OpenSSL CHANGES
_______________

 Changes between 0.9.7 and 0.9.8  [xx XXX 2002]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
     (these are variants of 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. The curves can be obtained from the new
     functions
         EC_GROUP_new_by_nid()
         EC_GROUP_new_by_name()
     Also add a 'nid' field to EC_GROUP objects, which can be accessed
     via
         EC_GROUP_set_nid()
         EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de>, Bodo Moeller]

 Changes between 0.9.6d and 0.9.7  [XX xxx 2002]

  *) Fix escaping of non-ASCII characters when using the -subj option
     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
     [Lutz Jaenicke]

  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
     form for "surname", serialNumber has no short form.
     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
     therefore remove "mail" short name for "internet 7".
     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
     [Lutz Jaenicke]

  *) Add an "init" command to the ENGINE config module and auto initialize
     ENGINEs. Without any "init" command the ENGINE will be initialized
     after all ctrl commands have been executed on it. If init=1 the
     ENGINE is initialized at that point (ctrls before that point are run
     on the uninitialized ENGINE and after on the initialized one). If
     init=0 then the ENGINE will not be initialized at all.
     [Steve Henson]

  *) Fix the 'app_verify_callback' interface so that the user-defined
     argument is actually passed to the callback: In the
     SSL_CTX_set_cert_verify_callback() prototype, the callback
     declaration has been changed from
          int (*cb)()
     into
          int (*cb)(X509_STORE_CTX *,void *);
     in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
          i=s->ctx->app_verify_callback(&ctx)
     has been changed into
          i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).

     To update applications using SSL_CTX_set_cert_verify_callback(),
     a dummy argument can be added to their callback functions.
     [D. K. Smetters <smetters@parc.xerox.com>]

  *) Added the '4758cca' ENGINE to support IBM 4758 cards.
     [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]

  *) Add an OPENSSL_LOAD_CONF define which will cause
     OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
     This allows older applications to transparently support certain
     OpenSSL features, such as crypto acceleration and dynamic ENGINE loading.
     Two new functions OPENSSL_add_all_algorithms_noconf() which will never
     load the config file and OPENSSL_add_all_algorithms_conf() which will
     always load it have also been added.
     [Steve Henson]

  *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
     Adjust NIDs and EVP layer.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) Config modules support in openssl utility.

     Most commands now load modules from the config file,
     though in a few (such as version) this isn't done
     because it couldn't be used for anything.

     In the case of ca and req the config file used is
     the same as the utility itself: that is, the -config
     command line option can be used to specify an
     alternative file.
     [Steve Henson]

  *) Move default behaviour from OPENSSL_config(). If appname is NULL,
     use "openssl_conf"; if filename is NULL, use the default openssl
     config file.
     [Steve Henson]

  *) Add an argument to OPENSSL_config() to allow the use of an alternative
     config section name. Add a new flag to tolerate a missing config file
     and move code to CONF_modules_load_file().
     [Steve Henson]

  *) Support for crypto accelerator cards from Accelerated Encryption
     Processing, www.aep.ie. (Use engine 'aep')
     The support was copied from 0.9.6c [engine] and adapted/corrected
     to work with the new engine framework.
     [AEP Inc. and Richard Levitte]

  *) Support for SureWare crypto accelerator cards from Baltimore
     Technologies. (Use engine 'sureware')
     The support was copied from 0.9.6c [engine] and adapted
     to work with the new engine framework.
     [Richard Levitte]

  *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
     make the newer ENGINE framework commands for the CHIL engine work.
     [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]

  *) Make it possible to produce shared libraries on ReliantUNIX.
     [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]

  *) Add the configuration target debug-linux-ppro.
     Make 'openssl rsa' use the general key loading routines
     implemented in apps.c, and make those routines able to
     handle the key format FORMAT_NETSCAPE and the variant
     FORMAT_IISSGC.
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Fix a crash bug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Add -keyform to rsautl, and document -engine.
     [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]

  *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
     BIO_R_NO_SUCH_FILE error code rather than the generic
     ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
     [Ben Laurie]

  *) Add new functions
          ERR_peek_last_error
          ERR_peek_last_error_line
          ERR_peek_last_error_line_data.
     These are similar to
          ERR_peek_error
          ERR_peek_error_line
          ERR_peek_error_line_data,
     but report on the latest error recorded rather than the first one
     still in the error queue.
     [Ben Laurie, Bodo Moeller]

  *) default_algorithms option in ENGINE config module. This allows things
     like:
          default_algorithms = ALL
          default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
     [Steve Henson]

  *) Preliminary ENGINE config module.
     [Steve Henson]

  *) New experimental application configuration code.
     [Steve Henson]

  *) Change the AES code to follow the same name structure as all other
     symmetric ciphers, and behave the same way. Move everything to
     the directory crypto/aes, thereby obsoleting crypto/rijndael.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
     [Ben Laurie and Theo de Raadt]

  *) Add option to output public keys in req command.
     [Massimiliano Pala madwolf@openca.org]

  *) Use wNAFs in EC_POINTs_mul() for improved efficiency
     (up to about 10% better than before for P-192 and P-224).
     [Bodo Moeller]

  *) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1). Here 'version' is the
     protocol version according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.
     [Bodo Moeller]

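As an added example (not code from OpenSSL or from the entry above), here is a callback with the signature just described that inspects the complete handshake and alert messages the library hands it and counts a handshake message whose 3-byte length field disagrees with 'len' as malformed. The SSL typedef is a stand-in for the opaque library type, the msg_stats structure and the sample messages are constructed for this example, and the version constants, handshake types and alert codes are those of OpenSSL and the SSL 3.0/TLS 1.0 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the opaque OpenSSL type; the callback never dereferences it. */
typedef struct ssl_st SSL;

/* Protocol version constants with the values OpenSSL uses. */
#define SSL2_VERSION 0x0002
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301

/* Record-layer content types from the SSL 3.0/TLS 1.0 specification. */
#define CT_CHANGE_CIPHER_SPEC 20
#define CT_ALERT              21
#define CT_HANDSHAKE          22

/* Application state handed to the callback through 'arg' (constructed). */
struct msg_stats {
    unsigned handshakes_sent;
    unsigned handshakes_received;
    unsigned alerts;
    unsigned malformed;          /* header fields disagree with 'len' */
    int last_handshake_type;     /* HandshakeType of the last handshake msg */
    int last_alert_level;        /* 1 = warning, 2 = fatal */
    int last_alert_description;
};

/* Callback with the signature requested by SSL[_CTX]_set_msg_callback().
 * A handshake message arrives with its header: msg_type (1 byte) followed
 * by a 3-byte big-endian body length, which must equal len - 4. */
void msg_callback(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)
{
    struct msg_stats *st = (struct msg_stats *)arg;
    const unsigned char *p = (const unsigned char *)buf;
    uint32_t body_len;
    (void)ssl;

    /* SSL 2.0 messages carry no record-layer content type: nothing to parse. */
    if (version == SSL2_VERSION || content_type == 0)
        return;

    switch (content_type) {
    case CT_HANDSHAKE:
        if (len < 4) { st->malformed++; return; }
        body_len = ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
        if (body_len != len - 4) { st->malformed++; return; }
        st->last_handshake_type = p[0];
        if (write_p) st->handshakes_sent++; else st->handshakes_received++;
        break;
    case CT_ALERT:
        /* Alert: level (1 byte) + description (1 byte), nothing more. */
        if (len != 2) { st->malformed++; return; }
        st->alerts++;
        st->last_alert_level = p[0];
        st->last_alert_description = p[1];
        break;
    case CT_CHANGE_CIPHER_SPEC:
        /* A single byte with value 1. */
        if (len != 1 || p[0] != 1) st->malformed++;
        break;
    default:
        st->malformed++;
        break;
    }
}

/* Drive the callback with constructed messages (no network, no libssl) and
 * return the resulting statistics. */
struct msg_stats run_constructed_session(void)
{
    struct msg_stats st;
    /* Constructed ClientHello: type 1, body length 2, body 03 01. */
    static const unsigned char client_hello[] = { 0x01, 0x00, 0x00, 0x02, 0x03, 0x01 };
    /* Constructed ServerHello whose length field (3) disagrees with len - 4 (2). */
    static const unsigned char bad_server_hello[] = { 0x02, 0x00, 0x00, 0x03, 0x03, 0x01 };
    /* Constructed fatal handshake_failure alert: level 2, description 40. */
    static const unsigned char alert[] = { 0x02, 0x28 };
    static const unsigned char ccs[] = { 0x01 };

    memset(&st, 0, sizeof st);
    st.last_handshake_type = -1;
    msg_callback(1, TLS1_VERSION, CT_HANDSHAKE, client_hello, sizeof client_hello, NULL, &st);
    msg_callback(0, TLS1_VERSION, CT_HANDSHAKE, bad_server_hello, sizeof bad_server_hello, NULL, &st);
    msg_callback(0, TLS1_VERSION, CT_ALERT, alert, sizeof alert, NULL, &st);
    msg_callback(1, TLS1_VERSION, CT_CHANGE_CIPHER_SPEC, ccs, sizeof ccs, NULL, &st);
    msg_callback(0, SSL2_VERSION, 0, client_hello, sizeof client_hello, NULL, &st);
    return st;
}
```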
  *) Change the shared library support so shared libraries are built as
     soon as the corresponding static library is finished, and thereby get
     openssl and the test programs linked against the shared library.
     This still only happens when the keyword "shared" has been given to
     the configuration scripts.

     NOTE: shared library support is still an experimental thing, and
     backward binary compatibility is still not guaranteed.
     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]

  *) Add support for Subject Information Access extension.
     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]

  *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
     additional bytes when new memory had to be allocated, not just
     when reusing an existing buffer.
     [Bodo Moeller]

  *) New command line and configuration option 'utf8' for the req command.
     This allows field values to be specified as UTF8 strings.
     [Steve Henson]

  *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
     runs for the former and machine-readable output for the latter.
     [Ben Laurie]

  *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
     of the e-mail address in the DN (i.e., it will go into a certificate
     extension only). The new configuration file option 'email_in_dn = no'
     has the same effect.
     [Massimiliano Pala madwolf@openca.org]

  *) Change all functions with names starting with des_ to start
     with DES_ instead. Add wrappers that are compatible with libdes,
     but are named _ossl_old_des_*. Finally, add macros that map the
     des_* symbols to the corresponding _ossl_old_des_* if libdes
     compatibility is desired. If OpenSSL 0.9.6c compatibility is
     desired, the des_* symbols will be mapped to DES_*, with one
     exception.

     Since we provide two compatibility mappings, the user needs to
     define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
     compatibility is desired. The default (i.e., when that macro
     isn't defined) is OpenSSL 0.9.6c compatibility.

     There are also macros that enable and disable the support of old
     des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
     and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
     are defined, the default will apply: to support the old des routines.

     In either case, one must include openssl/des.h to get the correct
     definitions. Do not try to just include openssl/des_old.h, that
     won't work.

     NOTE: This is a major break of an old API into a new one. Software
     authors are encouraged to switch to the DES_ style functions. Some
     time in the future, des_old.h and the libdes compatibility functions
     will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
     default), and then completely removed.
     [Richard Levitte]

  *) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  *) Modify the behaviour of EVP cipher functions in a similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

  *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter does
     not have to be initialized before the call to EVP_DigestInit() and
     it is tidied up after a call to EVP_DigestFinal(). New function
     EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly, function
     EVP_MD_CTX_copy() changed so that it does not require the destination
     to be initialized and valid, and new function EVP_MD_CTX_copy_ex()
     added which requires the destination to be valid.

     Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
     EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
     [Steve Henson]

  *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  *) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto interfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

  *) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) New function SSL_renegotiate_pending(). This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello received from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place. SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.
     [Bodo Moeller]

  *) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  *) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  *) Add support for shared libraries for Unixware-7
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
     [Geoff Thorpe]

  *) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) Make it possible to unload ranges of ERR strings with a new
     "ERR_unload_strings" function.
     [Geoff Thorpe]

  *) Add a copy() function to EVP_MD.
     [Ben Laurie]

  *) Make EVP_MD routines take a context pointer instead of just the
     md_data void pointer.
     [Ben Laurie]

  *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  *) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
     leak as before, but their memory debugging output will announce it now
     rather than letting it slide.

     Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
     induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
     has a return value to indicate success or failure.
     [Geoff Thorpe]

  *) Make it possible to replace the underlying "ERR" functions such that the
     global state (2 LHASH tables and 2 locks) is only used by the "default"
     implementation. This change also adds two functions to "get" and "set"
     the implementation prior to it being automatically set the first time
     any other ERR function takes place. Ie. an application can call "get",
     pass the return value to a module it has just loaded, and that module
     can call its own "set" function using that value. This means the
     module's "ERR" operations will use (and modify) the error state in the
     application and not in its own statically linked copy of OpenSSL code.
     [Geoff Thorpe]

  *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
     the operation, and provides a more encapsulated way for external code
     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
     to use these functions rather than manually incrementing the counts.

     Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
     [Geoff Thorpe]

  *) Add EVP test program.
     [Ben Laurie]

  *) Add symmetric cipher support to ENGINE. Expect the API to change!
     [Ben Laurie]

  *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name(),
     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
     These allow a CRL to be built without having to access X509_CRL fields
     directly. Modify 'ca' application to use new functions.
     [Steve Henson]

  *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
     The problem will only arise on OpenSSL servers when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  *) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions. This also reduces
     the number of header dependencies.
     Usage example:

         EVP_MD_CTX md;

         EVP_MD_CTX_init(&md);             /* new function call */
         EVP_DigestInit(&md, EVP_sha1());
         EVP_DigestUpdate(&md, in, len);
         EVP_DigestFinal(&md, out, NULL);
         EVP_MD_CTX_cleanup(&md);          /* new function call */

     [Ben Laurie]

  *) Make DES key schedule conform to the usual scheme, as well as
     correcting its structure. This means that calls to DES functions
     now have to pass a pointer to a des_key_schedule instead of a
     plain des_key_schedule (which was actually always a pointer
     anyway): E.g.,

         des_key_schedule ks;

         des_set_key_checked(..., &ks);
         des_ncbc_encrypt(..., &ks, ...);

     (Note that a later change renames 'des_...' into 'DES_...'.)
     [Ben Laurie]

  *) Initial reduction of linker bloat: the use of some functions, such as
     PEM causes large amounts of unused functions to be linked in due to
     poor organisation. For example pem_all.c contains every PEM function
     which has a knock on effect of linking in large amounts of (unused)
     ASN1 code. Grouping together similar functions and splitting unrelated
     functions prevents this.
     [Steve Henson]

  *) Cleanup of EVP macros.
     [Ben Laurie]

  *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
     correct _ecb suffix.
     [Ben Laurie]

  *) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     used by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script), or received by an internal minimal server.
     [Steve Henson]

  *) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  *) Changes to Kerberos SSL for RFC 2712 compliance:
     1.  Implemented real KerberosWrapper, instead of just using
         KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2.  Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

  *) Speed up EVP routines.
     Before:
     encrypt
     type          8 bytes    64 bytes   256 bytes  1024 bytes  8192 bytes
     des-cbc      4408.85k    5560.51k    5778.46k    5862.20k    5825.16k
     des-cbc      4389.55k    5571.17k    5792.23k    5846.91k    5832.11k
     des-cbc      4394.32k    5575.92k    5807.44k    5848.37k    5841.30k
     decrypt
     des-cbc      3482.66k    5069.49k    5496.39k    5614.16k    5639.28k
     des-cbc      3480.74k    5068.76k    5510.34k    5609.87k    5635.52k
     des-cbc      3483.72k    5067.62k    5504.60k    5708.01k    5724.80k
     After:
     encrypt
     des-cbc      4660.16k    5650.19k    5807.19k    5827.13k    5783.32k
     decrypt
     des-cbc      3624.96k    5258.21k    5530.91k    5624.30k    5628.26k
     [Ben Laurie]

85fb12d5 | 572 | *) Added the OS2-EMX target. |
c80410c5 RL |
573 | ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte] |
574 | ||
85fb12d5 | 575 | *) Rewrite apps to use NCONF routines instead of the old CONF. New functions |
b7a26e6d DSH |
576 | to support NCONF routines in extension code. New function CONF_set_nconf() |
577 | to allow functions which take an NCONF to also handle the old LHASH | |
578 | structure: this means that the old CONF compatible routines can be | |
579 | retained (in particular wrt extensions) without having to duplicate the | |
580 | code. New function X509V3_add_ext_nconf_sk to add extensions to a stack. | |
581 | [Steve Henson] | |
582 | ||
85fb12d5 | 583 | *) Enhance the general user interface with mechanisms for inner control |
e3fefbfd | 584 | and with possibilities to have yes/no kind of prompts. |
235dd0a2 RL |
585 | [Richard Levitte] |
586 | ||
85fb12d5 | 587 | *) Change all calls to low level digest routines in the library and |
323f289c DSH |
588 | applications to use EVP. Add missing calls to HMAC_cleanup() and |
589 | don't assume HMAC_CTX can be copied using memcpy(). | |
590 | [Verdon Walker <VWalker@novell.com>, Steve Henson] | |
591 | ||
85fb12d5 | 592 | *) Add the possibility to control engines through control names but with |
839590f5 RL |
593 | arbitrary arguments instead of just a string. |
594 | Change the key loaders to take a UI_METHOD instead of a callback | |
595 | function pointer. NOTE: this breaks binary compatibility with earlier | |
596 | versions of OpenSSL [engine]. | |
e3fefbfd | 597 | Adapt the nCipher code for these new conditions and add a card insertion |
839590f5 RL |
598 | callback. |
599 | [Richard Levitte] | |
600 | ||
85fb12d5 | 601 | *) Enhance the general user interface with mechanisms to better support |
9ad0f681 RL |
602 | dialog box interfaces, application-defined prompts, the possibility |
603 | to use defaults (for example default passwords from somewhere else) | |
e3fefbfd | 604 | and interrupts/cancellations. |
9ad0f681 RL |
605 | [Richard Levitte] |
606 | ||
85fb12d5 | 607 | *) Tidy up PKCS#12 attribute handling. Add support for the CSP name |
f2a253e0 DSH |
608 | attribute in PKCS#12 files, add new -CSP option to pkcs12 utility. |
609 | [Steve Henson] | |
610 | ||
85fb12d5 | 611 | *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also |
e3fefbfd | 612 | tidy up some unnecessarily weird code in 'sk_new()'). |
d918f851 GT |
613 | [Geoff, reported by Diego Tartara <dtartara@novamens.com>] |
614 | ||
85fb12d5 | 615 | *) Change the key loading routines for ENGINEs to use the same kind of |
79bb8d00 RL |
616 | callback (pem_password_cb) as all other routines that need this |
617 | kind of callback. | |
618 | [Richard Levitte] | |
619 | ||
85fb12d5 | 620 | *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with |
e8734731 LJ |
621 | 256 bit (=32 byte) keys. Of course seeding with more entropy bytes |
622 | than this minimum value is recommended. | |
7e978372 | 623 | [Lutz Jaenicke] |
4831e626 | 624 | |
85fb12d5 | 625 | *) New random seeder for OpenVMS, using the system process statistics |
496da8b9 RL |
626 | that are easily reachable. |
627 | [Richard Levitte] | |
628 | ||
85fb12d5 | 629 | *) Windows apparently can't transparently handle global |
4831e626 DSH |
630 | variables defined in DLLs. Initialisations such as: |
631 | ||
632 | const ASN1_ITEM *it = &ASN1_INTEGER_it; | |
633 | ||
634 | won't compile. This is used by any applications that need to | |
e3fefbfd | 635 | declare their own ASN1 modules. This was fixed by adding the option |
4831e626 DSH |
636 | EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly |
637 | needed for static libraries under Win32. | |
638 | [Steve Henson] | |
639 | ||
85fb12d5 | 640 | *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle |
926a56bf DSH |
641 | setting of purpose and trust fields. New X509_STORE trust and |
642 | purpose functions and tidy up setting in other SSL functions. | |
643 | [Steve Henson] | |
644 | ||
85fb12d5 | 645 | *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE |
bdee69f7 DSH |
646 | structure. These are inherited by X509_STORE_CTX when it is |
647 | initialised. This allows various defaults to be set in the | |
648 | X509_STORE structure (such as flags for CRL checking and custom | |
649 | purpose or trust settings) for functions which only use X509_STORE_CTX | |
650 | internally such as S/MIME. | |
651 | ||
652 | Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and | |
653 | trust settings if they are not set in X509_STORE. This allows X509_STORE | |
654 | purposes and trust (in S/MIME for example) to override any set by default. | |
655 | ||
656 | Add command line options for CRL checking to smime, s_client and s_server | |
657 | applications. | |
658 | [Steve Henson] | |
659 | ||
85fb12d5 | 660 | *) Initial CRL based revocation checking. If the CRL checking flag(s) |
b545dc67 DSH |
661 | are set then the CRL is looked up in the X509_STORE structure and |
662 | its validity and signature checked, then if the certificate is found | |
663 | in the CRL the verify fails with a revoked error. | |
664 | ||
665 | Various new CRL related callbacks added to X509_STORE_CTX structure. | |
666 | ||
667 | Command line options added to 'verify' application to support this. | |
668 | ||
669 | This needs some additional work, such as being able to handle multiple | |
670 | CRLs with different times, extension based lookup (rather than just | |
671 | by subject name) and ultimately more complete V2 CRL extension | |
672 | handling. | |
673 | [Steve Henson] | |
674 | ||
85fb12d5 | 675 | *) Add a general user interface API (crypto/ui/). This is designed |
8a774dc9 BM |
676 | to replace things like des_read_password and friends (backward |
677 | compatibility functions using this new API are provided). | |
678 | The purpose is to remove prompting functions from the DES code | |
679 | section as well as provide for prompting through dialog boxes in | |
680 | a window system and the like. | |
a63d5eaa RL |
681 | [Richard Levitte] |
682 | ||
85fb12d5 | 683 | *) Add "ex_data" support to ENGINE so implementations can add state at a |
e5a77633 GT |
684 | per-structure level rather than having to store it globally. |
685 | [Geoff] | |
686 | ||
85fb12d5 | 687 | *) Make it possible for ENGINE structures to be copied when retrieved by |
e5a77633 GT |
688 | ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY. |
689 | This causes the "original" ENGINE structure to act like a template, | |
690 | analogous to the RSA vs. RSA_METHOD type of separation. Because of this | |
691 | operational state can be localised to each ENGINE structure, despite the | |
692 | fact they all share the same "methods". New ENGINE structures returned in | |
693 | this case have no functional references and the return value is the single | |
694 | structural reference. This matches the single structural reference returned | |
695 | by ENGINE_by_id() normally, when it is incremented on the pre-existing | |
696 | ENGINE structure. | |
697 | [Geoff] | |
698 | ||
85fb12d5 | 699 | *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this |
c962479b DSH |
700 | needs to match any other type at all we need to manually clear the |
701 | tag cache. | |
702 | [Steve Henson] | |
703 | ||
85fb12d5 | 704 | *) Changes to the "openssl engine" utility to include: |
2a8a10ed GT |
705 | - verbosity levels ('-v', '-vv', and '-vvv') that provide information |
706 | about an ENGINE's available control commands. | |
707 | - executing control commands from command line arguments using the | |
708 | '-pre' and '-post' switches. '-post' is only used if '-t' is | |
709 | specified and the ENGINE is successfully initialised. The syntax for | |
710 | the individual commands is colon-separated, for example: | |
711 | openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so | |
712 | [Geoff] | |
713 | ||
85fb12d5 | 714 | *) New dynamic control command support for ENGINEs. ENGINEs can now |
2a8a10ed GT |
715 | declare their own commands (numbers), names (strings), descriptions, |
716 | and input types for run-time discovery by calling applications. A | |
717 | subset of these commands are implicitly classed as "executable" | |
718 | depending on their input type, and only these can be invoked through | |
719 | the new string-based API function ENGINE_ctrl_cmd_string(). (E.g. this | |
720 | can be based on user input, config files, etc.) The distinction is | |
721 | that "executable" commands cannot return anything other than a boolean | |
722 | result and can only support numeric or string input, whereas some | |
723 | discoverable commands may only be for direct use through | |
724 | ENGINE_ctrl(), e.g. supporting the exchange of binary data, function | |
725 | pointers, or other custom uses. The "executable" commands are to | |
726 | support parameterisations of ENGINE behaviour that can be | |
727 | unambiguously defined by ENGINEs and used consistently across any | |
728 | OpenSSL-based application. Commands have been added to all the | |
729 | existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow | |
730 | control over shared-library paths without source code alterations. | |
731 | [Geoff] | |
732 | ||
85fb12d5 | 733 | *) Changed all ENGINE implementations to dynamically allocate their |
2a8a10ed GT |
734 | ENGINEs rather than declaring them statically. Apart from this being |
735 | necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction, | |
736 | this also allows the implementations to compile without using the | |
737 | internal engine_int.h header. | |
738 | [Geoff] | |
739 | ||
85fb12d5 | 740 | *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a |
4d6115a5 GT |
741 | 'const' value. Any code that should be able to modify a RAND_METHOD |
742 | should already have non-const pointers to it (i.e. they should only | |
743 | modify their own ones). | |
744 | [Geoff] | |
745 | ||
85fb12d5 | 746 | *) Made a variety of little tweaks to the ENGINE code. |
4d6115a5 GT |
747 | - "atalla" and "ubsec" string definitions were moved from header files |
748 | to C code. "nuron" string definitions were placed in variables | |
749 | rather than hard-coded - allowing parameterisation of these values | |
750 | later on via ctrl() commands. | |
751 | - Removed unused "#if 0"'d code. | |
752 | - Fixed engine list iteration code so it uses ENGINE_free() to release | |
753 | structural references. | |
754 | - Constified the RAND_METHOD element of ENGINE structures. | |
755 | - Constified various get/set functions as appropriate and added | |
756 | missing functions (including a catch-all ENGINE_cpy that duplicates | |
757 | all ENGINE values onto a new ENGINE except reference counts/state). | |
758 | - Removed NULL parameter checks in get/set functions. Setting a method | |
e13ae96d | 759 | or function to NULL is a way of cancelling out a previously set |
4d6115a5 GT |
760 | value. Passing a NULL ENGINE parameter is just plain stupid anyway |
761 | and doesn't justify the extra error symbols and code. | |
762 | - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for | |
763 | flags from engine_int.h to engine.h. | |
764 | - Changed prototypes for ENGINE handler functions (init(), finish(), | |
765 | ctrl(), key-load functions, etc) to take an (ENGINE*) parameter. | |
766 | [Geoff] | |
767 | ||
85fb12d5 | 768 | *) Implement binary inversion algorithm for BN_mod_inverse in addition |
e3fefbfd | 769 | to the algorithm using long division. The binary algorithm can be |
1f224bf0 BM |
770 | used only if the modulus is odd. On 32-bit systems, it is faster |
771 | only for relatively small moduli (roughly 20-30% for 128-bit moduli, | |
772 | roughly 5-15% for 256-bit moduli), so we use it only for moduli | |
773 | up to 450 bits. In 64-bit environments, the binary algorithm | |
774 | appears to be advantageous for much longer moduli; here we use it | |
775 | for moduli up to 2048 bits. | |
7d0d0996 BM |
776 | [Bodo Moeller] |
777 | ||
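An added example, not OpenSSL's BN_mod_inverse(), showing the two algorithms the entry compares on 32-bit words instead of BIGNUMs: the binary method, which works only for an odd modulus, next to the long-division (extended Euclid) method, with a cross-check that both agree where both apply. Function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Binary modular inversion (HAC-style right-shift variant). Requires n odd.
 * Returns a^-1 mod n, or 0 when no inverse exists (n even, a == 0 mod n,
 * or gcd(a, n) != 1). Invariants: u == x1*a (mod n), v == x2*a (mod n),
 * 0 <= x1, x2 < n. Only shifts, compares, additions and subtractions are
 * used; no division at all, which is what makes it fast on small moduli. */
uint32_t binary_mod_inverse(uint32_t a, uint32_t n)
{
    uint64_t u, v, x1 = 1, x2 = 0;

    if (n < 2 || (n & 1) == 0)   /* the binary method needs an odd modulus */
        return 0;
    u = a % n;
    v = n;
    if (u == 0)
        return 0;

    while (u != 1 && v != 1) {
        /* Strip factors of two from u; halve x1 to keep the invariant,
         * adding n first when x1 is odd (n is odd, so x1 + n is even). */
        while ((u & 1) == 0) {
            u >>= 1;
            x1 = (x1 & 1) ? (x1 + n) >> 1 : x1 >> 1;
        }
        while ((v & 1) == 0) {
            v >>= 1;
            x2 = (x2 & 1) ? (x2 + n) >> 1 : x2 >> 1;
        }
        /* Both odd now: subtract the smaller from the larger, mod n. */
        if (u >= v) {
            u -= v;
            x1 = (x1 >= x2) ? x1 - x2 : x1 + n - x2;
        } else {
            v -= u;
            x2 = (x2 >= x1) ? x2 - x1 : x2 + n - x1;
        }
        if (u == 0 || v == 0)   /* u == v > 1 happened: gcd(a, n) > 1 */
            return 0;
    }
    return (uint32_t)(u == 1 ? x1 : x2);
}

/* Classic extended Euclid using long division; works for any modulus n > 1.
 * Returns 0 when no inverse exists. Invariant: s_i * a == r_i (mod n). */
uint32_t euclid_mod_inverse(uint32_t a, uint32_t n)
{
    int64_t r0 = n, r1 = a % n, s0 = 0, s1 = 1;

    if (n < 2)
        return 0;
    while (r1 != 0) {
        int64_t q = r0 / r1;
        int64_t t = r0 - q * r1; r0 = r1; r1 = t;
        t = s0 - q * s1; s0 = s1; s1 = t;
    }
    if (r0 != 1)
        return 0;
    if (s0 < 0)          /* |s0| <= n, so one correction is enough */
        s0 += n;
    return (uint32_t)s0;
}

/* Returns 1 when both methods agree and the result really inverts a mod n.
 * For an even n this returns 0: the binary method declines, Euclid does not. */
int inverse_cross_check(uint32_t a, uint32_t n)
{
    uint32_t b = binary_mod_inverse(a, n), e = euclid_mod_inverse(a, n);

    if (b != e)
        return 0;
    if (b == 0)
        return 1;   /* both report: no inverse */
    return ((uint64_t)b * (a % n)) % n == 1;
}

int main(void)
{
    /* Constructed test pairs; the last modulus is the largest 32-bit prime. */
    uint32_t pairs[][2] = { {3, 7}, {10, 17}, {6, 9}, {3, 8},
                            {0x9E3779B1u, 0xFFFFFFFBu} };
    size_t i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("a=%u n=%u binary=%u euclid=%u consistent=%d\n",
               pairs[i][0], pairs[i][1],
               binary_mod_inverse(pairs[i][0], pairs[i][1]),
               euclid_mod_inverse(pairs[i][0], pairs[i][1]),
               inverse_cross_check(pairs[i][0], pairs[i][1]));
    return 0;
}
```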
85fb12d5 | 778 | *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code |
722ca278 DSH |
779 | could not support the combine flag in choice fields. |
780 | [Steve Henson] | |
781 | ||
85fb12d5 | 782 | *) Add a 'copy_extensions' option to the 'ca' utility. This copies |
791bd0cd DSH |
783 | extensions from a certificate request to the certificate. |
784 | [Steve Henson] | |
785 | ||
85fb12d5 | 786 | *) Allow multiple 'certopt' and 'nameopt' options to be separated |
535d79da DSH |
787 | by commas. Add 'nameopt' and 'certopt' options to the 'ca' config | |
788 | file: this allows the display of the certificate about to be | |
789 | signed to be customised, to allow certain fields to be included | |
790 | or excluded and extension details. The old system didn't display | |
791 | multicharacter strings properly, omitted fields not in the policy | |
792 | and couldn't display additional details such as extensions. | |
793 | [Steve Henson] | |
794 | ||
85fb12d5 | 795 | *) Function EC_POINTs_mul for multiple scalar multiplication |
3ba1f111 BM |
796 | of an arbitrary number of elliptic curve points |
797 | \sum scalars[i]*points[i], | |
798 | optionally including the generator defined for the EC_GROUP: | |
799 | scalar*generator + \sum scalars[i]*points[i]. | |
800 | ||
38374911 BM |
801 | EC_POINT_mul is a simple wrapper function for the typical case |
802 | that the point list has just one item (besides the optional | |
803 | generator). | |
48fe4d62 BM |
804 | [Bodo Moeller] |
805 | ||
85fb12d5 | 806 | *) First EC_METHODs for curves over GF(p): |
48fe4d62 BM |
807 | |
808 | EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr | |
809 | operations and provides various method functions that can also | |
810 | operate with faster implementations of modular arithmetic. | |
811 | ||
812 | EC_GFp_mont_method() reuses most functions that are part of | |
813 | EC_GFp_simple_method, but uses Montgomery arithmetic. | |
814 | ||
815 | [Bodo Moeller; point addition and point doubling | |
816 | implementation directly derived from source code provided by | |
817 | Lenka Fibikova <fibikova@exp-math.uni-essen.de>] | |
818 | ||
85fb12d5 | 819 | *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h, |
48fe4d62 BM |
820 | crypto/ec/ec_lib.c): |
821 | ||
6f8f4431 BM |
822 | Curves are EC_GROUP objects (with an optional group generator) |
823 | based on EC_METHODs that are built into the library. | |
48fe4d62 BM |
824 | |
825 | Points are EC_POINT objects based on EC_GROUP objects. | |
826 | ||
827 | Most of the framework would be able to handle curves over arbitrary | |
6f8f4431 BM |
828 | finite fields, but as there are no obvious types for fields other |
829 | than GF(p), some functions are limited to that for now. | |
48fe4d62 BM |
830 | [Bodo Moeller] |
831 | ||
85fb12d5 | 832 | *) Add the -HTTP option to s_server. It is similar to -WWW, but requires |
251cb4cf RL |
833 | that the file contains a complete HTTP response. |
834 | [Richard Levitte] | |
835 | ||
85fb12d5 | 836 | *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl |
b4f682d3 DSH |
837 | change the def and num file printf format specifier from "%-40sXXX" |
838 | to "%-39s XXX". The latter will always guarantee a space after the | |
839 | field while the former will cause them to run together if the field | |
840 | is 40 or more characters long. | |
841 | [Steve Henson] | |
842 | ||
85fb12d5 | 843 | *) Constify the cipher and digest 'method' functions and structures |
13588350 DSH |
844 | and modify related functions to take constant EVP_MD and EVP_CIPHER |
845 | pointers. | |
846 | [Steve Henson] | |
847 | ||
85fb12d5 | 848 | *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them |
48fe4d62 | 849 | in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32. |
c62b26fd BM |
850 | [Bodo Moeller] |
851 | ||
85fb12d5 | 852 | *) Modify EVP_Digest*() routines so they now return values. Although the |
2dc769a1 DSH |
853 | internal software routines can never fail, additional hardware versions | |
854 | might. | |
855 | [Steve Henson] | |
856 | ||
85fb12d5 | 857 | *) Clean up crypto/err/err.h and change some error codes to avoid conflicts: |
5277d7cb BM |
858 | |
859 | Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7 | |
860 | (= ERR_R_PKCS7_LIB); it is now 64 instead of 32. | |
861 | ||
862 | ASN1 error codes | |
863 | ERR_R_NESTED_ASN1_ERROR | |
864 | ... | |
865 | ERR_R_MISSING_ASN1_EOS | |
866 | were 4 .. 9, conflicting with | |
867 | ERR_LIB_RSA (= ERR_R_RSA_LIB) | |
868 | ... | |
869 | ERR_LIB_PEM (= ERR_R_PEM_LIB). | |
870 | They are now 58 .. 63 (i.e., just below ERR_R_FATAL). | |
871 | ||
872 | Add new error code 'ERR_R_INTERNAL_ERROR'. | |
873 | [Bodo Moeller] | |
874 | ||
85fb12d5 | 875 | *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock |
5277d7cb BM |
876 | suffices. |
877 | [Bodo Moeller] | |
878 | ||
85fb12d5 | 879 | *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This |
bad40585 BM |
880 | sets the subject name for a new request or supersedes the |
881 | subject name in a given request. Formats that can be parsed are | |
882 | 'CN=Some Name, OU=myOU, C=IT' | |
883 | and | |
884 | 'CN=Some Name/OU=myOU/C=IT'. | |
885 | ||
886 | Add options '-batch' and '-verbose' to 'openssl req'. | |
887 | [Massimiliano Pala <madwolf@hackmasters.net>] | |
888 | ||
85fb12d5 | 889 | *) Introduce the possibility to access global variables through |
62dc5aad RL |
890 | functions on platforms where that's the best way to handle exporting | |
891 | global variables in shared libraries. To enable this functionality, | |
892 | one must configure with "EXPORT_VAR_AS_FN" or define the C macro | |
893 | "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter | |
894 | is normally done by Configure or something similar). | |
895 | ||
896 | To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL | |
897 | in the source file (foo.c) like this: | |
898 | ||
899 | OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1; | |
900 | OPENSSL_IMPLEMENT_GLOBAL(double,bar); | |
901 | ||
902 | To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL | |
903 | and OPENSSL_GLOBAL_REF in the header file (foo.h) like this: | |
904 | ||
905 | OPENSSL_DECLARE_GLOBAL(int,foo); | |
906 | #define foo OPENSSL_GLOBAL_REF(foo) | |
907 | OPENSSL_DECLARE_GLOBAL(double,bar); | |
908 | #define bar OPENSSL_GLOBAL_REF(bar) | |
909 | ||
910 | The #defines are very important, and therefore so is including the | |
e3fefbfd | 911 | header file everywhere where the defined globals are used. |
62dc5aad RL |
912 | |
913 | The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition | |
e3fefbfd | 914 | of ASN.1 items, but that structure is a bit different. |
62dc5aad RL |
915 | |
916 | The largest change is in util/mkdef.pl which has been enhanced with | |
917 | better and easier to understand logic to choose which symbols should | |
918 | go into the Windows .def files as well as a number of fixes and code | |
919 | cleanup (among others, algorithm keywords are now sorted | |
920 | lexicographically to avoid constant rewrites). | |
921 | [Richard Levitte] | |
922 | ||
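As an added illustration (not OpenSSL's own e_os2.h macros), a single-file re-implementation of the export-as-function scheme just described; the names IMPLEMENT_GLOBAL, DECLARE_GLOBAL, GLOBAL_REF and the EXAMPLE_PLAIN_GLOBALS switch are this example's own stand-ins for OPENSSL_IMPLEMENT_GLOBAL, OPENSSL_DECLARE_GLOBAL, OPENSSL_GLOBAL_REF and OPENSSL_EXPORT_VAR_AS_FUNCTION.

```c
#include <stdio.h>

/* Example macros, not OpenSSL's. By default the accessor-function mode is
 * used; compile with -DEXAMPLE_PLAIN_GLOBALS to get ordinary exported
 * variables from the very same source text at every use site. */
#ifndef EXAMPLE_PLAIN_GLOBALS
/* Function mode: the storage is a static in one translation unit, and every
 * other unit reaches it only through shadow_<name>(), which a DLL can export
 * without the data-export problem described above. The macro deliberately
 * ends in a tentative definition so that an "= value;" written after
 * IMPLEMENT_GLOBAL(...) becomes that variable's initialiser. */
# define IMPLEMENT_GLOBAL(type, name)                     \
    static type hide_##name;                              \
    type *shadow_##name(void) { return &hide_##name; }    \
    static type hide_##name
# define DECLARE_GLOBAL(type, name) type *shadow_##name(void)
# define GLOBAL_REF(name) (*(shadow_##name()))
#else
/* Variable mode: plain extern data, for platforms without the problem. */
# define IMPLEMENT_GLOBAL(type, name) type shadow_##name
# define DECLARE_GLOBAL(type, name) extern type shadow_##name
# define GLOBAL_REF(name) shadow_##name
#endif

/* --- the part that would live in foo.h --- */
DECLARE_GLOBAL(int, foo);
#define foo GLOBAL_REF(foo)
DECLARE_GLOBAL(double, bar);
#define bar GLOBAL_REF(bar)

/* --- the part that would live in foo.c (the #defines above are safe here
 * because the macros only use the name token next to ##, which suppresses
 * its expansion) --- */
IMPLEMENT_GLOBAL(int, foo) = 1;
IMPLEMENT_GLOBAL(double, bar);

/* --- a client unit: it only ever sees the names foo and bar, exactly as it
 * would with real variables, and can read and assign them as lvalues --- */
int example_get_foo(void) { return foo; }
double example_get_bar(void) { return bar; }
void example_set_bar(double v) { bar = v; }

int main(void)
{
    printf("foo = %d, bar = %g\n", example_get_foo(), example_get_bar());
    example_set_bar(2.5);
    foo += 41;   /* lvalue use works in both modes */
    printf("foo = %d, bar = %g\n", example_get_foo(), example_get_bar());
    return 0;
}
```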
85fb12d5 | 923 | *) In BN_div() keep a copy of the sign of 'num' before writing the |
3d2e469c DSH |
924 | result to 'rm' because if rm==num the value will be overwritten |
925 | and produce the wrong result if 'num' is negative: this caused | |
926 | problems with BN_mod() and BN_nnmod(). | |
927 | [Steve Henson] | |
928 | ||
85fb12d5 | 929 | *) Function OCSP_request_verify(). This checks the signature on an |
fafc7f98 DSH |
930 | OCSP request and verifies the signer certificate. The signer |
931 | certificate is just checked for a generic purpose and OCSP request | |
932 | trust settings. | |
933 | [Steve Henson] | |
934 | ||
85fb12d5 | 935 | *) Add OCSP_check_validity() function to check the validity of OCSP |
f1965221 DSH |
936 | responses. OCSP responses are prepared in real time and may only |
937 | be a few seconds old. Simply checking that the current time lies | |
938 | between thisUpdate and nextUpdate may reject otherwise valid responses | |
e3fefbfd | 939 | caused by either OCSP responder or client clock inaccuracy. Instead |
f1965221 DSH |
940 | we allow thisUpdate and nextUpdate to fall within a certain period of |
941 | the current time. The age of the response can also optionally be | |
942 | checked. Two new options -validity_period and -status_age added to | |
943 | ocsp utility. | |
944 | [Steve Henson] | |
945 | ||
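An added example, not the library's OCSP_check_validity(), that writes out the skew-and-age rule above on plain time_t values so it can be exercised against constructed timestamps; the function and enum names are this example's own.

```c
#include <stdio.h>
#include <time.h>

/* Outcome of the validity-window check. */
typedef enum {
    OCSP_EX_OK = 0,
    OCSP_EX_TOO_NEW,            /* thisUpdate lies beyond now + skew */
    OCSP_EX_EXPIRED,            /* thisUpdate too old, or nextUpdate has passed */
    OCSP_EX_NEXT_BEFORE_THIS    /* nextUpdate precedes thisUpdate: malformed */
} ocsp_ex_result;

/* this_update / next_update are seconds since the epoch; next_update == 0
 * means the optional nextUpdate field is absent. sec is the tolerated clock
 * skew in seconds (the "certain period" of the entry); max_age is the oldest
 * acceptable thisUpdate in seconds, or -1 to skip the age check. */
ocsp_ex_result ocsp_ex_check_validity(time_t this_update, time_t next_update,
                                      time_t now, long sec, long max_age)
{
    /* A responder whose clock runs slightly ahead of ours must not be
     * rejected, hence the skew window; anything further ahead is refused. */
    if (this_update > now + sec)
        return OCSP_EX_TOO_NEW;

    /* Optional freshness policy: refuse status information older than
     * max_age, again allowing for skew. */
    if (max_age >= 0 && this_update < now - sec - max_age)
        return OCSP_EX_EXPIRED;

    if (next_update != 0) {
        if (next_update < now - sec)        /* validity period has ended */
            return OCSP_EX_EXPIRED;
        if (next_update < this_update)      /* inconsistent response */
            return OCSP_EX_NEXT_BEFORE_THIS;
    }
    return OCSP_EX_OK;
}

static const char *ocsp_ex_str(ocsp_ex_result r)
{
    switch (r) {
    case OCSP_EX_OK:               return "ok";
    case OCSP_EX_TOO_NEW:          return "status too new";
    case OCSP_EX_EXPIRED:          return "status expired";
    case OCSP_EX_NEXT_BEFORE_THIS: return "nextUpdate before thisUpdate";
    }
    return "?";
}

int main(void)
{
    /* Constructed, fixed "now" so the run is reproducible; skew of 5 minutes. */
    time_t now = 1000000000;
    long skew = 300;

    printf("fresh, nextUpdate in 1h:      %s\n",
           ocsp_ex_str(ocsp_ex_check_validity(now - 30, now + 3600, now, skew, -1)));
    printf("responder clock 200s ahead:   %s\n",
           ocsp_ex_str(ocsp_ex_check_validity(now + 200, now + 3600, now, skew, -1)));
    printf("responder clock 400s ahead:   %s\n",
           ocsp_ex_str(ocsp_ex_check_validity(now + 400, now + 3600, now, skew, -1)));
    printf("5000s old, max age 3600s:     %s\n",
           ocsp_ex_str(ocsp_ex_check_validity(now - 5000, 0, now, skew, 3600)));
    printf("nextUpdate 400s in the past:  %s\n",
           ocsp_ex_str(ocsp_ex_check_validity(now - 7200, now - 400, now, skew, -1)));
    return 0;
}
```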
85fb12d5 | 946 | *) If signature or public key algorithm is unrecognized print out its |
e3fefbfd | 947 | OID rather than just UNKNOWN. |
4ff18c8c DSH |
948 | [Steve Henson] |
949 | ||
85fb12d5 | 950 | *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and |
d7c06e9e DSH |
951 | OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate |
952 | ID to be generated from the issuer certificate alone which can then be | |
953 | passed to OCSP_id_issuer_cmp(). | |
954 | [Steve Henson] | |
955 | ||
85fb12d5 | 956 | *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new |
386828d0 DSH |
957 | ASN1 modules to export functions returning ASN1_ITEM pointers |
958 | instead of the ASN1_ITEM structures themselves. This adds several | |
959 | new macros which allow the underlying ASN1 function/structure to | |
960 | be accessed transparently. As a result code should not use ASN1_ITEM | |
961 | references directly (such as &X509_it) but instead use the relevant | |
962 | macros (such as ASN1_ITEM_rptr(X509)). This option is to allow | |
963 | use of the new ASN1 code on platforms where exporting structures | |
964 | is problematical (for example in shared libraries) but exporting | |
965 | functions returning pointers to structures is not. | |
966 | [Steve Henson] | |
967 | ||
85fb12d5 | 968 | *) Add support for overriding the generation of SSL/TLS session IDs. |
fa2b8db4 GT |
969 | These callbacks can be registered either in an SSL_CTX or per SSL. |
970 | The purpose of this is to allow applications to control, if they wish, | |
971 | the arbitrary values chosen for use as session IDs, particularly as it | |
972 | can be useful for session caching in multiple-server environments. A | |
973 | command-line switch for testing this (and any client code that wishes | |
974 | to use such a feature) has been added to "s_server". | |
975 | [Geoff Thorpe, Lutz Jaenicke] | |
976 | ||
85fb12d5 | 977 | *) Modify mkdef.pl to recognise and parse preprocessor conditionals |
d399fdf8 RL |
978 | of the form '#if defined(...) || defined(...) || ...' and |
979 | '#if !defined(...) && !defined(...) && ...'. This also avoids | |
980 | the growing number of special cases it was previously handling. | |
981 | [Richard Levitte] | |
982 | ||
85fb12d5 | 983 | *) Make all configuration macros available for application by making |
cf1b7d96 RL |
984 | sure they are available in opensslconf.h, by giving them names starting |
985 | with "OPENSSL_" to avoid conflicts with other packages and by making | |
986 | sure e_os2.h will cover all platform-specific cases together with | |
987 | opensslconf.h. | |
2affbab9 RL |
988 | Additionally, it is now possible to define configuration/platform- |
989 | specific names (called "system identities"). In the C code, these | |
990 | are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another | |
991 | macro with the name beginning with "OPENSSL_SYS_", which is determined | |
992 | from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on | |
993 | what is available. | |
cf1b7d96 RL |
994 | [Richard Levitte] |
995 | ||
85fb12d5 | 996 | *) New option -set_serial to 'req' and 'x509': this allows the serial |
acba75c5 DSH |
997 | number to use to be specified on the command line. Previously self |
998 | signed certificates were hard coded with serial number 0 and the | |
999 | CA options of 'x509' had to use a serial number in a file which was | |
1000 | auto incremented. | |
1001 | [Steve Henson] | |
1002 | ||
85fb12d5 | 1003 | *) New options to 'ca' utility to support V2 CRL entry extensions. |
a6b7ffdd DSH |
1004 | Currently CRL reason, invalidity date and hold instruction are |
1005 | supported. Add new CRL extensions to V3 code and some new objects. | |
1006 | [Steve Henson] | |
1007 | ||
85fb12d5 | 1008 | *) New function EVP_CIPHER_CTX_set_padding(): this is used to |
f2e5ca84 DSH |
1009 | disable standard block padding (aka PKCS#5 padding) in the EVP |
1010 | API, which was previously mandatory. This means that the data is | |
1011 | not padded in any way and so the total length must be a multiple | |
1012 | of the block size, otherwise an error occurs. | |
1013 | [Steve Henson] | |
1014 | ||
85fb12d5 | 1015 | *) Initial (incomplete) OCSP SSL support. |
cdc7b8cc DSH |
1016 | [Steve Henson] |
1017 | ||
85fb12d5 | 1018 | *) New function OCSP_parse_url(). This splits up a URL into its host, |
67c18019 DSH |
1019 | port and path components: primarily to parse OCSP URLs. New -url |
1020 | option to ocsp utility. | |
1021 | [Steve Henson] | |
1022 | ||
85fb12d5 | 1023 | *) New nonce behavior. The return value of OCSP_check_nonce() now |
46a58ab9 DSH |
1024 | reflects the various checks performed. Applications can decide |
1025 | whether to tolerate certain situations such as an absent nonce | |
1026 | in a response when one was present in a request: the ocsp application | |
1027 | just prints out a warning. New function OCSP_add1_basic_nonce(): | |
1028 | this is to allow responders to include a nonce in a response even if | |
1029 | the request is nonce-less. | |
1030 | [Steve Henson] | |
1031 | ||
85fb12d5 | 1032 | *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are |
620cea37 BM |
1033 | skipped when using openssl x509 multiple times on a single input file, |
1034 | e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs". | |
1035 | [Bodo Moeller] | |
1036 | ||
85fb12d5 | 1037 | *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() |
ccb08f98 DSH |
1038 | set string type: to handle setting ASN1_TIME structures. Fix ca |
1039 | utility to correctly initialize revocation date of CRLs. | |
1040 | [Steve Henson] | |
1041 | ||
85fb12d5 | 1042 | *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override |
836f9960 LJ |
1043 | the client's preferred ciphersuites and use its own preferences instead. |
1044 | Should help to work around M$ SGC (Server Gated Cryptography) bug in | |
1045 | Internet Explorer by ensuring unchanged hash method during stepup. | |
b72faddc | 1046 | (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) |
836f9960 LJ |
1047 | [Lutz Jaenicke] |
1048 | ||
85fb12d5 | 1049 | *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael |
c47c6196 DSH |
1050 | to aes and add a new 'exist' option to print out symbols that don't |
1051 | appear to exist. | |
1052 | [Steve Henson] | |
1053 | ||
85fb12d5 | 1054 | *) Additional options to ocsp utility to allow flags to be set and |
8c950429 DSH |
1055 | additional certificates supplied. |
1056 | [Steve Henson] | |
1057 | ||
85fb12d5 | 1058 | *) Add the option -VAfile to 'openssl ocsp', so the user can give the |
9235adbf RL |
1059 | OCSP client a number of certificates to only verify the response |
1060 | signature against. | |
1061 | [Richard Levitte] | |
1062 | ||
85fb12d5 | 1063 | *) Update Rijndael code to version 3.0 and change EVP AES ciphers to |
deb2c1a1 | 1064 | handle the new API. Currently only the ECB and CBC modes are supported. Add new |
47234cd3 BM |
1065 | AES OIDs. |
1066 | ||
1067 | Add TLS AES ciphersuites as described in the "AES Ciphersuites | |
f257d984 | 1068 | for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet |
47234cd3 BM |
1069 | official, they are not enabled by default and are not even part |
1070 | of the "ALL" ciphersuite alias; for now, they must be explicitly | |
1071 | requested by specifying the new "AESdraft" ciphersuite alias. If | |
1072 | you want the default ciphersuite list plus the new ciphersuites, | |
1073 | use "DEFAULT:AESdraft:@STRENGTH". | |
1074 | [Ben Laurie, Steve Henson, Bodo Moeller] | |
deb2c1a1 | 1075 | |
85fb12d5 | 1076 | *) New function OCSP_copy_nonce() to copy nonce value (if present) from |
26e083cc DSH |
1077 | request to response. |
1078 | [Steve Henson] | |
1079 | ||
85fb12d5 | 1080 | *) Functions for OCSP responders. OCSP_request_onereq_count(), |
02e4fbed DSH |
1081 | OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info() |
1082 | extract information from a certificate request. OCSP_response_create() | |
1083 | creates a response and optionally adds a basic response structure. | |
1084 | OCSP_basic_add1_status() adds a complete single response to a basic | |
e3fefbfd | 1085 | response and returns the OCSP_SINGLERESP structure just added (to allow |
02e4fbed DSH |
1086 | extensions to be included for example). OCSP_basic_add1_cert() adds a |
1087 | certificate to a basic response and OCSP_basic_sign() signs a basic | |
1088 | response with various flags. New helper functions ASN1_TIME_check() | |
1089 | (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime() | |
1090 | (converts ASN1_TIME to GeneralizedTime). | |
1091 | [Steve Henson] | |
1092 | ||
85fb12d5 | 1093 | *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() |
88ce56f8 | 1094 | in a single operation. X509_get0_pubkey_bitstr() extracts the public_key |
e3fefbfd | 1095 | structure from a certificate. X509_pubkey_digest() digests the public_key |
88ce56f8 DSH |
1096 | contents: this is used in various key identifiers. |
1097 | [Steve Henson] | |
1098 | ||
85fb12d5 | 1099 | *) Make sk_sort() tolerate a NULL argument. |
b8470240 DSH |
1100 | [Steve Henson, reported by Massimiliano Pala <madwolf@comune.modena.it>] |
1101 | ||
85fb12d5 | 1102 | *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates |
50d51991 | 1103 | passed by the function are trusted implicitly. If any of them signed the |
e3fefbfd | 1104 | response then it is assumed to be valid and is not verified. |
50d51991 DSH |
1105 | [Steve Henson] |
1106 | ||
85fb12d5 | 1107 | *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT |
a43cf9fa DSH |
1108 | to data. This was previously part of the PKCS7 ASN1 code. This |
1109 | was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures. | |
1110 | [Steve Henson, reported by Kenneth R. Robinette | |
1111 | <support@securenetterm.com>] | |
1112 | ||
85fb12d5 | 1113 | *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1 |
a43cf9fa DSH |
1114 | routines: without these tracing memory leaks is very painful. |
1115 | Fix leaks in PKCS12 and PKCS7 routines. | |
1116 | [Steve Henson] | |
1117 | ||
85fb12d5 | 1118 | *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new(). |
ba8e2824 DSH |
1119 | Previously it initialised the 'type' argument to V_ASN1_UTCTIME which |
1120 | effectively meant GeneralizedTime would never be used. Now it | |
1121 | is initialised to -1 but X509_time_adj() now has to check the value | |
1122 | and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or | |
1123 | V_ASN1_GENERALIZEDTIME; without this it always uses GeneralizedTime. | |
1124 | [Steve Henson, reported by Kenneth R. Robinette | |
1125 | <support@securenetterm.com>] | |
1126 | ||
85fb12d5 | 1127 | *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously |
8e8972bb DSH |
1128 | result in a zero length in the ASN1_INTEGER structure which was |
1129 | not consistent with the structure when d2i_ASN1_INTEGER() was used | |
1130 | and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() | |
1131 | to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() | |
1132 | where it did not print out a minus for negative ASN1_INTEGER. | |
1133 | [Steve Henson] | |
1134 | ||
85fb12d5 | 1135 | *) Add summary printout to ocsp utility. The various functions which |
73758d43 DSH |
1136 | convert status values to strings have been renamed to: |
1137 | OCSP_response_status_str(), OCSP_cert_status_str() and | |
1138 | OCSP_crl_reason_str() and are no longer static. New options | |
1139 | to verify nonce values and to disable verification. OCSP response | |
1140 | printout format cleaned up. | |
1141 | [Steve Henson] | |
1142 | ||
85fb12d5 | 1143 | *) Add additional OCSP certificate checks. These are those specified |
e8af92fc DSH |
1144 | in RFC2560. This consists of two separate checks: the CA of the |
1145 | certificate being checked must either be the OCSP signer certificate | |
1146 | or the issuer of the OCSP signer certificate. In the latter case the | |
1147 | OCSP signer certificate must contain the OCSP signing extended key | |
1148 | usage. This check is performed by attempting to match the OCSP | |
1149 | signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash | |
1150 | in the OCSP_CERTID structures of the response. | |
1151 | [Steve Henson] | |
1152 | ||
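The two signer checks described in the entry above, modelled in Python as an added example (this is not OpenSSL's own code): certificates are reduced to constructed byte strings standing in for the DER-encoded Name and public key, the hashes are computed with hashlib, and chain building and signature verification are assumed to have been done already by the routines the neighbouring entries describe.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence, Tuple

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"  # the OCSP signing extended key usage


@dataclass(frozen=True)
class Cert:
    """Only the fields the check needs. In real X.509 these are DER-encoded;
    here they are constructed byte strings (an assumption for the example)."""
    subject: bytes       # subject Name
    public_key: bytes    # subjectPublicKey bits (what issuerKeyHash hashes)
    issuer: bytes        # issuer Name
    eku: Tuple[str, ...] = ()


@dataclass(frozen=True)
class CertId:
    """The OCSP_CERTID fields this check uses."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes


def make_cert_id(issuer: Cert, hash_alg: str = "sha1") -> CertId:
    """The CertID a requester builds for a certificate issued by `issuer`."""
    h = lambda data: hashlib.new(hash_alg, data).digest()
    return CertId(hash_alg, h(issuer.subject), h(issuer.public_key))


def matches_issuer_id(cid: CertId, cert: Cert) -> bool:
    """Does `cert` hash to the issuerNameHash/issuerKeyHash in the CertID?"""
    h = lambda data: hashlib.new(cid.hash_alg, data).digest()
    return (h(cert.subject) == cid.issuer_name_hash
            and h(cert.public_key) == cid.issuer_key_hash)


def ocsp_signer_acceptable(cid: CertId, chain: Sequence[Cert]) -> Tuple[bool, str]:
    """Apply the two RFC 2560 responder checks to an already verified chain
    whose first element is the response signer and whose second (if any) is
    the signer's issuer."""
    signer = chain[0]
    # Case 1: the signer is the CA that issued the certificate in question.
    if matches_issuer_id(cid, signer):
        return True, "signer is the issuing CA"
    # Case 2: the signer was issued by that CA and is delegated for OCSP.
    if len(chain) > 1 and matches_issuer_id(cid, chain[1]):
        if ID_KP_OCSP_SIGNING in signer.eku:
            return True, "signer is a delegated responder of the issuing CA"
        return False, "signer issued by the CA but lacks id-kp-OCSPSigning"
    return False, "signer is unrelated to the issuing CA"


# Constructed sample PKI (not real certificates).
CA = Cert(b"CN=Example CA", b"ca-public-key", b"CN=Example CA")
RESPONDER = Cert(b"CN=Example OCSP", b"resp-public-key", CA.subject,
                 eku=(ID_KP_OCSP_SIGNING,))
WEB_SERVER = Cert(b"CN=www.example", b"web-public-key", CA.subject,
                  eku=("1.3.6.1.5.5.7.3.1",))   # serverAuth only, no OCSP EKU
OTHER_CA = Cert(b"CN=Other CA", b"other-public-key", b"CN=Other CA")
OTHER_RESPONDER = Cert(b"CN=Other OCSP", b"oresp-public-key", OTHER_CA.subject,
                       eku=(ID_KP_OCSP_SIGNING,))
CERT_ID = make_cert_id(CA)   # the request concerns a certificate issued by CA
```

The third and fourth cases in the test below are the ones the check exists for: a certificate issued by the right CA without the OCSP signing EKU, and a perfectly valid responder that belongs to a different CA.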
  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
     the '-extensions ...' option may be used for specifying the
     section to use.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP utility. Allows OCSP requests to be generated or
     read. The request can be sent to a responder and the output
     parsed, output or printed in text form. Not complete yet:
     still needs to check the OCSP response validity.
     [Steve Henson]

  *) New subcommands for 'openssl ca':
     'openssl ca -status <serial>' prints the status of the cert with
     the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl. This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR. This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Allow defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int). The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments. To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

        CRYPTO_set_mem_ex_functions
        CRYPTO_set_locked_mem_ex_functions
        CRYPTO_get_mem_ex_functions
        CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
     [Geoff Thorpe]

  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If /dev/[u]random devices are not available or do not return enough
     entropy, EGD style sockets (served by EGD or PRNGD) will automatically
     be queried.
     The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
     /etc/entropy will be queried once each in this sequence; querying stops
     when enough entropy has been collected without querying more sockets.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected. We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode. DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
     [Richard Levitte]

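The device walk described above (ordered list, non-blocking reads, at most 10 ms of select timeout per device, stop once enough has been collected), written out in Python as an added example rather than OpenSSL's rand_unix.c; the byte count ENTROPY_NEEDED and the file-based stand-ins for devices are assumptions for the example.

```python
import os
import select
import tempfile
import time

# The default list from the entry above; the per-device budget is its 10 ms.
DEVRANDOM = ("/dev/urandom", "/dev/random", "/dev/srandom")
ENTROPY_NEEDED = 32   # bytes to collect; assumed for the example
TIMEOUT_MS = 10


def poll_random_devices(paths=DEVRANDOM, needed=ENTROPY_NEEDED,
                        timeout_ms=TIMEOUT_MS) -> bytes:
    """Walk the device list in order, reading non-blocking and waiting at
    most timeout_ms per device, until `needed` bytes have been collected.
    Missing devices are skipped; a device that stalls (e.g. a drained
    /dev/random) costs at most the timeout before the next one is tried."""
    collected = bytearray()
    for path in paths:
        if len(collected) >= needed:
            break
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        except OSError:
            continue                      # not present on this platform
        try:
            deadline = time.monotonic() + timeout_ms / 1000.0
            while len(collected) < needed:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break                 # this device used up its budget
                ready, _, _ = select.select([fd], [], [], remaining)
                if not ready:
                    break
                try:
                    chunk = os.read(fd, needed - len(collected))
                except BlockingIOError:
                    continue              # readable flag was spurious; retry
                if not chunk:             # EOF: nothing more from this source
                    break
                collected += chunk
        finally:
            os.close(fd)
    return bytes(collected)


def default_list_available() -> bool:
    """True if at least one entry of the default list exists here."""
    return any(os.path.exists(p) for p in DEVRANDOM)


def demo_with_constructed_sources(needed: int = ENTROPY_NEEDED) -> bytes:
    """Constructed stand-in for the device list: a short file, a missing
    path and a long file, showing that the walk continues past a source
    that runs dry and past one that does not exist until `needed` is met."""
    with tempfile.TemporaryDirectory() as d:
        short, long_ = os.path.join(d, "short"), os.path.join(d, "long")
        with open(short, "wb") as f:
            f.write(b"A" * (needed // 2))
        with open(long_, "wb") as f:
            f.write(b"B" * (2 * needed))
        return poll_random_devices((short, os.path.join(d, "missing"), long_),
                                   needed)
```

A caller should treat a result shorter than `needed` as a failure to seed, which is exactly the case the EGD fallback in the preceding entry exists for.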
  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need: as opposed to those which an
     OCSP responder itself would need which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
     response. OCSP_response_get1_basic() extracts basic response
     from response. OCSP_resp_find_status(): finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     won't normally be used unless the application wishes to examine
     extensions in the OCSP response for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name which
     will be added elsewhere.
     [Steve Henson]

  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognise more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
     [Steve Henson]

  *) New extension functions for OCSP structures, these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certificates and CRLs.
     [Steve Henson]

  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up OCSP print format.
     [Steve Henson]

  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
     entries for variables.
     [Steve Henson]

  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
     [Steve Henson]

  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]

  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

  *) Added Kerberos Cipher Suites to be used with TLS, as written in
     RFC 2712.
     [Veers Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]

  *) Reformat the FAQ so the different questions and answers can be divided
     in sections depending on the subject.
     [Richard Levitte]

  *) Have the zlib compression code load ZLIB.DLL dynamically under
     Windows.
     [Richard Levitte]

  *) New function BN_mod_sqrt for computing square roots modulo a prime
     (using the probabilistic Tonelli-Shanks algorithm unless
     p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
     be handled deterministically).
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

  *) Make BN_mod_inverse faster by explicitly handling small quotients
     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
     512 bits], about 30% for larger ones [1024 or 2048 bits].)
     [Bodo Moeller]

  *) New function BN_kronecker.
     [Bodo Moeller]

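The BN_mod_sqrt case split above (direct formulas for p == 3 (mod 4) and p == 5 (mod 8), Tonelli-Shanks otherwise) together with the Kronecker symbol that BN_kronecker computes, written out on Python integers as an added example; this is not OpenSSL's bn code, and the way the non-residue for Tonelli-Shanks is found (trying 2, 3, 4, ... in turn) is an assumption of the example.

```python
from typing import Optional


def kronecker(a: int, n: int) -> int:
    """Kronecker symbol (a|n), the function BN_kronecker computes. For an
    odd prime n it is the Legendre symbol: +1 if a is a non-zero square mod n,
    -1 if it is not, 0 if n divides a. n may be even, negative or zero."""
    if n == 0:
        return 1 if abs(a) == 1 else 0
    result = 1
    if n < 0:
        n = -n
        if a < 0:
            result = -1
    # strip factors of two from n: (a|2) is 0 for even a, +1 for a = +-1 (mod 8)
    # and -1 for a = +-3 (mod 8)
    while n % 2 == 0:
        n //= 2
        if a % 2 == 0:
            return 0
        if a % 8 in (3, 5):
            result = -result
    # n is now odd and positive: the Jacobi symbol via quadratic reciprocity
    a %= n
    while a != 0:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def mod_sqrt(a: int, p: int) -> Optional[int]:
    """A square root of a modulo the odd prime p, with the same case split
    as BN_mod_sqrt. Returns None when a is a quadratic non-residue, which a
    caller must treat as an error rather than use as a root."""
    a %= p
    if a == 0:
        return 0
    if kronecker(a, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:
        # Atkin's formula: v = (2a)^((p-5)/8), i = 2 a v^2, root = a v (i - 1)
        v = pow(2 * a, (p - 5) // 8, p)
        i = 2 * a * v * v % p
        return a * v * (i - 1) % p
    # Tonelli-Shanks: write p - 1 = q * 2^s with q odd
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # the probabilistic step is finding a non-residue z; this example simply
    # tries small integers in turn (assumed, not necessarily what OpenSSL does)
    z = 2
    while kronecker(z, p) != -1:
        z += 1
    c = pow(z, q, p)
    x = pow(a, (q + 1) // 2, p)
    t = pow(a, q, p)
    m = s
    while t != 1:
        # least i with t^(2^i) == 1; the invariant guarantees i < m
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        x = x * b % p
        t = t * b * b % p
        c = b * b % p
        m = i
    return x


def is_sqrt(r: Optional[int], a: int, p: int) -> bool:
    """Check a returned root, as a caller of BN_mod_sqrt should."""
    return r is not None and r * r % p == a % p
```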
  *) Fix BN_gcd so that it works on negative inputs; the result is
     positive unless both parameters are zero.
     Previously something reasonably close to an infinite loop was
     possible because numbers could be growing instead of shrinking
     in the implementation of Euclid's algorithm.
     [Bodo Moeller]

  *) Fix BN_is_word() and BN_is_one() macros to take into account the
     sign of the number in question.

     Fix BN_is_word(a,w) to work correctly for w == 0.

     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
     because it tests if the absolute value of 'a' equals 'w'.
     Note that BN_abs_is_word does *not* handle w == 0 reliably;
     it exists mostly for use in the implementations of BN_is_zero(),
     BN_is_one(), and BN_is_word().
     [Bodo Moeller]

  *) New function BN_swap.
     [Bodo Moeller]

  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
     the exponentiation functions are more likely to produce reasonable
     results on negative inputs.
     [Bodo Moeller]

  *) Change BN_mod_mul so that the result is always non-negative.
     Previously, it could be negative if one of the factors was negative;
     I don't think anyone really wanted that behaviour.
     [Bodo Moeller]

  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
     and add new functions:

        BN_nnmod
        BN_mod_sqr
        BN_mod_add
        BN_mod_add_quick
        BN_mod_sub
        BN_mod_sub_quick
        BN_mod_lshift1
        BN_mod_lshift1_quick
        BN_mod_lshift
        BN_mod_lshift_quick

     These functions always generate non-negative results.

     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
     such that -|m| < r < 0, BN_nnmod will output r + |m| instead).

     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
     BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
     be reduced modulo m.
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

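The sign conventions from the BIGNUM entries above (BN_nnmod versus BN_mod, the _quick variants and their reduced-input precondition, the non-negative BN_mod_mul, and BN_gcd on negative inputs) modelled on Python integers as an added example, not OpenSSL code; the functions are named after their BIGNUM counterparts, and the quick variants deliberately skip any check of their precondition the way the C functions do.

```python
def bn_mod(a: int, m: int) -> int:
    """Remainder carrying the sign of the dividend, which is what BN_mod
    (via BN_div) gives for negative inputs: bn_mod(-7, 5) == -2."""
    r = abs(a) % abs(m)
    return -r if a < 0 else r


def bn_nnmod(a: int, m: int) -> int:
    """BN_nnmod: a negative remainder r (-|m| < r < 0) from bn_mod is
    returned as r + |m|, so the result always lies in [0, |m|)."""
    r = bn_mod(a, m)
    return r + abs(m) if r < 0 else r


def is_reduced(m: int, *values: int) -> bool:
    """The precondition of every BN_mod_XXX_quick: inputs in [0, m)."""
    return all(0 <= v < m for v in values)


def bn_mod_add(a: int, b: int, m: int) -> int:
    """General BN_mod_add: any integer inputs, non-negative result."""
    return bn_nnmod(a + b, m)


def bn_mod_add_quick(a: int, b: int, m: int) -> int:
    """BN_mod_add_quick: one conditional subtraction replaces the division.
    Correct only when a and b are reduced; like the C function it does not
    check, and silently returns an out-of-range value otherwise."""
    r = a + b
    return r - m if r >= m else r


def bn_mod_sub_quick(a: int, b: int, m: int) -> int:
    """BN_mod_sub_quick: the same idea with one conditional addition."""
    r = a - b
    return r + m if r < 0 else r


def bn_mod_lshift_quick(a: int, n: int, m: int) -> int:
    """BN_mod_lshift_quick: n doublings, each followed by at most one
    conditional subtraction, which only suffices when a < m on entry."""
    for _ in range(n):
        a <<= 1
        if a >= m:
            a -= m
    return a


def bn_mod_mul(a: int, b: int, m: int) -> int:
    """BN_mod_mul after the change: non-negative even for negative factors."""
    return bn_nnmod(a * b, m)


def bn_gcd(a: int, b: int) -> int:
    """BN_gcd after the fix: accepts negative inputs; the result is positive
    unless both inputs are zero, in which case it is zero."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a
```

The test's `bn_mod_add_quick(12, 1, 5)` case is the hazard the precondition warns about: the quick variant returns 8, not 3, and nothing flags it.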
85fb12d5 | 1505 | *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there |
baa257f1 RL |
1506 | was actually never needed) and in BN_mul(). The removal in BN_mul() |
1507 | required a small change in bn_mul_part_recursive() and the addition | |
1946cd8b UM |
1508 | of the functions bn_cmp_part_words(), bn_sub_part_words() and |
1509 | bn_add_part_words(), which do the same thing as bn_cmp_words(), | |
baa257f1 RL |
1510 | bn_sub_words() and bn_add_words() except they take arrays with |
1511 | differing sizes. | |
1512 | [Richard Levitte] | |
1513 | ||
85fb12d5 | 1514 | *) In 'openssl passwd', verify passwords read from the terminal |
db70a3fd BM |
1515 | unless the '-salt' option is used (which usually means that |
1516 | verification would just waste user's time since the resulting | |
1517 | hash is going to be compared with some given password hash) | |
1518 | or the new '-noverify' option is used. | |
1519 | ||
1520 | This is an incompatible change, but it does not affect | |
1521 | non-interactive use of 'openssl passwd' (passwords on the command | |
1522 | line, '-stdin' option, '-in ...' option) and thus should not | |
1523 | cause any problems. | |
1524 | [Bodo Moeller] | |
1525 | ||
85fb12d5 | 1526 | *) Remove all references to RSAref, since there's no more need for it. |
ccb9643f RL |
1527 | [Richard Levitte] |
1528 | ||
85fb12d5 | 1529 | *) Make DSO load along a path given through an environment variable |
e06433d9 RL |
1530 | (SHLIB_PATH) with shl_load(). |
1531 | [Richard Levitte] | |
1532 | ||
85fb12d5 | 1533 | *) Constify the ENGINE code as a result of BIGNUM constification. |
55b3c877 RL |
1534 | Also constify the RSA code and most things related to it. In a |
1535 | few places, most notable in the depth of the ASN.1 code, ugly | |
1536 | casts back to non-const were required (to be solved at a later | |
1537 | time) | |
10e473e9 RL |
1538 | [Richard Levitte] |
1539 | ||
85fb12d5 | 1540 | *) Make it so the openssl application has all engines loaded by default. |
e7ef1a56 RL |
1541 | [Richard Levitte] |
1542 | ||
85fb12d5 | 1543 | *) Constify the BIGNUM routines a little more. |
020fc820 RL |
1544 | [Richard Levitte] |
1545 | ||
85fb12d5 | 1546 | *) Add the following functions: |
11c0f120 RL |
1547 | |
1548 | ENGINE_load_cswift() | |
1549 | ENGINE_load_chil() | |
1550 | ENGINE_load_atalla() | |
1551 | ENGINE_load_nuron() | |
1552 | ENGINE_load_builtin_engines() | |
1553 | ||
1554 | That way, an application can itself choose if external engines that | |
1555 | are built-in in OpenSSL shall ever be used or not. The benefit is | |
1556 | that applications won't have to be linked with libdl or other dso | |
1557 | libraries unless it's really needed. | |
1558 | ||
1559 | Changed 'openssl engine' to load all engines on demand. | |
1560 | Changed the engine header files to avoid the duplication of some | |
1561 | declarations (they differed!). | |
1562 | [Richard Levitte] | |
1563 | ||
85fb12d5 | 1564 | *) 'openssl engine' can now list capabilities. |
69e7805f RL |
1565 | [Richard Levitte] |
1566 | ||
85fb12d5 | 1567 | *) Better error reporting in 'openssl engine'. |
e264cfe1 RL |
1568 | [Richard Levitte] |
1569 | ||
85fb12d5 | 1570 | *) Never call load_dh_param(NULL) in s_server. |
15d52ddb BM |
1571 | [Bodo Moeller] |
1572 | ||
85fb12d5 | 1573 | *) Add engine application. It can currently list engines by name and |
14c6d27d RL |
1574 | identity, and test if they are actually available. |
1575 | [Richard Levitte] | |
1576 | ||
85fb12d5 | 1577 | *) Improve RPM specification file by forcing symbolic linking and making |
501ebf16 RL |
1578 | sure the installed documentation is also owned by root.root. |
1579 | [Damien Miller <djm@mindrot.org>] | |
1580 | ||
85fb12d5 | 1581 | *) Give the OpenSSL applications more possibilities to make use of |
3aba98e7 RL |
1582 | keys (public as well as private) handled by engines. |
1583 | [Richard Levitte] | |
1584 | ||
85fb12d5 | 1585 | *) Add OCSP code that comes from CertCo. |
7c155330 RL |
1586 | [Richard Levitte] |
1587 | ||
85fb12d5 | 1588 | *) Add VMS support for the Rijndael code. |
5270e702 RL |
1589 | [Richard Levitte] |
1590 | ||
85fb12d5 | 1591 | *) Added untested support for Nuron crypto accelerator. |
5270e702 RL |
1592 | [Ben Laurie] |
1593 | ||
85fb12d5 | 1594 | *) Add support for external cryptographic devices. This code was |
5270e702 RL |
1595 | previously distributed separately as the "engine" branch. |
1596 | [Geoff Thorpe, Richard Levitte] | |
1597 | ||
85fb12d5 | 1598 | *) Rework the filename-translation in the DSO code. It is now possible to |
1df586be GT |
1599 | have far greater control over how a "name" is turned into a filename |
1600 | depending on the operating environment and any oddities about the | |
1601 | different shared library filenames on each system. | |
1602 | [Geoff Thorpe] | |
1603 | ||
85fb12d5 | 1604 | *) Support threads on FreeBSD-elf in Configure. |
53400da7 RL |
1605 | [Richard Levitte] |
1606 | ||
85fb12d5 | 1607 | *) Fix for SHA1 assembly problem with MASM: it produces |
627ec355 DSH |
1608 | warnings about corrupt line number information when assembling |
1609 | with debugging information. This is caused by the overlapping | |
1610 | of two sections. | |
1611 | [Bernd Matthes <mainbug@celocom.de>, Steve Henson] | |
1612 | ||
85fb12d5 | 1613 | *) NCONF changes. |
567f17cf RL |
1614 | NCONF_get_number() has no error checking at all. As a replacement, |
1615 | NCONF_get_number_e() is defined (_e for "error checking") and is | |
1616 | promoted strongly. The old NCONF_get_number is kept around for | |
1617 | binary backward compatibility. | |
1618 | Make it possible for methods to load from something other than a BIO, | |
1619 | by providing a function pointer that is given a name instead of a BIO. | |
1620 | For example, this could be used to load configuration data from an | |
1621 | LDAP server. | |
1622 | [Richard Levitte] | |
1623 | ||
85fb12d5 | 1624 | *) Fix for non blocking accept BIOs. Added new I/O special reason |
924046ce DSH |
1625 | BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs |
1626 | with non blocking I/O was not possible because no retry code was | |
1627 | implemented. Also added new SSL code SSL_WANT_ACCEPT to cover | |
1628 | this case. | |
1629 | [Steve Henson] | |
1630 | ||
85fb12d5 | 1631 | *) Added the beginnings of Rijndael support. |
3ab56511 RL |
1632 | [Ben Laurie] |
1633 | ||
85fb12d5 | 1634 | *) Fix for bug in DirectoryString mask setting. Add support for |
8ca533e3 DSH |
1635 | X509_NAME_print_ex() in 'req' and X509_print_ex() function |
1636 | to allow certificate printing to more controllable, additional | |
1637 | 'certopt' option to 'x509' to allow new printing options to be | |
1638 | set. | |
d0c98589 DSH |
1639 | [Steve Henson] |
1640 | ||
85fb12d5 | 1641 | *) Clean old EAY MD5 hack from e_os.h. |
ef71cb6d RL |
1642 | [Richard Levitte] |
1643 | ||
381a146d LJ |
1644 | Changes between 0.9.6c and 0.9.6d [XX xxx 2002] |
1645 | ||
8df61b50 BM |
1646 | *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not |
1647 | encoded as NULL) with id-dsa-with-sha1. | |
1648 | [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller] | |
1649 | ||
1064acaf BM |
1650 | *) Check various X509_...() return values in apps/req.c. |
1651 | [Nils Larsch <nla@trustcenter.de>] | |
1652 | ||
2940a129 LJ |
1653 | *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines: |
1654 | an end-of-file condition would erronously be flagged, when the CRLF | |
1655 | was just at the end of a processed block. The bug was discovered when | |
1656 | processing data through a buffering memory BIO handing the data to a | |
1657 | BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov | |
1658 | <ptsekov@syntrex.com> and Nedelcho Stanev. | |
1659 | [Lutz Jaenicke] | |
1660 | ||
82b0bf0b BM |
1661 | *) Implement a countermeasure against a vulnerability recently found |
1662 | in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment | |
1663 | before application data chunks to avoid the use of known IVs | |
1664 | with data potentially chosen by the attacker. | |
1665 | [Bodo Moeller] | |
1666 | ||
1667 | *) Fix length checks in ssl3_get_client_hello(). | |
1668 | [Bodo Moeller] | |
1669 | ||
1670 | *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently | |
1671 | to prevent ssl3_read_internal() from incorrectly assuming that | |
1672 | ssl3_read_bytes() found application data while handshake | |
1673 | processing was enabled when in fact s->s3->in_read_app_data was | |
1674 | merely automatically cleared during the initial handshake. | |
1675 | [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>] | |
1676 | ||
381a146d LJ |
1677 | *) Fix object definitions for Private and Enterprise: they were not |
1678 | recognized in their shortname (=lowercase) representation. Extend | |
1679 | obj_dat.pl to issue an error when using undefined keywords instead | |
1680 | of silently ignoring the problem (Svenning Sorensen | |
1681 | <sss@sss.dnsalias.net>). | |
1682 | [Lutz Jaenicke] | |
1683 | ||
1684 | *) Fix DH_generate_parameters() so that it works for 'non-standard' | |
1685 | generators, i.e. generators other than 2 and 5. (Previously, the | |
1686 | code did not properly initialise the 'add' and 'rem' values to | |
1687 | BN_generate_prime().) | |
1688 | ||
1689 | In the new general case, we do not insist that 'generator' is | |
1690 | actually a primitive root: This requirement is rather pointless; | |
1691 | a generator of the order-q subgroup is just as good, if not | |
1692 | better. | |
1693 | [Bodo Moeller] | |
1694 | ||
1695 | *) Map new X509 verification errors to alerts. Discovered and submitted by | |
1696 | Tom Wu <tom@arcot.com>. | |
1697 | [Lutz Jaenicke] | |
1698 | ||
1699 | *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from | |
1700 | returning non-zero before the data has been completely received | |
1701 | when using non-blocking I/O. | |
1702 | [Bodo Moeller; problem pointed out by John Hughes] | |
1703 | ||
1704 | *) Some of the ciphers missed the strength entry (SSL_LOW etc). | |
1705 | [Ben Laurie, Lutz Jaenicke] | |
1706 | ||
  *) Fix bug in SSL_clear(): bad sessions were not removed (found by
     Yoram Zahavi <YoramZ@gilian.com>).
     [Lutz Jaenicke]

  *) Add information about CygWin 1.3 and on, and preserve proper
     configuration for the versions before that.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

  *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
     check whether we deal with a copy of a session and do not delete from
     the cache in this case. Problem reported by "Izhar Shoshani Levi"
     <izhar@checkpoint.com>.
     [Lutz Jaenicke]

  *) Do not store session data into the internal session cache, if it
     is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
     flag is set). Proposed by Aslam <aslam@funk.com>.
     [Lutz Jaenicke]

  *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
     value is 0.
     [Richard Levitte]

  *) Add the configuration target linux-s390x.
     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]

  *) [In 0.9.6d-engine release:]
     Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been
     received. As the flag value will be lost between multiple
     invocations of ssl3_accept when using non-blocking I/O, the
     function may not be aware that a handshake has actually taken
     place, thus preventing a new session from being added to the
     session cache.

     To avoid this problem, we now set s->new_session to 2 instead of
     using a local variable.
     [Lutz Jaenicke, Bodo Moeller]

  *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
     if the SSL_R_LENGTH_MISMATCH error is detected.
     [Geoff Thorpe, Bodo Moeller]

  *) New 'shared_ldflag' column in Configure platform table.
     [Richard Levitte]

  *) Fix EVP_CIPHER_mode macro.
     ["Dan S. Camper" <dan@bti.net>]

  *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
     type, we must throw them away by setting rr->length to 0.
     [D P Chang <dpc@qualys.com>]

  Changes between 0.9.6b and 0.9.6c [21 dec 2001]

  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
     <Dominikus.Scherkl@biodata.com>. (The previous implementation
     worked incorrectly for those cases where range = 10..._2 and
     3*range is two bits longer than range.)
     [Bodo Moeller]
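The bias behind this entry, as an added example that is not OpenSSL's code: it models the 0.9.6b branch condition (only bit n-2 inspected) beside the 0.9.6c one (range must be 100..._2) on small unsigned integers, and enumerates every raw random value so the non-uniform output for range = 1011_2 can be counted rather than sampled. Function names are my own.

```c
#include <stdio.h>

/* Number of bits in v (v > 0). */
static int bit_len(unsigned v) { int n = 0; while (v) { n++; v >>= 1; } return n; }

/* 0.9.6b: the wide branch was taken whenever bit n-2 was clear (range = 10..._2). */
static int wide_branch_0_9_6b(unsigned range) {
    int n = bit_len(range);
    return n > 1 && !((range >> (n - 2)) & 1);
}
/* 0.9.6c: bits n-2 and n-3 must both be clear (range = 100..._2), which is
 * what guarantees that 3*range is exactly one bit longer than range. */
static int wide_branch_0_9_6c(unsigned range) {
    int n = bit_len(range);
    return n > 2 && !((range >> (n - 2)) & 1) && !((range >> (n - 3)) & 1);
}

/* Wide branch: r was drawn with n+1 bits, then range is subtracted at most
 * twice. That equals r mod range only when r < 3*range; anything still
 * >= range afterwards is retried (return 0). */
static int wide_reduce(unsigned r, unsigned range, unsigned *out) {
    if (r >= range) { r -= range; if (r >= range) r -= range; }
    *out = r;
    return r < range;
}

/* Enumerate every equally likely raw value and count the outputs. Returns the
 * spread max-min of the counts: 0 means the output is uniform. range <= 64. */
static unsigned spread(unsigned range, int wide) {
    unsigned counts[64] = {0}, lo = ~0u, hi = 0, v = 0;
    int n = bit_len(range);
    unsigned raw_max = 1u << (wide ? n + 1 : n);
    for (unsigned r = 0; r < raw_max; r++) {
        if (wide) { if (wide_reduce(r, range, &v)) counts[v]++; }
        else if (r < range) counts[r]++;        /* plain rejection sampling */
    }
    for (unsigned i = 0; i < range; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    return hi - lo;
}

int main(void) {
    unsigned range = 11;   /* 1011_2: 3*range = 33 = 100001_2, two bits longer */
    printf("range=%u  0.9.6b spread=%u  0.9.6c spread=%u\n", range,
           spread(range, wide_branch_0_9_6b(range)), spread(range, wide_branch_0_9_6c(range)));
    return 0;
}
```

For range = 11 the old branch produces residues 0..9 three times each and 10 only twice, while the new code falls back to rejection sampling and is uniform.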

  *) Only add signing time to PKCS7 structures if it is not already
     present.
     [Steve Henson]

  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
     OBJ_ld_ce should be OBJ_id_ce.
     Also some ip-pda OIDs in crypto/objects/objects.txt were
     incorrect (cf. RFC 3039).
     [Matt Cooper, Frederic Giudicelli, Bodo Moeller]

  *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
     returns early because it has nothing to do.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  *) [In 0.9.6c-engine release:]
     Fix mutex callback return values in crypto/engine/hw_ncipher.c.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  *) [In 0.9.6c-engine release:]
     Add support for Cryptographic Appliance's keyserver technology.
     (Use engine 'keyclient')
     [Cryptographic Appliances and Geoff Thorpe]

  *) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
     is called via tools/c89.sh because arguments have to be
     rearranged (all '-L' options must appear before the first object
     modules).
     [Richard Shapiro <rshapiro@abinitio.com>]

  *) [In 0.9.6c-engine release:]
     Add support for Broadcom crypto accelerator cards, backported
     from 0.9.7.
     [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for SureWare crypto accelerator cards from
     Baltimore Technologies. (Use engine 'sureware')
     [Baltimore Technologies and Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for crypto accelerator cards from Accelerated
     Encryption Processing, www.aep.ie. (Use engine 'aep')
     [AEP Inc. and Mark Cox]

  *) Add a configuration entry for gcc on UnixWare.
     [Gary Benson <gbenson@redhat.com>]

  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
     [Bodo Moeller]

  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead. BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>]

  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled). In practice, ClientHello
     messages are never sent like this, but this change gives us
     strictly correct behaviour at least for TLS.
     [Bodo Moeller]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use. Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circumvents various
     cleanups done in state SSL_ST_OK. But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occurred. (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored. However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]
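An added example (not OpenSSL's code) in the spirit of the entry above: a record check that reports padding and MAC failures with separate codes, beside one that returns a single code and always performs the MAC computation, plus the padding-count range check the SSL 2.0 remark calls for. The record layout, toy_mac (a constructed stand-in for HMAC) and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { ERR_OK = 0, ERR_BAD_PADDING = 1, ERR_BAD_MAC = 2, ERR_DECRYPT_FAILED = 3 };
enum { MAC_LEN = 4, BLOCK = 8 };

/* Constructed stand-in for HMAC (FNV-1a over the bytes) so the example runs offline. */
static void toy_mac(const uint8_t *p, size_t n, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}
/* A padding count is legal if it fits in one block and leaves room for the MAC. */
static int pad_legal(uint8_t pad, size_t len) {
    return pad < BLOCK && (size_t)pad + 1 + MAC_LEN <= len;
}
/* Before: distinct codes, and no MAC work at all when the padding is bad,
 * so the caller (or a log line) can tell the two failures apart. */
static int check_record_before(const uint8_t *rec, size_t len) {
    uint8_t pad = rec[len - 1], mac[MAC_LEN];
    if (!pad_legal(pad, len)) return ERR_BAD_PADDING;
    size_t mac_off = len - 1 - pad - MAC_LEN;
    toy_mac(rec, mac_off, mac);
    return memcmp(mac, rec + mac_off, MAC_LEN) == 0 ? ERR_OK : ERR_BAD_MAC;
}
/* After: one code for either failure, and the MAC is always computed (over a
 * zero-padding reading of the record when the count is illegal). */
static int check_record_after(const uint8_t *rec, size_t len) {
    uint8_t pad = rec[len - 1], mac[MAC_LEN];
    int good = pad_legal(pad, len);
    if (!good) pad = 0;
    size_t mac_off = len - 1 - pad - MAC_LEN;
    toy_mac(rec, mac_off, mac);
    good &= memcmp(mac, rec + mac_off, MAC_LEN) == 0;
    return good ? ERR_OK : ERR_DECRYPT_FAILED;
}
/* Constructed 16-byte record [payload | mac | padding | count], optionally
 * corrupted, fed to one of the two checkers; returns the verdict. */
static int scenario(int corrupt_pad, int corrupt_mac, int fixed) {
    uint8_t rec[2 * BLOCK] = "hello, ";                /* 7 payload bytes */
    size_t payload = 7, pad = sizeof rec - payload - MAC_LEN - 1;   /* 4 */
    toy_mac(rec, payload, rec + payload);
    memset(rec + payload + MAC_LEN, (int)pad, pad);
    rec[sizeof rec - 1] = (uint8_t)pad;
    if (corrupt_pad) rec[sizeof rec - 1] = 200;        /* count larger than a block */
    if (corrupt_mac) rec[payload] ^= 0x01;
    return fixed ? check_record_after(rec, sizeof rec) : check_record_before(rec, sizeof rec);
}
```

The "after" form still uses memcmp, which stops at the first differing byte; a length-independent comparison is the next hardening step but is outside what this entry describes.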

  *) Add OpenUNIX-8 support including shared libraries
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper). Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  *) BN_sqr() bug fix.