 OpenSSL CHANGES
 _______________

 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Enhanced support for Alpha Linux is added. Now ./config checks if
     the host supports BWX extension and if Compaq C is present on the
     $PATH. Just exploiting of the BWX extension results in 20-30%
     performance kick for some algorithms, e.g. DES and RC4 to mention
     a couple. Compaq C in turn generates ~20% faster code for MD5 and
     SHA1.
     [Andy Polyakov]

  *) Add support for MS "fast SGC". This is arguably a violation of the
     SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
     weak crypto and after checking the certificate is SGC a second one
     with strong crypto. MS SGC stops the first handshake after receiving
     the server certificate message and sends a second client hello. Since
     a server will typically do all the time consuming operations before
     expecting any further messages from the client (server key exchange
     is the most expensive) there is little difference between the two.

     To get OpenSSL to support MS SGC we have to permit a second client
     hello message after we have sent server done. In addition we have to
     reset the MAC if we do get this second client hello and include the
     data just received.
     [Steve Henson]

  *) Add a function 'd2i_AutoPrivateKey()': this will automatically decide
     if a DER encoded private key is RSA or DSA traditional format. Changed
     d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
     format DER encoded private key. Newer code should use PKCS#8 format which
     has the key type encoded in the ASN1 structure. Added DER private key
     support to pkcs8 application.
     [Steve Henson]

  *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
     ciphersuite has been selected (as required by the SSL 3/TLS 1
     specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
     is set, we interpret this as a request to violate the specification
     (the worst that can happen is a handshake failure, and 'correct'
     behaviour would result in a handshake failure anyway).
     [Bodo Moeller]

  *) In SSL_CTX_add_session, take into account that there might be multiple
     SSL_SESSION structures with the same session ID (e.g. when two threads
     concurrently obtain them from an external cache).
     The internal cache can handle only one SSL_SESSION with a given ID,
     so if there's a conflict, we now throw out the old one to achieve
     consistency.
     [Bodo Moeller]

  *) Add OIDs for idea and blowfish in CBC mode. This will allow both
     to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
     some routines that use cipher OIDs: some ciphers do not have OIDs
     defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
     example.
     [Steve Henson]

  *) Simplify the trust setting structure and code. Now we just have
     two sequences of OIDs for trusted and rejected settings. These will
     typically have values the same as the extended key usage extension
     and any application specific purposes.

     The trust checking code now has a default behaviour: it will just
     check for an object with the same NID as the passed id. Functions can
     be provided to override either the default behaviour or the behaviour
     for a given id. SSL client, server and email already have functions
     in place for compatibility: they check the NID and also return "trusted"
     if the certificate is self signed.
     [Steve Henson]

  *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
     traditional format into an EVP_PKEY structure.
     [Steve Henson]

  *) Add a password callback function PEM_cb() which either prompts for
     a password if usr_data is NULL or otherwise assumes it is a null
     terminated password. Allow passwords to be passed on the command line,
     environment or config files in a few more utilities.
     [Steve Henson]

  *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
     keys. Add some short names for PKCS#8 PBE algorithms and allow them
     to be specified on the command line for the pkcs8 and pkcs12 utilities.
     Update documentation.
     [Steve Henson]

  *) Support for ASN1 "NULL" type. This could be handled before by using
     ASN1_TYPE but there wasn't any function that would try to read a NULL
     and produce an error if it couldn't. For compatibility we also have
     ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
     don't allocate anything because they don't need to.
     [Steve Henson]

  *) Initial support for MacOS is now provided. Examine INSTALL.MacOS
     for details.
     [Andy Polyakov, Roy Woods <roy@centicsystems.ca>]

  *) Rebuild of the memory allocation routines used by OpenSSL code and
     possibly others as well. The purpose is to make an interface that
     provides hooks so anyone can build a separate set of allocation and
     deallocation routines to be used by OpenSSL, for example if memory
     pool implementations, or something else. The same is provided for
     memory debugging code. OpenSSL already comes with code that finds
     memory leaks, but this gives people a chance to debug other memory
     problems.

     With these changes, a new set of functions and macros have appeared:

       CRYPTO_set_mem_debug_functions()        [F]
       CRYPTO_get_mem_debug_functions()        [F]
       CRYPTO_dbg_set_options()                [F]
       CRYPTO_dbg_get_options()                [F]
       CRYPTO_malloc_debug_init()              [M]

     The memory debug functions are NULL by default, unless the library
     is compiled with CRYPTO_MDEBUG or friends defined. If someone
     wants to debug memory anyway, CRYPTO_malloc_debug_init() or
     CRYPTO_set_mem_debug_functions() must be used.

     Also, things like CRYPTO_set_mem_functions will always give the
     expected result (the new set of functions is used for allocation
     and deallocation) at all times, regardless of platform and compiler
     options.

     To finish it up, some functions that were never used in any other
     way than through macros have a new API and new semantics:

       CRYPTO_dbg_malloc()
       CRYPTO_dbg_realloc()
       CRYPTO_dbg_free()

     All macros of value have retained their old syntax.
     [Richard Levitte]

  *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
     ordering of SMIMECapabilities wasn't in "strength order" and there
     was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
     algorithm.
     [Steve Henson]

  *) Some ASN1 types with illegal zero length encoding (INTEGER,
     ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
     [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]

  *) Merge in my S/MIME library for OpenSSL. This provides a simple
     S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
     functionality to handle multipart/signed properly) and a utility
     called 'smime' to call all this stuff. This is based on code I
     originally wrote for Celo who have kindly allowed it to be
     included in OpenSSL.
     [Steve Henson]

  *) Add variants des_set_key_checked and des_set_key_unchecked of
     des_set_key (aka des_key_sched). Global variable des_check_key
     decides which of these is called by des_set_key; this way
     des_check_key behaves as it always did, but applications and
     the library itself, which was buggy for des_check_key == 1,
     have a cleaner way to pick the version they need.
     [Bodo Moeller]

  *) New function PKCS12_newpass() which changes the password of a
     PKCS12 structure.
     [Steve Henson]

  *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
     dynamic mix. In both cases the ids can be used as an index into the
     table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
     functions so they accept a list of the field values and the
     application doesn't need to directly manipulate the X509_TRUST
     structure.
     [Steve Henson]

  *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
     need initialising.
     [Steve Henson]

  *) Modify the way the V3 extension code looks up extensions. This now
     works in a similar way to the object code: we have some "standard"
     extensions in a static table which is searched with OBJ_bsearch()
     and the application can add dynamic ones if needed. The file
     crypto/x509v3/ext_dat.h now has the info: this file needs to be
     updated whenever a new extension is added to the core code and kept
     in ext_nid order. There is a simple program 'tabtest.c' which checks
     this. New extensions are not added too often so this file can readily
     be maintained manually.

     There are two big advantages in doing things this way. The extensions
     can be looked up immediately and no longer need to be "added" using
     X509V3_add_standard_extensions(): this function now does nothing.
     [Side note: I get *lots* of email saying the extension code doesn't
     work because people forget to call this function]
     Also no dynamic allocation is done unless new extensions are added:
     so if we don't add custom extensions there is no need to call
     X509V3_EXT_cleanup().
     [Steve Henson]

  *) Modify enc utility's salting as follows: make salting the default. Add a
     magic header, so unsalted files fail gracefully instead of just decrypting
     to garbage. This is because not salting is a big security hole, so people
     should be discouraged from doing it.
     [Ben Laurie]

  *) Fixes and enhancements to the 'x509' utility. It allowed a message
     digest to be passed on the command line but it only used this
     parameter when signing a certificate. Modified so all relevant
     operations are affected by the digest parameter including the
     -fingerprint and -x509toreq options. Also -x509toreq choked if a
     DSA key was used because it didn't fix the digest.
     [Steve Henson]

  *) Initial certificate chain verify code. Currently tests the untrusted
     certificates for consistency with the verify purpose (which is set
     when the X509_STORE_CTX structure is set up) and checks the pathlength.

     There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
     this is because it will reject chains with invalid extensions whereas
     every previous version of OpenSSL and SSLeay made no checks at all.

     Trust code: checks the root CA for the relevant trust settings. Trust
     settings have an initial value consistent with the verify purpose: e.g.
     if the verify purpose is for SSL client use it expects the CA to be
     trusted for SSL client use. However the default value can be changed to
     permit custom trust settings: one example of this would be to only trust
     certificates from a specific "secure" set of CAs.

     Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
     which should be used for version portability: especially since the
     verify structure is likely to change more often now.

     SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
     to set them. If not set then assume SSL clients will verify SSL servers
     and vice versa.

     Two new options to the verify program: -untrusted allows a set of
     untrusted certificates to be passed in and -purpose which sets the
     intended purpose of the certificate. If a purpose is set then the
     new chain verify code is used to check extension consistency.
     [Steve Henson]

  *) Support for the authority information access extension.
     [Steve Henson]

  *) Modify RSA and DSA PEM read routines to transparently handle
     PKCS#8 format private keys. New *_PUBKEY_* functions that handle
     public keys in a format compatible with certificate
     SubjectPublicKeyInfo structures. Unfortunately there were already
     functions called *_PublicKey_* which used various odd formats so
     these are retained for compatibility: however the DSA variants were
     never in a public release so they have been deleted. Changed dsa/rsa
     utilities to handle the new format: note no releases ever handled public
     keys so we should be OK.

     The primary motivation for this change is to avoid the same fiasco
     that dogs private keys: there are several incompatible private key
     formats some of which are standard and some OpenSSL specific and
     require various evil hacks to allow partial transparent handling and
     even then it doesn't work with DER formats. Given the option anything
     other than PKCS#8 should be dumped: but the other formats have to
     stay in the name of compatibility.

     With public keys and the benefit of hindsight one standard format
     is used which works with EVP_PKEY, RSA or DSA structures: though
     it clearly returns an error if you try to read the wrong kind of key.

     Added a -pubkey option to the 'x509' utility to output the public key.
     Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() and add
     EVP_PKEY_rset_*() functions that do the same as the EVP_PKEY_assign_*()
     except they up the reference count of the added key (they don't "swallow"
     the supplied key).
     [Steve Henson]

  *) Fixes to crypto/x509/by_file.c: the code to read in certificates and
     CRLs would fail if the file contained no certificates or no CRLs:
     added a new function to read in both types and return the number
     read: this means that if none are read it will be an error. The
     DER versions of the certificate and CRL reader would always fail
     because it isn't possible to mix certificates and CRLs in DER format
     without choking one or the other routine. Changed this to just read
     a certificate: this is the best we can do. Also modified the code
     in apps/verify.c to take notice of return codes: it was previously
     attempting to read in certificates from NULL pointers and ignoring
     any errors: this is one reason why the cert and CRL reader seemed
     to work. It doesn't check return codes from the default certificate
     routines: these may well fail if the certificates aren't installed.
     [Steve Henson]

  *) Code to support otherName option in GeneralName.
     [Steve Henson]

  *) First update to verify code. Change the verify utility
     so it warns if it is passed a self signed certificate:
     for consistency with the normal behaviour. X509_verify
     has been modified so it will now verify a self signed
     certificate if *exactly* the same certificate appears
     in the store: it was previously impossible to trust a
     single self signed certificate. This means that:
       openssl verify ss.pem
     now gives a warning about a self signed certificate but
       openssl verify -CAfile ss.pem ss.pem
     is OK.
     [Steve Henson]

  *) For servers, store verify_result in SSL_SESSION data structure
     (and add it to external session representation).
     This is needed when client certificate verification fails,
     but an application-provided verification callback (set by
     SSL_CTX_set_cert_verify_callback) allows accepting the session
     anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
     but returns 1): When the session is reused, we have to set
     ssl->verify_result to the appropriate error code to avoid
     security holes.
     [Bodo Moeller, problem pointed out by Lutz Jaenicke]

  *) Fix a bug in the new PKCS#7 code: it didn't consider the
     case in PKCS7_dataInit() where the signed PKCS7 structure
     didn't contain any existing data because it was being created.
     [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]

  *) Add a salt to the key derivation routines in enc.c. This
     forms the first 8 bytes of the encrypted file. Also add a
     -S option to allow a salt to be input on the command line.
     [Steve Henson]
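
     The two salting entries above (the salt that heads the encrypted file, and the
     later change that makes salting the default and adds a magic header) describe a
     file layout and a password-to-key step. The following is an added example, not
     OpenSSL's enc.c: it assumes the magic is the 8-byte marker b"Salted__" (the entry
     only says "a magic header") and that the derivation is the single-iteration MD5
     scheme known as EVP_BytesToKey; both are taken from the enc format as known to the
     editor, not from the page's wording.

```python
import hashlib
import os
from typing import Optional, Tuple

MAGIC = b"Salted__"   # assumed marker; the CHANGES entry only says "a magic header"
SALT_LEN = 8          # "the first 8 bytes" after the magic, per the salt entry


def bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int) -> Tuple[bytes, bytes]:
    """EVP_BytesToKey-style derivation, MD5, one iteration (assumed for enc):
    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    need = key_len + iv_len
    material, prev = b"", b""
    while len(material) < need:
        prev = hashlib.md5(prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:need]


def write_salted_header(salt: Optional[bytes] = None) -> bytes:
    """Header a salting writer prepends to the ciphertext; fresh random salt by default."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    return MAGIC + salt


def parse_salted_header(data: bytes) -> Tuple[bytes, bytes]:
    """Split a salted file into (salt, ciphertext).

    Refusing anything without the magic is the 'fail gracefully' behaviour the
    header buys: an unsalted file is rejected up front instead of being
    decrypted under a key derived from the wrong salt and emitted as garbage."""
    if len(data) < len(MAGIC) + SALT_LEN:
        raise ValueError("too short to carry a salted header")
    if not data.startswith(MAGIC):
        raise ValueError("bad magic: not a salted file")
    return data[len(MAGIC):len(MAGIC) + SALT_LEN], data[len(MAGIC) + SALT_LEN:]


def same_key(password: bytes, salt_a: bytes, salt_b: bytes) -> bool:
    """True when two files under one password would share an encryption key.
    With empty salts (the old unsalted mode) this is always True, which is the
    'big security hole' the later entry refers to: one recovered or precomputed
    key covers every file ever made with that password."""
    key_a, _ = bytes_to_key(password, salt_a, 16, 8)
    key_b, _ = bytes_to_key(password, salt_b, 16, 8)
    return key_a == key_b


if __name__ == "__main__":
    # Constructed sample: a fixed salt followed by four dummy ciphertext bytes.
    sample = write_salted_header(b"\x01" * 8) + b"\xde\xad\xbe\xef"
    salt, body = parse_salted_header(sample)
    key, iv = bytes_to_key(b"correct horse", salt, 16, 8)
    print("salt", salt.hex(), "key", key.hex(), "iv", iv.hex(), "body", body.hex())
    print("unsalted files share a key:", same_key(b"pw", b"", b""))
    print("salted files share a key:", same_key(b"pw", os.urandom(8), os.urandom(8)))
```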

  *) New function X509_cmp(). Oddly enough there wasn't a function
     to compare two certificates. We do this by working out the SHA1
     hash and comparing that. X509_cmp() will be needed by the trust
     code.
     [Steve Henson]

  *) Correctly increment the reference count in the SSL_SESSION pointer
     returned from SSL_get_session().
     [Geoff Thorpe <geoff@eu.c2.net>]

  *) Fix for 'req': it was adding a null to request attributes.
     Also change the X509_LOOKUP and X509_INFO code to handle
     certificate auxiliary information.
     [Steve Henson]

  *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
     the 'enc' command.
     [Steve Henson]

  *) Add the possibility to add extra information to the memory leak
     detecting output, to form tracebacks, showing from where each
     allocation was originated. Also updated sid code to be
     multi-thread-safe.
     [Richard Levitte]

  *) Add options -text and -noout to pkcs7 utility and delete the
     encryption options which never did anything. Update docs.
     [Steve Henson]

  *) Add options to some of the utilities to allow the pass phrase
     to be included on either the command line (not recommended on
     OSes like Unix) or read from the environment. Update the
     manpages and fix a few bugs.
     [Steve Henson]

  *) Add a few manpages for some of the openssl commands.
     [Steve Henson]

  *) Fix the -revoke option in ca. It was freeing up memory twice,
     leaking and not finding already revoked certificates.
     [Steve Henson]

  *) Extensive changes to support certificate auxiliary information.
     This involves the use of X509_CERT_AUX structure and X509_AUX
     functions. An X509_AUX function such as PEM_read_X509_AUX()
     can still read in a certificate file in the usual way but it
     will also read in any additional "auxiliary information". By
     doing things this way a fair degree of compatibility can be
     retained: existing certificates can have this information added
     using the new 'x509' options.

     Current auxiliary information includes an "alias" and some trust
     settings. The trust settings will ultimately be used in enhanced
     certificate chain verification routines: currently a certificate
     can only be trusted if it is self signed and then it is trusted
     for all purposes.
     [Steve Henson]

  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The
     problem was that one of the replacement routines had not been working since
     SSLeay releases. For now the offending routine has been replaced with
     non-optimised assembler. Even so, this now gives around 95% performance
     improvement for 1024 bit RSA signs.
     [Mark Cox]

  *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
     handling. Most clients have the effective key size in bits equal to
     the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
     A few however don't do this and instead use the size of the decrypted key
     to determine the RC2 key length and the AlgorithmIdentifier to determine
     the effective key length. In this case the effective key length can still
     be 40 bits but the key length can be 168 bits for example. This is fixed
     by manually forcing an RC2 key into the EVP_PKEY structure because the
     EVP code can't currently handle unusual RC2 key sizes: it always assumes
     the key length and effective key length are equal.
     [Steve Henson]
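
     The RC2 entry above turns on two different key-size notions: the length of
     the decrypted key bytes and the effective key bits carried in the
     AlgorithmIdentifier. The following is an added example, not OpenSSL code,
     that parses the RC2-CBC parameters and flags the mismatched case the entry
     describes. It assumes the RC2-CBC-Parameter layout and the version-number to
     effective-bits mapping of RFC 2268 (160 -> 40, 120 -> 64, 58 -> 128, values
     of 256 and above are literal); the sample encodings are constructed here.

```python
from typing import Tuple

# rc2ParameterVersion INTEGER -> effective key bits (RFC 2268, section 6).
VERSION_TO_EFFECTIVE_BITS = {160: 40, 120: 64, 58: 128}


def rc2_effective_bits(version: int) -> int:
    """Values of 256 and above are the effective bit count itself; smaller
    values are looked up in the RFC's table."""
    if version >= 256:
        return version
    if version in VERSION_TO_EFFECTIVE_BITS:
        return VERSION_TO_EFFECTIVE_BITS[version]
    raise ValueError(f"unsupported rc2ParameterVersion {version}")


def read_tlv(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one DER element with the expected tag (short-form length only,
    which is all these small parameter structures ever need)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated DER")
    length = buf[pos + 1]
    end = pos + 2 + length
    if length >= 0x80 or end > len(buf):
        raise ValueError("bad DER length")
    return buf[pos + 2:end], end


def parse_rc2_cbc_params(der: bytes) -> Tuple[int, bytes]:
    """RC2-CBC-Parameter ::= SEQUENCE { rc2ParameterVersion INTEGER, iv OCTET STRING (8) }"""
    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after parameters")
    ver, pos = read_tlv(body, 0, 0x02)
    iv, pos = read_tlv(body, pos, 0x04)
    if pos != len(body) or len(iv) != 8:
        raise ValueError("malformed RC2-CBC parameters")
    return int.from_bytes(ver, "big", signed=True), iv


def encode_rc2_cbc_params(version: int, iv: bytes) -> bytes:
    """Inverse of parse_rc2_cbc_params; used to build the constructed samples."""
    if version < 0 or len(iv) != 8:
        raise ValueError("version must be non-negative and iv 8 bytes")
    ver = version.to_bytes((version.bit_length() + 8) // 8, "big")  # room for the sign bit
    body = bytes([0x02, len(ver)]) + ver + bytes([0x04, len(iv)]) + iv
    return bytes([0x30, len(body)]) + body


def classify_rc2_key(key: bytes, params: bytes) -> Tuple[int, int, bool]:
    """Return (key_bits, effective_bits, mismatch).

    The usual case has the two equal (a 40-bit effective key carried in 5
    bytes). The case the entry works around is key material sized on its own,
    e.g. 21 bytes = 168 bits, while the AlgorithmIdentifier still says 40
    effective bits: a decoder that assumes the two are equal sets the cipher
    up wrongly, so a PKCS#7 decryptor has to handle them separately."""
    version, _iv = parse_rc2_cbc_params(params)
    effective = rc2_effective_bits(version)
    key_bits = len(key) * 8
    return key_bits, effective, key_bits != effective


if __name__ == "__main__":
    # Constructed sample: version 160 (40 effective bits) with a fixed IV.
    params = encode_rc2_cbc_params(160, bytes(range(8)))
    print("5-byte key: ", classify_rc2_key(b"\x00" * 5, params))
    print("21-byte key:", classify_rc2_key(b"\x00" * 21, params))
```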

  *) Add a bunch of functions that should simplify the creation of
     X509_NAME structures. Now you should be able to do:
       X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
     and have it automatically work out the correct field type and fill in
     the structures. The more adventurous can try:
       X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
     and it will (hopefully) work out the correct multibyte encoding.
     [Steve Henson]

  *) Change the 'req' utility to use the new field handling and multibyte
     copy routines. Before the DN field creation was handled in an ad hoc
     way in req, ca, and x509 which was rather broken and didn't support
     BMPStrings or UTF8Strings. Since some software doesn't implement
     BMPStrings or UTF8Strings yet, they can be enabled using the config file
     using the dirstring_type option. See the new comment in the default
     openssl.cnf for more info.
     [Steve Henson]

  *) Make crypto/rand/md_rand.c more robust:
     - Assure unique random numbers after fork().
     - Make sure that concurrent threads access the global counter and
       md serializably so that we never lose entropy in them
       or use exactly the same state in multiple threads.
       Access to the large state is not always serializable because
       the additional locking could be a performance killer, and
       md should be large enough anyway.
     [Bodo Moeller]

  *) New file apps/app_rand.c with commonly needed functionality
     for handling the random seed file.

     Use the random seed file in some applications that previously did not:
       ca,
       dsaparam -genkey (which also ignored its '-rand' option),
       s_client,
       s_server,
       x509 (when signing).
     Except on systems with /dev/urandom, it is crucial to have a random
     seed file at least for key creation, DSA signing, and for DH exchanges;
     for RSA signatures we could do without one.

     gendh and gendsa (unlike genrsa) used to read only the first byte
     of each file listed in the '-rand' option. The function as previously
     found in genrsa is now in app_rand.c and is used by all programs
     that support '-rand'.
     [Bodo Moeller]

  *) In RAND_write_file, use mode 0600 for creating files;
     don't just chmod when it may be too late.
     [Bodo Moeller]
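
     The RAND_write_file entry above is about the window between creating the
     seed file and restricting it. The following is an added example, not
     OpenSSL's RAND_write_file, that shows the two approaches side by side on a
     POSIX system: the mode of the file while the seed is being written is what a
     second local user could have read. File names, the umask values and the
     all-zero "seed" are constructed for the example.

```python
import os
import stat
import tempfile
from typing import Tuple


def write_seed_chmod_later(path: str, seed: bytes) -> int:
    """The pattern the entry moves away from: create the file with the usual
    0666 & ~umask permissions (what a plain fopen(path, "w") gives), write the
    seed, then tighten it with chmod. Returns the mode the file had while the
    seed was being written, i.e. what another local user could have seen."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        mode_while_writing = stat.S_IMODE(os.fstat(fd).st_mode)
        os.write(fd, seed)
    finally:
        os.close(fd)
    os.chmod(path, 0o600)  # too late if the file was already opened or read
    return mode_while_writing


def write_seed_0600(path: str, seed: bytes) -> int:
    """Create with mode 0600 in the same open() that creates the file, so the
    seed is never readable by others. Returns the mode while writing.

    Caveat: the mode argument applies only when open() actually creates the
    file. If a loosely-permissioned seed file already exists, the mode is not
    applied, so the stale file is removed first and O_EXCL insists on a fresh
    one (and refuses to follow a planted symlink)."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        mode_while_writing = stat.S_IMODE(os.fstat(fd).st_mode)
        os.write(fd, seed)
    finally:
        os.close(fd)
    return mode_while_writing


def compare_under_umask(umask: int) -> Tuple[int, int]:
    """Run both writers in a temporary directory under `umask`;
    return (mode seen by chmod-later, mode seen by 0600-at-creation)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            seed = b"\x00" * 1024  # constructed placeholder, not real seed material
            later = write_seed_chmod_later(os.path.join(d, "seed_a"), seed)
            atomic = write_seed_0600(os.path.join(d, "seed_b"), seed)
    finally:
        os.umask(old)
    return later, atomic


if __name__ == "__main__":
    for um in (0o000, 0o022, 0o077):
        later, atomic = compare_under_umask(um)
        print(f"umask {um:04o}: chmod-later {later:04o} while writing, "
              f"0600-at-creation {atomic:04o}")
```

     Only a umask of 077 or stricter makes the chmod-later path safe by accident;
     creating with 0600 does not depend on the caller's umask at all.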

  *) Report an error from X509_STORE_load_locations
     when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
     [Bill Perry]

  *) New function ASN1_mbstring_copy(): this copies a string in either
     ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
     into an ASN1_STRING type. A mask of permissible types is passed
     and it chooses the "minimal" type to use or an error if no type
     is suitable.
     [Steve Henson]
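
     The ASN1_mbstring_copy() entry above, and the X509_NAME_add_entry_by_txt()
     entry earlier that relies on it, describe picking the "minimal" ASN.1 string
     type that a permission mask allows. The following is an added example, not
     OpenSSL's a_mbstr.c: a Python model of that selection over an already decoded
     string, preferring PrintableString, then IA5String, then BMPString, then
     UTF8String, and failing when the mask permits nothing that fits. The mask
     constants and the per-field masks in add_entry_by_txt() are this example's
     own (OpenSSL uses B_ASN1_* names); T61String and UniversalString, which the
     library also handles, are left out. Tag numbers and the PrintableString
     repertoire are the standard X.680 values.

```python
from dataclasses import dataclass

# Universal class tag numbers of the string types (X.680).
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_IA5STRING = 0x16
TAG_BMPSTRING = 0x1E

# Mask bits are this example's own; OpenSSL uses B_ASN1_* constants.
PRINTABLE, IA5, BMP, UTF8 = 1, 2, 4, 8
ANY = PRINTABLE | IA5 | BMP | UTF8

# PrintableString repertoire: letters, digits, space and a few punctuation marks.
PRINTABLE_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


@dataclass
class Asn1String:
    tag: int    # chosen universal tag
    der: bytes  # complete tag-length-value encoding


def der_length(n: int) -> bytes:
    """DER definite-form length: one byte below 128, else 0x80|count then big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def mbstring_copy(text: str, mask: int) -> Asn1String:
    """Choose the minimal permitted type for `text` and DER-encode it.

    Each type is taken only if the mask permits it and its repertoire covers
    every character; if nothing fits, the copy fails, which is the error case
    the CHANGES entry mentions.
    """
    if mask & PRINTABLE and all(c in PRINTABLE_CHARS for c in text):
        return Asn1String(TAG_PRINTABLESTRING, tlv(TAG_PRINTABLESTRING, text.encode("ascii")))
    if mask & IA5 and all(ord(c) < 0x80 for c in text):
        return Asn1String(TAG_IA5STRING, tlv(TAG_IA5STRING, text.encode("ascii")))
    if mask & BMP and all(ord(c) < 0x10000 for c in text):
        # BMPString is UCS-2: two bytes per character, big-endian.
        return Asn1String(TAG_BMPSTRING, tlv(TAG_BMPSTRING, text.encode("utf-16-be")))
    if mask & UTF8:
        return Asn1String(TAG_UTF8STRING, tlv(TAG_UTF8STRING, text.encode("utf-8")))
    raise ValueError("no permitted ASN.1 string type can represent this text")


def add_entry_by_txt(field: str, text: str) -> Asn1String:
    """Model of the X509_NAME_add_entry_by_txt() step that picks the field's
    type mask and lets mbstring_copy choose. The field masks are simplified and
    constructed for this example: emailAddress is IA5String only, any other
    attribute may use any of the types above."""
    mask = IA5 if field == "emailAddress" else ANY
    return mbstring_copy(text, mask)


if __name__ == "__main__":
    for field, value in (("CN", "Steve"), ("emailAddress", "steve@example.com"),
                         ("L", "Z\u00fcrich"), ("O", "\U0001f512 Ltd")):
        s = add_entry_by_txt(field, value)
        print(f"{field}={value!r}: tag 0x{s.tag:02x} der {s.der.hex()}")
```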
465 | ||
08e9c1af DSH |
466 | *) Add function equivalents to the various macros in asn1.h. The old |
467 | macros are retained with an M_ prefix. Code inside the library can | |
468 | use the M_ macros. External code (including the openssl utility) | |
469 | should *NOT* in order to be "shared library friendly". | |
470 | [Steve Henson] | |
471 | ||
673b102c DSH |
472 | *) Add various functions that can check a certificate's extensions |
473 | to see if it usable for various purposes such as SSL client, | |
474 | server or S/MIME and CAs of these types. This is currently | |
475 | VERY EXPERIMENTAL but will ultimately be used for certificate chain | |
476 | verification. Also added a -purpose flag to x509 utility to | |
477 | print out all the purposes. | |
478 | [Steve Henson] | |
479 | ||
56a3fec1 DSH |
480 | *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated |
481 | functions. | |
482 | [Steve Henson] | |
483 | ||
4654ef98 DSH |
484 | *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search |
485 | for, obtain and decode and extension and obtain its critical flag. | |
486 | This allows all the necessary extension code to be handled in a | |
487 | single function call. | |
488 | [Steve Henson] | |
489 | ||
7e102e28 AP |
490 | *) RC4 tune-up featuring 30-40% performance improvement on most RISC |
491 | platforms. See crypto/rc4/rc4_enc.c for further details. | |
492 | [Andy Polyakov] | |
493 | ||
d71c6bc5 DSH |
494 | *) New -noout option to asn1parse. This causes no output to be produced |
495 | its main use is when combined with -strparse and -out to extract data | |
496 | from a file (which may not be in ASN.1 format). | |
497 | [Steve Henson] | |
498 | ||
2d681b77 DSH |
499 | *) Fix for pkcs12 program. It was hashing an invalid certificate pointer |
500 | when producing the local key id. | |
501 | [Richard Levitte <levitte@stacken.kth.se>] | |
502 | ||
3908cdf4 DSH |
503 | *) New option -dhparam in s_server. This allows a DH parameter file to be |
504 | stated explicitly. If it is not stated then it tries the first server | |
505 | certificate file. The previous behaviour hard coded the filename | |
506 | "server.pem". | |
507 | [Steve Henson] | |
508 | ||
3ea23631 DSH |
509 | *) Add -pubin and -pubout options to the rsa and dsa commands. These allow |
510 | a public key to be input or output. For example: | |
511 | openssl rsa -in key.pem -pubout -out pubkey.pem | |
512 | Also added necessary DSA public key functions to handle this. | |
513 | [Steve Henson] | |
514 | ||
393f2c65 DSH |
515 | *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained |
516 | in the message. This was handled by allowing | |
517 | X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. | |
518 | [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>] | |
519 | ||
520 | *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null | |
521 | to the end of the strings whereas this didn't. This would cause problems | |
522 | if strings read with d2i_ASN1_bytes() were later modified. | |
523 | [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>] | |
524 | ||
4579dd5d DSH |
525 | *) Fix for base64 decode bug. When a base64 bio reads only one line of |
526 | data and it contains EOF it will end up returning an error. This is | |
527 | caused by input 46 bytes long. The cause is due to the way base64 | |
528 | BIOs find the start of base64 encoded data. They do this by trying a | |
529 | trial decode on each line until they find one that works. When they | |
530 | do a flag is set and it starts again knowing it can pass all the | |
531 | data directly through the decoder. Unfortunately it doesn't reset | |
532 | the context it uses. This means that if EOF is reached an attempt | |
533 | is made to pass two EOFs through the context and this causes the | |
534 | resulting error. This can also cause other problems as well. As is | |
535 | usual with these problems it takes *ages* to find and the fix is | |
536 | trivial: move one line. | |
537 | [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] | |
538 | ||
06f4536a DSH |
539 | *) Ugly workaround to get s_client and s_server working under Windows. The |
540 | old code wouldn't work because it needed to select() on sockets and the | |
541 | tty (for keypresses and to see if data could be written). Win32 only | |
542 | supports select() on sockets so we select() with a 1s timeout on the | |
543 | sockets and then see if any characters are waiting to be read, if none | |
544 | are present then we retry, we also assume we can always write data to | |
545 | the tty. This isn't nice because the code then blocks until we've | |
546 | received a complete line of data and it is effectively polling the | |
547 | keyboard at 1s intervals: however it's quite a bit better than not | |
548 | working at all :-) A dedicated Windows application might handle this | |
549 | with an event loop for example. | |
550 | [Steve Henson] | |
551 | ||
1c80019a DSH |
552 | *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign |
553 | and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions | |
554 | will be called when RSA_sign() and RSA_verify() are used. This is useful | |
555 | if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. | |
556 | For this to work properly RSA_public_decrypt() and RSA_private_encrypt() | |
557 | should *not* be used: RSA_sign() and RSA_verify() must be used instead. | |
558 | This necessitated the support of an extra signature type NID_md5_sha1 | |
559 | for SSL signatures and modifications to the SSL library to use it instead | |
560 | of calling RSA_public_decrypt() and RSA_private_encrypt(). | |
561 | [Steve Henson] | |
562 | ||
090d848e DSH |
563 | *) Add new -verify -CAfile and -CApath options to the crl program; these |
564 | will look up a CRL issuer's certificate and verify the signature in a | |
565 | similar way to the verify program. Tidy up the crl program so it | |
566 | no longer accesses structures directly. Make the ASN1 CRL parsing a bit | |
567 | less strict. It will now permit CRL extensions even if it is not | |
568 | a V2 CRL: this will allow it to tolerate some broken CRLs. | |
569 | [Steve Henson] | |
570 | ||
396f6314 BM |
571 | *) Initialize all non-automatic variables each time one of the openssl |
572 | sub-programs is started (this is necessary as they may be started | |
573 | multiple times from the "OpenSSL>" prompt). | |
574 | [Lennart Bang, Bodo Moeller] | |
575 | ||
4a61a64f DSH |
576 | *) Preliminary compilation option RSA_NULL which disables RSA crypto without |
577 | removing all other RSA functionality (this is what NO_RSA does). This | |
578 | is so (for example) those in the US can disable those operations covered | |
579 | by the RSA patent while allowing storage and parsing of RSA keys and RSA | |
580 | key generation. | |
581 | [Steve Henson] | |
582 | ||
c1082a90 | 583 | *) Non-copying interface to BIO pairs. |
6f7af152 | 584 | (still largely untested) |
c1082a90 BM |
585 | [Bodo Moeller] |
586 | ||
a785abc3 DSH |
587 | *) New function ASN1_tag2str() to convert an ASN1 tag to a descriptive |
588 | ASCII string. This was handled independently in various places before. | |
589 | [Steve Henson] | |
590 | ||
aef838fc DSH |
591 | *) New functions UTF8_getc() and UTF8_putc() that parse and generate |
592 | UTF8 strings a character at a time. | |
593 | [Steve Henson] | |
594 | ||
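As an added illustration of what "a character at a time" UTF-8 parsing has to guard against (example code written for this page, not OpenSSL's UTF8_getc()/UTF8_putc()): a decoder that accepts overlong forms, surrogates or values past U+10FFFF lets one code point have several byte spellings, which defeats any filter or comparison done on the encoded bytes. The function names utf8_getc, utf8_putc, utf8_count and utf8_roundtrip and the sample byte arrays are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one UTF-8 character from the len bytes at str.
 * Returns the number of bytes consumed, or -1 for malformed input: a stray
 * continuation byte, a sequence cut short, a bad continuation byte, an
 * overlong encoding, a UTF-16 surrogate, or a value above U+10FFFF. */
int utf8_getc(const unsigned char *str, size_t len, uint32_t *val)
{
    uint32_t cp;
    unsigned char c;
    int n, i;

    if (len == 0) return -1;
    c = str[0];
    if (c < 0x80)              { cp = c;        n = 1; }
    else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; n = 2; }
    else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; n = 3; }
    else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; n = 4; }
    else return -1;            /* 0x80..0xBF or 0xF8..0xFF cannot start a character */
    if ((size_t)n > len) return -1;
    for (i = 1; i < n; i++) {
        if ((str[i] & 0xC0) != 0x80) return -1;
        cp = (cp << 6) | (str[i] & 0x3F);
    }
    /* Overlong check: each sequence length has a smallest code point it may carry. */
    if ((n == 2 && cp < 0x80) || (n == 3 && cp < 0x800) || (n == 4 && cp < 0x10000)) return -1;
    if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
    if (cp > 0x10FFFF) return -1;
    *val = cp;
    return n;
}

/* Encode one code point into str (at most len bytes). Returns the length
 * written, or -1 if cp is not a Unicode scalar value or str is too small. */
int utf8_putc(unsigned char *str, size_t len, uint32_t cp)
{
    int n;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return -1;
    n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if ((size_t)n > len) return -1;
    switch (n) {
    case 1: str[0] = (unsigned char)cp; break;
    case 2: str[0] = (unsigned char)(0xC0 | (cp >> 6));
            str[1] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    case 3: str[0] = (unsigned char)(0xE0 | (cp >> 12));
            str[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            str[2] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    default: str[0] = (unsigned char)(0xF0 | (cp >> 18));
            str[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
            str[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
            str[3] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    }
    return n;
}

/* Count characters in a buffer; -1 as soon as one sequence is malformed. */
long utf8_count(const unsigned char *buf, size_t len)
{
    long count = 0;
    size_t pos = 0;
    uint32_t cp;
    while (pos < len) {
        int n = utf8_getc(buf + pos, len - pos, &cp);
        if (n < 0) return -1;
        pos += (size_t)n;
        count++;
    }
    return count;
}

/* 1 if cp encodes and decodes back to itself with the same length, else 0. */
int utf8_roundtrip(uint32_t cp)
{
    unsigned char buf[4];
    uint32_t back = 0;
    int n = utf8_putc(buf, sizeof buf, cp);
    if (n < 0) return 0;
    return utf8_getc(buf, (size_t)n, &back) == n && back == cp;
}

/* Constructed sample inputs. */
const unsigned char utf8_euro[]      = { 0xE2, 0x82, 0xAC };        /* U+20AC, well-formed */
const unsigned char utf8_overlong[]  = { 0xC0, 0xAF };              /* overlong spelling of '/' */
const unsigned char utf8_surrogate[] = { 0xED, 0xA0, 0x80 };        /* U+D800, not a scalar value */
const unsigned char utf8_too_big[]   = { 0xF4, 0x90, 0x80, 0x80 };  /* U+110000, past the limit */
const unsigned char utf8_truncated[] = { 0xE2, 0x82 };              /* three-byte sequence cut short */
const unsigned char utf8_mixed[]     = { 'a', 0xC3, 0xA9, 0xE2, 0x82, 0xAC,
                                         0xF0, 0x9F, 0x98, 0x80 };  /* 4 characters */
```

The decoder reports an error rather than "repairing" bad input, so a caller validating a certificate string never silently accepts a byte sequence that another parser might read differently.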
074309b7 BM |
595 | *) Use client_version from client hello to select the protocol |
596 | (s23_srvr.c) and for RSA client key exchange verification | |
597 | (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. | |
598 | [Bodo Moeller] | |
599 | ||
8ce97163 DSH |
600 | *) Add various utility functions to handle SPKACs; these were previously |
601 | handled by poking round in the structure internals. Added new function | |
602 | NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to | |
603 | print, verify and generate SPKACs. Based on an original idea from | |
604 | Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. | |
605 | [Steve Henson] | |
606 | ||
2d4287da AP |
607 | *) RIPEMD160 is operational on all platforms and is back in 'make test'. |
608 | [Andy Polyakov] | |
609 | ||
87a25f90 DSH |
610 | *) Allow the config file extension section to be overwritten on the |
611 | command line. Based on an original idea from Massimiliano Pala | |
612 | <madwolf@comune.modena.it>. The new option is called -extensions | |
613 | and can be applied to ca, req and x509. Also -reqexts to override | |
614 | the request extensions in req and -crlexts to override the crl extensions | |
615 | in ca. | |
616 | [Steve Henson] | |
617 | ||
f9150e54 DSH |
618 | *) Add new feature to the SPKAC handling in ca. Now you can include |
619 | the same field multiple times by preceding it with "XXXX.", for example: | |
620 | 1.OU="Unit name 1" | |
621 | 2.OU="Unit name 2" | |
622 | this is the same syntax as used in the req config file. | |
623 | [Steve Henson] | |
624 | ||
c79b16e1 DSH |
625 | *) Allow certificate extensions to be added to certificate requests. These |
626 | are specified in a 'req_extensions' option of the req section of the | |
627 | config file. They can be printed out with the -text option to req but | |
628 | are otherwise ignored at present. | |
629 | [Steve Henson] | |
630 | ||
96c2201b | 631 | *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first |
0f7e6fe1 | 632 | data read consists of only the final block it would not be decrypted because |
7b65c329 DSH |
633 | EVP_CipherUpdate() would correctly report zero bytes had been decrypted. |
634 | A misplaced 'break' also meant the decrypted final block might not be | |
635 | copied until the next read. | |
636 | [Steve Henson] | |
637 | ||
13066cee DSH |
638 | *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added |
639 | a few extra parameters to the DH structure: these will be useful if | |
640 | for example we want the value of 'q' or implement X9.42 DH. | |
641 | [Steve Henson] | |
642 | ||
c0711f7f DSH |
643 | *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and |
644 | provides hooks that allow the default DSA functions or functions on a | |
645 | "per key" basis to be replaced. This allows hardware acceleration and | |
646 | hardware key storage to be handled without major modification to the | |
647 | library. Also added low level modexp hooks and CRYPTO_EX structure and | |
648 | associated functions. | |
649 | [Steve Henson] | |
650 | ||
8484721a DSH |
651 | *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO |
652 | as "read only": it can't be written to and the buffer it points to will | |
653 | not be freed. Reading from a read only BIO is much more efficient than | |
654 | a normal memory BIO. This was added because there are several times when | |
655 | an area of memory needs to be read from a BIO. The previous method was | |
656 | to create a memory BIO and write the data to it; this results in two | |
657 | copies of the data and an O(n^2) reading algorithm. There is a new | |
658 | function BIO_new_mem_buf() which creates a read only memory BIO from | |
659 | an area of memory. Also modified the PKCS#7 routines to use read only | |
660 | memory BIOs. | |
661 | [Steve Henson] | |
662 | ||
de1915e4 BM |
663 | *) Bugfix: ssl23_get_client_hello did not work properly when called in |
664 | state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of | |
665 | a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, | |
666 | but a retry condition occurred while trying to read the rest. | |
667 | [Bodo Moeller] | |
668 | ||
c6c34506 DSH |
669 | *) The PKCS7_ENC_CONTENT_new() function was setting the content type as |
670 | NID_pkcs7_encrypted by default: this was wrong since this should almost | |
671 | always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle | |
672 | the encrypted data type: this is a more sensible place to put it and it | |
673 | allows the PKCS#12 code to be tidied up that duplicated this | |
674 | functionality. | |
675 | [Steve Henson] | |
676 | ||
fd520577 DSH |
677 | *) Changed obj_dat.pl script so it takes its input and output files on |
678 | the command line. This should avoid shell escape redirection problems | |
679 | under Win32. | |
680 | [Steve Henson] | |
681 | ||
87c49f62 | 682 | *) Initial support for certificate extension requests; these are included |
fd520577 DSH |
683 | in things like Xenroll certificate requests. Included functions to allow |
684 | extensions to be obtained and added. | |
87c49f62 DSH |
685 | [Steve Henson] |
686 | ||
1b1a6e78 BM |
687 | *) -crlf option to s_client and s_server for sending newlines as |
688 | CRLF (as required by many protocols). | |
689 | [Bodo Moeller] | |
690 | ||
9a577e29 | 691 | Changes between 0.9.3a and 0.9.4 [09 Aug 1999] |
dfbaf956 | 692 | |
9a577e29 | 693 | *) Install libRSAglue.a when OpenSSL is built with RSAref. |
dfbaf956 | 694 | [Ralf S. Engelschall] |
74678cc2 | 695 | |
96395158 RE |
696 | *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. |
697 | [Andrija Antonijevic <TheAntony2@bigfoot.com>] | |
698 | ||
ed7f60fb DSH |
699 | *) Fix -startdate and -enddate (which was missing) arguments to 'ca' |
700 | program. | |
701 | [Steve Henson] | |
702 | ||
48c843c3 BM |
703 | *) New function DSA_dup_DH, which duplicates DSA parameters/keys as |
704 | DH parameters/keys (q is lost during that conversion, but the resulting | |
705 | DH parameters contain its length). | |
706 | ||
707 | For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is | |
708 | much faster than DH_generate_parameters (which creates parameters | |
709 | where p = 2*q + 1), and also the smaller q makes DH computations | |
710 | much more efficient (160-bit exponentiation instead of 1024-bit | |
711 | exponentiation); so this provides a convenient way to support DHE | |
712 | ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of | |
713 | utmost importance to use | |
714 | SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); | |
715 | or | |
716 | SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); | |
717 | when such DH parameters are used, because otherwise small subgroup | |
718 | attacks may become possible! | |
719 | [Bodo Moeller] | |
720 | ||
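An added illustration of the subgroup concern this entry raises (example code written for this page, not OpenSSL's own). The entry's remedy is SSL_OP_SINGLE_DH_USE, a fresh private exponent for every handshake; the complementary defence, which goes a little beyond the entry, is to check that a peer's public value lies in the order-q subgroup when q is known, so a value of small order cannot be used to learn bits of a reused exponent. The toy parameter q = 101 and the functions modpow, is_prime, make_dsa_like_p, subgroup_generator, dh_pub_in_subgroup and cofactor_element are this example's own constructions.

```c
#include <stdint.h>

/* Modular exponentiation on small numbers. Keeping p below 2^32 means every
 * product fits in 64 bits; real code would use BIGNUMs. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Trial division is enough for the toy sizes used here. */
int is_prime(uint64_t n)
{
    if (n < 2) return 0;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0) return 0;
    return 1;
}

/* DSA-style parameters: prime q and p = k*q + 1 with the smallest even k that
 * makes p prime. Returns p (0 on failure) and, if k_out != NULL, the cofactor k.
 * For q = 101 this yields p = 607, k = 6, so p-1 = 2*3*101 has small factors
 * that a safe prime (p = 2q+1) would not have. */
uint64_t make_dsa_like_p(uint64_t q, uint64_t *k_out)
{
    for (uint64_t k = 2; k < 100000; k += 2) {
        if (is_prime(k * q + 1)) {
            if (k_out) *k_out = k;
            return k * q + 1;
        }
    }
    return 0;
}

/* Generator of the order-q subgroup: g = h^((p-1)/q) mod p for the first h
 * that gives g != 1 (then g has order exactly q because q is prime). */
uint64_t subgroup_generator(uint64_t p, uint64_t q)
{
    for (uint64_t h = 2; h < p; h++) {
        uint64_t g = modpow(h, (p - 1) / q, p);
        if (g != 1) return g;
    }
    return 0;
}

/* The check a peer's public value y should pass when q is known:
 * 1 < y < p-1 and y^q == 1 (mod p), i.e. y lies in the intended subgroup.
 * Returns 1 for an acceptable value, 0 otherwise. */
int dh_pub_in_subgroup(uint64_t y, uint64_t p, uint64_t q)
{
    if (y <= 1 || y >= p - 1) return 0;
    return modpow(y, q, p) == 1;
}

/* An element whose order divides the cofactor k = (p-1)/q rather than q:
 * exactly the kind of value the check above exists to reject. */
uint64_t cofactor_element(uint64_t p, uint64_t q)
{
    for (uint64_t h = 2; h < p; h++) {
        uint64_t e = modpow(h, q, p);
        if (e != 1) return e;
    }
    return 0;
}
```

With a safe prime the only elements outside the large subgroup are 1 and p-1, which the range check alone catches; with DSA-style parameters the exponentiation by q is what catches the rest, and SSL_OP_SINGLE_DH_USE limits the damage even when a peer's value is never checked.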
721 | *) Avoid memory leak in i2d_DHparams. | |
722 | [Bodo Moeller] | |
723 | ||
922180d7 DSH |
724 | *) Allow the -k option to be used more than once in the enc program: |
725 | this allows the same encrypted message to be read by multiple recipients. | |
726 | [Steve Henson] | |
727 | ||
3e3d2ea2 DSH |
728 | *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts |
729 | an ASN1_OBJECT to a text string. If the "no_name" parameter is set then | |
730 | it will always use the numerical form of the OID, even if it has a short | |
731 | or long name. | |
732 | [Steve Henson] | |
733 | ||
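The "numerical form" mentioned here is the dotted-decimal rendering of the OID's DER content octets. As an added example (written for this page; not OpenSSL's OBJ_obj2txt() and not its internals), the decoder below turns those octets into text while rejecting the malformed encodings a parser of untrusted certificates has to expect: a sub-identifier cut off by the end of the data, a non-minimal base-128 encoding, and an arc that would overflow. The functions oid_content_to_text and oid_text_equals and the sample arrays are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Convert the content octets of a DER OBJECT IDENTIFIER (the bytes after the
 * 0x06 tag and the length) to dotted-decimal text.
 * Returns the length of the full text as snprintf would (the output is
 * truncated, never overrun, if outlen is too small), or -1 for malformed
 * input: empty content, a sub-identifier whose last octet still has the
 * continuation bit set, a non-minimal encoding (leading 0x80 octet), or an
 * arc too large for 64 bits. */
int oid_content_to_text(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    int first = 1;

    /* The final octet must terminate a sub-identifier (high bit clear). */
    if (len == 0 || (der[len - 1] & 0x80))
        return -1;

    while (pos < len) {
        uint64_t arc = 0;
        char *dst;
        size_t room;
        int n;

        /* A leading 0x80 is a zero septet that adds nothing: non-minimal. */
        if (der[pos] == 0x80)
            return -1;
        for (;;) {
            unsigned char b = der[pos++];
            if (arc >> 57)          /* seven more bits would overflow uint64_t */
                return -1;
            arc = (arc << 7) | (b & 0x7F);
            if (!(b & 0x80))
                break;
        }

        dst  = used < outlen ? out + used : NULL;
        room = used < outlen ? outlen - used : 0;
        if (first) {
            /* The first sub-identifier packs two arcs as 40*X + Y with X in
             * {0,1,2}; for X == 2, Y may exceed 39, so >= 80 means arc 2. */
            uint64_t x = arc < 80 ? arc / 40 : 2;
            uint64_t y = arc - 40 * x;
            n = snprintf(dst, room, "%llu.%llu",
                         (unsigned long long)x, (unsigned long long)y);
            first = 0;
        } else {
            n = snprintf(dst, room, ".%llu", (unsigned long long)arc);
        }
        if (n < 0)
            return -1;
        used += (size_t)n;
    }
    return (int)used;
}

/* 1 if der decodes to exactly expected, 0 otherwise (including malformed input). */
int oid_text_equals(const unsigned char *der, size_t len, const char *expected)
{
    char buf[128];
    int n = oid_content_to_text(der, len, buf, sizeof buf);
    return n >= 0 && (size_t)n < sizeof buf && strcmp(buf, expected) == 0;
}

/* Constructed sample inputs (content octets only, no tag or length). */
const unsigned char oid_rsa_encryption[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 };
const unsigned char oid_sha256[]         = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };
const unsigned char oid_2_999[]          = { 0x88, 0x37 };             /* first arc value 1079 */
const unsigned char oid_truncated[]      = { 0x2A, 0x86 };             /* 0x86 still expects more */
const unsigned char oid_nonminimal[]     = { 0x2A, 0x80, 0x01 };       /* 0x80 0x01 pads the value 1 */
```

Returning the required length even when the buffer is too small lets a caller size a second attempt instead of guessing, and refusing non-minimal encodings means one OID has exactly one byte spelling, so a comparison on the DER bytes agrees with a comparison on the text.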
770d19b8 DSH |
734 | *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp |
735 | method only got called if p,q,dmp1,dmq1,iqmp components were present, | |
736 | otherwise bn_mod_exp was called. In the case of hardware keys for example | |
737 | no private key components need be present and it might store extra data | |
96c2201b BM |
738 | in the RSA structure, which cannot be accessed from bn_mod_exp. |
739 | By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for | |
740 | private key operations. | |
770d19b8 DSH |
741 | [Steve Henson] |
742 | ||
a0618e3e AP |
743 | *) Added support for SPARC Linux. |
744 | [Andy Polyakov] | |
745 | ||
74678cc2 BM |
746 | *) pem_password_cb function type incompatibly changed from |
747 | typedef int pem_password_cb(char *buf, int size, int rwflag); | |
748 | to | |
749 | ....(char *buf, int size, int rwflag, void *userdata); | |
750 | so that applications can pass data to their callbacks: | |
751 | The PEM[_ASN1]_{read,write}... functions and macros now take an | |
752 | additional void * argument, which is just handed through whenever | |
753 | the password callback is called. | |
96c2201b | 754 | [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller] |
74678cc2 BM |
755 | |
756 | New function SSL_CTX_set_default_passwd_cb_userdata. | |
757 | ||
758 | Compatibility note: As many C implementations push function arguments | |
759 | onto the stack in reverse order, the new library version is likely to | |
760 | interoperate with programs that have been compiled with the old | |
761 | pem_password_cb definition (PEM_whatever takes some data that | |
762 | happens to be on the stack as its last argument, and the callback | |
763 | just ignores this garbage); but there is no guarantee whatsoever that | |
764 | this will work. | |
0cceb1c7 | 765 | |
664b9985 BM |
766 | *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... |
767 | (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused | |
768 | problems not only on Windows, but also on some Unix platforms. | |
2e0fc875 | 769 | To avoid problematic command lines, these definitions are now in an |
57119943 BM |
770 | auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl |
771 | for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). | |
664b9985 BM |
772 | [Bodo Moeller] |
773 | ||
7363455f AP |
774 | *) MIPS III/IV assembler module is reimplemented. |
775 | [Andy Polyakov] | |
776 | ||
6434450c UM |
777 | *) More DES library cleanups: remove references to srand/rand and |
778 | delete an unused file. | |
779 |