[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Fixes and enhancements to the 'x509' utility. It allowed a message
     digest to be passed on the command line but it only used this
     parameter when signing a certificate. Modified so all relevant
     operations are affected by the digest parameter including the
     -fingerprint and -x509toreq options. Also -x509toreq choked if a
     DSA key was used because it didn't fix the digest.
     [Steve Henson]

  *) Initial certificate chain verify code. Currently tests the untrusted
     certificates for consistency with the verify purpose (which is set
     when the X509_STORE_CTX structure is set up) and checks the pathlength.

     There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
     this is because when it is finally working it will reject chains with
     invalid extensions whereas every previous version of OpenSSL and SSLeay
     made no checks at all.

     Trust code: checks the root CA for the relevant trust settings. Trust
     settings have an initial value consistent with the verify purpose: e.g.
     if the verify purpose is for SSL client use it expects the CA to be
     trusted for SSL client use. However the default value can be changed to
     permit custom trust settings: one example of this would be to only trust
     certificates from a specific "secure" set of CAs.

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
     which should be used for version portability: especially since the
     verify structure is likely to change more often now.

     Two new options to the verify program: -untrusted allows a set of
     untrusted certificates to be passed in and -purpose which sets the
     intended purpose of the certificate. If a purpose is set then the
     new chain verify code is used to check extension consistency.
     [Steve Henson]

  *) Support for the authority information access extension.
     [Steve Henson]

  *) Modify RSA and DSA PEM read routines to transparently handle
     PKCS#8 format private keys. New *_PUBKEY_* functions that handle
     public keys in a format compatible with certificate
     SubjectPublicKeyInfo structures. Unfortunately there were already
     functions called *_PublicKey_* which used various odd formats so
     these are retained for compatability: however the DSA variants were
     never in a public release so they have been deleted. Changed dsa/rsa
     utilities to handle the new format: note no releases ever handled public
     keys so we should be OK.

     The primary motivation for this change is to avoid the same fiasco
     that dogs private keys: there are several incompatible private key
     formats some of which are standard and some OpenSSL specific and
     require various evil hacks to allow partial transparent handling and
     even then it doesn't work with DER formats. Given the option anything
     other than PKCS#8 should be dumped: but the other formats have to
     stay in the name of compatability.

     With public keys and the benefit of hindsight one standard format 
     is used which works with EVP_PKEY, RSA or DSA structures: though
     it clearly returns an error if you try to read the wrong kind of key.

     Added a -pubkey option to the 'x509' utility to output the public key.
     Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() and add
     EVP_PKEY_rset_*() functions that do the same as the EVP_PKEY_assign_*()
     except they up the reference count of the added key (they don't "swallow"
     the supplied key).
     [Steve Henson]

  *) Fixes to crypto/x509/by_file.c the code to read in certificates and
     CRLs would fail if the file contained no certificates or no CRLs:
     added a new function to read in both types and return the number
     read: this means that if none are read it will be an error. The
     DER versions of the certificate and CRL reader would always fail
     because it isn't possible to mix certificates and CRLs in DER format
     without choking one or the other routine. Changed this to just read
     a certificate: this is the best we can do. Also modified the code
     in apps/verify.c to take notice of return codes: it was previously
     attempting to read in certificates from NULL pointers and ignoring
     any errors: this is one reason why the cert and CRL reader seemed
     to work. It doesn't check return codes from the default certificate
     routines: these may well fail if the certificates aren't installed.
     [Steve Henson]

  *) Code to support otherName option in GeneralName.
     [Steve Henson]

  *) First update to verify code. Change the verify utility
     so it warns if it is passed a self signed certificate:
     for consistency with the normal behaviour. X509_verify
     has been modified to it will now verify a self signed
     certificate if *exactly* the same certificate appears
     in the store: it was previously impossible to trust a
     single self signed certificate. This means that:
     openssl verify ss.pem
     now gives a warning about a self signed certificate but
     openssl verify -CAfile ss.pem ss.pem
     is OK.
     [Steve Henson]

  *) For servers, store verify_result in SSL_SESSION data structure
     (and add it to external session representation).
     This is needed when client certificate verifications fails,
     but an application-provided verification callback (set by
     SSL_CTX_set_cert_verify_callback) allows accepting the session
     anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
     but returns 1): When the session is reused, we have to set
     ssl->verify_result to the appropriate error code to avoid
     security holes.
     [Bodo Moeller, problem pointed out by Lutz Jaenicke]

  *) Fix a bug in the new PKCS#7 code: it didn't consider the
     case in PKCS7_dataInit() where the signed PKCS7 structure
     didn't contain any existing data because it was being created.
     [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]

  *) Add a salt to the key derivation routines in enc.c. This
     forms the first 8 bytes of the encrypted file. Also add a
     -S option to allow a salt to be input on the command line.
     [Steve Henson]

  *) New function X509_cmp(). Oddly enough there wasn't a function
     to compare two certificates. We do this by working out the SHA1
     hash and comparing that. X509_cmp() will be needed by the trust
     code.
     [Steve Henson]

  *) Correctly increment the reference count in the SSL_SESSION pointer 
     returned from SSL_get_session().
     [Geoff Thorpe <geoff@eu.c2.net>]

  *) Fix for 'req': it was adding a null to request attributes.
     Also change the X509_LOOKUP and X509_INFO code to handle
     certificate auxiliary information.
     [Steve Henson]

  *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
     the 'enc' command.
     [Steve Henson]

  *) Add the possibility to add extra information to the memory leak
     detecting output, to form tracebacks, showing from where each
     allocation was originated.  Also updated sid code to be multi-
     thread-safe.
     [Richard Levitte]

  *) Add options -text and -noout to pkcs7 utility and delete the
     encryption options which never did anything. Update docs.
     [Steve Henson]

  *) Add options to some of the utilities to allow the pass phrase
     to be included on either the command line (not recommended on
     OSes like Unix) or read from the environment. Update the
     manpages and fix a few bugs.
     [Steve Henson]

  *) Add a few manpages for some of the openssl commands.
     [Steve Henson]

  *) Fix the -revoke option in ca. It was freeing up memory twice,
     leaking and not finding already revoked certificates.
     [Steve Henson]

  *) Extensive changes to support certificate auxiliary information.
     This involves the use of X509_CERT_AUX structure and X509_AUX
     functions. An X509_AUX function such as PEM_read_X509_AUX()
     can still read in a certificate file in the usual way but it
     will also read in any additional "auxiliary information". By
     doing things this way a fair degree of compatability can be
     retained: existing certificates can have this information added
     using the new 'x509' options. 

     Current auxiliary information includes an "alias" and some trust
     settings. The trust settings will ultimately be used in enhanced
     certificate chain verification routines: currently a certificate
     can only be trusted if it is self signed and then it is trusted
     for all purposes.
     [Steve Henson]

  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).  The
     problem was that one of the replacement routines had not been working since
     SSLeay releases.  For now the offending routine has been replaced with
     non-optimised assembler.  Even so, this now gives around 95% performance
     improvement for 1024 bit RSA signs.
     [Mark Cox]

  *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 
     handling. Most clients have the effective key size in bits equal to
     the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
     A few however don't do this and instead use the size of the decrypted key
     to determine the RC2 key length and the AlgorithmIdentifier to determine
     the effective key length. In this case the effective key lenth can still
     be 40 bits but the key length can be 168 bits for example. This is fixed
     by manually forcing an RC2 key into the EVP_PKEY structure because the
     EVP code can't currently handle unusual RC2 key sizes: it always assumes
     the key length and effective key length are equal.
     [Steve Henson]

  *) Add a bunch of functions that should simplify the creation of 
     X509_NAME structures. Now you should be able to do:
     X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
     and have it automatically work out the correct field type and fill in
     the structures. The more adventurous can try:
     X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
     and it will (hopefully) work out the correct multibyte encoding.
     [Steve Henson]

  *) Change the 'req' utility to use the new field handling and multibyte
     copy routines. Before the DN field creation was handled in an ad hoc
     way in req, ca, and x509 which was rather broken and didn't support
     BMPStrings or UTF8Strings. Since some software doesn't implement
     BMPStrings or UTF8Strings yet, they can be enabled using the config file
     using the dirstring_type option. See the new comment in the default
     openssl.cnf for more info.
     [Steve Henson]

  *) Make crypto/rand/md_rand.c more robust:
     - Assure unique random numbers after fork().
     - Make sure that concurrent threads access the global counter and
       md serializably so that we never lose entropy in them
       or use exactly the same state in multiple threads.
       Access to the large state is not always serializable because
       the additional locking could be a performance killer, and
       md should be large enough anyway.
     [Bodo Moeller]

  *) New file apps/app_rand.c with commonly needed functionality
     for handling the random seed file.

     Use the random seed file in some applications that previously did not:
          ca,
          dsaparam -genkey (which also ignored its `-rand' option), 
          s_client,
          s_server,
          x509 (when signing).
     Except on systems with /dev/urandom, it is crucial to have a random
     seed file at least for key creation, DSA signing, and for DH exchanges;
     for RSA signatures we could do without one.

     gendh and gendsa (unlike genrsa) used to read only the first byte
     of each file listed in the `-rand' option.  The function as previously
     found in genrsa is now in app_rand.c and is used by all programs
     that support `-rand'.
     [Bodo Moeller]

  *) In RAND_write_file, use mode 0600 for creating files;
     don't just chmod when it may be too late.
     [Bodo Moeller]

  *) Report an error from X509_STORE_load_locations
     when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
     [Bill Perry]

  *) New function ASN1_mbstring_copy() this copies a string in either
     ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
     into an ASN1_STRING type. A mask of permissible types is passed
     and it chooses the "minimal" type to use or an error if not type
     is suitable.
     [Steve Henson]

  *) Add function equivalents to the various macros in asn1.h. The old
     macros are retained with an M_ prefix. Code inside the library can
     use the M_ macros. External code (including the openssl utility)
     should *NOT* in order to be "shared library friendly".
     [Steve Henson]

  *) Add various functions that can check a certificate's extensions
     to see if it usable for various purposes such as SSL client,
     server or S/MIME and CAs of these types. This is currently 
     VERY EXPERIMENTAL but will ultimately be used for certificate chain
     verification. Also added a -purpose flag to x509 utility to
     print out all the purposes.
     [Steve Henson]

  *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated
     functions.
     [Steve Henson]

  *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
     for, obtain and decode and extension and obtain its critical flag.
     This allows all the necessary extension code to be handled in a
     single function call.
     [Steve Henson]

  *) RC4 tune-up featuring 30-40% performance improvement on most RISC
     platforms. See crypto/rc4/rc4_enc.c for further details.
     [Andy Polyakov]

  *) New -noout option to asn1parse. This causes no output to be produced
     its main use is when combined with -strparse and -out to extract data
     from a file (which may not be in ASN.1 format).
     [Steve Henson]

  *) Fix for pkcs12 program. It was hashing an invalid certificate pointer
     when producing the local key id.
     [Richard Levitte <levitte@stacken.kth.se>]

  *) New option -dhparam in s_server. This allows a DH parameter file to be
     stated explicitly. If it is not stated then it tries the first server
     certificate file. The previous behaviour hard coded the filename
     "server.pem".
     [Steve Henson]

  *) Add -pubin and -pubout options to the rsa and dsa commands. These allow
     a public key to be input or output. For example:
     openssl rsa -in key.pem -pubout -out pubkey.pem
     Also added necessary DSA public key functions to handle this.
     [Steve Henson]

  *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
     in the message. This was handled by allowing
     X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
     [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>]

  *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
     to the end of the strings whereas this didn't. This would cause problems
     if strings read with d2i_ASN1_bytes() were later modified.
     [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>]

  *) Fix for base64 decode bug. When a base64 bio reads only one line of
     data and it contains EOF it will end up returning an error. This is
     caused by input 46 bytes long. The cause is due to the way base64
     BIOs find the start of base64 encoded data. They do this by trying a
     trial decode on each line until they find one that works. When they
     do a flag is set and it starts again knowing it can pass all the
     data directly through the decoder. Unfortunately it doesn't reset
     the context it uses. This means that if EOF is reached an attempt
     is made to pass two EOFs through the context and this causes the
     resulting error. This can also cause other problems as well. As is
     usual with these problems it takes *ages* to find and the fix is
     trivial: move one line.
     [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ]

  *) Ugly workaround to get s_client and s_server working under Windows. The
     old code wouldn't work because it needed to select() on sockets and the
     tty (for keypresses and to see if data could be written). Win32 only
     supports select() on sockets so we select() with a 1s timeout on the
     sockets and then see if any characters are waiting to be read, if none
     are present then we retry, we also assume we can always write data to
     the tty. This isn't nice because the code then blocks until we've
     received a complete line of data and it is effectively polling the
     keyboard at 1s intervals: however it's quite a bit better than not
     working at all :-) A dedicated Windows application might handle this
     with an event loop for example.
     [Steve Henson]

  *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
     and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
     will be called when RSA_sign() and RSA_verify() are used. This is useful
     if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
     For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
     should *not* be used: RSA_sign() and RSA_verify() must be used instead.
     This necessitated the support of an extra signature type NID_md5_sha1
     for SSL signatures and modifications to the SSL library to use it instead
     of calling RSA_public_decrypt() and RSA_private_encrypt().
     [Steve Henson]

  *) Add new -verify -CAfile and -CApath options to the crl program, these
     will lookup a CRL issuers certificate and verify the signature in a
     similar way to the verify program. Tidy up the crl program so it
     no longer acesses structures directly. Make the ASN1 CRL parsing a bit
     less strict. It will now permit CRL extensions even if it is not
     a V2 CRL: this will allow it to tolerate some broken CRLs.
     [Steve Henson]

  *) Initialize all non-automatic variables each time one of the openssl
     sub-programs is started (this is necessary as they may be started
     multiple times from the "OpenSSL>" prompt).
     [Lennart Bang, Bodo Moeller]

  *) Preliminary compilation option RSA_NULL which disables RSA crypto without
     removing all other RSA functionality (this is what NO_RSA does). This
     is so (for example) those in the US can disable those operations covered
     by the RSA patent while allowing storage and parsing of RSA keys and RSA
     key generation.
     [Steve Henson]

  *) Non-copying interface to BIO pairs.
     (still largely untested)
     [Bodo Moeller]

  *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive
     ASCII string. This was handled independently in various places before.
     [Steve Henson]

  *) New functions UTF8_getc() and UTF8_putc() that parse and generate
     UTF8 strings a character at a time.
     [Steve Henson]

  *) Use client_version from client hello to select the protocol
     (s23_srvr.c) and for RSA client key exchange verification
     (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
     [Bodo Moeller]

  *) Add various utility functions to handle SPKACs, these were previously
     handled by poking round in the structure internals. Added new function
     NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
     print, verify and generate SPKACs. Based on an original idea from
     Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
     [Steve Henson]

  *) RIPEMD160 is operational on all platforms and is back in 'make test'.
     [Andy Polyakov]

  *) Allow the config file extension section to be overwritten on the
     command line. Based on an original idea from Massimiliano Pala
     <madwolf@comune.modena.it>. The new option is called -extensions
     and can be applied to ca, req and x509. Also -reqexts to override
     the request extensions in req and -crlexts to override the crl extensions
     in ca.
     [Steve Henson]

  *) Add new feature to the SPKAC handling in ca.  Now you can include
     the same field multiple times by preceding it by "XXXX." for example:
     1.OU="Unit name 1"
     2.OU="Unit name 2"
     this is the same syntax as used in the req config file.
     [Steve Henson]

  *) Allow certificate extensions to be added to certificate requests. These
     are specified in a 'req_extensions' option of the req section of the
     config file. They can be printed out with the -text option to req but
     are otherwise ignored at present.
     [Steve Henson]

  *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
     data read consists of only the final block it would not decrypted because
     EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
     A misplaced 'break' also meant the decrypted final block might not be
     copied until the next read.
     [Steve Henson]

  *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
     a few extra parameters to the DH structure: these will be useful if
     for example we want the value of 'q' or implement X9.42 DH.
     [Steve Henson]

  *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and
     provides hooks that allow the default DSA functions or functions on a
     "per key" basis to be replaced. This allows hardware acceleration and
     hardware key storage to be handled without major modification to the
     library. Also added low level modexp hooks and CRYPTO_EX structure and 
     associated functions.
     [Steve Henson]

  *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
     as "read only": it can't be written to and the buffer it points to will
     not be freed. Reading from a read only BIO is much more efficient than
     a normal memory BIO. This was added because there are several times when
     an area of memory needs to be read from a BIO. The previous method was
     to create a memory BIO and write the data to it, this results in two
     copies of the data and an O(n^2) reading algorithm. There is a new
     function BIO_new_mem_buf() which creates a read only memory BIO from
     an area of memory. Also modified the PKCS#7 routines to use read only
     memory BIOSs.
     [Steve Henson]

  *) Bugfix: ssl23_get_client_hello did not work properly when called in
     state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
     a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
     but a retry condition occured while trying to read the rest.
     [Bodo Moeller]

  *) The PKCS7_ENC_CONTENT_new() function was setting the content type as
     NID_pkcs7_encrypted by default: this was wrong since this should almost
     always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
     the encrypted data type: this is a more sensible place to put it and it
     allows the PKCS#12 code to be tidied up that duplicated this
     functionality.
     [Steve Henson]

  *) Changed obj_dat.pl script so it takes its input and output files on
     the command line. This should avoid shell escape redirection problems
     under Win32.
     [Steve Henson]

  *) Initial support for certificate extension requests, these are included
     in things like Xenroll certificate requests. Included functions to allow
     extensions to be obtained and added.
     [Steve Henson]

  *) -crlf option to s_client and s_server for sending newlines as
     CRLF (as required by many protocols).
     [Bodo Moeller]

 Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
  
  *) Install libRSAglue.a when OpenSSL is built with RSAref.
     [Ralf S. Engelschall]

  *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
     [Andrija Antonijevic <TheAntony2@bigfoot.com>]

  *) Fix -startdate and -enddate (which was missing) arguments to 'ca'
     program.
     [Steve Henson]

  *) New function DSA_dup_DH, which duplicates DSA parameters/keys as
     DH parameters/keys (q is lost during that conversion, but the resulting
     DH parameters contain its length).

     For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
     much faster than DH_generate_parameters (which creates parameters
     where p = 2*q + 1), and also the smaller q makes DH computations
     much more efficient (160-bit exponentiation instead of 1024-bit
     exponentiation); so this provides a convenient way to support DHE
     ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
     utter importance to use
         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
     or
         SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
     when such DH parameters are used, because otherwise small subgroup
     attacks may become possible!
     [Bodo Moeller]

  *) Avoid memory leak in i2d_DHparams.
     [Bodo Moeller]

  *) Allow the -k option to be used more than once in the enc program:
     this allows the same encrypted message to be read by multiple recipients.
     [Steve Henson]

  *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
     an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
     it will always use the numerical form of the OID, even if it has a short
     or long name.
     [Steve Henson]

  *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
     method only got called if p,q,dmp1,dmq1,iqmp components were present,
     otherwise bn_mod_exp was called. In the case of hardware keys for example
     no private key components need be present and it might store extra data
     in the RSA structure, which cannot be accessed from bn_mod_exp.
     By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
     private key operations.
     [Steve Henson]

  *) Added support for SPARC Linux.
     [Andy Polyakov]

  *) pem_password_cb function type incompatibly changed from
          typedef int pem_password_cb(char *buf, int size, int rwflag);
     to
          ....(char *buf, int size, int rwflag, void *userdata);
     so that applications can pass data to their callbacks:
     The PEM[_ASN1]_{read,write}... functions and macros now take an
     additional void * argument, which is just handed through whenever
     the password callback is called.
     [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller]

     New function SSL_CTX_set_default_passwd_cb_userdata.

     Compatibility note: As many C implementations push function arguments
     onto the stack in reverse order, the new library version is likely to
     interoperate with programs that have been compiled with the old
     pem_password_cb definition (PEM_whatever takes some data that
     happens to be on the stack as its last argument, and the callback
     just ignores this garbage); but there is no guarantee whatsoever that
     this will work.

  *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
     (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
     problems not only on Windows, but also on some Unix platforms.
     To avoid problematic command lines, these definitions are now in an
     auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
     for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
     [Bodo Moeller]

  *) MIPS III/IV assembler module is reimplemented.
     [Andy Polyakov]

  *) More DES library cleanups: remove references to srand/rand and
     delete an unused file.