1 2 OpenSSL CHANGES 3 _______________ 4 5 Changes between 0.9.8y and 0.9.8za [5 Jun 2014] 6 7 *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted 8 handshake can force the use of weak keying material in OpenSSL 9 SSL/TLS clients and servers. 10 11 Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and 12 researching this issue. (CVE-2014-0224) 13 [KIKUCHI Masashi, Steve Henson] 14 15 *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an 16 OpenSSL DTLS client the code can be made to recurse eventually crashing 17 in a DoS attack. 18 19 Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. 20 (CVE-2014-0221) 21 [Imre Rad, Steve Henson] 22 23 *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can 24 be triggered by sending invalid DTLS fragments to an OpenSSL DTLS 25 client or server. This is potentially exploitable to run arbitrary 26 code on a vulnerable client or server. 27 28 Thanks to J�ri Aedla for reporting this issue. (CVE-2014-0195) 29 [J�ri Aedla, Steve Henson] 30 31 *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites 32 are subject to a denial of service attack. 33 34 Thanks to Felix Gr�bert and Ivan Fratric at Google for discovering 35 this issue. (CVE-2014-3470) 36 [Felix Gr�bert, Ivan Fratric, Steve Henson] 37 38 *) Fix for the attack described in the paper "Recovering OpenSSL 39 ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" 40 by Yuval Yarom and Naomi Benger. Details can be obtained from: 41 http://eprint.iacr.org/2014/140 42 43 Thanks to Yuval Yarom and Naomi Benger for discovering this 44 flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) 45 [Yuval Yarom and Naomi Benger] 46 47 Thanks to mancha for backporting the fix to the 0.9.8 branch. 48 49 *) Fix handling of warning-level alerts in SSL23 client mode so they 50 don't cause client-side termination (eg. on SNI unrecognized_name 51 warnings). Add client and server support for six additional alerts 52 per RFC 6066 and RFC 4279. 53 [mancha] 54 55 *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which 56 avoids preferring ECDHE-ECDSA ciphers when the client appears to be 57 Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for 58 several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug 59 is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 60 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. 61 [Rob Stradling, Adam Langley] 62 63 Changes between 0.9.8x and 0.9.8y [5 Feb 2013] 64 65 *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. 66 67 This addresses the flaw in CBC record processing discovered by 68 Nadhem Alfardan and Kenny Paterson. Details of this attack can be found 69 at: http://www.isg.rhul.ac.uk/tls/ 70 71 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information 72 Security Group at Royal Holloway, University of London 73 (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and 74 Emilia K�sper for the initial patch. 75 (CVE-2013-0169) 76 [Emilia K�sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] 77 78 *) Return an error when checking OCSP signatures when key is NULL. 79 This fixes a DoS attack. (CVE-2013-0166) 80 [Steve Henson] 81 82 *) Call OCSP Stapling callback after ciphersuite has been chosen, so 83 the right response is stapled. Also change SSL_get_certificate() 84 so it returns the certificate actually sent. 85 See http://rt.openssl.org/Ticket/Display.html?id=2836. 86 (This is a backport) 87 [Rob Stradling <rob.stradling@comodo.com>] 88 89 *) Fix possible deadlock when decoding public keys. 90 [Steve Henson] 91 92 Changes between 0.9.8w and 0.9.8x [10 May 2012] 93 94 *) Sanity check record length before skipping explicit IV in DTLS 95 to fix DoS attack. 96 97 Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic 98 fuzzing as a service testing platform. 99 (CVE-2012-2333) 100 [Steve Henson] 101 102 *) Initialise tkeylen properly when encrypting CMS messages. 103 Thanks to Solar Designer of Openwall for reporting this issue. 104 [Steve Henson] 105 106 Changes between 0.9.8v and 0.9.8w [23 Apr 2012] 107 108 *) The fix for CVE-2012-2110 did not take into account that the 109 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an 110 int in OpenSSL 0.9.8, making it still vulnerable. Fix by 111 rejecting negative len parameter. (CVE-2012-2131) 112 [Tomas Hoger <thoger@redhat.com>] 113 114 Changes between 0.9.8u and 0.9.8v [19 Apr 2012] 115 116 *) Check for potentially exploitable overflows in asn1_d2i_read_bio 117 BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer 118 in CRYPTO_realloc_clean. 119 120 Thanks to Tavis Ormandy, Google Security Team, for discovering this 121 issue and to Adam Langley <agl@chromium.org> for fixing it. 122 (CVE-2012-2110) 123 [Adam Langley (Google), Tavis Ormandy, Google Security Team] 124 125 Changes between 0.9.8t and 0.9.8u [12 Mar 2012] 126 127 *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness 128 in CMS and PKCS7 code. When RSA decryption fails use a random key for 129 content decryption and always return the same error. Note: this attack 130 needs on average 2^20 messages so it only affects automated senders. The 131 old behaviour can be reenabled in the CMS code by setting the 132 CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where 133 an MMA defence is not necessary. 134 Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering 135 this issue. (CVE-2012-0884) 136 [Steve Henson] 137 138 *) Fix CVE-2011-4619: make sure we really are receiving a 139 client hello before rejecting multiple SGC restarts. Thanks to 140 Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. 141 [Steve Henson] 142 143 Changes between 0.9.8s and 0.9.8t [18 Jan 2012] 144 145 *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. 146 Thanks to Antonio Martin, Enterprise Secure Access Research and 147 Development, Cisco Systems, Inc. for discovering this bug and 148 preparing a fix. (CVE-2012-0050) 149 [Antonio Martin] 150 151 Changes between 0.9.8r and 0.9.8s [4 Jan 2012] 152 153 *) Nadhem Alfardan and Kenny Paterson have discovered an extension 154 of the Vaudenay padding oracle attack on CBC mode encryption 155 which enables an efficient plaintext recovery attack against 156 the OpenSSL implementation of DTLS. Their attack exploits timing 157 differences arising during decryption processing. A research 158 paper describing this attack can be found at: 159 http://www.isg.rhul.ac.uk/~kp/dtls.pdf 160 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information 161 Security Group at Royal Holloway, University of London 162 (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann 163 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> 164 for preparing the fix. (CVE-2011-4108) 165 [Robin Seggelmann, Michael Tuexen] 166 167 *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) 168 [Ben Laurie, Kasper <ekasper@google.com>] 169 170 *) Clear bytes used for block padding of SSL 3.0 records. 171 (CVE-2011-4576) 172 [Adam Langley (Google)] 173 174 *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George 175 Kadianakis <desnacked@gmail.com> for discovering this issue and 176 Adam Langley for preparing the fix. (CVE-2011-4619) 177 [Adam Langley (Google)] 178 179 *) Prevent malformed RFC3779 data triggering an assertion failure. 180 Thanks to Andrew Chi, BBN Technologies, for discovering the flaw 181 and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) 182 [Rob Austein <sra@hactrn.net>] 183 184 *) Fix ssl_ciph.c set-up race. 185 [Adam Langley (Google)] 186 187 *) Fix spurious failures in ecdsatest.c. 188 [Emilia K�sper (Google)] 189 190 *) Fix the BIO_f_buffer() implementation (which was mixing different 191 interpretations of the '..._len' fields). 192 [Adam Langley (Google)] 193 194 *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than 195 BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent 196 threads won't reuse the same blinding coefficients. 197 198 This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING 199 lock to call BN_BLINDING_invert_ex, and avoids one use of 200 BN_BLINDING_update for each BN_BLINDING structure (previously, 201 the last update always remained unused). 202 [Emilia K�sper (Google)] 203 204 *) Fix SSL memory handling for (EC)DH ciphersuites, in particular 205 for multi-threaded use of ECDH. 206 [Adam Langley (Google)] 207 208 *) Fix x509_name_ex_d2i memory leak on bad inputs. 209 [Bodo Moeller] 210 211 *) Add protection against ECDSA timing attacks as mentioned in the paper 212 by Billy Bob Brumley and Nicola Tuveri, see: 213 214 http://eprint.iacr.org/2011/232.pdf 215 216 [Billy Bob Brumley and Nicola Tuveri] 217 218 Changes between 0.9.8q and 0.9.8r [8 Feb 2011] 219 220 *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 221 [Neel Mehta, Adam Langley, Bodo Moeller (Google)] 222 223 *) Fix bug in string printing code: if *any* escaping is enabled we must 224 escape the escape character (backslash) or the resulting string is 225 ambiguous. 226 [Steve Henson] 227 228 Changes between 0.9.8p and 0.9.8q [2 Dec 2010] 229 230 *) Disable code workaround for ancient and obsolete Netscape browsers 231 and servers: an attacker can use it in a ciphersuite downgrade attack. 232 Thanks to Martin Rex for discovering this bug. CVE-2010-4180 233 [Steve Henson] 234 235 *) Fixed J-PAKE implementation error, originally discovered by 236 Sebastien Martini, further info and confirmation from Stefan 237 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 238 [Ben Laurie] 239 240 Changes between 0.9.8o and 0.9.8p [16 Nov 2010] 241 242 *) Fix extension code to avoid race conditions which can result in a buffer 243 overrun vulnerability: resumed sessions must not be modified as they can 244 be shared by multiple threads. CVE-2010-3864 245 [Steve Henson] 246 247 *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 248 [Steve Henson] 249 250 *) Don't reencode certificate when calculating signature: cache and use 251 the original encoding instead. This makes signature verification of 252 some broken encodings work correctly. 253 [Steve Henson] 254 255 *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT 256 is also one of the inputs. 257 [Emilia K�sper <emilia.kasper@esat.kuleuven.be> (Google)] 258 259 *) Don't repeatedly append PBE algorithms to table if they already exist. 260 Sort table on each new add. This effectively makes the table read only 261 after all algorithms are added and subsequent calls to PKCS12_pbe_add 262 etc are non-op. 263 [Steve Henson] 264 265 Changes between 0.9.8n and 0.9.8o [01 Jun 2010] 266 267 [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after 268 OpenSSL 1.0.0.] 269 270 *) Correct a typo in the CMS ASN1 module which can result in invalid memory 271 access or freeing data twice (CVE-2010-0742) 272 [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>] 273 274 *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more 275 common in certificates and some applications which only call 276 SSL_library_init and not OpenSSL_add_all_algorithms() will fail. 277 [Steve Henson] 278 279 *) VMS fixes: 280 Reduce copying into .apps and .test in makevms.com 281 Don't try to use blank CA certificate in CA.com 282 Allow use of C files from original directories in maketests.com 283 [Steven M. Schweda" <sms@antinode.info>] 284 285 Changes between 0.9.8m and 0.9.8n [24 Mar 2010] 286 287 *) When rejecting SSL/TLS records due to an incorrect version number, never 288 update s->server with a new major version number. As of 289 - OpenSSL 0.9.8m if 'short' is a 16-bit type, 290 - OpenSSL 0.9.8f if 'short' is longer than 16 bits, 291 the previous behavior could result in a read attempt at NULL when 292 receiving specific incorrect SSL/TLS records once record payload 293 protection is active. (CVE-2010-0740) 294 [Bodo Moeller, Adam Langley <agl@chromium.org>] 295 296 *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 297 could be crashed if the relevant tables were not present (e.g. chrooted). 298 [Tomas Hoger <thoger@redhat.com>] 299 300 Changes between 0.9.8l and 0.9.8m [25 Feb 2010] 301 302 *) Always check bn_wexpend() return values for failure. (CVE-2009-3245) 303 [Martin Olsson, Neel Mehta] 304 305 *) Fix X509_STORE locking: Every 'objs' access requires a lock (to 306 accommodate for stack sorting, always a write lock!). 307 [Bodo Moeller] 308 309 *) On some versions of WIN32 Heap32Next is very slow. This can cause 310 excessive delays in the RAND_poll(): over a minute. As a workaround 311 include a time check in the inner Heap32Next loop too. 312 [Steve Henson] 313 314 *) The code that handled flushing of data in SSL/TLS originally used the 315 BIO_CTRL_INFO ctrl to see if any data was pending first. This caused 316 the problem outlined in PR#1949. The fix suggested there however can 317 trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions 318 of Apache). So instead simplify the code to flush unconditionally. 319 This should be fine since flushing with no data to flush is a no op. 320 [Steve Henson] 321 322 *) Handle TLS versions 2.0 and later properly and correctly use the 323 highest version of TLS/SSL supported. Although TLS >= 2.0 is some way 324 off ancient servers have a habit of sticking around for a while... 325 [Steve Henson] 326 327 *) Modify compression code so it frees up structures without using the 328 ex_data callbacks. This works around a problem where some applications 329 call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when 330 restarting) then use compression (e.g. SSL with compression) later. 331 This results in significant per-connection memory leaks and 332 has caused some security issues including CVE-2008-1678 and 333 CVE-2009-4355. 334 [Steve Henson] 335 336 *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't 337 change when encrypting or decrypting. 338 [Bodo Moeller] 339 340 *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to 341 connect and renegotiate with servers which do not support RI. 342 Until RI is more widely deployed this option is enabled by default. 343 [Steve Henson] 344 345 *) Add "missing" ssl ctrls to clear options and mode. 346 [Steve Henson] 347 348 *) If client attempts to renegotiate and doesn't support RI respond with 349 a no_renegotiation alert as required by RFC5746. Some renegotiating 350 TLS clients will continue a connection gracefully when they receive 351 the alert. Unfortunately OpenSSL mishandled this alert and would hang 352 waiting for a server hello which it will never receive. Now we treat a 353 received no_renegotiation alert as a fatal error. This is because 354 applications requesting a renegotiation might well expect it to succeed 355 and would have no code in place to handle the server denying it so the 356 only safe thing to do is to terminate the connection. 357 [Steve Henson] 358 359 *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if 360 peer supports secure renegotiation and 0 otherwise. Print out peer 361 renegotiation support in s_client/s_server. 362 [Steve Henson] 363 364 *) Replace the highly broken and deprecated SPKAC certification method with 365 the updated NID creation version. This should correctly handle UTF8. 366 [Steve Henson] 367 368 *) Implement RFC5746. Re-enable renegotiation but require the extension 369 as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 370 turns out to be a bad idea. It has been replaced by 371 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with 372 SSL_CTX_set_options(). This is really not recommended unless you 373 know what you are doing. 374 [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson] 375 376 *) Fixes to stateless session resumption handling. Use initial_ctx when 377 issuing and attempting to decrypt tickets in case it has changed during 378 servername handling. Use a non-zero length session ID when attempting 379 stateless session resumption: this makes it possible to determine if 380 a resumption has occurred immediately after receiving server hello 381 (several places in OpenSSL subtly assume this) instead of later in 382 the handshake. 383 [Steve Henson] 384 385 *) The functions ENGINE_ctrl(), OPENSSL_isservice(), 386 CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error 387 fixes for a few places where the return code is not checked 388 correctly. 389 [Julia Lawall <julia@diku.dk>] 390 391 *) Add --strict-warnings option to Configure script to include devteam 392 warnings in other configurations. 393 [Steve Henson] 394 395 *) Add support for --libdir option and LIBDIR variable in makefiles. This 396 makes it possible to install openssl libraries in locations which 397 have names other than "lib", for example "/usr/lib64" which some 398 systems need. 399 [Steve Henson, based on patch from Jeremy Utley] 400 401 *) Don't allow the use of leading 0x80 in OIDs. This is a violation of 402 X690 8.9.12 and can produce some misleading textual output of OIDs. 403 [Steve Henson, reported by Dan Kaminsky] 404 405 *) Delete MD2 from algorithm tables. This follows the recommendation in 406 several standards that it is not used in new applications due to 407 several cryptographic weaknesses. For binary compatibility reasons 408 the MD2 API is still compiled in by default. 409 [Steve Henson] 410 411 *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved 412 and restored. 413 [Steve Henson] 414 415 *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and 416 OPENSSL_asc2uni conditionally on Netware platforms to avoid a name 417 clash. 418 [Guenter <lists@gknw.net>] 419 420 *) Fix the server certificate chain building code to use X509_verify_cert(), 421 it used to have an ad-hoc builder which was unable to cope with anything 422 other than a simple chain. 423 [David Woodhouse <dwmw2@infradead.org>, Steve Henson] 424 425 *) Don't check self signed certificate signatures in X509_verify_cert() 426 by default (a flag can override this): it just wastes time without 427 adding any security. As a useful side effect self signed root CAs 428 with non-FIPS digests are now usable in FIPS mode. 429 [Steve Henson] 430 431 *) In dtls1_process_out_of_seq_message() the check if the current message 432 is already buffered was missing. For every new message was memory 433 allocated, allowing an attacker to perform an denial of service attack 434 with sending out of seq handshake messages until there is no memory 435 left. Additionally every future messege was buffered, even if the 436 sequence number made no sense and would be part of another handshake. 437 So only messages with sequence numbers less than 10 in advance will be 438 buffered. (CVE-2009-1378) 439 [Robin Seggelmann, discovered by Daniel Mentz] 440 441 *) Records are buffered if they arrive with a future epoch to be 442 processed after finishing the corresponding handshake. There is 443 currently no limitation to this buffer allowing an attacker to perform 444 a DOS attack with sending records with future epochs until there is no 445 memory left. This patch adds the pqueue_size() function to detemine 446 the size of a buffer and limits the record buffer to 100 entries. 447 (CVE-2009-1377) 448 [Robin Seggelmann, discovered by Daniel Mentz] 449 450 *) Keep a copy of frag->msg_header.frag_len so it can be used after the 451 parent structure is freed. (CVE-2009-1379) 452 [Daniel Mentz] 453 454 *) Handle non-blocking I/O properly in SSL_shutdown() call. 455 [Darryl Miles <darryl-mailinglists@netbauds.net>] 456 457 *) Add 2.5.4.* OIDs 458 [Ilya O. <vrghost@gmail.com>] 459 460 Changes between 0.9.8k and 0.9.8l [5 Nov 2009] 461 462 *) Disable renegotiation completely - this fixes a severe security 463 problem (CVE-2009-3555) at the cost of breaking all 464 renegotiation. Renegotiation can be re-enabled by setting 465 SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at 466 run-time. This is really not recommended unless you know what 467 you're doing. 468 [Ben Laurie] 469 470 Changes between 0.9.8j and 0.9.8k [25 Mar 2009] 471 472 *) Don't set val to NULL when freeing up structures, it is freed up by 473 underlying code. If sizeof(void *) > sizeof(long) this can result in 474 zeroing past the valid field. (CVE-2009-0789) 475 [Paolo Ganci <Paolo.Ganci@AdNovum.CH>] 476 477 *) Fix bug where return value of CMS_SignerInfo_verify_content() was not 478 checked correctly. This would allow some invalid signed attributes to 479 appear to verify correctly. (CVE-2009-0591) 480 [Ivan Nestlerode <inestlerode@us.ibm.com>] 481 482 *) Reject UniversalString and BMPString types with invalid lengths. This 483 prevents a crash in ASN1_STRING_print_ex() which assumes the strings have 484 a legal length. (CVE-2009-0590) 485 [Steve Henson] 486 487 *) Set S/MIME signing as the default purpose rather than setting it 488 unconditionally. This allows applications to override it at the store 489 level. 490 [Steve Henson] 491 492 *) Permit restricted recursion of ASN1 strings. This is needed in practice 493 to handle some structures. 494 [Steve Henson] 495 496 *) Improve efficiency of mem_gets: don't search whole buffer each time 497 for a '\n' 498 [Jeremy Shapiro <jnshapir@us.ibm.com>] 499 500 *) New -hex option for openssl rand. 501 [Matthieu Herrb] 502 503 *) Print out UTF8String and NumericString when parsing ASN1. 504 [Steve Henson] 505 506 *) Support NumericString type for name components. 507 [Steve Henson] 508 509 *) Allow CC in the environment to override the automatically chosen 510 compiler. Note that nothing is done to ensure flags work with the 511 chosen compiler. 512 [Ben Laurie] 513 514 Changes between 0.9.8i and 0.9.8j [07 Jan 2009] 515 516 *) Properly check EVP_VerifyFinal() and similar return values 517 (CVE-2008-5077). 518 [Ben Laurie, Bodo Moeller, Google Security Team] 519 520 *) Enable TLS extensions by default. 521 [Ben Laurie] 522 523 *) Allow the CHIL engine to be loaded, whether the application is 524 multithreaded or not. (This does not release the developer from the 525 obligation to set up the dynamic locking callbacks.) 526 [Sander Temme <sander@temme.net>] 527 528 *) Use correct exit code if there is an error in dgst command. 529 [Steve Henson; problem pointed out by Roland Dirlewanger] 530 531 *) Tweak Configure so that you need to say "experimental-jpake" to enable 532 JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. 533 [Bodo Moeller] 534 535 *) Add experimental JPAKE support, including demo authentication in 536 s_client and s_server. 537 [Ben Laurie] 538 539 *) Set the comparison function in v3_addr_canonize(). 540 [Rob Austein <sra@hactrn.net>] 541 542 *) Add support for XMPP STARTTLS in s_client. 543 [Philip Paeps <philip@freebsd.org>] 544 545 *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior 546 to ensure that even with this option, only ciphersuites in the 547 server's preference list will be accepted. (Note that the option 548 applies only when resuming a session, so the earlier behavior was 549 just about the algorithm choice for symmetric cryptography.) 550 [Bodo Moeller] 551 552 Changes between 0.9.8h and 0.9.8i [15 Sep 2008] 553 554 *) Fix NULL pointer dereference if a DTLS server received 555 ChangeCipherSpec as first record (CVE-2009-1386). 556 [PR #1679] 557 558 *) Fix a state transitition in s3_srvr.c and d1_srvr.c 559 (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). 560 [Nagendra Modadugu] 561 562 *) The fix in 0.9.8c that supposedly got rid of unsafe 563 double-checked locking was incomplete for RSA blinding, 564 addressing just one layer of what turns out to have been 565 doubly unsafe triple-checked locking. 566 567 So now fix this for real by retiring the MONT_HELPER macro 568 in crypto/rsa/rsa_eay.c. 569 570 [Bodo Moeller; problem pointed out by Marius Schilder] 571 572 *) Various precautionary measures: 573 574 - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). 575 576 - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). 577 (NB: This would require knowledge of the secret session ticket key 578 to exploit, in which case you'd be SOL either way.) 579 580 - Change bn_nist.c so that it will properly handle input BIGNUMs 581 outside the expected range. 582 583 - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG 584 builds. 585 586 [Neel Mehta, Bodo Moeller] 587 588 *) Allow engines to be "soft loaded" - i.e. optionally don't die if 589 the load fails. Useful for distros. 590 [Ben Laurie and the FreeBSD team] 591 592 *) Add support for Local Machine Keyset attribute in PKCS#12 files. 593 [Steve Henson] 594 595 *) Fix BN_GF2m_mod_arr() top-bit cleanup code. 596 [Huang Ying] 597 598 *) Expand ENGINE to support engine supplied SSL client certificate functions. 599 600 This work was sponsored by Logica. 601 [Steve Henson] 602 603 *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows 604 keystores. Support for SSL/TLS client authentication too. 605 Not compiled unless enable-capieng specified to Configure. 606 607 This work was sponsored by Logica. 608 [Steve Henson] 609 610 *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using 611 ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain 612 attribute creation routines such as certifcate requests and PKCS#12 613 files. 614 [Steve Henson] 615 616 Changes between 0.9.8g and 0.9.8h [28 May 2008] 617 618 *) Fix flaw if 'Server Key exchange message' is omitted from a TLS 619 handshake which could lead to a cilent crash as found using the 620 Codenomicon TLS test suite (CVE-2008-1672) 621 [Steve Henson, Mark Cox] 622 623 *) Fix double free in TLS server name extensions which could lead to 624 a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 625 [Joe Orton] 626 627 *) Clear error queue in SSL_CTX_use_certificate_chain_file() 628 629 Clear the error queue to ensure that error entries left from 630 older function calls do not interfere with the correct operation. 631 [Lutz Jaenicke, Erik de Castro Lopo] 632 633 *) Remove root CA certificates of commercial CAs: 634 635 The OpenSSL project does not recommend any specific CA and does not 636 have any policy with respect to including or excluding any CA. 637 Therefore it does not make any sense to ship an arbitrary selection 638 of root CA certificates with the OpenSSL software. 639 [Lutz Jaenicke] 640 641 *) RSA OAEP patches to fix two separate invalid memory reads. 642 The first one involves inputs when 'lzero' is greater than 643 'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes 644 before the beginning of from). The second one involves inputs where 645 the 'db' section contains nothing but zeroes (there is a one-byte 646 invalid read after the end of 'db'). 647 [Ivan Nestlerode <inestlerode@us.ibm.com>] 648 649 *) Partial backport from 0.9.9-dev: 650 651 Introduce bn_mul_mont (dedicated Montgomery multiplication 652 procedure) as a candidate for BIGNUM assembler implementation. 653 While 0.9.9-dev uses assembler for various architectures, only 654 x86_64 is available by default here in the 0.9.8 branch, and 655 32-bit x86 is available through a compile-time setting. 656 657 To try the 32-bit x86 assembler implementation, use Configure 658 option "enable-montasm" (which exists only for this backport). 659 660 As "enable-montasm" for 32-bit x86 disclaims code stability 661 anyway, in this constellation we activate additional code 662 backported from 0.9.9-dev for further performance improvements, 663 namely BN_from_montgomery_word. (To enable this otherwise, 664 e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".) 665 666 [Andy Polyakov (backport partially by Bodo Moeller)] 667 668 *) Add TLS session ticket callback. This allows an application to set 669 TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed 670 values. This is useful for key rollover for example where several key 671 sets may exist with different names. 672 [Steve Henson] 673 674 *) Reverse ENGINE-internal logic for caching default ENGINE handles. 675 This was broken until now in 0.9.8 releases, such that the only way 676 a registered ENGINE could be used (assuming it initialises 677 successfully on the host) was to explicitly set it as the default 678 for the relevant algorithms. This is in contradiction with 0.9.7 679 behaviour and the documentation. With this fix, when an ENGINE is 680 registered into a given algorithm's table of implementations, the 681 'uptodate' flag is reset so that auto-discovery will be used next 682 time a new context for that algorithm attempts to select an 683 implementation. 684 [Ian Lister (tweaked by Geoff Thorpe)] 685 686 *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9 687 implemention in the following ways: 688 689 Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be 690 hard coded. 691 692 Lack of BER streaming support means one pass streaming processing is 693 only supported if data is detached: setting the streaming flag is 694 ignored for embedded content. 695 696 CMS support is disabled by default and must be explicitly enabled 697 with the enable-cms configuration option. 698 [Steve Henson] 699 700 *) Update the GMP engine glue to do direct copies between BIGNUM and 701 mpz_t when openssl and GMP use the same limb size. Otherwise the 702 existing "conversion via a text string export" trick is still used. 703 [Paul Sheer <paulsheer@gmail.com>] 704 705 *) Zlib compression BIO. This is a filter BIO which compressed and 706 uncompresses any data passed through it. 707 [Steve Henson] 708 709 *) Add AES_wrap_key() and AES_unwrap_key() functions to implement 710 RFC3394 compatible AES key wrapping. 711 [Steve Henson] 712 713 *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0(): 714 sets string data without copying. X509_ALGOR_set0() and 715 X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier) 716 data. Attribute function X509at_get0_data_by_OBJ(): retrieves data 717 from an X509_ATTRIBUTE structure optionally checking it occurs only 718 once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied 719 data. 720 [Steve Henson] 721 722 *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() 723 to get the expected BN_FLG_CONSTTIME behavior. 724 [Bodo Moeller (Google)] 725 726 *) Netware support: 727 728 - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets 729 - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT) 730 - added some more tests to do_tests.pl 731 - fixed RunningProcess usage so that it works with newer LIBC NDKs too 732 - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency 733 - added new Configure targets netware-clib-bsdsock, netware-clib-gcc, 734 netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc 735 - various changes to netware.pl to enable gcc-cross builds on Win32 736 platform 737 - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD) 738 - various changes to fix missing prototype warnings 739 - fixed x86nasm.pl to create correct asm files for NASM COFF output 740 - added AES, WHIRLPOOL and CPUID assembler code to build files 741 - added missing AES assembler make rules to mk1mf.pl 742 - fixed order of includes in apps/ocsp.c so that e_os.h settings apply 743 [Guenter Knauf <eflash@gmx.net>] 744 745 *) Implement certificate status request TLS extension defined in RFC3546. 746 A client can set the appropriate parameters and receive the encoded 747 OCSP response via a callback. A server can query the supplied parameters 748 and set the encoded OCSP response in the callback. Add simplified examples 749 to s_client and s_server. 750 [Steve Henson] 751 752 Changes between 0.9.8f and 0.9.8g [19 Oct 2007] 753 754 *) Fix various bugs: 755 + Binary incompatibility of ssl_ctx_st structure 756 + DTLS interoperation with non-compliant servers 757 + Don't call get_session_cb() without proposed session 758 + Fix ia64 assembler code 759 [Andy Polyakov, Steve Henson] 760 761 Changes between 0.9.8e and 0.9.8f [11 Oct 2007] 762 763 *) DTLS Handshake overhaul. There were longstanding issues with 764 OpenSSL DTLS implementation, which were making it impossible for 765 RFC 4347 compliant client to communicate with OpenSSL server. 766 Unfortunately just fixing these incompatibilities would "cut off" 767 pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e 768 server keeps tolerating non RFC compliant syntax. The opposite is 769 not true, 0.9.8f client can not communicate with earlier server. 770 This update even addresses CVE-2007-4995. 771 [Andy Polyakov] 772 773 *) Changes to avoid need for function casts in OpenSSL: some compilers 774 (gcc 4.2 and later) reject their use. 775 [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>, 776 Steve Henson] 777 778 *) Add RFC4507 support to OpenSSL. This includes the corrections in 779 RFC4507bis. The encrypted ticket format is an encrypted encoded 780 SSL_SESSION structure, that way new session features are automatically 781 supported. 782 783 If a client application caches session in an SSL_SESSION structure 784 support is transparent because tickets are now stored in the encoded 785 SSL_SESSION. 786 787 The SSL_CTX structure automatically generates keys for ticket 788 protection in servers so again support should be possible 789 with no application modification. 790 791 If a client or server wishes to disable RFC4507 support then the option 792 SSL_OP_NO_TICKET can be set. 793 794 Add a TLS extension debugging callback to allow the contents of any client 795 or server extensions to be examined. 796 797 This work was sponsored by Google. 798 [Steve Henson] 799 800 *) Add initial support for TLS extensions, specifically for the server_name 801 extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now 802 have new members for a host name. The SSL data structure has an 803 additional member SSL_CTX *initial_ctx so that new sessions can be 804 stored in that context to allow for session resumption, even after the 805 SSL has been switched to a new SSL_CTX in reaction to a client's 806 server_name extension. 807 808 New functions (subject to change): 809 810 SSL_get_servername() 811 SSL_get_servername_type() 812 SSL_set_SSL_CTX() 813 814 New CTRL codes and macros (subject to change): 815 816 SSL_CTRL_SET_TLSEXT_SERVERNAME_CB 817 - SSL_CTX_set_tlsext_servername_callback() 818 SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG 819 - SSL_CTX_set_tlsext_servername_arg() 820 SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name() 821 822 openssl s_client has a new '-servername ...' option. 823 824 openssl s_server has new options '-servername_host ...', '-cert2 ...', 825 '-key2 ...', '-servername_fatal' (subject to change). This allows 826 testing the HostName extension for a specific single host name ('-cert' 827 and '-key' remain fallbacks for handshakes without HostName 828 negotiation). If the unrecogninzed_name alert has to be sent, this by 829 default is a warning; it becomes fatal with the '-servername_fatal' 830 option. 831 832 [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson] 833 834 *) Add AES and SSE2 assembly language support to VC++ build. 835 [Steve Henson] 836 837 *) Mitigate attack on final subtraction in Montgomery reduction. 838 [Andy Polyakov] 839 840 *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0 841 (which previously caused an internal error). 842 [Bodo Moeller] 843 844 *) Squeeze another 10% out of IGE mode when in != out. 845 [Ben Laurie] 846 847 *) AES IGE mode speedup. 848 [Dean Gaudet (Google)] 849 850 *) Add the Korean symmetric 128-bit cipher SEED (see 851 http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and 852 add SEED ciphersuites from RFC 4162: 853 854 TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" 855 TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" 856 TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" 857 TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" 858 859 To minimize changes between patchlevels in the OpenSSL 0.9.8 860 series, SEED remains excluded from compilation unless OpenSSL 861 is configured with 'enable-seed'. 862 [KISA, Bodo Moeller] 863 864 *) Mitigate branch prediction attacks, which can be practical if a 865 single processor is shared, allowing a spy process to extract 866 information. For detailed background information, see 867 http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, 868 J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL 869 and Necessary Software Countermeasures"). The core of the change 870 are new versions BN_div_no_branch() and 871 BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), 872 respectively, which are slower, but avoid the security-relevant 873 conditional branches. These are automatically called by BN_div() 874 and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one 875 of the input BIGNUMs. Also, BN_is_bit_set() has been changed to 876 remove a conditional branch. 877 878 BN_FLG_CONSTTIME is the new name for the previous 879 BN_FLG_EXP_CONSTTIME flag, since it now affects more than just 880 modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag 881 in the exponent causes BN_mod_exp_mont() to use the alternative 882 implementation in BN_mod_exp_mont_consttime().) The old name 883 remains as a deprecated alias. 884 885 Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general 886 RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses 887 constant-time implementations for more than just exponentiation. 888 Here too the old name is kept as a deprecated alias. 889 890 BN_BLINDING_new() will now use BN_dup() for the modulus so that 891 the BN_BLINDING structure gets an independent copy of the 892 modulus. This means that the previous "BIGNUM *m" argument to 893 BN_BLINDING_new() and to BN_BLINDING_create_param() now 894 essentially becomes "const BIGNUM *m", although we can't actually 895 change this in the header file before 0.9.9. It allows 896 RSA_setup_blinding() to use BN_with_flags() on the modulus to 897 enable BN_FLG_CONSTTIME. 898 899 [Matthew D Wood (Intel Corp)] 900 901 *) In the SSL/TLS server implementation, be strict about session ID 902 context matching (which matters if an application uses a single 903 external cache for different purposes). Previously, 904 out-of-context reuse was forbidden only if SSL_VERIFY_PEER was 905 set. This did ensure strict client verification, but meant that, 906 with applications using a single external cache for quite 907 different requirements, clients could circumvent ciphersuite 908 restrictions for a given session ID context by starting a session 909 in a different context. 910 [Bodo Moeller] 911 912 *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that 913 a ciphersuite string such as "DEFAULT:RSA" cannot enable 914 authentication-only ciphersuites. 915 [Bodo Moeller] 916 917 *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was 918 not complete and could lead to a possible single byte overflow 919 (CVE-2007-5135) [Ben Laurie] 920 921 Changes between 0.9.8d and 0.9.8e [23 Feb 2007] 922 923 *) Since AES128 and AES256 (and similarly Camellia128 and 924 Camellia256) share a single mask bit in the logic of 925 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a 926 kludge to work properly if AES128 is available and AES256 isn't 927 (or if Camellia128 is available and Camellia256 isn't). 928 [Victor Duchovni] 929 930 *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c 931 (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): 932 When a point or a seed is encoded in a BIT STRING, we need to 933 prevent the removal of trailing zero bits to get the proper DER 934 encoding. (By default, crypto/asn1/a_bitstr.c assumes the case 935 of a NamedBitList, for which trailing 0 bits need to be removed.) 936 [Bodo Moeller] 937 938 *) Have SSL/TLS server implementation tolerate "mismatched" record 939 protocol version while receiving ClientHello even if the 940 ClientHello is fragmented. (The server can't insist on the 941 particular protocol version it has chosen before the ServerHello 942 message has informed the client about his choice.) 943 [Bodo Moeller] 944 945 *) Add RFC 3779 support. 946 [Rob Austein for ARIN, Ben Laurie] 947 948 *) Load error codes if they are not already present instead of using a 949 static variable. This allows them to be cleanly unloaded and reloaded. 950 Improve header file function name parsing. 951 [Steve Henson] 952 953 *) extend SMTP and IMAP protocol emulation in s_client to use EHLO 954 or CAPABILITY handshake as required by RFCs. 955 [Goetz Babin-Ebell] 956 957 Changes between 0.9.8c and 0.9.8d [28 Sep 2006] 958 959 *) Introduce limits to prevent malicious keys being able to 960 cause a denial of service. (CVE-2006-2940) 961 [Steve Henson, Bodo Moeller] 962 963 *) Fix ASN.1 parsing of certain invalid structures that can result 964 in a denial of service. (CVE-2006-2937) [Steve Henson] 965 966 *) Fix buffer overflow in SSL_get_shared_ciphers() function. 967 (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] 968 969 *) Fix SSL client code which could crash if connecting to a 970 malicious SSLv2 server. (CVE-2006-4343) 971 [Tavis Ormandy and Will Drewry, Google Security Team] 972 973 *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites 974 match only those. Before that, "AES256-SHA" would be interpreted 975 as a pattern and match "AES128-SHA" too (since AES128-SHA got 976 the same strength classification in 0.9.7h) as we currently only 977 have a single AES bit in the ciphersuite description bitmap. 978 That change, however, also applied to ciphersuite strings such as 979 "RC4-MD5" that intentionally matched multiple ciphersuites -- 980 namely, SSL 2.0 ciphersuites in addition to the more common ones 981 from SSL 3.0/TLS 1.0. 982 983 So we change the selection algorithm again: Naming an explicit 984 ciphersuite selects this one ciphersuite, and any other similar 985 ciphersuite (same bitmap) from *other* protocol versions. 986 Thus, "RC4-MD5" again will properly select both the SSL 2.0 987 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. 988 989 Since SSL 2.0 does not have any ciphersuites for which the 990 128/256 bit distinction would be relevant, this works for now. 991 The proper fix will be to use different bits for AES128 and 992 AES256, which would have avoided the problems from the beginning; 993 however, bits are scarce, so we can only do this in a new release 994 (not just a patchlevel) when we can change the SSL_CIPHER 995 definition to split the single 'unsigned long mask' bitmap into 996 multiple values to extend the available space. 997 998 [Bodo Moeller] 999 1000 Changes between 0.9.8b and 0.9.8c [05 Sep 2006] 1001 1002 *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher 1003 (CVE-2006-4339) [Ben Laurie and Google Security Team] 1004 1005 *) Add AES IGE and biIGE modes. 1006 [Ben Laurie] 1007 1008 *) Change the Unix randomness entropy gathering to use poll() when 1009 possible instead of select(), since the latter has some 1010 undesirable limitations. 1011 [Darryl Miles via Richard Levitte and Bodo Moeller] 1012 1013 *) Disable "ECCdraft" ciphersuites more thoroughly. Now special 1014 treatment in ssl/ssl_ciph.s makes sure that these ciphersuites 1015 cannot be implicitly activated as part of, e.g., the "AES" alias. 1016 However, please upgrade to OpenSSL 0.9.9[-dev] for 1017 non-experimental use of the ECC ciphersuites to get TLS extension 1018 support, which is required for curve and point format negotiation 1019 to avoid potential handshake problems. 1020 [Bodo Moeller] 1021 1022 *) Disable rogue ciphersuites: 1023 1024 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") 1025 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") 1026 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") 1027 1028 The latter two were purportedly from 1029 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really 1030 appear there. 1031 1032 Also deactivate the remaining ciphersuites from 1033 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as 1034 unofficial, and the ID has long expired. 1035 [Bodo Moeller] 1036 1037 *) Fix RSA blinding Heisenbug (problems sometimes occured on 1038 dual-core machines) and other potential thread-safety issues. 1039 [Bodo Moeller] 1040 1041 *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key 1042 versions), which is now available for royalty-free use 1043 (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). 1044 Also, add Camellia TLS ciphersuites from RFC 4132. 1045 1046 To minimize changes between patchlevels in the OpenSSL 0.9.8 1047 series, Camellia remains excluded from compilation unless OpenSSL 1048 is configured with 'enable-camellia'. 1049 [NTT] 1050 1051 *) Disable the padding bug check when compression is in use. The padding 1052 bug check assumes the first packet is of even length, this is not 1053 necessarily true if compresssion is enabled and can result in false 1054 positives causing handshake failure. The actual bug test is ancient 1055 code so it is hoped that implementations will either have fixed it by 1056 now or any which still have the bug do not support compression. 1057 [Steve Henson] 1058 1059 Changes between 0.9.8a and 0.9.8b [04 May 2006] 1060 1061 *) When applying a cipher rule check to see if string match is an explicit 1062 cipher suite and only match that one cipher suite if it is. 1063 [Steve Henson] 1064 1065 *) Link in manifests for VC++ if needed. 1066 [Austin Ziegler <halostatue@gmail.com>] 1067 1068 *) Update support for ECC-based TLS ciphersuites according to 1069 draft-ietf-tls-ecc-12.txt with proposed changes (but without 1070 TLS extensions, which are supported starting with the 0.9.9 1071 branch, not in the OpenSSL 0.9.8 branch). 1072 [Douglas Stebila] 1073 1074 *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support 1075 opaque EVP_CIPHER_CTX handling. 1076 [Steve Henson] 1077 1078 *) Fixes and enhancements to zlib compression code. We now only use 1079 "zlib1.dll" and use the default __cdecl calling convention on Win32 1080 to conform with the standards mentioned here: 1081 http://www.zlib.net/DLL_FAQ.txt 1082 Static zlib linking now works on Windows and the new --with-zlib-include 1083 --with-zlib-lib options to Configure can be used to supply the location 1084 of the headers and library. Gracefully handle case where zlib library 1085 can't be loaded. 1086 [Steve Henson] 1087 1088 *) Several fixes and enhancements to the OID generation code. The old code 1089 sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't 1090 handle numbers larger than ULONG_MAX, truncated printing and had a 1091 non standard OBJ_obj2txt() behaviour. 1092 [Steve Henson] 1093 1094 *) Add support for building of engines under engine/ as shared libraries 1095 under VC++ build system. 1096 [Steve Henson] 1097 1098 *) Corrected the numerous bugs in the Win32 path splitter in DSO. 1099 Hopefully, we will not see any false combination of paths any more. 1100 [Richard Levitte] 1101 1102 Changes between 0.9.8 and 0.9.8a [11 Oct 2005] 1103 1104 *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING 1105 (part of SSL_OP_ALL). This option used to disable the 1106 countermeasure against man-in-the-middle protocol-version 1107 rollback in the SSL 2.0 server implementation, which is a bad 1108 idea. (CVE-2005-2969) 1109 1110 [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center 1111 for Information Security, National Institute of Advanced Industrial 1112 Science and Technology [AIST], Japan)] 1113 1114 *) Add two function to clear and return the verify parameter flags. 1115 [Steve Henson] 1116 1117 *) Keep cipherlists sorted in the source instead of sorting them at 1118 runtime, thus removing the need for a lock. 1119 [Nils Larsch] 1120 1121 *) Avoid some small subgroup attacks in Diffie-Hellman. 1122 [Nick Mathewson and Ben Laurie] 1123 1124 *) Add functions for well-known primes. 1125 [Nick Mathewson] 1126 1127 *) Extended Windows CE support. 1128 [Satoshi Nakamura and Andy Polyakov] 1129 1130 *) Initialize SSL_METHOD structures at compile time instead of during 1131 runtime, thus removing the need for a lock. 1132 [Steve Henson] 1133 1134 *) Make PKCS7_decrypt() work even if no certificate is supplied by 1135 attempting to decrypt each encrypted key in turn. Add support to 1136 smime utility. 1137 [Steve Henson] 1138 1139 Changes between 0.9.7h and 0.9.8 [05 Jul 2005] 1140 1141 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after 1142 OpenSSL 0.9.8.] 1143 1144 *) Add libcrypto.pc and libssl.pc for those who feel they need them. 1145 [Richard Levitte] 1146 1147 *) Change CA.sh and CA.pl so they don't bundle the CSR and the private 1148 key into the same file any more. 1149 [Richard Levitte] 1150 1151 *) Add initial support for Win64, both IA64 and AMD64/x64 flavors. 1152 [Andy Polyakov] 1153 1154 *) Add -utf8 command line and config file option to 'ca'. 1155 [Stefan <stf@udoma.org] 1156 1157 *) Removed the macro des_crypt(), as it seems to conflict with some 1158 libraries. Use DES_crypt(). 1159 [Richard Levitte] 1160 1161 *) Correct naming of the 'chil' and '4758cca' ENGINEs. This 1162 involves renaming the source and generated shared-libs for 1163 both. The engines will accept the corrected or legacy ids 1164 ('ncipher' and '4758_cca' respectively) when binding. NB, 1165 this only applies when building 'shared'. 1166 [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] 1167 1168 *) Add attribute functions to EVP_PKEY structure. Modify 1169 PKCS12_create() to recognize a CSP name attribute and 1170 use it. Make -CSP option work again in pkcs12 utility. 1171 [Steve Henson] 1172 1173 *) Add new functionality to the bn blinding code: 1174 - automatic re-creation of the BN_BLINDING parameters after 1175 a fixed number of uses (currently 32) 1176 - add new function for parameter creation 1177 - introduce flags to control the update behaviour of the 1178 BN_BLINDING parameters 1179 - hide BN_BLINDING structure 1180 Add a second BN_BLINDING slot to the RSA structure to improve 1181 performance when a single RSA object is shared among several 1182 threads. 1183 [Nils Larsch] 1184 1185 *) Add support for DTLS. 1186 [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] 1187 1188 *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) 1189 to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() 1190 [Walter Goulet] 1191 1192 *) Remove buggy and incompletet DH cert support from 1193 ssl/ssl_rsa.c and ssl/s3_both.c 1194 [Nils Larsch] 1195 1196 *) Use SHA-1 instead of MD5 as the default digest algorithm for 1197 the apps/openssl applications. 1198 [Nils Larsch] 1199 1200 *) Compile clean with "-Wall -Wmissing-prototypes 1201 -Wstrict-prototypes -Wmissing-declarations -Werror". Currently 1202 DEBUG_SAFESTACK must also be set. 1203 [Ben Laurie] 1204 1205 *) Change ./Configure so that certain algorithms can be disabled by default. 1206 The new counterpiece to "no-xxx" is "enable-xxx". 1207 1208 The patented RC5 and MDC2 algorithms will now be disabled unless 1209 "enable-rc5" and "enable-mdc2", respectively, are specified. 1210 1211 (IDEA remains enabled despite being patented. This is because IDEA 1212 is frequently required for interoperability, and there is no license 1213 fee for non-commercial use. As before, "no-idea" can be used to 1214 avoid this algorithm.) 1215 1216 [Bodo Moeller] 1217 1218 *) Add processing of proxy certificates (see RFC 3820). This work was 1219 sponsored by KTH (The Royal Institute of Technology in Stockholm) and 1220 EGEE (Enabling Grids for E-science in Europe). 1221 [Richard Levitte] 1222 1223 *) RC4 performance overhaul on modern architectures/implementations, such 1224 as Intel P4, IA-64 and AMD64. 1225 [Andy Polyakov] 1226 1227 *) New utility extract-section.pl. This can be used specify an alternative 1228 section number in a pod file instead of having to treat each file as 1229 a separate case in Makefile. This can be done by adding two lines to the 1230 pod file: 1231 1232 =for comment openssl_section:XXX 1233 1234 The blank line is mandatory. 1235 1236 [Steve Henson] 1237 1238 *) New arguments -certform, -keyform and -pass for s_client and s_server 1239 to allow alternative format key and certificate files and passphrase 1240 sources. 1241 [Steve Henson] 1242 1243 *) New structure X509_VERIFY_PARAM which combines current verify parameters, 1244 update associated structures and add various utility functions. 1245 1246 Add new policy related verify parameters, include policy checking in 1247 standard verify code. Enhance 'smime' application with extra parameters 1248 to support policy checking and print out. 1249 [Steve Henson] 1250 1251 *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 1252 Nehemiah processors. These extensions support AES encryption in hardware 1253 as well as RNG (though RNG support is currently disabled). 1254 [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] 1255 1256 *) Deprecate BN_[get|set]_params() functions (they were ignored internally). 1257 [Geoff Thorpe] 1258 1259 *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. 1260 [Andy Polyakov and a number of other people] 1261 1262 *) Improved PowerPC platform support. Most notably BIGNUM assembler 1263 implementation contributed by IBM. 1264 [Suresh Chari, Peter Waltenberg, Andy Polyakov] 1265 1266 *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public 1267 exponent rather than 'unsigned long'. There is a corresponding change to 1268 the new 'rsa_keygen' element of the RSA_METHOD structure. 1269 [Jelte Jansen, Geoff Thorpe] 1270 1271 *) Functionality for creating the initial serial number file is now 1272 moved from CA.pl to the 'ca' utility with a new option -create_serial. 1273 1274 (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial 1275 number file to 1, which is bound to cause problems. To avoid 1276 the problems while respecting compatibility between different 0.9.7 1277 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in 1278 CA.pl for serial number initialization. With the new release 0.9.8, 1279 we can fix the problem directly in the 'ca' utility.) 1280 [Steve Henson] 1281 1282 *) Reduced header interdepencies by declaring more opaque objects in 1283 ossl_typ.h. As a consequence, including some headers (eg. engine.h) will 1284 give fewer recursive includes, which could break lazy source code - so 1285 this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, 1286 developers should define this symbol when building and using openssl to 1287 ensure they track the recommended behaviour, interfaces, [etc], but 1288 backwards-compatible behaviour prevails when this isn't defined. 1289 [Geoff Thorpe] 1290 1291 *) New function X509_POLICY_NODE_print() which prints out policy nodes. 1292 [Steve Henson] 1293 1294 *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. 1295 This will generate a random key of the appropriate length based on the 1296 cipher context. The EVP_CIPHER can provide its own random key generation 1297 routine to support keys of a specific form. This is used in the des and 1298 3des routines to generate a key of the correct parity. Update S/MIME 1299 code to use new functions and hence generate correct parity DES keys. 1300 Add EVP_CHECK_DES_KEY #define to return an error if the key is not 1301 valid (weak or incorrect parity). 1302 [Steve Henson] 1303 1304 *) Add a local set of CRLs that can be used by X509_verify_cert() as well 1305 as looking them up. This is useful when the verified structure may contain 1306 CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs 1307 present unless the new PKCS7_NO_CRL flag is asserted. 1308 [Steve Henson] 1309 1310 *) Extend ASN1 oid configuration module. It now additionally accepts the 1311 syntax: 1312 1313 shortName = some long name, 1.2.3.4 1314 [Steve Henson] 1315 1316 *) Reimplemented the BN_CTX implementation. There is now no more static 1317 limitation on the number of variables it can handle nor the depth of the 1318 "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack 1319 information can now expand as required, and rather than having a single 1320 static array of bignums, BN_CTX now uses a linked-list of such arrays 1321 allowing it to expand on demand whilst maintaining the usefulness of 1322 BN_CTX's "bundling". 1323 [Geoff Thorpe] 1324 1325 *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD 1326 to allow all RSA operations to function using a single BN_CTX. 1327 [Geoff Thorpe] 1328 1329 *) Preliminary support for certificate policy evaluation and checking. This 1330 is initially intended to pass the tests outlined in "Conformance Testing 1331 of Relying Party Client Certificate Path Processing Logic" v1.07. 1332 [Steve Henson] 1333 1334 *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and 1335 remained unused and not that useful. A variety of other little bignum 1336 tweaks and fixes have also been made continuing on from the audit (see 1337 below). 1338 [Geoff Thorpe] 1339 1340 *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with 1341 associated ASN1, EVP and SSL functions and old ASN1 macros. 1342 [Richard Levitte] 1343 1344 *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, 1345 and this should never fail. So the return value from the use of 1346 BN_set_word() (which can fail due to needless expansion) is now deprecated; 1347 if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. 1348 [Geoff Thorpe] 1349 1350 *) BN_CTX_get() should return zero-valued bignums, providing the same 1351 initialised value as BN_new(). 1352 [Geoff Thorpe, suggested by Ulf M�ller] 1353 1354 *) Support for inhibitAnyPolicy certificate extension. 1355 [Steve Henson] 1356 1357 *) An audit of the BIGNUM code is underway, for which debugging code is 1358 enabled when BN_DEBUG is defined. This makes stricter enforcements on what 1359 is considered valid when processing BIGNUMs, and causes execution to 1360 assert() when a problem is discovered. If BN_DEBUG_RAND is defined, 1361 further steps are taken to deliberately pollute unused data in BIGNUM 1362 structures to try and expose faulty code further on. For now, openssl will 1363 (in its default mode of operation) continue to tolerate the inconsistent 1364 forms that it has tolerated in the past, but authors and packagers should 1365 consider trying openssl and their own applications when compiled with 1366 these debugging symbols defined. It will help highlight potential bugs in 1367 their own code, and will improve the test coverage for OpenSSL itself. At 1368 some point, these tighter rules will become openssl's default to improve 1369 maintainability, though the assert()s and other overheads will remain only 1370 in debugging configurations. See bn.h for more details. 1371 [Geoff Thorpe, Nils Larsch, Ulf M�ller] 1372 1373 *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure 1374 that can only be obtained through BN_CTX_new() (which implicitly 1375 initialises it). The presence of this function only made it possible 1376 to overwrite an existing structure (and cause memory leaks). 1377 [Geoff Thorpe] 1378 1379 *) Because of the callback-based approach for implementing LHASH as a 1380 template type, lh_insert() adds opaque objects to hash-tables and 1381 lh_doall() or lh_doall_arg() are typically used with a destructor callback 1382 to clean up those corresponding objects before destroying the hash table 1383 (and losing the object pointers). So some over-zealous constifications in 1384 LHASH have been relaxed so that lh_insert() does not take (nor store) the 1385 objects as "const" and the lh_doall[_arg] callback wrappers are not 1386 prototyped to have "const" restrictions on the object pointers they are 1387 given (and so aren't required to cast them away any more). 1388 [Geoff Thorpe] 1389 1390 *) The tmdiff.h API was so ugly and minimal that our own timing utility 1391 (speed) prefers to use its own implementation. The two implementations 1392 haven't been consolidated as yet (volunteers?) but the tmdiff API has had 1393 its object type properly exposed (MS_TM) instead of casting to/from "char 1394 *". This may still change yet if someone realises MS_TM and "ms_time_***" 1395 aren't necessarily the greatest nomenclatures - but this is what was used 1396 internally to the implementation so I've used that for now. 1397 [Geoff Thorpe] 1398 1399 *) Ensure that deprecated functions do not get compiled when 1400 OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of 1401 the self-tests were still using deprecated key-generation functions so 1402 these have been updated also. 1403 [Geoff Thorpe] 1404 1405 *) Reorganise PKCS#7 code to separate the digest location functionality 1406 into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest(). 1407 New function PKCS7_set_digest() to set the digest type for PKCS#7 1408 digestedData type. Add additional code to correctly generate the 1409 digestedData type and add support for this type in PKCS7 initialization 1410 functions. 1411 [Steve Henson] 1412 1413 *) New function PKCS7_set0_type_other() this initializes a PKCS7 1414 structure of type "other". 1415 [Steve Henson] 1416 1417 *) Fix prime generation loop in crypto/bn/bn_prime.pl by making 1418 sure the loop does correctly stop and breaking ("division by zero") 1419 modulus operations are not performed. The (pre-generated) prime 1420 table crypto/bn/bn_prime.h was already correct, but it could not be 1421 re-generated on some platforms because of the "division by zero" 1422 situation in the script. 1423 [Ralf S. Engelschall] 1424 1425 *) Update support for ECC-based TLS ciphersuites according to 1426 draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with 1427 SHA-1 now is only used for "small" curves (where the 1428 representation of a field element takes up to 24 bytes); for 1429 larger curves, the field element resulting from ECDH is directly 1430 used as premaster secret. 1431 [Douglas Stebila (Sun Microsystems Laboratories)] 1432 1433 *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 1434 curve secp160r1 to the tests. 1435 [Douglas Stebila (Sun Microsystems Laboratories)] 1436 1437 *) Add the possibility to load symbols globally with DSO. 1438 [G�tz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] 1439 1440 *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better 1441 control of the error stack. 1442 [Richard Levitte] 1443 1444 *) Add support for STORE in ENGINE. 1445 [Richard Levitte] 1446 1447 *) Add the STORE type. The intention is to provide a common interface 1448 to certificate and key stores, be they simple file-based stores, or 1449 HSM-type store, or LDAP stores, or... 1450 NOTE: The code is currently UNTESTED and isn't really used anywhere. 1451 [Richard Levitte] 1452 1453 *) Add a generic structure called OPENSSL_ITEM. This can be used to 1454 pass a list of arguments to any function as well as provide a way 1455 for a function to pass data back to the caller. 1456 [Richard Levitte] 1457 1458 *) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() 1459 works like BUF_strdup() but can be used to duplicate a portion of 1460 a string. The copy gets NUL-terminated. BUF_memdup() duplicates 1461 a memory area. 1462 [Richard Levitte] 1463 1464 *) Add the function sk_find_ex() which works like sk_find(), but will 1465 return an index to an element even if an exact match couldn't be 1466 found. The index is guaranteed to point at the element where the 1467 searched-for key would be inserted to preserve sorting order. 1468 [Richard Levitte] 1469 1470 *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but 1471 takes an extra flags argument for optional functionality. Currently, 1472 the following flags are defined: 1473 1474 OBJ_BSEARCH_VALUE_ON_NOMATCH 1475 This one gets OBJ_bsearch_ex() to return a pointer to the first 1476 element where the comparing function returns a negative or zero 1477 number. 1478 1479 OBJ_BSEARCH_FIRST_VALUE_ON_MATCH 1480 This one gets OBJ_bsearch_ex() to return a pointer to the first 1481 element where the comparing function returns zero. This is useful 1482 if there are more than one element where the comparing function 1483 returns zero. 1484 [Richard Levitte] 1485 1486 *) Make it possible to create self-signed certificates with 'openssl ca' 1487 in such a way that the self-signed certificate becomes part of the 1488 CA database and uses the same mechanisms for serial number generation 1489 as all other certificate signing. The new flag '-selfsign' enables 1490 this functionality. Adapt CA.sh and CA.pl.in. 1491 [Richard Levitte] 1492 1493 *) Add functionality to check the public key of a certificate request 1494 against a given private. This is useful to check that a certificate 1495 request can be signed by that key (self-signing). 1496 [Richard Levitte] 1497 1498 *) Make it possible to have multiple active certificates with the same 1499 subject in the CA index file. This is done only if the keyword 1500 'unique_subject' is set to 'no' in the main CA section (default 1501 if 'CA_default') of the configuration file. The value is saved 1502 with the database itself in a separate index attribute file, 1503 named like the index file with '.attr' appended to the name. 1504 [Richard Levitte] 1505 1506 *) Generate muti valued AVAs using '+' notation in config files for 1507 req and dirName. 1508 [Steve Henson] 1509 1510 *) Support for nameConstraints certificate extension. 1511 [Steve Henson] 1512 1513 *) Support for policyConstraints certificate extension. 1514 [Steve Henson] 1515 1516 *) Support for policyMappings certificate extension. 1517 [Steve Henson] 1518 1519 *) Make sure the default DSA_METHOD implementation only uses its 1520 dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, 1521 and change its own handlers to be NULL so as to remove unnecessary 1522 indirection. This lets alternative implementations fallback to the 1523 default implementation more easily. 1524 [Geoff Thorpe] 1525 1526 *) Support for directoryName in GeneralName related extensions 1527 in config files. 1528 [Steve Henson] 1529 1530 *) Make it possible to link applications using Makefile.shared. 1531 Make that possible even when linking against static libraries! 1532 [Richard Levitte] 1533 1534 *) Support for single pass processing for S/MIME signing. This now 1535 means that S/MIME signing can be done from a pipe, in addition 1536 cleartext signing (multipart/signed type) is effectively streaming 1537 and the signed data does not need to be all held in memory. 1538 1539 This is done with a new flag PKCS7_STREAM. When this flag is set 1540 PKCS7_sign() only initializes the PKCS7 structure and the actual signing 1541 is done after the data is output (and digests calculated) in 1542 SMIME_write_PKCS7(). 1543 [Steve Henson] 1544 1545 *) Add full support for -rpath/-R, both in shared libraries and 1546 applications, at least on the platforms where it's known how 1547 to do it. 1548 [Richard Levitte] 1549 1550 *) In crypto/ec/ec_mult.c, implement fast point multiplication with 1551 precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() 1552 will now compute a table of multiples of the generator that 1553 makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() 1554 faster (notably in the case of a single point multiplication, 1555 scalar * generator). 1556 [Nils Larsch, Bodo Moeller] 1557 1558 *) IPv6 support for certificate extensions. The various extensions 1559 which use the IP:a.b.c.d can now take IPv6 addresses using the 1560 formats of RFC1884 2.2 . IPv6 addresses are now also displayed 1561 correctly. 1562 [Steve Henson] 1563 1564 *) Added an ENGINE that implements RSA by performing private key 1565 exponentiations with the GMP library. The conversions to and from 1566 GMP's mpz_t format aren't optimised nor are any montgomery forms 1567 cached, and on x86 it appears OpenSSL's own performance has caught up. 1568 However there are likely to be other architectures where GMP could 1569 provide a boost. This ENGINE is not built in by default, but it can be 1570 specified at Configure time and should be accompanied by the necessary 1571 linker additions, eg; 1572 ./config -DOPENSSL_USE_GMP -lgmp 1573 [Geoff Thorpe] 1574 1575 *) "openssl engine" will not display ENGINE/DSO load failure errors when 1576 testing availability of engines with "-t" - the old behaviour is 1577 produced by increasing the feature's verbosity with "-tt". 1578 [Geoff Thorpe] 1579 1580 *) ECDSA routines: under certain error conditions uninitialized BN objects 1581 could be freed. Solution: make sure initialization is performed early 1582 enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de> 1583 via PR#459) 1584 [Lutz Jaenicke] 1585 1586 *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD 1587 and DH_METHOD (eg. by ENGINE implementations) to override the normal 1588 software implementations. For DSA and DH, parameter generation can 1589 also be overriden by providing the appropriate method callbacks. 1590 [Geoff Thorpe] 1591 1592 *) Change the "progress" mechanism used in key-generation and 1593 primality testing to functions that take a new BN_GENCB pointer in 1594 place of callback/argument pairs. The new API functions have "_ex" 1595 postfixes and the older functions are reimplemented as wrappers for 1596 the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide 1597 declarations of the old functions to help (graceful) attempts to 1598 migrate to the new functions. Also, the new key-generation API 1599 functions operate on a caller-supplied key-structure and return 1600 success/failure rather than returning a key or NULL - this is to 1601 help make "keygen" another member function of RSA_METHOD etc. 1602 1603 Example for using the new callback interface: 1604 1605 int (*my_callback)(int a, int b, BN_GENCB *cb) = ...; 1606 void *my_arg = ...; 1607 BN_GENCB my_cb; 1608 1609 BN_GENCB_set(&my_cb, my_callback, my_arg); 1610 1611 return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb); 1612 /* For the meaning of a, b in calls to my_callback(), see the 1613 * documentation of the function that calls the callback. 1614 * cb will point to my_cb; my_arg can be retrieved as cb->arg. 1615 * my_callback should return 1 if it wants BN_is_prime_ex() 1616 * to continue, or 0 to stop. 1617 */ 1618 1619 [Geoff Thorpe] 1620 1621 *) Change the ZLIB compression method to be stateful, and make it 1622 available to TLS with the number defined in 1623 draft-ietf-tls-compression-04.txt. 1624 [Richard Levitte] 1625 1626 *) Add the ASN.1 structures and functions for CertificatePair, which 1627 is defined as follows (according to X.509_4thEditionDraftV6.pdf): 1628 1629 CertificatePair ::= SEQUENCE { 1630 forward [0] Certificate OPTIONAL, 1631 reverse [1] Certificate OPTIONAL, 1632 -- at least one of the pair shall be present -- } 1633 1634 Also implement the PEM functions to read and write certificate 1635 pairs, and defined the PEM tag as "CERTIFICATE PAIR". 1636 1637 This needed to be defined, mostly for the sake of the LDAP 1638 attribute crossCertificatePair, but may prove useful elsewhere as 1639 well. 1640 [Richard Levitte] 1641 1642 *) Make it possible to inhibit symlinking of shared libraries in 1643 Makefile.shared, for Cygwin's sake. 1644 [Richard Levitte] 1645 1646 *) Extend the BIGNUM API by creating a function 1647 void BN_set_negative(BIGNUM *a, int neg); 1648 and a macro that behave like 1649 int BN_is_negative(const BIGNUM *a); 1650 1651 to avoid the need to access 'a->neg' directly in applications. 1652 [Nils Larsch] 1653 1654 *) Implement fast modular reduction for pseudo-Mersenne primes 1655 used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). 1656 EC_GROUP_new_curve_GFp() will now automatically use this 1657 if applicable. 1658 [Nils Larsch <nla@trustcenter.de>] 1659 1660 *) Add new lock type (CRYPTO_LOCK_BN). 1661 [Bodo Moeller] 1662 1663 *) Change the ENGINE framework to automatically load engines 1664 dynamically from specific directories unless they could be 1665 found to already be built in or loaded. Move all the 1666 current engines except for the cryptodev one to a new 1667 directory engines/. 1668 The engines in engines/ are built as shared libraries if 1669 the "shared" options was given to ./Configure or ./config. 1670 Otherwise, they are inserted in libcrypto.a. 1671 /usr/local/ssl/engines is the default directory for dynamic 1672 engines, but that can be overriden at configure time through 1673 the usual use of --prefix and/or --openssldir, and at run 1674 time with the environment variable OPENSSL_ENGINES. 1675 [Geoff Thorpe and Richard Levitte] 1676 1677 *) Add Makefile.shared, a helper makefile to build shared 1678 libraries. Addapt Makefile.org. 1679 [Richard Levitte] 1680 1681 *) Add version info to Win32 DLLs. 1682 [Peter 'Luna' Runestig" <peter@runestig.com>] 1683 1684 *) Add new 'medium level' PKCS#12 API. Certificates and keys 1685 can be added using this API to created arbitrary PKCS#12 1686 files while avoiding the low level API. 1687 1688 New options to PKCS12_create(), key or cert can be NULL and 1689 will then be omitted from the output file. The encryption 1690 algorithm NIDs can be set to -1 for no encryption, the mac 1691 iteration count can be set to 0 to omit the mac. 1692 1693 Enhance pkcs12 utility by making the -nokeys and -nocerts 1694 options work when creating a PKCS#12 file. New option -nomac 1695 to omit the mac, NONE can be set for an encryption algorithm. 1696 New code is modified to use the enhanced PKCS12_create() 1697 instead of the low level API. 1698 [Steve Henson] 1699 1700 *) Extend ASN1 encoder to support indefinite length constructed 1701 encoding. This can output sequences tags and octet strings in 1702 this form. Modify pk7_asn1.c to support indefinite length 1703 encoding. This is experimental and needs additional code to 1704 be useful, such as an ASN1 bio and some enhanced streaming 1705 PKCS#7 code. 1706 1707 Extend template encode functionality so that tagging is passed 1708 down to the template encoder. 1709 [Steve Henson] 1710 1711 *) Let 'openssl req' fail if an argument to '-newkey' is not 1712 recognized instead of using RSA as a default. 1713 [Bodo Moeller] 1714 1715 *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. 1716 As these are not official, they are not included in "ALL"; 1717 the "ECCdraft" ciphersuite group alias can be used to select them. 1718 [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] 1719 1720 *) Add ECDH engine support. 1721 [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] 1722 1723 *) Add ECDH in new directory crypto/ecdh/. 1724 [Douglas Stebila (Sun Microsystems Laboratories)] 1725 1726 *) Let BN_rand_range() abort with an error after 100 iterations 1727 without success (which indicates a broken PRNG). 1728 [Bodo Moeller] 1729 1730 *) Change BN_mod_sqrt() so that it verifies that the input value 1731 is really the square of the return value. (Previously, 1732 BN_mod_sqrt would show GIGO behaviour.) 1733 [Bodo Moeller] 1734 1735 *) Add named elliptic curves over binary fields from X9.62, SECG, 1736 and WAP/WTLS; add OIDs that were still missing. 1737 1738 [Sheueling Chang Shantz and Douglas Stebila 1739 (Sun Microsystems Laboratories)] 1740 1741 *) Extend the EC library for elliptic curves over binary fields 1742 (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). 1743 New EC_METHOD: 1744 1745 EC_GF2m_simple_method 1746 1747 New API functions: 1748 1749 EC_GROUP_new_curve_GF2m 1750 EC_GROUP_set_curve_GF2m 1751 EC_GROUP_get_curve_GF2m 1752 EC_POINT_set_affine_coordinates_GF2m 1753 EC_POINT_get_affine_coordinates_GF2m 1754 EC_POINT_set_compressed_coordinates_GF2m 1755 1756 Point compression for binary fields is disabled by default for 1757 patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to 1758 enable it). 1759 1760 As binary polynomials are represented as BIGNUMs, various members 1761 of the EC_GROUP and EC_POINT data structures can be shared 1762 between the implementations for prime fields and binary fields; 1763 the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) 1764 are essentially identical to their ..._GFp counterparts. 1765 (For simplicity, the '..._GFp' prefix has been dropped from 1766 various internal method names.) 1767 1768 An internal 'field_div' method (similar to 'field_mul' and 1769 'field_sqr') has been added; this is used only for binary fields. 1770 1771 [Sheueling Chang Shantz and Douglas Stebila 1772 (Sun Microsystems Laboratories)] 1773 1774 *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() 1775 through methods ('mul', 'precompute_mult'). 1776 1777 The generic implementations (now internally called 'ec_wNAF_mul' 1778 and 'ec_wNAF_precomputed_mult') remain the default if these 1779 methods are undefined. 1780 1781 [Sheueling Chang Shantz and Douglas Stebila 1782 (Sun Microsystems Laboratories)] 1783 1784 *) New function EC_GROUP_get_degree, which is defined through 1785 EC_METHOD. For curves over prime fields, this returns the bit 1786 length of the modulus. 1787 1788 [Sheueling Chang Shantz and Douglas Stebila 1789 (Sun Microsystems Laboratories)] 1790 1791 *) New functions EC_GROUP_dup, EC_POINT_dup. 1792 (These simply call ..._new and ..._copy). 1793 1794 [Sheueling Chang Shantz and Douglas Stebila 1795 (Sun Microsystems Laboratories)] 1796 1797 *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. 1798 Polynomials are represented as BIGNUMs (where the sign bit is not 1799 used) in the following functions [macros]: 1800 1801 BN_GF2m_add 1802 BN_GF2m_sub [= BN_GF2m_add] 1803 BN_GF2m_mod [wrapper for BN_GF2m_mod_arr] 1804 BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr] 1805 BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr] 1806 BN_GF2m_mod_inv 1807 BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr] 1808 BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr] 1809 BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr] 1810 BN_GF2m_cmp [= BN_ucmp] 1811 1812 (Note that only the 'mod' functions are actually for fields GF(2^m). 1813 BN_GF2m_add() is misnomer, but this is for the sake of consistency.) 1814 1815 For some functions, an the irreducible polynomial defining a 1816 field can be given as an 'unsigned int[]' with strictly 1817 decreasing elements giving the indices of those bits that are set; 1818 i.e., p[] represents the polynomial 1819 f(t) = t^p[0] + t^p[1] + ... + t^p[k] 1820 where 1821 p[0] > p[1] > ... > p[k] = 0. 1822 This applies to the following functions: 1823 1824 BN_GF2m_mod_arr 1825 BN_GF2m_mod_mul_arr 1826 BN_GF2m_mod_sqr_arr 1827 BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv] 1828 BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div] 1829 BN_GF2m_mod_exp_arr 1830 BN_GF2m_mod_sqrt_arr 1831 BN_GF2m_mod_solve_quad_arr 1832 BN_GF2m_poly2arr 1833 BN_GF2m_arr2poly 1834 1835 Conversion can be performed by the following functions: 1836 1837 BN_GF2m_poly2arr 1838 BN_GF2m_arr2poly 1839 1840 bntest.c has additional tests for binary polynomial arithmetic. 1841 1842 Two implementations for BN_GF2m_mod_div() are available. 1843 The default algorithm simply uses BN_GF2m_mod_inv() and 1844 BN_GF2m_mod_mul(). The alternative algorithm is compiled in only 1845 if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the 1846 copyright notice in crypto/bn/bn_gf2m.c before enabling it). 1847 1848 [Sheueling Chang Shantz and Douglas Stebila 1849 (Sun Microsystems Laboratories)] 1850 1851 *) Add new error code 'ERR_R_DISABLED' that can be used when some 1852 functionality is disabled at compile-time. 1853 [Douglas Stebila <douglas.stebila@sun.com>] 1854 1855 *) Change default behaviour of 'openssl asn1parse' so that more 1856 information is visible when viewing, e.g., a certificate: 1857 1858 Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' 1859 mode the content of non-printable OCTET STRINGs is output in a 1860 style similar to INTEGERs, but with '[HEX DUMP]' prepended to 1861 avoid the appearance of a printable string. 1862 [Nils Larsch <nla@trustcenter.de>] 1863 1864 *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access 1865 functions 1866 EC_GROUP_set_asn1_flag() 1867 EC_GROUP_get_asn1_flag() 1868 EC_GROUP_set_point_conversion_form() 1869 EC_GROUP_get_point_conversion_form() 1870 These control ASN1 encoding details: 1871 - Curves (i.e., groups) are encoded explicitly unless asn1_flag 1872 has been set to OPENSSL_EC_NAMED_CURVE. 1873 - Points are encoded in uncompressed form by default; options for 1874 asn1_for are as for point2oct, namely 1875 POINT_CONVERSION_COMPRESSED 1876 POINT_CONVERSION_UNCOMPRESSED 1877 POINT_CONVERSION_HYBRID 1878 1879 Also add 'seed' and 'seed_len' members to EC_GROUP with access 1880 functions 1881 EC_GROUP_set_seed() 1882 EC_GROUP_get0_seed() 1883 EC_GROUP_get_seed_len() 1884 This is used only for ASN1 purposes (so far). 1885 [Nils Larsch <nla@trustcenter.de>] 1886 1887 *) Add 'field_type' member to EC_METHOD, which holds the NID 1888 of the appropriate field type OID. The new function 1889 EC_METHOD_get_field_type() returns this value. 1890 [Nils Larsch <nla@trustcenter.de>] 1891 1892 *) Add functions 1893 EC_POINT_point2bn() 1894 EC_POINT_bn2point() 1895 EC_POINT_point2hex() 1896 EC_POINT_hex2point() 1897 providing useful interfaces to EC_POINT_point2oct() and 1898 EC_POINT_oct2point(). 1899 [Nils Larsch <nla@trustcenter.de>] 1900 1901 *) Change internals of the EC library so that the functions 1902 EC_GROUP_set_generator() 1903 EC_GROUP_get_generator() 1904 EC_GROUP_get_order() 1905 EC_GROUP_get_cofactor() 1906 are implemented directly in crypto/ec/ec_lib.c and not dispatched 1907 to methods, which would lead to unnecessary code duplication when 1908 adding different types of curves. 1909 [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller] 1910 1911 *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM 1912 arithmetic, and such that modified wNAFs are generated 1913 (which avoid length expansion in many cases). 1914 [Bodo Moeller] 1915 1916 *) Add a function EC_GROUP_check_discriminant() (defined via 1917 EC_METHOD) that verifies that the curve discriminant is non-zero. 1918 1919 Add a function EC_GROUP_check() that makes some sanity tests 1920 on a EC_GROUP, its generator and order. This includes 1921 EC_GROUP_check_discriminant(). 1922 [Nils Larsch <nla@trustcenter.de>] 1923 1924 *) Add ECDSA in new directory crypto/ecdsa/. 1925 1926 Add applications 'openssl ecparam' and 'openssl ecdsa' 1927 (these are based on 'openssl dsaparam' and 'openssl dsa'). 1928 1929 ECDSA support is also included in various other files across the 1930 library. Most notably, 1931 - 'openssl req' now has a '-newkey ecdsa:file' option; 1932 - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; 1933 - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and 1934 d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make 1935 them suitable for ECDSA where domain parameters must be 1936 extracted before the specific public key; 1937 - ECDSA engine support has been added. 1938 [Nils Larsch <nla@trustcenter.de>] 1939 1940 *) Include some named elliptic curves, and add OIDs from X9.62, 1941 SECG, and WAP/WTLS. Each curve can be obtained from the new 1942 function 1943 EC_GROUP_new_by_curve_name(), 1944 and the list of available named curves can be obtained with 1945 EC_get_builtin_curves(). 1946 Also add a 'curve_name' member to EC_GROUP objects, which can be 1947 accessed via 1948 EC_GROUP_set_curve_name() 1949 EC_GROUP_get_curve_name() 1950 [Nils Larsch <larsch@trustcenter.de, Bodo Moeller] 1951 1952 *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there 1953 was actually never needed) and in BN_mul(). The removal in BN_mul() 1954 required a small change in bn_mul_part_recursive() and the addition 1955 of the functions bn_cmp_part_words(), bn_sub_part_words() and 1956 bn_add_part_words(), which do the same thing as bn_cmp_words(), 1957 bn_sub_words() and bn_add_words() except they take arrays with 1958 differing sizes. 1959 [Richard Levitte] 1960 1961 Changes between 0.9.7l and 0.9.7m [23 Feb 2007] 1962 1963 *) Cleanse PEM buffers before freeing them since they may contain 1964 sensitive data. 1965 [Benjamin Bennett <ben@psc.edu>] 1966 1967 *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that 1968 a ciphersuite string such as "DEFAULT:RSA" cannot enable 1969 authentication-only ciphersuites. 1970 [Bodo Moeller] 1971 1972 *) Since AES128 and AES256 share a single mask bit in the logic of 1973 ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a 1974 kludge to work properly if AES128 is available and AES256 isn't. 1975 [Victor Duchovni] 1976 1977 *) Expand security boundary to match 1.1.1 module. 1978 [Steve Henson] 1979 1980 *) Remove redundant features: hash file source, editing of test vectors 1981 modify fipsld to use external fips_premain.c signature. 1982 [Steve Henson] 1983 1984 *) New perl script mkfipsscr.pl to create shell scripts or batch files to 1985 run algorithm test programs. 1986 [Steve Henson] 1987 1988 *) Make algorithm test programs more tolerant of whitespace. 1989 [Steve Henson] 1990 1991 *) Have SSL/TLS server implementation tolerate "mismatched" record 1992 protocol version while receiving ClientHello even if the 1993 ClientHello is fragmented. (The server can't insist on the 1994 particular protocol version it has chosen before the ServerHello 1995 message has informed the client about his choice.) 1996 [Bodo Moeller] 1997 1998 *) Load error codes if they are not already present instead of using a 1999 static variable. This allows them to be cleanly unloaded and reloaded. 2000 [Steve Henson] 2001 2002 Changes between 0.9.7k and 0.9.7l [28 Sep 2006] 2003 2004 *) Introduce limits to prevent malicious keys being able to 2005 cause a denial of service. (CVE-2006-2940) 2006 [Steve Henson, Bodo Moeller] 2007 2008 *) Fix ASN.1 parsing of certain invalid structures that can result 2009 in a denial of service. (CVE-2006-2937) [Steve Henson] 2010 2011 *) Fix buffer overflow in SSL_get_shared_ciphers() function. 2012 (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] 2013 2014 *) Fix SSL client code which could crash if connecting to a 2015 malicious SSLv2 server. (CVE-2006-4343) 2016 [Tavis Ormandy and Will Drewry, Google Security Team] 2017 2018 *) Change ciphersuite string processing so that an explicit 2019 ciphersuite selects this one ciphersuite (so that "AES256-SHA" 2020 will no longer include "AES128-SHA"), and any other similar 2021 ciphersuite (same bitmap) from *other* protocol versions (so that 2022 "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the 2023 SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining 2024 changes from 0.9.8b and 0.9.8d. 2025 [Bodo Moeller] 2026 2027 Changes between 0.9.7j and 0.9.7k [05 Sep 2006] 2028 2029 *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher 2030 (CVE-2006-4339) [Ben Laurie and Google Security Team] 2031 2032 *) Change the Unix randomness entropy gathering to use poll() when 2033 possible instead of select(), since the latter has some 2034 undesirable limitations. 2035 [Darryl Miles via Richard Levitte and Bodo Moeller] 2036 2037 *) Disable rogue ciphersuites: 2038 2039 - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") 2040 - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") 2041 - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") 2042 2043 The latter two were purportedly from 2044 draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really 2045 appear there. 2046 2047 Also deactive the remaining ciphersuites from 2048 draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as 2049 unofficial, and the ID has long expired. 2050 [Bodo Moeller] 2051 2052 *) Fix RSA blinding Heisenbug (problems sometimes occured on 2053 dual-core machines) and other potential thread-safety issues. 2054 [Bodo Moeller] 2055 2056 Changes between 0.9.7i and 0.9.7j [04 May 2006] 2057 2058 *) Adapt fipsld and the build system to link against the validated FIPS 2059 module in FIPS mode. 2060 [Steve Henson] 2061 2062 *) Fixes for VC++ 2005 build under Windows. 2063 [Steve Henson] 2064 2065 *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 2066 from a Windows bash shell such as MSYS. It is autodetected from the 2067 "config" script when run from a VC++ environment. Modify standard VC++ 2068 build to use fipscanister.o from the GNU make build. 2069 [Steve Henson] 2070 2071 Changes between 0.9.7h and 0.9.7i [14 Oct 2005] 2072 2073 *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS. 2074 The value now differs depending on if you build for FIPS or not. 2075 BEWARE! A program linked with a shared FIPSed libcrypto can't be 2076 safely run with a non-FIPSed libcrypto, as it may crash because of 2077 the difference induced by this change. 2078 [Andy Polyakov] 2079 2080 Changes between 0.9.7g and 0.9.7h [11 Oct 2005] 2081 2082 *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING 2083 (part of SSL_OP_ALL). This option used to disable the 2084 countermeasure against man-in-the-middle protocol-version 2085 rollback in the SSL 2.0 server implementation, which is a bad 2086 idea. (CVE-2005-2969) 2087 2088 [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center 2089 for Information Security, National Institute of Advanced Industrial 2090 Science and Technology [AIST], Japan)] 2091 2092 *) Minimal support for X9.31 signatures and PSS padding modes. This is 2093 mainly for FIPS compliance and not fully integrated at this stage. 2094 [Steve Henson] 2095 2096 *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform 2097 the exponentiation using a fixed-length exponent. (Otherwise, 2098 the information leaked through timing could expose the secret key 2099 after many signatures; cf. Bleichenbacher's attack on DSA with 2100 biased k.) 2101 [Bodo Moeller] 2102 2103 *) Make a new fixed-window mod_exp implementation the default for 2104 RSA, DSA, and DH private-key operations so that the sequence of 2105 squares and multiplies and the memory access pattern are 2106 independent of the particular secret key. This will mitigate 2107 cache-timing and potential related attacks. 2108 2109 BN_mod_exp_mont_consttime() is the new exponentiation implementation, 2110 and this is automatically used by BN_mod_exp_mont() if the new flag 2111 BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH 2112 will use this BN flag for private exponents unless the flag 2113 RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or 2114 DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. 2115 2116 [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] 2117 2118 *) Change the client implementation for SSLv23_method() and 2119 SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 2120 Client Hello message format if the SSL_OP_NO_SSLv2 option is set. 2121 (Previously, the SSL 2.0 backwards compatible Client Hello 2122 message format would be used even with SSL_OP_NO_SSLv2.) 2123 [Bodo Moeller] 2124 2125 *) Add support for smime-type MIME parameter in S/MIME messages which some 2126 clients need. 2127 [Steve Henson] 2128 2129 *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in 2130 a threadsafe manner. Modify rsa code to use new function and add calls 2131 to dsa and dh code (which had race conditions before). 2132 [Steve Henson] 2133 2134 *) Include the fixed error library code in the C error file definitions 2135 instead of fixing them up at runtime. This keeps the error code 2136 structures constant. 2137 [Steve Henson] 2138 2139 Changes between 0.9.7f and 0.9.7g [11 Apr 2005] 2140 2141 [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after 2142 OpenSSL 0.9.8.] 2143 2144 *) Fixes for newer kerberos headers. NB: the casts are needed because 2145 the 'length' field is signed on one version and unsigned on another 2146 with no (?) obvious way to tell the difference, without these VC++ 2147 complains. Also the "definition" of FAR (blank) is no longer included 2148 nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up 2149 some needed definitions. 2150 [Steve Henson] 2151 2152 *) Undo Cygwin change. 2153 [Ulf M�ller] 2154 2155 *) Added support for proxy certificates according to RFC 3820. 2156 Because they may be a security thread to unaware applications, 2157 they must be explicitely allowed in run-time. See 2158 docs/HOWTO/proxy_certificates.txt for further information. 2159 [Richard Levitte] 2160 2161 Changes between 0.9.7e and 0.9.7f [22 Mar 2005] 2162 2163 *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating 2164 server and client random values. Previously 2165 (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in 2166 less random data when sizeof(time_t) > 4 (some 64 bit platforms). 2167 2168 This change has negligible security impact because: 2169 2170 1. Server and client random values still have 24 bytes of pseudo random 2171 data. 2172 2173 2. Server and client random values are sent in the clear in the initial 2174 handshake. 2175 2176 3. The master secret is derived using the premaster secret (48 bytes in 2177 size for static RSA ciphersuites) as well as client server and random 2178 values. 2179 2180 The OpenSSL team would like to thank the UK NISCC for bringing this issue 2181 to our attention. 2182 2183 [Stephen Henson, reported by UK NISCC] 2184 2185 *) Use Windows randomness collection on Cygwin. 2186 [Ulf M�ller] 2187 2188 *) Fix hang in EGD/PRNGD query when communication socket is closed 2189 prematurely by EGD/PRNGD. 2190 [Darren Tucker <dtucker@zip.com.au> via Lutz J�nicke, resolves #1014] 2191 2192 *) Prompt for pass phrases when appropriate for PKCS12 input format. 2193 [Steve Henson] 2194 2195 *) Back-port of selected performance improvements from development 2196 branch, as well as improved support for PowerPC platforms. 2197 [Andy Polyakov] 2198 2199 *) Add lots of checks for memory allocation failure, error codes to indicate 2200 failure and freeing up memory if a failure occurs. 2201 [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson] 2202 2203 *) Add new -passin argument to dgst. 2204 [Steve Henson] 2205 2206 *) Perform some character comparisons of different types in X509_NAME_cmp: 2207 this is needed for some certificates that reencode DNs into UTF8Strings 2208 (in violation of RFC3280) and can't or wont issue name rollover 2209 certificates. 2210 [Steve Henson] 2211 2212 *) Make an explicit check during certificate validation to see that 2213 the CA setting in each certificate on the chain is correct. As a 2214 side effect always do the following basic checks on extensions, 2215 not just when there's an associated purpose to the check: 2216 2217 - if there is an unhandled critical extension (unless the user 2218 has chosen to ignore this fault) 2219 - if the path length has been exceeded (if one is set at all) 2220 - that certain extensions fit the associated purpose (if one has 2221 been given) 2222 [Richard Levitte] 2223 2224 Changes between 0.9.7d and 0.9.7e [25 Oct 2004] 2225 2226 *) Avoid a race condition when CRLs are checked in a multi threaded 2227 environment. This would happen due to the reordering of the revoked 2228 entries during signature checking and serial number lookup. Now the 2229 encoding is cached and the serial number sort performed under a lock. 2230 Add new STACK function sk_is_sorted(). 2231 [Steve Henson] 2232 2233 *) Add Delta CRL to the extension code. 2234 [Steve Henson] 2235 2236 *) Various fixes to s3_pkt.c so alerts are sent properly. 2237 [David Holmes <d.holmes@f5.com>] 2238 2239 *) Reduce the chances of duplicate issuer name and serial numbers (in 2240 violation of RFC3280) using the OpenSSL certificate creation utilities. 2241 This is done by creating a random 64 bit value for the initial serial 2242 number when a serial number file is created or when a self signed 2243 certificate is created using 'openssl req -x509'. The initial serial 2244 number file is created using 'openssl x509 -next_serial' in CA.pl 2245 rather than being initialized to 1. 2246 [Steve Henson] 2247 2248 Changes between 0.9.7c and 0.9.7d [17 Mar 2004] 2249 2250 *) Fix null-pointer assignment in do_change_cipher_spec() revealed 2251 by using the Codenomicon TLS Test Tool (CVE-2004-0079) 2252 [Joe Orton, Steve Henson] 2253 2254 *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites 2255 (CVE-2004-0112) 2256 [Joe Orton, Steve Henson] 2257 2258 *) Make it possible to have multiple active certificates with the same 2259 subject in the CA index file. This is done only if the keyword 2260 'unique_subject' is set to 'no' in the main CA section (default 2261 if 'CA_default') of the configuration file. The value is saved 2262 with the database itself in a separate index attribute file, 2263 named like the index file with '.attr' appended to the name. 2264 [Richard Levitte] 2265 2266 *) X509 verify fixes. Disable broken certificate workarounds when 2267 X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if 2268 keyUsage extension present. Don't accept CRLs with unhandled critical 2269 extensions: since verify currently doesn't process CRL extensions this 2270 rejects a CRL with *any* critical extensions. Add new verify error codes 2271 for these cases. 2272 [Steve Henson] 2273 2274 *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. 2275 A clarification of RFC2560 will require the use of OCTET STRINGs and 2276 some implementations cannot handle the current raw format. Since OpenSSL 2277 copies and compares OCSP nonces as opaque blobs without any attempt at 2278 parsing them this should not create any compatibility issues. 2279 [Steve Henson] 2280 2281 *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when 2282 calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without 2283 this HMAC (and other) operations are several times slower than OpenSSL 2284 < 0.9.7. 2285 [Steve Henson] 2286 2287 *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). 2288 [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] 2289 2290 *) Use the correct content when signing type "other". 2291 [Steve Henson] 2292 2293 Changes between 0.9.7b and 0.9.7c [30 Sep 2003] 2294 2295 *) Fix various bugs revealed by running the NISCC test suite: 2296 2297 Stop out of bounds reads in the ASN1 code when presented with 2298 invalid tags (CVE-2003-0543 and CVE-2003-0544). 2299 2300 Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545). 2301 2302 If verify callback ignores invalid public key errors don't try to check 2303 certificate signature with the NULL public key. 2304 2305 [Steve Henson] 2306 2307 *) New -ignore_err option in ocsp application to stop the server 2308 exiting on the first error in a request. 2309 [Steve Henson] 2310 2311 *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate 2312 if the server requested one: as stated in TLS 1.0 and SSL 3.0 2313 specifications. 2314 [Steve Henson] 2315 2316 *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional 2317 extra data after the compression methods not only for TLS 1.0 2318 but also for SSL 3.0 (as required by the specification). 2319 [Bodo Moeller; problem pointed out by Matthias Loepfe] 2320 2321 *) Change X509_certificate_type() to mark the key as exported/exportable 2322 when it's 512 *bits* long, not 512 bytes. 2323 [Richard Levitte] 2324 2325 *) Change AES_cbc_encrypt() so it outputs exact multiple of 2326 blocks during encryption. 2327 [Richard Levitte] 2328 2329 *) Various fixes to base64 BIO and non blocking I/O. On write 2330 flushes were not handled properly if the BIO retried. On read 2331 data was not being buffered properly and had various logic bugs. 2332 This also affects blocking I/O when the data being decoded is a 2333 certain size. 2334 [Steve Henson] 2335 2336 *) Various S/MIME bugfixes and compatibility changes: 2337 output correct application/pkcs7 MIME type if 2338 PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. 2339 Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening 2340 of files as .eml work). Correctly handle very long lines in MIME 2341 parser. 2342 [Steve Henson] 2343 2344 Changes between 0.9.7a and 0.9.7b [10 Apr 2003] 2345 2346 *) Countermeasure against the Klima-Pokorny-Rosa extension of 2347 Bleichbacher's attack on PKCS #1 v1.5 padding: treat 2348 a protocol version number mismatch like a decryption error 2349 in ssl3_get_client_key_exchange (ssl/s3_srvr.c). 2350 [Bodo Moeller] 2351 2352 *) Turn on RSA blinding by default in the default implementation 2353 to avoid a timing attack. Applications that don't want it can call 2354 RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 2355 They would be ill-advised to do so in most cases. 2356 [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] 2357 2358 *) Change RSA blinding code so that it works when the PRNG is not 2359 seeded (in this case, the secret RSA exponent is abused as 2360 an unpredictable seed -- if it is not unpredictable, there 2361 is no point in blinding anyway). Make RSA blinding thread-safe 2362 by remembering the creator's thread ID in rsa->blinding and 2363 having all other threads use local one-time blinding factors 2364 (this requires more computation than sharing rsa->blinding, but 2365 avoids excessive locking; and if an RSA object is not shared 2366 between threads, blinding will still be very fast). 2367 [Bodo Moeller] 2368 2369 *) Fixed a typo bug that would cause ENGINE_set_default() to set an 2370 ENGINE as defaults for all supported algorithms irrespective of 2371 the 'flags' parameter. 'flags' is now honoured, so applications 2372 should make sure they are passing it correctly. 2373 [Geoff Thorpe] 2374 2375 *) Target "mingw" now allows native Windows code to be generated in 2376 the Cygwin environment as well as with the MinGW compiler. 2377 [Ulf Moeller] 2378 2379 Changes between 0.9.7 and 0.9.7a [19 Feb 2003] 2380 2381 *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 2382 via timing by performing a MAC computation even if incorrrect 2383 block cipher padding has been found. This is a countermeasure 2384 against active attacks where the attacker has to distinguish 2385 between bad padding and a MAC verification error. (CVE-2003-0078) 2386 2387 [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), 2388 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and 2389 Martin Vuagnoux (EPFL, Ilion)] 2390 2391 *) Make the no-err option work as intended. The intention with no-err 2392 is not to have the whole error stack handling routines removed from 2393 libcrypto, it's only intended to remove all the function name and 2394 reason texts, thereby removing some of the footprint that may not 2395 be interesting if those errors aren't displayed anyway. 2396 2397 NOTE: it's still possible for any application or module to have it's 2398 own set of error texts inserted. The routines are there, just not 2399 used by default when no-err is given. 2400 [Richard Levitte] 2401 2402 *) Add support for FreeBSD on IA64. 2403 [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] 2404 2405 *) Adjust DES_cbc_cksum() so it returns the same value as the MIT 2406 Kerberos function mit_des_cbc_cksum(). Before this change, 2407 the value returned by DES_cbc_cksum() was like the one from 2408 mit_des_cbc_cksum(), except the bytes were swapped. 2409 [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte] 2410 2411 *) Allow an application to disable the automatic SSL chain building. 2412 Before this a rather primitive chain build was always performed in 2413 ssl3_output_cert_chain(): an application had no way to send the 2414 correct chain if the automatic operation produced an incorrect result. 2415 2416 Now the chain builder is disabled if either: 2417 2418 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). 2419 2420 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. 2421 2422 The reasoning behind this is that an application would not want the 2423 auto chain building to take place if extra chain certificates are 2424 present and it might also want a means of sending no additional 2425 certificates (for example the chain has two certificates and the 2426 root is omitted). 2427 [Steve Henson] 2428 2429 *) Add the possibility to build without the ENGINE framework. 2430 [Steven Reddie <smr@essemer.com.au> via Richard Levitte] 2431 2432 *) Under Win32 gmtime() can return NULL: check return value in 2433 OPENSSL_gmtime(). Add error code for case where gmtime() fails. 2434 [Steve Henson] 2435 2436 *) DSA routines: under certain error conditions uninitialized BN objects 2437 could be freed. Solution: make sure initialization is performed early 2438 enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, 2439 Nils Larsch <nla@trustcenter.de> via PR#459) 2440 [Lutz Jaenicke] 2441 2442 *) Another fix for SSLv2 session ID handling: the session ID was incorrectly 2443 checked on reconnect on the client side, therefore session resumption 2444 could still fail with a "ssl session id is different" error. This 2445 behaviour is masked when SSL_OP_ALL is used due to 2446 SSL_OP_MICROSOFT_SESS_ID_BUG being set. 2447 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 2448 followup to PR #377. 2449 [Lutz Jaenicke] 2450 2451 *) IA-32 assembler support enhancements: unified ELF targets, support 2452 for SCO/Caldera platforms, fix for Cygwin shared build. 2453 [Andy Polyakov] 2454 2455 *) Add support for FreeBSD on sparc64. As a consequence, support for 2456 FreeBSD on non-x86 processors is separate from x86 processors on 2457 the config script, much like the NetBSD support. 2458 [Richard Levitte & Kris Kennaway <kris@obsecurity.org>] 2459 2460 Changes between 0.9.6h and 0.9.7 [31 Dec 2002] 2461 2462 [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after 2463 OpenSSL 0.9.7.] 2464 2465 *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED 2466 code (06) was taken as the first octet of the session ID and the last 2467 octet was ignored consequently. As a result SSLv2 client side session 2468 caching could not have worked due to the session ID mismatch between 2469 client and server. 2470 Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as 2471 PR #377. 2472 [Lutz Jaenicke] 2473 2474 *) Change the declaration of needed Kerberos libraries to use EX_LIBS 2475 instead of the special (and badly supported) LIBKRB5. LIBKRB5 is 2476 removed entirely. 2477 [Richard Levitte] 2478 2479 *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it 2480 seems that in spite of existing for more than a year, many application 2481 author have done nothing to provide the necessary callbacks, which 2482 means that this particular engine will not work properly anywhere. 2483 This is a very unfortunate situation which forces us, in the name 2484 of usability, to give the hw_ncipher.c a static lock, which is part 2485 of libcrypto. 2486 NOTE: This is for the 0.9.7 series ONLY. This hack will never 2487 appear in 0.9.8 or later. We EXPECT application authors to have 2488 dealt properly with this when 0.9.8 is released (unless we actually 2489 make such changes in the libcrypto locking code that changes will 2490 have to be made anyway). 2491 [Richard Levitte] 2492 2493 *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content 2494 octets have been read, EOF or an error occurs. Without this change 2495 some truncated ASN1 structures will not produce an error. 2496 [Steve Henson] 2497 2498 *) Disable Heimdal support, since it hasn't been fully implemented. 2499 Still give the possibility to force the use of Heimdal, but with 2500 warnings and a request that patches get sent to openssl-dev. 2501 [Richard Levitte] 2502 2503 *) Add the VC-CE target, introduce the WINCE sysname, and add 2504 INSTALL.WCE and appropriate conditionals to make it build. 2505 [Steven Reddie <smr@essemer.com.au> via Richard Levitte] 2506 2507 *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and 2508 cygssl-x.y.z.dll, where x, y and z are the major, minor and 2509 edit numbers of the version. 2510 [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] 2511 2512 *) Introduce safe string copy and catenation functions 2513 (BUF_strlcpy() and BUF_strlcat()). 2514 [Ben Laurie (CHATS) and Richard Levitte] 2515 2516 *) Avoid using fixed-size buffers for one-line DNs. 2517 [Ben Laurie (CHATS)] 2518 2519 *) Add BUF_MEM_grow_clean() to avoid information leakage when 2520 resizing buffers containing secrets, and use where appropriate. 2521 [Ben Laurie (CHATS)] 2522 2523 *) Avoid using fixed size buffers for configuration file location. 2524 [Ben Laurie (CHATS)] 2525 2526 *) Avoid filename truncation for various CA files. 2527 [Ben Laurie (CHATS)] 2528 2529 *) Use sizeof in preference to magic numbers. 2530 [Ben Laurie (CHATS)] 2531 2532 *) Avoid filename truncation in cert requests. 2533 [Ben Laurie (CHATS)] 2534 2535 *) Add assertions to check for (supposedly impossible) buffer 2536 overflows. 2537 [Ben Laurie (CHATS)] 2538 2539 *) Don't cache truncated DNS entries in the local cache (this could 2540 potentially lead to a spoofing attack). 2541 [Ben Laurie (CHATS)] 2542 2543 *) Fix various buffers to be large enough for hex/decimal 2544 representations in a platform independent manner. 2545 [Ben Laurie (CHATS)] 2546 2547 *) Add CRYPTO_realloc_clean() to avoid information leakage when 2548 resizing buffers containing secrets, and use where appropriate. 2549 [Ben Laurie (CHATS)] 2550 2551 *) Add BIO_indent() to avoid much slightly worrying code to do 2552 indents. 2553 [Ben Laurie (CHATS)] 2554 2555 *) Convert sprintf()/BIO_puts() to BIO_printf(). 2556 [Ben Laurie (CHATS)] 2557 2558 *) buffer_gets() could terminate with the buffer only half 2559 full. Fixed. 2560 [Ben Laurie (CHATS)] 2561 2562 *) Add assertions to prevent user-supplied crypto functions from 2563 overflowing internal buffers by having large block sizes, etc. 2564 [Ben Laurie (CHATS)] 2565 2566 *) New OPENSSL_assert() macro (similar to assert(), but enabled 2567 unconditionally). 2568 [Ben Laurie (CHATS)] 2569 2570 *) Eliminate unused copy of key in RC4. 2571 [Ben Laurie (CHATS)] 2572 2573 *) Eliminate unused and incorrectly sized buffers for IV in pem.h. 2574 [Ben Laurie (CHATS)] 2575 2576 *) Fix off-by-one error in EGD path. 2577 [Ben Laurie (CHATS)] 2578 2579 *) If RANDFILE path is too long, ignore instead of truncating. 2580 [Ben Laurie (CHATS)] 2581 2582 *) Eliminate unused and incorrectly sized X.509 structure 2583 CBCParameter. 2584 [Ben Laurie (CHATS)] 2585 2586 *) Eliminate unused and dangerous function knumber(). 2587 [Ben Laurie (CHATS)] 2588 2589 *) Eliminate unused and dangerous structure, KSSL_ERR. 2590 [Ben Laurie (CHATS)] 2591 2592 *) Protect against overlong session ID context length in an encoded 2593 session object. Since these are local, this does not appear to be 2594 exploitable. 2595 [Ben Laurie (CHATS)] 2596 2597 *) Change from security patch (see 0.9.6e below) that did not affect 2598 the 0.9.6 release series: 2599 2600 Remote buffer overflow in SSL3 protocol - an attacker could 2601 supply an oversized master key in Kerberos-enabled versions. 2602 (CVE-2002-0657) 2603 [Ben Laurie (CHATS)] 2604 2605 *) Change the SSL kerb5 codes to match RFC 2712. 2606 [Richard Levitte] 2607 2608 *) Make -nameopt work fully for req and add -reqopt switch. 2609 [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson] 2610 2611 *) The "block size" for block ciphers in CFB and OFB mode should be 1. 2612 [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>] 2613 2614 *) Make sure tests can be performed even if the corresponding algorithms 2615 have been removed entirely. This was also the last step to make 2616 OpenSSL compilable with DJGPP under all reasonable conditions. 2617 [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>] 2618 2619 *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT 2620 to allow version independent disabling of normally unselected ciphers, 2621 which may be activated as a side-effect of selecting a single cipher. 2622 2623 (E.g., cipher list string "RSA" enables ciphersuites that are left 2624 out of "ALL" because they do not provide symmetric encryption. 2625 "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.) 2626 [Lutz Jaenicke, Bodo Moeller] 2627 2628 *) Add appropriate support for separate platform-dependent build 2629 directories. The recommended way to make a platform-dependent 2630 build directory is the following (tested on Linux), maybe with 2631 some local tweaks: 2632 2633 # Place yourself outside of the OpenSSL source tree. In 2634 # this example, the environment variable OPENSSL_SOURCE 2635 # is assumed to contain the absolute OpenSSL source directory. 2636 mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" 2637 cd objtree/"`uname -s`-`uname -r`-`uname -m`" 2638 (cd $OPENSSL_SOURCE; find . -type f) | while read F; do 2639 mkdir -p `dirname $F` 2640 ln -s $OPENSSL_SOURCE/$F $F 2641 done 2642 2643 To be absolutely sure not to disturb the source tree, a "make clean" 2644 is a good thing. If it isn't successfull, don't worry about it, 2645 it probably means the source directory is very clean. 2646 [Richard Levitte] 2647 2648 *) Make sure any ENGINE control commands make local copies of string 2649 pointers passed to them whenever necessary. Otherwise it is possible 2650 the caller may have overwritten (or deallocated) the original string 2651 data when a later ENGINE operation tries to use the stored values. 2652 [G�tz Babin-Ebell <babinebell@trustcenter.de>] 2653 2654 *) Improve diagnostics in file reading and command-line digests. 2655 [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>] 2656 2657 *) Add AES modes CFB and OFB to the object database. Correct an 2658 error in AES-CFB decryption. 2659 [Richard Levitte] 2660 2661 *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 2662 allows existing EVP_CIPHER_CTX structures to be reused after 2663 calling EVP_*Final(). This behaviour is used by encryption 2664 BIOs and some applications. This has the side effect that 2665 applications must explicitly clean up cipher contexts with 2666 EVP_CIPHER_CTX_cleanup() or they will leak memory. 2667 [Steve Henson] 2668 2669 *) Check the values of dna and dnb in bn_mul_recursive before calling 2670 bn_mul_comba (a non zero value means the a or b arrays do not contain 2671 n2 elements) and fallback to bn_mul_normal if either is not zero. 2672 [Steve Henson] 2673 2674 *) Fix escaping of non-ASCII characters when using the -subj option 2675 of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>) 2676 [Lutz Jaenicke] 2677 2678 *) Make object definitions compliant to LDAP (RFC2256): SN is the short 2679 form for "surname", serialNumber has no short form. 2680 Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; 2681 therefore remove "mail" short name for "internet 7". 2682 The OID for unique identifiers in X509 certificates is 2683 x500UniqueIdentifier, not uniqueIdentifier. 2684 Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>) 2685 [Lutz Jaenicke] 2686 2687 *) Add an "init" command to the ENGINE config module and auto initialize 2688 ENGINEs. Without any "init" command the ENGINE will be initialized 2689 after all ctrl commands have been executed on it. If init=1 the 2690 ENGINE is initailized at that point (ctrls before that point are run 2691 on the uninitialized ENGINE and after on the initialized one). If 2692 init=0 then the ENGINE will not be iniatialized at all. 2693 [Steve Henson] 2694 2695 *) Fix the 'app_verify_callback' interface so that the user-defined 2696 argument is actually passed to the callback: In the 2697 SSL_CTX_set_cert_verify_callback() prototype, the callback 2698 declaration has been changed from 2699 int (*cb)() 2700 into 2701 int (*cb)(X509_STORE_CTX *,void *); 2702 in ssl_verify_cert_chain (ssl/ssl_cert.c), the call 2703 i=s->ctx->app_verify_callback(&ctx) 2704 has been changed into 2705 i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). 2706 2707 To update applications using SSL_CTX_set_cert_verify_callback(), 2708 a dummy argument can be added to their callback functions. 2709 [D. K. Smetters <smetters@parc.xerox.com>] 2710 2711 *) Added the '4758cca' ENGINE to support IBM 4758 cards. 2712 [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] 2713 2714 *) Add and OPENSSL_LOAD_CONF define which will cause 2715 OpenSSL_add_all_algorithms() to load the openssl.cnf config file. 2716 This allows older applications to transparently support certain 2717 OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. 2718 Two new functions OPENSSL_add_all_algorithms_noconf() which will never 2719 load the config file and OPENSSL_add_all_algorithms_conf() which will 2720 always load it have also been added. 2721 [Steve Henson] 2722 2723 *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. 2724 Adjust NIDs and EVP layer. 2725 [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] 2726 2727 *) Config modules support in openssl utility. 2728 2729 Most commands now load modules from the config file, 2730 though in a few (such as version) this isn't done 2731 because it couldn't be used for anything. 2732 2733 In the case of ca and req the config file used is 2734 the same as the utility itself: that is the -config 2735 command line option can be used to specify an 2736 alternative file. 2737 [Steve Henson] 2738 2739 *) Move default behaviour from OPENSSL_config(). If appname is NULL 2740 use "openssl_conf" if filename is NULL use default openssl config file. 2741 [Steve Henson] 2742 2743 *) Add an argument to OPENSSL_config() to allow the use of an alternative 2744 config section name. Add a new flag to tolerate a missing config file 2745 and move code to CONF_modules_load_file(). 2746 [Steve Henson] 2747 2748 *) Support for crypto accelerator cards from Accelerated Encryption 2749 Processing, www.aep.ie. (Use engine 'aep') 2750 The support was copied from 0.9.6c [engine] and adapted/corrected 2751 to work with the new engine framework. 2752 [AEP Inc. and Richard Levitte] 2753 2754 *) Support for SureWare crypto accelerator cards from Baltimore 2755 Technologies. (Use engine 'sureware') 2756 The support was copied from 0.9.6c [engine] and adapted 2757 to work with the new engine framework. 2758 [Richard Levitte] 2759 2760 *) Have the CHIL engine fork-safe (as defined by nCipher) and actually 2761 make the newer ENGINE framework commands for the CHIL engine work. 2762 [Toomas Kiisk <vix@cyber.ee> and Richard Levitte] 2763 2764 *) Make it possible to produce shared libraries on ReliantUNIX. 2765 [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte] 2766 2767 *) Add the configuration target debug-linux-ppro. 2768 Make 'openssl rsa' use the general key loading routines 2769 implemented in apps.c, and make those routines able to 2770 handle the key format FORMAT_NETSCAPE and the variant 2771 FORMAT_IISSGC. 2772 [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] 2773 2774 *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). 2775 [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] 2776 2777 *) Add -keyform to rsautl, and document -engine. 2778 [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>] 2779 2780 *) Change BIO_new_file (crypto/bio/bss_file.c) to use new 2781 BIO_R_NO_SUCH_FILE error code rather than the generic 2782 ERR_R_SYS_LIB error code if fopen() fails with ENOENT. 2783 [Ben Laurie] 2784 2785 *) Add new functions 2786 ERR_peek_last_error 2787 ERR_peek_last_error_line 2788 ERR_peek_last_error_line_data. 2789 These are similar to 2790 ERR_peek_error 2791 ERR_peek_error_line 2792 ERR_peek_error_line_data, 2793 but report on the latest error recorded rather than the first one 2794 still in the error queue. 2795 [Ben Laurie, Bodo Moeller] 2796 2797 *) default_algorithms option in ENGINE config module. This allows things 2798 like: 2799 default_algorithms = ALL 2800 default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS 2801 [Steve Henson] 2802 2803 *) Prelminary ENGINE config module. 2804 [Steve Henson] 2805 2806 *) New experimental application configuration code. 2807 [Steve Henson] 2808 2809 *) Change the AES code to follow the same name structure as all other 2810 symmetric ciphers, and behave the same way. Move everything to 2811 the directory crypto/aes, thereby obsoleting crypto/rijndael. 2812 [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] 2813 2814 *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. 2815 [Ben Laurie and Theo de Raadt] 2816 2817 *) Add option to output public keys in req command. 2818 [Massimiliano Pala madwolf@openca.org] 2819 2820 *) Use wNAFs in EC_POINTs_mul() for improved efficiency 2821 (up to about 10% better than before for P-192 and P-224). 2822 [Bodo Moeller] 2823 2824 *) New functions/macros 2825 2826 SSL_CTX_set_msg_callback(ctx, cb) 2827 SSL_CTX_set_msg_callback_arg(ctx, arg) 2828 SSL_set_msg_callback(ssl, cb) 2829 SSL_set_msg_callback_arg(ssl, arg) 2830 2831 to request calling a callback function 2832 2833 void cb(int write_p, int version, int content_type, 2834 const void *buf, size_t len, SSL *ssl, void *arg) 2835 2836 whenever a protocol message has been completely received 2837 (write_p == 0) or sent (write_p == 1). Here 'version' is the 2838 protocol version according to which the SSL library interprets 2839 the current protocol message (SSL2_VERSION, SSL3_VERSION, or 2840 TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or 2841 the content type as defined in the SSL 3.0/TLS 1.0 protocol 2842 specification (change_cipher_spec(20), alert(21), handshake(22)). 2843 'buf' and 'len' point to the actual message, 'ssl' to the 2844 SSL object, and 'arg' is the application-defined value set by 2845 SSL[_CTX]_set_msg_callback_arg(). 2846 2847 'openssl s_client' and 'openssl s_server' have new '-msg' options 2848 to enable a callback that displays all protocol messages. 2849 [Bodo Moeller] 2850 2851 *) Change the shared library support so shared libraries are built as 2852 soon as the corresponding static library is finished, and thereby get 2853 openssl and the test programs linked against the shared library. 2854 This still only happens when the keyword "shard" has been given to 2855 the configuration scripts. 2856 2857 NOTE: shared library support is still an experimental thing, and 2858 backward binary compatibility is still not guaranteed. 2859 ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte] 2860 2861 *) Add support for Subject Information Access extension. 2862 [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] 2863 2864 *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero 2865 additional bytes when new memory had to be allocated, not just 2866 when reusing an existing buffer. 2867 [Bodo Moeller] 2868 2869 *) New command line and configuration option 'utf8' for the req command. 2870 This allows field values to be specified as UTF8 strings. 2871 [Steve Henson] 2872 2873 *) Add -multi and -mr options to "openssl speed" - giving multiple parallel 2874 runs for the former and machine-readable output for the latter. 2875 [Ben Laurie] 2876 2877 *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion 2878 of the e-mail address in the DN (i.e., it will go into a certificate 2879 extension only). The new configuration file option 'email_in_dn = no' 2880 has the same effect. 2881 [Massimiliano Pala madwolf@openca.org] 2882 2883 *) Change all functions with names starting with des_ to be starting 2884 with DES_ instead. Add wrappers that are compatible with libdes, 2885 but are named _ossl_old_des_*. Finally, add macros that map the 2886 des_* symbols to the corresponding _ossl_old_des_* if libdes 2887 compatibility is desired. If OpenSSL 0.9.6c compatibility is 2888 desired, the des_* symbols will be mapped to DES_*, with one 2889 exception. 2890 2891 Since we provide two compatibility mappings, the user needs to 2892 define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes 2893 compatibility is desired. The default (i.e., when that macro 2894 isn't defined) is OpenSSL 0.9.6c compatibility. 2895 2896 There are also macros that enable and disable the support of old 2897 des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT 2898 and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those 2899 are defined, the default will apply: to support the old des routines. 2900 2901 In either case, one must include openssl/des.h to get the correct 2902 definitions. Do not try to just include openssl/des_old.h, that 2903 won't work. 2904 2905 NOTE: This is a major break of an old API into a new one. Software 2906 authors are encouraged to switch to the DES_ style functions. Some 2907 time in the future, des_old.h and the libdes compatibility functions 2908 will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the 2909 default), and then completely removed. 2910 [Richard Levitte] 2911 2912 *) Test for certificates which contain unsupported critical extensions. 2913 If such a certificate is found during a verify operation it is 2914 rejected by default: this behaviour can be overridden by either 2915 handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or 2916 by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function 2917 X509_supported_extension() has also been added which returns 1 if a 2918 particular extension is supported. 2919 [Steve Henson] 2920 2921 *) Modify the behaviour of EVP cipher functions in similar way to digests 2922 to retain compatibility with existing code. 2923 [Steve Henson] 2924 2925 *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain 2926 compatibility with existing code. In particular the 'ctx' parameter does 2927 not have to be to be initialized before the call to EVP_DigestInit() and 2928 it is tidied up after a call to EVP_DigestFinal(). New function 2929 EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function 2930 EVP_MD_CTX_copy() changed to not require the destination to be 2931 initialized valid and new function EVP_MD_CTX_copy_ex() added which 2932 requires the destination to be valid. 2933 2934 Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), 2935 EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). 2936 [Steve Henson] 2937 2938 *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it 2939 so that complete 'Handshake' protocol structures are kept in memory 2940 instead of overwriting 'msg_type' and 'length' with 'body' data. 2941 [Bodo Moeller] 2942 2943 *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. 2944 [Massimo Santin via Richard Levitte] 2945 2946 *) Major restructuring to the underlying ENGINE code. This includes 2947 reduction of linker bloat, separation of pure "ENGINE" manipulation 2948 (initialisation, etc) from functionality dealing with implementations 2949 of specific crypto iterfaces. This change also introduces integrated 2950 support for symmetric ciphers and digest implementations - so ENGINEs 2951 can now accelerate these by providing EVP_CIPHER and EVP_MD 2952 implementations of their own. This is detailed in crypto/engine/README 2953 as it couldn't be adequately described here. However, there are a few 2954 API changes worth noting - some RSA, DSA, DH, and RAND functions that 2955 were changed in the original introduction of ENGINE code have now 2956 reverted back - the hooking from this code to ENGINE is now a good 2957 deal more passive and at run-time, operations deal directly with 2958 RSA_METHODs, DSA_METHODs (etc) as they did before, rather than 2959 dereferencing through an ENGINE pointer any more. Also, the ENGINE 2960 functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - 2961 they were not being used by the framework as there is no concept of a 2962 BIGNUM_METHOD and they could not be generalised to the new 2963 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, 2964 ENGINE_cpy() has been removed as it cannot be consistently defined in 2965 the new code. 2966 [Geoff Thorpe] 2967 2968 *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. 2969 [Steve Henson] 2970 2971 *) Change mkdef.pl to sort symbols that get the same entry number, 2972 and make sure the automatically generated functions ERR_load_* 2973 become part of libeay.num as well. 2974 [Richard Levitte] 2975 2976 *) New function SSL_renegotiate_pending(). This returns true once 2977 renegotiation has been requested (either SSL_renegotiate() call 2978 or HelloRequest/ClientHello receveived from the peer) and becomes 2979 false once a handshake has been completed. 2980 (For servers, SSL_renegotiate() followed by SSL_do_handshake() 2981 sends a HelloRequest, but does not ensure that a handshake takes 2982 place. SSL_renegotiate_pending() is useful for checking if the 2983 client has followed the request.) 2984 [Bodo Moeller] 2985 2986 *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. 2987 By default, clients may request session resumption even during 2988 renegotiation (if session ID contexts permit); with this option, 2989 session resumption is possible only in the first handshake. 2990 2991 SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes 2992 more bits available for options that should not be part of 2993 SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). 2994 [Bodo Moeller] 2995 2996 *) Add some demos for certificate and certificate request creation. 2997 [Steve Henson] 2998 2999 *) Make maximum certificate chain size accepted from the peer application 3000 settable (SSL*_get/set_max_cert_list()), as proposed by 3001 "Douglas E. Engert" <deengert@anl.gov>. 3002 [Lutz Jaenicke] 3003 3004 *) Add support for shared libraries for Unixware-7 3005 (Boyd Lynn Gerber <gerberb@zenez.com>). 3006 [Lutz Jaenicke] 3007 3008 *) Add a "destroy" handler to ENGINEs that allows structural cleanup to 3009 be done prior to destruction. Use this to unload error strings from 3010 ENGINEs that load their own error strings. NB: This adds two new API 3011 functions to "get" and "set" this destroy handler in an ENGINE. 3012 [Geoff Thorpe] 3013 3014 *) Alter all existing ENGINE implementations (except "openssl" and 3015 "openbsd") to dynamically instantiate their own error strings. This 3016 makes them more flexible to be built both as statically-linked ENGINEs 3017 and self-contained shared-libraries loadable via the "dynamic" ENGINE. 3018 Also, add stub code to each that makes building them as self-contained 3019 shared-libraries easier (see README.ENGINE). 3020 [Geoff Thorpe] 3021 3022 *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE 3023 implementations into applications that are completely implemented in 3024 self-contained shared-libraries. The "dynamic" ENGINE exposes control 3025 commands that can be used to configure what shared-library to load and 3026 to control aspects of the way it is handled. Also, made an update to 3027 the README.ENGINE file that brings its information up-to-date and 3028 provides some information and instructions on the "dynamic" ENGINE 3029 (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). 3030 [Geoff Thorpe] 3031 3032 *) Make it possible to unload ranges of ERR strings with a new 3033 "ERR_unload_strings" function. 3034 [Geoff Thorpe] 3035 3036 *) Add a copy() function to EVP_MD. 3037 [Ben Laurie] 3038 3039 *) Make EVP_MD routines take a context pointer instead of just the 3040 md_data void pointer. 3041 [Ben Laurie] 3042 3043 *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates 3044 that the digest can only process a single chunk of data 3045 (typically because it is provided by a piece of 3046 hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application 3047 is only going to provide a single chunk of data, and hence the 3048 framework needn't accumulate the data for oneshot drivers. 3049 [Ben Laurie] 3050 3051 *) As with "ERR", make it possible to replace the underlying "ex_data" 3052 functions. This change also alters the storage and management of global 3053 ex_data state - it's now all inside ex_data.c and all "class" code (eg. 3054 RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class 3055 index counters. The API functions that use this state have been changed 3056 to take a "class_index" rather than pointers to the class's local STACK 3057 and counter, and there is now an API function to dynamically create new 3058 classes. This centralisation allows us to (a) plug a lot of the 3059 thread-safety problems that existed, and (b) makes it possible to clean 3060 up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) 3061 such data would previously have always leaked in application code and 3062 workarounds were in place to make the memory debugging turn a blind eye 3063 to it. Application code that doesn't use this new function will still 3064 leak as before, but their memory debugging output will announce it now 3065 rather than letting it slide. 3066 3067 Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change 3068 induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now 3069 has a return value to indicate success or failure. 3070 [Geoff Thorpe] 3071 3072 *) Make it possible to replace the underlying "ERR" functions such that the 3073 global state (2 LHASH tables and 2 locks) is only used by the "default" 3074 implementation. This change also adds two functions to "get" and "set" 3075 the implementation prior to it being automatically set the first time 3076 any other ERR function takes place. Ie. an application can call "get", 3077 pass the return value to a module it has just loaded, and that module 3078 can call its own "set" function using that value. This means the 3079 module's "ERR" operations will use (and modify) the error state in the 3080 application and not in its own statically linked copy of OpenSSL code. 3081 [Geoff Thorpe] 3082 3083 *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment 3084 reference counts. This performs normal REF_PRINT/REF_CHECK macros on 3085 the operation, and provides a more encapsulated way for external code 3086 (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code 3087 to use these functions rather than manually incrementing the counts. 3088 3089 Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". 3090 [Geoff Thorpe] 3091 3092 *) Add EVP test program. 3093 [Ben Laurie] 3094 3095 *) Add symmetric cipher support to ENGINE. Expect the API to change! 3096 [Ben Laurie] 3097 3098 *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() 3099 X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), 3100 X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). 3101 These allow a CRL to be built without having to access X509_CRL fields 3102 directly. Modify 'ca' application to use new functions. 3103 [Steve Henson] 3104 3105 *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended 3106 bug workarounds. Rollback attack detection is a security feature. 3107 The problem will only arise on OpenSSL servers when TLSv1 is not 3108 available (sslv3_server_method() or SSL_OP_NO_TLSv1). 3109 Software authors not wanting to support TLSv1 will have special reasons 3110 for their choice and can explicitly enable this option. 3111 [Bodo Moeller, Lutz Jaenicke] 3112 3113 *) Rationalise EVP so it can be extended: don't include a union of 3114 cipher/digest structures, add init/cleanup functions for EVP_MD_CTX 3115 (similar to those existing for EVP_CIPHER_CTX). 3116 Usage example: 3117 3118 EVP_MD_CTX md; 3119 3120 EVP_MD_CTX_init(&md); /* new function call */ 3121 EVP_DigestInit(&md, EVP_sha1()); 3122 EVP_DigestUpdate(&md, in, len); 3123 EVP_DigestFinal(&md, out, NULL); 3124 EVP_MD_CTX_cleanup(&md); /* new function call */ 3125 3126 [Ben Laurie] 3127 3128 *) Make DES key schedule conform to the usual scheme, as well as 3129 correcting its structure. This means that calls to DES functions 3130 now have to pass a pointer to a des_key_schedule instead of a 3131 plain des_key_schedule (which was actually always a pointer 3132 anyway): E.g., 3133 3134 des_key_schedule ks; 3135 3136 des_set_key_checked(..., &ks); 3137 des_ncbc_encrypt(..., &ks, ...); 3138 3139 (Note that a later change renames 'des_...' into 'DES_...'.) 3140 [Ben Laurie] 3141 3142 *) Initial reduction of linker bloat: the use of some functions, such as 3143 PEM causes large amounts of unused functions to be linked in due to 3144 poor organisation. For example pem_all.c contains every PEM function 3145 which has a knock on effect of linking in large amounts of (unused) 3146 ASN1 code. Grouping together similar functions and splitting unrelated 3147 functions prevents this. 3148 [Steve Henson] 3149 3150 *) Cleanup of EVP macros. 3151 [Ben Laurie] 3152 3153 *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the 3154 correct _ecb suffix. 3155 [Ben Laurie] 3156 3157 *) Add initial OCSP responder support to ocsp application. The 3158 revocation information is handled using the text based index 3159 use by the ca application. The responder can either handle 3160 requests generated internally, supplied in files (for example 3161 via a CGI script) or using an internal minimal server. 3162 [Steve Henson] 3163 3164 *) Add configuration choices to get zlib compression for TLS. 3165 [Richard Levitte] 3166 3167 *) Changes to Kerberos SSL for RFC 2712 compliance: 3168 1. Implemented real KerberosWrapper, instead of just using 3169 KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>] 3170 2. Implemented optional authenticator field of KerberosWrapper. 3171 3172 Added openssl-style ASN.1 macros for Kerberos ticket, ap_req, 3173 and authenticator structs; see crypto/krb5/. 3174 3175 Generalized Kerberos calls to support multiple Kerberos libraries. 3176 [Vern Staats <staatsvr@asc.hpc.mil>, 3177 Jeffrey Altman <jaltman@columbia.edu> 3178 via Richard Levitte] 3179 3180 *) Cause 'openssl speed' to use fully hard-coded DSA keys as it 3181 already does with RSA. testdsa.h now has 'priv_key/pub_key' 3182 values for each of the key sizes rather than having just 3183 parameters (and 'speed' generating keys each time). 3184 [Geoff Thorpe] 3185 3186 *) Speed up EVP routines. 3187 Before: 3188encrypt 3189type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 3190des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k 3191des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k 3192des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k 3193decrypt 3194des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k 3195des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k 3196des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k 3197 After: 3198encrypt 3199des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k 3200decrypt 3201des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k 3202 [Ben Laurie] 3203 3204 *) Added the OS2-EMX target. 3205 ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte] 3206 3207 *) Rewrite apps to use NCONF routines instead of the old CONF. New functions 3208 to support NCONF routines in extension code. New function CONF_set_nconf() 3209 to allow functions which take an NCONF to also handle the old LHASH 3210 structure: this means that the old CONF compatible routines can be 3211 retained (in particular wrt extensions) without having to duplicate the 3212 code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. 3213 [Steve Henson] 3214 3215 *) Enhance the general user interface with mechanisms for inner control 3216 and with possibilities to have yes/no kind of prompts. 3217 [Richard Levitte] 3218 3219 *) Change all calls to low level digest routines in the library and 3220 applications to use EVP. Add missing calls to HMAC_cleanup() and 3221 don't assume HMAC_CTX can be copied using memcpy(). 3222 [Verdon Walker <VWalker@novell.com>, Steve Henson] 3223 3224 *) Add the possibility to control engines through control names but with 3225 arbitrary arguments instead of just a string. 3226 Change the key loaders to take a UI_METHOD instead of a callback 3227 function pointer. NOTE: this breaks binary compatibility with earlier 3228 versions of OpenSSL [engine]. 3229 Adapt the nCipher code for these new conditions and add a card insertion 3230 callback. 3231 [Richard Levitte] 3232 3233 *) Enhance the general user interface with mechanisms to better support 3234 dialog box interfaces, application-defined prompts, the possibility 3235 to use defaults (for example default passwords from somewhere else) 3236 and interrupts/cancellations. 3237 [Richard Levitte] 3238 3239 *) Tidy up PKCS#12 attribute handling. Add support for the CSP name 3240 attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. 3241 [Steve Henson] 3242 3243 *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also 3244 tidy up some unnecessarily weird code in 'sk_new()'). 3245 [Geoff, reported by Diego Tartara <dtartara@novamens.com>] 3246 3247 *) Change the key loading routines for ENGINEs to use the same kind 3248 callback (pem_password_cb) as all other routines that need this 3249 kind of callback. 3250 [Richard Levitte] 3251 3252 *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with 3253 256 bit (=32 byte) keys. Of course seeding with more entropy bytes 3254 than this minimum value is recommended. 3255 [Lutz Jaenicke] 3256 3257 *) New random seeder for OpenVMS, using the system process statistics 3258 that are easily reachable. 3259 [Richard Levitte] 3260 3261 *) Windows apparently can't transparently handle global 3262 variables defined in DLLs. Initialisations such as: 3263 3264 const ASN1_ITEM *it = &ASN1_INTEGER_it; 3265 3266 wont compile. This is used by the any applications that need to 3267 declare their own ASN1 modules. This was fixed by adding the option 3268 EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly 3269 needed for static libraries under Win32. 3270 [Steve Henson] 3271 3272 *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle 3273 setting of purpose and trust fields. New X509_STORE trust and 3274 purpose functions and tidy up setting in other SSL functions. 3275 [Steve Henson] 3276 3277 *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE 3278 structure. These are inherited by X509_STORE_CTX when it is 3279 initialised. This allows various defaults to be set in the 3280 X509_STORE structure (such as flags for CRL checking and custom 3281 purpose or trust settings) for functions which only use X509_STORE_CTX 3282 internally such as S/MIME. 3283 3284 Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and 3285 trust settings if they are not set in X509_STORE. This allows X509_STORE 3286 purposes and trust (in S/MIME for example) to override any set by default. 3287 3288 Add command line options for CRL checking to smime, s_client and s_server 3289 applications. 3290 [Steve Henson] 3291 3292 *) Initial CRL based revocation checking. If the CRL checking flag(s) 3293 are set then the CRL is looked up in the X509_STORE structure and 3294 its validity and signature checked, then if the certificate is found 3295 in the CRL the verify fails with a revoked error. 3296 3297 Various new CRL related callbacks added to X509_STORE_CTX structure. 3298 3299 Command line options added to 'verify' application to support this. 3300 3301 This needs some additional work, such as being able to handle multiple 3302 CRLs with different times, extension based lookup (rather than just 3303 by subject name) and ultimately more complete V2 CRL extension 3304 handling. 3305 [Steve Henson] 3306 3307 *) Add a general user interface API (crypto/ui/). This is designed 3308 to replace things like des_read_password and friends (backward 3309 compatibility functions using this new API are provided). 3310 The purpose is to remove prompting functions from the DES code 3311 section as well as provide for prompting through dialog boxes in 3312 a window system and the like. 3313 [Richard Levitte] 3314 3315 *) Add "ex_data" support to ENGINE so implementations can add state at a 3316 per-structure level rather than having to store it globally. 3317 [Geoff] 3318 3319 *) Make it possible for ENGINE structures to be copied when retrieved by 3320 ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. 3321 This causes the "original" ENGINE structure to act like a template, 3322 analogous to the RSA vs. RSA_METHOD type of separation. Because of this 3323 operational state can be localised to each ENGINE structure, despite the 3324 fact they all share the same "methods". New ENGINE structures returned in 3325 this case have no functional references and the return value is the single 3326 structural reference. This matches the single structural reference returned 3327 by ENGINE_by_id() normally, when it is incremented on the pre-existing 3328 ENGINE structure. 3329 [Geoff] 3330 3331 *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this 3332 needs to match any other type at all we need to manually clear the 3333 tag cache. 3334 [Steve Henson] 3335 3336 *) Changes to the "openssl engine" utility to include; 3337 - verbosity levels ('-v', '-vv', and '-vvv') that provide information 3338 about an ENGINE's available control commands. 3339 - executing control commands from command line arguments using the 3340 '-pre' and '-post' switches. '-post' is only used if '-t' is 3341 specified and the ENGINE is successfully initialised. The syntax for 3342 the individual commands are colon-separated, for example; 3343 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so 3344 [Geoff] 3345 3346 *) New dynamic control command support for ENGINEs. ENGINEs can now 3347 declare their own commands (numbers), names (strings), descriptions, 3348 and input types for run-time discovery by calling applications. A 3349 subset of these commands are implicitly classed as "executable" 3350 depending on their input type, and only these can be invoked through 3351 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this 3352 can be based on user input, config files, etc). The distinction is 3353 that "executable" commands cannot return anything other than a boolean 3354 result and can only support numeric or string input, whereas some 3355 discoverable commands may only be for direct use through 3356 ENGINE_ctrl(), eg. supporting the exchange of binary data, function 3357 pointers, or other custom uses. The "executable" commands are to 3358 support parameterisations of ENGINE behaviour that can be 3359 unambiguously defined by ENGINEs and used consistently across any 3360 OpenSSL-based application. Commands have been added to all the 3361 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow 3362 control over shared-library paths without source code alterations. 3363 [Geoff] 3364 3365 *) Changed all ENGINE implementations to dynamically allocate their 3366 ENGINEs rather than declaring them statically. Apart from this being 3367 necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, 3368 this also allows the implementations to compile without using the 3369 internal engine_int.h header. 3370 [Geoff] 3371 3372 *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a 3373 'const' value. Any code that should be able to modify a RAND_METHOD 3374 should already have non-const pointers to it (ie. they should only 3375 modify their own ones). 3376 [Geoff] 3377 3378 *) Made a variety of little tweaks to the ENGINE code. 3379 - "atalla" and "ubsec" string definitions were moved from header files 3380 to C code. "nuron" string definitions were placed in variables 3381 rather than hard-coded - allowing parameterisation of these values 3382 later on via ctrl() commands. 3383 - Removed unused "#if 0"'d code. 3384 - Fixed engine list iteration code so it uses ENGINE_free() to release 3385 structural references. 3386 - Constified the RAND_METHOD element of ENGINE structures. 3387 - Constified various get/set functions as appropriate and added 3388 missing functions (including a catch-all ENGINE_cpy that duplicates 3389 all ENGINE values onto a new ENGINE except reference counts/state). 3390 - Removed NULL parameter checks in get/set functions. Setting a method 3391 or function to NULL is a way of cancelling out a previously set 3392 value. Passing a NULL ENGINE parameter is just plain stupid anyway 3393 and doesn't justify the extra error symbols and code. 3394 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for 3395 flags from engine_int.h to engine.h. 3396 - Changed prototypes for ENGINE handler functions (init(), finish(), 3397 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. 3398 [Geoff] 3399 3400 *) Implement binary inversion algorithm for BN_mod_inverse in addition 3401 to the algorithm using long division. The binary algorithm can be 3402 used only if the modulus is odd. On 32-bit systems, it is faster 3403 only for relatively small moduli (roughly 20-30% for 128-bit moduli, 3404 roughly 5-15% for 256-bit moduli), so we use it only for moduli 3405 up to 450 bits. In 64-bit environments, the binary algorithm 3406 appears to be advantageous for much longer moduli; here we use it 3407 for moduli up to 2048 bits. 3408 [Bodo Moeller] 3409 3410 *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code 3411 could not support the combine flag in choice fields. 3412 [Steve Henson] 3413 3414 *) Add a 'copy_extensions' option to the 'ca' utility. This copies 3415 extensions from a certificate request to the certificate. 3416 [Steve Henson] 3417 3418 *) Allow multiple 'certopt' and 'nameopt' options to be separated 3419 by commas. Add 'namopt' and 'certopt' options to the 'ca' config 3420 file: this allows the display of the certificate about to be 3421 signed to be customised, to allow certain fields to be included 3422 or excluded and extension details. The old system didn't display 3423 multicharacter strings properly, omitted fields not in the policy 3424 and couldn't display additional details such as extensions. 3425 [Steve Henson] 3426 3427 *) Function EC_POINTs_mul for multiple scalar multiplication 3428 of an arbitrary number of elliptic curve points 3429 \sum scalars[i]*points[i], 3430 optionally including the generator defined for the EC_GROUP: 3431 scalar*generator + \sum scalars[i]*points[i]. 3432 3433 EC_POINT_mul is a simple wrapper function for the typical case 3434 that the point list has just one item (besides the optional 3435 generator). 3436 [Bodo Moeller] 3437 3438 *) First EC_METHODs for curves over GF(p): 3439 3440 EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr 3441 operations and provides various method functions that can also 3442 operate with faster implementations of modular arithmetic. 3443 3444 EC_GFp_mont_method() reuses most functions that are part of 3445 EC_GFp_simple_method, but uses Montgomery arithmetic. 3446 3447 [Bodo Moeller; point addition and point doubling 3448 implementation directly derived from source code provided by 3449 Lenka Fibikova <fibikova@exp-math.uni-essen.de>] 3450 3451 *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, 3452 crypto/ec/ec_lib.c): 3453 3454 Curves are EC_GROUP objects (with an optional group generator) 3455 based on EC_METHODs that are built into the library. 3456 3457 Points are EC_POINT objects based on EC_GROUP objects. 3458 3459 Most of the framework would be able to handle curves over arbitrary 3460 finite fields, but as there are no obvious types for fields other 3461 than GF(p), some functions are limited to that for now. 3462 [Bodo Moeller] 3463 3464 *) Add the -HTTP option to s_server. It is similar to -WWW, but requires 3465 that the file contains a complete HTTP response. 3466 [Richard Levitte] 3467 3468 *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl 3469 change the def and num file printf format specifier from "%-40sXXX" 3470 to "%-39s XXX". The latter will always guarantee a space after the 3471 field while the former will cause them to run together if the field 3472 is 40 of more characters long. 3473 [Steve Henson] 3474 3475 *) Constify the cipher and digest 'method' functions and structures 3476 and modify related functions to take constant EVP_MD and EVP_CIPHER 3477 pointers. 3478 [Steve Henson] 3479 3480 *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them 3481 in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32. 3482 [Bodo Moeller] 3483 3484 *) Modify EVP_Digest*() routines so they now return values. Although the 3485 internal software routines can never fail additional hardware versions 3486 might. 3487 [Steve Henson] 3488 3489 *) Clean up crypto/err/err.h and change some error codes to avoid conflicts: 3490 3491 Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 3492 (= ERR_R_PKCS7_LIB); it is now 64 instead of 32. 3493 3494 ASN1 error codes 3495 ERR_R_NESTED_ASN1_ERROR 3496 ... 3497 ERR_R_MISSING_ASN1_EOS 3498 were 4 .. 9, conflicting with 3499 ERR_LIB_RSA (= ERR_R_RSA_LIB) 3500 ... 3501 ERR_LIB_PEM (= ERR_R_PEM_LIB). 3502 They are now 58 .. 63 (i.e., just below ERR_R_FATAL). 3503 3504 Add new error code 'ERR_R_INTERNAL_ERROR'. 3505 [Bodo Moeller] 3506 3507 *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock 3508 suffices. 3509 [Bodo Moeller] 3510 3511 *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This 3512 sets the subject name for a new request or supersedes the 3513 subject name in a given request. Formats that can be parsed are 3514 'CN=Some Name, OU=myOU, C=IT' 3515 and 3516 'CN=Some Name/OU=myOU/C=IT'. 3517 3518 Add options '-batch' and '-verbose' to 'openssl req'. 3519 [Massimiliano Pala <madwolf@hackmasters.net>] 3520 3521 *) Introduce the possibility to access global variables through 3522 functions on platform were that's the best way to handle exporting 3523 global variables in shared libraries. To enable this functionality, 3524 one must configure with "EXPORT_VAR_AS_FN" or defined the C macro 3525 "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter 3526 is normally done by Configure or something similar). 3527 3528 To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL 3529 in the source file (foo.c) like this: 3530 3531 OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; 3532 OPENSSL_IMPLEMENT_GLOBAL(double,bar); 3533 3534 To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL 3535 and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: 3536 3537 OPENSSL_DECLARE_GLOBAL(int,foo); 3538 #define foo OPENSSL_GLOBAL_REF(foo) 3539 OPENSSL_DECLARE_GLOBAL(double,bar); 3540 #define bar OPENSSL_GLOBAL_REF(bar) 3541 3542 The #defines are very important, and therefore so is including the 3543 header file everywhere where the defined globals are used. 3544 3545 The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition 3546 of ASN.1 items, but that structure is a bit different. 3547 3548 The largest change is in util/mkdef.pl which has been enhanced with 3549 better and easier to understand logic to choose which symbols should 3550 go into the Windows .def files as well as a number of fixes and code 3551 cleanup (among others, algorithm keywords are now sorted 3552 lexicographically to avoid constant rewrites). 3553 [Richard Levitte] 3554 3555 *) In BN_div() keep a copy of the sign of 'num' before writing the 3556 result to 'rm' because if rm==num the value will be overwritten 3557 and produce the wrong result if 'num' is negative: this caused 3558 problems with BN_mod() and BN_nnmod(). 3559 [Steve Henson] 3560 3561 *) Function OCSP_request_verify(). This checks the signature on an 3562 OCSP request and verifies the signer certificate. The signer 3563 certificate is just checked for a generic purpose and OCSP request 3564 trust settings. 3565 [Steve Henson] 3566 3567 *) Add OCSP_check_validity() function to check the validity of OCSP 3568 responses. OCSP responses are prepared in real time and may only 3569 be a few seconds old. Simply checking that the current time lies 3570 between thisUpdate and nextUpdate max reject otherwise valid responses 3571 caused by either OCSP responder or client clock inaccuracy. Instead 3572 we allow thisUpdate and nextUpdate to fall within a certain period of 3573 the current time. The age of the response can also optionally be 3574 checked. Two new options -validity_period and -status_age added to 3575 ocsp utility. 3576 [Steve Henson] 3577 3578 *) If signature or public key algorithm is unrecognized print out its 3579 OID rather that just UNKNOWN. 3580 [Steve Henson] 3581 3582 *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and 3583 OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate 3584 ID to be generated from the issuer certificate alone which can then be 3585 passed to OCSP_id_issuer_cmp(). 3586 [Steve Henson] 3587 3588 *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new 3589 ASN1 modules to export functions returning ASN1_ITEM pointers 3590 instead of the ASN1_ITEM structures themselves. This adds several 3591 new macros which allow the underlying ASN1 function/structure to 3592 be accessed transparently. As a result code should not use ASN1_ITEM 3593 references directly (such as &X509_it) but instead use the relevant 3594 macros (such as ASN1_ITEM_rptr(X509)). This option is to allow 3595 use of the new ASN1 code on platforms where exporting structures 3596 is problematical (for example in shared libraries) but exporting 3597 functions returning pointers to structures is not. 3598 [Steve Henson] 3599 3600 *) Add support for overriding the generation of SSL/TLS session IDs. 3601 These callbacks can be registered either in an SSL_CTX or per SSL. 3602 The purpose of this is to allow applications to control, if they wish, 3603 the arbitrary values chosen for use as session IDs, particularly as it 3604 can be useful for session caching in multiple-server environments. A 3605 command-line switch for testing this (and any client code that wishes 3606 to use such a feature) has been added to "s_server". 3607 [Geoff Thorpe, Lutz Jaenicke] 3608 3609 *) Modify mkdef.pl to recognise and parse preprocessor conditionals 3610 of the form '#if defined(...) || defined(...) || ...' and 3611 '#if !defined(...) && !defined(...) && ...'. This also avoids 3612 the growing number of special cases it was previously handling. 3613 [Richard Levitte] 3614 3615 *) Make all configuration macros available for application by making 3616 sure they are available in opensslconf.h, by giving them names starting 3617 with "OPENSSL_" to avoid conflicts with other packages and by making 3618 sure e_os2.h will cover all platform-specific cases together with 3619 opensslconf.h. 3620 Additionally, it is now possible to define configuration/platform- 3621 specific names (called "system identities"). In the C code, these 3622 are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another 3623 macro with the name beginning with "OPENSSL_SYS_", which is determined 3624 from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on 3625 what is available. 3626 [Richard Levitte] 3627 3628 *) New option -set_serial to 'req' and 'x509' this allows the serial 3629 number to use to be specified on the command line. Previously self 3630 signed certificates were hard coded with serial number 0 and the 3631 CA options of 'x509' had to use a serial number in a file which was 3632 auto incremented. 3633 [Steve Henson] 3634 3635 *) New options to 'ca' utility to support V2 CRL entry extensions. 3636 Currently CRL reason, invalidity date and hold instruction are 3637 supported. Add new CRL extensions to V3 code and some new objects. 3638 [Steve Henson] 3639 3640 *) New function EVP_CIPHER_CTX_set_padding() this is used to 3641 disable standard block padding (aka PKCS#5 padding) in the EVP 3642 API, which was previously mandatory. This means that the data is 3643 not padded in any way and so the total length much be a multiple 3644 of the block size, otherwise an error occurs. 3645 [Steve Henson] 3646 3647 *) Initial (incomplete) OCSP SSL support. 3648 [Steve Henson] 3649 3650 *) New function OCSP_parse_url(). This splits up a URL into its host, 3651 port and path components: primarily to parse OCSP URLs. New -url 3652 option to ocsp utility. 3653 [Steve Henson] 3654 3655 *) New nonce behavior. The return value of OCSP_check_nonce() now 3656 reflects the various checks performed. Applications can decide 3657 whether to tolerate certain situations such as an absent nonce 3658 in a response when one was present in a request: the ocsp application 3659 just prints out a warning. New function OCSP_add1_basic_nonce() 3660 this is to allow responders to include a nonce in a response even if 3661 the request is nonce-less. 3662 [Steve Henson] 3663 3664 *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are 3665 skipped when using openssl x509 multiple times on a single input file, 3666 e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs". 3667 [Bodo Moeller] 3668 3669 *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() 3670 set string type: to handle setting ASN1_TIME structures. Fix ca 3671 utility to correctly initialize revocation date of CRLs. 3672 [Steve Henson] 3673 3674 *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override 3675 the clients preferred ciphersuites and rather use its own preferences. 3676 Should help to work around M$ SGC (Server Gated Cryptography) bug in 3677 Internet Explorer by ensuring unchanged hash method during stepup. 3678 (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) 3679 [Lutz Jaenicke] 3680 3681 *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael 3682 to aes and add a new 'exist' option to print out symbols that don't 3683 appear to exist. 3684 [Steve Henson] 3685 3686 *) Additional options to ocsp utility to allow flags to be set and 3687 additional certificates supplied. 3688 [Steve Henson] 3689 3690 *) Add the option -VAfile to 'openssl ocsp', so the user can give the 3691 OCSP client a number of certificate to only verify the response 3692 signature against. 3693 [Richard Levitte] 3694 3695 *) Update Rijndael code to version 3.0 and change EVP AES ciphers to 3696 handle the new API. Currently only ECB, CBC modes supported. Add new 3697 AES OIDs. 3698 3699 Add TLS AES ciphersuites as described in RFC3268, "Advanced 3700 Encryption Standard (AES) Ciphersuites for Transport Layer 3701 Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were 3702 not enabled by default and were not part of the "ALL" ciphersuite 3703 alias because they were not yet official; they could be 3704 explicitly requested by specifying the "AESdraft" ciphersuite 3705 group alias. In the final release of OpenSSL 0.9.7, the group 3706 alias is called "AES" and is part of "ALL".) 3707 [Ben Laurie, Steve Henson, Bodo Moeller] 3708 3709 *) New function OCSP_copy_nonce() to copy nonce value (if present) from 3710 request to response. 3711 [Steve Henson] 3712 3713 *) Functions for OCSP responders. OCSP_request_onereq_count(), 3714 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() 3715 extract information from a certificate request. OCSP_response_create() 3716 creates a response and optionally adds a basic response structure. 3717 OCSP_basic_add1_status() adds a complete single response to a basic 3718 response and returns the OCSP_SINGLERESP structure just added (to allow 3719 extensions to be included for example). OCSP_basic_add1_cert() adds a 3720 certificate to a basic response and OCSP_basic_sign() signs a basic 3721 response with various flags. New helper functions ASN1_TIME_check() 3722 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() 3723 (converts ASN1_TIME to GeneralizedTime). 3724 [Steve Henson] 3725 3726 *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() 3727 in a single operation. X509_get0_pubkey_bitstr() extracts the public_key 3728 structure from a certificate. X509_pubkey_digest() digests the public_key 3729 contents: this is used in various key identifiers. 3730 [Steve Henson] 3731 3732 *) Make sk_sort() tolerate a NULL argument. 3733 [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>] 3734 3735 *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates 3736 passed by the function are trusted implicitly. If any of them signed the 3737 response then it is assumed to be valid and is not verified. 3738 [Steve Henson] 3739 3740 *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT 3741 to data. This was previously part of the PKCS7 ASN1 code. This 3742 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. 3743 [Steve Henson, reported by Kenneth R. Robinette 3744 <support@securenetterm.com>] 3745 3746 *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 3747 routines: without these tracing memory leaks is very painful. 3748 Fix leaks in PKCS12 and PKCS7 routines. 3749 [Steve Henson] 3750 3751 *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). 3752 Previously it initialised the 'type' argument to V_ASN1_UTCTIME which 3753 effectively meant GeneralizedTime would never be used. Now it 3754 is initialised to -1 but X509_time_adj() now has to check the value 3755 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or 3756 V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime. 3757 [Steve Henson, reported by Kenneth R. Robinette 3758 <support@securenetterm.com>] 3759 3760 *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously 3761 result in a zero length in the ASN1_INTEGER structure which was 3762 not consistent with the structure when d2i_ASN1_INTEGER() was used 3763 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() 3764 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() 3765 where it did not print out a minus for negative ASN1_INTEGER. 3766 [Steve Henson] 3767 3768 *) Add summary printout to ocsp utility. The various functions which 3769 convert status values to strings have been renamed to: 3770 OCSP_response_status_str(), OCSP_cert_status_str() and 3771 OCSP_crl_reason_str() and are no longer static. New options 3772 to verify nonce values and to disable verification. OCSP response 3773 printout format cleaned up. 3774 [Steve Henson] 3775 3776 *) Add additional OCSP certificate checks. These are those specified 3777 in RFC2560. This consists of two separate checks: the CA of the 3778 certificate being checked must either be the OCSP signer certificate 3779 or the issuer of the OCSP signer certificate. In the latter case the 3780 OCSP signer certificate must contain the OCSP signing extended key 3781 usage. This check is performed by attempting to match the OCSP 3782 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash 3783 in the OCSP_CERTID structures of the response. 3784 [Steve Henson] 3785 3786 *) Initial OCSP certificate verification added to OCSP_basic_verify() 3787 and related routines. This uses the standard OpenSSL certificate 3788 verify routines to perform initial checks (just CA validity) and 3789 to obtain the certificate chain. Then additional checks will be 3790 performed on the chain. Currently the root CA is checked to see 3791 if it is explicitly trusted for OCSP signing. This is used to set 3792 a root CA as a global signing root: that is any certificate that 3793 chains to that CA is an acceptable OCSP signing certificate. 3794 [Steve Henson] 3795 3796 *) New '-extfile ...' option to 'openssl ca' for reading X.509v3 3797 extensions from a separate configuration file. 3798 As when reading extensions from the main configuration file, 3799 the '-extensions ...' option may be used for specifying the 3800 section to use. 3801 [Massimiliano Pala <madwolf@comune.modena.it>] 3802 3803 *) New OCSP utility. Allows OCSP requests to be generated or 3804 read. The request can be sent to a responder and the output 3805 parsed, outputed or printed in text form. Not complete yet: 3806 still needs to check the OCSP response validity. 3807 [Steve Henson] 3808 3809 *) New subcommands for 'openssl ca': 3810 'openssl ca -status <serial>' prints the status of the cert with 3811 the given serial number (according to the index file). 3812 'openssl ca -updatedb' updates the expiry status of certificates 3813 in the index file. 3814 [Massimiliano Pala <madwolf@comune.modena.it>] 3815 3816 *) New '-newreq-nodes' command option to CA.pl. This is like 3817 '-newreq', but calls 'openssl req' with the '-nodes' option 3818 so that the resulting key is not encrypted. 3819 [Damien Miller <djm@mindrot.org>] 3820 3821 *) New configuration for the GNU Hurd. 3822 [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte] 3823 3824 *) Initial code to implement OCSP basic response verify. This 3825 is currently incomplete. Currently just finds the signer's 3826 certificate and verifies the signature on the response. 3827 [Steve Henson] 3828 3829 *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in 3830 value of OPENSSLDIR. This is available via the new '-d' option 3831 to 'openssl version', and is also included in 'openssl version -a'. 3832 [Bodo Moeller] 3833 3834 *) Allowing defining memory allocation callbacks that will be given 3835 file name and line number information in additional arguments 3836 (a const char* and an int). The basic functionality remains, as 3837 well as the original possibility to just replace malloc(), 3838 realloc() and free() by functions that do not know about these 3839 additional arguments. To register and find out the current 3840 settings for extended allocation functions, the following 3841 functions are provided: 3842 3843 CRYPTO_set_mem_ex_functions 3844 CRYPTO_set_locked_mem_ex_functions 3845 CRYPTO_get_mem_ex_functions 3846 CRYPTO_get_locked_mem_ex_functions 3847 3848 These work the same way as CRYPTO_set_mem_functions and friends. 3849 CRYPTO_get_[locked_]mem_functions now writes 0 where such an 3850 extended allocation function is enabled. 3851 Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where 3852 a conventional allocation function is enabled. 3853 [Richard Levitte, Bodo Moeller] 3854 3855 *) Finish off removing the remaining LHASH function pointer casts. 3856 There should no longer be any prototype-casting required when using 3857 the LHASH abstraction, and any casts that remain are "bugs". See 3858 the callback types and macros at the head of lhash.h for details 3859 (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example). 3860 [Geoff Thorpe] 3861 3862 *) Add automatic query of EGD sockets in RAND_poll() for the unix variant. 3863 If /dev/[u]random devices are not available or do not return enough 3864 entropy, EGD style sockets (served by EGD or PRNGD) will automatically 3865 be queried. 3866 The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and 3867 /etc/entropy will be queried once each in this sequence, quering stops 3868 when enough entropy was collected without querying more sockets. 3869 [Lutz Jaenicke] 3870 3871 *) Change the Unix RAND_poll() variant to be able to poll several 3872 random devices, as specified by DEVRANDOM, until a sufficient amount 3873 of data has been collected. We spend at most 10 ms on each file 3874 (select timeout) and read in non-blocking mode. DEVRANDOM now 3875 defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom" 3876 (previously it was just the string "/dev/urandom"), so on typical 3877 platforms the 10 ms delay will never occur. 3878 Also separate out the Unix variant to its own file, rand_unix.c. 3879 For VMS, there's a currently-empty rand_vms.c. 3880 [Richard Levitte] 3881 3882 *) Move OCSP client related routines to ocsp_cl.c. These 3883 provide utility functions which an application needing 3884 to issue a request to an OCSP responder and analyse the 3885 response will typically need: as opposed to those which an 3886 OCSP responder itself would need which will be added later. 3887 3888 OCSP_request_sign() signs an OCSP request with an API similar 3889 to PKCS7_sign(). OCSP_response_status() returns status of OCSP 3890 response. OCSP_response_get1_basic() extracts basic response 3891 from response. OCSP_resp_find_status(): finds and extracts status 3892 information from an OCSP_CERTID structure (which will be created 3893 when the request structure is built). These are built from lower 3894 level functions which work on OCSP_SINGLERESP structures but 3895 wont normally be used unless the application wishes to examine 3896 extensions in the OCSP response for example. 3897 3898 Replace nonce routines with a pair of functions. 3899 OCSP_request_add1_nonce() adds a nonce value and optionally 3900 generates a random value. OCSP_check_nonce() checks the 3901 validity of the nonce in an OCSP response. 3902 [Steve Henson] 3903 3904 *) Change function OCSP_request_add() to OCSP_request_add0_id(). 3905 This doesn't copy the supplied OCSP_CERTID and avoids the 3906 need to free up the newly created id. Change return type 3907 to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. 3908 This can then be used to add extensions to the request. 3909 Deleted OCSP_request_new(), since most of its functionality 3910 is now in OCSP_REQUEST_new() (and the case insensitive name 3911 clash) apart from the ability to set the request name which 3912 will be added elsewhere. 3913 [Steve Henson] 3914 3915 *) Update OCSP API. Remove obsolete extensions argument from 3916 various functions. Extensions are now handled using the new 3917 OCSP extension code. New simple OCSP HTTP function which 3918 can be used to send requests and parse the response. 3919 [Steve Henson] 3920 3921 *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new 3922 ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN 3923 uses the special reorder version of SET OF to sort the attributes 3924 and reorder them to match the encoded order. This resolves a long 3925 standing problem: a verify on a PKCS7 structure just after signing 3926 it used to fail because the attribute order did not match the 3927 encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: 3928 it uses the received order. This is necessary to tolerate some broken 3929 software that does not order SET OF. This is handled by encoding 3930 as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) 3931 to produce the required SET OF. 3932 [Steve Henson] 3933 3934 *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and 3935 OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header 3936 files to get correct declarations of the ASN.1 item variables. 3937 [Richard Levitte] 3938 3939 *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many 3940 PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: 3941 asn1_check_tlen() would sometimes attempt to use 'ctx' when it was 3942 NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). 3943 New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant 3944 ASN1_ITEM and no wrapper functions. 3945 [Steve Henson] 3946 3947 *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These 3948 replace the old function pointer based I/O routines. Change most of 3949 the *_d2i_bio() and *_d2i_fp() functions to use these. 3950 [Steve Henson] 3951 3952 *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor 3953 lines, recognice more "algorithms" that can be deselected, and make 3954 it complain about algorithm deselection that isn't recognised. 3955 [Richard Levitte] 3956 3957 *) New ASN1 functions to handle dup, sign, verify, digest, pack and 3958 unpack operations in terms of ASN1_ITEM. Modify existing wrappers 3959 to use new functions. Add NO_ASN1_OLD which can be set to remove 3960 some old style ASN1 functions: this can be used to determine if old 3961 code will still work when these eventually go away. 3962 [Steve Henson] 3963 3964 *) New extension functions for OCSP structures, these follow the 3965 same conventions as certificates and CRLs. 3966 [Steve Henson] 3967 3968 *) New function X509V3_add1_i2d(). This automatically encodes and 3969 adds an extension. Its behaviour can be customised with various 3970 flags to append, replace or delete. Various wrappers added for 3971 certifcates and CRLs. 3972 [Steve Henson] 3973 3974 *) Fix to avoid calling the underlying ASN1 print routine when 3975 an extension cannot be parsed. Correct a typo in the 3976 OCSP_SERVICELOC extension. Tidy up print OCSP format. 3977 [Steve Henson] 3978 3979 *) Make mkdef.pl parse some of the ASN1 macros and add apropriate 3980 entries for variables. 3981 [Steve Henson] 3982 3983 *) Add functionality to apps/openssl.c for detecting locking 3984 problems: As the program is single-threaded, all we have 3985 to do is register a locking callback using an array for 3986 storing which locks are currently held by the program. 3987 [Bodo Moeller] 3988 3989 *) Use a lock around the call to CRYPTO_get_ex_new_index() in 3990 SSL_get_ex_data_X509_STORE_idx(), which is used in 3991 ssl_verify_cert_chain() and thus can be called at any time 3992 during TLS/SSL handshakes so that thread-safety is essential. 3993 Unfortunately, the ex_data design is not at all suited 3994 for multi-threaded use, so it probably should be abolished. 3995 [Bodo Moeller] 3996 3997 *) Added Broadcom "ubsec" ENGINE to OpenSSL. 3998 [Broadcom, tweaked and integrated by Geoff Thorpe] 3999 4000 *) Move common extension printing code to new function 4001 X509V3_print_extensions(). Reorganise OCSP print routines and 4002 implement some needed OCSP ASN1 functions. Add OCSP extensions. 4003 [Steve Henson] 4004 4005 *) New function X509_signature_print() to remove duplication in some 4006 print routines. 4007 [Steve Henson] 4008 4009 *) Add a special meaning when SET OF and SEQUENCE OF flags are both 4010 set (this was treated exactly the same as SET OF previously). This 4011 is used to reorder the STACK representing the structure to match the 4012 encoding. This will be used to get round a problem where a PKCS7 4013 structure which was signed could not be verified because the STACK 4014 order did not reflect the encoded order. 4015 [Steve Henson] 4016 4017 *) Reimplement the OCSP ASN1 module using the new code. 4018 [Steve Henson] 4019 4020 *) Update the X509V3 code to permit the use of an ASN1_ITEM structure 4021 for its ASN1 operations. The old style function pointers still exist 4022 for now but they will eventually go away. 4023 [Steve Henson] 4024 4025 *) Merge in replacement ASN1 code from the ASN1 branch. This almost 4026 completely replaces the old ASN1 functionality with a table driven 4027 encoder and decoder which interprets an ASN1_ITEM structure describing 4028 the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is 4029 largely maintained. Almost all of the old asn1_mac.h macro based ASN1 4030 has also been converted to the new form. 4031 [Steve Henson] 4032 4033 *) Change BN_mod_exp_recp so that negative moduli are tolerated 4034 (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set 4035 so that BN_mod_exp_mont and BN_mod_exp_mont_word work 4036 for negative moduli. 4037 [Bodo Moeller] 4038 4039 *) Fix BN_uadd and BN_usub: Always return non-negative results instead 4040 of not touching the result's sign bit. 4041 [Bodo Moeller] 4042 4043 *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be 4044 set. 4045 [Bodo Moeller] 4046 4047 *) Changed the LHASH code to use prototypes for callbacks, and created 4048 macros to declare and implement thin (optionally static) functions 4049 that provide type-safety and avoid function pointer casting for the 4050 type-specific callbacks. 4051 [Geoff Thorpe] 4052 4053 *) Added Kerberos Cipher Suites to be used with TLS, as written in 4054 RFC 2712. 4055 [Veers Staats <staatsvr@asc.hpc.mil>, 4056 Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte] 4057 4058 *) Reformat the FAQ so the different questions and answers can be divided 4059 in sections depending on the subject. 4060 [Richard Levitte] 4061 4062 *) Have the zlib compression code load ZLIB.DLL dynamically under 4063 Windows. 4064 [Richard Levitte] 4065 4066 *) New function BN_mod_sqrt for computing square roots modulo a prime 4067 (using the probabilistic Tonelli-Shanks algorithm unless 4068 p == 3 (mod 4) or p == 5 (mod 8), which are cases that can 4069 be handled deterministically). 4070 [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] 4071 4072 *) Make BN_mod_inverse faster by explicitly handling small quotients 4073 in the Euclid loop. (Speed gain about 20% for small moduli [256 or 4074 512 bits], about 30% for larger ones [1024 or 2048 bits].) 4075 [Bodo Moeller] 4076 4077 *) New function BN_kronecker. 4078 [Bodo Moeller] 4079 4080 *) Fix BN_gcd so that it works on negative inputs; the result is 4081 positive unless both parameters are zero. 4082 Previously something reasonably close to an infinite loop was 4083 possible because numbers could be growing instead of shrinking 4084 in the implementation of Euclid's algorithm. 4085 [Bodo Moeller] 4086 4087 *) Fix BN_is_word() and BN_is_one() macros to take into account the 4088 sign of the number in question. 4089 4090 Fix BN_is_word(a,w) to work correctly for w == 0. 4091 4092 The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w) 4093 because its test if the absolute value of 'a' equals 'w'. 4094 Note that BN_abs_is_word does *not* handle w == 0 reliably; 4095 it exists mostly for use in the implementations of BN_is_zero(), 4096 BN_is_one(), and BN_is_word(). 4097 [Bodo Moeller] 4098 4099 *) New function BN_swap. 4100 [Bodo Moeller] 4101 4102 *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that 4103 the exponentiation functions are more likely to produce reasonable 4104 results on negative inputs. 4105 [Bodo Moeller] 4106 4107 *) Change BN_mod_mul so that the result is always non-negative. 4108 Previously, it could be negative if one of the factors was negative; 4109 I don't think anyone really wanted that behaviour. 4110 [Bodo Moeller] 4111 4112 *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c 4113 (except for exponentiation, which stays in crypto/bn/bn_exp.c, 4114 and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c) 4115 and add new functions: 4116 4117 BN_nnmod 4118 BN_mod_sqr 4119 BN_mod_add 4120 BN_mod_add_quick 4121 BN_mod_sub 4122 BN_mod_sub_quick 4123 BN_mod_lshift1 4124 BN_mod_lshift1_quick 4125 BN_mod_lshift 4126 BN_mod_lshift_quick 4127 4128 These functions always generate non-negative results. 4129 4130 BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r 4131 such that |m| < r < 0, BN_nnmod will output rem + |m| instead). 4132 4133 BN_mod_XXX_quick(r, a, [b,] m) generates the same result as 4134 BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b] 4135 be reduced modulo m. 4136 [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller] 4137 4138#if 0 4139 The following entry accidentily appeared in the CHANGES file 4140 distributed with OpenSSL 0.9.7. The modifications described in 4141 it do *not* apply to OpenSSL 0.9.7. 4142 4143 *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there 4144 was actually never needed) and in BN_mul(). The removal in BN_mul() 4145 required a small change in bn_mul_part_recursive() and the addition 4146 of the functions bn_cmp_part_words(), bn_sub_part_words() and 4147 bn_add_part_words(), which do the same thing as bn_cmp_words(), 4148 bn_sub_words() and bn_add_words() except they take arrays with 4149 differing sizes. 4150 [Richard Levitte] 4151#endif 4152 4153 *) In 'openssl passwd', verify passwords read from the terminal 4154 unless the '-salt' option is used (which usually means that 4155 verification would just waste user's time since the resulting 4156 hash is going to be compared with some given password hash) 4157 or the new '-noverify' option is used. 4158 4159 This is an incompatible change, but it does not affect 4160 non-interactive use of 'openssl passwd' (passwords on the command 4161 line, '-stdin' option, '-in ...' option) and thus should not 4162 cause any problems. 4163 [Bodo Moeller] 4164 4165 *) Remove all references to RSAref, since there's no more need for it. 4166 [Richard Levitte] 4167 4168 *) Make DSO load along a path given through an environment variable 4169 (SHLIB_PATH) with shl_load(). 4170 [Richard Levitte] 4171 4172 *) Constify the ENGINE code as a result of BIGNUM constification. 4173 Also constify the RSA code and most things related to it. In a 4174 few places, most notable in the depth of the ASN.1 code, ugly 4175 casts back to non-const were required (to be solved at a later 4176 time) 4177 [Richard Levitte] 4178 4179 *) Make it so the openssl application has all engines loaded by default. 4180 [Richard Levitte] 4181 4182 *) Constify the BIGNUM routines a little more. 4183 [Richard Levitte] 4184 4185 *) Add the following functions: 4186 4187 ENGINE_load_cswift() 4188 ENGINE_load_chil() 4189 ENGINE_load_atalla() 4190 ENGINE_load_nuron() 4191 ENGINE_load_builtin_engines() 4192 4193 That way, an application can itself choose if external engines that 4194 are built-in in OpenSSL shall ever be used or not. The benefit is 4195 that applications won't have to be linked with libdl or other dso 4196 libraries unless it's really needed. 4197 4198 Changed 'openssl engine' to load all engines on demand. 4199 Changed the engine header files to avoid the duplication of some 4200 declarations (they differed!). 4201 [Richard Levitte] 4202 4203 *) 'openssl engine' can now list capabilities. 4204 [Richard Levitte] 4205 4206 *) Better error reporting in 'openssl engine'. 4207 [Richard Levitte] 4208 4209 *) Never call load_dh_param(NULL) in s_server. 4210 [Bodo Moeller] 4211 4212 *) Add engine application. It can currently list engines by name and 4213 identity, and test if they are actually available. 4214 [Richard Levitte] 4215 4216 *) Improve RPM specification file by forcing symbolic linking and making 4217 sure the installed documentation is also owned by root.root. 4218 [Damien Miller <djm@mindrot.org>] 4219 4220 *) Give the OpenSSL applications more possibilities to make use of 4221 keys (public as well as private) handled by engines. 4222 [Richard Levitte] 4223 4224 *) Add OCSP code that comes from CertCo. 4225 [Richard Levitte] 4226 4227 *) Add VMS support for the Rijndael code. 4228 [Richard Levitte] 4229 4230 *) Added untested support for Nuron crypto accelerator. 4231 [Ben Laurie] 4232 4233 *) Add support for external cryptographic devices. This code was 4234 previously distributed separately as the "engine" branch. 4235 [Geoff Thorpe, Richard Levitte] 4236 4237 *) Rework the filename-translation in the DSO code. It is now possible to 4238 have far greater control over how a "name" is turned into a filename 4239 depending on the operating environment and any oddities about the 4240 different shared library filenames on each system. 4241 [Geoff Thorpe] 4242 4243 *) Support threads on FreeBSD-elf in Configure. 4244 [Richard Levitte] 4245 4246 *) Fix for SHA1 assembly problem with MASM: it produces 4247 warnings about corrupt line number information when assembling 4248 with debugging information. This is caused by the overlapping 4249 of two sections. 4250 [Bernd Matthes <mainbug@celocom.de>, Steve Henson] 4251 4252 *) NCONF changes. 4253 NCONF_get_number() has no error checking at all. As a replacement, 4254 NCONF_get_number_e() is defined (_e for "error checking") and is 4255 promoted strongly. The old NCONF_get_number is kept around for 4256 binary backward compatibility. 4257 Make it possible for methods to load from something other than a BIO, 4258 by providing a function pointer that is given a name instead of a BIO. 4259 For example, this could be used to load configuration data from an 4260 LDAP server. 4261 [Richard Levitte] 4262 4263 *) Fix for non blocking accept BIOs. Added new I/O special reason 4264 BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs 4265 with non blocking I/O was not possible because no retry code was 4266 implemented. Also added new SSL code SSL_WANT_ACCEPT to cover 4267 this case. 4268 [Steve Henson] 4269 4270 *) Added the beginnings of Rijndael support. 4271 [Ben Laurie] 4272 4273 *) Fix for bug in DirectoryString mask setting. Add support for 4274 X509_NAME_print_ex() in 'req' and X509_print_ex() function 4275 to allow certificate printing to more controllable, additional 4276 'certopt' option to 'x509' to allow new printing options to be 4277 set. 4278 [Steve Henson] 4279 4280 *) Clean old EAY MD5 hack from e_os.h. 4281 [Richard Levitte] 4282 4283 Changes between 0.9.6l and 0.9.6m [17 Mar 2004] 4284 4285 *) Fix null-pointer assignment in do_change_cipher_spec() revealed 4286 by using the Codenomicon TLS Test Tool (CVE-2004-0079) 4287 [Joe Orton, Steve Henson] 4288 4289 Changes between 0.9.6k and 0.9.6l [04 Nov 2003] 4290 4291 *) Fix additional bug revealed by the NISCC test suite: 4292 4293 Stop bug triggering large recursion when presented with 4294 certain ASN.1 tags (CVE-2003-0851) 4295 [Steve Henson] 4296 4297 Changes between 0.9.6j and 0.9.6k [30 Sep 2003] 4298 4299 *) Fix various bugs revealed by running the NISCC test suite: 4300 4301 Stop out of bounds reads in the ASN1 code when presented with 4302 invalid tags (CVE-2003-0543 and CVE-2003-0544). 4303 4304 If verify callback ignores invalid public key errors don't try to check 4305 certificate signature with the NULL public key. 4306 4307 [Steve Henson] 4308 4309 *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate 4310 if the server requested one: as stated in TLS 1.0 and SSL 3.0 4311 specifications. 4312 [Steve Henson] 4313 4314 *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional 4315 extra data after the compression methods not only for TLS 1.0 4316 but also for SSL 3.0 (as required by the specification). 4317 [Bodo Moeller; problem pointed out by Matthias Loepfe] 4318 4319 *) Change X509_certificate_type() to mark the key as exported/exportable 4320 when it's 512 *bits* long, not 512 bytes. 4321 [Richard Levitte] 4322 4323 Changes between 0.9.6i and 0.9.6j [10 Apr 2003] 4324 4325 *) Countermeasure against the Klima-Pokorny-Rosa extension of 4326 Bleichbacher's attack on PKCS #1 v1.5 padding: treat 4327 a protocol version number mismatch like a decryption error 4328 in ssl3_get_client_key_exchange (ssl/s3_srvr.c). 4329 [Bodo Moeller] 4330 4331 *) Turn on RSA blinding by default in the default implementation 4332 to avoid a timing attack. Applications that don't want it can call 4333 RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. 4334 They would be ill-advised to do so in most cases. 4335 [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] 4336 4337 *) Change RSA blinding code so that it works when the PRNG is not 4338 seeded (in this case, the secret RSA exponent is abused as 4339 an unpredictable seed -- if it is not unpredictable, there 4340 is no point in blinding anyway). Make RSA blinding thread-safe 4341 by remembering the creator's thread ID in rsa->blinding and 4342 having all other threads use local one-time blinding factors 4343 (this requires more computation than sharing rsa->blinding, but 4344 avoids excessive locking; and if an RSA object is not shared 4345 between threads, blinding will still be very fast). 4346 [Bodo Moeller] 4347 4348 Changes between 0.9.6h and 0.9.6i [19 Feb 2003] 4349 4350 *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked 4351 via timing by performing a MAC computation even if incorrrect 4352 block cipher padding has been found. This is a countermeasure 4353 against active attacks where the attacker has to distinguish 4354 between bad padding and a MAC verification error. (CVE-2003-0078) 4355 4356 [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), 4357 Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and 4358 Martin Vuagnoux (EPFL, Ilion)] 4359 4360 Changes between 0.9.6g and 0.9.6h [5 Dec 2002] 4361 4362 *) New function OPENSSL_cleanse(), which is used to cleanse a section of 4363 memory from it's contents. This is done with a counter that will 4364 place alternating values in each byte. This can be used to solve 4365 two issues: 1) the removal of calls to memset() by highly optimizing 4366 compilers, and 2) cleansing with other values than 0, since those can 4367 be read through on certain media, for example a swap space on disk. 4368 [Geoff Thorpe] 4369 4370 *) Bugfix: client side session caching did not work with external caching, 4371 because the session->cipher setting was not restored when reloading 4372 from the external cache. This problem was masked, when 4373 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. 4374 (Found by Steve Haslam <steve@araqnid.ddts.net>.) 4375 [Lutz Jaenicke] 4376 4377 *) Fix client_certificate (ssl/s2_clnt.c): The permissible total 4378 length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. 4379 [Zeev Lieber <zeev-l@yahoo.com>] 4380 4381 *) Undo an undocumented change introduced in 0.9.6e which caused 4382 repeated calls to OpenSSL_add_all_ciphers() and 4383 OpenSSL_add_all_digests() to be ignored, even after calling 4384 EVP_cleanup(). 4385 [Richard Levitte] 4386 4387 *) Change the default configuration reader to deal with last line not 4388 being properly terminated. 4389 [Richard Levitte] 4390 4391 *) Change X509_NAME_cmp() so it applies the special rules on handling 4392 DN values that are of type PrintableString, as well as RDNs of type 4393 emailAddress where the value has the type ia5String. 4394 [stefank@valicert.com via Richard Levitte] 4395 4396 *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half 4397 the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently 4398 doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be 4399 the bitwise-OR of the two for use by the majority of applications 4400 wanting this behaviour, and update the docs. The documented 4401 behaviour and actual behaviour were inconsistent and had been 4402 changing anyway, so this is more a bug-fix than a behavioural 4403 change. 4404 [Geoff Thorpe, diagnosed by Nadav Har'El] 4405 4406 *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c 4407 (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). 4408 [Bodo Moeller] 4409 4410 *) Fix initialization code race conditions in 4411 SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), 4412 SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), 4413 SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), 4414 TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), 4415 ssl2_get_cipher_by_char(), 4416 ssl3_get_cipher_by_char(). 4417 [Patrick McCormick <patrick@tellme.com>, Bodo Moeller] 4418 4419 *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after 4420 the cached sessions are flushed, as the remove_cb() might use ex_data 4421 contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com> 4422 (see [openssl.org #212]). 4423 [Geoff Thorpe, Lutz Jaenicke] 4424 4425 *) Fix typo in OBJ_txt2obj which incorrectly passed the content 4426 length, instead of the encoding length to d2i_ASN1_OBJECT. 4427 [Steve Henson] 4428 4429 Changes between 0.9.6f and 0.9.6g [9 Aug 2002] 4430 4431 *) [In 0.9.6g-engine release:] 4432 Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall'). 4433 [Lynn Gazis <lgazis@rainbow.com>] 4434 4435 Changes between 0.9.6e and 0.9.6f [8 Aug 2002] 4436 4437 *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX 4438 and get fix the header length calculation. 4439 [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, 4440 Alon Kantor <alonk@checkpoint.com> (and others), 4441 Steve Henson] 4442 4443 *) Use proper error handling instead of 'assertions' in buffer 4444 overflow checks added in 0.9.6e. This prevents DoS (the 4445 assertions could call abort()). 4446 [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller] 4447 4448 Changes between 0.9.6d and 0.9.6e [30 Jul 2002] 4449 4450 *) Add various sanity checks to asn1_get_length() to reject 4451 the ASN1 length bytes if they exceed sizeof(long), will appear 4452 negative or the content length exceeds the length of the 4453 supplied buffer. 4454 [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] 4455 4456 *) Fix cipher selection routines: ciphers without encryption had no flags 4457 for the cipher strength set and where therefore not handled correctly 4458 by the selection routines (PR #130). 4459 [Lutz Jaenicke] 4460 4461 *) Fix EVP_dsa_sha macro. 4462 [Nils Larsch] 4463 4464 *) New option 4465 SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 4466 for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure 4467 that was added in OpenSSL 0.9.6d. 4468 4469 As the countermeasure turned out to be incompatible with some 4470 broken SSL implementations, the new option is part of SSL_OP_ALL. 4471 SSL_OP_ALL is usually employed when compatibility with weird SSL 4472 implementations is desired (e.g. '-bugs' option to 's_client' and 4473 's_server'), so the new option is automatically set in many 4474 applications. 4475 [Bodo Moeller] 4476 4477 *) Changes in security patch: 4478 4479 Changes marked "(CHATS)" were sponsored by the Defense Advanced 4480 Research Projects Agency (DARPA) and Air Force Research Laboratory, 4481 Air Force Materiel Command, USAF, under agreement number 4482 F30602-01-2-0537. 4483 4484 *) Add various sanity checks to asn1_get_length() to reject 4485 the ASN1 length bytes if they exceed sizeof(long), will appear 4486 negative or the content length exceeds the length of the 4487 supplied buffer. (CVE-2002-0659) 4488 [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] 4489 4490 *) Assertions for various potential buffer overflows, not known to 4491 happen in practice. 4492 [Ben Laurie (CHATS)] 4493 4494 *) Various temporary buffers to hold ASCII versions of integers were 4495 too small for 64 bit platforms. (CVE-2002-0655) 4496 [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)> 4497 4498 *) Remote buffer overflow in SSL3 protocol - an attacker could 4499 supply an oversized session ID to a client. (CVE-2002-0656) 4500 [Ben Laurie (CHATS)] 4501 4502 *) Remote buffer overflow in SSL2 protocol - an attacker could 4503 supply an oversized client master key. (CVE-2002-0656) 4504 [Ben Laurie (CHATS)] 4505 4506 Changes between 0.9.6c and 0.9.6d [9 May 2002] 4507 4508 *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not 4509 encoded as NULL) with id-dsa-with-sha1. 4510 [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller] 4511 4512 *) Check various X509_...() return values in apps/req.c. 4513 [Nils Larsch <nla@trustcenter.de>] 4514 4515 *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: 4516 an end-of-file condition would erronously be flagged, when the CRLF 4517 was just at the end of a processed block. The bug was discovered when 4518 processing data through a buffering memory BIO handing the data to a 4519 BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov 4520 <ptsekov@syntrex.com> and Nedelcho Stanev. 4521 [Lutz Jaenicke] 4522 4523 *) Implement a countermeasure against a vulnerability recently found 4524 in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment 4525 before application data chunks to avoid the use of known IVs 4526 with data potentially chosen by the attacker. 4527 [Bodo Moeller] 4528 4529 *) Fix length checks in ssl3_get_client_hello(). 4530 [Bodo Moeller] 4531 4532 *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently 4533 to prevent ssl3_read_internal() from incorrectly assuming that 4534 ssl3_read_bytes() found application data while handshake 4535 processing was enabled when in fact s->s3->in_read_app_data was 4536 merely automatically cleared during the initial handshake. 4537 [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>] 4538 4539 *) Fix object definitions for Private and Enterprise: they were not 4540 recognized in their shortname (=lowercase) representation. Extend 4541 obj_dat.pl to issue an error when using undefined keywords instead 4542 of silently ignoring the problem (Svenning Sorensen 4543 <sss@sss.dnsalias.net>). 4544 [Lutz Jaenicke] 4545 4546 *) Fix DH_generate_parameters() so that it works for 'non-standard' 4547 generators, i.e. generators other than 2 and 5. (Previously, the 4548 code did not properly initialise the 'add' and 'rem' values to 4549 BN_generate_prime().) 4550 4551 In the new general case, we do not insist that 'generator' is 4552 actually a primitive root: This requirement is rather pointless; 4553 a generator of the order-q subgroup is just as good, if not 4554 better. 4555 [Bodo Moeller] 4556 4557 *) Map new X509 verification errors to alerts. Discovered and submitted by 4558 Tom Wu <tom@arcot.com>. 4559 [Lutz Jaenicke] 4560 4561 *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from 4562 returning non-zero before the data has been completely received 4563 when using non-blocking I/O. 4564 [Bodo Moeller; problem pointed out by John Hughes] 4565 4566 *) Some of the ciphers missed the strength entry (SSL_LOW etc). 4567 [Ben Laurie, Lutz Jaenicke] 4568 4569 *) Fix bug in SSL_clear(): bad sessions were not removed (found by 4570 Yoram Zahavi <YoramZ@gilian.com>). 4571 [Lutz Jaenicke] 4572 4573 *) Add information about CygWin 1.3 and on, and preserve proper 4574 configuration for the versions before that. 4575 [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] 4576 4577 *) Make removal from session cache (SSL_CTX_remove_session()) more robust: 4578 check whether we deal with a copy of a session and do not delete from 4579 the cache in this case. Problem reported by "Izhar Shoshani Levi" 4580 <izhar@checkpoint.com>. 4581 [Lutz Jaenicke] 4582 4583 *) Do not store session data into the internal session cache, if it 4584 is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 4585 flag is set). Proposed by Aslam <aslam@funk.com>. 4586 [Lutz Jaenicke] 4587 4588 *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested 4589 value is 0. 4590 [Richard Levitte] 4591 4592 *) [In 0.9.6d-engine release:] 4593 Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). 4594 [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] 4595 4596 *) Add the configuration target linux-s390x. 4597 [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte] 4598 4599 *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of 4600 ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag 4601 variable as an indication that a ClientHello message has been 4602 received. As the flag value will be lost between multiple 4603 invocations of ssl3_accept when using non-blocking I/O, the 4604 function may not be aware that a handshake has actually taken 4605 place, thus preventing a new session from being added to the 4606 session cache. 4607 4608 To avoid this problem, we now set s->new_session to 2 instead of 4609 using a local variable. 4610 [Lutz Jaenicke, Bodo Moeller] 4611 4612 *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) 4613 if the SSL_R_LENGTH_MISMATCH error is detected. 4614 [Geoff Thorpe, Bodo Moeller] 4615 4616 *) New 'shared_ldflag' column in Configure platform table. 4617 [Richard Levitte] 4618 4619 *) Fix EVP_CIPHER_mode macro. 4620 ["Dan S. Camper" <dan@bti.net>] 4621 4622 *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown 4623 type, we must throw them away by setting rr->length to 0. 4624 [D P Chang <dpc@qualys.com>] 4625 4626 Changes between 0.9.6b and 0.9.6c [21 dec 2001] 4627 4628 *) Fix BN_rand_range bug pointed out by Dominikus Scherkl 4629 <Dominikus.Scherkl@biodata.com>. (The previous implementation 4630 worked incorrectly for those cases where range = 10..._2 and 4631 3*range is two bits longer than range.) 4632 [Bodo Moeller] 4633 4634 *) Only add signing time to PKCS7 structures if it is not already 4635 present. 4636 [Steve Henson] 4637 4638 *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", 4639 OBJ_ld_ce should be OBJ_id_ce. 4640 Also some ip-pda OIDs in crypto/objects/objects.txt were 4641 incorrect (cf. RFC 3039). 4642 [Matt Cooper, Frederic Giudicelli, Bodo Moeller] 4643 4644 *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() 4645 returns early because it has nothing to do. 4646 [Andy Schneider <andy.schneider@bjss.co.uk>] 4647 4648 *) [In 0.9.6c-engine release:] 4649 Fix mutex callback return values in crypto/engine/hw_ncipher.c. 4650 [Andy Schneider <andy.schneider@bjss.co.uk>] 4651 4652 *) [In 0.9.6c-engine release:] 4653 Add support for Cryptographic Appliance's keyserver technology. 4654 (Use engine 'keyclient') 4655 [Cryptographic Appliances and Geoff Thorpe] 4656 4657 *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' 4658 is called via tools/c89.sh because arguments have to be 4659 rearranged (all '-L' options must appear before the first object 4660 modules). 4661 [Richard Shapiro <rshapiro@abinitio.com>] 4662 4663 *) [In 0.9.6c-engine release:] 4664 Add support for Broadcom crypto accelerator cards, backported 4665 from 0.9.7. 4666 [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] 4667 4668 *) [In 0.9.6c-engine release:] 4669 Add support for SureWare crypto accelerator cards from 4670 Baltimore Technologies. (Use engine 'sureware') 4671 [Baltimore Technologies and Mark Cox] 4672 4673 *) [In 0.9.6c-engine release:] 4674 Add support for crypto accelerator cards from Accelerated 4675 Encryption Processing, www.aep.ie. (Use engine 'aep') 4676 [AEP Inc. and Mark Cox] 4677 4678 *) Add a configuration entry for gcc on UnixWare. 4679 [Gary Benson <gbenson@redhat.com>] 4680 4681 *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake 4682 messages are stored in a single piece (fixed-length part and 4683 variable-length part combined) and fix various bugs found on the way. 4684 [Bodo Moeller] 4685 4686 *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() 4687 instead. BIO_gethostbyname() does not know what timeouts are 4688 appropriate, so entries would stay in cache even when they have 4689 become invalid. 4690 [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com> 4691 4692 *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when 4693 faced with a pathologically small ClientHello fragment that does 4694 not contain client_version: Instead of aborting with an error, 4695 simply choose the highest available protocol version (i.e., 4696 TLS 1.0 unless it is disabled). In practice, ClientHello 4697 messages are never sent like this, but this change gives us 4698 strictly correct behaviour at least for TLS. 4699 [Bodo Moeller] 4700 4701 *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() 4702 never resets s->method to s->ctx->method when called from within 4703 one of the SSL handshake functions. 4704 [Bodo Moeller; problem pointed out by Niko Baric] 4705 4706 *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert 4707 (sent using the client's version number) if client_version is 4708 smaller than the protocol version in use. Also change 4709 ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if 4710 the client demanded SSL 3.0 but only TLS 1.0 is enabled; then 4711 the client will at least see that alert. 4712 [Bodo Moeller] 4713 4714 *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation 4715 correctly. 4716 [Bodo Moeller] 4717 4718 *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a 4719 client receives HelloRequest while in a handshake. 4720 [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] 4721 4722 *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C 4723 should end in 'break', not 'goto end' which circuments various 4724 cleanups done in state SSL_ST_OK. But session related stuff 4725 must be disabled for SSL_ST_OK in the case that we just sent a 4726 HelloRequest. 4727 4728 Also avoid some overhead by not calling ssl_init_wbio_buffer() 4729 before just sending a HelloRequest. 4730 [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] 4731 4732 *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't 4733 reveal whether illegal block cipher padding was found or a MAC 4734 verification error occured. (Neither SSLerr() codes nor alerts 4735 are directly visible to potential attackers, but the information 4736 may leak via logfiles.) 4737 4738 Similar changes are not required for the SSL 2.0 implementation 4739 because the number of padding bytes is sent in clear for SSL 2.0, 4740 and the extra bytes are just ignored. However ssl/s2_pkt.c 4741 failed to verify that the purported number of padding bytes is in 4742 the legal range. 4743 [Bodo Moeller] 4744 4745 *) Add OpenUNIX-8 support including shared libraries 4746 (Boyd Lynn Gerber <gerberb@zenez.com>). 4747 [Lutz Jaenicke] 4748 4749 *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid 4750 'wristwatch attack' using huge encoding parameters (cf. 4751 James H. Manger's CRYPTO 2001 paper). Note that the 4752 RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use 4753 encoding parameters and hence was not vulnerable. 4754 [Bodo Moeller] 4755 4756 *) BN_sqr() bug fix. 4757 [Ulf M�ller, reported by Jim Ellis <jim.ellis@cavium.com>] 4758 4759 *) Rabin-Miller test analyses assume uniformly distributed witnesses, 4760 so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() 4761 followed by modular reduction. 4762 [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>] 4763 4764 *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() 4765 equivalent based on BN_pseudo_rand() instead of BN_rand(). 4766 [Bodo Moeller] 4767 4768 *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). 4769 This function was broken, as the check for a new client hello message 4770 to handle SGC did not allow these large messages. 4771 (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.) 4772 [Lutz Jaenicke] 4773 4774 *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). 4775 [Lutz Jaenicke] 4776 4777 *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() 4778 for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>). 4779 [Lutz Jaenicke] 4780 4781 *) Rework the configuration and shared library support for Tru64 Unix. 4782 The configuration part makes use of modern compiler features and 4783 still retains old compiler behavior for those that run older versions 4784 of the OS. The shared library support part includes a variant that 4785 uses the RPATH feature, and is available through the special 4786 configuration target "alpha-cc-rpath", which will never be selected 4787 automatically. 4788 [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte] 4789 4790 *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() 4791 with the same message size as in ssl3_get_certificate_request(). 4792 Otherwise, if no ServerKeyExchange message occurs, CertificateRequest 4793 messages might inadvertently be reject as too long. 4794 [Petr Lampa <lampa@fee.vutbr.cz>] 4795 4796 *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). 4797 [Andy Polyakov] 4798 4799 *) Modified SSL library such that the verify_callback that has been set 4800 specificly for an SSL object with SSL_set_verify() is actually being 4801 used. Before the change, a verify_callback set with this function was 4802 ignored and the verify_callback() set in the SSL_CTX at the time of 4803 the call was used. New function X509_STORE_CTX_set_verify_cb() introduced 4804 to allow the necessary settings. 4805 [Lutz Jaenicke] 4806 4807 *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c 4808 explicitly to NULL, as at least on Solaris 8 this seems not always to be 4809 done automatically (in contradiction to the requirements of the C 4810 standard). This made problems when used from OpenSSH. 4811 [Lutz Jaenicke] 4812 4813 *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored 4814 dh->length and always used 4815 4816 BN_rand_range(priv_key, dh->p). 4817 4818 BN_rand_range() is not necessary for Diffie-Hellman, and this 4819 specific range makes Diffie-Hellman unnecessarily inefficient if 4820 dh->length (recommended exponent length) is much smaller than the 4821 length of dh->p. We could use BN_rand_range() if the order of 4822 the subgroup was stored in the DH structure, but we only have 4823 dh->length. 4824 4825 So switch back to 4826 4827 BN_rand(priv_key, l, ...) 4828 4829 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 4830 otherwise. 4831 [Bodo Moeller] 4832 4833 *) In 4834 4835 RSA_eay_public_encrypt 4836 RSA_eay_private_decrypt 4837 RSA_eay_private_encrypt (signing) 4838 RSA_eay_public_decrypt (signature verification) 4839 4840 (default implementations for RSA_public_encrypt, 4841 RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), 4842 always reject numbers >= n. 4843 [Bodo Moeller] 4844 4845 *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 4846 to synchronize access to 'locking_thread'. This is necessary on 4847 systems where access to 'locking_thread' (an 'unsigned long' 4848 variable) is not atomic. 4849 [Bodo Moeller] 4850 4851 *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID 4852 *before* setting the 'crypto_lock_rand' flag. The previous code had 4853 a race condition if 0 is a valid thread ID. 4854 [Travis Vitek <vitek@roguewave.com>] 4855 4856 *) Add support for shared libraries under Irix. 4857 [Albert Chin-A-Young <china@thewrittenword.com>] 4858 4859 *) Add configuration option to build on Linux on both big-endian and 4860 little-endian MIPS. 4861 [Ralf Baechle <ralf@uni-koblenz.de>] 4862 4863 *) Add the possibility to create shared libraries on HP-UX. 4864 [Richard Levitte] 4865 4866 Changes between 0.9.6a and 0.9.6b [9 Jul 2001] 4867 4868 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) 4869 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by 4870 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: 4871 PRNG state recovery was possible based on the output of 4872 one PRNG request appropriately sized to gain knowledge on 4873 'md' followed by enough consecutive 1-byte PRNG requests 4874 to traverse all of 'state'. 4875 4876 1. When updating 'md_local' (the current thread's copy of 'md') 4877 during PRNG output generation, hash all of the previous 4878 'md_local' value, not just the half used for PRNG output. 4879 4880 2. Make the number of bytes from 'state' included into the hash 4881 independent from the number of PRNG bytes requested. 4882 4883 The first measure alone would be sufficient to avoid 4884 Markku-Juhani's attack. (Actually it had never occurred 4885 to me that the half of 'md_local' used for chaining was the 4886 half from which PRNG output bytes were taken -- I had always 4887 assumed that the secret half would be used.) The second 4888 measure makes sure that additional data from 'state' is never 4889 mixed into 'md_local' in small portions; this heuristically 4890 further strengthens the PRNG. 4891 [Bodo Moeller] 4892 4893 *) Fix crypto/bn/asm/mips3.s. 4894 [Andy Polyakov] 4895 4896 *) When only the key is given to "enc", the IV is undefined. Print out 4897 an error message in this case. 4898 [Lutz Jaenicke] 4899 4900 *) Handle special case when X509_NAME is empty in X509 printing routines. 4901 [Steve Henson] 4902 4903 *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are 4904 positive and less than q. 4905 [Bodo Moeller] 4906 4907 *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is 4908 used: it isn't thread safe and the add_lock_callback should handle 4909 that itself. 4910 [Paul Rose <Paul.Rose@bridge.com>] 4911 4912 *) Verify that incoming data obeys the block size in 4913 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). 4914 [Bodo Moeller] 4915 4916 *) Fix OAEP check. 4917 [Ulf M�ller, Bodo M�ller] 4918 4919 *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 4920 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 4921 when fixing the server behaviour for backwards-compatible 'client 4922 hello' messages. (Note that the attack is impractical against 4923 SSL 3.0 and TLS 1.0 anyway because length and version checking 4924 means that the probability of guessing a valid ciphertext is 4925 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 4926 paper.) 4927 4928 Before 0.9.5, the countermeasure (hide the error by generating a 4929 random 'decryption result') did not work properly because 4930 ERR_clear_error() was missing, meaning that SSL_get_error() would 4931 detect the supposedly ignored error. 4932 4933 Both problems are now fixed. 4934 [Bodo Moeller] 4935 4936 *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 4937 (previously it was 1024). 4938 [Bodo Moeller] 4939 4940 *) Fix for compatibility mode trust settings: ignore trust settings 4941 unless some valid trust or reject settings are present. 4942 [Steve Henson] 4943 4944 *) Fix for blowfish EVP: its a variable length cipher. 4945 [Steve Henson] 4946 4947 *) Fix various bugs related to DSA S/MIME verification. Handle missing 4948 parameters in DSA public key structures and return an error in the 4949 DSA routines if parameters are absent. 4950 [Steve Henson] 4951 4952 *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd" 4953 in the current directory if neither $RANDFILE nor $HOME was set. 4954 RAND_file_name() in 0.9.6a returned NULL in this case. This has 4955 caused some confusion to Windows users who haven't defined $HOME. 4956 Thus RAND_file_name() is changed again: e_os.h can define a 4957 DEFAULT_HOME, which will be used if $HOME is not set. 4958 For Windows, we use "C:"; on other platforms, we still require 4959 environment variables. 4960 4961 *) Move 'if (!initialized) RAND_poll()' into regions protected by 4962 CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids 4963 having multiple threads call RAND_poll() concurrently. 4964 [Bodo Moeller] 4965 4966 *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a 4967 combination of a flag and a thread ID variable. 4968 Otherwise while one thread is in ssleay_rand_bytes (which sets the 4969 flag), *other* threads can enter ssleay_add_bytes without obeying 4970 the CRYPTO_LOCK_RAND lock (and may even illegally release the lock 4971 that they do not hold after the first thread unsets add_do_not_lock). 4972 [Bodo Moeller] 4973 4974 *) Change bctest again: '-x' expressions are not available in all 4975 versions of 'test'. 4976 [Bodo Moeller] 4977 4978 Changes between 0.9.6 and 0.9.6a [5 Apr 2001] 4979 4980 *) Fix a couple of memory leaks in PKCS7_dataDecode() 4981 [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>] 4982 4983 *) Change Configure and Makefiles to provide EXE_EXT, which will contain 4984 the default extension for executables, if any. Also, make the perl 4985 scripts that use symlink() to test if it really exists and use "cp" 4986 if it doesn't. All this made OpenSSL compilable and installable in 4987 CygWin. 4988 [Richard Levitte] 4989 4990 *) Fix for asn1_GetSequence() for indefinite length constructed data. 4991 If SEQUENCE is length is indefinite just set c->slen to the total 4992 amount of data available. 4993 [Steve Henson, reported by shige@FreeBSD.org] 4994 [This change does not apply to 0.9.7.] 4995 4996 *) Change bctest to avoid here-documents inside command substitution 4997 (workaround for FreeBSD /bin/sh bug). 4998 For compatibility with Ultrix, avoid shell functions (introduced 4999 in the bctest version that searches along $PATH). 5000 [Bodo Moeller] 5001 5002 *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes 5003 with des_encrypt() defined on some operating systems, like Solaris 5004 and UnixWare. 5005 [Richard Levitte] 5006 5007 *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: 5008 On the Importance of Eliminating Errors in Cryptographic 5009 Computations, J. Cryptology 14 (2001) 2, 101-119, 5010 http://theory.stanford.edu/~dabo/papers/faults.ps.gz). 5011 [Ulf Moeller] 5012 5013 *) MIPS assembler BIGNUM division bug fix. 5014 [Andy Polyakov] 5015 5016 *) Disabled incorrect Alpha assembler code. 5017 [Richard Levitte] 5018 5019 *) Fix PKCS#7 decode routines so they correctly update the length 5020 after reading an EOC for the EXPLICIT tag. 5021 [Steve Henson] 5022 [This change does not apply to 0.9.7.] 5023 5024 *) Fix bug in PKCS#12 key generation routines. This was triggered 5025 if a 3DES key was generated with a 0 initial byte. Include 5026 PKCS12_BROKEN_KEYGEN compilation option to retain the old 5027 (but broken) behaviour. 5028 [Steve Henson] 5029 5030 *) Enhance bctest to search for a working bc along $PATH and print 5031 it when found. 5032 [Tim Rice <tim@multitalents.net> via Richard Levitte] 5033 5034 *) Fix memory leaks in err.c: free err_data string if necessary; 5035 don't write to the wrong index in ERR_set_error_data. 5036 [Bodo Moeller] 5037 5038 *) Implement ssl23_peek (analogous to ssl23_read), which previously 5039 did not exist. 5040 [Bodo Moeller] 5041 5042 *) Replace rdtsc with _emit statements for VC++ version 5. 5043 [Jeremy Cooper <jeremy@baymoo.org>] 5044 5045 *) Make it possible to reuse SSLv2 sessions. 5046 [Richard Levitte] 5047 5048 *) In copy_email() check for >= 0 as a return value for 5049 X509_NAME_get_index_by_NID() since 0 is a valid index. 5050 [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>] 5051 5052 *) Avoid coredump with unsupported or invalid public keys by checking if 5053 X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when 5054 PKCS7_verify() fails with non detached data. 5055 [Steve Henson] 5056 5057 *) Don't use getenv in library functions when run as setuid/setgid. 5058 New function OPENSSL_issetugid(). 5059 [Ulf Moeller] 5060 5061 *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) 5062 due to incorrect handling of multi-threading: 5063 5064 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). 5065 5066 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). 5067 5068 3. Count how many times MemCheck_off() has been called so that 5069 nested use can be treated correctly. This also avoids 5070 inband-signalling in the previous code (which relied on the 5071 assumption that thread ID 0 is impossible). 5072 [Bodo Moeller] 5073 5074 *) Add "-rand" option also to s_client and s_server. 5075 [Lutz Jaenicke] 5076 5077 *) Fix CPU detection on Irix 6.x. 5078 [Kurt Hockenbury <khockenb@stevens-tech.edu> and 5079 "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] 5080 5081 *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME 5082 was empty. 5083 [Steve Henson] 5084 [This change does not apply to 0.9.7.] 5085 5086 *) Use the cached encoding of an X509_NAME structure rather than 5087 copying it. This is apparently the reason for the libsafe "errors" 5088 but the code is actually correct. 5089 [Steve Henson] 5090 5091 *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent 5092 Bleichenbacher's DSA attack. 5093 Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits 5094 to be set and top=0 forces the highest bit to be set; top=-1 is new 5095 and leaves the highest bit random. 5096 [Ulf Moeller, Bodo Moeller] 5097 5098 *) In the NCONF_...-based implementations for CONF_... queries 5099 (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using 5100 a temporary CONF structure with the data component set to NULL 5101 (which gives segmentation faults in lh_retrieve). 5102 Instead, use NULL for the CONF pointer in CONF_get_string and 5103 CONF_get_number (which may use environment variables) and directly 5104 return NULL from CONF_get_section. 5105 [Bodo Moeller] 5106 5107 *) Fix potential buffer overrun for EBCDIC. 5108 [Ulf Moeller] 5109 5110 *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign 5111 keyUsage if basicConstraints absent for a CA. 5112 [Steve Henson] 5113 5114 *) Make SMIME_write_PKCS7() write mail header values with a format that 5115 is more generally accepted (no spaces before the semicolon), since 5116 some programs can't parse those values properly otherwise. Also make 5117 sure BIO's that break lines after each write do not create invalid 5118 headers. 5119 [Richard Levitte] 5120 5121 *) Make the CRL encoding routines work with empty SEQUENCE OF. The 5122 macros previously used would not encode an empty SEQUENCE OF 5123 and break the signature. 5124 [Steve Henson] 5125 [This change does not apply to 0.9.7.] 5126 5127 *) Zero the premaster secret after deriving the master secret in 5128 DH ciphersuites. 5129 [Steve Henson] 5130 5131 *) Add some EVP_add_digest_alias registrations (as found in 5132 OpenSSL_add_all_digests()) to SSL_library_init() 5133 aka OpenSSL_add_ssl_algorithms(). This provides improved 5134 compatibility with peers using X.509 certificates 5135 with unconventional AlgorithmIdentifier OIDs. 5136 [Bodo Moeller] 5137 5138 *) Fix for Irix with NO_ASM. 5139 ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>] 5140 5141 *) ./config script fixes. 5142 [Ulf Moeller, Richard Levitte] 5143 5144 *) Fix 'openssl passwd -1'. 5145 [Bodo Moeller] 5146 5147 *) Change PKCS12_key_gen_asc() so it can cope with non null 5148 terminated strings whose length is passed in the passlen 5149 parameter, for example from PEM callbacks. This was done 5150 by adding an extra length parameter to asc2uni(). 5151 [Steve Henson, reported by <oddissey@samsung.co.kr>] 5152 5153 *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn 5154 call failed, free the DSA structure. 5155 [Bodo Moeller] 5156 5157 *) Fix to uni2asc() to cope with zero length Unicode strings. 5158 These are present in some PKCS#12 files. 5159 [Steve Henson] 5160 5161 *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). 5162 Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits 5163 when writing a 32767 byte record. 5164 [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] 5165 5166 *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), 5167 obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. 5168 5169 (RSA objects have a reference count access to which is protected 5170 by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], 5171 so they are meant to be shared between threads.) 5172 [Bodo Moeller, Geoff Thorpe; original patch submitted by 5173 "Reddie, Steven" <Steven.Reddie@ca.com>] 5174 5175 *) Fix a deadlock in CRYPTO_mem_leaks(). 5176 [Bodo Moeller] 5177 5178 *) Use better test patterns in bntest. 5179 [Ulf M�ller] 5180 5181 *) rand_win.c fix for Borland C. 5182 [Ulf M�ller] 5183 5184 *) BN_rshift bugfix for n == 0. 5185 [Bodo Moeller] 5186 5187 *) Add a 'bctest' script that checks for some known 'bc' bugs 5188 so that 'make test' does not abort just because 'bc' is broken. 5189 [Bodo Moeller] 5190 5191 *) Store verify_result within SSL_SESSION also for client side to 5192 avoid potential security hole. (Re-used sessions on the client side 5193 always resulted in verify_result==X509_V_OK, not using the original 5194 result of the server certificate verification.) 5195 [Lutz Jaenicke] 5196 5197 *) Fix ssl3_pending: If the record in s->s3->rrec is not of type 5198 SSL3_RT_APPLICATION_DATA, return 0. 5199 Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. 5200 [Bodo Moeller] 5201 5202 *) Fix SSL_peek: 5203 Both ssl2_peek and ssl3_peek, which were totally broken in earlier 5204 releases, have been re-implemented by renaming the previous 5205 implementations of ssl2_read and ssl3_read to ssl2_read_internal 5206 and ssl3_read_internal, respectively, and adding 'peek' parameters 5207 to them. The new ssl[23]_{read,peek} functions are calls to 5208 ssl[23]_read_internal with the 'peek' flag set appropriately. 5209 A 'peek' parameter has also been added to ssl3_read_bytes, which 5210 does the actual work for ssl3_read_internal. 5211 [Bodo Moeller] 5212 5213 *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling 5214 the method-specific "init()" handler. Also clean up ex_data after 5215 calling the method-specific "finish()" handler. Previously, this was 5216 happening the other way round. 5217 [Geoff Thorpe] 5218 5219 *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. 5220 The previous value, 12, was not always sufficient for BN_mod_exp(). 5221 [Bodo Moeller] 5222 5223 *) Make sure that shared libraries get the internal name engine with 5224 the full version number and not just 0. This should mark the 5225 shared libraries as not backward compatible. Of course, this should 5226 be changed again when we can guarantee backward binary compatibility. 5227 [Richard Levitte] 5228 5229 *) Fix typo in get_cert_by_subject() in by_dir.c 5230 [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>] 5231 5232 *) Rework the system to generate shared libraries: 5233 5234 - Make note of the expected extension for the shared libraries and 5235 if there is a need for symbolic links from for example libcrypto.so.0 5236 to libcrypto.so.0.9.7. There is extended info in Configure for 5237 that. 5238 5239 - Make as few rebuilds of the shared libraries as possible. 5240 5241 - Still avoid linking the OpenSSL programs with the shared libraries. 5242 5243 - When installing, install the shared libraries separately from the 5244 static ones. 5245 [Richard Levitte] 5246 5247 *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. 5248 5249 Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new 5250 and not in SSL_clear because the latter is also used by the 5251 accept/connect functions; previously, the settings made by 5252 SSL_set_read_ahead would be lost during the handshake. 5253 [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>] 5254 5255 *) Correct util/mkdef.pl to be selective about disabled algorithms. 5256 Previously, it would create entries for disableed algorithms no 5257 matter what. 5258 [Richard Levitte] 5259 5260 *) Added several new manual pages for SSL_* function. 5261 [Lutz Jaenicke] 5262 5263 Changes between 0.9.5a and 0.9.6 [24 Sep 2000] 5264 5265 *) In ssl23_get_client_hello, generate an error message when faced 5266 with an initial SSL 3.0/TLS record that is too small to contain the 5267 first two bytes of the ClientHello message, i.e. client_version. 5268 (Note that this is a pathologic case that probably has never happened 5269 in real life.) The previous approach was to use the version number 5270 from the record header as a substitute; but our protocol choice 5271 should not depend on that one because it is not authenticated 5272 by the Finished messages. 5273 [Bodo Moeller] 5274 5275 *) More robust randomness gathering functions for Windows. 5276 [Jeffrey Altman <jaltman@columbia.edu>] 5277 5278 *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is 5279 not set then we don't setup the error code for issuer check errors 5280 to avoid possibly overwriting other errors which the callback does 5281 handle. If an application does set the flag then we assume it knows 5282 what it is doing and can handle the new informational codes 5283 appropriately. 5284 [Steve Henson] 5285 5286 *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for 5287 a general "ANY" type, as such it should be able to decode anything 5288 including tagged types. However it didn't check the class so it would 5289 wrongly interpret tagged types in the same way as their universal 5290 counterpart and unknown types were just rejected. Changed so that the 5291 tagged and unknown types are handled in the same way as a SEQUENCE: 5292 that is the encoding is stored intact. There is also a new type 5293 "V_ASN1_OTHER" which is used when the class is not universal, in this 5294 case we have no idea what the actual type is so we just lump them all 5295 together. 5296 [Steve Henson] 5297 5298 *) On VMS, stdout may very well lead to a file that is written to 5299 in a record-oriented fashion. That means that every write() will 5300 write a separate record, which will be read separately by the 5301 programs trying to read from it. This can be very confusing. 5302 5303 The solution is to put a BIO filter in the way that will buffer 5304 text until a linefeed is reached, and then write everything a 5305 line at a time, so every record written will be an actual line, 5306 not chunks of lines and not (usually doesn't happen, but I've 5307 seen it once) several lines in one record. BIO_f_linebuffer() is 5308 the answer. 5309 5310 Currently, it's a VMS-only method, because that's where it has 5311 been tested well enough. 5312 [Richard Levitte] 5313 5314 *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery, 5315 it can return incorrect results. 5316 (Note: The buggy variant was not enabled in OpenSSL 0.9.5a, 5317 but it was in 0.9.6-beta[12].) 5318 [Bodo Moeller] 5319 5320 *) Disable the check for content being present when verifying detached 5321 signatures in pk7_smime.c. Some versions of Netscape (wrongly) 5322 include zero length content when signing messages. 5323 [Steve Henson] 5324 5325 *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR 5326 BIO_ctrl (for BIO pairs). 5327 [Bodo M�ller] 5328 5329 *) Add DSO method for VMS. 5330 [Richard Levitte] 5331 5332 *) Bug fix: Montgomery multiplication could produce results with the 5333 wrong sign. 5334 [Ulf M�ller] 5335 5336 *) Add RPM specification openssl.spec and modify it to build three 5337 packages. The default package contains applications, application 5338 documentation and run-time libraries. The devel package contains 5339 include files, static libraries and function documentation. The 5340 doc package contains the contents of the doc directory. The original 5341 openssl.spec was provided by Damien Miller <djm@mindrot.org>. 5342 [Richard Levitte] 5343 5344 *) Add a large number of documentation files for many SSL routines. 5345 [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] 5346 5347 *) Add a configuration entry for Sony News 4. 5348 [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>] 5349 5350 *) Don't set the two most significant bits to one when generating a 5351 random number < q in the DSA library. 5352 [Ulf M�ller] 5353 5354 *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default 5355 behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if 5356 the underlying transport is blocking) if a handshake took place. 5357 (The default behaviour is needed by applications such as s_client 5358 and s_server that use select() to determine when to use SSL_read; 5359 but for applications that know in advance when to expect data, it 5360 just makes things more complicated.) 5361 [Bodo Moeller] 5362 5363 *) Add RAND_egd_bytes(), which gives control over the number of bytes read 5364 from EGD. 5365 [Ben Laurie] 5366 5367 *) Add a few more EBCDIC conditionals that make `req' and `x509' 5368 work better on such systems. 5369 [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] 5370 5371 *) Add two demo programs for PKCS12_parse() and PKCS12_create(). 5372 Update PKCS12_parse() so it copies the friendlyName and the 5373 keyid to the certificates aux info. 5374 [Steve Henson] 5375 5376 *) Fix bug in PKCS7_verify() which caused an infinite loop 5377 if there was more than one signature. 5378 [Sven Uszpelkat <su@celocom.de>] 5379 5380 *) Major change in util/mkdef.pl to include extra information 5381 about each symbol, as well as presentig variables as well 5382 as functions. This change means that there's n more need 5383 to rebuild the .num files when some algorithms are excluded. 5384 [Richard Levitte] 5385 5386 *) Allow the verify time to be set by an application, 5387 rather than always using the current time. 5388 [Steve Henson] 5389 5390 *) Phase 2 verify code reorganisation. The certificate 5391 verify code now looks up an issuer certificate by a 5392 number of criteria: subject name, authority key id 5393 and key usage. It also verifies self signed certificates 5394 by the same criteria. The main comparison function is 5395 X509_check_issued() which performs these checks. 5396 5397 Lot of changes were necessary in order to support this 5398 without completely rewriting the lookup code. 5399 5400 Authority and subject key identifier are now cached. 5401 5402 The LHASH 'certs' is X509_STORE has now been replaced 5403 by a STACK_OF(X509_OBJECT). This is mainly because an 5404 LHASH can't store or retrieve multiple objects with 5405 the same hash value. 5406 5407 As a result various functions (which were all internal 5408 use only) have changed to handle the new X509_STORE 5409 structure. This will break anything that messed round 5410 with X509_STORE internally. 5411 5412 The functions X509_STORE_add_cert() now checks for an 5413 exact match, rather than just subject name. 5414 5415 The X509_STORE API doesn't directly support the retrieval 5416 of multiple certificates matching a given criteria, however 5417 this can be worked round by performing a lookup first 5418 (which will fill the cache with candidate certificates) 5419 and then examining the cache for matches. This is probably 5420 the best we can do without throwing out X509_LOOKUP 5421 entirely (maybe later...). 5422 5423 The X509_VERIFY_CTX structure has been enhanced considerably. 5424 5425 All certificate lookup operations now go via a get_issuer() 5426 callback. Although this currently uses an X509_STORE it 5427 can be replaced by custom lookups. This is a simple way 5428 to bypass the X509_STORE hackery necessary to make this 5429 work and makes it possible to use more efficient techniques 5430 in future. A very simple version which uses a simple 5431 STACK for its trusted certificate store is also provided 5432 using X509_STORE_CTX_trusted_stack(). 5433 5434 The verify_cb() and verify() callbacks now have equivalents 5435 in the X509_STORE_CTX structure. 5436 5437 X509_STORE_CTX also has a 'flags' field which can be used 5438 to customise the verify behaviour. 5439 [Steve Henson] 5440 5441 *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 5442 excludes S/MIME capabilities. 5443 [Steve Henson] 5444 5445 *) When a certificate request is read in keep a copy of the 5446 original encoding of the signed data and use it when outputing 5447 again. Signatures then use the original encoding rather than 5448 a decoded, encoded version which may cause problems if the 5449 request is improperly encoded. 5450 [Steve Henson] 5451 5452 *) For consistency with other BIO_puts implementations, call 5453 buffer_write(b, ...) directly in buffer_puts instead of calling 5454 BIO_write(b, ...). 5455 5456 In BIO_puts, increment b->num_write as in BIO_write. 5457 [Peter.Sylvester@EdelWeb.fr] 5458 5459 *) Fix BN_mul_word for the case where the word is 0. (We have to use 5460 BN_zero, we may not return a BIGNUM with an array consisting of 5461 words set to zero.) 5462 [Bodo Moeller] 5463 5464 *) Avoid calling abort() from within the library when problems are 5465 detected, except if preprocessor symbols have been defined 5466 (such as REF_CHECK, BN_DEBUG etc.). 5467 [Bodo Moeller] 5468 5469 *) New openssl application 'rsautl'. This utility can be 5470 used for low level RSA operations. DER public key 5471 BIO/fp routines also added. 5472 [Steve Henson] 5473 5474 *) New Configure entry and patches for compiling on QNX 4. 5475 [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>] 5476 5477 *) A demo state-machine implementation was sponsored by 5478 Nuron (http://www.nuron.com/) and is now available in 5479 demos/state_machine. 5480 [Ben Laurie] 5481 5482 *) New options added to the 'dgst' utility for signature 5483 generation and verification. 5484 [Steve Henson] 5485 5486 *) Unrecognized PKCS#7 content types are now handled via a 5487 catch all ASN1_TYPE structure. This allows unsupported 5488 types to be stored as a "blob" and an application can 5489 encode and decode it manually. 5490 [Steve Henson] 5491 5492 *) Fix various signed/unsigned issues to make a_strex.c 5493 compile under VC++. 5494 [Oscar Jacobsson <oscar.jacobsson@celocom.com>] 5495 5496 *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct 5497 length if passed a buffer. ASN1_INTEGER_to_BN failed 5498 if passed a NULL BN and its argument was negative. 5499 [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>] 5500 5501 *) Modification to PKCS#7 encoding routines to output definite 5502 length encoding. Since currently the whole structures are in 5503 memory there's not real point in using indefinite length 5504 constructed encoding. However if OpenSSL is compiled with 5505 the flag PKCS7_INDEFINITE_ENCODING the old form is used. 5506 [Steve Henson] 5507 5508 *) Added BIO_vprintf() and BIO_vsnprintf(). 5509 [Richard Levitte] 5510 5511 *) Added more prefixes to parse for in the the strings written 5512 through a logging bio, to cover all the levels that are available 5513 through syslog. The prefixes are now: 5514 5515 PANIC, EMERG, EMR => LOG_EMERG 5516 ALERT, ALR => LOG_ALERT 5517 CRIT, CRI => LOG_CRIT 5518 ERROR, ERR => LOG_ERR 5519 WARNING, WARN, WAR => LOG_WARNING 5520 NOTICE, NOTE, NOT => LOG_NOTICE 5521 INFO, INF => LOG_INFO 5522 DEBUG, DBG => LOG_DEBUG 5523 5524 and as before, if none of those prefixes are present at the 5525 beginning of the string, LOG_ERR is chosen. 5526 5527 On Win32, the LOG_* levels are mapped according to this: 5528 5529 LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE 5530 LOG_WARNING => EVENTLOG_WARNING_TYPE 5531 LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE 5532 5533 [Richard Levitte] 5534 5535 *) Made it possible to reconfigure with just the configuration 5536 argument "reconf" or "reconfigure". The command line arguments 5537 are stored in Makefile.ssl in the variable CONFIGURE_ARGS, 5538 and are retrieved from there when reconfiguring. 5539 [Richard Levitte] 5540 5541 *) MD4 implemented. 5542 [Assar Westerlund <assar@sics.se>, Richard Levitte] 5543 5544 *) Add the arguments -CAfile and -CApath to the pkcs12 utility. 5545 [Richard Levitte] 5546 5547 *) The obj_dat.pl script was messing up the sorting of object 5548 names. The reason was that it compared the quoted version 5549 of strings as a result "OCSP" > "OCSP Signing" because 5550 " > SPACE. Changed script to store unquoted versions of 5551 names and add quotes on output. It was also omitting some 5552 names from the lookup table if they were given a default 5553 value (that is if SN is missing it is given the same 5554 value as LN and vice versa), these are now added on the 5555 grounds that if an object has a name we should be able to 5556 look it up. Finally added warning output when duplicate 5557 short or long names are found. 5558 [Steve Henson] 5559 5560 *) Changes needed for Tandem NSK. 5561 [Scott Uroff <scott@xypro.com>] 5562 5563 *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in 5564 RSA_padding_check_SSLv23(), special padding was never detected 5565 and thus the SSL 3.0/TLS 1.0 countermeasure against protocol 5566 version rollback attacks was not effective. 5567 5568 In s23_clnt.c, don't use special rollback-attack detection padding 5569 (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the 5570 client; similarly, in s23_srvr.c, don't do the rollback check if 5571 SSL 2.0 is the only protocol enabled in the server. 5572 [Bodo Moeller] 5573 5574 *) Make it possible to get hexdumps of unprintable data with 'openssl 5575 asn1parse'. By implication, the functions ASN1_parse_dump() and 5576 BIO_dump_indent() are added. 5577 [Richard Levitte] 5578 5579 *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() 5580 these print out strings and name structures based on various 5581 flags including RFC2253 support and proper handling of 5582 multibyte characters. Added options to the 'x509' utility 5583 to allow the various flags to be set. 5584 [Steve Henson] 5585 5586 *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. 5587 Also change the functions X509_cmp_current_time() and 5588 X509_gmtime_adj() work with an ASN1_TIME structure, 5589 this will enable certificates using GeneralizedTime in validity 5590 dates to be checked. 5591 [Steve Henson] 5592 5593 *) Make the NEG_PUBKEY_BUG code (which tolerates invalid 5594 negative public key encodings) on by default, 5595 NO_NEG_PUBKEY_BUG can be set to disable it. 5596 [Steve Henson] 5597 5598 *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT 5599 content octets. An i2c_ASN1_OBJECT is unnecessary because 5600 the encoding can be trivially obtained from the structure. 5601 [Steve Henson] 5602 5603 *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), 5604 not read locks (CRYPTO_r_[un]lock). 5605 [Bodo Moeller] 5606 5607 *) A first attempt at creating official support for shared 5608 libraries through configuration. I've kept it so the 5609 default is static libraries only, and the OpenSSL programs 5610 are always statically linked for now, but there are 5611 preparations for dynamic linking in place. 5612 This has been tested on Linux and Tru64. 5613 [Richard Levitte] 5614 5615 *) Randomness polling function for Win9x, as described in: 5616 Peter Gutmann, Software Generation of Practically Strong 5617 Random Numbers. 5618 [Ulf M�ller] 5619 5620 *) Fix so PRNG is seeded in req if using an already existing 5621 DSA key. 5622 [Steve Henson] 5623 5624 *) New options to smime application. -inform and -outform 5625 allow alternative formats for the S/MIME message including 5626 PEM and DER. The -content option allows the content to be 5627 specified separately. This should allow things like Netscape 5628 form signing output easier to verify. 5629 [Steve Henson] 5630 5631 *) Fix the ASN1 encoding of tags using the 'long form'. 5632 [Steve Henson] 5633 5634 *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT 5635 STRING types. These convert content octets to and from the 5636 underlying type. The actual tag and length octets are 5637 already assumed to have been read in and checked. These 5638 are needed because all other string types have virtually 5639 identical handling apart from the tag. By having versions 5640 of the ASN1 functions that just operate on content octets 5641 IMPLICIT tagging can be handled properly. It also allows 5642 the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED 5643 and ASN1_INTEGER are identical apart from the tag. 5644 [Steve Henson] 5645 5646 *) Change the handling of OID objects as follows: 5647 5648 - New object identifiers are inserted in objects.txt, following 5649 the syntax given in objects.README. 5650 - objects.pl is used to process obj_mac.num and create a new 5651 obj_mac.h. 5652 - obj_dat.pl is used to create a new obj_dat.h, using the data in 5653 obj_mac.h. 5654 5655 This is currently kind of a hack, and the perl code in objects.pl 5656 isn't very elegant, but it works as I intended. The simplest way 5657 to check that it worked correctly is to look in obj_dat.h and 5658 check the array nid_objs and make sure the objects haven't moved 5659 around (this is important!). Additions are OK, as well as 5660 consistent name changes. 5661 [Richard Levitte] 5662 5663 *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1'). 5664 [Bodo Moeller] 5665 5666 *) Addition of the command line parameter '-rand file' to 'openssl req'. 5667 The given file adds to whatever has already been seeded into the 5668 random pool through the RANDFILE configuration file option or 5669 environment variable, or the default random state file. 5670 [Richard Levitte] 5671 5672 *) mkstack.pl now sorts each macro group into lexical order. 5673 Previously the output order depended on the order the files 5674 appeared in the directory, resulting in needless rewriting 5675 of safestack.h . 5676 [Steve Henson] 5677 5678 *) Patches to make OpenSSL compile under Win32 again. Mostly 5679 work arounds for the VC++ problem that it treats func() as 5680 func(void). Also stripped out the parts of mkdef.pl that 5681 added extra typesafe functions: these no longer exist. 5682 [Steve Henson] 5683 5684 *) Reorganisation of the stack code. The macros are now all 5685 collected in safestack.h . Each macro is defined in terms of 5686 a "stack macro" of the form SKM_<name>(type, a, b). The 5687 DEBUG_SAFESTACK is now handled in terms of function casts, 5688 this has the advantage of retaining type safety without the 5689 use of additional functions. If DEBUG_SAFESTACK is not defined 5690 then the non typesafe macros are used instead. Also modified the 5691 mkstack.pl script to handle the new form. Needs testing to see 5692 if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK 5693 the default if no major problems. Similar behaviour for ASN1_SET_OF 5694 and PKCS12_STACK_OF. 5695 [Steve Henson] 5696 5697 *) When some versions of IIS use the 'NET' form of private key the 5698 key derivation algorithm is different. Normally MD5(password) is 5699 used as a 128 bit RC4 key. In the modified case 5700 MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some 5701 new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same 5702 as the old Netscape_RSA functions except they have an additional 5703 'sgckey' parameter which uses the modified algorithm. Also added 5704 an -sgckey command line option to the rsa utility. Thanks to 5705 Adrian Peck <bertie@ncipher.com> for posting details of the modified 5706 algorithm to openssl-dev. 5707 [Steve Henson] 5708 5709 *) The evp_local.h macros were using 'c.##kname' which resulted in 5710 invalid expansion on some systems (SCO 5.0.5 for example). 5711 Corrected to 'c.kname'. 5712 [Phillip Porch <root@theporch.com>] 5713 5714 *) New X509_get1_email() and X509_REQ_get1_email() functions that return 5715 a STACK of email addresses from a certificate or request, these look 5716 in the subject name and the subject alternative name extensions and 5717 omit any duplicate addresses. 5718 [Steve Henson] 5719 5720 *) Re-implement BN_mod_exp2_mont using independent (and larger) windows. 5721 This makes DSA verification about 2 % faster. 5722 [Bodo Moeller] 5723 5724 *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5 5725 (meaning that now 2^5 values will be precomputed, which is only 4 KB 5726 plus overhead for 1024 bit moduli). 5727 This makes exponentiations about 0.5 % faster for 1024 bit 5728 exponents (as measured by "openssl speed rsa2048"). 5729 [Bodo Moeller] 5730 5731 *) Rename memory handling macros to avoid conflicts with other 5732 software: 5733 Malloc => OPENSSL_malloc 5734 Malloc_locked => OPENSSL_malloc_locked 5735 Realloc => OPENSSL_realloc 5736 Free => OPENSSL_free 5737 [Richard Levitte] 5738 5739 *) New function BN_mod_exp_mont_word for small bases (roughly 15% 5740 faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange). 5741 [Bodo Moeller] 5742 5743 *) CygWin32 support. 5744 [John Jarvie <jjarvie@newsguy.com>] 5745 5746 *) The type-safe stack code has been rejigged. It is now only compiled 5747 in when OpenSSL is configured with the DEBUG_SAFESTACK option and 5748 by default all type-specific stack functions are "#define"d back to 5749 standard stack functions. This results in more streamlined output 5750 but retains the type-safety checking possibilities of the original 5751 approach. 5752 [Geoff Thorpe] 5753 5754 *) The STACK code has been cleaned up, and certain type declarations 5755 that didn't make a lot of sense have been brought in line. This has 5756 also involved a cleanup of sorts in safestack.h to more correctly 5757 map type-safe stack functions onto their plain stack counterparts. 5758 This work has also resulted in a variety of "const"ifications of 5759 lots of the code, especially "_cmp" operations which should normally 5760 be prototyped with "const" parameters anyway. 5761 [Geoff Thorpe] 5762 5763 *) When generating bytes for the first time in md_rand.c, 'stir the pool' 5764 by seeding with STATE_SIZE dummy bytes (with zero entropy count). 5765 (The PRNG state consists of two parts, the large pool 'state' and 'md', 5766 where all of 'md' is used each time the PRNG is used, but 'state' 5767 is used only indexed by a cyclic counter. As entropy may not be 5768 well distributed from the beginning, 'md' is important as a 5769 chaining variable. However, the output function chains only half 5770 of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains 5771 all of 'md', and seeding with STATE_SIZE dummy bytes will result 5772 in all of 'state' being rewritten, with the new values depending 5773 on virtually all of 'md'. This overcomes the 80 bit limitation.) 5774 [Bodo Moeller] 5775 5776 *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when 5777 the handshake is continued after ssl_verify_cert_chain(); 5778 otherwise, if SSL_VERIFY_NONE is set, remaining error codes 5779 can lead to 'unexplainable' connection aborts later. 5780 [Bodo Moeller; problem tracked down by Lutz Jaenicke] 5781 5782 *) Major EVP API cipher revision. 5783 Add hooks for extra EVP features. This allows various cipher 5784 parameters to be set in the EVP interface. Support added for variable 5785 key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and 5786 setting of RC2 and RC5 parameters. 5787 5788 Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length 5789 ciphers. 5790 5791 Remove lots of duplicated code from the EVP library. For example *every* 5792 cipher init() function handles the 'iv' in the same way according to the 5793 cipher mode. They also all do nothing if the 'key' parameter is NULL and 5794 for CFB and OFB modes they zero ctx->num. 5795 5796 New functionality allows removal of S/MIME code RC2 hack. 5797 5798 Most of the routines have the same form and so can be declared in terms 5799 of macros. 5800 5801 By shifting this to the top level EVP_CipherInit() it can be removed from 5802 all individual ciphers. If the cipher wants to handle IVs or keys 5803 differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT 5804 flags. 5805 5806 Change lots of functions like EVP_EncryptUpdate() to now return a 5807 value: although software versions of the algorithms cannot fail 5808 any installed hardware versions can. 5809 [Steve Henson] 5810 5811 *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if 5812 this option is set, tolerate broken clients that send the negotiated 5813 protocol version number instead of the requested protocol version 5814 number. 5815 [Bodo Moeller] 5816 5817 *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag; 5818 i.e. non-zero for export ciphersuites, zero otherwise. 5819 Previous versions had this flag inverted, inconsistent with 5820 rsa_tmp_cb (..._TMP_RSA_CB). 5821 [Bodo Moeller; problem reported by Amit Chopra] 5822 5823 *) Add missing DSA library text string. Work around for some IIS 5824 key files with invalid SEQUENCE encoding. 5825 [Steve Henson] 5826 5827 *) Add a document (doc/standards.txt) that list all kinds of standards 5828 and so on that are implemented in OpenSSL. 5829 [Richard Levitte] 5830 5831 *) Enhance c_rehash script. Old version would mishandle certificates 5832 with the same subject name hash and wouldn't handle CRLs at all. 5833 Added -fingerprint option to crl utility, to support new c_rehash 5834 features. 5835 [Steve Henson] 5836 5837 *) Eliminate non-ANSI declarations in crypto.h and stack.h. 5838 [Ulf M�ller] 5839 5840 *) Fix for SSL server purpose checking. Server checking was 5841 rejecting certificates which had extended key usage present 5842 but no ssl client purpose. 5843 [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>] 5844 5845 *) Make PKCS#12 code work with no password. The PKCS#12 spec 5846 is a little unclear about how a blank password is handled. 5847 Since the password in encoded as a BMPString with terminating 5848 double NULL a zero length password would end up as just the 5849 double NULL. However no password at all is different and is 5850 handled differently in the PKCS#12 key generation code. NS 5851 treats a blank password as zero length. MSIE treats it as no 5852 password on export: but it will try both on import. We now do 5853 the same: PKCS12_parse() tries zero length and no password if 5854 the password is set to "" or NULL (NULL is now a valid password: 5855 it wasn't before) as does the pkcs12 application. 5856 [Steve Henson] 5857 5858 *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use 5859 perror when PEM_read_bio_X509_REQ fails, the error message must 5860 be obtained from the error queue. 5861 [Bodo Moeller] 5862 5863 *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing 5864 it in ERR_remove_state if appropriate, and change ERR_get_state 5865 accordingly to avoid race conditions (this is necessary because 5866 thread_hash is no longer constant once set). 5867 [Bodo Moeller] 5868 5869 *) Bugfix for linux-elf makefile.one. 5870 [Ulf M�ller] 5871 5872 *) RSA_get_default_method() will now cause a default 5873 RSA_METHOD to be chosen if one doesn't exist already. 5874 Previously this was only set during a call to RSA_new() 5875 or RSA_new_method(NULL) meaning it was possible for 5876 RSA_get_default_method() to return NULL. 5877 [Geoff Thorpe] 5878 5879 *) Added native name translation to the existing DSO code 5880 that will convert (if the flag to do so is set) filenames 5881 that are sufficiently small and have no path information 5882 into a canonical native form. Eg. "blah" converted to 5883 "libblah.so" or "blah.dll" etc. 5884 [Geoff Thorpe] 5885 5886 *) New function ERR_error_string_n(e, buf, len) which is like 5887 ERR_error_string(e, buf), but writes at most 'len' bytes 5888 including the 0 terminator. For ERR_error_string_n, 'buf' 5889 may not be NULL. 5890 [Damien Miller <djm@mindrot.org>, Bodo Moeller] 5891 5892 *) CONF library reworked to become more general. A new CONF 5893 configuration file reader "class" is implemented as well as a 5894 new functions (NCONF_*, for "New CONF") to handle it. The now 5895 old CONF_* functions are still there, but are reimplemented to 5896 work in terms of the new functions. Also, a set of functions 5897 to handle the internal storage of the configuration data is 5898 provided to make it easier to write new configuration file 5899 reader "classes" (I can definitely see something reading a 5900 configuration file in XML format, for example), called _CONF_*, 5901 or "the configuration storage API"... 5902 5903 The new configuration file reading functions are: 5904 5905 NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio, 5906 NCONF_get_section, NCONF_get_string, NCONF_get_numbre 5907 5908 NCONF_default, NCONF_WIN32 5909 5910 NCONF_dump_fp, NCONF_dump_bio 5911 5912 NCONF_default and NCONF_WIN32 are method (or "class") choosers, 5913 NCONF_new creates a new CONF object. This works in the same way 5914 as other interfaces in OpenSSL, like the BIO interface. 5915 NCONF_dump_* dump the internal storage of the configuration file, 5916 which is useful for debugging. All other functions take the same 5917 arguments as the old CONF_* functions wth the exception of the 5918 first that must be a `CONF *' instead of a `LHASH *'. 5919 5920 To make it easer to use the new classes with the old CONF_* functions, 5921 the function CONF_set_default_method is provided. 5922 [Richard Levitte] 5923 5924 *) Add '-tls1' option to 'openssl ciphers', which was already 5925 mentioned in the documentation but had not been implemented. 5926 (This option is not yet really useful because even the additional 5927 experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.) 5928 [Bodo Moeller] 5929 5930 *) Initial DSO code added into libcrypto for letting OpenSSL (and 5931 OpenSSL-based applications) load shared libraries and bind to 5932 them in a portable way. 5933 [Geoff Thorpe, with contributions from Richard Levitte] 5934 5935 Changes between 0.9.5 and 0.9.5a [1 Apr 2000] 5936 5937 *) Make sure _lrotl and _lrotr are only used with MSVC. 5938 5939 *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status 5940 (the default implementation of RAND_status). 5941 5942 *) Rename openssl x509 option '-crlext', which was added in 0.9.5, 5943 to '-clrext' (= clear extensions), as intended and documented. 5944 [Bodo Moeller; inconsistency pointed out by Michael Attili 5945 <attili@amaxo.com>] 5946 5947 *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length 5948 was larger than the MD block size. 5949 [Steve Henson, pointed out by Yost William <YostW@tce.com>] 5950 5951 *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument 5952 fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set() 5953 using the passed key: if the passed key was a private key the result 5954 of X509_print(), for example, would be to print out all the private key 5955 components. 5956 [Steve Henson] 5957 5958 *) des_quad_cksum() byte order bug fix. 5959 [Ulf M�ller, using the problem description in krb4-0.9.7, where 5960 the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>] 5961 5962 *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly 5963 discouraged. 5964 [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>] 5965 5966 *) For easily testing in shell scripts whether some command 5967 'openssl XXX' exists, the new pseudo-command 'openssl no-XXX' 5968 returns with exit code 0 iff no command of the given name is available. 5969 'no-XXX' is printed in this case, 'XXX' otherwise. In both cases, 5970 the output goes to stdout and nothing is printed to stderr. 5971 Additional arguments are always ignored. 5972 5973 Since for each cipher there is a command of the same name, 5974 the 'no-cipher' compilation switches can be tested this way. 5975 5976 ('openssl no-XXX' is not able to detect pseudo-commands such 5977 as 'quit', 'list-XXX-commands', or 'no-XXX' itself.) 5978 [Bodo Moeller] 5979 5980 *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration. 5981 [Bodo Moeller] 5982 5983 *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE 5984 is set; it will be thrown away anyway because each handshake creates 5985 its own key. 5986 ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition 5987 to parameters -- in previous versions (since OpenSSL 0.9.3) the 5988 'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining 5989 you effectivly got SSL_OP_SINGLE_DH_USE when using this macro. 5990 [Bodo Moeller] 5991 5992 *) New s_client option -ign_eof: EOF at stdin is ignored, and 5993 'Q' and 'R' lose their special meanings (quit/renegotiate). 5994 This is part of what -quiet does; unlike -quiet, -ign_eof 5995 does not suppress any output. 5996 [Richard Levitte] 5997 5998 *) Add compatibility options to the purpose and trust code. The 5999 purpose X509_PURPOSE_ANY is "any purpose" which automatically 6000 accepts a certificate or CA, this was the previous behaviour, 6001 with all the associated security issues. 6002 6003 X509_TRUST_COMPAT is the old trust behaviour: only and 6004 automatically trust self signed roots in certificate store. A 6005 new trust setting X509_TRUST_DEFAULT is used to specify that 6006 a purpose has no associated trust setting and it should instead 6007 use the value in the default purpose. 6008 [Steve Henson] 6009 6010 *) Fix the PKCS#8 DSA private key code so it decodes keys again 6011 and fix a memory leak. 6012 [Steve Henson] 6013 6014 *) In util/mkerr.pl (which implements 'make errors'), preserve 6015 reason strings from the previous version of the .c file, as 6016 the default to have only downcase letters (and digits) in 6017 automatically generated reasons codes is not always appropriate. 6018 [Bodo Moeller] 6019 6020 *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table 6021 using strerror. Previously, ERR_reason_error_string() returned 6022 library names as reason strings for SYSerr; but SYSerr is a special 6023 case where small numbers are errno values, not library numbers. 6024 [Bodo Moeller] 6025 6026 *) Add '-dsaparam' option to 'openssl dhparam' application. This 6027 converts DSA parameters into DH parameters. (When creating parameters, 6028 DSA_generate_parameters is used.) 6029 [Bodo Moeller] 6030 6031 *) Include 'length' (recommended exponent length) in C code generated 6032 by 'openssl dhparam -C'. 6033 [Bodo Moeller] 6034 6035 *) The second argument to set_label in perlasm was already being used 6036 so couldn't be used as a "file scope" flag. Moved to third argument 6037 which was free. 6038 [Steve Henson] 6039 6040 *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes 6041 instead of RAND_bytes for encryption IVs and salts. 6042 [Bodo Moeller] 6043 6044 *) Include RAND_status() into RAND_METHOD instead of implementing 6045 it only for md_rand.c Otherwise replacing the PRNG by calling 6046 RAND_set_rand_method would be impossible. 6047 [Bodo Moeller] 6048 6049 *) Don't let DSA_generate_key() enter an infinite loop if the random 6050 number generation fails. 6051 [Bodo Moeller] 6052 6053 *) New 'rand' application for creating pseudo-random output. 6054 [Bodo Moeller] 6055 6056 *) Added configuration support for Linux/IA64 6057 [Rolf Haberrecker <rolf@suse.de>] 6058 6059 *) Assembler module support for Mingw32. 6060 [Ulf M�ller] 6061 6062 *) Shared library support for HPUX (in shlib/). 6063 [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous] 6064 6065 *) Shared library support for Solaris gcc. 6066 [Lutz Behnke <behnke@trustcenter.de>] 6067 6068 Changes between 0.9.4 and 0.9.5 [28 Feb 2000] 6069 6070 *) PKCS7_encrypt() was adding text MIME headers twice because they 6071 were added manually and by SMIME_crlf_copy(). 6072 [Steve Henson] 6073 6074 *) In bntest.c don't call BN_rand with zero bits argument. 6075 [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>] 6076 6077 *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] 6078 case was implemented. This caused BN_div_recp() to fail occasionally. 6079 [Ulf M�ller] 6080 6081 *) Add an optional second argument to the set_label() in the perl 6082 assembly language builder. If this argument exists and is set 6083 to 1 it signals that the assembler should use a symbol whose 6084 scope is the entire file, not just the current function. This 6085 is needed with MASM which uses the format label:: for this scope. 6086 [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>] 6087 6088 *) Change the ASN1 types so they are typedefs by default. Before 6089 almost all types were #define'd to ASN1_STRING which was causing 6090 STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING) 6091 for example. 6092 [Steve Henson] 6093 6094 *) Change names of new functions to the new get1/get0 naming 6095 convention: After 'get1', the caller owns a reference count 6096 and has to call ..._free; 'get0' returns a pointer to some 6097 data structure without incrementing reference counters. 6098 (Some of the existing 'get' functions increment a reference 6099 counter, some don't.) 6100 Similarly, 'set1' and 'add1' functions increase reference 6101 counters or duplicate objects. 6102 [Steve Henson] 6103 6104 *) Allow for the possibility of temp RSA key generation failure: 6105 the code used to assume it always worked and crashed on failure. 6106 [Steve Henson] 6107 6108 *) Fix potential buffer overrun problem in BIO_printf(). 6109 [Ulf M�ller, using public domain code by Patrick Powell; problem 6110 pointed out by David Sacerdote <das33@cornell.edu>] 6111 6112 *) Support EGD <http://www.lothar.com/tech/crypto/>. New functions 6113 RAND_egd() and RAND_status(). In the command line application, 6114 the EGD socket can be specified like a seed file using RANDFILE 6115 or -rand. 6116 [Ulf M�ller] 6117 6118 *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. 6119 Some CAs (e.g. Verisign) distribute certificates in this form. 6120 [Steve Henson] 6121 6122 *) Remove the SSL_ALLOW_ADH compile option and set the default cipher 6123 list to exclude them. This means that no special compilation option 6124 is needed to use anonymous DH: it just needs to be included in the 6125 cipher list. 6126 [Steve Henson] 6127 6128 *) Change the EVP_MD_CTX_type macro so its meaning consistent with 6129 EVP_MD_type. The old functionality is available in a new macro called 6130 EVP_MD_md(). Change code that uses it and update docs. 6131 [Steve Henson] 6132 6133 *) ..._ctrl functions now have corresponding ..._callback_ctrl functions 6134 where the 'void *' argument is replaced by a function pointer argument. 6135 Previously 'void *' was abused to point to functions, which works on 6136 many platforms, but is not correct. As these functions are usually 6137 called by macros defined in OpenSSL header files, most source code 6138 should work without changes. 6139 [Richard Levitte] 6140 6141 *) <openssl/opensslconf.h> (which is created by Configure) now contains 6142 sections with information on -D... compiler switches used for 6143 compiling the library so that applications can see them. To enable 6144 one of these sections, a pre-processor symbol OPENSSL_..._DEFINES 6145 must be defined. E.g., 6146 #define OPENSSL_ALGORITHM_DEFINES 6147 #include <openssl/opensslconf.h> 6148 defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc. 6149 [Richard Levitte, Ulf and Bodo M�ller] 6150 6151 *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS 6152 record layer. 6153 [Bodo Moeller] 6154 6155 *) Change the 'other' type in certificate aux info to a STACK_OF 6156 X509_ALGOR. Although not an AlgorithmIdentifier as such it has 6157 the required ASN1 format: arbitrary types determined by an OID. 6158 [Steve Henson] 6159 6160 *) Add some PEM_write_X509_REQ_NEW() functions and a command line 6161 argument to 'req'. This is not because the function is newer or 6162 better than others it just uses the work 'NEW' in the certificate 6163 request header lines. Some software needs this. 6164 [Steve Henson] 6165 6166 *) Reorganise password command line arguments: now passwords can be 6167 obtained from various sources. Delete the PEM_cb function and make 6168 it the default behaviour: i.e. if the callback is NULL and the 6169 usrdata argument is not NULL interpret it as a null terminated pass 6170 phrase. If usrdata and the callback are NULL then the pass phrase 6171 is prompted for as usual. 6172 [Steve Henson] 6173 6174 *) Add support for the Compaq Atalla crypto accelerator. If it is installed, 6175 the support is automatically enabled. The resulting binaries will 6176 autodetect the card and use it if present. 6177 [Ben Laurie and Compaq Inc.] 6178 6179 *) Work around for Netscape hang bug. This sends certificate request 6180 and server done in one record. Since this is perfectly legal in the 6181 SSL/TLS protocol it isn't a "bug" option and is on by default. See 6182 the bugs/SSLv3 entry for more info. 6183 [Steve Henson] 6184 6185 *) HP-UX tune-up: new unified configs, HP C compiler bug workaround. 6186 [Andy Polyakov] 6187 6188 *) Add -rand argument to smime and pkcs12 applications and read/write 6189 of seed file. 6190 [Steve Henson] 6191 6192 *) New 'passwd' tool for crypt(3) and apr1 password hashes. 6193 [Bodo Moeller] 6194 6195 *) Add command line password options to the remaining applications. 6196 [Steve Henson] 6197 6198 *) Bug fix for BN_div_recp() for numerators with an even number of 6199 bits. 6200 [Ulf M�ller] 6201 6202 *) More tests in bntest.c, and changed test_bn output. 6203 [Ulf M�ller] 6204 6205 *) ./config recognizes MacOS X now. 6206 [Andy Polyakov] 6207 6208 *) Bug fix for BN_div() when the first words of num and divsor are 6209 equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). 6210 [Ulf M�ller] 6211 6212 *) Add support for various broken PKCS#8 formats, and command line 6213 options to produce them. 6214 [Steve Henson] 6215 6216 *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to 6217 get temporary BIGNUMs from a BN_CTX. 6218 [Ulf M�ller] 6219 6220 *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() 6221 for p == 0. 6222 [Ulf M�ller] 6223 6224 *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and 6225 include a #define from the old name to the new. The original intent 6226 was that statically linked binaries could for example just call 6227 SSLeay_add_all_ciphers() to just add ciphers to the table and not 6228 link with digests. This never worked becayse SSLeay_add_all_digests() 6229 and SSLeay_add_all_ciphers() were in the same source file so calling 6230 one would link with the other. They are now in separate source files. 6231 [Steve Henson] 6232 6233 *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'. 6234 [Steve Henson] 6235 6236 *) Use a less unusual form of the Miller-Rabin primality test (it used 6237 a binary algorithm for exponentiation integrated into the Miller-Rabin 6238 loop, our standard modexp algorithms are faster). 6239 [Bodo Moeller] 6240 6241 *) Support for the EBCDIC character set completed. 6242 [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>] 6243 6244 *) Source code cleanups: use const where appropriate, eliminate casts, 6245 use void * instead of char * in lhash. 6246 [Ulf M�ller] 6247 6248 *) Bugfix: ssl3_send_server_key_exchange was not restartable 6249 (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of 6250 this the server could overwrite ephemeral keys that the client 6251 has already seen). 6252 [Bodo Moeller] 6253 6254 *) Turn DSA_is_prime into a macro that calls BN_is_prime, 6255 using 50 iterations of the Rabin-Miller test. 6256 6257 DSA_generate_parameters now uses BN_is_prime_fasttest (with 50 6258 iterations of the Rabin-Miller test as required by the appendix 6259 to FIPS PUB 186[-1]) instead of DSA_is_prime. 6260 As BN_is_prime_fasttest includes trial division, DSA parameter 6261 generation becomes much faster. 6262 6263 This implies a change for the callback functions in DSA_is_prime 6264 and DSA_generate_parameters: The callback function is called once 6265 for each positive witness in the Rabin-Miller test, not just 6266 occasionally in the inner loop; and the parameters to the 6267 callback function now provide an iteration count for the outer 6268 loop rather than for the current invocation of the inner loop. 6269 DSA_generate_parameters additionally can call the callback 6270 function with an 'iteration count' of -1, meaning that a 6271 candidate has passed the trial division test (when q is generated 6272 from an application-provided seed, trial division is skipped). 6273 [Bodo Moeller] 6274 6275 *) New function BN_is_prime_fasttest that optionally does trial 6276 division before starting the Rabin-Miller test and has 6277 an additional BN_CTX * argument (whereas BN_is_prime always 6278 has to allocate at least one BN_CTX). 6279 'callback(1, -1, cb_arg)' is called when a number has passed the 6280 trial division stage. 6281 [Bodo Moeller] 6282 6283 *) Fix for bug in CRL encoding. The validity dates weren't being handled 6284 as ASN1_TIME. 6285 [Steve Henson] 6286 6287 *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file. 6288 [Steve Henson] 6289 6290 *) New function BN_pseudo_rand(). 6291 [Ulf M�ller] 6292 6293 *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) 6294 bignum version of BN_from_montgomery() with the working code from 6295 SSLeay 0.9.0 (the word based version is faster anyway), and clean up 6296 the comments. 6297 [Ulf M�ller] 6298 6299 *) Avoid a race condition in s2_clnt.c (function get_server_hello) that 6300 made it impossible to use the same SSL_SESSION data structure in 6301 SSL2 clients in multiple threads. 6302 [Bodo Moeller] 6303 6304 *) The return value of RAND_load_file() no longer counts bytes obtained 6305 by stat(). RAND_load_file(..., -1) is new and uses the complete file 6306 to seed the PRNG (previously an explicit byte count was required). 6307 [Ulf M�ller, Bodo M�ller] 6308 6309 *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes 6310 used (char *) instead of (void *) and had casts all over the place. 6311 [Steve Henson] 6312 6313 *) Make BN_generate_prime() return NULL on error if ret!=NULL. 6314 [Ulf M�ller] 6315 6316 *) Retain source code compatibility for BN_prime_checks macro: 6317 BN_is_prime(..., BN_prime_checks, ...) now uses 6318 BN_prime_checks_for_size to determine the appropriate number of 6319 Rabin-Miller iterations. 6320 [Ulf M�ller] 6321 6322 *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to 6323 DH_CHECK_P_NOT_SAFE_PRIME. 6324 (Check if this is true? OpenPGP calls them "strong".) 6325 [Ulf M�ller] 6326 6327 *) Merge the functionality of "dh" and "gendh" programs into a new program 6328 "dhparam". The old programs are retained for now but will handle DH keys 6329 (instead of parameters) in future. 6330 [Steve Henson] 6331 6332 *) Make the ciphers, s_server and s_client programs check the return values 6333 when a new cipher list is set. 6334 [Steve Henson] 6335 6336 *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit 6337 ciphers. Before when the 56bit ciphers were enabled the sorting was 6338 wrong. 6339 6340 The syntax for the cipher sorting has been extended to support sorting by 6341 cipher-strength (using the strength_bits hard coded in the tables). 6342 The new command is "@STRENGTH" (see also doc/apps/ciphers.pod). 6343 6344 Fix a bug in the cipher-command parser: when supplying a cipher command 6345 string with an "undefined" symbol (neither command nor alphanumeric 6346 [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now 6347 an error is flagged. 6348 6349 Due to the strength-sorting extension, the code of the 6350 ssl_create_cipher_list() function was completely rearranged. I hope that 6351 the readability was also increased :-) 6352 [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>] 6353 6354 *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1 6355 for the first serial number and places 2 in the serial number file. This 6356 avoids problems when the root CA is created with serial number zero and 6357 the first user certificate has the same issuer name and serial number 6358 as the root CA. 6359 [Steve Henson] 6360 6361 *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses 6362 the new code. Add documentation for this stuff. 6363 [Steve Henson] 6364 6365 *) Changes to X509_ATTRIBUTE utilities. These have been renamed from 6366 X509_*() to X509at_*() on the grounds that they don't handle X509 6367 structures and behave in an analagous way to the X509v3 functions: 6368 they shouldn't be called directly but wrapper functions should be used 6369 instead. 6370 6371 So we also now have some wrapper functions that call the X509at functions 6372 when passed certificate requests. (TO DO: similar things can be done with 6373 PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other 6374 things. Some of these need some d2i or i2d and print functionality 6375 because they handle more complex structures.) 6376 [Steve Henson] 6377 6378 *) Add missing #ifndefs that caused missing symbols when building libssl 6379 as a shared library without RSA. Use #ifndef NO_SSL2 instead of 6380 NO_RSA in ssl/s2*.c. 6381 [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf M�ller] 6382 6383 *) Precautions against using the PRNG uninitialized: RAND_bytes() now 6384 has a return value which indicates the quality of the random data 6385 (1 = ok, 0 = not seeded). Also an error is recorded on the thread's 6386 error queue. New function RAND_pseudo_bytes() generates output that is 6387 guaranteed to be unique but not unpredictable. RAND_add is like 6388 RAND_seed, but takes an extra argument for an entropy estimate 6389 (RAND_seed always assumes full entropy). 6390 [Ulf M�ller] 6391 6392 *) Do more iterations of Rabin-Miller probable prime test (specifically, 6393 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes 6394 instead of only 2 for all lengths; see BN_prime_checks_for_size definition 6395 in crypto/bn/bn_prime.c for the complete table). This guarantees a 6396 false-positive rate of at most 2^-80 for random input. 6397 [Bodo Moeller] 6398 6399 *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. 6400 [Bodo Moeller] 6401 6402 *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain 6403 in the 0.9.5 release), this returns the chain 6404 from an X509_CTX structure with a dup of the stack and all 6405 the X509 reference counts upped: so the stack will exist 6406 after X509_CTX_cleanup() has been called. Modify pkcs12.c 6407 to use this. 6408 6409 Also make SSL_SESSION_print() print out the verify return 6410 code. 6411 [Steve Henson] 6412 6413 *) Add manpage for the pkcs12 command. Also change the default 6414 behaviour so MAC iteration counts are used unless the new 6415 -nomaciter option is used. This improves file security and 6416 only older versions of MSIE (4.0 for example) need it. 6417 [Steve Henson] 6418 6419 *) Honor the no-xxx Configure options when creating .DEF files. 6420 [Ulf M�ller] 6421 6422 *) Add PKCS#10 attributes to field table: challengePassword, 6423 unstructuredName and unstructuredAddress. These are taken from 6424 draft PKCS#9 v2.0 but are compatible with v1.2 provided no 6425 international characters are used. 6426 6427 More changes to X509_ATTRIBUTE code: allow the setting of types 6428 based on strings. Remove the 'loc' parameter when adding 6429 attributes because these will be a SET OF encoding which is sorted 6430 in ASN1 order. 6431 [Steve Henson] 6432 6433 *) Initial changes to the 'req' utility to allow request generation 6434 automation. This will allow an application to just generate a template 6435 file containing all the field values and have req construct the 6436 request. 6437 6438 Initial support for X509_ATTRIBUTE handling. Stacks of these are 6439 used all over the place including certificate requests and PKCS#7 6440 structures. They are currently handled manually where necessary with 6441 some primitive wrappers for PKCS#7. The new functions behave in a 6442 manner analogous to the X509 extension functions: they allow 6443 attributes to be looked up by NID and added. 6444 6445 Later something similar to the X509V3 code would be desirable to 6446 automatically handle the encoding, decoding and printing of the 6447 more complex types. The string types like challengePassword can 6448 be handled by the string table functions. 6449 6450 Also modified the multi byte string table handling. Now there is 6451 a 'global mask' which masks out certain types. The table itself 6452 can use the flag STABLE_NO_MASK to ignore the mask setting: this 6453 is useful when for example there is only one permissible type 6454 (as in countryName) and using the mask might result in no valid 6455 types at all. 6456 [Steve Henson] 6457 6458 *) Clean up 'Finished' handling, and add functions SSL_get_finished and 6459 SSL_get_peer_finished to allow applications to obtain the latest 6460 Finished messages sent to the peer or expected from the peer, 6461 respectively. (SSL_get_peer_finished is usually the Finished message 6462 actually received from the peer, otherwise the protocol will be aborted.) 6463 6464 As the Finished message are message digests of the complete handshake 6465 (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can 6466 be used for external authentication procedures when the authentication 6467 provided by SSL/TLS is not desired or is not enough. 6468 [Bodo Moeller] 6469 6470 *) Enhanced support for Alpha Linux is added. Now ./config checks if 6471 the host supports BWX extension and if Compaq C is present on the 6472 $PATH. Just exploiting of the BWX extension results in 20-30% 6473 performance kick for some algorithms, e.g. DES and RC4 to mention 6474 a couple. Compaq C in turn generates ~20% faster code for MD5 and 6475 SHA1. 6476 [Andy Polyakov] 6477 6478 *) Add support for MS "fast SGC". This is arguably a violation of the 6479 SSL3/TLS protocol. Netscape SGC does two handshakes: the first with 6480 weak crypto and after checking the certificate is SGC a second one 6481 with strong crypto. MS SGC stops the first handshake after receiving 6482 the server certificate message and sends a second client hello. Since 6483 a server will typically do all the time consuming operations before 6484 expecting any further messages from the client (server key exchange 6485 is the most expensive) there is little difference between the two. 6486 6487 To get OpenSSL to support MS SGC we have to permit a second client 6488 hello message after we have sent server done. In addition we have to 6489 reset the MAC if we do get this second client hello. 6490 [Steve Henson] 6491 6492 *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide 6493 if a DER encoded private key is RSA or DSA traditional format. Changed 6494 d2i_PrivateKey_bio() to use it. This is only needed for the "traditional" 6495 format DER encoded private key. Newer code should use PKCS#8 format which 6496 has the key type encoded in the ASN1 structure. Added DER private key 6497 support to pkcs8 application. 6498 [Steve Henson] 6499 6500 *) SSL 3/TLS 1 servers now don't request certificates when an anonymous 6501 ciphersuites has been selected (as required by the SSL 3/TLS 1 6502 specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT 6503 is set, we interpret this as a request to violate the specification 6504 (the worst that can happen is a handshake failure, and 'correct' 6505 behaviour would result in a handshake failure anyway). 6506 [Bodo Moeller] 6507 6508 *) In SSL_CTX_add_session, take into account that there might be multiple 6509 SSL_SESSION structures with the same session ID (e.g. when two threads 6510 concurrently obtain them from an external cache). 6511 The internal cache can handle only one SSL_SESSION with a given ID, 6512 so if there's a conflict, we now throw out the old one to achieve 6513 consistency. 6514 [Bodo Moeller] 6515 6516 *) Add OIDs for idea and blowfish in CBC mode. This will allow both 6517 to be used in PKCS#5 v2.0 and S/MIME. Also add checking to 6518 some routines that use cipher OIDs: some ciphers do not have OIDs 6519 defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for 6520 example. 6521 [Steve Henson] 6522 6523 *) Simplify the trust setting structure and code. Now we just have 6524 two sequences of OIDs for trusted and rejected settings. These will 6525 typically have values the same as the extended key usage extension 6526 and any application specific purposes. 6527 6528 The trust checking code now has a default behaviour: it will just 6529 check for an object with the same NID as the passed id. Functions can 6530 be provided to override either the default behaviour or the behaviour 6531 for a given id. SSL client, server and email already have functions 6532 in place for compatibility: they check the NID and also return "trusted" 6533 if the certificate is self signed. 6534 [Steve Henson] 6535 6536 *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the 6537 traditional format into an EVP_PKEY structure. 6538 [Steve Henson] 6539 6540 *) Add a password callback function PEM_cb() which either prompts for 6541 a password if usr_data is NULL or otherwise assumes it is a null 6542 terminated password. Allow passwords to be passed on command line 6543 environment or config files in a few more utilities. 6544 [Steve Henson] 6545 6546 *) Add a bunch of DER and PEM functions to handle PKCS#8 format private 6547 keys. Add some short names for PKCS#8 PBE algorithms and allow them 6548 to be specified on the command line for the pkcs8 and pkcs12 utilities. 6549 Update documentation. 6550 [Steve Henson] 6551 6552 *) Support for ASN1 "NULL" type. This could be handled before by using 6553 ASN1_TYPE but there wasn't any function that would try to read a NULL 6554 and produce an error if it couldn't. For compatibility we also have 6555 ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and 6556 don't allocate anything because they don't need to. 6557 [Steve Henson] 6558 6559 *) Initial support for MacOS is now provided. Examine INSTALL.MacOS 6560 for details. 6561 [Andy Polyakov, Roy Woods <roy@centicsystems.ca>] 6562 6563 *) Rebuild of the memory allocation routines used by OpenSSL code and 6564 possibly others as well. The purpose is to make an interface that 6565 provide hooks so anyone can build a separate set of allocation and 6566 deallocation routines to be used by OpenSSL, for example memory 6567 pool implementations, or something else, which was previously hard 6568 since Malloc(), Realloc() and Free() were defined as macros having 6569 the values malloc, realloc and free, respectively (except for Win32 6570 compilations). The same is provided for memory debugging code. 6571 OpenSSL already comes with functionality to find memory leaks, but 6572 this gives people a chance to debug other memory problems. 6573 6574 With these changes, a new set of functions and macros have appeared: 6575 6576 CRYPTO_set_mem_debug_functions() [F] 6577 CRYPTO_get_mem_debug_functions() [F] 6578 CRYPTO_dbg_set_options() [F] 6579 CRYPTO_dbg_get_options() [F] 6580 CRYPTO_malloc_debug_init() [M] 6581 6582 The memory debug functions are NULL by default, unless the library 6583 is compiled with CRYPTO_MDEBUG or friends is defined. If someone 6584 wants to debug memory anyway, CRYPTO_malloc_debug_init() (which 6585 gives the standard debugging functions that come with OpenSSL) or 6586 CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions 6587 provided by the library user) must be used. When the standard 6588 debugging functions are used, CRYPTO_dbg_set_options can be used to 6589 request additional information: 6590 CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting 6591 the CRYPTO_MDEBUG_xxx macro when compiling the library. 6592 6593 Also, things like CRYPTO_set_mem_functions will always give the 6594 expected result (the new set of functions is used for allocation 6595 and deallocation) at all times, regardless of platform and compiler 6596 options. 6597 6598 To finish it up, some functions that were never use in any other 6599 way than through macros have a new API and new semantic: 6600 6601 CRYPTO_dbg_malloc() 6602 CRYPTO_dbg_realloc() 6603 CRYPTO_dbg_free() 6604 6605 All macros of value have retained their old syntax. 6606 [Richard Levitte and Bodo Moeller] 6607 6608 *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the 6609 ordering of SMIMECapabilities wasn't in "strength order" and there 6610 was a missing NULL in the AlgorithmIdentifier for the SHA1 signature 6611 algorithm. 6612 [Steve Henson] 6613 6614 *) Some ASN1 types with illegal zero length encoding (INTEGER, 6615 ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. 6616 [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson] 6617 6618 *) Merge in my S/MIME library for OpenSSL. This provides a simple 6619 S/MIME API on top of the PKCS#7 code, a MIME parser (with enough 6620 functionality to handle multipart/signed properly) and a utility 6621 called 'smime' to call all this stuff. This is based on code I 6622 originally wrote for Celo who have kindly allowed it to be 6623 included in OpenSSL. 6624 [Steve Henson] 6625 6626 *) Add variants des_set_key_checked and des_set_key_unchecked of 6627 des_set_key (aka des_key_sched). Global variable des_check_key 6628 decides which of these is called by des_set_key; this way 6629 des_check_key behaves as it always did, but applications and 6630 the library itself, which was buggy for des_check_key == 1, 6631 have a cleaner way to pick the version they need. 6632 [Bodo Moeller] 6633 6634 *) New function PKCS12_newpass() which changes the password of a 6635 PKCS12 structure. 6636 [Steve Henson] 6637 6638 *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and 6639 dynamic mix. In both cases the ids can be used as an index into the 6640 table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() 6641 functions so they accept a list of the field values and the 6642 application doesn't need to directly manipulate the X509_TRUST 6643 structure. 6644 [Steve Henson] 6645 6646 *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't 6647 need initialising. 6648 [Steve Henson] 6649 6650 *) Modify the way the V3 extension code looks up extensions. This now 6651 works in a similar way to the object code: we have some "standard" 6652 extensions in a static table which is searched with OBJ_bsearch() 6653 and the application can add dynamic ones if needed. The file 6654 crypto/x509v3/ext_dat.h now has the info: this file needs to be 6655 updated whenever a new extension is added to the core code and kept 6656 in ext_nid order. There is a simple program 'tabtest.c' which checks 6657 this. New extensions are not added too often so this file can readily 6658 be maintained manually. 6659 6660 There are two big advantages in doing things this way. The extensions 6661 can be looked up immediately and no longer need to be "added" using 6662 X509V3_add_standard_extensions(): this function now does nothing. 6663 [Side note: I get *lots* of email saying the extension code doesn't 6664 work because people forget to call this function] 6665 Also no dynamic allocation is done unless new extensions are added: 6666 so if we don't add custom extensions there is no need to call 6667 X509V3_EXT_cleanup(). 6668 [Steve Henson] 6669 6670 *) Modify enc utility's salting as follows: make salting the default. Add a 6671 magic header, so unsalted files fail gracefully instead of just decrypting 6672 to garbage. This is because not salting is a big security hole, so people 6673 should be discouraged from doing it. 6674 [Ben Laurie] 6675 6676 *) Fixes and enhancements to the 'x509' utility. It allowed a message 6677 digest to be passed on the command line but it only used this 6678 parameter when signing a certificate. Modified so all relevant 6679 operations are affected by the digest parameter including the 6680 -fingerprint and -x509toreq options. Also -x509toreq choked if a 6681 DSA key was used because it didn't fix the digest. 6682 [Steve Henson] 6683 6684 *) Initial certificate chain verify code. Currently tests the untrusted 6685 certificates for consistency with the verify purpose (which is set 6686 when the X509_STORE_CTX structure is set up) and checks the pathlength. 6687 6688 There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: 6689 this is because it will reject chains with invalid extensions whereas 6690 every previous version of OpenSSL and SSLeay made no checks at all. 6691 6692 Trust code: checks the root CA for the relevant trust settings. Trust 6693 settings have an initial value consistent with the verify purpose: e.g. 6694 if the verify purpose is for SSL client use it expects the CA to be 6695 trusted for SSL client use. However the default value can be changed to 6696 permit custom trust settings: one example of this would be to only trust 6697 certificates from a specific "secure" set of CAs. 6698 6699 Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions 6700 which should be used for version portability: especially since the 6701 verify structure is likely to change more often now. 6702 6703 SSL integration. Add purpose and trust to SSL_CTX and SSL and functions 6704 to set them. If not set then assume SSL clients will verify SSL servers 6705 and vice versa. 6706 6707 Two new options to the verify program: -untrusted allows a set of 6708 untrusted certificates to be passed in and -purpose which sets the 6709 intended purpose of the certificate. If a purpose is set then the 6710 new chain verify code is used to check extension consistency. 6711 [Steve Henson] 6712 6713 *) Support for the authority information access extension. 6714 [Steve Henson] 6715 6716 *) Modify RSA and DSA PEM read routines to transparently handle 6717 PKCS#8 format private keys. New *_PUBKEY_* functions that handle 6718 public keys in a format compatible with certificate 6719 SubjectPublicKeyInfo structures. Unfortunately there were already 6720 functions called *_PublicKey_* which used various odd formats so 6721 these are retained for compatibility: however the DSA variants were 6722 never in a public release so they have been deleted. Changed dsa/rsa 6723 utilities to handle the new format: note no releases ever handled public 6724 keys so we should be OK. 6725 6726 The primary motivation for this change is to avoid the same fiasco 6727 that dogs private keys: there are several incompatible private key 6728 formats some of which are standard and some OpenSSL specific and 6729 require various evil hacks to allow partial transparent handling and 6730 even then it doesn't work with DER formats. Given the option anything 6731 other than PKCS#8 should be dumped: but the other formats have to 6732 stay in the name of compatibility. 6733 6734 With public keys and the benefit of hindsight one standard format 6735 is used which works with EVP_PKEY, RSA or DSA structures: though 6736 it clearly returns an error if you try to read the wrong kind of key. 6737 6738 Added a -pubkey option to the 'x509' utility to output the public key. 6739 Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() 6740 (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add 6741 EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*()) 6742 that do the same as the EVP_PKEY_assign_*() except they up the 6743 reference count of the added key (they don't "swallow" the 6744 supplied key). 6745 [Steve Henson] 6746 6747 *) Fixes to crypto/x509/by_file.c the code to read in certificates and 6748 CRLs would fail if the file contained no certificates or no CRLs: 6749 added a new function to read in both types and return the number 6750 read: this means that if none are read it will be an error. The 6751 DER versions of the certificate and CRL reader would always fail 6752 because it isn't possible to mix certificates and CRLs in DER format 6753 without choking one or the other routine. Changed this to just read 6754 a certificate: this is the best we can do. Also modified the code 6755 in apps/verify.c to take notice of return codes: it was previously 6756 attempting to read in certificates from NULL pointers and ignoring 6757 any errors: this is one reason why the cert and CRL reader seemed 6758 to work. It doesn't check return codes from the default certificate 6759 routines: these may well fail if the certificates aren't installed. 6760 [Steve Henson] 6761 6762 *) Code to support otherName option in GeneralName. 6763 [Steve Henson] 6764 6765 *) First update to verify code. Change the verify utility 6766 so it warns if it is passed a self signed certificate: 6767 for consistency with the normal behaviour. X509_verify 6768 has been modified to it will now verify a self signed 6769 certificate if *exactly* the same certificate appears 6770 in the store: it was previously impossible to trust a 6771 single self signed certificate. This means that: 6772 openssl verify ss.pem 6773 now gives a warning about a self signed certificate but 6774 openssl verify -CAfile ss.pem ss.pem 6775 is OK. 6776 [Steve Henson] 6777 6778 *) For servers, store verify_result in SSL_SESSION data structure 6779 (and add it to external session representation). 6780 This is needed when client certificate verifications fails, 6781 but an application-provided verification callback (set by 6782 SSL_CTX_set_cert_verify_callback) allows accepting the session 6783 anyway (i.e. leaves x509_store_ctx->error != X509_V_OK 6784 but returns 1): When the session is reused, we have to set 6785 ssl->verify_result to the appropriate error code to avoid 6786 security holes. 6787 [Bodo Moeller, problem pointed out by Lutz Jaenicke] 6788 6789 *) Fix a bug in the new PKCS#7 code: it didn't consider the 6790 case in PKCS7_dataInit() where the signed PKCS7 structure 6791 didn't contain any existing data because it was being created. 6792 [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson] 6793 6794 *) Add a salt to the key derivation routines in enc.c. This 6795 forms the first 8 bytes of the encrypted file. Also add a 6796 -S option to allow a salt to be input on the command line. 6797 [Steve Henson] 6798 6799 *) New function X509_cmp(). Oddly enough there wasn't a function 6800 to compare two certificates. We do this by working out the SHA1 6801 hash and comparing that. X509_cmp() will be needed by the trust 6802 code. 6803 [Steve Henson] 6804 6805 *) SSL_get1_session() is like SSL_get_session(), but increments 6806 the reference count in the SSL_SESSION returned. 6807 [Geoff Thorpe <geoff@eu.c2.net>] 6808 6809 *) Fix for 'req': it was adding a null to request attributes. 6810 Also change the X509_LOOKUP and X509_INFO code to handle 6811 certificate auxiliary information. 6812 [Steve Henson] 6813 6814 *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document 6815 the 'enc' command. 6816 [Steve Henson] 6817 6818 *) Add the possibility to add extra information to the memory leak 6819 detecting output, to form tracebacks, showing from where each 6820 allocation was originated: CRYPTO_push_info("constant string") adds 6821 the string plus current file name and line number to a per-thread 6822 stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info() 6823 is like calling CYRPTO_pop_info() until the stack is empty. 6824 Also updated memory leak detection code to be multi-thread-safe. 6825 [Richard Levitte] 6826 6827 *) Add options -text and -noout to pkcs7 utility and delete the 6828 encryption options which never did anything. Update docs. 6829 [Steve Henson] 6830 6831 *) Add options to some of the utilities to allow the pass phrase 6832 to be included on either the command line (not recommended on 6833 OSes like Unix) or read from the environment. Update the 6834 manpages and fix a few bugs. 6835 [Steve Henson] 6836 6837 *) Add a few manpages for some of the openssl commands. 6838 [Steve Henson] 6839 6840 *) Fix the -revoke option in ca. It was freeing up memory twice, 6841 leaking and not finding already revoked certificates. 6842 [Steve Henson] 6843 6844 *) Extensive changes to support certificate auxiliary information. 6845 This involves the use of X509_CERT_AUX structure and X509_AUX 6846 functions. An X509_AUX function such as PEM_read_X509_AUX() 6847 can still read in a certificate file in the usual way but it 6848 will also read in any additional "auxiliary information". By 6849 doing things this way a fair degree of compatibility can be 6850 retained: existing certificates can have this information added 6851 using the new 'x509' options. 6852 6853 Current auxiliary information includes an "alias" and some trust 6854 settings. The trust settings will ultimately be used in enhanced 6855 certificate chain verification routines: currently a certificate 6856 can only be trusted if it is self signed and then it is trusted 6857 for all purposes. 6858 [Steve Henson] 6859 6860 *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). 6861 The problem was that one of the replacement routines had not been working 6862 since SSLeay releases. For now the offending routine has been replaced 6863 with non-optimised assembler. Even so, this now gives around 95% 6864 performance improvement for 1024 bit RSA signs. 6865 [Mark Cox] 6866 6867 *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 6868 handling. Most clients have the effective key size in bits equal to 6869 the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. 6870 A few however don't do this and instead use the size of the decrypted key 6871 to determine the RC2 key length and the AlgorithmIdentifier to determine 6872 the effective key length. In this case the effective key length can still 6873 be 40 bits but the key length can be 168 bits for example. This is fixed 6874 by manually forcing an RC2 key into the EVP_PKEY structure because the 6875 EVP code can't currently handle unusual RC2 key sizes: it always assumes 6876 the key length and effective key length are equal. 6877 [Steve Henson] 6878 6879 *) Add a bunch of functions that should simplify the creation of 6880 X509_NAME structures. Now you should be able to do: 6881 X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); 6882 and have it automatically work out the correct field type and fill in 6883 the structures. The more adventurous can try: 6884 X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); 6885 and it will (hopefully) work out the correct multibyte encoding. 6886 [Steve Henson] 6887 6888 *) Change the 'req' utility to use the new field handling and multibyte 6889 copy routines. Before the DN field creation was handled in an ad hoc 6890 way in req, ca, and x509 which was rather broken and didn't support 6891 BMPStrings or UTF8Strings. Since some software doesn't implement 6892 BMPStrings or UTF8Strings yet, they can be enabled using the config file 6893 using the dirstring_type option. See the new comment in the default 6894 openssl.cnf for more info. 6895 [Steve Henson] 6896 6897 *) Make crypto/rand/md_rand.c more robust: 6898 - Assure unique random numbers after fork(). 6899 - Make sure that concurrent threads access the global counter and 6900 md serializably so that we never lose entropy in them 6901 or use exactly the same state in multiple threads. 6902 Access to the large state is not always serializable because 6903 the additional locking could be a performance killer, and 6904 md should be large enough anyway. 6905 [Bodo Moeller] 6906 6907 *) New file apps/app_rand.c with commonly needed functionality 6908 for handling the random seed file. 6909 6910 Use the random seed file in some applications that previously did not: 6911 ca, 6912 dsaparam -genkey (which also ignored its '-rand' option), 6913 s_client, 6914 s_server, 6915 x509 (when signing). 6916 Except on systems with /dev/urandom, it is crucial to have a random 6917 seed file at least for key creation, DSA signing, and for DH exchanges; 6918 for RSA signatures we could do without one. 6919 6920 gendh and gendsa (unlike genrsa) used to read only the first byte 6921 of each file listed in the '-rand' option. The function as previously 6922 found in genrsa is now in app_rand.c and is used by all programs 6923 that support '-rand'. 6924 [Bodo Moeller] 6925 6926 *) In RAND_write_file, use mode 0600 for creating files; 6927 don't just chmod when it may be too late. 6928 [Bodo Moeller] 6929 6930 *) Report an error from X509_STORE_load_locations 6931 when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. 6932 [Bill Perry] 6933 6934 *) New function ASN1_mbstring_copy() this copies a string in either 6935 ASCII, Unicode, Universal (4 bytes per character) or UTF8 format 6936 into an ASN1_STRING type. A mask of permissible types is passed 6937 and it chooses the "minimal" type to use or an error if not type 6938 is suitable. 6939 [Steve Henson] 6940 6941 *) Add function equivalents to the various macros in asn1.h. The old 6942 macros are retained with an M_ prefix. Code inside the library can 6943 use the M_ macros. External code (including the openssl utility) 6944 should *NOT* in order to be "shared library friendly". 6945 [Steve Henson] 6946 6947 *) Add various functions that can check a certificate's extensions 6948 to see if it usable for various purposes such as SSL client, 6949 server or S/MIME and CAs of these types. This is currently 6950 VERY EXPERIMENTAL but will ultimately be used for certificate chain 6951 verification. Also added a -purpose flag to x509 utility to 6952 print out all the purposes. 6953 [Steve Henson] 6954 6955 *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated 6956 functions. 6957 [Steve Henson] 6958 6959 *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search 6960 for, obtain and decode and extension and obtain its critical flag. 6961 This allows all the necessary extension code to be handled in a 6962 single function call. 6963 [Steve Henson] 6964 6965 *) RC4 tune-up featuring 30-40% performance improvement on most RISC 6966 platforms. See crypto/rc4/rc4_enc.c for further details. 6967 [Andy Polyakov] 6968 6969 *) New -noout option to asn1parse. This causes no output to be produced 6970 its main use is when combined with -strparse and -out to extract data 6971 from a file (which may not be in ASN.1 format). 6972 [Steve Henson] 6973 6974 *) Fix for pkcs12 program. It was hashing an invalid certificate pointer 6975 when producing the local key id. 6976 [Richard Levitte <levitte@stacken.kth.se>] 6977 6978 *) New option -dhparam in s_server. This allows a DH parameter file to be 6979 stated explicitly. If it is not stated then it tries the first server 6980 certificate file. The previous behaviour hard coded the filename 6981 "server.pem". 6982 [Steve Henson] 6983 6984 *) Add -pubin and -pubout options to the rsa and dsa commands. These allow 6985 a public key to be input or output. For example: 6986 openssl rsa -in key.pem -pubout -out pubkey.pem 6987 Also added necessary DSA public key functions to handle this. 6988 [Steve Henson] 6989 6990 *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained 6991 in the message. This was handled by allowing 6992 X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. 6993 [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>] 6994 6995 *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null 6996 to the end of the strings whereas this didn't. This would cause problems 6997 if strings read with d2i_ASN1_bytes() were later modified. 6998 [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>] 6999 7000 *) Fix for base64 decode bug. When a base64 bio reads only one line of 7001 data and it contains EOF it will end up returning an error. This is 7002 caused by input 46 bytes long. The cause is due to the way base64 7003 BIOs find the start of base64 encoded data. They do this by trying a 7004 trial decode on each line until they find one that works. When they 7005 do a flag is set and it starts again knowing it can pass all the 7006 data directly through the decoder. Unfortunately it doesn't reset 7007 the context it uses. This means that if EOF is reached an attempt 7008 is made to pass two EOFs through the context and this causes the 7009 resulting error. This can also cause other problems as well. As is 7010 usual with these problems it takes *ages* to find and the fix is 7011 trivial: move one line. 7012 [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] 7013 7014 *) Ugly workaround to get s_client and s_server working under Windows. The 7015 old code wouldn't work because it needed to select() on sockets and the 7016 tty (for keypresses and to see if data could be written). Win32 only 7017 supports select() on sockets so we select() with a 1s timeout on the 7018 sockets and then see if any characters are waiting to be read, if none 7019 are present then we retry, we also assume we can always write data to 7020 the tty. This isn't nice because the code then blocks until we've 7021 received a complete line of data and it is effectively polling the 7022 keyboard at 1s intervals: however it's quite a bit better than not 7023 working at all :-) A dedicated Windows application might handle this 7024 with an event loop for example. 7025 [Steve Henson] 7026 7027 *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign 7028 and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions 7029 will be called when RSA_sign() and RSA_verify() are used. This is useful 7030 if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. 7031 For this to work properly RSA_public_decrypt() and RSA_private_encrypt() 7032 should *not* be used: RSA_sign() and RSA_verify() must be used instead. 7033 This necessitated the support of an extra signature type NID_md5_sha1 7034 for SSL signatures and modifications to the SSL library to use it instead 7035 of calling RSA_public_decrypt() and RSA_private_encrypt(). 7036 [Steve Henson] 7037 7038 *) Add new -verify -CAfile and -CApath options to the crl program, these 7039 will lookup a CRL issuers certificate and verify the signature in a 7040 similar way to the verify program. Tidy up the crl program so it 7041 no longer accesses structures directly. Make the ASN1 CRL parsing a bit 7042 less strict. It will now permit CRL extensions even if it is not 7043 a V2 CRL: this will allow it to tolerate some broken CRLs. 7044 [Steve Henson] 7045 7046 *) Initialize all non-automatic variables each time one of the openssl 7047 sub-programs is started (this is necessary as they may be started 7048 multiple times from the "OpenSSL>" prompt). 7049 [Lennart Bang, Bodo Moeller] 7050 7051 *) Preliminary compilation option RSA_NULL which disables RSA crypto without 7052 removing all other RSA functionality (this is what NO_RSA does). This 7053 is so (for example) those in the US can disable those operations covered 7054 by the RSA patent while allowing storage and parsing of RSA keys and RSA 7055 key generation. 7056 [Steve Henson] 7057 7058 *) Non-copying interface to BIO pairs. 7059 (still largely untested) 7060 [Bodo Moeller] 7061 7062 *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive 7063 ASCII string. This was handled independently in various places before. 7064 [Steve Henson] 7065 7066 *) New functions UTF8_getc() and UTF8_putc() that parse and generate 7067 UTF8 strings a character at a time. 7068 [Steve Henson] 7069 7070 *) Use client_version from client hello to select the protocol 7071 (s23_srvr.c) and for RSA client key exchange verification 7072 (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. 7073 [Bodo Moeller] 7074 7075 *) Add various utility functions to handle SPKACs, these were previously 7076 handled by poking round in the structure internals. Added new function 7077 NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to 7078 print, verify and generate SPKACs. Based on an original idea from 7079 Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. 7080 [Steve Henson] 7081 7082 *) RIPEMD160 is operational on all platforms and is back in 'make test'. 7083 [Andy Polyakov] 7084 7085 *) Allow the config file extension section to be overwritten on the 7086 command line. Based on an original idea from Massimiliano Pala 7087 <madwolf@comune.modena.it>. The new option is called -extensions 7088 and can be applied to ca, req and x509. Also -reqexts to override 7089 the request extensions in req and -crlexts to override the crl extensions 7090 in ca. 7091 [Steve Henson] 7092 7093 *) Add new feature to the SPKAC handling in ca. Now you can include 7094 the same field multiple times by preceding it by "XXXX." for example: 7095 1.OU="Unit name 1" 7096 2.OU="Unit name 2" 7097 this is the same syntax as used in the req config file. 7098 [Steve Henson] 7099 7100 *) Allow certificate extensions to be added to certificate requests. These 7101 are specified in a 'req_extensions' option of the req section of the 7102 config file. They can be printed out with the -text option to req but 7103 are otherwise ignored at present. 7104 [Steve Henson] 7105 7106 *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first 7107 data read consists of only the final block it would not decrypted because 7108 EVP_CipherUpdate() would correctly report zero bytes had been decrypted. 7109 A misplaced 'break' also meant the decrypted final block might not be 7110 copied until the next read. 7111 [Steve Henson] 7112 7113 *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added 7114 a few extra parameters to the DH structure: these will be useful if 7115 for example we want the value of 'q' or implement X9.42 DH. 7116 [Steve Henson] 7117 7118 *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and 7119 provides hooks that allow the default DSA functions or functions on a 7120 "per key" basis to be replaced. This allows hardware acceleration and 7121 hardware key storage to be handled without major modification to the 7122 library. Also added low level modexp hooks and CRYPTO_EX structure and 7123 associated functions. 7124 [Steve Henson] 7125 7126 *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO 7127 as "read only": it can't be written to and the buffer it points to will 7128 not be freed. Reading from a read only BIO is much more efficient than 7129 a normal memory BIO. This was added because there are several times when 7130 an area of memory needs to be read from a BIO. The previous method was 7131 to create a memory BIO and write the data to it, this results in two 7132 copies of the data and an O(n^2) reading algorithm. There is a new 7133 function BIO_new_mem_buf() which creates a read only memory BIO from 7134 an area of memory. Also modified the PKCS#7 routines to use read only 7135 memory BIOs. 7136 [Steve Henson] 7137 7138 *) Bugfix: ssl23_get_client_hello did not work properly when called in 7139 state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of 7140 a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, 7141 but a retry condition occured while trying to read the rest. 7142 [Bodo Moeller] 7143 7144 *) The PKCS7_ENC_CONTENT_new() function was setting the content type as 7145 NID_pkcs7_encrypted by default: this was wrong since this should almost 7146 always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle 7147 the encrypted data type: this is a more sensible place to put it and it 7148 allows the PKCS#12 code to be tidied up that duplicated this 7149 functionality. 7150 [Steve Henson] 7151 7152 *) Changed obj_dat.pl script so it takes its input and output files on 7153 the command line. This should avoid shell escape redirection problems 7154 under Win32. 7155 [Steve Henson] 7156 7157 *) Initial support for certificate extension requests, these are included 7158 in things like Xenroll certificate requests. Included functions to allow 7159 extensions to be obtained and added. 7160 [Steve Henson] 7161 7162 *) -crlf option to s_client and s_server for sending newlines as 7163 CRLF (as required by many protocols). 7164 [Bodo Moeller] 7165 7166 Changes between 0.9.3a and 0.9.4 [09 Aug 1999] 7167 7168 *) Install libRSAglue.a when OpenSSL is built with RSAref. 7169 [Ralf S. Engelschall] 7170 7171 *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. 7172 [Andrija Antonijevic <TheAntony2@bigfoot.com>] 7173 7174 *) Fix -startdate and -enddate (which was missing) arguments to 'ca' 7175 program. 7176 [Steve Henson] 7177 7178 *) New function DSA_dup_DH, which duplicates DSA parameters/keys as 7179 DH parameters/keys (q is lost during that conversion, but the resulting 7180 DH parameters contain its length). 7181 7182 For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is 7183 much faster than DH_generate_parameters (which creates parameters 7184 where p = 2*q + 1), and also the smaller q makes DH computations 7185 much more efficient (160-bit exponentiation instead of 1024-bit 7186 exponentiation); so this provides a convenient way to support DHE 7187 ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of 7188 utter importance to use 7189 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 7190 or 7191 SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 7192 when such DH parameters are used, because otherwise small subgroup 7193 attacks may become possible! 7194 [Bodo Moeller] 7195 7196 *) Avoid memory leak in i2d_DHparams. 7197 [Bodo Moeller] 7198 7199 *) Allow the -k option to be used more than once in the enc program: 7200 this allows the same encrypted message to be read by multiple recipients. 7201 [Steve Henson] 7202 7203 *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts 7204 an ASN1_OBJECT to a text string. If the "no_name" parameter is set then 7205 it will always use the numerical form of the OID, even if it has a short 7206 or long name. 7207 [Steve Henson] 7208 7209 *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp 7210 method only got called if p,q,dmp1,dmq1,iqmp components were present, 7211 otherwise bn_mod_exp was called. In the case of hardware keys for example 7212 no private key components need be present and it might store extra data 7213 in the RSA structure, which cannot be accessed from bn_mod_exp. 7214 By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for 7215 private key operations. 7216 [Steve Henson] 7217 7218 *) Added support for SPARC Linux. 7219 [Andy Polyakov] 7220 7221 *) pem_password_cb function type incompatibly changed from 7222 typedef int pem_password_cb(char *buf, int size, int rwflag); 7223 to 7224 ....(char *buf, int size, int rwflag, void *userdata); 7225 so that applications can pass data to their callbacks: 7226 The PEM[_ASN1]_{read,write}... functions and macros now take an 7227 additional void * argument, which is just handed through whenever 7228 the password callback is called. 7229 [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller] 7230 7231 New function SSL_CTX_set_default_passwd_cb_userdata. 7232 7233 Compatibility note: As many C implementations push function arguments 7234 onto the stack in reverse order, the new library version is likely to 7235 interoperate with programs that have been compiled with the old 7236 pem_password_cb definition (PEM_whatever takes some data that 7237 happens to be on the stack as its last argument, and the callback 7238 just ignores this garbage); but there is no guarantee whatsoever that 7239 this will work. 7240 7241 *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... 7242 (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused 7243 problems not only on Windows, but also on some Unix platforms. 7244 To avoid problematic command lines, these definitions are now in an 7245 auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl 7246 for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). 7247 [Bodo Moeller] 7248 7249 *) MIPS III/IV assembler module is reimplemented. 7250 [Andy Polyakov] 7251 7252 *) More DES library cleanups: remove references to srand/rand and 7253 delete an unused file. 7254 [Ulf M�ller] 7255 7256 *) Add support for the the free Netwide assembler (NASM) under Win32, 7257 since not many people have MASM (ml) and it can be hard to obtain. 7258 This is currently experimental but it seems to work OK and pass all 7259 the tests. Check out INSTALL.W32 for info. 7260 [Steve Henson] 7261 7262 *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections 7263 without temporary keys kept an extra copy of the server key, 7264 and connections with temporary keys did not free everything in case 7265 of an error. 7266 [Bodo Moeller] 7267 7268 *) New function RSA_check_key and new openssl rsa option -check 7269 for verifying the consistency of RSA keys. 7270 [Ulf Moeller, Bodo Moeller] 7271 7272 *) Various changes to make Win32 compile work: 7273 1. Casts to avoid "loss of data" warnings in p5_crpt2.c 7274 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned 7275 comparison" warnings. 7276 3. Add sk_<TYPE>_sort to DEF file generator and do make update. 7277 [Steve Henson] 7278 7279 *) Add a debugging option to PKCS#5 v2 key generation function: when 7280 you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and 7281 derived keys are printed to stderr. 7282 [Steve Henson] 7283 7284 *) Copy the flags in ASN1_STRING_dup(). 7285 [Roman E. Pavlov <pre@mo.msk.ru>] 7286 7287 *) The x509 application mishandled signing requests containing DSA 7288 keys when the signing key was also DSA and the parameters didn't match. 7289 7290 It was supposed to omit the parameters when they matched the signing key: 7291 the verifying software was then supposed to automatically use the CA's 7292 parameters if they were absent from the end user certificate. 7293 7294 Omitting parameters is no longer recommended. The test was also 7295 the wrong way round! This was probably due to unusual behaviour in 7296 EVP_cmp_parameters() which returns 1 if the parameters match. 7297 This meant that parameters were omitted when they *didn't* match and 7298 the certificate was useless. Certificates signed with 'ca' didn't have 7299 this bug. 7300 [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] 7301 7302 *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. 7303 The interface is as follows: 7304 Applications can use 7305 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), 7306 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); 7307 "off" is now the default. 7308 The library internally uses 7309 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), 7310 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() 7311 to disable memory-checking temporarily. 7312 7313 Some inconsistent states that previously were possible (and were 7314 even the default) are now avoided. 7315 7316 -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time 7317 with each memory chunk allocated; this is occasionally more helpful 7318 than just having a counter. 7319 7320 -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. 7321 7322 -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future 7323 extensions. 7324 [Bodo Moeller] 7325 7326 *) Introduce "mode" for SSL structures (with defaults in SSL_CTX), 7327 which largely parallels "options", but is for changing API behaviour, 7328 whereas "options" are about protocol behaviour. 7329 Initial "mode" flags are: 7330 7331 SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when 7332 a single record has been written. 7333 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write 7334 retries use the same buffer location. 7335 (But all of the contents must be 7336 copied!) 7337 [Bodo Moeller] 7338 7339 *) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options 7340 worked. 7341 7342 *) Fix problems with no-hmac etc. 7343 [Ulf M�ller, pointed out by Brian Wellington <bwelling@tislabs.com>] 7344 7345 *) New functions RSA_get_default_method(), RSA_set_method() and 7346 RSA_get_method(). These allows replacement of RSA_METHODs without having 7347 to mess around with the internals of an RSA structure. 7348 [Steve Henson] 7349 7350 *) Fix memory leaks in DSA_do_sign and DSA_is_prime. 7351 Also really enable memory leak checks in openssl.c and in some 7352 test programs. 7353 [Chad C. Mulligan, Bodo Moeller] 7354 7355 *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess 7356 up the length of negative integers. This has now been simplified to just 7357 store the length when it is first determined and use it later, rather 7358 than trying to keep track of where data is copied and updating it to 7359 point to the end. 7360 [Steve Henson, reported by Brien Wheeler 7361 <bwheeler@authentica-security.com>] 7362 7363 *) Add a new function PKCS7_signatureVerify. This allows the verification 7364 of a PKCS#7 signature but with the signing certificate passed to the 7365 function itself. This contrasts with PKCS7_dataVerify which assumes the 7366 certificate is present in the PKCS#7 structure. This isn't always the 7367 case: certificates can be omitted from a PKCS#7 structure and be 7368 distributed by "out of band" means (such as a certificate database). 7369 [Steve Henson] 7370 7371 *) Complete the PEM_* macros with DECLARE_PEM versions to replace the 7372 function prototypes in pem.h, also change util/mkdef.pl to add the 7373 necessary function names. 7374 [Steve Henson] 7375 7376 *) mk1mf.pl (used by Windows builds) did not properly read the 7377 options set by Configure in the top level Makefile, and Configure 7378 was not even able to write more than one option correctly. 7379 Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. 7380 [Bodo Moeller] 7381 7382 *) New functions CONF_load_bio() and CONF_load_fp() to allow a config 7383 file to be loaded from a BIO or FILE pointer. The BIO version will 7384 for example allow memory BIOs to contain config info. 7385 [Steve Henson] 7386 7387 *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS. 7388 Whoever hopes to achieve shared-library compatibility across versions 7389 must use this, not the compile-time macro. 7390 (Exercise 0.9.4: Which is the minimum library version required by 7391 such programs?) 7392 Note: All this applies only to multi-threaded programs, others don't 7393 need locks. 7394 [Bodo Moeller] 7395 7396 *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests 7397 through a BIO pair triggered the default case, i.e. 7398 SSLerr(...,SSL_R_UNKNOWN_STATE). 7399 [Bodo Moeller] 7400 7401 *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications 7402 can use the SSL library even if none of the specific BIOs is 7403 appropriate. 7404 [Bodo Moeller] 7405 7406 *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value 7407 for the encoded length. 7408 [Jeon KyoungHo <khjeon@sds.samsung.co.kr>] 7409 7410 *) Add initial documentation of the X509V3 functions. 7411 [Steve Henson] 7412 7413 *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and 7414 PEM_write_bio_PKCS8PrivateKey() that are equivalent to 7415 PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more 7416 secure PKCS#8 private key format with a high iteration count. 7417 [Steve Henson] 7418 7419 *) Fix determination of Perl interpreter: A perl or perl5 7420 _directory_ in $PATH was also accepted as the interpreter. 7421 [Ralf S. Engelschall] 7422 7423 *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking 7424 wrong with it but it was very old and did things like calling 7425 PEM_ASN1_read() directly and used MD5 for the hash not to mention some 7426 unusual formatting. 7427 [Steve Henson] 7428 7429 *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed 7430 to use the new extension code. 7431 [Steve Henson] 7432 7433 *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c 7434 with macros. This should make it easier to change their form, add extra 7435 arguments etc. Fix a few PEM prototypes which didn't have cipher as a 7436 constant. 7437 [Steve Henson] 7438 7439 *) Add to configuration table a new entry that can specify an alternative 7440 name for unistd.h (for pre-POSIX systems); we need this for NeXTstep, 7441 according to Mark Crispin <MRC@Panda.COM>. 7442 [Bodo Moeller] 7443 7444#if 0 7445 *) DES CBC did not update the IV. Weird. 7446 [Ben Laurie] 7447#else 7448 des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does. 7449 Changing the behaviour of the former might break existing programs -- 7450 where IV updating is needed, des_ncbc_encrypt can be used. 7451#endif 7452 7453 *) When bntest is run from "make test" it drives bc to check its 7454 calculations, as well as internally checking them. If an internal check 7455 fails, it needs to cause bc to give a non-zero result or make test carries 7456 on without noticing the failure. Fixed. 7457 [Ben Laurie] 7458 7459 *) DES library cleanups. 7460 [Ulf M�ller] 7461 7462 *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be 7463 used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit 7464 ciphers. NOTE: although the key derivation function has been verified 7465 against some published test vectors it has not been extensively tested 7466 yet. Added a -v2 "cipher" option to pkcs8 application to allow the use 7467 of v2.0. 7468 [Steve Henson] 7469 7470 *) Instead of "mkdir -p", which is not fully portable, use new 7471 Perl script "util/mkdir-p.pl". 7472 [Bodo Moeller] 7473 7474 *) Rewrite the way password based encryption (PBE) is handled. It used to 7475 assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter 7476 structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms 7477 but doesn't apply to PKCS#5 v2.0 where it can be something else. Now 7478 the 'parameter' field of the AlgorithmIdentifier is passed to the 7479 underlying key generation function so it must do its own ASN1 parsing. 7480 This has also changed the EVP_PBE_CipherInit() function which now has a 7481 'parameter' argument instead of literal salt and iteration count values 7482 and the function EVP_PBE_ALGOR_CipherInit() has been deleted. 7483 [Steve Henson] 7484 7485 *) Support for PKCS#5 v1.5 compatible password based encryption algorithms 7486 and PKCS#8 functionality. New 'pkcs8' application linked to openssl. 7487 Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE 7488 KEY" because this clashed with PKCS#8 unencrypted string. Since this 7489 value was just used as a "magic string" and not used directly its 7490 value doesn't matter. 7491 [Steve Henson] 7492 7493 *) Introduce some semblance of const correctness to BN. Shame C doesn't 7494 support mutable. 7495 [Ben Laurie] 7496 7497 *) "linux-sparc64" configuration (ultrapenguin). 7498 [Ray Miller <ray.miller@oucs.ox.ac.uk>] 7499 "linux-sparc" configuration. 7500 [Christian Forster <fo@hawo.stw.uni-erlangen.de>] 7501 7502 *) config now generates no-xxx options for missing ciphers. 7503 [Ulf M�ller] 7504 7505 *) Support the EBCDIC character set (work in progress). 7506 File ebcdic.c not yet included because it has a different license. 7507 [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] 7508 7509 *) Support BS2000/OSD-POSIX. 7510 [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>] 7511 7512 *) Make callbacks for key generation use void * instead of char *. 7513 [Ben Laurie] 7514 7515 *) Make S/MIME samples compile (not yet tested). 7516 [Ben Laurie] 7517 7518 *) Additional typesafe stacks. 7519 [Ben Laurie] 7520 7521 *) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x). 7522 [Bodo Moeller] 7523 7524 7525 Changes between 0.9.3 and 0.9.3a [29 May 1999] 7526 7527 *) New configuration variant "sco5-gcc". 7528 7529 *) Updated some demos. 7530 [Sean O Riordain, Wade Scholine] 7531 7532 *) Add missing BIO_free at exit of pkcs12 application. 7533 [Wu Zhigang] 7534 7535 *) Fix memory leak in conf.c. 7536 [Steve Henson] 7537 7538 *) Updates for Win32 to assembler version of MD5. 7539 [Steve Henson] 7540 7541 *) Set #! path to perl in apps/der_chop to where we found it 7542 instead of using a fixed path. 7543 [Bodo Moeller] 7544 7545 *) SHA library changes for irix64-mips4-cc. 7546 [Andy Polyakov] 7547 7548 *) Improvements for VMS support. 7549 [Richard Levitte] 7550 7551 7552 Changes between 0.9.2b and 0.9.3 [24 May 1999] 7553 7554 *) Bignum library bug fix. IRIX 6 passes "make test" now! 7555 This also avoids the problems with SC4.2 and unpatched SC5. 7556 [Andy Polyakov <appro@fy.chalmers.se>] 7557 7558 *) New functions sk_num, sk_value and sk_set to replace the previous macros. 7559 These are required because of the typesafe stack would otherwise break 7560 existing code. If old code used a structure member which used to be STACK 7561 and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with 7562 sk_num or sk_value it would produce an error because the num, data members 7563 are not present in STACK_OF. Now it just produces a warning. sk_set 7564 replaces the old method of assigning a value to sk_value 7565 (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code 7566 that does this will no longer work (and should use sk_set instead) but 7567 this could be regarded as a "questionable" behaviour anyway. 7568 [Steve Henson] 7569 7570 *) Fix most of the other PKCS#7 bugs. The "experimental" code can now 7571 correctly handle encrypted S/MIME data. 7572 [Steve Henson] 7573 7574 *) Change type of various DES function arguments from des_cblock 7575 (which means, in function argument declarations, pointer to char) 7576 to des_cblock * (meaning pointer to array with 8 char elements), 7577 which allows the compiler to do more typechecking; it was like 7578 that back in SSLeay, but with lots of ugly casts. 7579 7580 Introduce new type const_des_cblock. 7581 [Bodo Moeller] 7582 7583 *) Reorganise the PKCS#7 library and get rid of some of the more obvious 7584 problems: find RecipientInfo structure that matches recipient certificate 7585 and initialise the ASN1 structures properly based on passed cipher. 7586 [Steve Henson] 7587 7588 *) Belatedly make the BN tests actually check the results. 7589 [Ben Laurie] 7590 7591 *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion 7592 to and from BNs: it was completely broken. New compilation option 7593 NEG_PUBKEY_BUG to allow for some broken certificates that encode public 7594 key elements as negative integers. 7595 [Steve Henson] 7596 7597 *) Reorganize and speed up MD5. 7598 [Andy Polyakov <appro@fy.chalmers.se>] 7599 7600 *) VMS support. 7601 [Richard Levitte <richard@levitte.org>] 7602 7603 *) New option -out to asn1parse to allow the parsed structure to be 7604 output to a file. This is most useful when combined with the -strparse 7605 option to examine the output of things like OCTET STRINGS. 7606 [Steve Henson] 7607 7608 *) Make SSL library a little more fool-proof by not requiring any longer 7609 that SSL_set_{accept,connect}_state be called before 7610 SSL_{accept,connect} may be used (SSL_set_..._state is omitted 7611 in many applications because usually everything *appeared* to work as 7612 intended anyway -- now it really works as intended). 7613 [Bodo Moeller] 7614 7615 *) Move openssl.cnf out of lib/. 7616 [Ulf M�ller] 7617 7618 *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall 7619 -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes 7620 -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ 7621 [Ralf S. Engelschall] 7622 7623 *) Various fixes to the EVP and PKCS#7 code. It may now be able to 7624 handle PKCS#7 enveloped data properly. 7625 [Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve] 7626 7627 *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of 7628 copying pointers. The cert_st handling is changed by this in 7629 various ways (and thus what used to be known as ctx->default_cert 7630 is now called ctx->cert, since we don't resort to s->ctx->[default_]cert 7631 any longer when s->cert does not give us what we need). 7632 ssl_cert_instantiate becomes obsolete by this change. 7633 As soon as we've got the new code right (possibly it already is?), 7634 we have solved a couple of bugs of the earlier code where s->cert 7635 was used as if it could not have been shared with other SSL structures. 7636 7637 Note that using the SSL API in certain dirty ways now will result 7638 in different behaviour than observed with earlier library versions: 7639 Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) 7640 does not influence s as it used to. 7641 7642 In order to clean up things more thoroughly, inside SSL_SESSION 7643 we don't use CERT any longer, but a new structure SESS_CERT 7644 that holds per-session data (if available); currently, this is 7645 the peer's certificate chain and, for clients, the server's certificate 7646 and temporary key. CERT holds only those values that can have 7647 meaningful defaults in an SSL_CTX. 7648 [Bodo Moeller] 7649 7650 *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure 7651 from the internal representation. Various PKCS#7 fixes: remove some 7652 evil casts and set the enc_dig_alg field properly based on the signing 7653 key type. 7654 [Steve Henson] 7655 7656 *) Allow PKCS#12 password to be set from the command line or the 7657 environment. Let 'ca' get its config file name from the environment 7658 variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' 7659 and 'x509'). 7660 [Steve Henson] 7661 7662 *) Allow certificate policies extension to use an IA5STRING for the 7663 organization field. This is contrary to the PKIX definition but 7664 VeriSign uses it and IE5 only recognises this form. Document 'x509' 7665 extension option. 7666 [Steve Henson] 7667 7668 *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, 7669 without disallowing inline assembler and the like for non-pedantic builds. 7670 [Ben Laurie] 7671 7672 *) Support Borland C++ builder. 7673 [Janez Jere <jj@void.si>, modified by Ulf M�ller] 7674 7675 *) Support Mingw32. 7676 [Ulf M�ller] 7677 7678 *) SHA-1 cleanups and performance enhancements. 7679 [Andy Polyakov <appro@fy.chalmers.se>] 7680 7681 *) Sparc v8plus assembler for the bignum library. 7682 [Andy Polyakov <appro@fy.chalmers.se>] 7683 7684 *) Accept any -xxx and +xxx compiler options in Configure. 7685 [Ulf M�ller] 7686 7687 *) Update HPUX configuration. 7688 [Anonymous] 7689 7690 *) Add missing sk_<type>_unshift() function to safestack.h 7691 [Ralf S. Engelschall] 7692 7693 *) New function SSL_CTX_use_certificate_chain_file that sets the 7694 "extra_cert"s in addition to the certificate. (This makes sense 7695 only for "PEM" format files, as chains as a whole are not 7696 DER-encoded.) 7697 [Bodo Moeller] 7698 7699 *) Support verify_depth from the SSL API. 7700 x509_vfy.c had what can be considered an off-by-one-error: 7701 Its depth (which was not part of the external interface) 7702 was actually counting the number of certificates in a chain; 7703 now it really counts the depth. 7704 [Bodo Moeller] 7705 7706 *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used 7707 instead of X509err, which often resulted in confusing error 7708 messages since the error codes are not globally unique 7709 (e.g. an alleged error in ssl3_accept when a certificate 7710 didn't match the private key). 7711 7712 *) New function SSL_CTX_set_session_id_context that allows to set a default 7713 value (so that you don't need SSL_set_session_id_context for each 7714 connection using the SSL_CTX). 7715 [Bodo Moeller] 7716 7717 *) OAEP decoding bug fix. 7718 [Ulf M�ller] 7719 7720 *) Support INSTALL_PREFIX for package builders, as proposed by 7721 David Harris. 7722 [Bodo Moeller] 7723 7724 *) New Configure options "threads" and "no-threads". For systems 7725 where the proper compiler options are known (currently Solaris 7726 and Linux), "threads" is the default. 7727 [Bodo Moeller] 7728 7729 *) New script util/mklink.pl as a faster substitute for util/mklink.sh. 7730 [Bodo Moeller] 7731 7732 *) Install various scripts to $(OPENSSLDIR)/misc, not to 7733 $(INSTALLTOP)/bin -- they shouldn't clutter directories 7734 such as /usr/local/bin. 7735 [Bodo Moeller] 7736 7737 *) "make linux-shared" to build shared libraries. 7738 [Niels Poppe <niels@netbox.org>] 7739 7740 *) New Configure option no-<cipher> (rsa, idea, rc5, ...). 7741 [Ulf M�ller] 7742 7743 *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for 7744 extension adding in x509 utility. 7745 [Steve Henson] 7746 7747 *) Remove NOPROTO sections and error code comments. 7748 [Ulf M�ller] 7749 7750 *) Partial rewrite of the DEF file generator to now parse the ANSI 7751 prototypes. 7752 [Steve Henson] 7753 7754 *) New Configure options --prefix=DIR and --openssldir=DIR. 7755 [Ulf M�ller] 7756 7757 *) Complete rewrite of the error code script(s). It is all now handled 7758 by one script at the top level which handles error code gathering, 7759 header rewriting and C source file generation. It should be much better 7760 than the old method: it now uses a modified version of Ulf's parser to 7761 read the ANSI prototypes in all header files (thus the old K&R definitions 7762 aren't needed for error creation any more) and do a better job of 7763 translating function codes into names. The old 'ASN1 error code imbedded 7764 in a comment' is no longer necessary and it doesn't use .err files which 7765 have now been deleted. Also the error code call doesn't have to appear all 7766 on one line (which resulted in some large lines...). 7767 [Steve Henson] 7768 7769 *) Change #include filenames from <foo.h> to <openssl/foo.h>. 7770 [Bodo Moeller] 7771 7772 *) Change behaviour of ssl2_read when facing length-0 packets: Don't return 7773 0 (which usually indicates a closed connection), but continue reading. 7774 [Bodo Moeller] 7775 7776 *) Fix some race conditions. 7777 [Bodo Moeller] 7778 7779 *) Add support for CRL distribution points extension. Add Certificate 7780 Policies and CRL distribution points documentation. 7781 [Steve Henson] 7782 7783 *) Move the autogenerated header file parts to crypto/opensslconf.h. 7784 [Ulf M�ller] 7785 7786 *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 7787 8 of keying material. Merlin has also confirmed interop with this fix 7788 between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. 7789 [Merlin Hughes <merlin@baltimore.ie>] 7790 7791 *) Fix lots of warnings. 7792 [Richard Levitte <levitte@stacken.kth.se>] 7793 7794 *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if 7795 the directory spec didn't end with a LIST_SEPARATOR_CHAR. 7796 [Richard Levitte <levitte@stacken.kth.se>] 7797 7798 *) Fix problems with sizeof(long) == 8. 7799 [Andy Polyakov <appro@fy.chalmers.se>] 7800 7801 *) Change functions to ANSI C. 7802 [Ulf M�ller] 7803 7804 *) Fix typos in error codes. 7805 [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf M�ller] 7806 7807 *) Remove defunct assembler files from Configure. 7808 [Ulf M�ller] 7809 7810 *) SPARC v8 assembler BIGNUM implementation. 7811 [Andy Polyakov <appro@fy.chalmers.se>] 7812 7813 *) Support for Certificate Policies extension: both print and set. 7814 Various additions to support the r2i method this uses. 7815 [Steve Henson] 7816 7817 *) A lot of constification, and fix a bug in X509_NAME_oneline() that could 7818 return a const string when you are expecting an allocated buffer. 7819 [Ben Laurie] 7820 7821 *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE 7822 types DirectoryString and DisplayText. 7823 [Steve Henson] 7824 7825 *) Add code to allow r2i extensions to access the configuration database, 7826 add an LHASH database driver and add several ctx helper functions. 7827 [Steve Henson] 7828 7829 *) Fix an evil bug in bn_expand2() which caused various BN functions to 7830 fail when they extended the size of a BIGNUM. 7831 [Steve Henson] 7832 7833 *) Various utility functions to handle SXNet extension. Modify mkdef.pl to 7834 support typesafe stack. 7835 [Steve Henson] 7836 7837 *) Fix typo in SSL_[gs]et_options(). 7838 [Nils Frostberg <nils@medcom.se>] 7839 7840 *) Delete various functions and files that belonged to the (now obsolete) 7841 old X509V3 handling code. 7842 [Steve Henson] 7843 7844 *) New Configure option "rsaref". 7845 [Ulf M�ller] 7846 7847 *) Don't auto-generate pem.h. 7848 [Bodo Moeller] 7849 7850 *) Introduce type-safe ASN.1 SETs. 7851 [Ben Laurie] 7852 7853 *) Convert various additional casted stacks to type-safe STACK_OF() variants. 7854 [Ben Laurie, Ralf S. Engelschall, Steve Henson] 7855 7856 *) Introduce type-safe STACKs. This will almost certainly break lots of code 7857 that links with OpenSSL (well at least cause lots of warnings), but fear 7858 not: the conversion is trivial, and it eliminates loads of evil casts. A 7859 few STACKed things have been converted already. Feel free to convert more. 7860 In the fullness of time, I'll do away with the STACK type altogether. 7861 [Ben Laurie] 7862 7863 *) Add `openssl ca -revoke <certfile>' facility which revokes a certificate 7864 specified in <certfile> by updating the entry in the index.txt file. 7865 This way one no longer has to edit the index.txt file manually for 7866 revoking a certificate. The -revoke option does the gory details now. 7867 [Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall] 7868 7869 *) Fix `openssl crl -noout -text' combination where `-noout' killed the 7870 `-text' option at all and this way the `-noout -text' combination was 7871 inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. 7872 [Ralf S. Engelschall] 7873 7874 *) Make sure a corresponding plain text error message exists for the 7875 X509_V_ERR_CERT_REVOKED/23 error number which can occur when a 7876 verify callback function determined that a certificate was revoked. 7877 [Ralf S. Engelschall] 7878 7879 *) Bugfix: In test/testenc, don't test "openssl <cipher>" for 7880 ciphers that were excluded, e.g. by -DNO_IDEA. Also, test 7881 all available cipers including rc5, which was forgotten until now. 7882 In order to let the testing shell script know which algorithms 7883 are available, a new (up to now undocumented) command 7884 "openssl list-cipher-commands" is used. 7885 [Bodo Moeller] 7886 7887 *) Bugfix: s_client occasionally would sleep in select() when 7888 it should have checked SSL_pending() first. 7889 [Bodo Moeller] 7890 7891 *) New functions DSA_do_sign and DSA_do_verify to provide access to 7892 the raw DSA values prior to ASN.1 encoding. 7893 [Ulf M�ller] 7894 7895 *) Tweaks to Configure 7896 [Niels Poppe <niels@netbox.org>] 7897 7898 *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, 7899 yet... 7900 [Steve Henson] 7901 7902 *) New variables $(RANLIB) and $(PERL) in the Makefiles. 7903 [Ulf M�ller] 7904 7905 *) New config option to avoid instructions that are illegal on the 80386. 7906 The default code is faster, but requires at least a 486. 7907 [Ulf M�ller] 7908 7909 *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and 7910 SSL2_SERVER_VERSION (not used at all) macros, which are now the 7911 same as SSL2_VERSION anyway. 7912 [Bodo Moeller] 7913 7914 *) New "-showcerts" option for s_client. 7915 [Bodo Moeller] 7916 7917 *) Still more PKCS#12 integration. Add pkcs12 application to openssl 7918 application. Various cleanups and fixes. 7919 [Steve Henson] 7920 7921 *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and 7922 modify error routines to work internally. Add error codes and PBE init 7923 to library startup routines. 7924 [Steve Henson] 7925 7926 *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and 7927 packing functions to asn1 and evp. Changed function names and error 7928 codes along the way. 7929 [Steve Henson] 7930 7931 *) PKCS12 integration: and so it begins... First of several patches to 7932 slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 7933 objects to objects.h 7934 [Steve Henson] 7935 7936 *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 7937 and display support for Thawte strong extranet extension. 7938 [Steve Henson] 7939 7940 *) Add LinuxPPC support. 7941 [Jeff Dubrule <igor@pobox.org>] 7942 7943 *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to 7944 bn_div_words in alpha.s. 7945 [Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie] 7946 7947 *) Make sure the RSA OAEP test is skipped under -DRSAref because 7948 OAEP isn't supported when OpenSSL is built with RSAref. 7949 [Ulf Moeller <ulf@fitug.de>] 7950 7951 *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h 7952 so they no longer are missing under -DNOPROTO. 7953 [Soren S. Jorvang <soren@t.dk>] 7954 7955 7956 Changes between 0.9.1c and 0.9.2b [22 Mar 1999] 7957 7958 *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still 7959 doesn't work when the session is reused. Coming soon! 7960 [Ben Laurie] 7961 7962 *) Fix a security hole, that allows sessions to be reused in the wrong 7963 context thus bypassing client cert protection! All software that uses 7964 client certs and session caches in multiple contexts NEEDS PATCHING to 7965 allow session reuse! A fuller solution is in the works. 7966 [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] 7967 7968 *) Some more source tree cleanups (removed obsolete files 7969 crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed 7970 permission on "config" script to be executable) and a fix for the INSTALL 7971 document. 7972 [Ulf Moeller <ulf@fitug.de>] 7973 7974 *) Remove some legacy and erroneous uses of malloc, free instead of 7975 Malloc, Free. 7976 [Lennart Bang <lob@netstream.se>, with minor changes by Steve] 7977 7978 *) Make rsa_oaep_test return non-zero on error. 7979 [Ulf Moeller <ulf@fitug.de>] 7980 7981 *) Add support for native Solaris shared libraries. Configure 7982 solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice 7983 if someone would make that last step automatic. 7984 [Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>] 7985 7986 *) ctx_size was not built with the right compiler during "make links". Fixed. 7987 [Ben Laurie] 7988 7989 *) Change the meaning of 'ALL' in the cipher list. It now means "everything 7990 except NULL ciphers". This means the default cipher list will no longer 7991 enable NULL ciphers. They need to be specifically enabled e.g. with 7992 the string "DEFAULT:eNULL". 7993 [Steve Henson] 7994 7995 *) Fix to RSA private encryption routines: if p < q then it would 7996 occasionally produce an invalid result. This will only happen with 7997 externally generated keys because OpenSSL (and SSLeay) ensure p > q. 7998 [Steve Henson] 7999 8000 *) Be less restrictive and allow also `perl util/perlpath.pl 8001 /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin', 8002 because this way one can also use an interpreter named `perl5' (which is 8003 usually the name of Perl 5.xxx on platforms where an Perl 4.x is still 8004 installed as `perl'). 8005 [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] 8006 8007 *) Let util/clean-depend.pl work also with older Perl 5.00x versions. 8008 [Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] 8009 8010 *) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add 8011 advapi32.lib to Win32 build and change the pem test comparision 8012 to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the 8013 suggestion). Fix misplaced ASNI prototypes and declarations in evp.h 8014 and crypto/des/ede_cbcm_enc.c. 8015 [Steve Henson] 8016 8017 *) DES quad checksum was broken on big-endian architectures. Fixed. 8018 [Ben Laurie] 8019 8020 *) Comment out two functions in bio.h that aren't implemented. Fix up the 8021 Win32 test batch file so it (might) work again. The Win32 test batch file 8022 is horrible: I feel ill.... 8023 [Steve Henson] 8024 8025 *) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected 8026 in e_os.h. Audit of header files to check ANSI and non ANSI 8027 sections: 10 functions were absent from non ANSI section and not exported 8028 from Windows DLLs. Fixed up libeay.num for new functions. 8029 [Steve Henson] 8030 8031 *) Make `openssl version' output lines consistent. 8032 [Ralf S. Engelschall] 8033 8034 *) Fix Win32 symbol export lists for BIO functions: Added 8035 BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data 8036 to ms/libeay{16,32}.def. 8037 [Ralf S. Engelschall] 8038 8039 *) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled 8040 fine under Unix and passes some trivial tests I've now added. But the 8041 whole stuff is horribly incomplete, so a README.1ST with a disclaimer was 8042 added to make sure no one expects that this stuff really works in the 8043 OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources 8044 up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and 8045 openssl_bio.xs. 8046 [Ralf S. Engelschall] 8047 8048 *) Fix the generation of two part addresses in perl. 8049 [Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie] 8050 8051 *) Add config entry for Linux on MIPS. 8052 [John Tobey <jtobey@channel1.com>] 8053 8054 *) Make links whenever Configure is run, unless we are on Windoze. 8055 [Ben Laurie] 8056 8057 *) Permit extensions to be added to CRLs using crl_section in openssl.cnf. 8058 Currently only issuerAltName and AuthorityKeyIdentifier make any sense 8059 in CRLs. 8060 [Steve Henson] 8061 8062 *) Add a useful kludge to allow package maintainers to specify compiler and 8063 other platforms details on the command line without having to patch the 8064 Configure script everytime: One now can use ``perl Configure 8065 <id>:<details>'', i.e. platform ids are allowed to have details appended 8066 to them (seperated by colons). This is treated as there would be a static 8067 pre-configured entry in Configure's %table under key <id> with value 8068 <details> and ``perl Configure <id>'' is called. So, when you want to 8069 perform a quick test-compile under FreeBSD 3.1 with pgcc and without 8070 assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"'' 8071 now, which overrides the FreeBSD-elf entry on-the-fly. 8072 [Ralf S. Engelschall] 8073 8074 *) Disable new TLS1 ciphersuites by default: they aren't official yet. 8075 [Ben Laurie] 8076 8077 *) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified 8078 on the `perl Configure ...' command line. This way one can compile 8079 OpenSSL libraries with Position Independent Code (PIC) which is needed 8080 for linking it into DSOs. 8081 [Ralf S. Engelschall] 8082 8083 *) Remarkably, export ciphers were totally broken and no-one had noticed! 8084 Fixed. 8085 [Ben Laurie] 8086 8087 *) Cleaned up the LICENSE document: The official contact for any license 8088 questions now is the OpenSSL core team under openssl-core@openssl.org. 8089 And add a paragraph about the dual-license situation to make sure people 8090 recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply 8091 to the OpenSSL toolkit. 8092 [Ralf S. Engelschall] 8093 8094 *) General source tree makefile cleanups: Made `making xxx in yyy...' 8095 display consistent in the source tree and replaced `/bin/rm' by `rm'. 8096 Additonally cleaned up the `make links' target: Remove unnecessary 8097 semicolons, subsequent redundant removes, inline point.sh into mklink.sh 8098 to speed processing and no longer clutter the display with confusing 8099 stuff. Instead only the actually done links are displayed. 8100 [Ralf S. Engelschall] 8101 8102 *) Permit null encryption ciphersuites, used for authentication only. It used 8103 to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this. 8104 It is now necessary to set SSL_FORBID_ENULL to prevent the use of null 8105 encryption. 8106 [Ben Laurie] 8107 8108 *) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder 8109 signed attributes when verifying signatures (this would break them), 8110 the detached data encoding was wrong and public keys obtained using 8111 X509_get_pubkey() weren't freed. 8112 [Steve Henson] 8113 8114 *) Add text documentation for the BUFFER functions. Also added a work around 8115 to a Win95 console bug. This was triggered by the password read stuff: the 8116 last character typed gets carried over to the next fread(). If you were 8117 generating a new cert request using 'req' for example then the last 8118 character of the passphrase would be CR which would then enter the first 8119 field as blank. 8120 [Steve Henson] 8121 8122 *) Added the new `Includes OpenSSL Cryptography Software' button as 8123 doc/openssl_button.{gif,html} which is similar in style to the old SSLeay 8124 button and can be used by applications based on OpenSSL to show the 8125 relationship to the OpenSSL project. 8126 [Ralf S. Engelschall] 8127 8128 *) Remove confusing variables in function signatures in files 8129 ssl/ssl_lib.c and ssl/ssl.h. 8130 [Lennart Bong <lob@kulthea.stacken.kth.se>] 8131 8132 *) Don't install bss_file.c under PREFIX/include/ 8133 [Lennart Bong <lob@kulthea.stacken.kth.se>] 8134 8135 *) Get the Win32 compile working again. Modify mkdef.pl so it can handle 8136 functions that return function pointers and has support for NT specific 8137 stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various 8138 #ifdef WIN32 and WINNTs sprinkled about the place and some changes from 8139 unsigned to signed types: this was killing the Win32 compile. 8140 [Steve Henson] 8141 8142 *) Add new certificate file to stack functions, 8143 SSL_add_dir_cert_subjects_to_stack() and 8144 SSL_add_file_cert_subjects_to_stack(). These largely supplant 8145 SSL_load_client_CA_file(), and can be used to add multiple certs easily 8146 to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). 8147 This means that Apache-SSL and similar packages don't have to mess around 8148 to add as many CAs as they want to the preferred list. 8149 [Ben Laurie] 8150 8151 *) Experiment with doxygen documentation. Currently only partially applied to 8152 ssl/ssl_lib.c. 8153 See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with 8154 openssl.doxy as the configuration file. 8155 [Ben Laurie] 8156 8157 *) Get rid of remaining C++-style comments which strict C compilers hate. 8158 [Ralf S. Engelschall, pointed out by Carlos Amengual] 8159 8160 *) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not 8161 compiled in by default: it has problems with large keys. 8162 [Steve Henson] 8163 8164 *) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and 8165 DH private keys and/or callback functions which directly correspond to 8166 their SSL_CTX_xxx() counterparts but work on a per-connection basis. This 8167 is needed for applications which have to configure certificates on a 8168 per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis 8169 (e.g. s_server). 8170 For the RSA certificate situation is makes no difference, but 8171 for the DSA certificate situation this fixes the "no shared cipher" 8172 problem where the OpenSSL cipher selection procedure failed because the 8173 temporary keys were not overtaken from the context and the API provided 8174 no way to reconfigure them. 8175 The new functions now let applications reconfigure the stuff and they 8176 are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh, 8177 SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new 8178 non-public-API function ssl_cert_instantiate() is used as a helper 8179 function and also to reduce code redundancy inside ssl_rsa.c. 8180 [Ralf S. Engelschall] 8181 8182 *) Move s_server -dcert and -dkey options out of the undocumented feature 8183 area because they are useful for the DSA situation and should be 8184 recognized by the users. 8185 [Ralf S. Engelschall] 8186 8187 *) Fix the cipher decision scheme for export ciphers: the export bits are 8188 *not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within 8189 SSL_EXP_MASK. So, the original variable has to be used instead of the 8190 already masked variable. 8191 [Richard Levitte <levitte@stacken.kth.se>] 8192 8193 *) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c 8194 [Richard Levitte <levitte@stacken.kth.se>] 8195 8196 *) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal() 8197 from `int' to `unsigned int' because it's a length and initialized by 8198 EVP_DigestFinal() which expects an `unsigned int *'. 8199 [Richard Levitte <levitte@stacken.kth.se>] 8200 8201 *) Don't hard-code path to Perl interpreter on shebang line of Configure 8202 script. Instead use the usual Shell->Perl transition trick. 8203 [Ralf S. Engelschall] 8204 8205 *) Make `openssl x509 -noout -modulus' functional also for DSA certificates 8206 (in addition to RSA certificates) to match the behaviour of `openssl dsa 8207 -noout -modulus' as it's already the case for `openssl rsa -noout 8208 -modulus'. For RSA the -modulus is the real "modulus" while for DSA 8209 currently the public key is printed (a decision which was already done by 8210 `openssl dsa -modulus' in the past) which serves a similar purpose. 8211 Additionally the NO_RSA no longer completely removes the whole -modulus 8212 option; it now only avoids using the RSA stuff. Same applies to NO_DSA 8213 now, too. 8214 [Ralf S. Engelschall] 8215 8216 *) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested 8217 BIO. See the source (crypto/evp/bio_ok.c) for more info. 8218 [Arne Ansper <arne@ats.cyber.ee>] 8219 8220 *) Dump the old yucky req code that tried (and failed) to allow raw OIDs 8221 to be added. Now both 'req' and 'ca' can use new objects defined in the 8222 config file. 8223 [Steve Henson] 8224 8225 *) Add cool BIO that does syslog (or event log on NT). 8226 [Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie] 8227 8228 *) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5, 8229 TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and 8230 TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher 8231 Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt. 8232 [Ben Laurie] 8233 8234 *) Add preliminary config info for new extension code. 8235 [Steve Henson] 8236 8237 *) Make RSA_NO_PADDING really use no padding. 8238 [Ulf Moeller <ulf@fitug.de>] 8239 8240 *) Generate errors when private/public key check is done. 8241 [Ben Laurie] 8242 8243 *) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support 8244 for some CRL extensions and new objects added. 8245 [Steve Henson] 8246 8247 *) Really fix the ASN1 IMPLICIT bug this time... Partial support for private 8248 key usage extension and fuller support for authority key id. 8249 [Steve Henson] 8250 8251 *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved 8252 padding method for RSA, which is recommended for new applications in PKCS 8253 #1 v2.0 (RFC 2437, October 1998). 8254 OAEP (Optimal Asymmetric Encryption Padding) has better theoretical 8255 foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure 8256 against Bleichbacher's attack on RSA. 8257 [Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by 8258 Ben Laurie] 8259 8260 *) Updates to the new SSL compression code 8261 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] 8262 8263 *) Fix so that the version number in the master secret, when passed 8264 via RSA, checks that if TLS was proposed, but we roll back to SSLv3 8265 (because the server will not accept higher), that the version number 8266 is 0x03,0x01, not 0x03,0x00 8267 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] 8268 8269 *) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory 8270 leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes 8271 in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c 8272 [Steve Henson] 8273 8274 *) Support for RAW extensions where an arbitrary extension can be 8275 created by including its DER encoding. See apps/openssl.cnf for 8276 an example. 8277 [Steve Henson] 8278 8279 *) Make sure latest Perl versions don't interpret some generated C array 8280 code as Perl array code in the crypto/err/err_genc.pl script. 8281 [Lars Weber <3weber@informatik.uni-hamburg.de>] 8282 8283 *) Modify ms/do_ms.bat to not generate assembly language makefiles since 8284 not many people have the assembler. Various Win32 compilation fixes and 8285 update to the INSTALL.W32 file with (hopefully) more accurate Win32 8286 build instructions. 8287 [Steve Henson] 8288 8289 *) Modify configure script 'Configure' to automatically create crypto/date.h 8290 file under Win32 and also build pem.h from pem.org. New script 8291 util/mkfiles.pl to create the MINFO file on environments that can't do a 8292 'make files': perl util/mkfiles.pl >MINFO should work. 8293 [Steve Henson] 8294 8295 *) Major rework of DES function declarations, in the pursuit of correctness 8296 and purity. As a result, many evil casts evaporated, and some weirdness, 8297 too. You may find this causes warnings in your code. Zapping your evil 8298 casts will probably fix them. Mostly. 8299 [Ben Laurie] 8300 8301 *) Fix for a typo in asn1.h. Bug fix to object creation script 8302 obj_dat.pl. It considered a zero in an object definition to mean 8303 "end of object": none of the objects in objects.h have any zeros 8304 so it wasn't spotted. 8305 [Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>] 8306 8307 *) Add support for Triple DES Cipher Block Chaining with Output Feedback 8308 Masking (CBCM). In the absence of test vectors, the best I have been able 8309 to do is check that the decrypt undoes the encrypt, so far. Send me test 8310 vectors if you have them. 8311 [Ben Laurie] 8312 8313 *) Correct calculation of key length for export ciphers (too much space was 8314 allocated for null ciphers). This has not been tested! 8315 [Ben Laurie] 8316 8317 *) Modifications to the mkdef.pl for Win32 DEF file creation. The usage 8318 message is now correct (it understands "crypto" and "ssl" on its 8319 command line). There is also now an "update" option. This will update 8320 the util/ssleay.num and util/libeay.num files with any new functions. 8321 If you do a: 8322 perl util/mkdef.pl crypto ssl update 8323 it will update them. 8324 [Steve Henson] 8325 8326 *) Overhauled the Perl interface (perl/*): 8327 - ported BN stuff to OpenSSL's different BN library 8328 - made the perl/ source tree CVS-aware 8329 - renamed the package from SSLeay to OpenSSL (the files still contain 8330 their history because I've copied them in the repository) 8331 - removed obsolete files (the test scripts will be replaced 8332 by better Test::Harness variants in the future) 8333 [Ralf S. Engelschall] 8334 8335 *) First cut for a very conservative source tree cleanup: 8336 1. merge various obsolete readme texts into doc/ssleay.txt 8337 where we collect the old documents and readme texts. 8338 2. remove the first part of files where I'm already sure that we no 8339 longer need them because of three reasons: either they are just temporary 8340 files which were left by Eric or they are preserved original files where 8341 I've verified that the diff is also available in the CVS via "cvs diff 8342 -rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for 8343 the crypto/md/ stuff). 8344 [Ralf S. Engelschall] 8345 8346 *) More extension code. Incomplete support for subject and issuer alt 8347 name, issuer and authority key id. Change the i2v function parameters 8348 and add an extra 'crl' parameter in the X509V3_CTX structure: guess 8349 what that's for :-) Fix to ASN1 macro which messed up 8350 IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. 8351 [Steve Henson] 8352 8353 *) Preliminary support for ENUMERATED type. This is largely copied from the 8354 INTEGER code. 8355 [Steve Henson] 8356 8357 *) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. 8358 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] 8359 8360 *) Make sure `make rehash' target really finds the `openssl' program. 8361 [Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] 8362 8363 *) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd 8364 like to hear about it if this slows down other processors. 8365 [Ben Laurie] 8366 8367 *) Add CygWin32 platform information to Configure script. 8368 [Alan Batie <batie@aahz.jf.intel.com>] 8369 8370 *) Fixed ms/32all.bat script: `no_asm' -> `no-asm' 8371 [Rainer W. Gerling <gerling@mpg-gv.mpg.de>] 8372 8373 *) New program nseq to manipulate netscape certificate sequences 8374 [Steve Henson] 8375 8376 *) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a 8377 few typos. 8378 [Steve Henson] 8379 8380 *) Fixes to BN code. Previously the default was to define BN_RECURSION 8381 but the BN code had some problems that would cause failures when 8382 doing certificate verification and some other functions. 8383 [Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] 8384 8385 *) Add ASN1 and PEM code to support netscape certificate sequences. 8386 [Steve Henson] 8387 8388 *) Add ASN1 and PEM code to support netscape certificate sequences. 8389 [Steve Henson] 8390 8391 *) Add several PKIX and private extended key usage OIDs. 8392 [Steve Henson] 8393 8394 *) Modify the 'ca' program to handle the new extension code. Modify 8395 openssl.cnf for new extension format, add comments. 8396 [Steve Henson] 8397 8398 *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' 8399 and add a sample to openssl.cnf so req -x509 now adds appropriate 8400 CA extensions. 8401 [Steve Henson] 8402 8403 *) Continued X509 V3 changes. Add to other makefiles, integrate with the 8404 error code, add initial support to X509_print() and x509 application. 8405 [Steve Henson] 8406 8407 *) Takes a deep breath and start addding X509 V3 extension support code. Add 8408 files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this 8409 stuff is currently isolated and isn't even compiled yet. 8410 [Steve Henson] 8411 8412 *) Continuing patches for GeneralizedTime. Fix up certificate and CRL 8413 ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. 8414 Removed the versions check from X509 routines when loading extensions: 8415 this allows certain broken certificates that don't set the version 8416 properly to be processed. 8417 [Steve Henson] 8418 8419 *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another 8420 Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which 8421 can still be regenerated with "make depend". 8422 [Ben Laurie] 8423 8424 *) Spelling mistake in C version of CAST-128. 8425 [Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>] 8426 8427 *) Changes to the error generation code. The perl script err-code.pl 8428 now reads in the old error codes and retains the old numbers, only 8429 adding new ones if necessary. It also only changes the .err files if new 8430 codes are added. The makefiles have been modified to only insert errors 8431 when needed (to avoid needlessly modifying header files). This is done 8432 by only inserting errors if the .err file is newer than the auto generated 8433 C file. To rebuild all the error codes from scratch (the old behaviour) 8434 either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl 8435 or delete all the .err files. 8436 [Steve Henson] 8437 8438 *) CAST-128 was incorrectly implemented for short keys. The C version has 8439 been fixed, but is untested. The assembler versions are also fixed, but 8440 new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing 8441 to regenerate it if needed. 8442 [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun 8443 Hagino <itojun@kame.net>] 8444 8445 *) File was opened incorrectly in randfile.c. 8446 [Ulf M�ller <ulf@fitug.de>] 8447 8448 *) Beginning of support for GeneralizedTime. d2i, i2d, check and print 8449 functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or 8450 GeneralizedTime. ASN1_TIME is the proper type used in certificates et 8451 al: it's just almost always a UTCTime. Note this patch adds new error 8452 codes so do a "make errors" if there are problems. 8453 [Steve Henson] 8454 8455 *) Correct Linux 1 recognition in config. 8456 [Ulf M�ller <ulf@fitug.de>] 8457 8458 *) Remove pointless MD5 hash when using DSA keys in ca. 8459 [Anonymous <nobody@replay.com>] 8460 8461 *) Generate an error if given an empty string as a cert directory. Also 8462 generate an error if handed NULL (previously returned 0 to indicate an 8463 error, but didn't set one). 8464 [Ben Laurie, reported by Anonymous <nobody@replay.com>] 8465 8466 *) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. 8467 [Ben Laurie] 8468 8469 *) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct 8470 parameters. This was causing a warning which killed off the Win32 compile. 8471 [Steve Henson] 8472 8473 *) Remove C++ style comments from crypto/bn/bn_local.h. 8474 [Neil Costigan <neil.costigan@celocom.com>] 8475 8476 *) The function OBJ_txt2nid was broken. It was supposed to return a nid 8477 based on a text string, looking up short and long names and finally 8478 "dot" format. The "dot" format stuff didn't work. Added new function 8479 OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote 8480 OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the 8481 OID is not part of the table. 8482 [Steve Henson] 8483 8484 *) Add prototypes to X509 lookup/verify methods, fixing a bug in 8485 X509_LOOKUP_by_alias(). 8486 [Ben Laurie] 8487 8488 *) Sort openssl functions by name. 8489 [Ben Laurie] 8490 8491 *) Get the gendsa program working (hopefully) and add it to app list. Remove 8492 encryption from sample DSA keys (in case anyone is interested the password 8493 was "1234"). 8494 [Steve Henson] 8495 8496 *) Make _all_ *_free functions accept a NULL pointer. 8497 [Frans Heymans <fheymans@isaserver.be>] 8498 8499 *) If a DH key is generated in s3_srvr.c, don't blow it by trying to use 8500 NULL pointers. 8501 [Anonymous <nobody@replay.com>] 8502 8503 *) s_server should send the CAfile as acceptable CAs, not its own cert. 8504 [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] 8505 8506 *) Don't blow it for numeric -newkey arguments to apps/req. 8507 [Bodo Moeller <3moeller@informatik.uni-hamburg.de>] 8508 8509 *) Temp key "for export" tests were wrong in s3_srvr.c. 8510 [Anonymous <nobody@replay.com>] 8511 8512 *) Add prototype for temp key callback functions 8513 SSL_CTX_set_tmp_{rsa,dh}_callback(). 8514 [Ben Laurie] 8515 8516 *) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and 8517 DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). 8518 [Steve Henson] 8519 8520 *) X509_name_add_entry() freed the wrong thing after an error. 8521 [Arne Ansper <arne@ats.cyber.ee>] 8522 8523 *) rsa_eay.c would attempt to free a NULL context. 8524 [Arne Ansper <arne@ats.cyber.ee>] 8525 8526 *) BIO_s_socket() had a broken should_retry() on Windoze. 8527 [Arne Ansper <arne@ats.cyber.ee>] 8528 8529 *) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. 8530 [Arne Ansper <arne@ats.cyber.ee>] 8531 8532 *) Make sure the already existing X509_STORE->depth variable is initialized 8533 in X509_STORE_new(), but document the fact that this variable is still 8534 unused in the certificate verification process. 8535 [Ralf S. Engelschall] 8536 8537 *) Fix the various library and apps files to free up pkeys obtained from 8538 X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. 8539 [Steve Henson] 8540 8541 *) Fix reference counting in X509_PUBKEY_get(). This makes 8542 demos/maurice/example2.c work, amongst others, probably. 8543 [Steve Henson and Ben Laurie] 8544 8545 *) First cut of a cleanup for apps/. First the `ssleay' program is now named 8546 `openssl' and second, the shortcut symlinks for the `openssl <command>' 8547 are no longer created. This way we have a single and consistent command 8548 line interface `openssl <command>', similar to `cvs <command>'. 8549 [Ralf S. Engelschall, Paul Sutton and Ben Laurie] 8550 8551 *) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey 8552 BIT STRING wrapper always have zero unused bits. 8553 [Steve Henson] 8554 8555 *) Add CA.pl, perl version of CA.sh, add extended key usage OID. 8556 [Steve Henson] 8557 8558 *) Make the top-level INSTALL documentation easier to understand. 8559 [Paul Sutton] 8560 8561 *) Makefiles updated to exit if an error occurs in a sub-directory 8562 make (including if user presses ^C) [Paul Sutton] 8563 8564 *) Make Montgomery context stuff explicit in RSA data structure. 8565 [Ben Laurie] 8566 8567 *) Fix build order of pem and err to allow for generated pem.h. 8568 [Ben Laurie] 8569 8570 *) Fix renumbering bug in X509_NAME_delete_entry(). 8571 [Ben Laurie] 8572 8573 *) Enhanced the err-ins.pl script so it makes the error library number 8574 global and can add a library name. This is needed for external ASN1 and 8575 other error libraries. 8576 [Steve Henson] 8577 8578 *) Fixed sk_insert which never worked properly. 8579 [Steve Henson] 8580 8581 *) Fix ASN1 macros so they can handle indefinite length construted 8582 EXPLICIT tags. Some non standard certificates use these: they can now 8583 be read in. 8584 [Steve Henson] 8585 8586 *) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) 8587 into a single doc/ssleay.txt bundle. This way the information is still 8588 preserved but no longer messes up this directory. Now it's new room for 8589 the new set of documenation files. 8590 [Ralf S. Engelschall] 8591 8592 *) SETs were incorrectly DER encoded. This was a major pain, because they 8593 shared code with SEQUENCEs, which aren't coded the same. This means that 8594 almost everything to do with SETs or SEQUENCEs has either changed name or 8595 number of arguments. 8596 [Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>] 8597 8598 *) Fix test data to work with the above. 8599 [Ben Laurie] 8600 8601 *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but 8602 was already fixed by Eric for 0.9.1 it seems. 8603 [Ben Laurie - pointed out by Ulf M�ller <ulf@fitug.de>] 8604 8605 *) Autodetect FreeBSD3. 8606 [Ben Laurie] 8607 8608 *) Fix various bugs in Configure. This affects the following platforms: 8609 nextstep 8610 ncr-scde 8611 unixware-2.0 8612 unixware-2.0-pentium 8613 sco5-cc. 8614 [Ben Laurie] 8615 8616 *) Eliminate generated files from CVS. Reorder tests to regenerate files 8617 before they are needed. 8618 [Ben Laurie] 8619 8620 *) Generate Makefile.ssl from Makefile.org (to keep CVS happy). 8621 [Ben Laurie] 8622 8623 8624 Changes between 0.9.1b and 0.9.1c [23-Dec-1998] 8625 8626 *) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and 8627 changed SSLeay to OpenSSL in version strings. 8628 [Ralf S. Engelschall] 8629 8630 *) Some fixups to the top-level documents. 8631 [Paul Sutton] 8632 8633 *) Fixed the nasty bug where rsaref.h was not found under compile-time 8634 because the symlink to include/ was missing. 8635 [Ralf S. Engelschall] 8636 8637 *) Incorporated the popular no-RSA/DSA-only patches 8638 which allow to compile a RSA-free SSLeay. 8639 [Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] 8640 8641 *) Fixed nasty rehash problem under `make -f Makefile.ssl links' 8642 when "ssleay" is still not found. 8643 [Ralf S. Engelschall] 8644 8645 *) Added more platforms to Configure: Cray T3E, HPUX 11, 8646 [Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>] 8647 8648 *) Updated the README file. 8649 [Ralf S. Engelschall] 8650 8651 *) Added various .cvsignore files in the CVS repository subdirs 8652 to make a "cvs update" really silent. 8653 [Ralf S. Engelschall] 8654 8655 *) Recompiled the error-definition header files and added 8656 missing symbols to the Win32 linker tables. 8657 [Ralf S. Engelschall] 8658 8659 *) Cleaned up the top-level documents; 8660 o new files: CHANGES and LICENSE 8661 o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay 8662 o merged COPYRIGHT into LICENSE 8663 o removed obsolete TODO file 8664 o renamed MICROSOFT to INSTALL.W32 8665 [Ralf S. Engelschall] 8666 8667 *) Removed dummy files from the 0.9.1b source tree: 8668 crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi 8669 crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f 8670 crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f 8671 crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f 8672 util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f 8673 [Ralf S. Engelschall] 8674 8675 *) Added various platform portability fixes. 8676 [Mark J. Cox] 8677 8678 *) The Genesis of the OpenSSL rpject: 8679 We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. 8680 Young and Tim J. Hudson created while they were working for C2Net until 8681 summer 1998. 8682 [The OpenSSL Project] 8683 8684 8685 Changes between 0.9.0b and 0.9.1b [not released] 8686 8687 *) Updated a few CA certificates under certs/ 8688 [Eric A. Young] 8689 8690 *) Changed some BIGNUM api stuff. 8691 [Eric A. Young] 8692 8693 *) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, 8694 DGUX x86, Linux Alpha, etc. 8695 [Eric A. Young] 8696 8697 *) New COMP library [crypto/comp/] for SSL Record Layer Compression: 8698 RLE (dummy implemented) and ZLIB (really implemented when ZLIB is 8699 available). 8700 [Eric A. Young] 8701 8702 *) Add -strparse option to asn1pars program which parses nested 8703 binary structures 8704 [Dr Stephen Henson <shenson@bigfoot.com>] 8705 8706 *) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. 8707 [Eric A. Young] 8708 8709 *) DSA fix for "ca" program. 8710 [Eric A. Young] 8711 8712 *) Added "-genkey" option to "dsaparam" program. 8713 [Eric A. Young] 8714 8715 *) Added RIPE MD160 (rmd160) message digest. 8716 [Eric A. Young] 8717 8718 *) Added -a (all) option to "ssleay version" command. 8719 [Eric A. Young] 8720 8721 *) Added PLATFORM define which is the id given to Configure. 8722 [Eric A. Young] 8723 8724 *) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. 8725 [Eric A. Young] 8726 8727 *) Extended the ASN.1 parser routines. 8728 [Eric A. Young] 8729 8730 *) Extended BIO routines to support REUSEADDR, seek, tell, etc. 8731 [Eric A. Young] 8732 8733 *) Added a BN_CTX to the BN library. 8734 [Eric A. Young] 8735 8736 *) Fixed the weak key values in DES library 8737 [Eric A. Young] 8738 8739 *) Changed API in EVP library for cipher aliases. 8740 [Eric A. Young] 8741 8742 *) Added support for RC2/64bit cipher. 8743 [Eric A. Young] 8744 8745 *) Converted the lhash library to the crypto/mem.c functions. 8746 [Eric A. Young] 8747 8748 *) Added more recognized ASN.1 object ids. 8749 [Eric A. Young] 8750 8751 *) Added more RSA padding checks for SSL/TLS. 8752 [Eric A. Young] 8753 8754 *) Added BIO proxy/filter functionality. 8755 [Eric A. Young] 8756 8757 *) Added extra_certs to SSL_CTX which can be used 8758 send extra CA certificates to the client in the CA cert chain sending 8759 process. It can be configured with SSL_CTX_add_extra_chain_cert(). 8760 [Eric A. Young] 8761 8762 *) Now Fortezza is denied in the authentication phase because 8763 this is key exchange mechanism is not supported by SSLeay at all. 8764 [Eric A. Young] 8765 8766 *) Additional PKCS1 checks. 8767 [Eric A. Young] 8768 8769 *) Support the string "TLSv1" for all TLS v1 ciphers. 8770 [Eric A. Young] 8771 8772 *) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the 8773 ex_data index of the SSL context in the X509_STORE_CTX ex_data. 8774 [Eric A. Young] 8775 8776 *) Fixed a few memory leaks. 8777 [Eric A. Young] 8778 8779 *) Fixed various code and comment typos. 8780 [Eric A. Young] 8781 8782 *) A minor bug in ssl/s3_clnt.c where there would always be 4 0 8783 bytes sent in the client random. 8784 [Edward Bishop <ebishop@spyglass.com>] 8785 8786