB compression method to be stateful, and make it 4576160814Ssimon available to TLS with the number defined in 4577160814Ssimon draft-ietf-tls-compression-04.txt. 4578160814Ssimon [Richard Levitte] 4579160814Ssimon 4580160814Ssimon *) Add the ASN.1 structures and functions for CertificatePair, which 4581160814Ssimon is defined as follows (according to X.509_4thEditionDraftV6.pdf): 4582160814Ssimon 4583160814Ssimon CertificatePair ::= SEQUENCE { 4584160814Ssimon forward [0] Certificate OPTIONAL, 4585160814Ssimon reverse [1] Certificate OPTIONAL, 4586160814Ssimon -- at least one of the pair shall be present -- } 4587160814Ssimon 4588160814Ssimon Also implement the PEM functions to read and write certificate 4589160814Ssimon pairs, and defined the PEM tag as "CERTIFICATE PAIR". 
4590160814Ssimon 4591160814Ssimon This needed to be defined, mostly for the sake of the LDAP 4592160814Ssimon attribute crossCertificatePair, but may prove useful elsewhere as 4593160814Ssimon well. 4594160814Ssimon [Richard Levitte] 4595160814Ssimon 4596160814Ssimon *) Make it possible to inhibit symlinking of shared libraries in 4597160814Ssimon Makefile.shared, for Cygwin's sake. 4598160814Ssimon [Richard Levitte] 4599160814Ssimon 4600160814Ssimon *) Extend the BIGNUM API by creating a function 4601160814Ssimon void BN_set_negative(BIGNUM *a, int neg); 4602160814Ssimon and a macro that behave like 4603160814Ssimon int BN_is_negative(const BIGNUM *a); 4604160814Ssimon 4605160814Ssimon to avoid the need to access 'a->neg' directly in applications. 4606160814Ssimon [Nils Larsch] 4607160814Ssimon 4608160814Ssimon *) Implement fast modular reduction for pseudo-Mersenne primes 4609160814Ssimon used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). 4610160814Ssimon EC_GROUP_new_curve_GFp() will now automatically use this 4611160814Ssimon if applicable. 4612160814Ssimon [Nils Larsch <nla@trustcenter.de>] 4613160814Ssimon 4614160814Ssimon *) Add new lock type (CRYPTO_LOCK_BN). 4615160814Ssimon [Bodo Moeller] 4616160814Ssimon 4617160814Ssimon *) Change the ENGINE framework to automatically load engines 4618160814Ssimon dynamically from specific directories unless they could be 4619160814Ssimon found to already be built in or loaded. Move all the 4620160814Ssimon current engines except for the cryptodev one to a new 4621160814Ssimon directory engines/. 4622160814Ssimon The engines in engines/ are built as shared libraries if 4623160814Ssimon the "shared" options was given to ./Configure or ./config. 4624160814Ssimon Otherwise, they are inserted in libcrypto.a. 
     /usr/local/ssl/engines is the default directory for dynamic
     engines, but that can be overridden at configure time through
     the usual use of --prefix and/or --openssldir, and at run
     time with the environment variable OPENSSL_ENGINES.
     [Geoff Thorpe and Richard Levitte]

  *) Add Makefile.shared, a helper makefile to build shared
     libraries. Adapt Makefile.org.
     [Richard Levitte]

  *) Add version info to Win32 DLLs.
     [Peter 'Luna' Runestig <peter@runestig.com>]

  *) Add new 'medium level' PKCS#12 API. Certificates and keys
     can be added using this API to create arbitrary PKCS#12
     files while avoiding the low level API.

     New options to PKCS12_create(): key or cert can be NULL and
     will then be omitted from the output file. The encryption
     algorithm NIDs can be set to -1 for no encryption, the mac
     iteration count can be set to 0 to omit the mac.

     Enhance pkcs12 utility by making the -nokeys and -nocerts
     options work when creating a PKCS#12 file. New option -nomac
     to omit the mac, NONE can be set for an encryption algorithm.
     New code is modified to use the enhanced PKCS12_create()
     instead of the low level API.
     [Steve Henson]

  *) Extend ASN1 encoder to support indefinite length constructed
     encoding. This can output sequences, tags and octet strings in
     this form. Modify pk7_asn1.c to support indefinite length
     encoding. This is experimental and needs additional code to
     be useful, such as an ASN1 bio and some enhanced streaming
     PKCS#7 code.

     Extend template encode functionality so that tagging is passed
     down to the template encoder.
     [Steve Henson]

  *) Let 'openssl req' fail if an argument to '-newkey' is not
     recognized instead of using RSA as a default.
     [Bodo Moeller]

  *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
     As these are not official, they are not included in "ALL";
     the "ECCdraft" ciphersuite group alias can be used to select them.
     [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]

  *) Add ECDH engine support.
     [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]

  *) Add ECDH in new directory crypto/ecdh/.
     [Douglas Stebila (Sun Microsystems Laboratories)]

  *) Let BN_rand_range() abort with an error after 100 iterations
     without success (which indicates a broken PRNG).
     [Bodo Moeller]

  *) Change BN_mod_sqrt() so that it verifies that the input value
     is really the square of the return value. (Previously,
     BN_mod_sqrt would show GIGO behaviour.)
     [Bodo Moeller]

  *) Add named elliptic curves over binary fields from X9.62, SECG,
     and WAP/WTLS; add OIDs that were still missing.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Extend the EC library for elliptic curves over binary fields
     (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
     New EC_METHOD:

         EC_GF2m_simple_method

     New API functions:

         EC_GROUP_new_curve_GF2m
         EC_GROUP_set_curve_GF2m
         EC_GROUP_get_curve_GF2m
         EC_POINT_set_affine_coordinates_GF2m
         EC_POINT_get_affine_coordinates_GF2m
         EC_POINT_set_compressed_coordinates_GF2m

     Point compression for binary fields is disabled by default for
     patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
     enable it).

     As binary polynomials are represented as BIGNUMs, various members
     of the EC_GROUP and EC_POINT data structures can be shared
     between the implementations for prime fields and binary fields;
     the above ..._GF2m functions (except for EC_GROUP_new_curve_GF2m)
     are essentially identical to their ..._GFp counterparts.
     (For simplicity, the '..._GFp' prefix has been dropped from
     various internal method names.)

     An internal 'field_div' method (similar to 'field_mul' and
     'field_sqr') has been added; this is used only for binary fields.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
     through methods ('mul', 'precompute_mult').

     The generic implementations (now internally called 'ec_wNAF_mul'
     and 'ec_wNAF_precomputed_mult') remain the default if these
     methods are undefined.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New function EC_GROUP_get_degree, which is defined through
     EC_METHOD. For curves over prime fields, this returns the bit
     length of the modulus.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New functions EC_GROUP_dup, EC_POINT_dup.
     (These simply call ..._new and ..._copy).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
     Polynomials are represented as BIGNUMs (where the sign bit is not
     used) in the following functions [macros]:

         BN_GF2m_add
         BN_GF2m_sub             [= BN_GF2m_add]
         BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
         BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
         BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
         BN_GF2m_mod_inv
         BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
         BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
         BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
         BN_GF2m_cmp             [= BN_ucmp]

     (Note that only the 'mod' functions are actually for fields GF(2^m).
     BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

     For some functions, the irreducible polynomial defining a
     field can be given as an 'unsigned int[]' with strictly
     decreasing elements giving the indices of those bits that are set;
     i.e., p[] represents the polynomial
          f(t) = t^p[0] + t^p[1] + ... + t^p[k]
     where
          p[0] > p[1] > ... > p[k] = 0.
     This applies to the following functions:

         BN_GF2m_mod_arr
         BN_GF2m_mod_mul_arr
         BN_GF2m_mod_sqr_arr
         BN_GF2m_mod_inv_arr     [wrapper for BN_GF2m_mod_inv]
         BN_GF2m_mod_div_arr     [wrapper for BN_GF2m_mod_div]
         BN_GF2m_mod_exp_arr
         BN_GF2m_mod_sqrt_arr
         BN_GF2m_mod_solve_quad_arr
         BN_GF2m_poly2arr
         BN_GF2m_arr2poly

     Conversion can be performed by the following functions:

         BN_GF2m_poly2arr
         BN_GF2m_arr2poly

     bntest.c has additional tests for binary polynomial arithmetic.

     Two implementations for BN_GF2m_mod_div() are available.
     The default algorithm simply uses BN_GF2m_mod_inv() and
     BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
     if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
     copyright notice in crypto/bn/bn_gf2m.c before enabling it).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Add new error code 'ERR_R_DISABLED' that can be used when some
     functionality is disabled at compile-time.
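The index-array representation of the reducing polynomial described in the bn_gf2m.c entry above, as an added worked example in C (not OpenSSL code and not the BN_GF2m_* API): the AES field polynomial t^8 + t^4 + t^3 + t + 1 becomes {8, 4, 3, 1, 0}, and reduction and multiplication are driven from that array. The gf2m_* names, the single 64-bit word used for field elements and the m <= 32 limit are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/*
 * GF(2^m) arithmetic on one 64-bit word, using the 'unsigned int[]'
 * convention from the CHANGES entry: p[0] > p[1] > ... > p[k] = 0 lists
 * the set bits of f(t), so f(t) = t^p[0] + t^p[1] + ... + t^p[k].
 * Field elements: bit i of a uint64_t is the coefficient of t^i.
 * Limited to m <= 32 so the product of two elements fits in 64 bits.
 * Names are invented for this example; they are not OpenSSL's.
 */
#define GF2M_MAX_M 32

/* Constructed worked case: the AES field, f(t) = t^8+t^4+t^3+t+1 = 0x11B. */
const unsigned int GF2M_AES_P[] = { 8, 4, 3, 1, 0 };
#define GF2M_AES_P_LEN 5

/* Check the array is strictly decreasing, ends in 0 and has a usable degree. */
int gf2m_arr_valid(const unsigned int p[], int len)
{
    if (len < 2 || p[0] > GF2M_MAX_M || p[len - 1] != 0)
        return 0;
    for (int i = 1; i < len; i++)
        if (p[i] >= p[i - 1])
            return 0;
    return 1;
}

/* poly2arr: list the set-bit indices of 'poly' in decreasing order.
 * Returns the number of entries written, or -1 if 'max' is too small. */
int gf2m_poly2arr(uint64_t poly, unsigned int p[], int max)
{
    int k = 0;
    for (int i = 63; i >= 0; i--) {
        if ((poly >> i) & 1) {
            if (k >= max)
                return -1;
            p[k++] = (unsigned int)i;
        }
    }
    return k;
}

/* arr2poly: rebuild the word from the index array. */
uint64_t gf2m_arr2poly(const unsigned int p[], int len)
{
    uint64_t poly = 0;
    for (int i = 0; i < len; i++)
        poly |= (uint64_t)1 << p[i];
    return poly;
}

/* Addition in characteristic 2 is XOR, which is why the entry calls
 * BN_GF2m_add() a misnomer: no field is involved. */
uint64_t gf2m_add(uint64_t a, uint64_t b)
{
    return a ^ b;
}

/* Reduce 'a' (degree < 64) modulo f(t) given as an index array.
 * Clearing bit i means subtracting t^(i-m) * f(t), i.e. toggling
 * bit (i - m + p[j]) for every term of f; j = 0 clears bit i itself. */
uint64_t gf2m_mod_arr(uint64_t a, const unsigned int p[], int len)
{
    unsigned int m = p[0];
    for (int i = 63; i >= (int)m; i--) {
        if ((a >> i) & 1)
            for (int j = 0; j < len; j++)
                a ^= (uint64_t)1 << (i - m + p[j]);
    }
    return a;
}

/* Multiply two elements (each of degree < m) and reduce. */
uint64_t gf2m_mod_mul_arr(uint64_t a, uint64_t b, const unsigned int p[], int len)
{
    uint64_t prod = 0;
    for (int i = 0; i < GF2M_MAX_M; i++)
        if ((b >> i) & 1)
            prod ^= a << i;          /* schoolbook carry-less multiply */
    return gf2m_mod_arr(prod, p, len);
}

uint64_t gf2m_mod_sqr_arr(uint64_t a, const unsigned int p[], int len)
{
    return gf2m_mod_mul_arr(a, a, p, len);
}

/* Round trip 0x11B through poly2arr/arr2poly, then check the known
 * AES inverse pair: 0x53 * 0xCA reduces to 1. Returns 1 on success. */
int gf2m_demo(void)
{
    unsigned int back[64];
    int n = gf2m_poly2arr(0x11B, back, 64);
    if (n != GF2M_AES_P_LEN || !gf2m_arr_valid(back, n) || gf2m_arr2poly(back, n) != 0x11B)
        return 0;
    return gf2m_mod_mul_arr(0x53, 0xCA, GF2M_AES_P, GF2M_AES_P_LEN) == 1;
}
```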
     [Douglas Stebila <douglas.stebila@sun.com>]

  *) Change default behaviour of 'openssl asn1parse' so that more
     information is visible when viewing, e.g., a certificate:

     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
     mode the content of non-printable OCTET STRINGs is output in a
     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
     avoid the appearance of a printable string.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
     functions
         EC_GROUP_set_asn1_flag()
         EC_GROUP_get_asn1_flag()
         EC_GROUP_set_point_conversion_form()
         EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in uncompressed form by default; options for
       asn1_form are as for point2oct, namely
         POINT_CONVERSION_COMPRESSED
         POINT_CONVERSION_UNCOMPRESSED
         POINT_CONVERSION_HYBRID

     Also add 'seed' and 'seed_len' members to EC_GROUP with access
     functions
         EC_GROUP_set_seed()
         EC_GROUP_get0_seed()
         EC_GROUP_get_seed_len()
     This is used only for ASN1 purposes (so far).
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID. The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
         EC_POINT_point2bn()
         EC_POINT_bn2point()
         EC_POINT_point2hex()
         EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
         EC_GROUP_set_generator()
         EC_GROUP_get_generator()
         EC_GROUP_get_order()
         EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecparam' and 'openssl ecdsa'
     (these are based on 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key;
     - ECDSA engine support has been added.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. Each curve can be obtained from the new
     function
         EC_GROUP_new_by_curve_name(),
     and the list of available named curves can be obtained with
         EC_get_builtin_curves().
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
         EC_GROUP_set_curve_name()
         EC_GROUP_get_curve_name()
     [Nils Larsch <larsch@trustcenter.de>, Bodo Moeller]

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

 Changes between 0.9.7l and 0.9.7m [23 Feb 2007]

  *) Cleanse PEM buffers before freeing them since they may contain
     sensitive data.
     [Benjamin Bennett <ben@psc.edu>]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

  *) Since AES128 and AES256 share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't.
     [Victor Duchovni]

  *) Expand security boundary to match 1.1.1 module.
     [Steve Henson]

  *) Remove redundant features: hash file source, editing of test vectors;
     modify fipsld to use external fips_premain.c signature.
     [Steve Henson]

  *) New perl script mkfipsscr.pl to create shell scripts or batch files to
     run algorithm test programs.
     [Steve Henson]

  *) Make algorithm test programs more tolerant of whitespace.
     [Steve Henson]

  *) Have SSL/TLS server implementation tolerate "mismatched" record
     protocol version while receiving ClientHello even if the
     ClientHello is fragmented. (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about his choice.)
     [Bodo Moeller]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     [Steve Henson]

 Changes between 0.9.7k and 0.9.7l [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service. (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service. (CVE-2006-2937) [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server. (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Change ciphersuite string processing so that an explicit
     ciphersuite selects this one ciphersuite (so that "AES256-SHA"
     will no longer include "AES128-SHA"), and any other similar
     ciphersuite (same bitmap) from *other* protocol versions (so that
     "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
     SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining
     changes from 0.9.8b and 0.9.8d.
     [Bodo Moeller]

 Changes between 0.9.7j and 0.9.7k [05 Sep 2006]

  *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
     (CVE-2006-4339) [Ben Laurie and Google Security Team]

  *) Change the Unix randomness entropy gathering to use poll() when
     possible instead of select(), since the latter has some
     undesirable limitations.
     [Darryl Miles via Richard Levitte and Bodo Moeller]

  *) Disable rogue ciphersuites:

      - SSLv2          0x08 0x00 0x80 ("RC4-64-MD5")
      - SSLv3/TLSv1    0x00 0x61      ("EXP1024-RC2-CBC-MD5")
      - SSLv3/TLSv1    0x00 0x60      ("EXP1024-RC4-MD5")

     The latter two were purportedly from
     draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
     appear there.

     Also deactivate the remaining ciphersuites from
     draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
     unofficial, and the ID has long expired.
     [Bodo Moeller]

  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

 Changes between 0.9.7i and 0.9.7j [04 May 2006]

  *) Adapt fipsld and the build system to link against the validated FIPS
     module in FIPS mode.
     [Steve Henson]

  *) Fixes for VC++ 2005 build under Windows.
     [Steve Henson]

  *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
     from a Windows bash shell such as MSYS. It is autodetected from the
     "config" script when run from a VC++ environment. Modify standard VC++
     build to use fipscanister.o from the GNU make build.
     [Steve Henson]

 Changes between 0.9.7h and 0.9.7i [14 Oct 2005]

  *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
     The value now differs depending on if you build for FIPS or not.
     BEWARE! A program linked with a shared FIPSed libcrypto can't be
     safely run with a non-FIPSed libcrypto, as it may crash because of
     the difference induced by this change.
     [Andy Polyakov]

 Changes between 0.9.7g and 0.9.7h [11 Oct 2005]

  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
     (part of SSL_OP_ALL). This option used to disable the
     countermeasure against man-in-the-middle protocol-version
     rollback in the SSL 2.0 server implementation, which is a bad
     idea. (CVE-2005-2969)

     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
     for Information Security, National Institute of Advanced Industrial
     Science and Technology [AIST], Japan)]

  *) Minimal support for X9.31 signatures and PSS padding modes. This is
     mainly for FIPS compliance and not fully integrated at this stage.
     [Steve Henson]

  *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
     the exponentiation using a fixed-length exponent. (Otherwise,
     the information leaked through timing could expose the secret key
     after many signatures; cf. Bleichenbacher's attack on DSA with
     biased k.)
     [Bodo Moeller]

  *) Make a new fixed-window mod_exp implementation the default for
     RSA, DSA, and DH private-key operations so that the sequence of
     squares and multiplies and the memory access pattern are
     independent of the particular secret key. This will mitigate
     cache-timing and potential related attacks.

     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
     and this is automatically used by BN_mod_exp_mont() if the new flag
     BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
     will use this BN flag for private exponents unless the flag
     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.

     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]

  *) Change the client implementation for SSLv23_method() and
     SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0
     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
     (Previously, the SSL 2.0 backwards compatible Client Hello
     message format would be used even with SSL_OP_NO_SSLv2.)
     [Bodo Moeller]

  *) Add support for smime-type MIME parameter in S/MIME messages which some
     clients need.
     [Steve Henson]

  *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
     a threadsafe manner.
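The "sequence of squares and multiplies" point made in the fixed-window mod_exp entry above, as an added example in C (not OpenSSL's BN_mod_exp_mont_consttime(), and a 64-bit illustration only): both routines record an 'S'/'M' operation trace, so the leak in plain square-and-multiply and its absence in the fixed-window ladder can be compared directly. The function names, the masked table scan and the `unsigned __int128` modular multiply are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Left-to-right square-and-multiply multiplies only where an exponent
 * bit is 1, so its operation sequence is the exponent. A fixed-window
 * ladder does w squarings and exactly one multiply per window whatever
 * the digit is, and fetches the table entry by touching every entry under
 * a mask, so neither the branch pattern nor the addresses read depend on
 * the key. Names are invented for this example; not OpenSSL's code.
 */
typedef unsigned __int128 u128;              /* gcc/clang extension */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n)
{
    return (uint64_t)(((u128)a * b) % n);
}

/* Naive ladder: 'S' per squaring, 'M' per multiply; 'bits' is the
 * exponent length to process. The trace spells out the exponent. */
uint64_t modexp_sqr_mul(uint64_t base, uint64_t exp, uint64_t n, int bits, char *trace)
{
    uint64_t r = 1 % n;
    size_t t = 0;
    for (int i = bits - 1; i >= 0; i--) {
        r = mulmod(r, r, n);
        trace[t++] = 'S';
        if ((exp >> i) & 1) {                /* secret-dependent branch */
            r = mulmod(r, base, n);
            trace[t++] = 'M';
        }
    }
    trace[t] = '\0';
    return r;
}

/* Read table[idx] without an index-dependent access pattern: every entry
 * is loaded, and the mask is all-ones only for the wanted one. */
static uint64_t ct_table_select(const uint64_t *table, size_t count, size_t idx)
{
    uint64_t r = 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t mask = (uint64_t)0 - (uint64_t)(i == idx);
        r |= table[i] & mask;
    }
    return r;
}

#define MAX_WINDOW 6

/* Fixed window of 'w' bits: w squarings then one multiply per window,
 * even for a zero digit (table[0] == 1), so the trace is key-independent. */
uint64_t modexp_fixed_window(uint64_t base, uint64_t exp, uint64_t n, int bits, int w, char *trace)
{
    uint64_t table[1u << MAX_WINDOW];
    if (w < 1 || w > MAX_WINDOW || bits < 1 || bits > 64) {
        trace[0] = '\0';
        return 0;                            /* invalid parameters */
    }
    size_t tsize = (size_t)1 << w;
    table[0] = 1 % n;
    for (size_t i = 1; i < tsize; i++)
        table[i] = mulmod(table[i - 1], base, n);

    int nwin = (bits + w - 1) / w;           /* top window may be partial */
    uint64_t r = 1 % n;
    size_t t = 0;
    for (int win = nwin - 1; win >= 0; win--) {
        for (int s = 0; s < w; s++) {
            r = mulmod(r, r, n);
            trace[t++] = 'S';
        }
        size_t digit = (size_t)((exp >> (win * w)) & (tsize - 1));
        r = mulmod(r, ct_table_select(table, tsize, digit), n);
        trace[t++] = 'M';
    }
    trace[t] = '\0';
    return r;
}

/* Two 4-bit exponents (13 = 1101b, 11 = 1011b): the naive traces differ,
 * the fixed-window traces are identical, and both agree on 4^13 mod 497.
 * Returns 1 when all of that holds. */
int modexp_trace_demo(void)
{
    char a[64], b[64], c[64], d[64];
    uint64_t r1 = modexp_sqr_mul(4, 13, 497, 4, a);        /* trace SMSMSSM */
    uint64_t r2 = modexp_fixed_window(4, 13, 497, 4, 2, b); /* trace SSMSSM */
    modexp_sqr_mul(4, 11, 497, 4, c);                       /* trace SMSSMSM */
    modexp_fixed_window(4, 11, 497, 4, 2, d);               /* trace SSMSSM */
    return r1 == 445 && r2 == 445 && strcmp(a, c) != 0 && strcmp(b, d) == 0;
}
```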
Modify rsa code to use new function and add calls 5085160814Ssimon to dsa and dh code (which had race conditions before). 5086160814Ssimon [Steve Henson] 5087160814Ssimon 5088160814Ssimon *) Include the fixed error library code in the C error file definitions 5089160814Ssimon instead of fixing them up at runtime. This keeps the error code 5090160814Ssimon structures constant. 5091160814Ssimon [Steve Henson] 5092160814Ssimon 5093160814Ssimon Changes between 0.9.7f and 0.9.7g [11 Apr 2005] 5094160814Ssimon 5095160814Ssimon [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after 5096160814Ssimon OpenSSL 0.9.8.] 5097160814Ssimon 5098160814Ssimon *) Fixes for newer kerberos headers. NB: the casts are needed because 5099160814Ssimon the 'length' field is signed on one version and unsigned on another 5100160814Ssimon with no (?) obvious way to tell the difference, without these VC++ 5101160814Ssimon complains. Also the "definition" of FAR (blank) is no longer included 5102160814Ssimon nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up 5103160814Ssimon some needed definitions. 5104160814Ssimon [Steve Henson] 5105160814Ssimon 5106160814Ssimon *) Undo Cygwin change. 5107291719Sjkim [Ulf M��ller] 5108160814Ssimon 5109160814Ssimon *) Added support for proxy certificates according to RFC 3820. 5110160814Ssimon Because they may be a security thread to unaware applications, 5111160814Ssimon they must be explicitely allowed in run-time. See 5112160814Ssimon docs/HOWTO/proxy_certificates.txt for further information. 5113160814Ssimon [Richard Levitte] 5114160814Ssimon 5115160814Ssimon Changes between 0.9.7e and 0.9.7f [22 Mar 2005] 5116160814Ssimon 5117160814Ssimon *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating 5118160814Ssimon server and client random values. 
Previously 5119160814Ssimon (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in 5120160814Ssimon less random data when sizeof(time_t) > 4 (some 64 bit platforms). 5121160814Ssimon 5122160814Ssimon This change has negligible security impact because: 5123160814Ssimon 5124160814Ssimon 1. Server and client random values still have 24 bytes of pseudo random 5125160814Ssimon data. 5126160814Ssimon 5127160814Ssimon 2. Server and client random values are sent in the clear in the initial 5128160814Ssimon handshake. 5129160814Ssimon 5130160814Ssimon 3. The master secret is derived using the premaster secret (48 bytes in 5131160814Ssimon size for static RSA ciphersuites) as well as client server and random 5132160814Ssimon values. 5133160814Ssimon 5134160814Ssimon The OpenSSL team would like to thank the UK NISCC for bringing this issue 5135160814Ssimon to our attention. 5136160814Ssimon 5137160814Ssimon [Stephen Henson, reported by UK NISCC] 5138160814Ssimon 5139160814Ssimon *) Use Windows randomness collection on Cygwin. 5140291719Sjkim [Ulf M��ller] 5141160814Ssimon 5142160814Ssimon *) Fix hang in EGD/PRNGD query when communication socket is closed 5143160814Ssimon prematurely by EGD/PRNGD. 5144291719Sjkim [Darren Tucker <dtucker@zip.com.au> via Lutz J��nicke, resolves #1014] 5145160814Ssimon 5146160814Ssimon *) Prompt for pass phrases when appropriate for PKCS12 input format. 5147160814Ssimon [Steve Henson] 5148160814Ssimon 5149160814Ssimon *) Back-port of selected performance improvements from development 5150160814Ssimon branch, as well as improved support for PowerPC platforms. 5151160814Ssimon [Andy Polyakov] 5152160814Ssimon 5153160814Ssimon *) Add lots of checks for memory allocation failure, error codes to indicate 5154160814Ssimon failure and freeing up memory if a failure occurs. 5155160814Ssimon [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson] 5156160814Ssimon 5157160814Ssimon *) Add new -passin argument to dgst. 
5158160814Ssimon [Steve Henson] 5159160814Ssimon 5160160814Ssimon *) Perform some character comparisons of different types in X509_NAME_cmp: 5161160814Ssimon this is needed for some certificates that reencode DNs into UTF8Strings 5162160814Ssimon (in violation of RFC3280) and can't or wont issue name rollover 5163160814Ssimon certificates. 5164160814Ssimon [Steve Henson] 5165160814Ssimon 5166160814Ssimon *) Make an explicit check during certificate validation to see that 5167160814Ssimon the CA setting in each certificate on the chain is correct. As a 5168160814Ssimon side effect always do the following basic checks on extensions, 5169160814Ssimon not just when there's an associated purpose to the check: 5170160814Ssimon 5171160814Ssimon - if there is an unhandled critical extension (unless the user 5172160814Ssimon has chosen to ignore this fault) 5173160814Ssimon - if the path length has been exceeded (if one is set at all) 5174160814Ssimon - that certain extensions fit the associated purpose (if one has 5175160814Ssimon been given) 5176160814Ssimon [Richard Levitte] 5177160814Ssimon 5178142425Snectar Changes between 0.9.7d and 0.9.7e [25 Oct 2004] 5179142425Snectar 5180142425Snectar *) Avoid a race condition when CRLs are checked in a multi threaded 5181142425Snectar environment. This would happen due to the reordering of the revoked 5182142425Snectar entries during signature checking and serial number lookup. Now the 5183142425Snectar encoding is cached and the serial number sort performed under a lock. 5184142425Snectar Add new STACK function sk_is_sorted(). 5185142425Snectar [Steve Henson] 5186142425Snectar 5187142425Snectar *) Add Delta CRL to the extension code. 5188142425Snectar [Steve Henson] 5189142425Snectar 5190142425Snectar *) Various fixes to s3_pkt.c so alerts are sent properly. 
5191142425Snectar [David Holmes <d.holmes@f5.com>] 5192142425Snectar 5193142425Snectar *) Reduce the chances of duplicate issuer name and serial numbers (in 5194142425Snectar violation of RFC3280) using the OpenSSL certificate creation utilities. 5195142425Snectar This is done by creating a random 64 bit value for the initial serial 5196142425Snectar number when a serial number file is created or when a self signed 5197142425Snectar certificate is created using 'openssl req -x509'. The initial serial 5198142425Snectar number file is created using 'openssl x509 -next_serial' in CA.pl 5199142425Snectar rather than being initialized to 1. 5200142425Snectar [Steve Henson] 5201142425Snectar 5202127128Snectar Changes between 0.9.7c and 0.9.7d [17 Mar 2004] 5203127128Snectar 5204127128Snectar *) Fix null-pointer assignment in do_change_cipher_spec() revealed 5205160814Ssimon by using the Codenomicon TLS Test Tool (CVE-2004-0079) 5206127128Snectar [Joe Orton, Steve Henson] 5207127128Snectar 5208127128Snectar *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites 5209160814Ssimon (CVE-2004-0112) 5210127128Snectar [Joe Orton, Steve Henson] 5211127128Snectar 5212127128Snectar *) Make it possible to have multiple active certificates with the same 5213127128Snectar subject in the CA index file. This is done only if the keyword 5214127128Snectar 'unique_subject' is set to 'no' in the main CA section (default 5215127128Snectar if 'CA_default') of the configuration file. The value is saved 5216127128Snectar with the database itself in a separate index attribute file, 5217127128Snectar named like the index file with '.attr' appended to the name. 5218127128Snectar [Richard Levitte] 5219127128Snectar 5220127128Snectar *) X509 verify fixes. Disable broken certificate workarounds when 5221127128Snectar X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if 5222127128Snectar keyUsage extension present. 
Don't accept CRLs with unhandled critical 5223127128Snectar extensions: since verify currently doesn't process CRL extensions this 5224127128Snectar rejects a CRL with *any* critical extensions. Add new verify error codes 5225127128Snectar for these cases. 5226127128Snectar [Steve Henson] 5227127128Snectar 5228127128Snectar *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. 5229127128Snectar A clarification of RFC2560 will require the use of OCTET STRINGs and 5230127128Snectar some implementations cannot handle the current raw format. Since OpenSSL 5231127128Snectar copies and compares OCSP nonces as opaque blobs without any attempt at 5232127128Snectar parsing them this should not create any compatibility issues. 5233127128Snectar [Steve Henson] 5234127128Snectar 5235127128Snectar *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when 5236127128Snectar calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without 5237127128Snectar this HMAC (and other) operations are several times slower than OpenSSL 5238127128Snectar < 0.9.7. 5239127128Snectar [Steve Henson] 5240127128Snectar 5241127128Snectar *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). 5242127128Snectar [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] 5243127128Snectar 5244127128Snectar *) Use the correct content when signing type "other". 5245127128Snectar [Steve Henson] 5246127128Snectar 5247120631Snectar Changes between 0.9.7b and 0.9.7c [30 Sep 2003] 5248120631Snectar 5249120631Snectar *) Fix various bugs revealed by running the NISCC test suite: 5250120631Snectar 5251120631Snectar Stop out of bounds reads in the ASN1 code when presented with 5252160814Ssimon invalid tags (CVE-2003-0543 and CVE-2003-0544). 5253120631Snectar 5254160814Ssimon Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545). 
5255120631Snectar 5256120631Snectar If verify callback ignores invalid public key errors don't try to check 5257120631Snectar certificate signature with the NULL public key. 5258120631Snectar 5259120631Snectar [Steve Henson] 5260120631Snectar 5261120631Snectar *) New -ignore_err option in ocsp application to stop the server 5262120631Snectar exiting on the first error in a request. 5263120631Snectar [Steve Henson] 5264120631Snectar 5265120631Snectar *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate 5266120631Snectar if the server requested one: as stated in TLS 1.0 and SSL 3.0 5267120631Snectar specifications. 5268120631Snectar [Steve Henson] 5269120631Snectar 5270120631Snectar *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional 5271120631Snectar extra data after the compression methods not only for TLS 1.0 5272120631Snectar but also for SSL 3.0 (as required by the specification). 5273120631Snectar [Bodo Moeller; problem pointed out by Matthias Loepfe] 5274120631Snectar 5275120631Snectar *) Change X509_certificate_type() to mark the key as exported/exportable 5276120631Snectar when it's 512 *bits* long, not 512 bytes. 5277120631Snectar [Richard Levitte] 5278120631Snectar 5279120631Snectar *) Change AES_cbc_encrypt() so it outputs exact multiple of 5280120631Snectar blocks during encryption. 5281120631Snectar [Richard Levitte] 5282120631Snectar 5283120631Snectar *) Various fixes to base64 BIO and non blocking I/O. On write 5284120631Snectar flushes were not handled properly if the BIO retried. On read 5285120631Snectar data was not being buffered properly and had various logic bugs. 5286120631Snectar This also affects blocking I/O when the data being decoded is a 5287120631Snectar certain size. 5288120631Snectar [Steve Henson] 5289120631Snectar 5290120631Snectar *) Various S/MIME bugfixes and compatibility changes: 5291120631Snectar output correct application/pkcs7 MIME type if 5292120631Snectar PKCS7_NOOLDMIMETYPE is set. 
     Tolerate some broken signatures.
     Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
     of files as .eml work). Correctly handle very long lines in MIME
     parser.
     [Steve Henson]

 Changes between 0.9.7a and 0.9.7b [10 Apr 2003]

  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]

  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]

  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway). Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]

  *) Fixed a typo bug that would cause ENGINE_set_default() to set an
     ENGINE as defaults for all supported algorithms irrespective of
     the 'flags' parameter. 'flags' is now honoured, so applications
     should make sure they are passing it correctly.
     [Geoff Thorpe]

  *) Target "mingw" now allows native Windows code to be generated in
     the Cygwin environment as well as with the MinGW compiler.
     [Ulf Moeller]

 Changes between 0.9.7 and 0.9.7a [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrect
     block cipher padding has been found. This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CVE-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

  *) Make the no-err option work as intended. The intention with no-err
     is not to have the whole error stack handling routines removed from
     libcrypto, it's only intended to remove all the function name and
     reason texts, thereby removing some of the footprint that may not
     be interesting if those errors aren't displayed anyway.

     NOTE: it's still possible for any application or module to have its
     own set of error texts inserted.
     The routines are there, just not
     used by default when no-err is given.
     [Richard Levitte]

  *) Add support for FreeBSD on IA64.
     [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]

  *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
     Kerberos function mit_des_cbc_cksum(). Before this change,
     the value returned by DES_cbc_cksum() was like the one from
     mit_des_cbc_cksum(), except the bytes were swapped.
     [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]

  *) Allow an application to disable the automatic SSL chain building.
     Before this a rather primitive chain build was always performed in
     ssl3_output_cert_chain(): an application had no way to send the
     correct chain if the automatic operation produced an incorrect result.

     Now the chain builder is disabled if either:

     1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().

     2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.

     The reasoning behind this is that an application would not want the
     auto chain building to take place if extra chain certificates are
     present and it might also want a means of sending no additional
     certificates (for example the chain has two certificates and the
     root is omitted).
     [Steve Henson]

  *) Add the possibility to build without the ENGINE framework.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]

  *) Under Win32 gmtime() can return NULL: check return value in
     OPENSSL_gmtime(). Add error code for case where gmtime() fails.
     [Steve Henson]

  *) DSA routines: under certain error conditions uninitialized BN objects
     could be freed. Solution: make sure initialization is performed early
     enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
     Nils Larsch <nla@trustcenter.de> via PR#459)
     [Lutz Jaenicke]

  *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
     checked on reconnect on the client side, therefore session resumption
     could still fail with a "ssl session id is different" error. This
     behaviour is masked when SSL_OP_ALL is used due to
     SSL_OP_MICROSOFT_SESS_ID_BUG being set.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     followup to PR #377.
     [Lutz Jaenicke]

  *) IA-32 assembler support enhancements: unified ELF targets, support
     for SCO/Caldera platforms, fix for Cygwin shared build.
     [Andy Polyakov]

  *) Add support for FreeBSD on sparc64. As a consequence, support for
     FreeBSD on non-x86 processors is separate from x86 processors on
     the config script, much like the NetBSD support.
     [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]

 Changes between 0.9.6h and 0.9.7 [31 Dec 2002]

  [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
  OpenSSL 0.9.7.]

  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
     code (06) was taken as the first octet of the session ID and the last
     octet was ignored consequently. As a result SSLv2 client side session
     caching could not have worked due to the session ID mismatch between
     client and server.
     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
     PR #377.
     [Lutz Jaenicke]

  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
     instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
     removed entirely.
     [Richard Levitte]

  *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it
     seems that in spite of existing for more than a year, many application
     authors have done nothing to provide the necessary callbacks, which
     means that this particular engine will not work properly anywhere.
     This is a very unfortunate situation which forces us, in the name
     of usability, to give the hw_ncipher.c a static lock, which is part
     of libcrypto.
     NOTE: This is for the 0.9.7 series ONLY. This hack will never
     appear in 0.9.8 or later.
     We EXPECT application authors to have
     dealt properly with this when 0.9.8 is released (unless we actually
     make such changes in the libcrypto locking code that changes will
     have to be made anyway).
     [Richard Levitte]

  *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
     octets have been read, EOF or an error occurs. Without this change
     some truncated ASN1 structures will not produce an error.
     [Steve Henson]

  *) Disable Heimdal support, since it hasn't been fully implemented.
     Still give the possibility to force the use of Heimdal, but with
     warnings and a request that patches get sent to openssl-dev.
     [Richard Levitte]

  *) Add the VC-CE target, introduce the WINCE sysname, and add
     INSTALL.WCE and appropriate conditionals to make it build.
     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]

  *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
     cygssl-x.y.z.dll, where x, y and z are the major, minor and
     edit numbers of the version.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

  *) Introduce safe string copy and catenation functions
     (BUF_strlcpy() and BUF_strlcat()).
     [Ben Laurie (CHATS) and Richard Levitte]

  *) Avoid using fixed-size buffers for one-line DNs.
     [Ben Laurie (CHATS)]

  *) Add BUF_MEM_grow_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]

  *) Avoid using fixed size buffers for configuration file location.
     [Ben Laurie (CHATS)]

  *) Avoid filename truncation for various CA files.
     [Ben Laurie (CHATS)]

  *) Use sizeof in preference to magic numbers.
     [Ben Laurie (CHATS)]

  *) Avoid filename truncation in cert requests.
     [Ben Laurie (CHATS)]

  *) Add assertions to check for (supposedly impossible) buffer
     overflows.
     [Ben Laurie (CHATS)]

  *) Don't cache truncated DNS entries in the local cache (this could
     potentially lead to a spoofing attack).
     [Ben Laurie (CHATS)]

  *) Fix various buffers to be large enough for hex/decimal
     representations in a platform independent manner.
     [Ben Laurie (CHATS)]

  *) Add CRYPTO_realloc_clean() to avoid information leakage when
     resizing buffers containing secrets, and use where appropriate.
     [Ben Laurie (CHATS)]

  *) Add BIO_indent() to avoid much slightly worrying code to do
     indents.
     [Ben Laurie (CHATS)]

  *) Convert sprintf()/BIO_puts() to BIO_printf().
     [Ben Laurie (CHATS)]

  *) buffer_gets() could terminate with the buffer only half
     full. Fixed.
     [Ben Laurie (CHATS)]

  *) Add assertions to prevent user-supplied crypto functions from
     overflowing internal buffers by having large block sizes, etc.
     [Ben Laurie (CHATS)]

  *) New OPENSSL_assert() macro (similar to assert(), but enabled
     unconditionally).
     [Ben Laurie (CHATS)]

  *) Eliminate unused copy of key in RC4.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
     [Ben Laurie (CHATS)]

  *) Fix off-by-one error in EGD path.
     [Ben Laurie (CHATS)]

  *) If RANDFILE path is too long, ignore instead of truncating.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and incorrectly sized X.509 structure
     CBCParameter.
     [Ben Laurie (CHATS)]

  *) Eliminate unused and dangerous function knumber().
     [Ben Laurie (CHATS)]

  *) Eliminate unused and dangerous structure, KSSL_ERR.
     [Ben Laurie (CHATS)]

  *) Protect against overlong session ID context length in an encoded
     session object. Since these are local, this does not appear to be
     exploitable.
     [Ben Laurie (CHATS)]

  *) Change from security patch (see 0.9.6e below) that did not affect
     the 0.9.6 release series:

     Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized master key in Kerberos-enabled versions.
     (CVE-2002-0657)
     [Ben Laurie (CHATS)]

  *) Change the SSL kerb5 codes to match RFC 2712.
     [Richard Levitte]

  *) Make -nameopt work fully for req and add -reqopt switch.
     [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]

  *) The "block size" for block ciphers in CFB and OFB mode should be 1.
     [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]

  *) Make sure tests can be performed even if the corresponding algorithms
     have been removed entirely. This was also the last step to make
     OpenSSL compilable with DJGPP under all reasonable conditions.
     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]

  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
     to allow version independent disabling of normally unselected ciphers,
     which may be activated as a side-effect of selecting a single cipher.

     (E.g., cipher list string "RSA" enables ciphersuites that are left
     out of "ALL" because they do not provide symmetric encryption.
     "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.)
     [Lutz Jaenicke, Bodo Moeller]

  *) Add appropriate support for separate platform-dependent build
     directories. The recommended way to make a platform-dependent
     build directory is the following (tested on Linux), maybe with
     some local tweaks:

     # Place yourself outside of the OpenSSL source tree. In
     # this example, the environment variable OPENSSL_SOURCE
     # is assumed to contain the absolute OpenSSL source directory.
     mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
     cd objtree/"`uname -s`-`uname -r`-`uname -m`"
     (cd $OPENSSL_SOURCE; find . \
         -type f) | while read F; do
         # Recreate the source directory layout and link each file in.
         mkdir -p `dirname $F`
         ln -s $OPENSSL_SOURCE/$F $F
     done

     To be absolutely sure not to disturb the source tree, a "make clean"
     is a good thing. If it isn't successful, don't worry about it,
     it probably means the source directory is very clean.
     [Richard Levitte]

  *) Make sure any ENGINE control commands make local copies of string
     pointers passed to them whenever necessary. Otherwise it is possible
     the caller may have overwritten (or deallocated) the original string
     data when a later ENGINE operation tries to use the stored values.
     [Götz Babin-Ebell <babinebell@trustcenter.de>]

  *) Improve diagnostics in file reading and command-line digests.
     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]

  *) Add AES modes CFB and OFB to the object database. Correct an
     error in AES-CFB decryption.
     [Richard Levitte]

  *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
     allows existing EVP_CIPHER_CTX structures to be reused after
     calling EVP_*Final(). This behaviour is used by encryption
     BIOs and some applications. This has the side effect that
     applications must explicitly clean up cipher contexts with
     EVP_CIPHER_CTX_cleanup() or they will leak memory.
     [Steve Henson]

  *) Check the values of dna and dnb in bn_mul_recursive before calling
     bn_mul_comba (a non-zero value means the a or b arrays do not contain
     n2 elements) and fall back to bn_mul_normal if either is not zero.
     [Steve Henson]

  *) Fix escaping of non-ASCII characters when using the -subj option
     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
     [Lutz Jaenicke]

  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
     form for "surname", serialNumber has no short form.
     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
     therefore remove "mail" short name for "internet 7".
     The OID for unique identifiers in X509 certificates is
     x500UniqueIdentifier, not uniqueIdentifier.
     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
     [Lutz Jaenicke]

  *) Add an "init" command to the ENGINE config module and auto initialize
     ENGINEs. Without any "init" command the ENGINE will be initialized
     after all ctrl commands have been executed on it. If init=1 the
     ENGINE is initialized at that point (ctrls before that point are run
     on the uninitialized ENGINE and after on the initialized one). If
     init=0 then the ENGINE will not be initialized at all.
     [Steve Henson]

  *) Fix the 'app_verify_callback' interface so that the user-defined
     argument is actually passed to the callback: In the
     SSL_CTX_set_cert_verify_callback() prototype, the callback
     declaration has been changed from
          int (*cb)()
     into
          int (*cb)(X509_STORE_CTX *,void *);
     in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
          i=s->ctx->app_verify_callback(&ctx)
     has been changed into
          i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).

     To update applications using SSL_CTX_set_cert_verify_callback(),
     a dummy argument can be added to their callback functions.
     [D. K. Smetters <smetters@parc.xerox.com>]

  *) Added the '4758cca' ENGINE to support IBM 4758 cards.
     [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]

  *) Add an OPENSSL_LOAD_CONF define which will cause
     OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
     This allows older applications to transparently support certain
     OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
     Two new functions OPENSSL_add_all_algorithms_noconf() which will never
     load the config file and OPENSSL_add_all_algorithms_conf() which will
     always load it have also been added.
     [Steve Henson]

  *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
     Adjust NIDs and EVP layer.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) Config modules support in openssl utility.

     Most commands now load modules from the config file,
     though in a few (such as version) this isn't done
     because it couldn't be used for anything.

     In the case of ca and req the config file used is
     the same as the utility itself: that is the -config
     command line option can be used to specify an
     alternative file.
     [Steve Henson]

  *) Move default behaviour from OPENSSL_config(). If appname is NULL,
     use "openssl_conf"; if filename is NULL, use the default openssl
     config file.
     [Steve Henson]

  *) Add an argument to OPENSSL_config() to allow the use of an alternative
     config section name. Add a new flag to tolerate a missing config file
     and move code to CONF_modules_load_file().
     [Steve Henson]

  *) Support for crypto accelerator cards from Accelerated Encryption
     Processing, www.aep.ie. (Use engine 'aep')
     The support was copied from 0.9.6c [engine] and adapted/corrected
     to work with the new engine framework.
     [AEP Inc. and Richard Levitte]

  *) Support for SureWare crypto accelerator cards from Baltimore
     Technologies. (Use engine 'sureware')
     The support was copied from 0.9.6c [engine] and adapted
     to work with the new engine framework.
     [Richard Levitte]

  *) Make the CHIL engine fork-safe (as defined by nCipher) and actually
     make the newer ENGINE framework commands for the CHIL engine work.
     [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]

  *) Make it possible to produce shared libraries on ReliantUNIX.
     [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]

  *) Add the configuration target debug-linux-ppro.
     Make 'openssl rsa' use the general key loading routines
     implemented in apps.c, and make those routines able to
     handle the key format FORMAT_NETSCAPE and the variant
     FORMAT_IISSGC.
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Add -keyform to rsautl, and document -engine.
     [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]

  *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
     BIO_R_NO_SUCH_FILE error code rather than the generic
     ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
     [Ben Laurie]

  *) Add new functions
          ERR_peek_last_error
          ERR_peek_last_error_line
          ERR_peek_last_error_line_data.
     These are similar to
          ERR_peek_error
          ERR_peek_error_line
          ERR_peek_error_line_data,
     but report on the latest error recorded rather than the first one
     still in the error queue.
     [Ben Laurie, Bodo Moeller]

  *) default_algorithms option in ENGINE config module.
     This allows things
     like:
          default_algorithms = ALL
          default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
     [Steve Henson]

  *) Preliminary ENGINE config module.
     [Steve Henson]

  *) New experimental application configuration code.
     [Steve Henson]

  *) Change the AES code to follow the same name structure as all other
     symmetric ciphers, and behave the same way. Move everything to
     the directory crypto/aes, thereby obsoleting crypto/rijndael.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
     [Ben Laurie and Theo de Raadt]

  *) Add option to output public keys in req command.
     [Massimiliano Pala madwolf@openca.org]

  *) Use wNAFs in EC_POINTs_mul() for improved efficiency
     (up to about 10% better than before for P-192 and P-224).
     [Bodo Moeller]

  *) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1).
     Here 'version' is the
     protocol version according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.
     [Bodo Moeller]

  *) Change the shared library support so shared libraries are built as
     soon as the corresponding static library is finished, and thereby get
     openssl and the test programs linked against the shared library.
     This still only happens when the keyword "shared" has been given to
     the configuration scripts.

     NOTE: shared library support is still an experimental thing, and
     backward binary compatibility is still not guaranteed.
     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]

  *) Add support for Subject Information Access extension.
     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]

  *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
     additional bytes when new memory had to be allocated, not just
     when reusing an existing buffer.
     [Bodo Moeller]

  *) New command line and configuration option 'utf8' for the req command.
     This allows field values to be specified as UTF8 strings.
     [Steve Henson]

  *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
     runs for the former and machine-readable output for the latter.
     [Ben Laurie]

  *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
     of the e-mail address in the DN (i.e., it will go into a certificate
     extension only). The new configuration file option 'email_in_dn = no'
     has the same effect.
     [Massimiliano Pala madwolf@openca.org]

  *) Change all functions with names starting with des_ to be starting
     with DES_ instead. Add wrappers that are compatible with libdes,
     but are named _ossl_old_des_*. Finally, add macros that map the
     des_* symbols to the corresponding _ossl_old_des_* if libdes
     compatibility is desired. If OpenSSL 0.9.6c compatibility is
     desired, the des_* symbols will be mapped to DES_*, with one
     exception.

     Since we provide two compatibility mappings, the user needs to
     define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
     compatibility is desired. The default (i.e., when that macro
     isn't defined) is OpenSSL 0.9.6c compatibility.

     There are also macros that enable and disable the support of old
     des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
     and OPENSSL_DISABLE_OLD_DES_SUPPORT.
     If none or both of those
     are defined, the default will apply: to support the old des routines.

     In either case, one must include openssl/des.h to get the correct
     definitions. Do not try to just include openssl/des_old.h, that
     won't work.

     NOTE: This is a major break of an old API into a new one. Software
     authors are encouraged to switch to the DES_ style functions. Some
     time in the future, des_old.h and the libdes compatibility functions
     will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
     default), and then completely removed.
     [Richard Levitte]

  *) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  *) Modify the behaviour of EVP cipher functions in similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

  *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter does
     not have to be initialized before the call to EVP_DigestInit() and
     it is tidied up after a call to EVP_DigestFinal().
New function 5883109998Smarkm EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function 5884109998Smarkm EVP_MD_CTX_copy() changed to not require the destination to be 5885109998Smarkm initialized valid and new function EVP_MD_CTX_copy_ex() added which 5886109998Smarkm requires the destination to be valid. 5887109998Smarkm 5888109998Smarkm Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), 5889109998Smarkm EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). 5890109998Smarkm [Steve Henson] 5891109998Smarkm 5892109998Smarkm *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it 5893109998Smarkm so that complete 'Handshake' protocol structures are kept in memory 5894109998Smarkm instead of overwriting 'msg_type' and 'length' with 'body' data. 5895109998Smarkm [Bodo Moeller] 5896109998Smarkm 5897109998Smarkm *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. 5898109998Smarkm [Massimo Santin via Richard Levitte] 5899109998Smarkm 5900109998Smarkm *) Major restructuring to the underlying ENGINE code. This includes 5901109998Smarkm reduction of linker bloat, separation of pure "ENGINE" manipulation 5902109998Smarkm (initialisation, etc) from functionality dealing with implementations 5903109998Smarkm of specific crypto iterfaces. This change also introduces integrated 5904109998Smarkm support for symmetric ciphers and digest implementations - so ENGINEs 5905109998Smarkm can now accelerate these by providing EVP_CIPHER and EVP_MD 5906109998Smarkm implementations of their own. This is detailed in crypto/engine/README 5907109998Smarkm as it couldn't be adequately described here. 
However, there are a few 5908109998Smarkm API changes worth noting - some RSA, DSA, DH, and RAND functions that 5909109998Smarkm were changed in the original introduction of ENGINE code have now 5910109998Smarkm reverted back - the hooking from this code to ENGINE is now a good 5911109998Smarkm deal more passive and at run-time, operations deal directly with 5912109998Smarkm RSA_METHODs, DSA_METHODs (etc) as they did before, rather than 5913109998Smarkm dereferencing through an ENGINE pointer any more. Also, the ENGINE 5914109998Smarkm functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - 5915109998Smarkm they were not being used by the framework as there is no concept of a 5916109998Smarkm BIGNUM_METHOD and they could not be generalised to the new 5917109998Smarkm 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, 5918109998Smarkm ENGINE_cpy() has been removed as it cannot be consistently defined in 5919109998Smarkm the new code. 5920109998Smarkm [Geoff Thorpe] 5921109998Smarkm 5922109998Smarkm *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. 5923109998Smarkm [Steve Henson] 5924109998Smarkm 5925109998Smarkm *) Change mkdef.pl to sort symbols that get the same entry number, 5926109998Smarkm and make sure the automatically generated functions ERR_load_* 5927109998Smarkm become part of libeay.num as well. 5928109998Smarkm [Richard Levitte] 5929109998Smarkm 5930109998Smarkm *) New function SSL_renegotiate_pending(). This returns true once 5931109998Smarkm renegotiation has been requested (either SSL_renegotiate() call 5932109998Smarkm or HelloRequest/ClientHello receveived from the peer) and becomes 5933109998Smarkm false once a handshake has been completed. 5934109998Smarkm (For servers, SSL_renegotiate() followed by SSL_do_handshake() 5935109998Smarkm sends a HelloRequest, but does not ensure that a handshake takes 5936109998Smarkm place. 
     SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.

     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
     more bits available for options that should not be part of
     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
     [Bodo Moeller]

  *) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  *) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  *) Add support for shared libraries for Unixware-7
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
     [Geoff Thorpe]

  *) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) Make it possible to unload ranges of ERR strings with a new
     "ERR_unload_strings" function.
     [Geoff Thorpe]

  *) Add a copy() function to EVP_MD.
     [Ben Laurie]

  *) Make EVP_MD routines take a context pointer instead of just the
     md_data void pointer.
     [Ben Laurie]

  *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  *) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
     leak as before, but its memory debugging output will announce it now
     rather than letting it slide.

     Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
     induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
     has a return value to indicate success or failure.
     [Geoff Thorpe]

  *) Make it possible to replace the underlying "ERR" functions such that the
     global state (2 LHASH tables and 2 locks) is only used by the "default"
     implementation. This change also adds two functions to "get" and "set"
     the implementation prior to it being automatically set the first time
     any other ERR function takes place. Ie. an application can call "get",
     pass the return value to a module it has just loaded, and that module
     can call its own "set" function using that value. This means the
     module's "ERR" operations will use (and modify) the error state in the
     application and not in its own statically linked copy of OpenSSL code.
     [Geoff Thorpe]

  *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
     the operation, and provides a more encapsulated way for external code
     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
     to use these functions rather than manually incrementing the counts.

     Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
     [Geoff Thorpe]

  *) Add EVP test program.
     [Ben Laurie]

  *) Add symmetric cipher support to ENGINE. Expect the API to change!
     [Ben Laurie]

  *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name(),
     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
     These allow a CRL to be built without having to access X509_CRL fields
     directly. Modify 'ca' application to use new functions.
     [Steve Henson]

  *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
     The problem will only arise on OpenSSL servers when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  *) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
     (similar to those existing for EVP_CIPHER_CTX).
     Usage example:

         EVP_MD_CTX md;

         EVP_MD_CTX_init(&md);             /* new function call */
         EVP_DigestInit(&md, EVP_sha1());
         EVP_DigestUpdate(&md, in, len);
         EVP_DigestFinal(&md, out, NULL);
         EVP_MD_CTX_cleanup(&md);          /* new function call */

     [Ben Laurie]

  *) Make DES key schedule conform to the usual scheme, as well as
     correcting its structure. This means that calls to DES functions
     now have to pass a pointer to a des_key_schedule instead of a
     plain des_key_schedule (which was actually always a pointer
     anyway). E.g.,

         des_key_schedule ks;

         des_set_key_checked(..., &ks);
         des_ncbc_encrypt(..., &ks, ...);

     (Note that a later change renames 'des_...' into 'DES_...'.)
     [Ben Laurie]

  *) Initial reduction of linker bloat: the use of some functions, such as
     PEM, causes large amounts of unused functions to be linked in due to
     poor organisation. For example pem_all.c contains every PEM function,
     which has a knock-on effect of linking in large amounts of (unused)
     ASN1 code. Grouping together similar functions and splitting unrelated
     functions prevents this.
     [Steve Henson]

  *) Cleanup of EVP macros.
     [Ben Laurie]

  *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
     correct _ecb suffix.
     [Ben Laurie]

  *) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     used by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script) or using an internal minimal server.
     [Steve Henson]

  *) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  *) Changes to Kerberos SSL for RFC 2712 compliance:
     1. Implemented real KerberosWrapper, instead of just using
        KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2. Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

  *) Speed up EVP routines.
     Before:
     encrypt
     type                 8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes
     des-cbc             4408.85k    5560.51k    5778.46k    5862.20k    5825.16k
     des-cbc             4389.55k    5571.17k    5792.23k    5846.91k    5832.11k
     des-cbc             4394.32k    5575.92k    5807.44k    5848.37k    5841.30k
     decrypt
     des-cbc             3482.66k    5069.49k    5496.39k    5614.16k    5639.28k
     des-cbc             3480.74k    5068.76k    5510.34k    5609.87k    5635.52k
     des-cbc             3483.72k    5067.62k    5504.60k    5708.01k    5724.80k
     After:
     encrypt
     des-cbc             4660.16k    5650.19k    5807.19k    5827.13k    5783.32k
     decrypt
     des-cbc             3624.96k    5258.21k    5530.91k    5624.30k    5628.26k
     [Ben Laurie]

  *) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

  *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular wrt extensions) without having to duplicate the
     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
     [Steve Henson]

  *) Enhance the general user interface with mechanisms for inner control
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  *) Change all calls to low level digest routines in the library and
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  *) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer. NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
     Adapt the nCipher code for these new conditions and add a card insertion
     callback.
     [Richard Levitte]

  *) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
     and interrupts/cancellations.
     [Richard Levitte]

  *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

  *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
     tidy up some unnecessarily weird code in 'sk_new()').
     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

  *) Change the key loading routines for ENGINEs to use the same kind of
     callback (pem_password_cb) as all other routines that need this
     kind of callback.
     [Richard Levitte]

  *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
     256 bit (=32 byte) keys. Of course seeding with more entropy bytes
     than this minimum value is recommended.
     [Lutz Jaenicke]

  *) New random seeder for OpenVMS, using the system process statistics
     that are easily reachable.
     [Richard Levitte]

  *) Windows apparently can't transparently handle global
     variables defined in DLLs. Initialisations such as:

         const ASN1_ITEM *it = &ASN1_INTEGER_it;

     won't compile. This is used by any applications that need to
     declare their own ASN1 modules. This was fixed by adding the option
     EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
     needed for static libraries under Win32.
     [Steve Henson]

  *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
     setting of purpose and trust fields. New X509_STORE trust and
     purpose functions and tidy up setting in other SSL functions.
     [Steve Henson]

  *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
     structure. These are inherited by X509_STORE_CTX when it is
     initialised. This allows various defaults to be set in the
     X509_STORE structure (such as flags for CRL checking and custom
     purpose or trust settings) for functions which only use X509_STORE_CTX
     internally such as S/MIME.

     Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
     trust settings if they are not set in X509_STORE. This allows X509_STORE
     purposes and trust (in S/MIME for example) to override any set by default.

     Add command line options for CRL checking to smime, s_client and s_server
     applications.
     [Steve Henson]

  *) Initial CRL based revocation checking. If the CRL checking flag(s)
     are set then the CRL is looked up in the X509_STORE structure and
     its validity and signature checked, then if the certificate is found
     in the CRL the verify fails with a revoked error.

     Various new CRL related callbacks added to X509_STORE_CTX structure.

     Command line options added to 'verify' application to support this.

     This needs some additional work, such as being able to handle multiple
     CRLs with different times, extension based lookup (rather than just
     by subject name) and ultimately more complete V2 CRL extension
     handling.
     [Steve Henson]

  *) Add a general user interface API (crypto/ui/). This is designed
     to replace things like des_read_password and friends (backward
     compatibility functions using this new API are provided).
     The purpose is to remove prompting functions from the DES code
     section as well as provide for prompting through dialog boxes in
     a window system and the like.
     [Richard Levitte]

  *) Add "ex_data" support to ENGINE so implementations can add state at a
     per-structure level rather than having to store it globally.
     [Geoff]

  *) Make it possible for ENGINE structures to be copied when retrieved by
     ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
     This causes the "original" ENGINE structure to act like a template,
     analogous to the RSA vs. RSA_METHOD type of separation. Because of this,
     operational state can be localised to each ENGINE structure, despite the
     fact they all share the same "methods". New ENGINE structures returned in
     this case have no functional references and the return value is the single
     structural reference. This matches the single structural reference returned
     by ENGINE_by_id() normally, when it is incremented on the pre-existing
     ENGINE structure.
     [Geoff]

  *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
     needs to match any other type at all we need to manually clear the
     tag cache.
     [Steve Henson]

  *) Changes to the "openssl engine" utility to include:
     - verbosity levels ('-v', '-vv', and '-vvv') that provide information
       about an ENGINE's available control commands.
     - executing control commands from command line arguments using the
       '-pre' and '-post' switches. '-post' is only used if '-t' is
       specified and the ENGINE is successfully initialised. The syntax for
       the individual commands is colon-separated, for example:
         openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
     [Geoff]

  *) New dynamic control command support for ENGINEs. ENGINEs can now
     declare their own commands (numbers), names (strings), descriptions,
     and input types for run-time discovery by calling applications. A
     subset of these commands are implicitly classed as "executable"
     depending on their input type, and only these can be invoked through
     the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
     can be based on user input, config files, etc). The distinction is
     that "executable" commands cannot return anything other than a boolean
     result and can only support numeric or string input, whereas some
     discoverable commands may only be for direct use through
     ENGINE_ctrl(), eg. supporting the exchange of binary data, function
     pointers, or other custom uses.
     The "executable" commands are to
     support parameterisations of ENGINE behaviour that can be
     unambiguously defined by ENGINEs and used consistently across any
     OpenSSL-based application. Commands have been added to all the
     existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
     control over shared-library paths without source code alterations.
     [Geoff]

  *) Changed all ENGINE implementations to dynamically allocate their
     ENGINEs rather than declaring them statically. Apart from this being
     necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
     this also allows the implementations to compile without using the
     internal engine_int.h header.
     [Geoff]

  *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
     'const' value. Any code that should be able to modify a RAND_METHOD
     should already have non-const pointers to it (ie. they should only
     modify their own ones).
     [Geoff]

  *) Made a variety of little tweaks to the ENGINE code.
     - "atalla" and "ubsec" string definitions were moved from header files
       to C code. "nuron" string definitions were placed in variables
       rather than hard-coded - allowing parameterisation of these values
       later on via ctrl() commands.
     - Removed unused "#if 0"'d code.
     - Fixed engine list iteration code so it uses ENGINE_free() to release
       structural references.
     - Constified the RAND_METHOD element of ENGINE structures.
     - Constified various get/set functions as appropriate and added
       missing functions (including a catch-all ENGINE_cpy that duplicates
       all ENGINE values onto a new ENGINE except reference counts/state).
     - Removed NULL parameter checks in get/set functions. Setting a method
       or function to NULL is a way of cancelling out a previously set
       value. Passing a NULL ENGINE parameter is just plain stupid anyway
       and doesn't justify the extra error symbols and code.
     - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
       flags from engine_int.h to engine.h.
     - Changed prototypes for ENGINE handler functions (init(), finish(),
       ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
     [Geoff]

  *) Implement binary inversion algorithm for BN_mod_inverse in addition
     to the algorithm using long division. The binary algorithm can be
     used only if the modulus is odd. On 32-bit systems, it is faster
     only for relatively small moduli (roughly 20-30% for 128-bit moduli,
     roughly 5-15% for 256-bit moduli), so we use it only for moduli
     up to 450 bits. In 64-bit environments, the binary algorithm
     appears to be advantageous for much longer moduli; here we use it
     for moduli up to 2048 bits.
     [Bodo Moeller]

  *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
     could not support the combine flag in choice fields.
     [Steve Henson]

  *) Add a 'copy_extensions' option to the 'ca' utility. This copies
     extensions from a certificate request to the certificate.
     [Steve Henson]

  *) Allow multiple 'certopt' and 'nameopt' options to be separated
     by commas. Add 'nameopt' and 'certopt' options to the 'ca' config
     file: this allows the display of the certificate about to be
     signed to be customised, to allow certain fields to be included
     or excluded and extension details. The old system didn't display
     multicharacter strings properly, omitted fields not in the policy
     and couldn't display additional details such as extensions.
     [Steve Henson]

  *) Function EC_POINTs_mul for multiple scalar multiplication
     of an arbitrary number of elliptic curve points
          \sum scalars[i]*points[i],
     optionally including the generator defined for the EC_GROUP:
          scalar*generator + \sum scalars[i]*points[i].

     EC_POINT_mul is a simple wrapper function for the typical case
     that the point list has just one item (besides the optional
     generator).
     [Bodo Moeller]

  *) First EC_METHODs for curves over GF(p):

     EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
     operations and provides various method functions that can also
     operate with faster implementations of modular arithmetic.

     EC_GFp_mont_method() reuses most functions that are part of
     EC_GFp_simple_method, but uses Montgomery arithmetic.
6400109998Smarkm 6401109998Smarkm [Bodo Moeller; point addition and point doubling 6402109998Smarkm implementation directly derived from source code provided by 6403109998Smarkm Lenka Fibikova <fibikova@exp-math.uni-essen.de>] 6404109998Smarkm 6405109998Smarkm *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, 6406109998Smarkm crypto/ec/ec_lib.c): 6407109998Smarkm 6408109998Smarkm Curves are EC_GROUP objects (with an optional group generator) 6409109998Smarkm based on EC_METHODs that are built into the library. 6410109998Smarkm 6411109998Smarkm Points are EC_POINT objects based on EC_GROUP objects. 6412109998Smarkm 6413109998Smarkm Most of the framework would be able to handle curves over arbitrary 6414109998Smarkm finite fields, but as there are no obvious types for fields other 6415109998Smarkm than GF(p), some functions are limited to that for now. 6416109998Smarkm [Bodo Moeller] 6417109998Smarkm 6418109998Smarkm *) Add the -HTTP option to s_server. It is similar to -WWW, but requires 6419109998Smarkm that the file contains a complete HTTP response. 6420109998Smarkm [Richard Levitte] 6421109998Smarkm 6422109998Smarkm *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl 6423109998Smarkm change the def and num file printf format specifier from "%-40sXXX" 6424109998Smarkm to "%-39s XXX". The latter will always guarantee a space after the 6425109998Smarkm field while the former will cause them to run together if the field 6426109998Smarkm is 40 of more characters long. 6427109998Smarkm [Steve Henson] 6428109998Smarkm 6429109998Smarkm *) Constify the cipher and digest 'method' functions and structures 6430109998Smarkm and modify related functions to take constant EVP_MD and EVP_CIPHER 6431109998Smarkm pointers. 6432109998Smarkm [Steve Henson] 6433109998Smarkm 6434109998Smarkm *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them 6435109998Smarkm in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32. 
     [Bodo Moeller]

  *) Modify EVP_Digest*() routines so they now return values. Although the
     internal software routines can never fail, additional hardware versions
     might.
     [Steve Henson]

  *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:

     Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
     (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

     ASN1 error codes
          ERR_R_NESTED_ASN1_ERROR
          ...
          ERR_R_MISSING_ASN1_EOS
     were 4 .. 9, conflicting with
          ERR_LIB_RSA (= ERR_R_RSA_LIB)
          ...
          ERR_LIB_PEM (= ERR_R_PEM_LIB).
     They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

     Add new error code 'ERR_R_INTERNAL_ERROR'.
     [Bodo Moeller]

  *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
     suffices.
     [Bodo Moeller]

  *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
     sets the subject name for a new request or supersedes the
     subject name in a given request. Formats that can be parsed are
          'CN=Some Name, OU=myOU, C=IT'
     and
          'CN=Some Name/OU=myOU/C=IT'.

     Add options '-batch' and '-verbose' to 'openssl req'.
     [Massimiliano Pala <madwolf@hackmasters.net>]

  *) Introduce the possibility to access global variables through
     functions on platforms where that's the best way to handle exporting
     global variables in shared libraries.
     To enable this functionality, one must configure with
     "EXPORT_VAR_AS_FN" or define the C macro
     "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
     is normally done by Configure or something similar).

     To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
     in the source file (foo.c) like this:

          OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
          OPENSSL_IMPLEMENT_GLOBAL(double,bar);

     To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
     and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

          OPENSSL_DECLARE_GLOBAL(int,foo);
          #define foo OPENSSL_GLOBAL_REF(foo)
          OPENSSL_DECLARE_GLOBAL(double,bar);
          #define bar OPENSSL_GLOBAL_REF(bar)

     The #defines are very important, and therefore so is including the
     header file everywhere where the defined globals are used.

     The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
     of ASN.1 items, but that structure is a bit different.

     The largest change is in util/mkdef.pl which has been enhanced with
     better and easier to understand logic to choose which symbols should
     go into the Windows .def files as well as a number of fixes and code
     cleanup (among others, algorithm keywords are now sorted
     lexicographically to avoid constant rewrites).
     [Richard Levitte]

  *) In BN_div() keep a copy of the sign of 'num' before writing the
     result to 'rm' because if rm==num the value will be overwritten
     and produce the wrong result if 'num' is negative: this caused
     problems with BN_mod() and BN_nnmod().
     [Steve Henson]

  *) Function OCSP_request_verify(). This checks the signature on an
     OCSP request and verifies the signer certificate. The signer
     certificate is just checked for a generic purpose and OCSP request
     trust settings.
     [Steve Henson]

  *) Add OCSP_check_validity() function to check the validity of OCSP
     responses. OCSP responses are prepared in real time and may only
     be a few seconds old. Simply checking that the current time lies
     between thisUpdate and nextUpdate may reject otherwise valid responses
     because of either OCSP responder or client clock inaccuracy. Instead
     we allow thisUpdate and nextUpdate to fall within a certain period of
     the current time. The age of the response can also optionally be
     checked. Two new options -validity_period and -status_age added to
     ocsp utility.
     [Steve Henson]

  *) If signature or public key algorithm is unrecognized print out its
     OID rather than just UNKNOWN.
     [Steve Henson]

  *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
     OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
     ID to be generated from the issuer certificate alone which can then be
     passed to OCSP_id_issuer_cmp().
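     As an added example of the clock-skew-tolerant window check that the
     OCSP_check_validity() entry above describes, the following is written
     for this page and is not OpenSSL's implementation. The function name
     check_validity, its parameter names and the constructed timestamps are
     assumptions; its nsec and maxsec parameters play the roles of the
     ocsp utility's -validity_period and -status_age options.

```python
"""Clock-skew-tolerant OCSP validity window check.

Added example for this page, not OpenSSL's implementation. The function
name check_validity, its parameter names and the constructed timestamps
are assumptions; nsec and maxsec play the roles of the ocsp utility's
-validity_period and -status_age options.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def check_validity(this_update: datetime, next_update: Optional[datetime],
                   now: datetime, nsec: int = 300, maxsec: int = -1) -> List[str]:
    """Return the list of problems found; an empty list means the window is acceptable.

    nsec   -- permitted clock skew in seconds, applied to both ends of the window
    maxsec -- maximum accepted age of thisUpdate in seconds; -1 disables the age check
    """
    problems: List[str] = []
    skew = timedelta(seconds=nsec)

    # A naive "thisUpdate <= now" rejects a response whose responder clock is a
    # few seconds ahead of ours, so thisUpdate may lie up to nsec in the future.
    if this_update > now + skew:
        problems.append("thisUpdate is in the future")

    # Optional freshness requirement on the response itself (-status_age).
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        problems.append("response is too old")

    if next_update is not None:
        # Likewise nextUpdate may lie up to nsec in the past.
        if next_update < now - skew:
            problems.append("nextUpdate has passed")
        # A window that ends before it starts is malformed regardless of skew.
        if next_update < this_update:
            problems.append("nextUpdate precedes thisUpdate")
    return problems


def s(n: int) -> timedelta:
    return timedelta(seconds=n)


def demo() -> Dict[str, List[str]]:
    """Constructed sample windows around a fixed 'now'; returns each verdict."""
    now = datetime(2019, 12, 20, 12, 0, 0, tzinfo=timezone.utc)
    return {
        "fresh":           check_validity(now - s(3), now + s(3600), now),
        "responder ahead": check_validity(now + s(10), now + s(3600), now, nsec=300),
        "skew too large":  check_validity(now + s(10), now + s(3600), now, nsec=5),
        "stale":           check_validity(now - s(7200), now - s(600), now),
        "age limit":       check_validity(now - s(120), now + s(3600), now, maxsec=60),
        "inverted window": check_validity(now + s(60), now - s(60), now, nsec=300),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16s} -> {verdict or 'OK'}")
```

     The "responder ahead" case is the one the entry is about: a
     thisUpdate ten seconds in the future passes with a five-minute
     tolerance and fails with a five-second one, without any change to
     the response itself.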
     [Steve Henson]

  *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
     ASN1 modules to export functions returning ASN1_ITEM pointers
     instead of the ASN1_ITEM structures themselves. This adds several
     new macros which allow the underlying ASN1 function/structure to
     be accessed transparently. As a result code should not use ASN1_ITEM
     references directly (such as &X509_it) but instead use the relevant
     macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
     use of the new ASN1 code on platforms where exporting structures
     is problematical (for example in shared libraries) but exporting
     functions returning pointers to structures is not.
     [Steve Henson]

  *) Add support for overriding the generation of SSL/TLS session IDs.
     These callbacks can be registered either in an SSL_CTX or per SSL.
     The purpose of this is to allow applications to control, if they wish,
     the arbitrary values chosen for use as session IDs, particularly as it
     can be useful for session caching in multiple-server environments. A
     command-line switch for testing this (and any client code that wishes
     to use such a feature) has been added to "s_server".
     [Geoff Thorpe, Lutz Jaenicke]

  *) Modify mkdef.pl to recognise and parse preprocessor conditionals
     of the form '#if defined(...) || defined(...) || ...' and
     '#if !defined(...) && !defined(...) && ...'. This also avoids
     the growing number of special cases it was previously handling.
     [Richard Levitte]

  *) Make all configuration macros available to applications by making
     sure they are available in opensslconf.h, by giving them names starting
     with "OPENSSL_" to avoid conflicts with other packages and by making
     sure e_os2.h will cover all platform-specific cases together with
     opensslconf.h.
     Additionally, it is now possible to define configuration/platform-specific
     names (called "system identities"). In the C code, these
     are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another
     macro with the name beginning with "OPENSSL_SYS_", which is determined
     from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
     what is available.
     [Richard Levitte]

  *) New option -set_serial to 'req' and 'x509': this allows the serial
     number to use to be specified on the command line. Previously self
     signed certificates were hard coded with serial number 0 and the
     CA options of 'x509' had to use a serial number in a file which was
     auto incremented.
     [Steve Henson]

  *) New options to 'ca' utility to support V2 CRL entry extensions.
     Currently CRL reason, invalidity date and hold instruction are
     supported. Add new CRL extensions to V3 code and some new objects.
     [Steve Henson]

  *) New function EVP_CIPHER_CTX_set_padding(): this is used to
     disable standard block padding (aka PKCS#5 padding) in the EVP
     API, which was previously mandatory.
     This means that the data is
     not padded in any way and so the total length must be a multiple
     of the block size, otherwise an error occurs.
     [Steve Henson]

  *) Initial (incomplete) OCSP SSL support.
     [Steve Henson]

  *) New function OCSP_parse_url(). This splits up a URL into its host,
     port and path components: primarily to parse OCSP URLs. New -url
     option to ocsp utility.
     [Steve Henson]

  *) New nonce behavior. The return value of OCSP_check_nonce() now
     reflects the various checks performed. Applications can decide
     whether to tolerate certain situations such as an absent nonce
     in a response when one was present in a request: the ocsp application
     just prints out a warning. New function OCSP_add1_basic_nonce():
     this is to allow responders to include a nonce in a response even if
     the request is nonce-less.
     [Steve Henson]

  *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
     skipped when using openssl x509 multiple times on a single input file,
     e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
     [Bodo Moeller]

  *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
     set string type: to handle setting ASN1_TIME structures. Fix ca
     utility to correctly initialize revocation date of CRLs.
     [Steve Henson]

  *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
     the client's preferred ciphersuites and rather use its own preferences.
     Should help to work around M$ SGC (Server Gated Cryptography) bug in
     Internet Explorer by ensuring unchanged hash method during stepup.
     (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
     [Lutz Jaenicke]

  *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
     to aes and add a new 'exist' option to print out symbols that don't
     appear to exist.
     [Steve Henson]

  *) Additional options to ocsp utility to allow flags to be set and
     additional certificates supplied.
     [Steve Henson]

  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
     OCSP client a number of certificates to only verify the response
     signature against.
     [Richard Levitte]

  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
     handle the new API. Currently only ECB, CBC modes supported. Add new
     AES OIDs.

     Add TLS AES ciphersuites as described in RFC3268, "Advanced
     Encryption Standard (AES) Ciphersuites for Transport Layer
     Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
     not enabled by default and were not part of the "ALL" ciphersuite
     alias because they were not yet official; they could be
     explicitly requested by specifying the "AESdraft" ciphersuite
     group alias. In the final release of OpenSSL 0.9.7, the group
     alias is called "AES" and is part of "ALL".)
     [Ben Laurie, Steve Henson, Bodo Moeller]

  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
     request to response.
     [Steve Henson]

  *) Functions for OCSP responders. OCSP_request_onereq_count(),
     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
     extract information from a certificate request. OCSP_response_create()
     creates a response and optionally adds a basic response structure.
     OCSP_basic_add1_status() adds a complete single response to a basic
     response and returns the OCSP_SINGLERESP structure just added (to allow
     extensions to be included for example). OCSP_basic_add1_cert() adds a
     certificate to a basic response and OCSP_basic_sign() signs a basic
     response with various flags. New helper functions ASN1_TIME_check()
     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
     (converts ASN1_TIME to GeneralizedTime).
     [Steve Henson]

  *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
     in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
     structure from a certificate. X509_pubkey_digest() digests the public_key
     contents: this is used in various key identifiers.
     [Steve Henson]

  *) Make sk_sort() tolerate a NULL argument.
     [Steve Henson, reported by Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
     passed by the function are trusted implicitly.
     If any of them signed the
     response then it is assumed to be valid and is not verified.
     [Steve Henson]

  *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
     to data. This was previously part of the PKCS7 ASN1 code. This
     was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
     routines: without these tracing memory leaks is very painful.
     Fix leaks in PKCS12 and PKCS7 routines.
     [Steve Henson]

  *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
     Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
     effectively meant GeneralizedTime would never be used. Now it
     is initialised to -1 but X509_time_adj() now has to check the value
     and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
     V_ASN1_GENERALIZEDTIME; without this it always uses GeneralizedTime.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
     result in a zero length in the ASN1_INTEGER structure which was
     not consistent with the structure when d2i_ASN1_INTEGER() was used
     and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
     to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
     where it did not print out a minus for negative ASN1_INTEGER.
     [Steve Henson]

  *) Add summary printout to ocsp utility. The various functions which
     convert status values to strings have been renamed to:
     OCSP_response_status_str(), OCSP_cert_status_str() and
     OCSP_crl_reason_str() and are no longer static. New options
     to verify nonce values and to disable verification. OCSP response
     printout format cleaned up.
     [Steve Henson]

  *) Add additional OCSP certificate checks. These are those specified
     in RFC2560. This consists of two separate checks: the CA of the
     certificate being checked must either be the OCSP signer certificate
     or the issuer of the OCSP signer certificate. In the latter case the
     OCSP signer certificate must contain the OCSP signing extended key
     usage. This check is performed by attempting to match the OCSP
     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
     in the OCSP_CERTID structures of the response.
     [Steve Henson]

  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...'
     option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
     the '-extensions ...' option may be used for specifying the
     section to use.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP utility. Allows OCSP requests to be generated or
     read. The request can be sent to a responder and the output
     parsed, output or printed in text form. Not complete yet:
     still needs to check the OCSP response validity.
     [Steve Henson]

  *) New subcommands for 'openssl ca':
     'openssl ca -status <serial>' prints the status of the cert with
     the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl. This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR.
     This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Allow defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int). The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments. To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

          CRYPTO_set_mem_ex_functions
          CRYPTO_set_locked_mem_ex_functions
          CRYPTO_get_mem_ex_functions
          CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
     [Geoff Thorpe]

  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If /dev/[u]random devices are not available or do not return enough
     entropy, EGD style sockets (served by EGD or PRNGD) will automatically
     be queried.
     The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
     /etc/entropy will be queried once each in this sequence; querying stops
     as soon as enough entropy has been collected, without querying more sockets.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected. We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode. DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
     [Richard Levitte]

  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need: as opposed to those which an
     OCSP responder itself would need which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
     response. OCSP_response_get1_basic() extracts basic response
     from response.
     OCSP_resp_find_status(): finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     won't normally be used unless the application wishes to examine
     extensions in the OCSP response for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name which
     will be added elsewhere.
     [Steve Henson]

  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify.
     PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognise more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
     [Steve Henson]

  *) New extension functions for OCSP structures; these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certificates and CRLs.
     [Steve Henson]

  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up OCSP print format.
     [Steve Henson]

  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
     entries for variables.
     [Steve Henson]

  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
     [Steve Henson]

  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]

  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d, d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

  *) Added Kerberos Cipher Suites to be used with TLS, as written in
     RFC 2712.
     [Veers Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]

  *) Reformat the FAQ so the different questions and answers can be divided
     into sections depending on the subject.
     [Richard Levitte]

  *) Have the zlib compression code load ZLIB.DLL dynamically under
     Windows.
     [Richard Levitte]

  *) New function BN_mod_sqrt for computing square roots modulo a prime
     (using the probabilistic Tonelli-Shanks algorithm unless
     p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
     be handled deterministically).
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

  *) Make BN_mod_inverse faster by explicitly handling small quotients
     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
     512 bits], about 30% for larger ones [1024 or 2048 bits].)
     [Bodo Moeller]

  *) New function BN_kronecker.
     [Bodo Moeller]

  *) Fix BN_gcd so that it works on negative inputs; the result is
     positive unless both parameters are zero.
     Previously something reasonably close to an infinite loop was
     possible because numbers could be growing instead of shrinking
     in the implementation of Euclid's algorithm.
     [Bodo Moeller]

  *) Fix BN_is_word() and BN_is_one() macros to take into account the
     sign of the number in question.

     Fix BN_is_word(a,w) to work correctly for w == 0.

     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
     because it tests whether the absolute value of 'a' equals 'w'.
     Note that BN_abs_is_word does *not* handle w == 0 reliably;
     it exists mostly for use in the implementations of BN_is_zero(),
     BN_is_one(), and BN_is_word().
     [Bodo Moeller]

  *) New function BN_swap.
     [Bodo Moeller]

  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
     the exponentiation functions are more likely to produce reasonable
     results on negative inputs.
     [Bodo Moeller]

  *) Change BN_mod_mul so that the result is always non-negative.
     Previously, it could be negative if one of the factors was negative;
     I don't think anyone really wanted that behaviour.
     [Bodo Moeller]

  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
     and add new functions:

          BN_nnmod
          BN_mod_sqr
          BN_mod_add
          BN_mod_add_quick
          BN_mod_sub
          BN_mod_sub_quick
          BN_mod_lshift1
          BN_mod_lshift1_quick
          BN_mod_lshift
          BN_mod_lshift_quick

     These functions always generate non-negative results.

     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
     such that -|m| < r < 0, BN_nnmod will output r + |m| instead).

     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
     BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
     be reduced modulo m.
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

#if 0
 The following entry accidentally appeared in the CHANGES file
 distributed with OpenSSL 0.9.7. The modifications described in
 it do *not* apply to OpenSSL 0.9.7.

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]
#endif

  *) In 'openssl passwd', verify passwords read from the terminal
     unless the '-salt' option is used (which usually means that
     verification would just waste the user's time since the resulting
     hash is going to be compared with some given password hash)
     or the new '-noverify' option is used.

     This is an incompatible change, but it does not affect
     non-interactive use of 'openssl passwd' (passwords on the command
     line, '-stdin' option, '-in ...'
     option) and thus should not
     cause any problems.
     [Bodo Moeller]

  *) Remove all references to RSAref, since there's no more need for it.
     [Richard Levitte]

  *) Make DSO load along a path given through an environment variable
     (SHLIB_PATH) with shl_load().
     [Richard Levitte]

  *) Constify the ENGINE code as a result of BIGNUM constification.
     Also constify the RSA code and most things related to it. In a
     few places, most notably in the depth of the ASN.1 code, ugly
     casts back to non-const were required (to be solved at a later
     time).
     [Richard Levitte]

  *) Make it so the openssl application has all engines loaded by default.
     [Richard Levitte]

  *) Constify the BIGNUM routines a little more.
     [Richard Levitte]

  *) Add the following functions:

          ENGINE_load_cswift()
          ENGINE_load_chil()
          ENGINE_load_atalla()
          ENGINE_load_nuron()
          ENGINE_load_builtin_engines()

     That way, an application can itself choose if external engines that
     are built into OpenSSL shall ever be used or not. The benefit is
     that applications won't have to be linked with libdl or other dso
     libraries unless it's really needed.

     Changed 'openssl engine' to load all engines on demand.
     Changed the engine header files to avoid the duplication of some
     declarations (they differed!).
     [Richard Levitte]

  *) 'openssl engine' can now list capabilities.
     [Richard Levitte]

  *) Better error reporting in 'openssl engine'.
     [Richard Levitte]

  *) Never call load_dh_param(NULL) in s_server.
     [Bodo Moeller]

  *) Add engine application. It can currently list engines by name and
     identity, and test if they are actually available.
     [Richard Levitte]

  *) Improve RPM specification file by forcing symbolic linking and making
     sure the installed documentation is also owned by root.root.
     [Damien Miller <djm@mindrot.org>]

  *) Give the OpenSSL applications more possibilities to make use of
     keys (public as well as private) handled by engines.
     [Richard Levitte]

  *) Add OCSP code that comes from CertCo.
     [Richard Levitte]

  *) Add VMS support for the Rijndael code.
     [Richard Levitte]

  *) Added untested support for Nuron crypto accelerator.
     [Ben Laurie]

  *) Add support for external cryptographic devices. This code was
     previously distributed separately as the "engine" branch.
     [Geoff Thorpe, Richard Levitte]

  *) Rework the filename-translation in the DSO code. It is now possible to
     have far greater control over how a "name" is turned into a filename
     depending on the operating environment and any oddities about the
     different shared library filenames on each system.
     [Geoff Thorpe]

  *) Support threads on FreeBSD-elf in Configure.
     [Richard Levitte]

  *) Fix for SHA1 assembly problem with MASM: it produces
     warnings about corrupt line number information when assembling
     with debugging information. This is caused by the overlapping
     of two sections.
     [Bernd Matthes <mainbug@celocom.de>, Steve Henson]

  *) NCONF changes.
     NCONF_get_number() has no error checking at all. As a replacement,
     NCONF_get_number_e() is defined (_e for "error checking") and is
     promoted strongly. The old NCONF_get_number is kept around for
     binary backward compatibility.
     Make it possible for methods to load from something other than a BIO,
     by providing a function pointer that is given a name instead of a BIO.
     For example, this could be used to load configuration data from an
     LDAP server.
     [Richard Levitte]

  *) Fix for non-blocking accept BIOs. Added new I/O special reason
     BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
     with non-blocking I/O was not possible because no retry code was
     implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
     this case.
     [Steve Henson]

  *) Added the beginnings of Rijndael support.
     [Ben Laurie]

  *) Fix for bug in DirectoryString mask setting.
     Add support for
     X509_NAME_print_ex() in 'req' and X509_print_ex() function
     to allow certificate printing to be more controllable, additional
     'certopt' option to 'x509' to allow new printing options to be
     set.
     [Steve Henson]

  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

 Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]

  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
     by using the Codenomicon TLS Test Tool (CVE-2004-0079)
     [Joe Orton, Steve Henson]

 Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]

  *) Fix additional bug revealed by the NISCC test suite:

     Stop bug triggering large recursion when presented with
     certain ASN.1 tags (CVE-2003-0851)
     [Steve Henson]

 Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]

  *) Fix various bugs revealed by running the NISCC test suite:

     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CVE-2003-0543 and CVE-2003-0544).

     If the verify callback ignores invalid public key errors, don't try to
     check the certificate signature with the NULL public key.

     [Steve Henson]

  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one, as stated in the TLS 1.0 and SSL 3.0
     specifications.
     [Steve Henson]

  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
     but also for SSL 3.0 (as required by the specification).
     [Bodo Moeller; problem pointed out by Matthias Loepfe]

  *) Change X509_certificate_type() to mark the key as exported/exportable
     when it's 512 *bits* long, not 512 bytes.
     [Richard Levitte]

 Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]

  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]

  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]

  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).
     Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]

 Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrect
     block cipher padding has been found. This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CVE-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
      Martin Vuagnoux (EPFL, Ilion)]

 Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]

  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
     memory of its contents. This is done with a counter that will
     place alternating values in each byte. This can be used to solve
     two issues: 1) the removal of calls to memset() by highly optimizing
     compilers, and 2) cleansing with other values than 0, since those can
     be read through on certain media, for example a swap space on disk.
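     The two properties this entry describes (stores the compiler cannot
     drop, and a counter-driven fill instead of constant zeros), as an
     added example: this is not OpenSSL's OPENSSL_cleanse() source and not
     part of the CHANGES entry; the names example_cleanse,
     count_distinct_bytes and the demo_* helpers are assumptions, and the
     'A'-filled secret is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * A plain memset() on a buffer that is never read again is a dead store
 * and an optimizing compiler may remove it.  Writing through a volatile
 * pointer forces every store to happen.  The running counter makes the
 * wiped region a changing byte pattern rather than a block of zeros.
 * Assumption: single-threaded use of the shared counter.
 */
static unsigned char cleanse_ctr = 0;   /* carried over between calls */

void example_cleanse(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    unsigned char ctr = cleanse_ctr;
    size_t i;

    for (i = 0; i < len; i++) {
        p[i] = ctr;
        /* Odd stride: neighbouring bytes always differ, and all 256
         * values are visited before the sequence repeats. */
        ctr += 17;
    }
    /* Mix in the buffer address so the next call starts elsewhere. */
    cleanse_ctr = (unsigned char)(ctr + (uintptr_t)ptr);
}

/* Number of distinct byte values present in buf[0..len). */
size_t count_distinct_bytes(const unsigned char *buf, size_t len)
{
    unsigned char seen[256] = {0};
    size_t distinct = 0, i;

    for (i = 0; i < len; i++) {
        if (!seen[buf[i]]) {
            seen[buf[i]] = 1;
            distinct++;
        }
    }
    return distinct;
}

/* Wipe a constructed 32-byte secret and count bytes still holding 'A'.
 * The 32 values written are pairwise different, so at most one can
 * coincide with 'A' whatever the counter's starting value. */
size_t demo_leftover(void)
{
    unsigned char secret[32];
    size_t i, left = 0;

    memset(secret, 'A', sizeof secret);
    example_cleanse(secret, sizeof secret);
    for (i = 0; i < sizeof secret; i++)
        if (secret[i] == 'A')
            left++;
    return left;
}

/* Wipe the same kind of secret and report how many distinct values the
 * wipe left behind: 32, i.e. no two bytes equal, never a constant fill. */
size_t demo_distinct(void)
{
    unsigned char secret[32];

    memset(secret, 'A', sizeof secret);
    example_cleanse(secret, sizeof secret);
    return count_distinct_bytes(secret, sizeof secret);
}

int main(void)
{
    printf("bytes still 'A' after wipe: %zu\n", demo_leftover());
    printf("distinct values written:    %zu\n", demo_distinct());
    return 0;
}
```

     Production code should call the library's OPENSSL_cleanse() (or a
     platform primitive such as explicit_bzero() or memset_s()) rather than
     a hand-rolled routine like this one.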
     [Geoff Thorpe]

  *) Bugfix: client side session caching did not work with external caching,
     because the session->cipher setting was not restored when reloading
     from the external cache. This problem was masked when
     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
     [Lutz Jaenicke]

  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
     [Zeev Lieber <zeev-l@yahoo.com>]

  *) Undo an undocumented change introduced in 0.9.6e which caused
     repeated calls to OpenSSL_add_all_ciphers() and
     OpenSSL_add_all_digests() to be ignored, even after calling
     EVP_cleanup().
     [Richard Levitte]

  *) Change the default configuration reader to deal with the last line not
     being properly terminated.
     [Richard Levitte]

  *) Change X509_NAME_cmp() so it applies the special rules on handling
     DN values that are of type PrintableString, as well as RDNs of type
     emailAddress where the value has the type ia5String.
     [stefank@valicert.com via Richard Levitte]

  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
     the bitwise-OR of the two for use by the majority of applications
     wanting this behaviour, and update the docs.
     The documented
     behaviour and actual behaviour were inconsistent and had been
     changing anyway, so this is more a bug-fix than a behavioural
     change.
     [Geoff Thorpe, diagnosed by Nadav Har'El]

  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
     [Bodo Moeller]

  *) Fix initialization code race conditions in
        SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
        SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
        SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
        TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
        ssl2_get_cipher_by_char(),
        ssl3_get_cipher_by_char().
     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]

  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
     the cached sessions are flushed, as the remove_cb() might use ex_data
     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
     (see [openssl.org #212]).
     [Geoff Thorpe, Lutz Jaenicke]

  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
     length, instead of the encoding length, to d2i_ASN1_OBJECT.
     [Steve Henson]

 Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]

  *) [In 0.9.6g-engine release:]
     Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
     [Lynn Gazis <lgazis@rainbow.com>]

 Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]

  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
     and fix the header length calculation.
     [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
      Alon Kantor <alonk@checkpoint.com> (and others),
      Steve Henson]

  *) Use proper error handling instead of 'assertions' in buffer
     overflow checks added in 0.9.6e. This prevents DoS (the
     assertions could call abort()).
     [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]

 Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]

  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Fix cipher selection routines: ciphers without encryption had no flags
     for the cipher strength set and were therefore not handled correctly
     by the selection routines (PR #130).
     [Lutz Jaenicke]

  *) Fix EVP_dsa_sha macro.
     [Nils Larsch]

  *) New option
          SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
     that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some
     broken SSL implementations, the new option is part of SSL_OP_ALL.
     SSL_OP_ALL is usually employed when compatibility with weird SSL
     implementations is desired (e.g. '-bugs' option to 's_client' and
     's_server'), so the new option is automatically set in many
     applications.
     [Bodo Moeller]

  *) Changes in security patch:

     Changes marked "(CHATS)" were sponsored by the Defense Advanced
     Research Projects Agency (DARPA) and Air Force Research Laboratory,
     Air Force Materiel Command, USAF, under agreement number
     F30602-01-2-0537.

  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer. (CVE-2002-0659)
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Assertions for various potential buffer overflows, not known to
     happen in practice.
     [Ben Laurie (CHATS)]

  *) Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. (CVE-2002-0655)
     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client.
     (CVE-2002-0656)
     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. (CVE-2002-0656)
     [Ben Laurie (CHATS)]

 Changes between 0.9.6c and 0.9.6d  [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
     encoded as NULL) with id-dsa-with-sha1.
     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]

  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]

  *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
     an end-of-file condition would erroneously be flagged when the CRLF
     was just at the end of a processed block. The bug was discovered when
     processing data through a buffering memory BIO handing the data to a
     BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
     <ptsekov@syntrex.com> and Nedelcho Stanev.
     [Lutz Jaenicke]

  *) Implement a countermeasure against a vulnerability recently found
     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
     before application data chunks to avoid the use of known IVs
     with data potentially chosen by the attacker.
     [Bodo Moeller]

  *) Fix length checks in ssl3_get_client_hello().
     [Bodo Moeller]

  *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
     to prevent ssl3_read_internal() from incorrectly assuming that
     ssl3_read_bytes() found application data while handshake
     processing was enabled when in fact s->s3->in_read_app_data was
     merely automatically cleared during the initial handshake.
     [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]

  *) Fix object definitions for Private and Enterprise: they were not
     recognized in their shortname (=lowercase) representation. Extend
     obj_dat.pl to issue an error when using undefined keywords instead
     of silently ignoring the problem (Svenning Sorensen
     <sss@sss.dnsalias.net>).
     [Lutz Jaenicke]

  *) Fix DH_generate_parameters() so that it works for 'non-standard'
     generators, i.e. generators other than 2 and 5. (Previously, the
     code did not properly initialise the 'add' and 'rem' values to
     BN_generate_prime().)

     In the new general case, we do not insist that 'generator' is
     actually a primitive root: This requirement is rather pointless;
     a generator of the order-q subgroup is just as good, if not
     better.
     [Bodo Moeller]

  *) Map new X509 verification errors to alerts. Discovered and submitted by
     Tom Wu <tom@arcot.com>.
     [Lutz Jaenicke]

  *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
     returning non-zero before the data has been completely received
     when using non-blocking I/O.
     [Bodo Moeller; problem pointed out by John Hughes]

  *) Some of the ciphers missed the strength entry (SSL_LOW etc).
     [Ben Laurie, Lutz Jaenicke]

  *) Fix bug in SSL_clear(): bad sessions were not removed (found by
     Yoram Zahavi <YoramZ@gilian.com>).
     [Lutz Jaenicke]

  *) Add information about CygWin 1.3 and on, and preserve proper
     configuration for the versions before that.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

  *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
     check whether we deal with a copy of a session and do not delete from
     the cache in this case. Problem reported by "Izhar Shoshani Levi"
     <izhar@checkpoint.com>.
     [Lutz Jaenicke]

  *) Do not store session data into the internal session cache, if it
     is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
     flag is set). Proposed by Aslam <aslam@funk.com>.
     [Lutz Jaenicke]

  *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
     value is 0.
     [Richard Levitte]

  *) [In 0.9.6d-engine release:]
     Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Add the configuration target linux-s390x.
     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]

  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been
     received. As the flag value will be lost between multiple
     invocations of ssl3_accept when using non-blocking I/O, the
     function may not be aware that a handshake has actually taken
     place, thus preventing a new session from being added to the
     session cache.

     To avoid this problem, we now set s->new_session to 2 instead of
     using a local variable.
     [Lutz Jaenicke, Bodo Moeller]

  *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
     if the SSL_R_LENGTH_MISMATCH error is detected.
     [Geoff Thorpe, Bodo Moeller]

  *) New 'shared_ldflag' column in Configure platform table.
     [Richard Levitte]

  *) Fix EVP_CIPHER_mode macro.
     ["Dan S. Camper" <dan@bti.net>]

  *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
     type, we must throw them away by setting rr->length to 0.
     [D P Chang <dpc@qualys.com>]

 Changes between 0.9.6b and 0.9.6c  [21 Dec 2001]

  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
     <Dominikus.Scherkl@biodata.com>.
(The previous implementation 758489837Skris worked incorrectly for those cases where range = 10..._2 and 758589837Skris 3*range is two bits longer than range.) 758689837Skris [Bodo Moeller] 758789837Skris 758889837Skris *) Only add signing time to PKCS7 structures if it is not already 758989837Skris present. 759089837Skris [Steve Henson] 759189837Skris 759289837Skris *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", 759389837Skris OBJ_ld_ce should be OBJ_id_ce. 759489837Skris Also some ip-pda OIDs in crypto/objects/objects.txt were 759589837Skris incorrect (cf. RFC 3039). 759689837Skris [Matt Cooper, Frederic Giudicelli, Bodo Moeller] 759789837Skris 759889837Skris *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() 759989837Skris returns early because it has nothing to do. 760089837Skris [Andy Schneider <andy.schneider@bjss.co.uk>] 760189837Skris 760289837Skris *) [In 0.9.6c-engine release:] 760389837Skris Fix mutex callback return values in crypto/engine/hw_ncipher.c. 760489837Skris [Andy Schneider <andy.schneider@bjss.co.uk>] 760589837Skris 760689837Skris *) [In 0.9.6c-engine release:] 760789837Skris Add support for Cryptographic Appliance's keyserver technology. 760889837Skris (Use engine 'keyclient') 760989837Skris [Cryptographic Appliances and Geoff Thorpe] 761089837Skris 761189837Skris *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' 761289837Skris is called via tools/c89.sh because arguments have to be 761389837Skris rearranged (all '-L' options must appear before the first object 761489837Skris modules). 761589837Skris [Richard Shapiro <rshapiro@abinitio.com>] 761689837Skris 761789837Skris *) [In 0.9.6c-engine release:] 761889837Skris Add support for Broadcom crypto accelerator cards, backported 761989837Skris from 0.9.7. 
762089837Skris [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] 762189837Skris 762289837Skris *) [In 0.9.6c-engine release:] 762389837Skris Add support for SureWare crypto accelerator cards from 762489837Skris Baltimore Technologies. (Use engine 'sureware') 762589837Skris [Baltimore Technologies and Mark Cox] 762689837Skris 762789837Skris *) [In 0.9.6c-engine release:] 762889837Skris Add support for crypto accelerator cards from Accelerated 762989837Skris Encryption Processing, www.aep.ie. (Use engine 'aep') 763089837Skris [AEP Inc. and Mark Cox] 763189837Skris 763289837Skris *) Add a configuration entry for gcc on UnixWare. 763389837Skris [Gary Benson <gbenson@redhat.com>] 763489837Skris 763589837Skris *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake 763689837Skris messages are stored in a single piece (fixed-length part and 763789837Skris variable-length part combined) and fix various bugs found on the way. 763889837Skris [Bodo Moeller] 763989837Skris 764089837Skris *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() 764189837Skris instead. BIO_gethostbyname() does not know what timeouts are 764289837Skris appropriate, so entries would stay in cache even when they have 764389837Skris become invalid. 764489837Skris [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com> 764589837Skris 764689837Skris *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when 764789837Skris faced with a pathologically small ClientHello fragment that does 764889837Skris not contain client_version: Instead of aborting with an error, 764989837Skris simply choose the highest available protocol version (i.e., 765089837Skris TLS 1.0 unless it is disabled). In practice, ClientHello 765189837Skris messages are never sent like this, but this change gives us 765289837Skris strictly correct behaviour at least for TLS. 
     [Bodo Moeller]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use. Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end', which circumvents various
     cleanups done in state SSL_ST_OK. But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occurred. (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored. However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  *) Add OpenUNIX-8 support including shared libraries
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper). Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  *) BN_sqr() bug fix.
     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]

  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
     [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]

  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
     equivalent based on BN_pseudo_rand() instead of BN_rand().
     [Bodo Moeller]

  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
     This function was broken, as the check for a new client hello message
     to handle SGC did not allow these large messages.
     (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
     [Lutz Jaenicke]

  *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
     [Lutz Jaenicke]

  *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
     for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
     [Lutz Jaenicke]

  *) Rework the configuration and shared library support for Tru64 Unix.
     The configuration part makes use of modern compiler features and
     still retains old compiler behavior for those that run older versions
     of the OS. The shared library support part includes a variant that
     uses the RPATH feature, and is available through the special
     configuration target "alpha-cc-rpath", which will never be selected
     automatically.
     [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]

  *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
     with the same message size as in ssl3_get_certificate_request().
     Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
     messages might inadvertently be rejected as too long.
     [Petr Lampa <lampa@fee.vutbr.cz>]

  *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
     [Andy Polyakov]

  *) Modified SSL library such that the verify_callback that has been set
     specifically for an SSL object with SSL_set_verify() is actually being
     used. Before the change, a verify_callback set with this function was
     ignored and the verify_callback() set in the SSL_CTX at the time of
     the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
     to allow the necessary settings.
     [Lutz Jaenicke]

  *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
     explicitly to NULL, as at least on Solaris 8 this seems not always to be
     done automatically (in contradiction to the requirements of the C
     standard). This caused problems when used from OpenSSH.
     [Lutz Jaenicke]

  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
     dh->length and always used

          BN_rand_range(priv_key, dh->p).

     BN_rand_range() is not necessary for Diffie-Hellman, and this
     specific range makes Diffie-Hellman unnecessarily inefficient if
     dh->length (recommended exponent length) is much smaller than the
     length of dh->p. We could use BN_rand_range() if the order of
     the subgroup was stored in the DH structure, but we only have
     dh->length.

     So switch back to

          BN_rand(priv_key, l, ...)

     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
     otherwise.
     [Bodo Moeller]

  *) In

          RSA_eay_public_encrypt
          RSA_eay_private_decrypt
          RSA_eay_private_encrypt (signing)
          RSA_eay_public_decrypt (signature verification)

     (default implementations for RSA_public_encrypt,
     RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
     always reject numbers >= n.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
     to synchronize access to 'locking_thread'. This is necessary on
     systems where access to 'locking_thread' (an 'unsigned long'
     variable) is not atomic.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
     *before* setting the 'crypto_lock_rand' flag. The previous code had
     a race condition if 0 is a valid thread ID.
     [Travis Vitek <vitek@roguewave.com>]

  *) Add support for shared libraries under Irix.
     [Albert Chin-A-Young <china@thewrittenword.com>]

  *) Add configuration option to build on Linux on both big-endian and
     little-endian MIPS.
     [Ralf Baechle <ralf@uni-koblenz.de>]

  *) Add the possibility to create shared libraries on HP-UX.
     [Richard Levitte]

 Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack. (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.) The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]

  *) Fix crypto/bn/asm/mips3.s.
     [Andy Polyakov]

  *) When only the key is given to "enc", the IV is undefined. Print out
     an error message in this case.
     [Lutz Jaenicke]

  *) Handle special case when X509_NAME is empty in X509 printing routines.
     [Steve Henson]

  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
     positive and less than q.
     [Bodo Moeller]

  *) Don't change *pointer in CRYPTO_add_lock() if add_lock_callback is
     used: it isn't thread safe and the add_lock_callback should handle
     that itself.
     [Paul Rose <Paul.Rose@bridge.com>]

  *) Verify that incoming data obeys the block size in
     ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
     [Bodo Moeller]

  *) Fix OAEP check.
     [Ulf Möller, Bodo Möller]

  *) The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5
     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
     when fixing the server behaviour for backwards-compatible 'client
     hello' messages. (Note that the attack is impractical against
     SSL 3.0 and TLS 1.0 anyway because length and version checking
     means that the probability of guessing a valid ciphertext is
     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
     paper.)

     Before 0.9.5, the countermeasure (hide the error by generating a
     random 'decryption result') did not work properly because
     ERR_clear_error() was missing, meaning that SSL_get_error() would
     detect the supposedly ignored error.

     Both problems are now fixed.
     [Bodo Moeller]

  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
     (previously it was 1024).
     [Bodo Moeller]

  *) Fix for compatibility mode trust settings: ignore trust settings
     unless some valid trust or reject settings are present.
     [Steve Henson]

  *) Fix for blowfish EVP: it's a variable length cipher.
     [Steve Henson]

  *) Fix various bugs related to DSA S/MIME verification. Handle missing
     parameters in DSA public key structures and return an error in the
     DSA routines if parameters are absent.
     [Steve Henson]

  *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
     in the current directory if neither $RANDFILE nor $HOME was set.
     RAND_file_name() in 0.9.6a returned NULL in this case. This has
     caused some confusion to Windows users who haven't defined $HOME.
     Thus RAND_file_name() is changed again: e_os.h can define a
     DEFAULT_HOME, which will be used if $HOME is not set.
     For Windows, we use "C:"; on other platforms, we still require
     environment variables.

  *) Move 'if (!initialized) RAND_poll()' into regions protected by
     CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
     having multiple threads call RAND_poll() concurrently.
     [Bodo Moeller]

  *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
     combination of a flag and a thread ID variable.
     Otherwise while one thread is in ssleay_rand_bytes (which sets the
     flag), *other* threads can enter ssleay_add_bytes without obeying
     the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
     that they do not hold after the first thread unsets add_do_not_lock).
     [Bodo Moeller]

  *) Change bctest again: '-x' expressions are not available in all
     versions of 'test'.
     [Bodo Moeller]

 Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

  *) Fix a couple of memory leaks in PKCS7_dataDecode()
     [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]

  *) Change Configure and Makefiles to provide EXE_EXT, which will contain
     the default extension for executables, if any. Also, make the perl
     scripts that use symlink() test whether it really exists and use "cp"
     if it doesn't. All this made OpenSSL compilable and installable in
     CygWin.
     [Richard Levitte]

  *) Fix for asn1_GetSequence() for indefinite length constructed data.
     If the SEQUENCE length is indefinite, just set c->slen to the total
     amount of data available.
     [Steve Henson, reported by shige@FreeBSD.org]
     [This change does not apply to 0.9.7.]

  *) Change bctest to avoid here-documents inside command substitution
     (workaround for FreeBSD /bin/sh bug).
     For compatibility with Ultrix, avoid shell functions (introduced
     in the bctest version that searches along $PATH).
     [Bodo Moeller]

  *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
     with des_encrypt() defined on some operating systems, like Solaris
     and UnixWare.
     [Richard Levitte]

  *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
     On the Importance of Eliminating Errors in Cryptographic
     Computations, J. Cryptology 14 (2001) 2, 101-119,
     http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
     [Ulf Moeller]

  *) MIPS assembler BIGNUM division bug fix.
     [Andy Polyakov]

  *) Disabled incorrect Alpha assembler code.
     [Richard Levitte]

  *) Fix PKCS#7 decode routines so they correctly update the length
     after reading an EOC for the EXPLICIT tag.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Fix bug in PKCS#12 key generation routines. This was triggered
     if a 3DES key was generated with a 0 initial byte. Include
     PKCS12_BROKEN_KEYGEN compilation option to retain the old
     (but broken) behaviour.
     [Steve Henson]

  *) Enhance bctest to search for a working bc along $PATH and print
     it when found.
     [Tim Rice <tim@multitalents.net> via Richard Levitte]

  *) Fix memory leaks in err.c: free err_data string if necessary;
     don't write to the wrong index in ERR_set_error_data.
     [Bodo Moeller]

  *) Implement ssl23_peek (analogous to ssl23_read), which previously
     did not exist.
     [Bodo Moeller]

  *) Replace rdtsc with _emit statements for VC++ version 5.
     [Jeremy Cooper <jeremy@baymoo.org>]

  *) Make it possible to reuse SSLv2 sessions.
     [Richard Levitte]

  *) In copy_email() check for >= 0 as a return value for
     X509_NAME_get_index_by_NID() since 0 is a valid index.
     [Steve Henson, reported by Massimiliano Pala <madwolf@opensca.org>]

  *) Avoid coredump with unsupported or invalid public keys by checking if
     X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
     PKCS7_verify() fails with non detached data.
     [Steve Henson]

  *) Don't use getenv in library functions when run as setuid/setgid.
     New function OPENSSL_issetugid().
     [Ulf Moeller]

  *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
     due to incorrect handling of multi-threading:

     1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().

     2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().

     3. Count how many times MemCheck_off() has been called so that
        nested use can be treated correctly. This also avoids
        inband-signalling in the previous code (which relied on the
        assumption that thread ID 0 is impossible).
     [Bodo Moeller]

  *) Add "-rand" option also to s_client and s_server.
     [Lutz Jaenicke]

  *) Fix CPU detection on Irix 6.x.
     [Kurt Hockenbury <khockenb@stevens-tech.edu> and
      "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
     was empty.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Use the cached encoding of an X509_NAME structure rather than
     copying it. This is apparently the reason for the libsafe "errors"
     but the code is actually correct.
     [Steve Henson]

  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
     Bleichenbacher's DSA attack.
     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
     to be set and top=0 forces the highest bit to be set; top=-1 is new
     and leaves the highest bit random.
     [Ulf Moeller, Bodo Moeller]

  *) In the NCONF_...-based implementations for CONF_... queries
     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
     a temporary CONF structure with the data component set to NULL
     (which gives segmentation faults in lh_retrieve).
     Instead, use NULL for the CONF pointer in CONF_get_string and
     CONF_get_number (which may use environment variables) and directly
     return NULL from CONF_get_section.
     [Bodo Moeller]

  *) Fix potential buffer overrun for EBCDIC.
     [Ulf Moeller]

  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
     keyUsage if basicConstraints absent for a CA.
     [Steve Henson]

  *) Make SMIME_write_PKCS7() write mail header values with a format that
     is more generally accepted (no spaces before the semicolon), since
     some programs can't parse those values properly otherwise. Also make
     sure BIO's that break lines after each write do not create invalid
     headers.
     [Richard Levitte]

  *) Make the CRL encoding routines work with empty SEQUENCE OF. The
     macros previously used would not encode an empty SEQUENCE OF
     and break the signature.
     [Steve Henson]
     [This change does not apply to 0.9.7.]

  *) Zero the premaster secret after deriving the master secret in
     DH ciphersuites.
808372613Skris [Steve Henson] 808472613Skris 808572613Skris *) Add some EVP_add_digest_alias registrations (as found in 808672613Skris OpenSSL_add_all_digests()) to SSL_library_init() 808772613Skris aka OpenSSL_add_ssl_algorithms(). This provides improved 808872613Skris compatibility with peers using X.509 certificates 808972613Skris with unconventional AlgorithmIdentifier OIDs. 809072613Skris [Bodo Moeller] 809172613Skris 809272613Skris *) Fix for Irix with NO_ASM. 809372613Skris ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] 809472613Skris 809572613Skris *) ./config script fixes. 809672613Skris [Ulf Moeller, Richard Levitte] 809772613Skris 809872613Skris *) Fix 'openssl passwd -1'. 809972613Skris [Bodo Moeller] 810072613Skris 810172613Skris *) Change PKCS12_key_gen_asc() so it can cope with non null 810272613Skris terminated strings whose length is passed in the passlen 810372613Skris parameter, for example from PEM callbacks. This was done 810472613Skris by adding an extra length parameter to asc2uni(). 810572613Skris [Steve Henson, reported by <oddissey@samsung.co.kr>] 810672613Skris 810772613Skris *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn 810872613Skris call failed, free the DSA structure. 810972613Skris [Bodo Moeller] 811072613Skris 811172613Skris *) Fix to uni2asc() to cope with zero length Unicode strings. 811272613Skris These are present in some PKCS#12 files. 811372613Skris [Steve Henson] 811472613Skris 811572613Skris *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). 811672613Skris Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits 811772613Skris when writing a 32767 byte record. 811872613Skris [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] 811972613Skris 812072613Skris *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), 812172613Skris obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. 
812272613Skris 812372613Skris (RSA objects have a reference count access to which is protected 812472613Skris by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], 812572613Skris so they are meant to be shared between threads.) 812672613Skris [Bodo Moeller, Geoff Thorpe; original patch submitted by 812772613Skris "Reddie, Steven" <Steven.Reddie@ca.com>] 812872613Skris 812972613Skris *) Fix a deadlock in CRYPTO_mem_leaks(). 813072613Skris [Bodo Moeller] 813172613Skris 813276866Skris *) Use better test patterns in bntest. 8133291719Sjkim [Ulf M��ller] 813476866Skris 813572613Skris *) rand_win.c fix for Borland C. 8136291719Sjkim [Ulf M��ller] 813772613Skris 813872613Skris *) BN_rshift bugfix for n == 0. 813972613Skris [Bodo Moeller] 814072613Skris 814176866Skris *) Add a 'bctest' script that checks for some known 'bc' bugs 814276866Skris so that 'make test' does not abort just because 'bc' is broken. 814376866Skris [Bodo Moeller] 814476866Skris 814572613Skris *) Store verify_result within SSL_SESSION also for client side to 814672613Skris avoid potential security hole. (Re-used sessions on the client side 814772613Skris always resulted in verify_result==X509_V_OK, not using the original 814872613Skris result of the server certificate verification.) 814972613Skris [Lutz Jaenicke] 815072613Skris 815172613Skris *) Fix ssl3_pending: If the record in s->s3->rrec is not of type 815272613Skris SSL3_RT_APPLICATION_DATA, return 0. 815372613Skris Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. 815472613Skris [Bodo Moeller] 815572613Skris 815672613Skris *) Fix SSL_peek: 815772613Skris Both ssl2_peek and ssl3_peek, which were totally broken in earlier 815872613Skris releases, have been re-implemented by renaming the previous 815972613Skris implementations of ssl2_read and ssl3_read to ssl2_read_internal 816072613Skris and ssl3_read_internal, respectively, and adding 'peek' parameters 816172613Skris to them. 
The new ssl[23]_{read,peek} functions are calls to 816272613Skris ssl[23]_read_internal with the 'peek' flag set appropriately. 816372613Skris A 'peek' parameter has also been added to ssl3_read_bytes, which 816472613Skris does the actual work for ssl3_read_internal. 816572613Skris [Bodo Moeller] 816672613Skris 816776866Skris *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling 816876866Skris the method-specific "init()" handler. Also clean up ex_data after 816976866Skris calling the method-specific "finish()" handler. Previously, this was 817076866Skris happening the other way round. 817176866Skris [Geoff Thorpe] 817276866Skris 817372613Skris *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. 817472613Skris The previous value, 12, was not always sufficient for BN_mod_exp(). 817572613Skris [Bodo Moeller] 817672613Skris 817776866Skris *) Make sure that shared libraries get the internal name engine with 817876866Skris the full version number and not just 0. This should mark the 817976866Skris shared libraries as not backward compatible. Of course, this should 818076866Skris be changed again when we can guarantee backward binary compatibility. 818176866Skris [Richard Levitte] 818276866Skris 818372613Skris *) Fix typo in get_cert_by_subject() in by_dir.c 818472613Skris [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] 818572613Skris 818676866Skris *) Rework the system to generate shared libraries: 818776866Skris 818876866Skris - Make note of the expected extension for the shared libraries and 818976866Skris if there is a need for symbolic links from for example libcrypto.so.0 819076866Skris to libcrypto.so.0.9.7. There is extended info in Configure for 819176866Skris that. 819276866Skris 819376866Skris - Make as few rebuilds of the shared libraries as possible. 819476866Skris 819576866Skris - Still avoid linking the OpenSSL programs with the shared libraries. 

     - When installing, install the shared libraries separately from the
       static ones.
     [Richard Levitte]

  *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.

     Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
     and not in SSL_clear because the latter is also used by the
     accept/connect functions; previously, the settings made by
     SSL_set_read_ahead would be lost during the handshake.
     [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]

  *) Correct util/mkdef.pl to be selective about disabled algorithms.
     Previously, it would create entries for disabled algorithms no
     matter what.
     [Richard Levitte]

  *) Added several new manual pages for SSL_* functions.
     [Lutz Jaenicke]

 Changes between 0.9.5a and 0.9.6 [24 Sep 2000]

  *) In ssl23_get_client_hello, generate an error message when faced
     with an initial SSL 3.0/TLS record that is too small to contain the
     first two bytes of the ClientHello message, i.e. client_version.
     (Note that this is a pathological case that probably has never happened
     in real life.) The previous approach was to use the version number
     from the record header as a substitute; but our protocol choice
     should not depend on that one because it is not authenticated
     by the Finished messages.
     [Bodo Moeller]

  *) More robust randomness gathering functions for Windows.
     [Jeffrey Altman <jaltman@columbia.edu>]

  *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
     not set then we don't set up the error code for issuer check errors
     to avoid possibly overwriting other errors which the callback does
     handle. If an application does set the flag then we assume it knows
     what it is doing and can handle the new informational codes
     appropriately.
     [Steve Henson]

  *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
     a general "ANY" type, as such it should be able to decode anything
     including tagged types. However it didn't check the class so it would
     wrongly interpret tagged types in the same way as their universal
     counterpart and unknown types were just rejected. Changed so that the
     tagged and unknown types are handled in the same way as a SEQUENCE:
     that is the encoding is stored intact. There is also a new type
     "V_ASN1_OTHER" which is used when the class is not universal, in this
     case we have no idea what the actual type is so we just lump them all
     together.
     [Steve Henson]

  *) On VMS, stdout may very well lead to a file that is written to
     in a record-oriented fashion. That means that every write() will
     write a separate record, which will be read separately by the
     programs trying to read from it. This can be very confusing.

     The solution is to put a BIO filter in the way that will buffer
     text until a linefeed is reached, and then write everything a
     line at a time, so every record written will be an actual line,
     not chunks of lines and not (usually doesn't happen, but I've
     seen it once) several lines in one record. BIO_f_linebuffer() is
     the answer.

     Currently, it's a VMS-only method, because that's where it has
     been tested well enough.
     [Richard Levitte]

  *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
     it can return incorrect results.
     (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
     but it was in 0.9.6-beta[12].)
     [Bodo Moeller]

  *) Disable the check for content being present when verifying detached
     signatures in pk7_smime.c. Some versions of Netscape (wrongly)
     include zero length content when signing messages.
     [Steve Henson]

  *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
     BIO_ctrl (for BIO pairs).
     [Bodo Möller]

  *) Add DSO method for VMS.
     [Richard Levitte]

  *) Bug fix: Montgomery multiplication could produce results with the
     wrong sign.
     [Ulf Möller]

  *) Add RPM specification openssl.spec and modify it to build three
     packages. The default package contains applications, application
     documentation and run-time libraries. The devel package contains
     include files, static libraries and function documentation. The
     doc package contains the contents of the doc directory.
     The original openssl.spec was provided by Damien Miller <djm@mindrot.org>.
     [Richard Levitte]

  *) Add a large number of documentation files for many SSL routines.
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

  *) Add a configuration entry for Sony News 4.
     [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]

  *) Don't set the two most significant bits to one when generating a
     random number < q in the DSA library.
     [Ulf Möller]

  *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
     behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
     the underlying transport is blocking) if a handshake took place.
     (The default behaviour is needed by applications such as s_client
     and s_server that use select() to determine when to use SSL_read;
     but for applications that know in advance when to expect data, it
     just makes things more complicated.)
     [Bodo Moeller]

  *) Add RAND_egd_bytes(), which gives control over the number of bytes read
     from EGD.
     [Ben Laurie]

  *) Add a few more EBCDIC conditionals that make `req' and `x509'
     work better on such systems.
     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]

  *) Add two demo programs for PKCS12_parse() and PKCS12_create().
     Update PKCS12_parse() so it copies the friendlyName and the
     keyid to the certificates aux info.
     [Steve Henson]

  *) Fix bug in PKCS7_verify() which caused an infinite loop
     if there was more than one signature.
     [Sven Uszpelkat <su@celocom.de>]

  *) Major change in util/mkdef.pl to include extra information
     about each symbol, as well as presenting variables as well
     as functions. This change means that there's no more need
     to rebuild the .num files when some algorithms are excluded.
     [Richard Levitte]

  *) Allow the verify time to be set by an application,
     rather than always using the current time.
     [Steve Henson]

  *) Phase 2 verify code reorganisation. The certificate
     verify code now looks up an issuer certificate by a
     number of criteria: subject name, authority key id
     and key usage. It also verifies self signed certificates
     by the same criteria. The main comparison function is
     X509_check_issued() which performs these checks.

     Lots of changes were necessary in order to support this
     without completely rewriting the lookup code.

     Authority and subject key identifiers are now cached.

     The LHASH 'certs' in X509_STORE has now been replaced
     by a STACK_OF(X509_OBJECT). This is mainly because an
     LHASH can't store or retrieve multiple objects with
     the same hash value.

     As a result various functions (which were all internal
     use only) have changed to handle the new X509_STORE
     structure. This will break anything that messed round
     with X509_STORE internally.

     The function X509_STORE_add_cert() now checks for an
     exact match, rather than just subject name.
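
     Added illustration (not OpenSSL code) of the issuer-matching criteria
     the entry above describes: subject name, authority key identifier and
     key usage, applied both to issuer lookup and to the self-signed case,
     and showing why several candidates can match the same name. The Cert
     record, its field names and the sample certificates are constructed for
     this example; the real X509_check_issued() works on parsed X509
     structures and returns X509_V_* codes.

```python
# Added illustration of the issuer-matching criteria (subject name, AKID/SKID,
# key usage). Not OpenSSL's X509_check_issued(); the Cert record and the
# sample certificates below are constructed for this example.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: Optional[bytes] = None                 # subjectKeyIdentifier, if present
    akid: Optional[bytes] = None                 # authorityKeyIdentifier keyIdentifier, if present
    key_usage: Optional[FrozenSet[str]] = None   # None: keyUsage extension absent


def check_issued(issuer: Cert, subject: Cert) -> Optional[str]:
    """Return None if `issuer` could have issued `subject`, else the reason.

    Order follows the entry: name match, then the AKID/SKID pair, then key
    usage. An absent extension is not a mismatch: the key identifier
    comparison only runs when both certificates carry one.
    """
    if issuer.subject != subject.issuer:
        return "subject name mismatch"
    if subject.akid is not None and issuer.skid is not None and subject.akid != issuer.skid:
        return "AKID/SKID mismatch"
    if issuer.key_usage is not None and "keyCertSign" not in issuer.key_usage:
        return "issuer key usage lacks keyCertSign"
    return None


def find_issuers(candidates: List[Cert], subject: Cert) -> List[Cert]:
    """Every candidate passing check_issued(). Several can share a subject
    name (a CA key rollover), so a lookup by name alone is not enough."""
    return [c for c in candidates if check_issued(c, subject) is None]


def is_self_signed(cert: Cert) -> bool:
    """Self-signed certificates are verified by the same criteria."""
    return check_issued(cert, cert) is None


# Constructed sample store: a rolled-over CA (same name, new key) and a
# same-named certificate that is not permitted to sign certificates.
CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
OLD_CA = Cert("CN=Example CA", "CN=Example CA", skid=b"\x01", key_usage=CA_USAGE)
NEW_CA = Cert("CN=Example CA", "CN=Example CA", skid=b"\x02", key_usage=CA_USAGE)
IMPOSTOR = Cert("CN=Example CA", "CN=Example CA", skid=b"\x03",
                key_usage=frozenset({"digitalSignature"}))
STORE = [OLD_CA, NEW_CA, IMPOSTOR]

# A leaf that names its issuer's key, and a legacy leaf without an AKID.
LEAF = Cert("CN=www.example.test", "CN=Example CA", akid=b"\x02",
            key_usage=frozenset({"digitalSignature"}))
LEGACY_LEAF = Cert("CN=legacy.example.test", "CN=Example CA")

if __name__ == "__main__":
    for c in STORE:
        print(c.skid.hex(), check_issued(c, LEAF))
    print("issuers of LEAF:", [c.skid for c in find_issuers(STORE, LEAF)])
    print("issuers of LEGACY_LEAF:", [c.skid for c in find_issuers(STORE, LEGACY_LEAF)])
```

     With an AKID on the leaf only the rolled-over CA matches; without one,
     both CA generations are candidates and the impostor is still rejected on
     key usage, which is the case a name-only lookup cannot distinguish.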

     The X509_STORE API doesn't directly support the retrieval
     of multiple certificates matching given criteria, however
     this can be worked round by performing a lookup first
     (which will fill the cache with candidate certificates)
     and then examining the cache for matches. This is probably
     the best we can do without throwing out X509_LOOKUP
     entirely (maybe later...).

     The X509_VERIFY_CTX structure has been enhanced considerably.

     All certificate lookup operations now go via a get_issuer()
     callback. Although this currently uses an X509_STORE it
     can be replaced by custom lookups. This is a simple way
     to bypass the X509_STORE hackery necessary to make this
     work and makes it possible to use more efficient techniques
     in future. A very simple version which uses a simple
     STACK for its trusted certificate store is also provided
     using X509_STORE_CTX_trusted_stack().

     The verify_cb() and verify() callbacks now have equivalents
     in the X509_STORE_CTX structure.

     X509_STORE_CTX also has a 'flags' field which can be used
     to customise the verify behaviour.
     [Steve Henson]

  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
     excludes S/MIME capabilities.
     [Steve Henson]

  *) When a certificate request is read in keep a copy of the
     original encoding of the signed data and use it when outputting
     again. Signatures then use the original encoding rather than
     a decoded, encoded version which may cause problems if the
     request is improperly encoded.
     [Steve Henson]

  *) For consistency with other BIO_puts implementations, call
     buffer_write(b, ...) directly in buffer_puts instead of calling
     BIO_write(b, ...).

     In BIO_puts, increment b->num_write as in BIO_write.
     [Peter.Sylvester@EdelWeb.fr]

  *) Fix BN_mul_word for the case where the word is 0. (We have to use
     BN_zero, we may not return a BIGNUM with an array consisting of
     words set to zero.)
     [Bodo Moeller]

  *) Avoid calling abort() from within the library when problems are
     detected, except if preprocessor symbols have been defined
     (such as REF_CHECK, BN_DEBUG etc.).
     [Bodo Moeller]

  *) New openssl application 'rsautl'. This utility can be
     used for low level RSA operations. DER public key
     BIO/fp routines also added.
     [Steve Henson]

  *) New Configure entry and patches for compiling on QNX 4.
     [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]

  *) A demo state-machine implementation was sponsored by
     Nuron (http://www.nuron.com/) and is now available in
     demos/state_machine.
     [Ben Laurie]

  *) New options added to the 'dgst' utility for signature
     generation and verification.
     [Steve Henson]

  *) Unrecognized PKCS#7 content types are now handled via a
     catch all ASN1_TYPE structure. This allows unsupported
     types to be stored as a "blob" and an application can
     encode and decode it manually.
     [Steve Henson]

  *) Fix various signed/unsigned issues to make a_strex.c
     compile under VC++.
     [Oscar Jacobsson <oscar.jacobsson@celocom.com>]

  *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
     length if passed a buffer. ASN1_INTEGER_to_BN failed
     if passed a NULL BN and its argument was negative.
     [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]

  *) Modification to PKCS#7 encoding routines to output definite
     length encoding. Since currently the whole structures are in
     memory there's no real point in using indefinite length
     constructed encoding. However if OpenSSL is compiled with
     the flag PKCS7_INDEFINITE_ENCODING the old form is used.
     [Steve Henson]

  *) Added BIO_vprintf() and BIO_vsnprintf().
     [Richard Levitte]

  *) Added more prefixes to parse for in the strings written
     through a logging bio, to cover all the levels that are available
     through syslog. The prefixes are now:

        PANIC, EMERG, EMR       =>      LOG_EMERG
        ALERT, ALR              =>      LOG_ALERT
        CRIT, CRI               =>      LOG_CRIT
        ERROR, ERR              =>      LOG_ERR
        WARNING, WARN, WAR      =>      LOG_WARNING
        NOTICE, NOTE, NOT       =>      LOG_NOTICE
        INFO, INF               =>      LOG_INFO
        DEBUG, DBG              =>      LOG_DEBUG

     and as before, if none of those prefixes are present at the
     beginning of the string, LOG_ERR is chosen.

     On Win32, the LOG_* levels are mapped according to this:

        LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
        LOG_WARNING                             => EVENTLOG_WARNING_TYPE
        LOG_NOTICE, LOG_INFO, LOG_DEBUG         => EVENTLOG_INFORMATION_TYPE

     [Richard Levitte]

  *) Made it possible to reconfigure with just the configuration
     argument "reconf" or "reconfigure". The command line arguments
     are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
     and are retrieved from there when reconfiguring.
     [Richard Levitte]

  *) MD4 implemented.
     [Assar Westerlund <assar@sics.se>, Richard Levitte]

  *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
     [Richard Levitte]

  *) The obj_dat.pl script was messing up the sorting of object
     names. The reason was that it compared the quoted version
     of strings, so "OCSP" > "OCSP Signing" because
     '"' > SPACE. Changed script to store unquoted versions of
     names and add quotes on output. It was also omitting some
     names from the lookup table if they were given a default
     value (that is if SN is missing it is given the same
     value as LN and vice versa), these are now added on the
     grounds that if an object has a name we should be able to
     look it up. Finally added warning output when duplicate
     short or long names are found.
     [Steve Henson]

  *) Changes needed for Tandem NSK.
     [Scott Uroff <scott@xypro.com>]

  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
     RSA_padding_check_SSLv23(), special padding was never detected
     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
     version rollback attacks was not effective.

     In s23_clnt.c, don't use special rollback-attack detection padding
     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
     client; similarly, in s23_srvr.c, don't do the rollback check if
     SSL 2.0 is the only protocol enabled in the server.
     [Bodo Moeller]

  *) Make it possible to get hexdumps of unprintable data with 'openssl
     asn1parse'. By implication, the functions ASN1_parse_dump() and
     BIO_dump_indent() are added.
     [Richard Levitte]

  *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex();
     these print out strings and name structures based on various
     flags including RFC2253 support and proper handling of
     multibyte characters. Added options to the 'x509' utility
     to allow the various flags to be set.
     [Steve Henson]

  *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
     Also change the functions X509_cmp_current_time() and
     X509_gmtime_adj() to work with an ASN1_TIME structure;
     this will enable certificates using GeneralizedTime in validity
     dates to be checked.
     [Steve Henson]

  *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
     negative public key encodings) on by default,
     NO_NEG_PUBKEY_BUG can be set to disable it.
     [Steve Henson]

  *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
     content octets. An i2c_ASN1_OBJECT is unnecessary because
     the encoding can be trivially obtained from the structure.
     [Steve Henson]

  *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
     not read locks (CRYPTO_r_[un]lock).
     [Bodo Moeller]

  *) A first attempt at creating official support for shared
     libraries through configuration. I've kept it so the
     default is static libraries only, and the OpenSSL programs
     are always statically linked for now, but there are
     preparations for dynamic linking in place.
     This has been tested on Linux and Tru64.
     [Richard Levitte]

  *) Randomness polling function for Win9x, as described in:
     Peter Gutmann, Software Generation of Practically Strong
     Random Numbers.
     [Ulf Möller]

  *) Fix so PRNG is seeded in req if using an already existing
     DSA key.
     [Steve Henson]

  *) New options to smime application. -inform and -outform
     allow alternative formats for the S/MIME message including
     PEM and DER. The -content option allows the content to be
     specified separately. This should make things like Netscape
     form signing output easier to verify.
     [Steve Henson]

  *) Fix the ASN1 encoding of tags using the 'long form'.
     [Steve Henson]

  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
     STRING types. These convert content octets to and from the
     underlying type.
     The actual tag and length octets are
     already assumed to have been read in and checked. These
     are needed because all other string types have virtually
     identical handling apart from the tag. By having versions
     of the ASN1 functions that just operate on content octets
     IMPLICIT tagging can be handled properly. It also allows
     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
     and ASN1_INTEGER are identical apart from the tag.
     [Steve Henson]

  *) Change the handling of OID objects as follows:

     - New object identifiers are inserted in objects.txt, following
       the syntax given in objects.README.
     - objects.pl is used to process obj_mac.num and create a new
       obj_mac.h.
     - obj_dat.pl is used to create a new obj_dat.h, using the data in
       obj_mac.h.

     This is currently kind of a hack, and the perl code in objects.pl
     isn't very elegant, but it works as I intended. The simplest way
     to check that it worked correctly is to look in obj_dat.h and
     check the array nid_objs and make sure the objects haven't moved
     around (this is important!). Additions are OK, as well as
     consistent name changes.
     [Richard Levitte]

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

  *) Addition of the command line parameter '-rand file' to 'openssl req'.
     The given file adds to whatever has already been seeded into the
     random pool through the RANDFILE configuration file option or
     environment variable, or the default random state file.
     [Richard Levitte]

  *) mkstack.pl now sorts each macro group into lexical order.
     Previously the output order depended on the order the files
     appeared in the directory, resulting in needless rewriting
     of safestack.h .
     [Steve Henson]

  *) Patches to make OpenSSL compile under Win32 again. Mostly
     workarounds for the VC++ problem that it treats func() as
     func(void). Also stripped out the parts of mkdef.pl that
     added extra typesafe functions: these no longer exist.
     [Steve Henson]

  *) Reorganisation of the stack code. The macros are now all
     collected in safestack.h . Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The
     DEBUG_SAFESTACK is now handled in terms of function casts,
     this has the advantage of retaining type safety without the
     use of additional functions. If DEBUG_SAFESTACK is not defined
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     which (if any) compilers it chokes on and maybe make DEBUG_SAFESTACK
     the default if no major problems. Similar behaviour for ASN1_SET_OF
     and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
     key derivation algorithm is different. Normally MD5(password) is
     used as a 128 bit RC4 key. In the modified case
     MD5(MD5(password) + "SGCKEYSALT") is used instead.
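
     Added example (not OpenSSL's d2i_RSA_NET() code) of the two NET key
     derivations described above, with a plain RC4 routine so the difference
     is visible on a decrypt: a blob written with the IIS/SGC variant only
     decrypts when the 'sgckey' derivation is used, which is why a reader
     that does not know which variant was used has to try both. The sample
     key bytes, the password and the prefix check that stands in for DER
     parsing are constructed for the example.

```python
# Added example of the NET private-key key derivation: MD5(password) as the
# 128-bit RC4 key, or MD5(MD5(password) || "SGCKEYSALT") for the IIS/SGC
# variant. Illustration code, not OpenSSL's; the RC4 routine, the sample
# "key" bytes and the prefix check are written for this example.
import hashlib

SGC_SALT = b"SGCKEYSALT"


def net_key(password: bytes, sgckey: bool = False) -> bytes:
    """Derive the 16-byte RC4 key used to protect a NET-format private key."""
    k = hashlib.md5(password).digest()
    if sgckey:
        # IIS/SGC variant: hash the raw 16-byte digest followed by the ASCII salt
        k = hashlib.md5(k + SGC_SALT).digest()
    return k


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_net_blob(blob: bytes, password: bytes, sgckey: bool) -> bytes:
    return rc4(net_key(password, sgckey), blob)


def decrypt_trying_both(blob: bytes, password: bytes, expected_prefix: bytes) -> str:
    """The on-disk format does not record which derivation was used, so try the
    normal key first and fall back to the sgckey one. `expected_prefix` stands
    in for the DER SEQUENCE check a real parser does on the decrypted key."""
    for sgc in (False, True):
        if decrypt_net_blob(blob, password, sgc).startswith(expected_prefix):
            return "sgckey" if sgc else "plain"
    return "no match"


# Constructed sample "private key" (a real one would be a full DER RSAPrivateKey).
SAMPLE_KEY_DER = b"\x30\x82\x01\x00" + b"constructed private key body"
PASSWORD = b"password"

if __name__ == "__main__":
    blob = rc4(net_key(PASSWORD, sgckey=True), SAMPLE_KEY_DER)
    print("plain key  :", net_key(PASSWORD).hex())
    print("sgckey key :", net_key(PASSWORD, True).hex())
    print("variant    :", decrypt_trying_both(blob, PASSWORD, b"\x30\x82"))
```

     Both keys are unsalted, single-iteration MD5 of the password, so the
     format gives no protection beyond the password's own strength; the
     salt string only changes which key is derived, not how hard it is to
     brute-force.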
     Added some
     new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
     as the old Netscape_RSA functions except they have an additional
     'sgckey' parameter which uses the modified algorithm. Also added
     an -sgckey command line option to the rsa utility. Thanks to
     Adrian Peck <bertie@ncipher.com> for posting details of the modified
     algorithm to openssl-dev.
     [Steve Henson]

  *) The evp_local.h macros were using 'c.##kname' which resulted in
     invalid expansion on some systems (SCO 5.0.5 for example).
     Corrected to 'c.kname'.
     [Phillip Porch <root@theporch.com>]

  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
     a STACK of email addresses from a certificate or request, these look
     in the subject name and the subject alternative name extensions and
     omit any duplicate addresses.
     [Steve Henson]

  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
     This makes DSA verification about 2 % faster.
     [Bodo Moeller]

  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
     (meaning that now 2^5 values will be precomputed, which is only 4 KB
     plus overhead for 1024 bit moduli).
     This makes exponentiations about 0.5 % faster for 1024 bit
     exponents (as measured by "openssl speed rsa2048").
     [Bodo Moeller]

  *) Rename memory handling macros to avoid conflicts with other
     software:
        Malloc         => OPENSSL_malloc
        Malloc_locked  => OPENSSL_malloc_locked
        Realloc        => OPENSSL_realloc
        Free           => OPENSSL_free
     [Richard Levitte]

  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
     [Bodo Moeller]

  *) CygWin32 support.
     [John Jarvie <jjarvie@newsguy.com>]

  *) The type-safe stack code has been rejigged. It is now only compiled
     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
     by default all type-specific stack functions are "#define"d back to
     standard stack functions. This results in more streamlined output
     but retains the type-safety checking possibilities of the original
     approach.
     [Geoff Thorpe]

  *) The STACK code has been cleaned up, and certain type declarations
     that didn't make a lot of sense have been brought in line. This has
     also involved a cleanup of sorts in safestack.h to more correctly
     map type-safe stack functions onto their plain stack counterparts.
     This work has also resulted in a variety of "const"ifications of
     lots of the code, especially "_cmp" operations which should normally
     be prototyped with "const" parameters anyway.
     [Geoff Thorpe]

  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
     (The PRNG state consists of two parts, the large pool 'state' and 'md',
     where all of 'md' is used each time the PRNG is used, but 'state'
     is used only indexed by a cyclic counter. As entropy may not be
     well distributed from the beginning, 'md' is important as a
     chaining variable. However, the output function chains only half
     of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
     all of 'md', and seeding with STATE_SIZE dummy bytes will result
     in all of 'state' being rewritten, with the new values depending
     on virtually all of 'md'. This overcomes the 80 bit limitation.)
     [Bodo Moeller]

  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
     the handshake is continued after ssl_verify_cert_chain();
     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
     can lead to 'unexplainable' connection aborts later.
     [Bodo Moeller; problem tracked down by Lutz Jaenicke]

  *) Major EVP API cipher revision.
     Add hooks for extra EVP features. This allows various cipher
     parameters to be set in the EVP interface. Support added for variable
     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
     setting of RC2 and RC5 parameters.

     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
     ciphers.

     Remove lots of duplicated code from the EVP library. For example *every*
     cipher init() function handles the 'iv' in the same way according to the
     cipher mode. They also all do nothing if the 'key' parameter is NULL and
     for CFB and OFB modes they zero ctx->num.

     New functionality allows removal of S/MIME code RC2 hack.

     Most of the routines have the same form and so can be declared in terms
     of macros.

     By shifting this to the top level EVP_CipherInit() it can be removed from
     all individual ciphers. If the cipher wants to handle IVs or keys
     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
     flags.

     Change lots of functions like EVP_EncryptUpdate() to now return a
     value: although software versions of the algorithms cannot fail
     any installed hardware versions can.
     [Steve Henson]

  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
     this option is set, tolerate broken clients that send the negotiated
     protocol version number instead of the requested protocol version
     number.
     [Bodo Moeller]

  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
     i.e. non-zero for export ciphersuites, zero otherwise.
     Previous versions had this flag inverted, inconsistent with
     rsa_tmp_cb (..._TMP_RSA_CB).
     [Bodo Moeller; problem reported by Amit Chopra]

  *) Add missing DSA library text string. Workaround for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

  *) Add a document (doc/standards.txt) that lists all kinds of standards
     and so on that are implemented in OpenSSL.
     [Richard Levitte]

  *) Enhance c_rehash script. Old version would mishandle certificates
     with the same subject name hash and wouldn't handle CRLs at all.
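
     Added example (not OpenSSL's RSA_padding_check_SSLv23() or
     ssl3_get_client_key_exchange()) of the two version-rollback checks in
     this release's entries: the SSL 2.0 rollback marker carried in
     RSA_SSLV23_PADDING, including the rule from the "Fix SSL 2.0 rollback
     checking" entry that an SSL 2.0-only client does not add the marker and
     an SSL 2.0-only server does not test for it, and the client_version
     check on the RSA premaster secret that SSL_OP_TLS_ROLLBACK_BUG relaxes.
     Key size, message and version values are constructed for the example;
     the padded block is inspected directly, without an RSA operation.

```python
# Added example of the SSL 2.0 rollback marker (RSA_SSLV23_PADDING) and the
# premaster client_version check behind SSL_OP_TLS_ROLLBACK_BUG. Illustration
# code, not OpenSSL's; the modulus size, message and versions are constructed.
import os

SSL3, TLS1 = 0x0300, 0x0301
ROLLBACK_MARKER = b"\x03" * 8   # last 8 padding bytes from an SSL 3.0/TLS-capable client


def pad_type2(msg: bytes, k: int, sslv23: bool) -> bytes:
    """PKCS#1 v1.5 type 2: 00 02 PS 00 M, PS nonzero random, at least 8 bytes.
    sslv23=True (client has SSL 3.0/TLS enabled) ends PS with the marker;
    an SSL 2.0-only client passes False and produces ordinary padding."""
    ps_len = k - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    if sslv23:
        ps = ps[:-8] + ROLLBACK_MARKER
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_sslv23(block: bytes, check_rollback: bool):
    """Strip type-2 padding; returns (msg, None) or (None, reason).

    check_rollback=True is a server that also speaks SSL 3.0/TLS: the marker
    inside an SSL 2.0 key exchange means the client was talked down. An
    SSL 2.0-only server passes False, since for it the marker is legitimate.
    """
    if len(block) < 11 or block[0:2] != b"\x00\x02":
        return None, "bad block type"
    sep = block.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8:
        return None, "bad padding"
    if check_rollback and block[2:sep][-8:] == ROLLBACK_MARKER:
        return None, "sslv3 rollback attack"
    return block[sep + 1:], None


def make_premaster(client_max_version: int) -> bytes:
    """RSA premaster secret: 2 bytes of the client's highest offered version
    followed by 46 random bytes (this is what a correct client sends)."""
    return client_max_version.to_bytes(2, "big") + os.urandom(46)


def check_premaster_version(premaster: bytes, client_hello_version: int,
                            negotiated_version: int, tolerate_rollback_bug: bool) -> bool:
    """Server side of the TLS rollback check. The version in the premaster must be
    the one the client requested in its ClientHello, not the one negotiated;
    only with the opt-in flag is the negotiated version accepted as well."""
    if len(premaster) != 48:
        return False
    got = int.from_bytes(premaster[:2], "big")
    if got == client_hello_version:
        return True
    return tolerate_rollback_bug and got == negotiated_version


if __name__ == "__main__":
    blk = pad_type2(b"premaster", 128, sslv23=True)
    print("SSL3-capable server :", unpad_sslv23(blk, check_rollback=True))
    print("SSL2-only server    :", unpad_sslv23(blk, check_rollback=False))
    pm = make_premaster(SSL3)   # broken client: negotiated version, not requested TLS1
    print("strict :", check_premaster_version(pm, TLS1, SSL3, False))
    print("lenient:", check_premaster_version(pm, TLS1, SSL3, True))
```

     Setting SSL_OP_TLS_ROLLBACK_BUG is an explicit decision to accept the
     weaker check for the sake of broken clients; the example keeps that
     choice as a parameter so the two behaviours can be compared side by side.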
     Added -fingerprint option to crl utility, to support new c_rehash
     features.
     [Steve Henson]

  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
     [Ulf Möller]

  *) Fix for SSL server purpose checking. Server checking was
     rejecting certificates which had extended key usage present
     but no ssl client purpose.
     [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]

  *) Make PKCS#12 code work with no password. The PKCS#12 spec
     is a little unclear about how a blank password is handled.
     Since the password is encoded as a BMPString with terminating
     double NULL a zero length password would end up as just the
     double NULL. However no password at all is different and is
     handled differently in the PKCS#12 key generation code. NS
     treats a blank password as zero length. MSIE treats it as no
     password on export: but it will try both on import. We now do
     the same: PKCS12_parse() tries zero length and no password if
     the password is set to "" or NULL (NULL is now a valid password:
     it wasn't before) as does the pkcs12 application.
     [Steve Henson]

  *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
     perror when PEM_read_bio_X509_REQ fails, the error message must
     be obtained from the error queue.
     [Bodo Moeller]

  *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
     it in ERR_remove_state if appropriate, and change ERR_get_state
     accordingly to avoid race conditions (this is necessary because
     thread_hash is no longer constant once set).
     [Bodo Moeller]

  *) Bugfix for linux-elf makefile.one.
     [Ulf Möller]

  *) RSA_get_default_method() will now cause a default
     RSA_METHOD to be chosen if one doesn't exist already.
     Previously this was only set during a call to RSA_new()
     or RSA_new_method(NULL) meaning it was possible for
     RSA_get_default_method() to return NULL.
     [Geoff Thorpe]

  *) Added native name translation to the existing DSO code
     that will convert (if the flag to do so is set) filenames
     that are sufficiently small and have no path information
     into a canonical native form. Eg. "blah" converted to
     "libblah.so" or "blah.dll" etc.
     [Geoff Thorpe]

  *) New function ERR_error_string_n(e, buf, len) which is like
     ERR_error_string(e, buf), but writes at most 'len' bytes
     including the 0 terminator. For ERR_error_string_n, 'buf'
     may not be NULL.
     [Damien Miller <djm@mindrot.org>, Bodo Moeller]

  *) CONF library reworked to become more general. A new CONF
     configuration file reader "class" is implemented as well as
     new functions (NCONF_*, for "New CONF") to handle it. The now
     old CONF_* functions are still there, but are reimplemented to
     work in terms of the new functions. Also, a set of functions
     to handle the internal storage of the configuration data is
     provided to make it easier to write new configuration file
     reader "classes" (I can definitely see something reading a
     configuration file in XML format, for example), called _CONF_*,
     or "the configuration storage API"...

     The new configuration file reading functions are:

     NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
     NCONF_get_section, NCONF_get_string, NCONF_get_number

     NCONF_default, NCONF_WIN32

     NCONF_dump_fp, NCONF_dump_bio

     NCONF_default and NCONF_WIN32 are method (or "class") choosers,
     NCONF_new creates a new CONF object. This works in the same way
     as other interfaces in OpenSSL, like the BIO interface.
     NCONF_dump_* dump the internal storage of the configuration file,
     which is useful for debugging. All other functions take the same
     arguments as the old CONF_* functions with the exception of the
     first that must be a `CONF *' instead of a `LHASH *'.

     To make it easier to use the new classes with the old CONF_* functions,
     the function CONF_set_default_method is provided.
     [Richard Levitte]

  *) Add '-tls1' option to 'openssl ciphers', which was already
     mentioned in the documentation but had not been implemented.
     (This option is not yet really useful because even the additional
     experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
     [Bodo Moeller]

  *) Initial DSO code added into libcrypto for letting OpenSSL (and
     OpenSSL-based applications) load shared libraries and bind to
     them in a portable way.
     [Geoff Thorpe, with contributions from Richard Levitte]

 Changes between 0.9.5 and 0.9.5a [1 Apr 2000]

  *) Make sure _lrotl and _lrotr are only used with MSVC.

  *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
     (the default implementation of RAND_status).

  *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
     to '-clrext' (= clear extensions), as intended and documented.
     [Bodo Moeller; inconsistency pointed out by Michael Attili
     <attili@amaxo.com>]

  *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
     was larger than the MD block size.
     [Steve Henson, pointed out by Yost William <YostW@tce.com>]

  *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
     and fix a leak when the ca argument was passed as NULL. Stop
     X509_PUBKEY_set() using the passed key: if the passed key was a private
     key the result of X509_print(), for example, would be to print out all
     the private key components.
     [Steve Henson]

  *) des_quad_cksum() byte order bug fix.
     [Ulf Möller, using the problem description in krb4-0.9.7, where
     the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]

  *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
     discouraged.
     [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]

  *) For easily testing in shell scripts whether some command
     'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
     returns with exit code 0 iff no command of the given name is available.
     'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
     the output goes to stdout and nothing is printed to stderr.
     Additional arguments are always ignored.

     Since for each cipher there is a command of the same name,
     the 'no-cipher' compilation switches can be tested this way.

     ('openssl no-XXX' is not able to detect pseudo-commands such
     as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
     [Bodo Moeller]

  *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
     [Bodo Moeller]

  *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
     is set; it will be thrown away anyway because each handshake creates
     its own key.
     ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
     to parameters -- in previous versions (since OpenSSL 0.9.3) the
     'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
     you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
     [Bodo Moeller]

  *) New s_client option -ign_eof: EOF at stdin is ignored, and
     'Q' and 'R' lose their special meanings (quit/renegotiate).
     This is part of what -quiet does; unlike -quiet, -ign_eof
     does not suppress any output.
     [Richard Levitte]

  *) Add compatibility options to the purpose and trust code. The
     purpose X509_PURPOSE_ANY is "any purpose" which automatically
     accepts a certificate or CA, this was the previous behaviour,
     with all the associated security issues.

     X509_TRUST_COMPAT is the old trust behaviour: only and
     automatically trust self signed roots in certificate store.
     A new trust setting X509_TRUST_DEFAULT is used to specify that
     a purpose has no associated trust setting and it should instead
     use the value in the default purpose.
     [Steve Henson]

  *) Fix the PKCS#8 DSA private key code so it decodes keys again
     and fix a memory leak.
     [Steve Henson]

  *) In util/mkerr.pl (which implements 'make errors'), preserve
     reason strings from the previous version of the .c file, as
     the default to have only lowercase letters (and digits) in
     automatically generated reason codes is not always appropriate.
     [Bodo Moeller]

  *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
     using strerror. Previously, ERR_reason_error_string() returned
     library names as reason strings for SYSerr; but SYSerr is a special
     case where small numbers are errno values, not library numbers.
     [Bodo Moeller]

  *) Add '-dsaparam' option to 'openssl dhparam' application. This
     converts DSA parameters into DH parameters. (When creating parameters,
     DSA_generate_parameters is used.)
     [Bodo Moeller]

  *) Include 'length' (recommended exponent length) in C code generated
     by 'openssl dhparam -C'.
     [Bodo Moeller]

  *) The second argument to set_label in perlasm was already being used
     so couldn't be used as a "file scope" flag. Moved to third argument
     which was free.
     [Steve Henson]

  *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
     instead of RAND_bytes for encryption IVs and salts.
     [Bodo Moeller]

  *) Include RAND_status() into RAND_METHOD instead of implementing
     it only for md_rand.c. Otherwise replacing the PRNG by calling
     RAND_set_rand_method would be impossible.
     [Bodo Moeller]

  *) Don't let DSA_generate_key() enter an infinite loop if the random
     number generation fails.
     [Bodo Moeller]

  *) New 'rand' application for creating pseudo-random output.
     [Bodo Moeller]

  *) Added configuration support for Linux/IA64.
     [Rolf Haberrecker <rolf@suse.de>]

  *) Assembler module support for Mingw32.
     [Ulf Möller]

  *) Shared library support for HPUX (in shlib/).
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]

  *) Shared library support for Solaris gcc.
     [Lutz Behnke <behnke@trustcenter.de>]

 Changes between 0.9.4 and 0.9.5 [28 Feb 2000]

  *) PKCS7_encrypt() was adding text MIME headers twice because they
     were added manually and by SMIME_crlf_copy().
     [Steve Henson]

  *) In bntest.c don't call BN_rand with zero bits argument.
     [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]

  *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
     case was implemented. This caused BN_div_recp() to fail occasionally.
     [Ulf Möller]

  *) Add an optional second argument to the set_label() in the perl
     assembly language builder.
     If this argument exists and is set
     to 1 it signals that the assembler should use a symbol whose
     scope is the entire file, not just the current function. This
     is needed with MASM which uses the format label:: for this scope.
     [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]

  *) Change the ASN1 types so they are typedefs by default. Before
     almost all types were #define'd to ASN1_STRING which was causing
     STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
     for example.
     [Steve Henson]

  *) Change names of new functions to the new get1/get0 naming
     convention: After 'get1', the caller owns a reference count
     and has to call ..._free; 'get0' returns a pointer to some
     data structure without incrementing reference counters.
     (Some of the existing 'get' functions increment a reference
     counter, some don't.)
     Similarly, 'set1' and 'add1' functions increase reference
     counters or duplicate objects.
     [Steve Henson]

  *) Allow for the possibility of temp RSA key generation failure:
     the code used to assume it always worked and crashed on failure.
     [Steve Henson]

  *) Fix potential buffer overrun problem in BIO_printf().
     [Ulf Möller, using public domain code by Patrick Powell; problem
     pointed out by David Sacerdote <das33@cornell.edu>]

  *) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
     RAND_egd() and RAND_status(). In the command line application,
     the EGD socket can be specified like a seed file using RANDFILE
     or -rand.
     [Ulf Möller]

  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
     Some CAs (e.g. Verisign) distribute certificates in this form.
     [Steve Henson]

  *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
     list to exclude them. This means that no special compilation option
     is needed to use anonymous DH: it just needs to be included in the
     cipher list.
     [Steve Henson]

  *) Change the EVP_MD_CTX_type macro so its meaning is consistent with
     EVP_MD_type. The old functionality is available in a new macro called
     EVP_MD_md(). Change code that uses it and update docs.
     [Steve Henson]

  *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
     where the 'void *' argument is replaced by a function pointer argument.
     Previously 'void *' was abused to point to functions, which works on
     many platforms, but is not correct. As these functions are usually
     called by macros defined in OpenSSL header files, most source code
     should work without changes.
     [Richard Levitte]

  *) <openssl/opensslconf.h> (which is created by Configure) now contains
     sections with information on -D... compiler switches used for
     compiling the library so that applications can see them. To enable
     one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
     must be defined. E.g.,
         #define OPENSSL_ALGORITHM_DEFINES
         #include <openssl/opensslconf.h>
     defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
     [Richard Levitte, Ulf and Bodo Möller]

  *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
     record layer.
     [Bodo Moeller]

  *) Change the 'other' type in certificate aux info to a STACK_OF
     X509_ALGOR. Although not an AlgorithmIdentifier as such it has
     the required ASN1 format: arbitrary types determined by an OID.
     [Steve Henson]

  *) Add some PEM_write_X509_REQ_NEW() functions and a command line
     argument to 'req'. This is not because the function is newer or
     better than others; it just uses the word 'NEW' in the certificate
     request header lines. Some software needs this.
     [Steve Henson]

  *) Reorganise password command line arguments: now passwords can be
     obtained from various sources. Delete the PEM_cb function and make
     it the default behaviour: i.e. if the callback is NULL and the
     usrdata argument is not NULL interpret it as a null terminated pass
     phrase. If usrdata and the callback are NULL then the pass phrase
     is prompted for as usual.
     [Steve Henson]

  *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
     the support is automatically enabled. The resulting binaries will
     autodetect the card and use it if present.
     [Ben Laurie and Compaq Inc.]

  *) Work around for Netscape hang bug. This sends certificate request
     and server done in one record. Since this is perfectly legal in the
     SSL/TLS protocol it isn't a "bug" option and is on by default. See
     the bugs/SSLv3 entry for more info.
     [Steve Henson]

  *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
     [Andy Polyakov]

  *) Add -rand argument to smime and pkcs12 applications and read/write
     of seed file.
     [Steve Henson]

  *) New 'passwd' tool for crypt(3) and apr1 password hashes.
     [Bodo Moeller]

  *) Add command line password options to the remaining applications.
     [Steve Henson]

  *) Bug fix for BN_div_recp() for numerators with an even number of
     bits.
     [Ulf Möller]

  *) More tests in bntest.c, and changed test_bn output.
     [Ulf Möller]

  *) ./config recognizes MacOS X now.
     [Andy Polyakov]

  *) Bug fix for BN_div() when the first words of num and divisor are
     equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
     [Ulf Möller]

  *) Add support for various broken PKCS#8 formats, and command line
     options to produce them.
     [Steve Henson]

  *) New functions BN_CTX_start(), BN_CTX_get() and BN_CTX_end() to
     get temporary BIGNUMs from a BN_CTX.
     [Ulf Möller]

  *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
     for p == 0.
     [Ulf Möller]

  *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
     include a #define from the old name to the new.
     The original intent
     was that statically linked binaries could for example just call
     SSLeay_add_all_ciphers() to just add ciphers to the table and not
     link with digests. This never worked because SSLeay_add_all_digests()
     and SSLeay_add_all_ciphers() were in the same source file so calling
     one would link with the other. They are now in separate source files.
     [Steve Henson]

  *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
     [Steve Henson]

  *) Use a less unusual form of the Miller-Rabin primality test (it used
     a binary algorithm for exponentiation integrated into the Miller-Rabin
     loop, our standard modexp algorithms are faster).
     [Bodo Moeller]

  *) Support for the EBCDIC character set completed.
     [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]

  *) Source code cleanups: use const where appropriate, eliminate casts,
     use void * instead of char * in lhash.
     [Ulf Möller]

  *) Bugfix: ssl3_send_server_key_exchange was not restartable
     (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
     this the server could overwrite ephemeral keys that the client
     has already seen).
     [Bodo Moeller]

  *) Turn DSA_is_prime into a macro that calls BN_is_prime,
     using 50 iterations of the Rabin-Miller test.

     DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
     iterations of the Rabin-Miller test as required by the appendix
     to FIPS PUB 186[-1]) instead of DSA_is_prime.

     As BN_is_prime_fasttest includes trial division, DSA parameter
     generation becomes much faster.

     This implies a change for the callback functions in DSA_is_prime
     and DSA_generate_parameters: The callback function is called once
     for each positive witness in the Rabin-Miller test, not just
     occasionally in the inner loop; and the parameters to the
     callback function now provide an iteration count for the outer
     loop rather than for the current invocation of the inner loop.
     DSA_generate_parameters additionally can call the callback
     function with an 'iteration count' of -1, meaning that a
     candidate has passed the trial division test (when q is generated
     from an application-provided seed, trial division is skipped).
     [Bodo Moeller]

  *) New function BN_is_prime_fasttest that optionally does trial
     division before starting the Rabin-Miller test and has
     an additional BN_CTX * argument (whereas BN_is_prime always
     has to allocate at least one BN_CTX).
     'callback(1, -1, cb_arg)' is called when a number has passed the
     trial division stage.
     [Bodo Moeller]

  *) Fix for bug in CRL encoding. The validity dates weren't being handled
     as ASN1_TIME.
     [Steve Henson]

  *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
     [Steve Henson]

  *) New function BN_pseudo_rand().
     [Ulf Möller]

  *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
     bignum version of BN_from_montgomery() with the working code from
     SSLeay 0.9.0 (the word based version is faster anyway), and clean up
     the comments.
     [Ulf Möller]

  *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
     made it impossible to use the same SSL_SESSION data structure in
     SSL2 clients in multiple threads.
     [Bodo Moeller]

  *) The return value of RAND_load_file() no longer counts bytes obtained
     by stat(). RAND_load_file(..., -1) is new and uses the complete file
     to seed the PRNG (previously an explicit byte count was required).
     [Ulf Möller, Bodo Möller]

  *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes,
     used (char *) instead of (void *) and had casts all over the place.
     [Steve Henson]

  *) Make BN_generate_prime() return NULL on error if ret!=NULL.
     [Ulf Möller]

  *) Retain source code compatibility for BN_prime_checks macro:
     BN_is_prime(..., BN_prime_checks, ...) now uses
     BN_prime_checks_for_size to determine the appropriate number of
     Rabin-Miller iterations.
     [Ulf Möller]

  *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
     DH_CHECK_P_NOT_SAFE_PRIME.
     (Check if this is true? OpenPGP calls them "strong".)
     [Ulf Möller]

  *) Merge the functionality of "dh" and "gendh" programs into a new program
     "dhparam".
     The old programs are retained for now but will handle DH keys
     (instead of parameters) in future.
     [Steve Henson]

  *) Make the ciphers, s_server and s_client programs check the return values
     when a new cipher list is set.
     [Steve Henson]

  *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
     ciphers. Before, when the 56bit ciphers were enabled the sorting was
     wrong.

     The syntax for the cipher sorting has been extended to support sorting by
     cipher-strength (using the strength_bits hard coded in the tables).
     The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).

     Fix a bug in the cipher-command parser: when supplying a cipher command
     string with an "undefined" symbol (neither command nor alphanumeric
     [A-Za-z0-9]), ssl_set_cipher_list used to hang in an endless loop. Now
     an error is flagged.

     Due to the strength-sorting extension, the code of the
     ssl_create_cipher_list() function was completely rearranged. I hope that
     the readability was also increased :-)
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
     for the first serial number and places 2 in the serial number file. This
     avoids problems when the root CA is created with serial number zero and
     the first user certificate has the same issuer name and serial number
     as the root CA.
     [Steve Henson]

  *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
     the new code. Add documentation for this stuff.
     [Steve Henson]

  *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
     X509_*() to X509at_*() on the grounds that they don't handle X509
     structures and behave in an analogous way to the X509v3 functions:
     they shouldn't be called directly but wrapper functions should be used
     instead.

     So we also now have some wrapper functions that call the X509at functions
     when passed certificate requests. (TO DO: similar things can be done with
     PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
     things. Some of these need some d2i or i2d and print functionality
     because they handle more complex structures.)
     [Steve Henson]

  *) Add missing #ifndefs that caused missing symbols when building libssl
     as a shared library without RSA. Use #ifndef NO_SSL2 instead of
     NO_RSA in ssl/s2*.c.
     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]

  *) Precautions against using the PRNG uninitialized: RAND_bytes() now
     has a return value which indicates the quality of the random data
     (1 = ok, 0 = not seeded). Also an error is recorded on the thread's
     error queue. New function RAND_pseudo_bytes() generates output that is
     guaranteed to be unique but not unpredictable. RAND_add is like
     RAND_seed, but takes an extra argument for an entropy estimate
     (RAND_seed always assumes full entropy).
     [Ulf Möller]

  *) Do more iterations of Rabin-Miller probable prime test (specifically,
     3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
     instead of only 2 for all lengths; see BN_prime_checks_for_size definition
     in crypto/bn/bn_prime.c for the complete table). This guarantees a
     false-positive rate of at most 2^-80 for random input.
     [Bodo Moeller]

  *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
     [Bodo Moeller]

  *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
     in the 0.9.5 release), this returns the chain
     from an X509_CTX structure with a dup of the stack and all
     the X509 reference counts upped: so the stack will exist
     after X509_CTX_cleanup() has been called. Modify pkcs12.c
     to use this.

     Also make SSL_SESSION_print() print out the verify return
     code.
     [Steve Henson]

  *) Add manpage for the pkcs12 command. Also change the default
     behaviour so MAC iteration counts are used unless the new
     -nomaciter option is used. This improves file security and
     only older versions of MSIE (4.0 for example) need it.
     [Steve Henson]

  *) Honor the no-xxx Configure options when creating .DEF files.
     [Ulf Möller]

  *) Add PKCS#10 attributes to field table: challengePassword,
     unstructuredName and unstructuredAddress. These are taken from
     draft PKCS#9 v2.0 but are compatible with v1.2 provided no
     international characters are used.

     More changes to X509_ATTRIBUTE code: allow the setting of types
     based on strings. Remove the 'loc' parameter when adding
     attributes because these will be a SET OF encoding which is sorted
     in ASN1 order.
     [Steve Henson]

  *) Initial changes to the 'req' utility to allow request generation
     automation. This will allow an application to just generate a template
     file containing all the field values and have req construct the
     request.

     Initial support for X509_ATTRIBUTE handling. Stacks of these are
     used all over the place including certificate requests and PKCS#7
     structures. They are currently handled manually where necessary with
     some primitive wrappers for PKCS#7. The new functions behave in a
     manner analogous to the X509 extension functions: they allow
     attributes to be looked up by NID and added.

     Later something similar to the X509V3 code would be desirable to
     automatically handle the encoding, decoding and printing of the
     more complex types. The string types like challengePassword can
     be handled by the string table functions.

     Also modified the multi byte string table handling. Now there is
     a 'global mask' which masks out certain types. The table itself
     can use the flag STABLE_NO_MASK to ignore the mask setting: this
     is useful when for example there is only one permissible type
     (as in countryName) and using the mask might result in no valid
     types at all.
     [Steve Henson]

  *) Clean up 'Finished' handling, and add functions SSL_get_finished and
     SSL_get_peer_finished to allow applications to obtain the latest
     Finished messages sent to the peer or expected from the peer,
     respectively. (SSL_get_peer_finished is usually the Finished message
     actually received from the peer, otherwise the protocol will be aborted.)

     As the Finished messages are message digests of the complete handshake
     (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
     be used for external authentication procedures when the authentication
     provided by SSL/TLS is not desired or is not enough.
     [Bodo Moeller]

  *) Enhanced support for Alpha Linux is added. Now ./config checks if
     the host supports BWX extension and if Compaq C is present on the
     $PATH. Just exploiting the BWX extension results in 20-30%
     performance kick for some algorithms, e.g. DES and RC4 to mention
     a couple. Compaq C in turn generates ~20% faster code for MD5 and
     SHA1.
     [Andy Polyakov]

  *) Add support for MS "fast SGC". This is arguably a violation of the
     SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
     weak crypto and after checking the certificate is SGC a second one
     with strong crypto. MS SGC stops the first handshake after receiving
     the server certificate message and sends a second client hello. Since
     a server will typically do all the time consuming operations before
     expecting any further messages from the client (server key exchange
     is the most expensive) there is little difference between the two.

     To get OpenSSL to support MS SGC we have to permit a second client
     hello message after we have sent server done. In addition we have to
     reset the MAC if we do get this second client hello.
     [Steve Henson]

  *) Add a function 'd2i_AutoPrivateKey()': this will automatically decide
     if a DER encoded private key is RSA or DSA traditional format. Changed
     d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
     format DER encoded private key. Newer code should use PKCS#8 format which
     has the key type encoded in the ASN1 structure. Added DER private key
     support to pkcs8 application.
     [Steve Henson]

  *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
     ciphersuite has been selected (as required by the SSL 3/TLS 1
     specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
     is set, we interpret this as a request to violate the specification
     (the worst that can happen is a handshake failure, and 'correct'
     behaviour would result in a handshake failure anyway).
     [Bodo Moeller]

  *) In SSL_CTX_add_session, take into account that there might be multiple
     SSL_SESSION structures with the same session ID (e.g. when two threads
     concurrently obtain them from an external cache).
     The internal cache can handle only one SSL_SESSION with a given ID,
     so if there's a conflict, we now throw out the old one to achieve
     consistency.
     [Bodo Moeller]

  *) Add OIDs for idea and blowfish in CBC mode. This will allow both
     to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
     some routines that use cipher OIDs: some ciphers do not have OIDs
     defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
     example.
     [Steve Henson]

  *) Simplify the trust setting structure and code. Now we just have
     two sequences of OIDs for trusted and rejected settings. These will
     typically have values the same as the extended key usage extension
     and any application specific purposes.

     The trust checking code now has a default behaviour: it will just
     check for an object with the same NID as the passed id. Functions can
     be provided to override either the default behaviour or the behaviour
     for a given id. SSL client, server and email already have functions
     in place for compatibility: they check the NID and also return "trusted"
     if the certificate is self signed.
     [Steve Henson]

  *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
     traditional format into an EVP_PKEY structure.
     [Steve Henson]

  *) Add a password callback function PEM_cb() which either prompts for
     a password if usr_data is NULL or otherwise assumes it is a null
     terminated password. Allow passwords to be passed on command line,
     environment or config files in a few more utilities.
     [Steve Henson]

  *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
     keys. Add some short names for PKCS#8 PBE algorithms and allow them
     to be specified on the command line for the pkcs8 and pkcs12 utilities.
     Update documentation.
     [Steve Henson]

  *) Support for ASN1 "NULL" type. This could be handled before by using
     ASN1_TYPE but there wasn't any function that would try to read a NULL
     and produce an error if it couldn't. For compatibility we also have
     ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
     don't allocate anything because they don't need to.
     [Steve Henson]

  *) Initial support for MacOS is now provided. Examine INSTALL.MacOS
     for details.
     [Andy Polyakov, Roy Woods <roy@centicsystems.ca>]

  *) Rebuild of the memory allocation routines used by OpenSSL code and
     possibly others as well. The purpose is to make an interface that
     provides hooks so anyone can build a separate set of allocation and
     deallocation routines to be used by OpenSSL, for example memory
     pool implementations, or something else, which was previously hard
     since Malloc(), Realloc() and Free() were defined as macros having
     the values malloc, realloc and free, respectively (except for Win32
     compilations). The same is provided for memory debugging code.
     OpenSSL already comes with functionality to find memory leaks, but
     this gives people a chance to debug other memory problems.

     With these changes, a new set of functions and macros have appeared:

       CRYPTO_set_mem_debug_functions()         [F]
       CRYPTO_get_mem_debug_functions()         [F]
       CRYPTO_dbg_set_options()                 [F]
       CRYPTO_dbg_get_options()                 [F]
       CRYPTO_malloc_debug_init()               [M]

     The memory debug functions are NULL by default, unless the library
     is compiled with CRYPTO_MDEBUG or friends defined. If someone
     wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
     gives the standard debugging functions that come with OpenSSL) or
     CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
     provided by the library user) must be used. When the standard
     debugging functions are used, CRYPTO_dbg_set_options can be used to
     request additional information:
     CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_xxx) corresponds to setting
     the CRYPTO_MDEBUG_xxx macro when compiling the library.

     Also, things like CRYPTO_set_mem_functions will always give the
     expected result (the new set of functions is used for allocation
     and deallocation) at all times, regardless of platform and compiler
     options.

     To finish it up, some functions that were never used in any other
     way than through macros have a new API and new semantics:

       CRYPTO_dbg_malloc()
       CRYPTO_dbg_realloc()
       CRYPTO_dbg_free()

     All macros of value have retained their old syntax.
     [Richard Levitte and Bodo Moeller]

  *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
     ordering of SMIMECapabilities wasn't in "strength order" and there
     was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
     algorithm.
     [Steve Henson]

  *) Some ASN1 types with illegal zero length encoding (INTEGER,
     ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
     [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]

  *) Merge in my S/MIME library for OpenSSL. This provides a simple
     S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
     functionality to handle multipart/signed properly) and a utility
     called 'smime' to call all this stuff. This is based on code I
     originally wrote for Celo who have kindly allowed it to be
     included in OpenSSL.
     [Steve Henson]

  *) Add variants des_set_key_checked and des_set_key_unchecked of
     des_set_key (aka des_key_sched). Global variable des_check_key
     decides which of these is called by des_set_key; this way
     des_check_key behaves as it always did, but applications and
     the library itself, which was buggy for des_check_key == 1,
     have a cleaner way to pick the version they need.
     [Bodo Moeller]

  *) New function PKCS12_newpass() which changes the password of a
     PKCS12 structure.
     [Steve Henson]

  *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
     dynamic mix. In both cases the ids can be used as an index into the
     table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
     functions so they accept a list of the field values and the
     application doesn't need to directly manipulate the X509_TRUST
     structure.
     [Steve Henson]

  *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
     need initialising.
     [Steve Henson]

  *) Modify the way the V3 extension code looks up extensions. This now
     works in a similar way to the object code: we have some "standard"
     extensions in a static table which is searched with OBJ_bsearch()
     and the application can add dynamic ones if needed. The file
     crypto/x509v3/ext_dat.h now has the info: this file needs to be
     updated whenever a new extension is added to the core code and kept
     in ext_nid order. There is a simple program 'tabtest.c' which checks
     this. New extensions are not added too often so this file can readily
     be maintained manually.

     There are two big advantages in doing things this way. The extensions
     can be looked up immediately and no longer need to be "added" using
     X509V3_add_standard_extensions(): this function now does nothing.
     [Side note: I get *lots* of email saying the extension code doesn't
     work because people forget to call this function]
     Also no dynamic allocation is done unless new extensions are added:
     so if we don't add custom extensions there is no need to call
     X509V3_EXT_cleanup().
     [Steve Henson]

  *) Modify enc utility's salting as follows: make salting the default. Add a
     magic header, so unsalted files fail gracefully instead of just decrypting
     to garbage. This is because not salting is a big security hole, so people
     should be discouraged from doing it.
     [Ben Laurie]

  *) Fixes and enhancements to the 'x509' utility. It allowed a message
     digest to be passed on the command line but it only used this
     parameter when signing a certificate. Modified so all relevant
     operations are affected by the digest parameter including the
     -fingerprint and -x509toreq options. Also -x509toreq choked if a
     DSA key was used because it didn't fix the digest.
     [Steve Henson]

  *) Initial certificate chain verify code. Currently tests the untrusted
     certificates for consistency with the verify purpose (which is set
     when the X509_STORE_CTX structure is set up) and checks the pathlength.

     There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
     this is because it will reject chains with invalid extensions whereas
     every previous version of OpenSSL and SSLeay made no checks at all.

     Trust code: checks the root CA for the relevant trust settings. Trust
     settings have an initial value consistent with the verify purpose: e.g.
     if the verify purpose is for SSL client use it expects the CA to be
     trusted for SSL client use. However the default value can be changed to
     permit custom trust settings: one example of this would be to only trust
     certificates from a specific "secure" set of CAs.
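     The enc salting entry above (salting by default, plus a magic header so
     unsalted files fail instead of decrypting to garbage) and the earlier
     enc entry further down (the salt forms the first 8 bytes of the
     encrypted file, with -S to supply one) together describe the file
     layout that openssl enc still uses: an 8-byte magic, the 8-byte salt,
     then ciphertext. The Python below is an added example of parsing that
     layout and of the EVP_BytesToKey-style password-to-key derivation that
     consumes the salt; it is not OpenSSL code. The magic value "Salted__"
     is what openssl enc writes today and is not quoted on the page, and
     using MD5 with one iteration reflects enc's behaviour at the time of
     these entries (current releases default to SHA-256 and offer -pbkdf2);
     both are assumptions of the example, as are the function names.

```python
import hashlib
import os

# Constructed constants for this example: the 8-byte magic that openssl enc
# writes in front of the salt (not quoted on the page) and the salt length
# the entry states.
MAGIC = b"Salted__"
SALT_LEN = 8


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5", count=1):
    """Derive key || IV the way EVP_BytesToKey does:
    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt),
    each digest re-hashed `count` times, concatenated until enough bytes exist.
    md="md5", count=1 is the historical enc behaviour (assumption, see lead-in)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        digest = hashlib.new(md, prev + password + salt).digest()
        for _ in range(count - 1):
            digest = hashlib.new(md, digest).digest()
        out += digest
        prev = digest
    return out[:key_len], out[key_len:key_len + iv_len]


def split_salted(data):
    """Parse MAGIC || salt || ciphertext into (salt, ciphertext).
    Rejecting input that lacks the header is the 'fail gracefully' behaviour
    the entry describes, instead of deriving a key from a garbage salt."""
    hdr = len(MAGIC) + SALT_LEN
    if len(data) < hdr or data[:len(MAGIC)] != MAGIC:
        raise ValueError("no Salted__ header: unsalted input or not an enc file")
    return data[len(MAGIC):hdr], data[hdr:]


def salted_header(salt=None):
    """Header to prepend to ciphertext: a fresh random salt unless the caller
    supplies one (as the -S option does)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    return MAGIC + salt


def derive_from_file(data, password, key_len=16, iv_len=16):
    """Convenience: parse the header and derive (key, iv, ciphertext)."""
    salt, body = split_salted(data)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return key, iv, body
```

     The salt is what makes two files encrypted under the same password
     derive different keys, which is the security hole the entry refers
     to; the header check turns a missing salt into a clear error rather
     than a silently wrong key.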

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
     which should be used for version portability: especially since the
     verify structure is likely to change more often now.

     SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
     to set them. If not set then assume SSL clients will verify SSL servers
     and vice versa.

     Two new options to the verify program: -untrusted allows a set of
     untrusted certificates to be passed in and -purpose which sets the
     intended purpose of the certificate. If a purpose is set then the
     new chain verify code is used to check extension consistency.
     [Steve Henson]

  *) Support for the authority information access extension.
     [Steve Henson]

  *) Modify RSA and DSA PEM read routines to transparently handle
     PKCS#8 format private keys. New *_PUBKEY_* functions that handle
     public keys in a format compatible with certificate
     SubjectPublicKeyInfo structures. Unfortunately there were already
     functions called *_PublicKey_* which used various odd formats so
     these are retained for compatibility: however the DSA variants were
     never in a public release so they have been deleted. Changed dsa/rsa
     utilities to handle the new format: note no releases ever handled public
     keys so we should be OK.

     The primary motivation for this change is to avoid the same fiasco
     that dogs private keys: there are several incompatible private key
     formats some of which are standard and some OpenSSL specific and
     require various evil hacks to allow partial transparent handling and
     even then it doesn't work with DER formats. Given the option anything
     other than PKCS#8 should be dumped: but the other formats have to
     stay in the name of compatibility.

     With public keys and the benefit of hindsight one standard format
     is used which works with EVP_PKEY, RSA or DSA structures: though
     it clearly returns an error if you try to read the wrong kind of key.

     Added a -pubkey option to the 'x509' utility to output the public key.
     Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
     (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
     EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
     that do the same as the EVP_PKEY_assign_*() except they up the
     reference count of the added key (they don't "swallow" the
     supplied key).
     [Steve Henson]

  *) Fixes to crypto/x509/by_file.c: the code to read in certificates and
     CRLs would fail if the file contained no certificates or no CRLs:
     added a new function to read in both types and return the number
     read: this means that if none are read it will be an error. The
     DER versions of the certificate and CRL reader would always fail
     because it isn't possible to mix certificates and CRLs in DER format
     without choking one or the other routine. Changed this to just read
     a certificate: this is the best we can do. Also modified the code
     in apps/verify.c to take notice of return codes: it was previously
     attempting to read in certificates from NULL pointers and ignoring
     any errors: this is one reason why the cert and CRL reader seemed
     to work. It doesn't check return codes from the default certificate
     routines: these may well fail if the certificates aren't installed.
     [Steve Henson]

  *) Code to support otherName option in GeneralName.
     [Steve Henson]

  *) First update to verify code. Change the verify utility
     so it warns if it is passed a self signed certificate:
     for consistency with the normal behaviour. X509_verify
     has been modified so it will now verify a self signed
     certificate if *exactly* the same certificate appears
     in the store: it was previously impossible to trust a
     single self signed certificate. This means that:
             openssl verify ss.pem
     now gives a warning about a self signed certificate but
             openssl verify -CAfile ss.pem ss.pem
     is OK.
     [Steve Henson]

  *) For servers, store verify_result in SSL_SESSION data structure
     (and add it to external session representation).
     This is needed when client certificate verification fails,
     but an application-provided verification callback (set by
     SSL_CTX_set_cert_verify_callback) allows accepting the session
     anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
     but returns 1): When the session is reused, we have to set
     ssl->verify_result to the appropriate error code to avoid
     security holes.
     [Bodo Moeller, problem pointed out by Lutz Jaenicke]

  *) Fix a bug in the new PKCS#7 code: it didn't consider the
     case in PKCS7_dataInit() where the signed PKCS7 structure
     didn't contain any existing data because it was being created.
     [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]

  *) Add a salt to the key derivation routines in enc.c. This
     forms the first 8 bytes of the encrypted file. Also add a
     -S option to allow a salt to be input on the command line.
     [Steve Henson]

  *) New function X509_cmp(). Oddly enough there wasn't a function
     to compare two certificates. We do this by working out the SHA1
     hash and comparing that. X509_cmp() will be needed by the trust
     code.
     [Steve Henson]

  *) SSL_get1_session() is like SSL_get_session(), but increments
     the reference count in the SSL_SESSION returned.
     [Geoff Thorpe <geoff@eu.c2.net>]

  *) Fix for 'req': it was adding a null to request attributes.
     Also change the X509_LOOKUP and X509_INFO code to handle
     certificate auxiliary information.
     [Steve Henson]

  *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
     the 'enc' command.
     [Steve Henson]

  *) Add the possibility to add extra information to the memory leak
     detecting output, to form tracebacks, showing from where each
     allocation was originated: CRYPTO_push_info("constant string") adds
     the string plus current file name and line number to a per-thread
     stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
     is like calling CRYPTO_pop_info() until the stack is empty.
     Also updated memory leak detection code to be multi-thread-safe.
     [Richard Levitte]

  *) Add options -text and -noout to pkcs7 utility and delete the
     encryption options which never did anything. Update docs.
     [Steve Henson]

  *) Add options to some of the utilities to allow the pass phrase
     to be included on either the command line (not recommended on
     OSes like Unix) or read from the environment. Update the
     manpages and fix a few bugs.
     [Steve Henson]

  *) Add a few manpages for some of the openssl commands.
     [Steve Henson]

  *) Fix the -revoke option in ca. It was freeing up memory twice,
     leaking and not finding already revoked certificates.
     [Steve Henson]

  *) Extensive changes to support certificate auxiliary information.
     This involves the use of X509_CERT_AUX structure and X509_AUX
     functions. An X509_AUX function such as PEM_read_X509_AUX()
     can still read in a certificate file in the usual way but it
     will also read in any additional "auxiliary information". By
     doing things this way a fair degree of compatibility can be
     retained: existing certificates can have this information added
     using the new 'x509' options.

     Current auxiliary information includes an "alias" and some trust
     settings. The trust settings will ultimately be used in enhanced
     certificate chain verification routines: currently a certificate
     can only be trusted if it is self signed and then it is trusted
     for all purposes.
     [Steve Henson]

  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
     The problem was that one of the replacement routines had not been working
     since SSLeay releases. For now the offending routine has been replaced
     with non-optimised assembler. Even so, this now gives around 95%
     performance improvement for 1024 bit RSA signs.
     [Mark Cox]

  *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
     handling. Most clients have the effective key size in bits equal to
     the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
     A few however don't do this and instead use the size of the decrypted key
     to determine the RC2 key length and the AlgorithmIdentifier to determine
     the effective key length. In this case the effective key length can still
     be 40 bits but the key length can be 168 bits for example. This is fixed
     by manually forcing an RC2 key into the EVP_PKEY structure because the
     EVP code can't currently handle unusual RC2 key sizes: it always assumes
     the key length and effective key length are equal.
     [Steve Henson]

  *) Add a bunch of functions that should simplify the creation of
     X509_NAME structures. Now you should be able to do:
     X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
     and have it automatically work out the correct field type and fill in
     the structures. The more adventurous can try:
     X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
     and it will (hopefully) work out the correct multibyte encoding.
     [Steve Henson]

  *) Change the 'req' utility to use the new field handling and multibyte
     copy routines. Before the DN field creation was handled in an ad hoc
     way in req, ca, and x509 which was rather broken and didn't support
     BMPStrings or UTF8Strings. Since some software doesn't implement
     BMPStrings or UTF8Strings yet, they can be enabled using the config file
     using the dirstring_type option. See the new comment in the default
     openssl.cnf for more info.
     [Steve Henson]

  *) Make crypto/rand/md_rand.c more robust:
     - Assure unique random numbers after fork().
     - Make sure that concurrent threads access the global counter and
       md serializably so that we never lose entropy in them
       or use exactly the same state in multiple threads.
       Access to the large state is not always serializable because
       the additional locking could be a performance killer, and
       md should be large enough anyway.
     [Bodo Moeller]

  *) New file apps/app_rand.c with commonly needed functionality
     for handling the random seed file.
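     The X509_NAME_add_entry_by_txt entry above promises to work out the
     correct string encoding for a DN field, the earlier X509_ATTRIBUTE entry
     describes the per-field string table with its 'global mask' and the
     STABLE_NO_MASK flag (countryName being the case where masking could
     leave no valid type), and the ASN1_mbstring_copy entry further down
     describes choosing the "minimal" type from a mask of permissible ones.
     The Python below is an added example of that selection logic, not code
     from OpenSSL: the field table, the bit values, the precedence order
     (PrintableString before IA5String, T61String, BMPString, UniversalString
     and UTF8String, modelled on the library's behaviour), the default global
     mask and the function names are all constructed for the example.

```python
# ASN.1 string types as bits; the type names are the page's, the bit values are
# this example's own. PRECEDENCE lists them most restrictive first, which is
# what "minimal type" means here (order assumed; see lead-in).
PRINTABLE, IA5, T61, BMP, UNIVERSAL, UTF8 = (1 << i for i in range(6))
ALL_TYPES = PRINTABLE | IA5 | T61 | BMP | UNIVERSAL | UTF8
PRECEDENCE = ((PRINTABLE, "PrintableString"), (IA5, "IA5String"),
              (T61, "T61String"), (BMP, "BMPString"),
              (UNIVERSAL, "UniversalString"), (UTF8, "UTF8String"))

STABLE_NO_MASK = 1          # per-field flag from the entry: ignore the global mask

# Per-field table: (min length, max length, permitted types, flags).
# Constructed for this example; the sizes follow the usual X.520 upper bounds.
FIELD_TABLE = {
    "C":            (2, 2, PRINTABLE, STABLE_NO_MASK),   # countryName: one permissible type
    "CN":           (1, 64, PRINTABLE | T61 | BMP | UTF8, 0),
    "O":            (1, 64, PRINTABLE | T61 | BMP | UTF8, 0),
    "emailAddress": (1, 128, IA5, STABLE_NO_MASK),
}
DEFAULT_GLOBAL_MASK = PRINTABLE | T61 | BMP | UTF8   # constructed legacy-style default

PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                      "0123456789 '()+,-./:=?")


def char_mask(text):
    """Types able to carry every character of `text`."""
    mask = ALL_TYPES
    for ch in text:
        cp = ord(ch)
        if cp > 0xFFFF:                      # outside the BMP: UTF8 or UniversalString only
            mask &= UTF8 | UNIVERSAL
        elif cp > 0xFF:                      # needs at least two bytes per character
            mask &= ~(PRINTABLE | IA5 | T61)
        elif cp >= 0x80:                     # Latin-1 but not ASCII
            mask &= ~(PRINTABLE | IA5)
        elif ch not in PRINTABLE_CHARS:      # ASCII outside PrintableString's repertoire
            mask &= ~PRINTABLE
    return mask


def choose_string_type(field, text, global_mask=DEFAULT_GLOBAL_MASK):
    """Minimal ASN.1 string type for a DN field value; ValueError if none fits."""
    minlen, maxlen, allowed, flags = FIELD_TABLE.get(field, (1, -1, ALL_TYPES, 0))
    if len(text) < minlen or (maxlen != -1 and len(text) > maxlen):
        raise ValueError(f"{field}: length {len(text)} outside {minlen}..{maxlen}")
    if not flags & STABLE_NO_MASK:           # the table entry may opt out of the global mask
        allowed &= global_mask
    allowed &= char_mask(text)
    for bit, name in PRECEDENCE:
        if allowed & bit:
            return name
    raise ValueError(f"{field}: no permissible string type for {text!r}")
```

     With a global mask restricted to UTF8String, a countryName still comes
     out as PrintableString because its table entry carries STABLE_NO_MASK;
     without that flag the intersection would be empty and the lookup would
     fail, which is exactly the situation the X509_ATTRIBUTE entry warns about.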

     Use the random seed file in some applications that previously did not:
       ca,
       dsaparam -genkey (which also ignored its '-rand' option),
       s_client,
       s_server,
       x509 (when signing).
     Except on systems with /dev/urandom, it is crucial to have a random
     seed file at least for key creation, DSA signing, and for DH exchanges;
     for RSA signatures we could do without one.

     gendh and gendsa (unlike genrsa) used to read only the first byte
     of each file listed in the '-rand' option. The function as previously
     found in genrsa is now in app_rand.c and is used by all programs
     that support '-rand'.
     [Bodo Moeller]

  *) In RAND_write_file, use mode 0600 for creating files;
     don't just chmod when it may be too late.
     [Bodo Moeller]

  *) Report an error from X509_STORE_load_locations
     when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
     [Bill Perry]

  *) New function ASN1_mbstring_copy(): this copies a string in either
     ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
     into an ASN1_STRING type. A mask of permissible types is passed
     and it chooses the "minimal" type to use or an error if no type
     is suitable.
     [Steve Henson]

  *) Add function equivalents to the various macros in asn1.h. The old
     macros are retained with an M_ prefix. Code inside the library can
     use the M_ macros. External code (including the openssl utility)
     should *NOT* in order to be "shared library friendly".
     [Steve Henson]

  *) Add various functions that can check a certificate's extensions
     to see if it is usable for various purposes such as SSL client,
     server or S/MIME and CAs of these types. This is currently
     VERY EXPERIMENTAL but will ultimately be used for certificate chain
     verification. Also added a -purpose flag to x509 utility to
     print out all the purposes.
     [Steve Henson]

  *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated
     functions.
     [Steve Henson]

  *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
     for, obtain and decode an extension and obtain its critical flag.
     This allows all the necessary extension code to be handled in a
     single function call.
     [Steve Henson]

  *) RC4 tune-up featuring 30-40% performance improvement on most RISC
     platforms. See crypto/rc4/rc4_enc.c for further details.
     [Andy Polyakov]

  *) New -noout option to asn1parse. This causes no output to be produced:
     its main use is when combined with -strparse and -out to extract data
     from a file (which may not be in ASN.1 format).
     [Steve Henson]

  *) Fix for pkcs12 program. It was hashing an invalid certificate pointer
     when producing the local key id.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) New option -dhparam in s_server. This allows a DH parameter file to be
     stated explicitly. If it is not stated then it tries the first server
     certificate file. The previous behaviour hard coded the filename
     "server.pem".
     [Steve Henson]

  *) Add -pubin and -pubout options to the rsa and dsa commands. These allow
     a public key to be input or output. For example:
             openssl rsa -in key.pem -pubout -out pubkey.pem
     Also added necessary DSA public key functions to handle this.
     [Steve Henson]

  *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
     in the message. This was handled by allowing
     X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
     [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>]

  *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
     to the end of the strings whereas this didn't. This would cause problems
     if strings read with d2i_ASN1_bytes() were later modified.
     [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>]

  *) Fix for base64 decode bug. When a base64 bio reads only one line of
     data and it contains EOF it will end up returning an error. This is
     caused by input 46 bytes long. The cause is due to the way base64
     BIOs find the start of base64 encoded data. They do this by trying a
     trial decode on each line until they find one that works. When they
     do a flag is set and it starts again knowing it can pass all the
     data directly through the decoder. Unfortunately it doesn't reset
     the context it uses. This means that if EOF is reached an attempt
     is made to pass two EOFs through the context and this causes the
     resulting error. This can also cause other problems as well. As is
     usual with these problems it takes *ages* to find and the fix is
     trivial: move one line.
     [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer)]

  *) Ugly workaround to get s_client and s_server working under Windows. The
     old code wouldn't work because it needed to select() on sockets and the
     tty (for keypresses and to see if data could be written). Win32 only
     supports select() on sockets so we select() with a 1s timeout on the
     sockets and then see if any characters are waiting to be read, if none
     are present then we retry, we also assume we can always write data to
     the tty. This isn't nice because the code then blocks until we've
     received a complete line of data and it is effectively polling the
     keyboard at 1s intervals: however it's quite a bit better than not
     working at all :-) A dedicated Windows application might handle this
     with an event loop for example.
     [Steve Henson]

  *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
     and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
     will be called when RSA_sign() and RSA_verify() are used. This is useful
     if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
     For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
     should *not* be used: RSA_sign() and RSA_verify() must be used instead.
     This necessitated the support of an extra signature type NID_md5_sha1
     for SSL signatures and modifications to the SSL library to use it instead
     of calling RSA_public_decrypt() and RSA_private_encrypt().
999059191Skris [Steve Henson] 999159191Skris 999259191Skris *) Add new -verify -CAfile and -CApath options to the crl program, these 999359191Skris will lookup a CRL issuers certificate and verify the signature in a 999459191Skris similar way to the verify program. Tidy up the crl program so it 999559191Skris no longer accesses structures directly. Make the ASN1 CRL parsing a bit 999659191Skris less strict. It will now permit CRL extensions even if it is not 999759191Skris a V2 CRL: this will allow it to tolerate some broken CRLs. 999859191Skris [Steve Henson] 999959191Skris 1000059191Skris *) Initialize all non-automatic variables each time one of the openssl 1000159191Skris sub-programs is started (this is necessary as they may be started 1000259191Skris multiple times from the "OpenSSL>" prompt). 1000359191Skris [Lennart Bang, Bodo Moeller] 1000459191Skris 1000559191Skris *) Preliminary compilation option RSA_NULL which disables RSA crypto without 1000659191Skris removing all other RSA functionality (this is what NO_RSA does). This 1000759191Skris is so (for example) those in the US can disable those operations covered 1000859191Skris by the RSA patent while allowing storage and parsing of RSA keys and RSA 1000959191Skris key generation. 1001059191Skris [Steve Henson] 1001159191Skris 1001259191Skris *) Non-copying interface to BIO pairs. 1001359191Skris (still largely untested) 1001459191Skris [Bodo Moeller] 1001559191Skris 1001659191Skris *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive 1001759191Skris ASCII string. This was handled independently in various places before. 1001859191Skris [Steve Henson] 1001959191Skris 1002059191Skris *) New functions UTF8_getc() and UTF8_putc() that parse and generate 1002159191Skris UTF8 strings a character at a time. 
1002259191Skris [Steve Henson] 1002359191Skris 1002459191Skris *) Use client_version from client hello to select the protocol 1002559191Skris (s23_srvr.c) and for RSA client key exchange verification 1002659191Skris (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. 1002759191Skris [Bodo Moeller] 1002859191Skris 1002959191Skris *) Add various utility functions to handle SPKACs, these were previously 1003059191Skris handled by poking round in the structure internals. Added new function 1003159191Skris NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to 1003259191Skris print, verify and generate SPKACs. Based on an original idea from 1003359191Skris Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. 1003459191Skris [Steve Henson] 1003559191Skris 1003659191Skris *) RIPEMD160 is operational on all platforms and is back in 'make test'. 1003759191Skris [Andy Polyakov] 1003859191Skris 1003959191Skris *) Allow the config file extension section to be overwritten on the 1004059191Skris command line. Based on an original idea from Massimiliano Pala 1004159191Skris <madwolf@comune.modena.it>. The new option is called -extensions 1004259191Skris and can be applied to ca, req and x509. Also -reqexts to override 1004359191Skris the request extensions in req and -crlexts to override the crl extensions 1004459191Skris in ca. 1004559191Skris [Steve Henson] 1004659191Skris 1004759191Skris *) Add new feature to the SPKAC handling in ca. Now you can include 1004859191Skris the same field multiple times by preceding it by "XXXX." for example: 1004959191Skris 1.OU="Unit name 1" 1005059191Skris 2.OU="Unit name 2" 1005159191Skris this is the same syntax as used in the req config file. 1005259191Skris [Steve Henson] 1005359191Skris 1005459191Skris *) Allow certificate extensions to be added to certificate requests. These 1005559191Skris are specified in a 'req_extensions' option of the req section of the 1005659191Skris config file. 
They can be printed out with the -text option to req but 1005759191Skris are otherwise ignored at present. 1005859191Skris [Steve Henson] 1005959191Skris 1006059191Skris *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first 1006159191Skris data read consists of only the final block it would not decrypted because 1006259191Skris EVP_CipherUpdate() would correctly report zero bytes had been decrypted. 1006359191Skris A misplaced 'break' also meant the decrypted final block might not be 1006459191Skris copied until the next read. 1006559191Skris [Steve Henson] 1006659191Skris 1006759191Skris *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added 1006859191Skris a few extra parameters to the DH structure: these will be useful if 1006959191Skris for example we want the value of 'q' or implement X9.42 DH. 1007059191Skris [Steve Henson] 1007159191Skris 1007259191Skris *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and 1007359191Skris provides hooks that allow the default DSA functions or functions on a 1007459191Skris "per key" basis to be replaced. This allows hardware acceleration and 1007559191Skris hardware key storage to be handled without major modification to the 1007659191Skris library. Also added low level modexp hooks and CRYPTO_EX structure and 1007759191Skris associated functions. 1007859191Skris [Steve Henson] 1007959191Skris 1008059191Skris *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO 1008159191Skris as "read only": it can't be written to and the buffer it points to will 1008259191Skris not be freed. Reading from a read only BIO is much more efficient than 1008359191Skris a normal memory BIO. This was added because there are several times when 1008459191Skris an area of memory needs to be read from a BIO. 
The previous method was 1008559191Skris to create a memory BIO and write the data to it, this results in two 1008659191Skris copies of the data and an O(n^2) reading algorithm. There is a new 1008759191Skris function BIO_new_mem_buf() which creates a read only memory BIO from 1008859191Skris an area of memory. Also modified the PKCS#7 routines to use read only 1008959191Skris memory BIOs. 1009059191Skris [Steve Henson] 1009159191Skris 1009259191Skris *) Bugfix: ssl23_get_client_hello did not work properly when called in 1009359191Skris state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of 1009459191Skris a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, 1009559191Skris but a retry condition occured while trying to read the rest. 1009659191Skris [Bodo Moeller] 1009759191Skris 1009859191Skris *) The PKCS7_ENC_CONTENT_new() function was setting the content type as 1009959191Skris NID_pkcs7_encrypted by default: this was wrong since this should almost 1010059191Skris always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle 1010159191Skris the encrypted data type: this is a more sensible place to put it and it 1010259191Skris allows the PKCS#12 code to be tidied up that duplicated this 1010359191Skris functionality. 1010459191Skris [Steve Henson] 1010559191Skris 1010659191Skris *) Changed obj_dat.pl script so it takes its input and output files on 1010759191Skris the command line. This should avoid shell escape redirection problems 1010859191Skris under Win32. 1010959191Skris [Steve Henson] 1011059191Skris 1011159191Skris *) Initial support for certificate extension requests, these are included 1011259191Skris in things like Xenroll certificate requests. Included functions to allow 1011359191Skris extensions to be obtained and added. 1011459191Skris [Steve Henson] 1011559191Skris 1011659191Skris *) -crlf option to s_client and s_server for sending newlines as 1011759191Skris CRLF (as required by many protocols). 
1011859191Skris [Bodo Moeller] 1011959191Skris 1012055714Skris Changes between 0.9.3a and 0.9.4 [09 Aug 1999] 1012155714Skris 1012255714Skris *) Install libRSAglue.a when OpenSSL is built with RSAref. 1012355714Skris [Ralf S. Engelschall] 1012455714Skris 1012555714Skris *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. 1012655714Skris [Andrija Antonijevic <TheAntony2@bigfoot.com>] 1012755714Skris 1012855714Skris *) Fix -startdate and -enddate (which was missing) arguments to 'ca' 1012955714Skris program. 1013055714Skris [Steve Henson] 1013155714Skris 1013255714Skris *) New function DSA_dup_DH, which duplicates DSA parameters/keys as 1013355714Skris DH parameters/keys (q is lost during that conversion, but the resulting 1013455714Skris DH parameters contain its length). 1013555714Skris 1013655714Skris For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is 1013755714Skris much faster than DH_generate_parameters (which creates parameters 1013855714Skris where p = 2*q + 1), and also the smaller q makes DH computations 1013955714Skris much more efficient (160-bit exponentiation instead of 1024-bit 1014055714Skris exponentiation); so this provides a convenient way to support DHE 1014155714Skris ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of 1014255714Skris utter importance to use 1014355714Skris SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 1014455714Skris or 1014555714Skris SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 1014655714Skris when such DH parameters are used, because otherwise small subgroup 1014755714Skris attacks may become possible! 1014855714Skris [Bodo Moeller] 1014955714Skris 1015055714Skris *) Avoid memory leak in i2d_DHparams. 1015155714Skris [Bodo Moeller] 1015255714Skris 1015355714Skris *) Allow the -k option to be used more than once in the enc program: 1015455714Skris this allows the same encrypted message to be read by multiple recipients. 
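The DSA_dup_DH entry above warns that small subgroup attacks become possible when DSA-style parameters are used without SSL_OP_SINGLE_DH_USE. The following is an added example in C, not OpenSSL's own code, that shows why on a constructed toy group: the small-order subgroups that a DSA-style p contains, how few distinct secrets a value taken from one of them can ever produce, and the membership check (y^q == 1 mod p, which later OpenSSL releases expose as DH_check_pub_key()) that rejects such values outright. TOY_P, TOY_Q and every helper name are constructed for this example.

```c
/*
 * Added example, not OpenSSL code: why SSL_OP_SINGLE_DH_USE matters for
 * DH parameters obtained via DSA_dup_DH, and the public-value check that
 * keeps a peer out of the small subgroups.  All numbers are constructed
 * toy values; real parameters have a 1024-bit p and a 160-bit q.
 */
#include <stdint.h>
#include <stdio.h>

/* Constructed toy group: p = 67 is prime, p - 1 = 66 = 2 * 3 * 11.
 * As with DSA parameters, q = 11 is a prime factor of p - 1 much smaller
 * than p, so Z_p^* also has subgroups of order 2, 3 and 6 that a genuine
 * public value g^x never touches but a hostile one can. */
#define TOY_P 67ULL
#define TOY_Q 11ULL

/* base^exp mod m by square-and-multiply (values stay far below 2^32). */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Multiplicative order of y: the number of distinct shared secrets y^x mod p
 * that y can ever yield, whatever the private exponent x is. */
uint64_t element_order(uint64_t y)
{
    uint64_t acc = y % TOY_P, n = 1;
    while (acc != 1) {
        acc = (acc * y) % TOY_P;
        n++;
    }
    return n;
}

/* Generator of the order-q subgroup, found the way DSA parameter generation
 * does it: h^((p-1)/q) for the first h that does not give 1. */
uint64_t subgroup_generator(void)
{
    uint64_t h, g;
    for (h = 2; h < TOY_P; h++) {
        g = modpow(h, (TOY_P - 1) / TOY_Q, TOY_P);
        if (g != 1)
            return g;
    }
    return 0;
}

/* An element of small order r (r must divide p - 1).  If a server reuses
 * its private x and accepts such a value in place of a real public key,
 * the resulting secret can take only r values, so confirming the session
 * key leaks x mod r.  With a fresh x per connection (SSL_OP_SINGLE_DH_USE)
 * there is nothing to accumulate across handshakes. */
uint64_t small_order_element(uint64_t r)
{
    uint64_t h, e;
    for (h = 2; h < TOY_P; h++) {
        e = modpow(h, (TOY_P - 1) / r, TOY_P);
        if (e != 1)
            return e;
    }
    return 0;
}

/* Subgroup membership check for a received public value:
 * 1 < y < p - 1 and y^q == 1 (mod p).  Returns 1 if y is acceptable.
 * This is what DH_check_pub_key() in later OpenSSL does when q is known;
 * it rejects every small-order value before any exponentiation with x. */
int dh_pub_in_subgroup(uint64_t y)
{
    if (y <= 1 || y >= TOY_P - 1)
        return 0;
    return modpow(y, TOY_Q, TOY_P) == 1;
}

int main(void)
{
    uint64_t g = subgroup_generator();
    uint64_t honest = modpow(g, 5, TOY_P);      /* public value for x = 5 */
    uint64_t bogus = small_order_element(3);

    printf("g = %llu (order %llu)\n", (unsigned long long)g,
           (unsigned long long)element_order(g));
    printf("bogus value %llu has order %llu: only that many secrets exist\n",
           (unsigned long long)bogus, (unsigned long long)element_order(bogus));
    printf("check accepts honest value: %d, bogus value: %d\n",
           dh_pub_in_subgroup(honest), dh_pub_in_subgroup(bogus));
    return 0;
}
```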
     [Steve Henson]

  *) New function OBJ_obj2txt(buf, buf_len, a, no_name); this converts
     an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
     it will always use the numerical form of the OID, even if it has a short
     or long name.
     [Steve Henson]

  *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
     method only got called if p,q,dmp1,dmq1,iqmp components were present,
     otherwise bn_mod_exp was called. In the case of hardware keys for example
     no private key components need be present and it might store extra data
     in the RSA structure, which cannot be accessed from bn_mod_exp.
     By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
     private key operations.
     [Steve Henson]

  *) Added support for SPARC Linux.
     [Andy Polyakov]

  *) pem_password_cb function type incompatibly changed from
        typedef int pem_password_cb(char *buf, int size, int rwflag);
     to
        ....(char *buf, int size, int rwflag, void *userdata);
     so that applications can pass data to their callbacks:
     The PEM[_ASN1]_{read,write}... functions and macros now take an
     additional void * argument, which is just handed through whenever
     the password callback is called.
     [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller]

     New function SSL_CTX_set_default_passwd_cb_userdata.

     Compatibility note: As many C implementations push function arguments
     onto the stack in reverse order, the new library version is likely to
     interoperate with programs that have been compiled with the old
     pem_password_cb definition (PEM_whatever takes some data that
     happens to be on the stack as its last argument, and the callback
     just ignores this garbage); but there is no guarantee whatsoever that
     this will work.

  *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
     (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
     problems not only on Windows, but also on some Unix platforms.
     To avoid problematic command lines, these definitions are now in an
     auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
     for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
     [Bodo Moeller]

  *) MIPS III/IV assembler module is reimplemented.
     [Andy Polyakov]

  *) More DES library cleanups: remove references to srand/rand and
     delete an unused file.
     [Ulf Möller]

  *) Add support for the free Netwide assembler (NASM) under Win32,
     since not many people have MASM (ml) and it can be hard to obtain.
     This is currently experimental but it seems to work OK and pass all
     the tests. Check out INSTALL.W32 for info.
     [Steve Henson]

  *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
     without temporary keys kept an extra copy of the server key,
     and connections with temporary keys did not free everything in case
     of an error.
     [Bodo Moeller]

  *) New function RSA_check_key and new openssl rsa option -check
     for verifying the consistency of RSA keys.
     [Ulf Moeller, Bodo Moeller]

  *) Various changes to make Win32 compile work:
     1. Casts to avoid "loss of data" warnings in p5_crpt2.c
     2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
        comparison" warnings.
     3. Add sk_<TYPE>_sort to DEF file generator and do make update.
     [Steve Henson]

  *) Add a debugging option to PKCS#5 v2 key generation function: when
     you #define DEBUG_PKCS5V2, passwords, salts, iteration counts and
     derived keys are printed to stderr.
     [Steve Henson]

  *) Copy the flags in ASN1_STRING_dup().
     [Roman E. Pavlov <pre@mo.msk.ru>]

  *) The x509 application mishandled signing requests containing DSA
     keys when the signing key was also DSA and the parameters didn't match.

     It was supposed to omit the parameters when they matched the signing key:
     the verifying software was then supposed to automatically use the CA's
     parameters if they were absent from the end user certificate.

     Omitting parameters is no longer recommended. The test was also
     the wrong way round! This was probably due to unusual behaviour in
     EVP_cmp_parameters() which returns 1 if the parameters match.
     This meant that parameters were omitted when they *didn't* match and
     the certificate was useless. Certificates signed with 'ca' didn't have
     this bug.
     [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]

  *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
     The interface is as follows:
     Applications can use
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
     "off" is now the default.
     The library internally uses
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
         CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
     to disable memory-checking temporarily.

     Some inconsistent states that previously were possible (and were
     even the default) are now avoided.

     -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
     with each memory chunk allocated; this is occasionally more helpful
     than just having a counter.

     -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.

     -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
     extensions.
     [Bodo Moeller]

  *) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
     which largely parallels "options", but is for changing API behaviour,
     whereas "options" are about protocol behaviour.

     Initial "mode" flags are:

     SSL_MODE_ENABLE_PARTIAL_WRITE         Allow SSL_write to report success
                                           when a single record has been
                                           written.
     SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER   Don't insist that SSL_write
                                           retries use the same buffer
                                           location. (But all of the
                                           contents must be copied!)
     [Bodo Moeller]

  *) Bugfix: SSL_set_options ignored its parameter; only SSL_CTX_set_options
     worked.

  *) Fix problems with no-hmac etc.
     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]

  *) New functions RSA_get_default_method(), RSA_set_method() and
     RSA_get_method(). These allow replacement of RSA_METHODs without having
     to mess around with the internals of an RSA structure.
     [Steve Henson]

  *) Fix memory leaks in DSA_do_sign and DSA_is_prime.
     Also really enable memory leak checks in openssl.c and in some
     test programs.
     [Chad C. Mulligan, Bodo Moeller]

  *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
     up the length of negative integers. This has now been simplified to just
     store the length when it is first determined and use it later, rather
     than trying to keep track of where data is copied and updating it to
     point to the end.
     [Steve Henson, reported by Brien Wheeler
      <bwheeler@authentica-security.com>]

  *) Add a new function PKCS7_signatureVerify. This allows the verification
     of a PKCS#7 signature but with the signing certificate passed to the
     function itself. This contrasts with PKCS7_dataVerify which assumes the
     certificate is present in the PKCS#7 structure. This isn't always the
     case: certificates can be omitted from a PKCS#7 structure and be
     distributed by "out of band" means (such as a certificate database).
     [Steve Henson]

  *) Complete the PEM_* macros with DECLARE_PEM versions to replace the
     function prototypes in pem.h; also change util/mkdef.pl to add the
     necessary function names.
     [Steve Henson]

  *) mk1mf.pl (used by Windows builds) did not properly read the
     options set by Configure in the top level Makefile, and Configure
     was not even able to write more than one option correctly.
     Fixed; now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
     [Bodo Moeller]

  *) New functions CONF_load_bio() and CONF_load_fp() to allow a config
     file to be loaded from a BIO or FILE pointer. The BIO version will
     for example allow memory BIOs to contain config info.
     [Steve Henson]

  *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
     Whoever hopes to achieve shared-library compatibility across versions
     must use this, not the compile-time macro.
     (Exercise 0.9.4: Which is the minimum library version required by
     such programs?)
     Note: All this applies only to multi-threaded programs, others don't
     need locks.
     [Bodo Moeller]

  *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
     through a BIO pair triggered the default case, i.e.
     SSLerr(...,SSL_R_UNKNOWN_STATE).
1035355714Skris [Bodo Moeller] 1035455714Skris 1035555714Skris *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications 1035655714Skris can use the SSL library even if none of the specific BIOs is 1035755714Skris appropriate. 1035855714Skris [Bodo Moeller] 1035955714Skris 1036055714Skris *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value 1036155714Skris for the encoded length. 1036255714Skris [Jeon KyoungHo <khjeon@sds.samsung.co.kr>] 1036355714Skris 1036455714Skris *) Add initial documentation of the X509V3 functions. 1036555714Skris [Steve Henson] 1036655714Skris 1036755714Skris *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and 1036855714Skris PEM_write_bio_PKCS8PrivateKey() that are equivalent to 1036955714Skris PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more 1037055714Skris secure PKCS#8 private key format with a high iteration count. 1037155714Skris [Steve Henson] 1037255714Skris 1037355714Skris *) Fix determination of Perl interpreter: A perl or perl5 1037455714Skris _directory_ in $PATH was also accepted as the interpreter. 1037555714Skris [Ralf S. Engelschall] 1037655714Skris 1037755714Skris *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking 1037855714Skris wrong with it but it was very old and did things like calling 1037955714Skris PEM_ASN1_read() directly and used MD5 for the hash not to mention some 1038055714Skris unusual formatting. 1038155714Skris [Steve Henson] 1038255714Skris 1038355714Skris *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed 1038455714Skris to use the new extension code. 1038555714Skris [Steve Henson] 1038655714Skris 1038755714Skris *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c 1038855714Skris with macros. This should make it easier to change their form, add extra 1038955714Skris arguments etc. Fix a few PEM prototypes which didn't have cipher as a 1039055714Skris constant. 
1039155714Skris [Steve Henson] 1039255714Skris 1039355714Skris *) Add to configuration table a new entry that can specify an alternative 1039455714Skris name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, 1039555714Skris according to Mark Crispin <MRC@Panda.COM>. 1039655714Skris [Bodo Moeller] 1039755714Skris 1039855714Skris#if 0 1039955714Skris *) DES CBC did not update the IV. Weird. 1040055714Skris [Ben Laurie] 1040155714Skris#else 1040255714Skris des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. 1040355714Skris Changing the behaviour of the former might break existing programs -- 1040455714Skris where IV updating is needed, des_ncbc_encrypt can be used. 1040555714Skris#endif 1040655714Skris 1040755714Skris *) When bntest is run from "make test" it drives bc to check its 1040855714Skris calculations, as well as internally checking them. If an internal check 1040955714Skris fails, it needs to cause bc to give a non-zero result or make test carries 1041055714Skris on without noticing the failure. Fixed. 1041155714Skris [Ben Laurie] 1041255714Skris 1041355714Skris *) DES library cleanups. 10414291719Sjkim [Ulf M��ller] 1041555714Skris 1041655714Skris *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be 1041755714Skris used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit 1041855714Skris ciphers. NOTE: although the key derivation function has been verified 1041955714Skris against some published test vectors it has not been extensively tested 1042055714Skris yet. Added a -v2 "cipher" option to pkcs8 application to allow the use 1042155714Skris of v2.0. 1042255714Skris [Steve Henson] 1042355714Skris 1042455714Skris *) Instead of "mkdir -p", which is not fully portable, use new 1042555714Skris Perl script "util/mkdir-p.pl". 1042655714Skris [Bodo Moeller] 1042755714Skris 1042855714Skris *) Rewrite the way password based encryption (PBE) is handled. 
It used to 1042955714Skris assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter 1043055714Skris structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms 1043155714Skris but doesn't apply to PKCS#5 v2.0 where it can be something else. Now 1043255714Skris the 'parameter' field of the AlgorithmIdentifier is passed to the 1043355714Skris underlying key generation function so it must do its own ASN1 parsing. 1043455714Skris This has also changed the EVP_PBE_CipherInit() function which now has a 1043555714Skris 'parameter' argument instead of literal salt and iteration count values 1043655714Skris and the function EVP_PBE_ALGOR_CipherInit() has been deleted. 1043755714Skris [Steve Henson] 1043855714Skris 1043955714Skris *) Support for PKCS#5 v1.5 compatible password based encryption algorithms 1044055714Skris and PKCS#8 functionality. New 'pkcs8' application linked to openssl. 1044155714Skris Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE 1044255714Skris KEY" because this clashed with PKCS#8 unencrypted string. Since this 1044355714Skris value was just used as a "magic string" and not used directly its 1044455714Skris value doesn't matter. 1044555714Skris [Steve Henson] 1044655714Skris 1044755714Skris *) Introduce some semblance of const correctness to BN. Shame C doesn't 1044855714Skris support mutable. 1044955714Skris [Ben Laurie] 1045055714Skris 1045155714Skris *) "linux-sparc64" configuration (ultrapenguin). 1045255714Skris [Ray Miller <ray.miller@oucs.ox.ac.uk>] 1045355714Skris "linux-sparc" configuration. 1045455714Skris [Christian Forster <fo@hawo.stw.uni-erlangen.de>] 1045555714Skris 1045655714Skris *) config now generates no-xxx options for missing ciphers. 10457291719Sjkim [Ulf M��ller] 1045855714Skris 1045955714Skris *) Support the EBCDIC character set (work in progress). 1046055714Skris File ebcdic.c not yet included because it has a different license. 
1046155714Skris [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] 1046255714Skris 1046355714Skris *) Support BS2000/OSD-POSIX. 1046455714Skris [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] 1046555714Skris 1046655714Skris *) Make callbacks for key generation use void * instead of char *. 1046755714Skris [Ben Laurie] 1046855714Skris 1046955714Skris *) Make S/MIME samples compile (not yet tested). 1047055714Skris [Ben Laurie] 1047155714Skris 1047255714Skris *) Additional typesafe stacks. 1047355714Skris [Ben Laurie] 1047455714Skris 1047555714Skris *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). 1047655714Skris [Bodo Moeller] 1047755714Skris 1047855714Skris 1047955714Skris Changes between 0.9.3 and 0.9.3a [29 May 1999] 1048055714Skris 1048155714Skris *) New configuration variant "sco5-gcc". 1048255714Skris 1048355714Skris *) Updated some demos. 1048455714Skris [Sean O Riordain, Wade Scholine] 1048555714Skris 1048655714Skris *) Add missing BIO_free at exit of pkcs12 application. 1048755714Skris [Wu Zhigang] 1048855714Skris 1048955714Skris *) Fix memory leak in conf.c. 1049055714Skris [Steve Henson] 1049155714Skris 1049255714Skris *) Updates for Win32 to assembler version of MD5. 1049355714Skris [Steve Henson] 1049455714Skris 1049555714Skris *) Set #! path to perl in apps/der_chop to where we found it 1049655714Skris instead of using a fixed path. 1049755714Skris [Bodo Moeller] 1049855714Skris 1049955714Skris *) SHA library changes for irix64-mips4-cc. 1050055714Skris [Andy Polyakov] 1050155714Skris 1050255714Skris *) Improvements for VMS support. 1050355714Skris [Richard Levitte] 1050455714Skris 1050555714Skris 1050655714Skris Changes between 0.9.2b and 0.9.3 [24 May 1999] 1050755714Skris 1050855714Skris *) Bignum library bug fix. IRIX 6 passes "make test" now! 1050955714Skris This also avoids the problems with SC4.2 and unpatched SC5. 
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) New functions sk_num, sk_value and sk_set to replace the previous macros.
     These are required because the typesafe stack would otherwise break
     existing code. If old code used a structure member which used to be STACK
     and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
     sk_num or sk_value it would produce an error because the num, data members
     are not present in STACK_OF. Now it just produces a warning. sk_set
     replaces the old method of assigning a value to sk_value
     (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
     that does this will no longer work (and should use sk_set instead) but
     this could be regarded as a "questionable" behaviour anyway.
     [Steve Henson]

  *) Fix most of the other PKCS#7 bugs. The "experimental" code can now
     correctly handle encrypted S/MIME data.
     [Steve Henson]

  *) Change type of various DES function arguments from des_cblock
     (which means, in function argument declarations, pointer to char)
     to des_cblock * (meaning pointer to array with 8 char elements),
     which allows the compiler to do more typechecking; it was like
     that back in SSLeay, but with lots of ugly casts.

     Introduce new type const_des_cblock.
     [Bodo Moeller]

  *) Reorganise the PKCS#7 library and get rid of some of the more obvious
     problems: find RecipientInfo structure that matches recipient certificate
     and initialise the ASN1 structures properly based on passed cipher.
     [Steve Henson]

  *) Belatedly make the BN tests actually check the results.
     [Ben Laurie]

  *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
     to and from BNs: it was completely broken. New compilation option
     NEG_PUBKEY_BUG to allow for some broken certificates that encode public
     key elements as negative integers.
     [Steve Henson]

  *) Reorganize and speed up MD5.
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) VMS support.
     [Richard Levitte <richard@levitte.org>]

  *) New option -out to asn1parse to allow the parsed structure to be
     output to a file. This is most useful when combined with the -strparse
     option to examine the output of things like OCTET STRINGS.
     [Steve Henson]

  *) Make SSL library a little more fool-proof by not requiring any longer
     that SSL_set_{accept,connect}_state be called before
     SSL_{accept,connect} may be used (SSL_set_..._state is omitted
     in many applications because usually everything *appeared* to work as
     intended anyway -- now it really works as intended).
     [Bodo Moeller]

  *) Move openssl.cnf out of lib/.
     [Ulf Möller]

  *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
     -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
     -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
     [Ralf S. Engelschall]

  *) Various fixes to the EVP and PKCS#7 code.
     It may now be able to
     handle PKCS#7 enveloped data properly.
     [Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]

  *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
     copying pointers. The cert_st handling is changed by this in
     various ways (and thus what used to be known as ctx->default_cert
     is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
     any longer when s->cert does not give us what we need).
     ssl_cert_instantiate becomes obsolete by this change.
     As soon as we've got the new code right (possibly it already is?),
     we have solved a couple of bugs of the earlier code where s->cert
     was used as if it could not have been shared with other SSL structures.

     Note that using the SSL API in certain dirty ways now will result
     in different behaviour than observed with earlier library versions:
     Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
     does not influence s as it used to.

     In order to clean up things more thoroughly, inside SSL_SESSION
     we don't use CERT any longer, but a new structure SESS_CERT
     that holds per-session data (if available); currently, this is
     the peer's certificate chain and, for clients, the server's certificate
     and temporary key. CERT holds only those values that can have
     meaningful defaults in an SSL_CTX.
     [Bodo Moeller]

  *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
     from the internal representation.
     Various PKCS#7 fixes: remove some
     evil casts and set the enc_dig_alg field properly based on the signing
     key type.
     [Steve Henson]

  *) Allow PKCS#12 password to be set from the command line or the
     environment. Let 'ca' get its config file name from the environment
     variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
     and 'x509').
     [Steve Henson]

  *) Allow certificate policies extension to use an IA5STRING for the
     organization field. This is contrary to the PKIX definition but
     VeriSign uses it and IE5 only recognises this form. Document 'x509'
     extension option.
     [Steve Henson]

  *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
     without disallowing inline assembler and the like for non-pedantic builds.
     [Ben Laurie]

  *) Support Borland C++ builder.
     [Janez Jere <jj@void.si>, modified by Ulf Möller]

  *) Support Mingw32.
     [Ulf Möller]

  *) SHA-1 cleanups and performance enhancements.
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) Sparc v8plus assembler for the bignum library.
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) Accept any -xxx and +xxx compiler options in Configure.
     [Ulf Möller]

  *) Update HPUX configuration.
     [Anonymous]

  *) Add missing sk_<type>_unshift() function to safestack.h
     [Ralf S. Engelschall]

  *) New function SSL_CTX_use_certificate_chain_file that sets the
     "extra_cert"s in addition to the certificate. (This makes sense
     only for "PEM" format files, as chains as a whole are not
     DER-encoded.)
     [Bodo Moeller]

  *) Support verify_depth from the SSL API.
     x509_vfy.c had what can be considered an off-by-one-error:
     Its depth (which was not part of the external interface)
     was actually counting the number of certificates in a chain;
     now it really counts the depth.
     [Bodo Moeller]

  *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
     instead of X509err, which often resulted in confusing error
     messages since the error codes are not globally unique
     (e.g. an alleged error in ssl3_accept when a certificate
     didn't match the private key).

  *) New function SSL_CTX_set_session_id_context that allows a default
     value to be set (so that you don't need SSL_set_session_id_context for
     each connection using the SSL_CTX).
     [Bodo Moeller]

  *) OAEP decoding bug fix.
     [Ulf Möller]

  *) Support INSTALL_PREFIX for package builders, as proposed by
     David Harris.
     [Bodo Moeller]

  *) New Configure options "threads" and "no-threads". For systems
     where the proper compiler options are known (currently Solaris
     and Linux), "threads" is the default.
     [Bodo Moeller]

  *) New script util/mklink.pl as a faster substitute for util/mklink.sh.
     [Bodo Moeller]

  *) Install various scripts to $(OPENSSLDIR)/misc, not to
     $(INSTALLTOP)/bin -- they shouldn't clutter directories
     such as /usr/local/bin.
     [Bodo Moeller]

  *) "make linux-shared" to build shared libraries.
     [Niels Poppe <niels@netbox.org>]

  *) New Configure option no-<cipher> (rsa, idea, rc5, ...).
     [Ulf Möller]

  *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
     extension adding in x509 utility.
     [Steve Henson]

  *) Remove NOPROTO sections and error code comments.
     [Ulf Möller]

  *) Partial rewrite of the DEF file generator to now parse the ANSI
     prototypes.
     [Steve Henson]

  *) New Configure options --prefix=DIR and --openssldir=DIR.
     [Ulf Möller]

  *) Complete rewrite of the error code script(s). It is all now handled
     by one script at the top level which handles error code gathering,
     header rewriting and C source file generation. It should be much better
     than the old method: it now uses a modified version of Ulf's parser to
     read the ANSI prototypes in all header files (thus the old K&R definitions
     aren't needed for error creation any more) and do a better job of
     translating function codes into names. The old 'ASN1 error code imbedded
     in a comment' is no longer necessary and it doesn't use .err files which
     have now been deleted. Also the error code call doesn't have to appear all
     on one line (which resulted in some large lines...).
     [Steve Henson]

  *) Change #include filenames from <foo.h> to <openssl/foo.h>.
     [Bodo Moeller]

  *) Change behaviour of ssl2_read when facing length-0 packets: Don't return
     0 (which usually indicates a closed connection), but continue reading.
     [Bodo Moeller]

  *) Fix some race conditions.
     [Bodo Moeller]

  *) Add support for CRL distribution points extension. Add Certificate
     Policies and CRL distribution points documentation.
     [Steve Henson]

  *) Move the autogenerated header file parts to crypto/opensslconf.h.
     [Ulf Möller]

  *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
     8 of keying material. Merlin has also confirmed interop with this fix
     between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
     [Merlin Hughes <merlin@baltimore.ie>]

  *) Fix lots of warnings.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
     the directory spec didn't end with a LIST_SEPARATOR_CHAR.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) Fix problems with sizeof(long) == 8.
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) Change functions to ANSI C.
     [Ulf Möller]

  *) Fix typos in error codes.
     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]

  *) Remove defunct assembler files from Configure.
     [Ulf Möller]

  *) SPARC v8 assembler BIGNUM implementation.
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) Support for Certificate Policies extension: both print and set.
     Various additions to support the r2i method this uses.
     [Steve Henson]

  *) A lot of constification, and fix a bug in X509_NAME_oneline() that could
     return a const string when you are expecting an allocated buffer.
     [Ben Laurie]

  *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
     types DirectoryString and DisplayText.
     [Steve Henson]

  *) Add code to allow r2i extensions to access the configuration database,
     add an LHASH database driver and add several ctx helper functions.
     [Steve Henson]

  *) Fix an evil bug in bn_expand2() which caused various BN functions to
     fail when they extended the size of a BIGNUM.
     [Steve Henson]

  *) Various utility functions to handle SXNet extension. Modify mkdef.pl to
     support typesafe stack.
     [Steve Henson]

  *) Fix typo in SSL_[gs]et_options().
     [Nils Frostberg <nils@medcom.se>]

  *) Delete various functions and files that belonged to the (now obsolete)
     old X509V3 handling code.
     [Steve Henson]

  *) New Configure option "rsaref".
     [Ulf Möller]

  *) Don't auto-generate pem.h.
     [Bodo Moeller]

  *) Introduce type-safe ASN.1 SETs.
     [Ben Laurie]

  *) Convert various additional casted stacks to type-safe STACK_OF() variants.
     [Ben Laurie, Ralf S. Engelschall, Steve Henson]

  *) Introduce type-safe STACKs. This will almost certainly break lots of code
     that links with OpenSSL (well at least cause lots of warnings), but fear
     not: the conversion is trivial, and it eliminates loads of evil casts. A
     few STACKed things have been converted already. Feel free to convert more.
     In the fullness of time, I'll do away with the STACK type altogether.
     [Ben Laurie]

  *) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
     specified in <certfile> by updating the entry in the index.txt file.
     This way one no longer has to edit the index.txt file manually for
     revoking a certificate. The -revoke option does the gory details now.
     [Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]

  *) Fix `openssl crl -noout -text' combination where `-noout' killed the
     `-text' option entirely and this way the `-noout -text' combination was
     inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
     [Ralf S. Engelschall]

  *) Make sure a corresponding plain text error message exists for the
     X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
     verify callback function determined that a certificate was revoked.
     [Ralf S. Engelschall]

  *) Bugfix: In test/testenc, don't test "openssl <cipher>" for
     ciphers that were excluded, e.g. by -DNO_IDEA.
     Also, test
     all available ciphers including rc5, which was forgotten until now.
     In order to let the testing shell script know which algorithms
     are available, a new (up to now undocumented) command
     "openssl list-cipher-commands" is used.
     [Bodo Moeller]

  *) Bugfix: s_client occasionally would sleep in select() when
     it should have checked SSL_pending() first.
     [Bodo Moeller]

  *) New functions DSA_do_sign and DSA_do_verify to provide access to
     the raw DSA values prior to ASN.1 encoding.
     [Ulf Möller]

  *) Tweaks to Configure
     [Niels Poppe <niels@netbox.org>]

  *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
     yet...
     [Steve Henson]

  *) New variables $(RANLIB) and $(PERL) in the Makefiles.
     [Ulf Möller]

  *) New config option to avoid instructions that are illegal on the 80386.
     The default code is faster, but requires at least a 486.
     [Ulf Möller]

  *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
     SSL2_SERVER_VERSION (not used at all) macros, which are now the
     same as SSL2_VERSION anyway.
     [Bodo Moeller]

  *) New "-showcerts" option for s_client.
     [Bodo Moeller]

  *) Still more PKCS#12 integration. Add pkcs12 application to openssl
     application. Various cleanups and fixes.
     [Steve Henson]

  *) More PKCS#12 integration.
     Add new pkcs12 directory with Makefile.ssl and
     modify error routines to work internally. Add error codes and PBE init
     to library startup routines.
     [Steve Henson]

  *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and
     packing functions to asn1 and evp. Changed function names and error
     codes along the way.
     [Steve Henson]

  *) PKCS12 integration: and so it begins... First of several patches to
     slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
     objects to objects.h
     [Steve Henson]

  *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1
     and display support for Thawte strong extranet extension.
     [Steve Henson]

  *) Add LinuxPPC support.
     [Jeff Dubrule <igor@pobox.org>]

  *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
     bn_div_words in alpha.s.
     [Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie]

  *) Make sure the RSA OAEP test is skipped under -DRSAref because
     OAEP isn't supported when OpenSSL is built with RSAref.
     [Ulf Moeller <ulf@fitug.de>]

  *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
     so they no longer are missing under -DNOPROTO.
     [Soren S. Jorvang <soren@t.dk>]


 Changes between 0.9.1c and 0.9.2b [22 Mar 1999]

  *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
     doesn't work when the session is reused. Coming soon!
     [Ben Laurie]

  *) Fix a security hole that allows sessions to be reused in the wrong
     context thus bypassing client cert protection! All software that uses
     client certs and session caches in multiple contexts NEEDS PATCHING to
     allow session reuse! A fuller solution is in the works.
     [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]

  *) Some more source tree cleanups (removed obsolete files
     crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
     permission on "config" script to be executable) and a fix for the INSTALL
     document.
     [Ulf Moeller <ulf@fitug.de>]

  *) Remove some legacy and erroneous uses of malloc, free instead of
     Malloc, Free.
     [Lennart Bang <lob@netstream.se>, with minor changes by Steve]

  *) Make rsa_oaep_test return non-zero on error.
     [Ulf Moeller <ulf@fitug.de>]

  *) Add support for native Solaris shared libraries. Configure
     solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
     if someone would make that last step automatic.
     [Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>]

  *) ctx_size was not built with the right compiler during "make links". Fixed.
     [Ben Laurie]

  *) Change the meaning of 'ALL' in the cipher list. It now means "everything
     except NULL ciphers". This means the default cipher list will no longer
     enable NULL ciphers. They need to be specifically enabled e.g. with
     the string "DEFAULT:eNULL".
     [Steve Henson]

  *) Fix to RSA private encryption routines: if p < q then it would
     occasionally produce an invalid result. This will only happen with
     externally generated keys because OpenSSL (and SSLeay) ensure p > q.
     [Steve Henson]

  *) Be less restrictive and allow also `perl util/perlpath.pl
     /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
     because this way one can also use an interpreter named `perl5' (which is
     usually the name of Perl 5.xxx on platforms where a Perl 4.x is still
     installed as `perl').
     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]

  *) Let util/clean-depend.pl work also with older Perl 5.00x versions.
     [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]

  *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links', add
     advapi32.lib to Win32 build and change the pem test comparison
     to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
     suggestion). Fix misplaced ANSI prototypes and declarations in evp.h
     and crypto/des/ede_cbcm_enc.c.
     [Steve Henson]

  *) DES quad checksum was broken on big-endian architectures. Fixed.
     [Ben Laurie]

  *) Comment out two functions in bio.h that aren't implemented. Fix up the
     Win32 test batch file so it (might) work again. The Win32 test batch file
     is horrible: I feel ill....
     [Steve Henson]

  *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
     in e_os.h.
     Audit of header files to check ANSI and non ANSI
     sections: 10 functions were absent from non ANSI section and not exported
     from Windows DLLs. Fixed up libeay.num for new functions.
     [Steve Henson]

  *) Make `openssl version' output lines consistent.
     [Ralf S. Engelschall]

  *) Fix Win32 symbol export lists for BIO functions: Added
     BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
     to ms/libeay{16,32}.def.
     [Ralf S. Engelschall]

  *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiles
     fine under Unix and passes some trivial tests I've now added. But the
     whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
     added to make sure no one expects that this stuff really works in the
     OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources
     up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
     openssl_bio.xs.
     [Ralf S. Engelschall]

  *) Fix the generation of two part addresses in perl.
     [Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie]

  *) Add config entry for Linux on MIPS.
     [John Tobey <jtobey@channel1.com>]

  *) Make links whenever Configure is run, unless we are on Windoze.
     [Ben Laurie]

  *) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
     Currently only issuerAltName and AuthorityKeyIdentifier make any sense
     in CRLs.
     [Steve Henson]

  *) Add a useful kludge to allow package maintainers to specify compiler and
     other platform details on the command line without having to patch the
     Configure script every time: One now can use ``perl Configure
     <id>:<details>'', i.e. platform ids are allowed to have details appended
     to them (separated by colons). This is treated as if there were a static
     pre-configured entry in Configure's %table under key <id> with value
     <details> and ``perl Configure <id>'' is called. So, when you want to
     perform a quick test-compile under FreeBSD 3.1 with pgcc and without
     assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
     now, which overrides the FreeBSD-elf entry on-the-fly.
     [Ralf S. Engelschall]

  *) Disable new TLS1 ciphersuites by default: they aren't official yet.
     [Ben Laurie]

  *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
     on the `perl Configure ...' command line. This way one can compile
     OpenSSL libraries with Position Independent Code (PIC) which is needed
     for linking it into DSOs.
     [Ralf S. Engelschall]

  *) Remarkably, export ciphers were totally broken and no-one had noticed!
     Fixed.
     [Ben Laurie]

  *) Cleaned up the LICENSE document: The official contact for any license
     questions now is the OpenSSL core team under openssl-core@openssl.org.
     And add a paragraph about the dual-license situation to make sure people
     recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
     to the OpenSSL toolkit.
     [Ralf S. Engelschall]

  *) General source tree makefile cleanups: Made `making xxx in yyy...'
     display consistent in the source tree and replaced `/bin/rm' by `rm'.
     Additionally cleaned up the `make links' target: Remove unnecessary
     semicolons, subsequent redundant removes, inline point.sh into mklink.sh
     to speed processing and no longer clutter the display with confusing
     stuff. Instead only the actually done links are displayed.
     [Ralf S. Engelschall]

  *) Permit null encryption ciphersuites, used for authentication only. It used
     to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
     It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
     encryption.
     [Ben Laurie]

  *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
     signed attributes when verifying signatures (this would break them),
     the detached data encoding was wrong and public keys obtained using
     X509_get_pubkey() weren't freed.
     [Steve Henson]

  *) Add text documentation for the BUFFER functions. Also added a work around
     to a Win95 console bug. This was triggered by the password read stuff: the
     last character typed gets carried over to the next fread(). If you were
     generating a new cert request using 'req' for example then the last
     character of the passphrase would be CR which would then enter the first
     field as blank.
     [Steve Henson]

  *) Added the new `Includes OpenSSL Cryptography Software' button as
     doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
     button and can be used by applications based on OpenSSL to show the
     relationship to the OpenSSL project.
     [Ralf S. Engelschall]

  *) Remove confusing variables in function signatures in files
     ssl/ssl_lib.c and ssl/ssl.h.
     [Lennart Bong <lob@kulthea.stacken.kth.se>]

  *) Don't install bss_file.c under PREFIX/include/
     [Lennart Bong <lob@kulthea.stacken.kth.se>]

  *) Get the Win32 compile working again. Modify mkdef.pl so it can handle
     functions that return function pointers and has support for NT specific
     stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
     #ifdef WIN32 and WINNTs sprinkled about the place and some changes from
     unsigned to signed types: this was killing the Win32 compile.
     [Steve Henson]

  *) Add new certificate file to stack functions,
     SSL_add_dir_cert_subjects_to_stack() and
     SSL_add_file_cert_subjects_to_stack(). These largely supplant
     SSL_load_client_CA_file(), and can be used to add multiple certs easily
     to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
     This means that Apache-SSL and similar packages don't have to mess around
     to add as many CAs as they want to the preferred list.
     [Ben Laurie]

  *) Experiment with doxygen documentation. Currently only partially applied to
     ssl/ssl_lib.c.
     See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
     openssl.doxy as the configuration file.
     [Ben Laurie]

  *) Get rid of remaining C++-style comments which strict C compilers hate.
     [Ralf S. Engelschall, pointed out by Carlos Amengual]

  *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
     compiled in by default: it has problems with large keys.
     [Steve Henson]

  *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
     DH private keys and/or callback functions which directly correspond to
     their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
     is needed for applications which have to configure certificates on a
     per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
     (e.g. s_server).
     For the RSA certificate situation it makes no difference, but
     for the DSA certificate situation this fixes the "no shared cipher"
     problem where the OpenSSL cipher selection procedure failed because the
     temporary keys were not overtaken from the context and the API provided
     no way to reconfigure them.
     The new functions now let applications reconfigure the stuff and they
     are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
     SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
     non-public-API function ssl_cert_instantiate() is used as a helper
     function and also to reduce code redundancy inside ssl_rsa.c.
     [Ralf S.
     Engelschall]

  *) Move s_server -dcert and -dkey options out of the undocumented feature
     area because they are useful for the DSA situation and should be
     recognized by the users.
     [Ralf S. Engelschall]

  *) Fix the cipher decision scheme for export ciphers: the export bits are
     *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
     SSL_EXP_MASK. So, the original variable has to be used instead of the
     already masked variable.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
     [Richard Levitte <levitte@stacken.kth.se>]

  *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
     from `int' to `unsigned int' because it's a length and initialized by
     EVP_DigestFinal() which expects an `unsigned int *'.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) Don't hard-code path to Perl interpreter on shebang line of Configure
     script. Instead use the usual Shell->Perl transition trick.
     [Ralf S. Engelschall]

  *) Make `openssl x509 -noout -modulus' functional also for DSA certificates
     (in addition to RSA certificates) to match the behaviour of `openssl dsa
     -noout -modulus' as it's already the case for `openssl rsa -noout
     -modulus'. For RSA the -modulus is the real "modulus" while for DSA
     currently the public key is printed (a decision which was already done by
     `openssl dsa -modulus' in the past) which serves a similar purpose.
     Additionally the NO_RSA no longer completely removes the whole -modulus
     option; it now only avoids using the RSA stuff. Same applies to NO_DSA
     now, too.
     [Ralf S. Engelschall]

  *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
     BIO. See the source (crypto/evp/bio_ok.c) for more info.
     [Arne Ansper <arne@ats.cyber.ee>]

  *) Dump the old yucky req code that tried (and failed) to allow raw OIDs
     to be added. Now both 'req' and 'ca' can use new objects defined in the
     config file.
     [Steve Henson]

  *) Add cool BIO that does syslog (or event log on NT).
     [Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie]

  *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
     TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
     TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
     Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
     [Ben Laurie]

  *) Add preliminary config info for new extension code.
     [Steve Henson]

  *) Make RSA_NO_PADDING really use no padding.
     [Ulf Moeller <ulf@fitug.de>]

  *) Generate errors when private/public key check is done.
     [Ben Laurie]

  *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
     for some CRL extensions and new objects added.
     [Steve Henson]

  *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private
     key usage extension and fuller support for authority key id.
     [Steve Henson]

  *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
     padding method for RSA, which is recommended for new applications in PKCS
     #1 v2.0 (RFC 2437, October 1998).
     OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
     foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
     against Bleichenbacher's attack on RSA.
     [Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
     Ben Laurie]

  *) Updates to the new SSL compression code
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Fix so that the version number in the master secret, when passed
     via RSA, checks that if TLS was proposed, but we roll back to SSLv3
     (because the server will not accept higher), that the version number
     is 0x03,0x01, not 0x03,0x00
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
     leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
     in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
     [Steve Henson]

  *) Support for RAW extensions where an arbitrary extension can be
     created by including its DER encoding. See apps/openssl.cnf for
     an example.
     [Steve Henson]

  *) Make sure latest Perl versions don't interpret some generated C array
     code as Perl array code in the crypto/err/err_genc.pl script.
     [Lars Weber <3weber@informatik.uni-hamburg.de>]

  *) Modify ms/do_ms.bat to not generate assembly language makefiles since
     not many people have the assembler. Various Win32 compilation fixes and
     update to the INSTALL.W32 file with (hopefully) more accurate Win32
     build instructions.
     [Steve Henson]

  *) Modify configure script 'Configure' to automatically create crypto/date.h
     file under Win32 and also build pem.h from pem.org. New script
     util/mkfiles.pl to create the MINFO file on environments that can't do a
     'make files': perl util/mkfiles.pl >MINFO should work.
     [Steve Henson]

  *) Major rework of DES function declarations, in the pursuit of correctness
     and purity. As a result, many evil casts evaporated, and some weirdness,
     too. You may find this causes warnings in your code. Zapping your evil
     casts will probably fix them. Mostly.
     [Ben Laurie]

  *) Fix for a typo in asn1.h. Bug fix to object creation script
     obj_dat.pl. It considered a zero in an object definition to mean
     "end of object": none of the objects in objects.h have any zeros
     so it wasn't spotted.
     [Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>]

  *) Add support for Triple DES Cipher Block Chaining with Output Feedback
     Masking (CBCM). In the absence of test vectors, the best I have been able
     to do is check that the decrypt undoes the encrypt, so far. Send me test
     vectors if you have them.
     [Ben Laurie]

  *) Correct calculation of key length for export ciphers (too much space was
     allocated for null ciphers). This has not been tested!
     [Ben Laurie]

  *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage
     message is now correct (it understands "crypto" and "ssl" on its
     command line). There is also now an "update" option. This will update
     the util/ssleay.num and util/libeay.num files with any new functions.
     If you do a:
        perl util/mkdef.pl crypto ssl update
     it will update them.
     [Steve Henson]

  *) Overhauled the Perl interface (perl/*):
     - ported BN stuff to OpenSSL's different BN library
     - made the perl/ source tree CVS-aware
     - renamed the package from SSLeay to OpenSSL (the files still contain
       their history because I've copied them in the repository)
     - removed obsolete files (the test scripts will be replaced
       by better Test::Harness variants in the future)
     [Ralf S. Engelschall]

  *) First cut for a very conservative source tree cleanup:
     1. merge various obsolete readme texts into doc/ssleay.txt
        where we collect the old documents and readme texts.
     2. remove the first part of files where I'm already sure that we no
        longer need them because of three reasons: either they are just
        temporary files which were left by Eric or they are preserved original
        files where I've verified that the diff is also available in the CVS
        via "cvs diff -rSSLeay_0_8_1b" or they were renamed (as it was
        definitely the case for the crypto/md/ stuff).
     [Ralf S. Engelschall]

  *) More extension code. Incomplete support for subject and issuer alt
     name, issuer and authority key id. Change the i2v function parameters
     and add an extra 'crl' parameter in the X509V3_CTX structure: guess
     what that's for :-) Fix to ASN1 macro which messed up
     IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
     [Steve Henson]

  *) Preliminary support for ENUMERATED type. This is largely copied from the
     INTEGER code.
     [Steve Henson]

  *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Make sure `make rehash' target really finds the `openssl' program.
     [Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]

  *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
     like to hear about it if this slows down other processors.
     [Ben Laurie]

  *) Add CygWin32 platform information to Configure script.
     [Alan Batie <batie@aahz.jf.intel.com>]

  *) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
     [Rainer W. Gerling <gerling@mpg-gv.mpg.de>]

  *) New program nseq to manipulate netscape certificate sequences
     [Steve Henson]

  *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
     few typos.
     [Steve Henson]

  *) Fixes to BN code.
     Previously the default was to define BN_RECURSION
     but the BN code had some problems that would cause failures when
     doing certificate verification and some other functions.
     [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]

  *) Add ASN1 and PEM code to support netscape certificate sequences.
     [Steve Henson]

  *) Add several PKIX and private extended key usage OIDs.
     [Steve Henson]

  *) Modify the 'ca' program to handle the new extension code. Modify
     openssl.cnf for new extension format, add comments.
     [Steve Henson]

  *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
     and add a sample to openssl.cnf so req -x509 now adds appropriate
     CA extensions.
     [Steve Henson]

  *) Continued X509 V3 changes. Add to other makefiles, integrate with the
     error code, add initial support to X509_print() and x509 application.
     [Steve Henson]

  *) Take a deep breath and start adding X509 V3 extension support code. Add
     files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
     stuff is currently isolated and isn't even compiled yet.
     [Steve Henson]

  *) Continuing patches for GeneralizedTime. Fix up certificate and CRL
     ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
     Removed the versions check from X509 routines when loading extensions:
     this allows certain broken certificates that don't set the version
     properly to be processed.
     [Steve Henson]

  *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
     Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
     can still be regenerated with "make depend".
     [Ben Laurie]

  *) Spelling mistake in C version of CAST-128.
     [Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]

  *) Changes to the error generation code. The perl script err-code.pl
     now reads in the old error codes and retains the old numbers, only
     adding new ones if necessary. It also only changes the .err files if new
     codes are added. The makefiles have been modified to only insert errors
     when needed (to avoid needlessly modifying header files). This is done
     by only inserting errors if the .err file is newer than the auto generated
     C file. To rebuild all the error codes from scratch (the old behaviour)
     either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
     or delete all the .err files.
     [Steve Henson]

  *) CAST-128 was incorrectly implemented for short keys. The C version has
     been fixed, but is untested. The assembler versions are also fixed, but
     new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
     to regenerate it if needed.
     [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
     Hagino <itojun@kame.net>]

  *) File was opened incorrectly in randfile.c.
     [Ulf Möller <ulf@fitug.de>]

  *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
     functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
     GeneralizedTime. ASN1_TIME is the proper type used in certificates et
     al: it's just almost always a UTCTime. Note this patch adds new error
     codes so do a "make errors" if there are problems.
     [Steve Henson]

  *) Correct Linux 1 recognition in config.
     [Ulf Möller <ulf@fitug.de>]

  *) Remove pointless MD5 hash when using DSA keys in ca.
     [Anonymous <nobody@replay.com>]

  *) Generate an error if given an empty string as a cert directory. Also
     generate an error if handed NULL (previously returned 0 to indicate an
     error, but didn't set one).
     [Ben Laurie, reported by Anonymous <nobody@replay.com>]

  *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
     [Ben Laurie]

  *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
     parameters. This was causing a warning which killed off the Win32 compile.
     [Steve Henson]

  *) Remove C++ style comments from crypto/bn/bn_local.h.
     [Neil Costigan <neil.costigan@celocom.com>]

  *) The function OBJ_txt2nid was broken. It was supposed to return a nid
     based on a text string, looking up short and long names and finally
     "dot" format.
     The "dot" format stuff didn't work. Added new function
     OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
     OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
     OID is not part of the table.
     [Steve Henson]

  *) Add prototypes to X509 lookup/verify methods, fixing a bug in
     X509_LOOKUP_by_alias().
     [Ben Laurie]

  *) Sort openssl functions by name.
     [Ben Laurie]

  *) Get the gendsa program working (hopefully) and add it to app list. Remove
     encryption from sample DSA keys (in case anyone is interested the password
     was "1234").
     [Steve Henson]

  *) Make _all_ *_free functions accept a NULL pointer.
     [Frans Heymans <fheymans@isaserver.be>]

  *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use
     NULL pointers.
     [Anonymous <nobody@replay.com>]

  *) s_server should send the CAfile as acceptable CAs, not its own cert.
     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]

  *) Don't blow it for numeric -newkey arguments to apps/req.
     [Bodo Moeller <3moeller@informatik.uni-hamburg.de>]

  *) Temp key "for export" tests were wrong in s3_srvr.c.
     [Anonymous <nobody@replay.com>]

  *) Add prototype for temp key callback functions
     SSL_CTX_set_tmp_{rsa,dh}_callback().
     [Ben Laurie]

  *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
     DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
     [Steve Henson]

  *) X509_name_add_entry() freed the wrong thing after an error.
     [Arne Ansper <arne@ats.cyber.ee>]

  *) rsa_eay.c would attempt to free a NULL context.
     [Arne Ansper <arne@ats.cyber.ee>]

  *) BIO_s_socket() had a broken should_retry() on Windoze.
     [Arne Ansper <arne@ats.cyber.ee>]

  *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
     [Arne Ansper <arne@ats.cyber.ee>]

  *) Make sure the already existing X509_STORE->depth variable is initialized
     in X509_STORE_new(), but document the fact that this variable is still
     unused in the certificate verification process.
     [Ralf S. Engelschall]

  *) Fix the various library and apps files to free up pkeys obtained from
     X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
     [Steve Henson]

  *) Fix reference counting in X509_PUBKEY_get(). This makes
     demos/maurice/example2.c work, amongst others, probably.
     [Steve Henson and Ben Laurie]

  *) First cut of a cleanup for apps/. First the `ssleay' program is now named
     `openssl' and second, the shortcut symlinks for the `openssl <command>'
     are no longer created. This way we have a single and consistent command
     line interface `openssl <command>', similar to `cvs <command>'.
     [Ralf S. Engelschall, Paul Sutton and Ben Laurie]

  *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
     BIT STRING wrapper always have zero unused bits.
     [Steve Henson]

  *) Add CA.pl, perl version of CA.sh, add extended key usage OID.
     [Steve Henson]

  *) Make the top-level INSTALL documentation easier to understand.
     [Paul Sutton]

  *) Makefiles updated to exit if an error occurs in a sub-directory
     make (including if user presses ^C)
     [Paul Sutton]

  *) Make Montgomery context stuff explicit in RSA data structure.
     [Ben Laurie]

  *) Fix build order of pem and err to allow for generated pem.h.
     [Ben Laurie]

  *) Fix renumbering bug in X509_NAME_delete_entry().
     [Ben Laurie]

  *) Enhanced the err-ins.pl script so it makes the error library number
     global and can add a library name. This is needed for external ASN1 and
     other error libraries.
     [Steve Henson]

  *) Fixed sk_insert which never worked properly.
     [Steve Henson]

  *) Fix ASN1 macros so they can handle indefinite length constructed
     EXPLICIT tags. Some non standard certificates use these: they can now
     be read in.
     [Steve Henson]

  *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
     into a single doc/ssleay.txt bundle. This way the information is still
     preserved but no longer messes up this directory. Now it's new room for
     the new set of documentation files.
     [Ralf S. Engelschall]

  *) SETs were incorrectly DER encoded. This was a major pain, because they
     shared code with SEQUENCEs, which aren't coded the same.
     This means that
     almost everything to do with SETs or SEQUENCEs has either changed name or
     number of arguments.
     [Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>]

  *) Fix test data to work with the above.
     [Ben Laurie]

  *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
     was already fixed by Eric for 0.9.1 it seems.
     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]

  *) Autodetect FreeBSD3.
     [Ben Laurie]

  *) Fix various bugs in Configure. This affects the following platforms:
        nextstep
        ncr-scde
        unixware-2.0
        unixware-2.0-pentium
        sco5-cc.
     [Ben Laurie]

  *) Eliminate generated files from CVS. Reorder tests to regenerate files
     before they are needed.
     [Ben Laurie]

  *) Generate Makefile.ssl from Makefile.org (to keep CVS happy).
     [Ben Laurie]


 Changes between 0.9.1b and 0.9.1c [23-Dec-1998]

  *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
     changed SSLeay to OpenSSL in version strings.
     [Ralf S. Engelschall]

  *) Some fixups to the top-level documents.
     [Paul Sutton]

  *) Fixed the nasty bug where rsaref.h was not found under compile-time
     because the symlink to include/ was missing.
     [Ralf S. Engelschall]

  *) Incorporated the popular no-RSA/DSA-only patches
     which allow to compile a RSA-free SSLeay.
     [Andrew Cooke / Interrader Ltd., Ralf S. Engelschall]

  *) Fixed nasty rehash problem under `make -f Makefile.ssl links'
     when "ssleay" is still not found.
     [Ralf S. Engelschall]

  *) Added more platforms to Configure: Cray T3E, HPUX 11,
     [Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]

  *) Updated the README file.
     [Ralf S. Engelschall]

  *) Added various .cvsignore files in the CVS repository subdirs
     to make a "cvs update" really silent.
     [Ralf S. Engelschall]

  *) Recompiled the error-definition header files and added
     missing symbols to the Win32 linker tables.
     [Ralf S. Engelschall]

  *) Cleaned up the top-level documents;
     o new files: CHANGES and LICENSE
     o merged VERSION, HISTORY* and README* files into a CHANGES.SSLeay
     o merged COPYRIGHT into LICENSE
     o removed obsolete TODO file
     o renamed MICROSOFT to INSTALL.W32
     [Ralf S. Engelschall]

  *) Removed dummy files from the 0.9.1b source tree:
     crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
     crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
     crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
     crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
     util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
     [Ralf S. Engelschall]

  *) Added various platform portability fixes.
     [Mark J.
     Cox]

  *) The Genesis of the OpenSSL project:
     We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
     Young and Tim J. Hudson created while they were working for C2Net until
     summer 1998.
     [The OpenSSL Project]


 Changes between 0.9.0b and 0.9.1b [not released]

  *) Updated a few CA certificates under certs/
     [Eric A. Young]

  *) Changed some BIGNUM api stuff.
     [Eric A. Young]

  *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
     DGUX x86, Linux Alpha, etc.
     [Eric A. Young]

  *) New COMP library [crypto/comp/] for SSL Record Layer Compression:
     RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
     available).
     [Eric A. Young]

  *) Add -strparse option to asn1pars program which parses nested
     binary structures
     [Dr Stephen Henson <shenson@bigfoot.com>]

  *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
     [Eric A. Young]

  *) DSA fix for "ca" program.
     [Eric A. Young]

  *) Added "-genkey" option to "dsaparam" program.
     [Eric A. Young]

  *) Added RIPE MD160 (rmd160) message digest.
     [Eric A. Young]

  *) Added -a (all) option to "ssleay version" command.
     [Eric A. Young]

  *) Added PLATFORM define which is the id given to Configure.
     [Eric A.
     Young]

  *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
     [Eric A. Young]

  *) Extended the ASN.1 parser routines.
     [Eric A. Young]

  *) Extended BIO routines to support REUSEADDR, seek, tell, etc.
     [Eric A. Young]

  *) Added a BN_CTX to the BN library.
     [Eric A. Young]

  *) Fixed the weak key values in DES library
     [Eric A. Young]

  *) Changed API in EVP library for cipher aliases.
     [Eric A. Young]

  *) Added support for RC2/64bit cipher.
     [Eric A. Young]

  *) Converted the lhash library to the crypto/mem.c functions.
     [Eric A. Young]

  *) Added more recognized ASN.1 object ids.
     [Eric A. Young]

  *) Added more RSA padding checks for SSL/TLS.
     [Eric A. Young]

  *) Added BIO proxy/filter functionality.
     [Eric A. Young]

  *) Added extra_certs to SSL_CTX which can be used to
     send extra CA certificates to the client in the CA cert chain sending
     process. It can be configured with SSL_CTX_add_extra_chain_cert().
     [Eric A. Young]

  *) Now Fortezza is denied in the authentication phase because
     this key exchange mechanism is not supported by SSLeay at all.
     [Eric A. Young]

  *) Additional PKCS1 checks.
     [Eric A. Young]

  *) Support the string "TLSv1" for all TLS v1 ciphers.
     [Eric A.
     Young]

  *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
     ex_data index of the SSL context in the X509_STORE_CTX ex_data.
     [Eric A. Young]

  *) Fixed a few memory leaks.
     [Eric A. Young]

  *) Fixed various code and comment typos.
     [Eric A. Young]

  *) A minor bug in ssl/s3_clnt.c where there would always be 4 0
     bytes sent in the client random.
     [Edward Bishop <ebishop@spyglass.com>]
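The pre-0.9.1c entries above on SET DER encoding ("SETs were incorrectly DER encoded ... shared code with SEQUENCEs, which aren't coded the same") and on PKCS#7 verification reordering signed attributes both turn on one X.690 rule: a DER SEQUENCE OF keeps the elements in the order given, while a DER SET OF must emit its elements sorted by their complete encodings. PKCS#7 signed attributes are a SET OF, and the signature is computed over that canonical encoding, so a verifier that re-encodes them in any other order hashes different bytes and the signature fails. The following is an added example written for this page, not OpenSSL code; it encodes three constructed sample elements (hypothetical, not taken from a real message) both ways and shows that only the SET OF result is independent of input order.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One already-encoded DER element (tag, length and value octets). */
typedef struct {
    const unsigned char *der;
    size_t len;
} der_elem;

#define DER_SEQUENCE_OF 0x30
#define DER_SET_OF      0x31

/* DER definite-length header; enough for bodies below 65536 octets. */
static size_t der_put_len(unsigned char *out, size_t len)
{
    if (len < 0x80) { out[0] = (unsigned char)len; return 1; }
    if (len < 0x100) { out[0] = 0x81; out[1] = (unsigned char)len; return 2; }
    out[0] = 0x82; out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)len;
    return 3;
}

/* X.690 DER ordering for SET OF: compare the whole encodings as octet
 * strings; a shorter encoding that is a prefix of a longer one sorts first. */
static int der_elem_cmp(const void *a, const void *b)
{
    const der_elem *x = a, *y = b;
    size_t n = x->len < y->len ? x->len : y->len;
    int c = memcmp(x->der, y->der, n);
    if (c != 0) return c;
    return (x->len > y->len) - (x->len < y->len);
}

/* Encode n elements under a constructed tag. SEQUENCE OF keeps the caller's
 * order; SET OF is sorted as DER requires. Returns bytes written, 0 on error. */
size_t der_encode_of(unsigned char tag, const der_elem *elems, size_t n,
                     unsigned char *out, size_t outlen)
{
    der_elem *work;
    unsigned char lenbuf[3];
    size_t i, body = 0, hdr, pos;

    if (n == 0 || (work = malloc(n * sizeof *work)) == NULL)
        return 0;
    memcpy(work, elems, n * sizeof *work);
    if (tag == DER_SET_OF)
        qsort(work, n, sizeof *work, der_elem_cmp);
    for (i = 0; i < n; i++)
        body += work[i].len;
    hdr = der_put_len(lenbuf, body);
    if (outlen < 1 + hdr + body) { free(work); return 0; }
    out[0] = tag;
    memcpy(out + 1, lenbuf, hdr);
    pos = 1 + hdr;
    for (i = 0; i < n; i++) {
        memcpy(out + pos, work[i].der, work[i].len);
        pos += work[i].len;
    }
    free(work);
    return pos;
}

/* Constructed sample elements (hypothetical, not from a real PKCS#7 message):
 * PrintableString "b", INTEGER 5, OCTET STRING "a". */
static const unsigned char EL_STR[] = { 0x13, 0x01, 'b' };
static const unsigned char EL_INT[] = { 0x02, 0x01, 0x05 };
static const unsigned char EL_OCT[] = { 0x04, 0x01, 'a' };

/* Canonical DER of SET OF the three: sorted by encoding, so tags 02, 04, 13. */
static const unsigned char EXPECTED_SET[] = {
    0x31, 0x09, 0x02, 0x01, 0x05, 0x04, 0x01, 'a', 0x13, 0x01, 'b'
};

/* Encode the same three elements supplied in two different orders. */
static int encode_both_orders(unsigned char tag, unsigned char *o1,
                              unsigned char *o2, size_t cap,
                              size_t *l1, size_t *l2)
{
    der_elem a[3] = { { EL_STR, 3 }, { EL_INT, 3 }, { EL_OCT, 3 } };
    der_elem b[3] = { { EL_OCT, 3 }, { EL_STR, 3 }, { EL_INT, 3 } };
    *l1 = der_encode_of(tag, a, 3, o1, cap);
    *l2 = der_encode_of(tag, b, 3, o2, cap);
    return *l1 != 0 && *l2 != 0;
}

/* 1 if SET OF yields the canonical bytes whatever the input order. */
int set_of_is_canonical(void)
{
    unsigned char o1[32], o2[32];
    size_t l1, l2;
    if (!encode_both_orders(DER_SET_OF, o1, o2, sizeof o1, &l1, &l2)) return 0;
    return l1 == sizeof EXPECTED_SET && l2 == l1
        && memcmp(o1, EXPECTED_SET, l1) == 0 && memcmp(o2, EXPECTED_SET, l2) == 0;
}

/* 1 if SEQUENCE OF preserves order, so the two inputs encode differently. */
int sequence_of_keeps_order(void)
{
    unsigned char o1[32], o2[32];
    size_t l1, l2;
    if (!encode_both_orders(DER_SEQUENCE_OF, o1, o2, sizeof o1, &l1, &l2)) return 0;
    return l1 == l2 && memcmp(o1, o2, l1) != 0 && o1[2] == 0x13 && o2[2] == 0x04;
}

int main(void)
{
    printf("SET OF canonical: %d, SEQUENCE OF order-dependent: %d\n",
           set_of_is_canonical(), sequence_of_keeps_order());
    return 0;
}
```

The comparison in der_elem_cmp is over the full TLV, which is why tag value decides first and a shorter prefix sorts earlier; a verifier that hashes signed attributes must run them through the SET OF path, never the SEQUENCE OF path, before digesting.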
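Three entries above touch the same server-side check: the 0.9.1c-era fix that the version in the RSA-encrypted pre-master secret must be the version the client proposed (0x03,0x01) even when the handshake rolls back to SSLv3, and the 0.9.1b entries "Added more RSA padding checks for SSL/TLS" and "Additional PKCS1 checks". The following is an added example, not OpenSSL code: it validates a PKCS#1 v1.5 block-type-2 decryption result the way a TLS server should, with the block type, the minimum eight padding bytes, the 48-byte payload length and the client_version all folded into one flag and the output selected without branching, so that a failed check swaps in a caller-supplied random secret instead of reporting which check failed (the behaviour Bleichenbacher's attack exploits when a server does report it). The 64-byte sample block and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PMS_LEN 48   /* TLS pre-master secret: 2 version bytes + 46 random */

/* Branchless helpers: no data-dependent branches or table lookups. */
static unsigned ct_eq_u8(unsigned a, unsigned b)
{
    unsigned x = (a ^ b) & 0xffu;          /* 0 iff equal */
    return ((x - 1u) >> 8) & 1u;           /* borrow only when x == 0 */
}

static unsigned ct_lt_sz(size_t a, size_t b)   /* 1 iff a < b, small values */
{
    return (unsigned)((a - b) >> (sizeof(size_t) * 8 - 1));
}

static unsigned ct_eq_sz(size_t a, size_t b)
{
    size_t x = a ^ b;
    return (unsigned)(((x | ((size_t)0 - x)) >> (sizeof(size_t) * 8 - 1)) ^ 1u);
}

static uint8_t ct_sel_u8(unsigned take, uint8_t a, uint8_t b)
{
    uint8_t m = (uint8_t)(0u - take);      /* 0xff if take, else 0x00 */
    return (uint8_t)((a & m) | (b & (uint8_t)~m));
}

static size_t ct_sel_sz(unsigned take, size_t a, size_t b)
{
    size_t m = (size_t)0 - (size_t)take;
    return (a & m) | (b & ~m);
}

/* em[0..emlen) is the raw RSA decryption (same length as the modulus). It
 * must be 00 02 <PS: at least 8 non-zero bytes> 00 <48-byte PMS>, and the
 * PMS must begin with client_version, the version the client offered in
 * ClientHello, not the version finally negotiated. Every check lands in
 * `ok`; `out` receives the PMS if ok, else `fallback` (a random secret the
 * caller generated). Returning ok is for the demonstrations below only; a
 * server must not expose it and should let Finished fail instead. */
int tls_rsa_premaster_unpad(const uint8_t *em, size_t emlen,
                            uint16_t client_version,
                            const uint8_t fallback[PMS_LEN],
                            uint8_t out[PMS_LEN])
{
    unsigned ok, found = 0;
    size_t i, zero_pos = 0;
    const uint8_t *m;

    if (emlen < 11 + PMS_LEN) {            /* modulus size is public */
        memcpy(out, fallback, PMS_LEN);
        return 0;
    }
    ok = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02);

    /* Locate the first 0x00 after the two header bytes without branching. */
    for (i = 2; i < emlen; i++) {
        unsigned is_zero = ct_eq_u8(em[i], 0x00);
        unsigned take = is_zero & (found ^ 1u);
        zero_pos = ct_sel_sz(take, i, zero_pos);
        found |= is_zero;
    }
    ok &= found;
    ok &= ct_lt_sz(9, zero_pos);                       /* >= 8 PS bytes */
    ok &= ct_eq_sz(zero_pos, emlen - PMS_LEN - 1);     /* exactly 48 left */

    m = em + emlen - PMS_LEN;                          /* fixed position */
    ok &= ct_eq_u8(m[0], client_version >> 8);
    ok &= ct_eq_u8(m[1], client_version & 0xffu);

    for (i = 0; i < PMS_LEN; i++)
        out[i] = ct_sel_u8(ok, m[i], fallback[i]);
    return (int)ok;
}

/* Constructed 64-byte block (512-bit modulus), not a real RSA decryption:
 * 00 <block_type> 13 x 0xA5 00 <ver hi> <ver lo> 46 x 0x42. */
static void build_sample_em(uint8_t em[64], uint8_t block_type, uint16_t ver)
{
    size_t i;
    em[0] = 0x00; em[1] = block_type;
    for (i = 2; i < 64 - PMS_LEN - 1; i++) em[i] = 0xA5;
    em[64 - PMS_LEN - 1] = 0x00;
    em[64 - PMS_LEN] = (uint8_t)(ver >> 8);
    em[64 - PMS_LEN + 1] = (uint8_t)ver;
    for (i = 64 - PMS_LEN + 2; i < 64; i++) em[i] = 0x42;
}

/* Client offered TLS 1.0 and the PMS carries 0x0301: accepted. */
int demo_valid_block(void)
{
    uint8_t em[64], out[PMS_LEN], fb[PMS_LEN];
    memset(fb, 0xEE, sizeof fb);
    build_sample_em(em, 0x02, 0x0301);
    return tls_rsa_premaster_unpad(em, 64, 0x0301, fb, out) == 1
        && out[0] == 0x03 && out[1] == 0x01 && out[PMS_LEN - 1] == 0x42;
}

/* Client offered TLS 1.0 but the PMS says 0x0300: the rollback case from the
 * 0.9.1c entry. Rejected, and the output is the fallback secret. */
int demo_rollback_version(void)
{
    uint8_t em[64], out[PMS_LEN], fb[PMS_LEN];
    memset(fb, 0xEE, sizeof fb);
    build_sample_em(em, 0x02, 0x0300);
    return tls_rsa_premaster_unpad(em, 64, 0x0301, fb, out) == 0
        && memcmp(out, fb, PMS_LEN) == 0;
}

/* Block type 1 instead of 2: rejected the same way. */
int demo_bad_block_type(void)
{
    uint8_t em[64], out[PMS_LEN], fb[PMS_LEN];
    memset(fb, 0xEE, sizeof fb);
    build_sample_em(em, 0x01, 0x0301);
    return tls_rsa_premaster_unpad(em, 64, 0x0301, fb, out) == 0
        && memcmp(out, fb, PMS_LEN) == 0;
}

int main(void)
{
    printf("valid=%d rollback=%d bad_type=%d\n", demo_valid_block(),
           demo_rollback_version(), demo_bad_block_type());
    return 0;
}
```

Note that the version compared against is the one from ClientHello, which the server remembers from the handshake transcript; comparing against the negotiated version would accept 0x03,0x00 after a rollback and defeat the check.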