]>
Commit | Line | Data |
---|---|---|
81a6c781 | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE |
3 | _______________ |
4 | ||
5dd24ead DSH |
5 | Changes between 0.9.8e and 0.9.8f [xx XXX xxxx] |
6 | ||
7cdb8158 BM |
7 | *) Mitigate branch prediction attacks, which can be practical if a |
8 | single processor is shared, allowing a spy process to extract | |
9 | information. For detailed background information, see | |
10 | http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, | |
11 | J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL | |
12 | and Necessary Software Countermeasures"). The core of the change | |
13 | are new versions BN_div_no_branch() and | |
14 | BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), | |
15 | respectively, which are slower, but avoid the security-relevant | |
16 | conditional branches. These are automatically called by BN_div() | |
17 | and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for the | |
18 | modulus. Also, BN_is_bit_set() has been changed to remove a | |
19 | conditional branch. | |
20 | ||
21 | BN_FLG_CONSTTIME is the new name for the previous | |
22 | BN_FLG_EXP_CONSTTIME flag, since it now affects more than just | |
23 | modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag | |
24 | in the exponent causes BN_mod_exp_mont() to use the alternative | |
25 | implementation in BN_mod_exp_mont_consttime().) The old name | |
26 | remains as a deprecated alias. | |
27 | ||
28 | Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general | |
29 | RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses | |
30 | constant-time implementations for more than just exponentiation. | |
31 | Here too the old name is kept as a deprecated alias. | |
32 | ||
33 | BN_BLINDING_new() will now use BN_dup() for the modulus so that | |
34 | the BN_BLINDING structure gets an independent copy of the | |
35 | modulus. This means that the previous "BIGNUM *m" argument to | |
36 | BN_BLINDING_new() and to BN_BLINDING_create_param() now | |
37 | essentially becomes "const BIGNUM *m", although we can't actually | |
38 | change this in the header file before 0.9.9. It allows | |
39 | RSA_setup_blinding() to use BN_with_flags() on the modulus to | |
40 | enable BN_FLG_CONSTTIME. | |
41 | ||
42 | [Matthew D Wood (Intel Corp)] | |
43 | ||
6fd3f326 BM |
44 | *) In the SSL/TLS server implementation, be strict about session ID |
45 | context matching (which matters if an application uses a single | |
46 | external cache for different purposes). Previously, | |
47 | out-of-context reuse was forbidden only if SSL_VERIFY_PEER was | |
48 | set. This did ensure strict client verification, but meant that, | |
49 | with applications using a single external cache for quite | |
50 | different requirements, clients could circumvent ciphersuite | |
51 | restrictions for a given session ID context by starting a session | |
52 | in a different context. | |
53 | [Bodo Moeller] | |
54 | ||
55f05012 BM |
55 | *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that |
56 | a ciphersuite string such as "DEFAULT:RSA" cannot enable | |
57 | authentication-only ciphersuites. | |
58 | [Bodo Moeller] | |
59 | ||
d9e26244 BM |
60 | Changes between 0.9.8d and 0.9.8e [23 Feb 2007] |
61 | ||
5f4cc234 BM |
62 | *) Since AES128 and AES256 (and similarly Camellia128 and |
63 | Camellia256) share a single mask bit in the logic of | |
64 | ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a | |
65 | kludge to work properly if AES128 is available and AES256 isn't | |
66 | (or if Camellia128 is available and Camellia256 isn't). | |
67 | [Victor Duchovni] | |
68 | ||
1a8521ff BM |
69 | *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c |
70 | (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): | |
71 | When a point or a seed is encoded in a BIT STRING, we need to | |
72 | prevent the removal of trailing zero bits to get the proper DER | |
73 | encoding. (By default, crypto/asn1/a_bitstr.c assumes the case | |
74 | of a NamedBitList, for which trailing 0 bits need to be removed.) | |
75 | [Bodo Moeller] | |
76 | ||
5c6f76da BM |
77 | *) Have SSL/TLS server implementation tolerate "mismatched" record |
78 | protocol version while receiving ClientHello even if the | |
79 | ClientHello is fragmented. (The server can't insist on the | |
80 | particular protocol version it has chosen before the ServerHello | |
81 | message has informed the client about his choice.) | |
82 | [Bodo Moeller] | |
83 | ||
4636341b BL |
84 | *) Add RFC 3779 support. |
85 | [Rob Austein for ARIN, Ben Laurie] | |
25e52a78 | 86 | |
900f7a87 DSH |
87 | *) Load error codes if they are not already present instead of using a |
88 | static variable. This allows them to be cleanly unloaded and reloaded. | |
89 | Improve header file function name parsing. | |
90 | [Steve Henson] | |
91 | ||
cdb13ae8 LJ |
92 | *) extend SMTP and IMAP protocol emulation in s_client to use EHLO |
93 | or CAPABILITY handshake as required by RFCs. | |
94 | [Goetz Babin-Ebell] | |
95 | ||
47c4bb2d | 96 | Changes between 0.9.8c and 0.9.8d [28 Sep 2006] |
da1841a0 | 97 | |
951dfbb1 MC |
98 | *) Introduce limits to prevent malicious keys being able to |
99 | cause a denial of service. (CVE-2006-2940) | |
100 | [Steve Henson, Bodo Moeller] | |
101 | ||
102 | *) Fix ASN.1 parsing of certain invalid structures that can result | |
103 | in a denial of service. (CVE-2006-2937) [Steve Henson] | |
104 | ||
105 | *) Fix buffer overflow in SSL_get_shared_ciphers() function. | |
106 | (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] | |
107 | ||
108 | *) Fix SSL client code which could crash if connecting to a | |
109 | malicious SSLv2 server. (CVE-2006-4343) | |
110 | [Tavis Ormandy and Will Drewry, Google Security Team] | |
111 | ||
879b30aa BM |
112 | *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites |
113 | match only those. Before that, "AES256-SHA" would be interpreted | |
8fdb296c BM |
114 | as a pattern and match "AES128-SHA" too (since AES128-SHA got |
115 | the same strength classification in 0.9.7h) as we currently only | |
879b30aa BM |
116 | have a single AES bit in the ciphersuite description bitmap. |
117 | That change, however, also applied to ciphersuite strings such as | |
118 | "RC4-MD5" that intentionally matched multiple ciphersuites -- | |
119 | namely, SSL 2.0 ciphersuites in addition to the more common ones | |
120 | from SSL 3.0/TLS 1.0. | |
121 | ||
122 | So we change the selection algorithm again: Naming an explicit | |
123 | ciphersuite selects this one ciphersuite, and any other similar | |
124 | ciphersuite (same bitmap) from *other* protocol versions. | |
125 | Thus, "RC4-MD5" again will properly select both the SSL 2.0 | |
126 | ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. | |
127 | ||
128 | Since SSL 2.0 does not have any ciphersuites for which the | |
129 | 128/256 bit distinction would be relevant, this works for now. | |
130 | The proper fix will be to use different bits for AES128 and | |
131 | AES256, which would have avoided the problems from the beginning; | |
132 | however, bits are scarce, so we can only do this in a new release | |
133 | (not just a patchlevel) when we can change the SSL_CIPHER | |
134 | definition to split the single 'unsigned long mask' bitmap into | |
135 | multiple values to extend the available space. | |
136 | ||
137 | [Bodo Moeller] | |
138 | ||
0a0a10d1 | 139 | Changes between 0.9.8b and 0.9.8c [05 Sep 2006] |
1c5dc844 | 140 | |
df20b6e7 MC |
141 | *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher |
142 | (CVE-2006-4339) [Ben Laurie and Google Security Team] | |
143 | ||
4b9dcd82 BL |
144 | *) Add AES IGE and biIGE modes. |
145 | [Ben Laurie] | |
146 | ||
ec67e3b7 BM |
147 | *) Change the Unix randomness entropy gathering to use poll() when |
148 | possible instead of select(), since the latter has some | |
149 | undesirable limitations. | |
150 | [Darryl Miles via Richard Levitte and Bodo Moeller] | |
151 | ||
aa17ab7e BM |
152 | *) Disable "ECCdraft" ciphersuites more thoroughly. Now special |
153 | treatment in ssl/ssl_ciph.s makes sure that these ciphersuites | |
154 | cannot be implicitly activated as part of, e.g., the "AES" alias. | |
155 | However, please upgrade to OpenSSL 0.9.9[-dev] for | |
156 | non-experimental use of the ECC ciphersuites to get TLS extension | |
157 | support, which is required for curve and point format negotiation | |
158 | to avoid potential handshake problems. | |
35908bd0 BM |
159 | [Bodo Moeller] |
160 | ||
0e73294e BM |
161 | *) Disable rogue ciphersuites: |
162 | ||
163 | - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") | |
164 | - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") | |
165 | - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") | |
166 | ||
167 | The latter two were purportedly from | |
168 | draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really | |
169 | appear there. | |
170 | ||
68bb9815 | 171 | Also deactivate the remaining ciphersuites from |
0e73294e BM |
172 | draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as |
173 | unofficial, and the ID has long expired. | |
174 | [Bodo Moeller] | |
175 | ||
6d2cd23f BM |
176 | *) Fix RSA blinding Heisenbug (problems sometimes occured on |
177 | dual-core machines) and other potential thread-safety issues. | |
178 | [Bodo Moeller] | |
179 | ||
e18eef3d BM |
180 | *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key |
181 | versions), which is now available for royalty-free use | |
182 | (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). | |
183 | Also, add Camellia TLS ciphersuites from RFC 4132. | |
184 | ||
185 | To minimize changes between patchlevels in the OpenSSL 0.9.8 | |
186 | series, Camellia remains excluded from compilation unless OpenSSL | |
187 | is configured with 'enable-camellia'. | |
188 | [NTT] | |
189 | ||
b723a7b1 DSH |
190 | *) Disable the padding bug check when compression is in use. The padding |
191 | bug check assumes the first packet is of even length, this is not | |
192 | necessarily true if compresssion is enabled and can result in false | |
193 | positives causing handshake failure. The actual bug test is ancient | |
194 | code so it is hoped that implementations will either have fixed it by | |
195 | now or any which still have the bug do not support compression. | |
196 | [Steve Henson] | |
1c5dc844 | 197 | |
f871949e | 198 | Changes between 0.9.8a and 0.9.8b [04 May 2006] |
d8b408b1 | 199 | |
cbb0b734 DSH |
200 | *) When applying a cipher rule check to see if string match is an explicit |
201 | cipher suite and only match that one cipher suite if it is. | |
202 | [Steve Henson] | |
203 | ||
217382d5 DSH |
204 | *) Link in manifests for VC++ if needed. |
205 | [Austin Ziegler <halostatue@gmail.com>] | |
206 | ||
bc932045 | 207 | *) Update support for ECC-based TLS ciphersuites according to |
5586a71a BM |
208 | draft-ietf-tls-ecc-12.txt with proposed changes (but without |
209 | TLS extensions, which are supported starting with the 0.9.9 | |
210 | branch, not in the OpenSSL 0.9.8 branch). | |
bc932045 BM |
211 | [Douglas Stebila] |
212 | ||
23d43aae BM |
213 | *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support |
214 | opaque EVP_CIPHER_CTX handling. | |
215 | [Steve Henson] | |
216 | ||
7614f0e5 DSH |
217 | *) Fixes and enhancements to zlib compression code. We now only use |
218 | "zlib1.dll" and use the default __cdecl calling convention on Win32 | |
219 | to conform with the standards mentioned here: | |
220 | http://www.zlib.net/DLL_FAQ.txt | |
221 | Static zlib linking now works on Windows and the new --with-zlib-include | |
222 | --with-zlib-lib options to Configure can be used to supply the location | |
223 | of the headers and library. Gracefully handle case where zlib library | |
224 | can't be loaded. | |
225 | [Steve Henson] | |
226 | ||
feef17fd DSH |
227 | *) Several fixes and enhancements to the OID generation code. The old code |
228 | sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't | |
229 | handle numbers larger than ULONG_MAX, truncated printing and had a | |
230 | non standard OBJ_obj2txt() behaviour. | |
231 | [Steve Henson] | |
232 | ||
abb0c2bb DSH |
233 | *) Add support for building of engines under engine/ as shared libraries |
234 | under VC++ build system. | |
235 | [Steve Henson] | |
236 | ||
d3afc92b RL |
237 | *) Corrected the numerous bugs in the Win32 path splitter in DSO. |
238 | Hopefully, we will not see any false combination of paths any more. | |
239 | [Richard Levitte] | |
240 | ||
64932f9e MC |
241 | Changes between 0.9.8 and 0.9.8a [11 Oct 2005] |
242 | ||
243 | *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING | |
244 | (part of SSL_OP_ALL). This option used to disable the | |
245 | countermeasure against man-in-the-middle protocol-version | |
246 | rollback in the SSL 2.0 server implementation, which is a bad | |
802c0146 | 247 | idea. (CVE-2005-2969) |
64932f9e MC |
248 | |
249 | [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center | |
250 | for Information Security, National Institute of Advanced Industrial | |
251 | Science and Technology [AIST], Japan)] | |
750cb3d2 | 252 | |
0fce007b DSH |
253 | *) Add two function to clear and return the verify parameter flags. |
254 | [Steve Henson] | |
255 | ||
3c0e39c5 NL |
256 | *) Keep cipherlists sorted in the source instead of sorting them at |
257 | runtime, thus removing the need for a lock. | |
258 | [Nils Larsch] | |
259 | ||
19fddebf | 260 | *) Avoid some small subgroup attacks in Diffie-Hellman. |
60864221 BL |
261 | [Nick Mathewson and Ben Laurie] |
262 | ||
263 | *) Add functions for well-known primes. | |
264 | [Nick Mathewson] | |
9ddb11f1 | 265 | |
98e98614 AP |
266 | *) Extended Windows CE support. |
267 | [Satoshi Nakamura and Andy Polyakov] | |
268 | ||
222f2246 DSH |
269 | *) Initialize SSL_METHOD structures at compile time instead of during |
270 | runtime, thus removing the need for a lock. | |
271 | [Steve Henson] | |
272 | ||
1682e8fb DSH |
273 | *) Make PKCS7_decrypt() work even if no certificate is supplied by |
274 | attempting to decrypt each encrypted key in turn. Add support to | |
275 | smime utility. | |
276 | [Steve Henson] | |
750cb3d2 | 277 | |
f254b540 | 278 | Changes between 0.9.7h and 0.9.8 [05 Jul 2005] |
12bdb643 | 279 | |
6d2cd23f BM |
280 | [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after |
281 | OpenSSL 0.9.8.] | |
282 | ||
1d01c9d4 RL |
283 | *) Add libcrypto.pc and libssl.pc for those who feel they need them. |
284 | [Richard Levitte] | |
285 | ||
286 | *) Change CA.sh and CA.pl so they don't bundle the CSR and the private | |
287 | key into the same file any more. | |
288 | [Richard Levitte] | |
289 | ||
e32ea818 AP |
290 | *) Add initial support for Win64, both IA64 and AMD64/x64 flavors. |
291 | [Andy Polyakov] | |
292 | ||
09c1a425 DSH |
293 | *) Add -utf8 command line and config file option to 'ca'. |
294 | [Stefan <stf@udoma.org] | |
295 | ||
1d01c9d4 RL |
296 | *) Removed the macro des_crypt(), as it seems to conflict with some |
297 | libraries. Use DES_crypt(). | |
298 | [Richard Levitte] | |
299 | ||
a4578a54 GT |
300 | *) Correct naming of the 'chil' and '4758cca' ENGINEs. This |
301 | involves renaming the source and generated shared-libs for | |
302 | both. The engines will accept the corrected or legacy ids | |
303 | ('ncipher' and '4758_cca' respectively) when binding. NB, | |
304 | this only applies when building 'shared'. | |
305 | [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe] | |
306 | ||
b6995add DSH |
307 | *) Add attribute functions to EVP_PKEY structure. Modify |
308 | PKCS12_create() to recognize a CSP name attribute and | |
309 | use it. Make -CSP option work again in pkcs12 utility. | |
310 | [Steve Henson] | |
311 | ||
800e400d NL |
312 | *) Add new functionality to the bn blinding code: |
313 | - automatic re-creation of the BN_BLINDING parameters after | |
314 | a fixed number of uses (currently 32) | |
315 | - add new function for parameter creation | |
316 | - introduce flags to control the update behaviour of the | |
317 | BN_BLINDING parameters | |
318 | - hide BN_BLINDING structure | |
319 | Add a second BN_BLINDING slot to the RSA structure to improve | |
320 | performance when a single RSA object is shared among several | |
321 | threads. | |
322 | [Nils Larsch] | |
323 | ||
36d16f8e BL |
324 | *) Add support for DTLS. |
325 | [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie] | |
326 | ||
dc0ed30c NL |
327 | *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) |
328 | to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() | |
329 | [Walter Goulet] | |
330 | ||
6049399b NL |
331 | *) Remove buggy and incompletet DH cert support from |
332 | ssl/ssl_rsa.c and ssl/s3_both.c | |
333 | [Nils Larsch] | |
334 | ||
12bdb643 NL |
335 | *) Use SHA-1 instead of MD5 as the default digest algorithm for |
336 | the apps/openssl applications. | |
337 | [Nils Larsch] | |
4d94ae00 | 338 | |
41a15c4f BL |
339 | *) Compile clean with "-Wall -Wmissing-prototypes |
340 | -Wstrict-prototypes -Wmissing-declarations -Werror". Currently | |
341 | DEBUG_SAFESTACK must also be set. | |
342 | [Ben Laurie] | |
343 | ||
c9a112f5 | 344 | *) Change ./Configure so that certain algorithms can be disabled by default. |
ecc5ef87 BM |
345 | The new counterpiece to "no-xxx" is "enable-xxx". |
346 | ||
347 | The patented RC5 and MDC2 algorithms will now be disabled unless | |
348 | "enable-rc5" and "enable-mdc2", respectively, are specified. | |
349 | ||
350 | (IDEA remains enabled despite being patented. This is because IDEA | |
351 | is frequently required for interoperability, and there is no license | |
352 | fee for non-commercial use. As before, "no-idea" can be used to | |
353 | avoid this algorithm.) | |
354 | ||
c9a112f5 BM |
355 | [Bodo Moeller] |
356 | ||
6951c23a RL |
357 | *) Add processing of proxy certificates (see RFC 3820). This work was |
358 | sponsored by KTH (The Royal Institute of Technology in Stockholm) and | |
359 | EGEE (Enabling Grids for E-science in Europe). | |
360 | [Richard Levitte] | |
361 | ||
ea681ba8 AP |
362 | *) RC4 performance overhaul on modern architectures/implementations, such |
363 | as Intel P4, IA-64 and AMD64. | |
364 | [Andy Polyakov] | |
365 | ||
401ee37a DSH |
366 | *) New utility extract-section.pl. This can be used specify an alternative |
367 | section number in a pod file instead of having to treat each file as | |
368 | a separate case in Makefile. This can be done by adding two lines to the | |
369 | pod file: | |
370 | ||
371 | =for comment openssl_section:XXX | |
372 | ||
373 | The blank line is mandatory. | |
374 | ||
375 | [Steve Henson] | |
376 | ||
826a42a0 DSH |
377 | *) New arguments -certform, -keyform and -pass for s_client and s_server |
378 | to allow alternative format key and certificate files and passphrase | |
379 | sources. | |
380 | [Steve Henson] | |
381 | ||
5d7c222d DSH |
382 | *) New structure X509_VERIFY_PARAM which combines current verify parameters, |
383 | update associated structures and add various utility functions. | |
384 | ||
385 | Add new policy related verify parameters, include policy checking in | |
386 | standard verify code. Enhance 'smime' application with extra parameters | |
387 | to support policy checking and print out. | |
388 | [Steve Henson] | |
389 | ||
30fe028f GT |
390 | *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 |
391 | Nehemiah processors. These extensions support AES encryption in hardware | |
392 | as well as RNG (though RNG support is currently disabled). | |
393 | [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] | |
394 | ||
df11e1e9 GT |
395 | *) Deprecate BN_[get|set]_params() functions (they were ignored internally). |
396 | [Geoff Thorpe] | |
397 | ||
ad500340 AP |
398 | *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. |
399 | [Andy Polyakov and a number of other people] | |
400 | ||
e14f4aab AP |
401 | *) Improved PowerPC platform support. Most notably BIGNUM assembler |
402 | implementation contributed by IBM. | |
403 | [Suresh Chari, Peter Waltenberg, Andy Polyakov] | |
404 | ||
bcfea9fb GT |
405 | *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public |
406 | exponent rather than 'unsigned long'. There is a corresponding change to | |
407 | the new 'rsa_keygen' element of the RSA_METHOD structure. | |
408 | [Jelte Jansen, Geoff Thorpe] | |
409 | ||
d5f686d8 BM |
410 | *) Functionality for creating the initial serial number file is now |
411 | moved from CA.pl to the 'ca' utility with a new option -create_serial. | |
412 | ||
413 | (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial | |
414 | number file to 1, which is bound to cause problems. To avoid | |
415 | the problems while respecting compatibility between different 0.9.7 | |
416 | patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in | |
417 | CA.pl for serial number initialization. With the new release 0.9.8, | |
418 | we can fix the problem directly in the 'ca' utility.) | |
64674bcc DSH |
419 | [Steve Henson] |
420 | ||
3a87a9b9 GT |
421 | *) Reduced header interdepencies by declaring more opaque objects in |
422 | ossl_typ.h. As a consequence, including some headers (eg. engine.h) will | |
423 | give fewer recursive includes, which could break lazy source code - so | |
424 | this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, | |
425 | developers should define this symbol when building and using openssl to | |
426 | ensure they track the recommended behaviour, interfaces, [etc], but | |
427 | backwards-compatible behaviour prevails when this isn't defined. | |
428 | [Geoff Thorpe] | |
429 | ||
bf5773fa DSH |
430 | *) New function X509_POLICY_NODE_print() which prints out policy nodes. |
431 | [Steve Henson] | |
432 | ||
216659eb DSH |
433 | *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. |
434 | This will generate a random key of the appropriate length based on the | |
435 | cipher context. The EVP_CIPHER can provide its own random key generation | |
436 | routine to support keys of a specific form. This is used in the des and | |
437 | 3des routines to generate a key of the correct parity. Update S/MIME | |
438 | code to use new functions and hence generate correct parity DES keys. | |
439 | Add EVP_CHECK_DES_KEY #define to return an error if the key is not | |
440 | valid (weak or incorrect parity). | |
441 | [Steve Henson] | |
442 | ||
e1a27eb3 DSH |
443 | *) Add a local set of CRLs that can be used by X509_verify_cert() as well |
444 | as looking them up. This is useful when the verified structure may contain | |
445 | CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs | |
446 | present unless the new PKCS7_NO_CRL flag is asserted. | |
447 | [Steve Henson] | |
448 | ||
6446e0c3 DSH |
449 | *) Extend ASN1 oid configuration module. It now additionally accepts the |
450 | syntax: | |
451 | ||
452 | shortName = some long name, 1.2.3.4 | |
453 | [Steve Henson] | |
454 | ||
5c98b2ca GT |
455 | *) Reimplemented the BN_CTX implementation. There is now no more static |
456 | limitation on the number of variables it can handle nor the depth of the | |
457 | "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack | |
458 | information can now expand as required, and rather than having a single | |
459 | static array of bignums, BN_CTX now uses a linked-list of such arrays | |
460 | allowing it to expand on demand whilst maintaining the usefulness of | |
461 | BN_CTX's "bundling". | |
462 | [Geoff Thorpe] | |
463 | ||
46ef873f GT |
464 | *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD |
465 | to allow all RSA operations to function using a single BN_CTX. | |
466 | [Geoff Thorpe] | |
467 | ||
4acc3e90 DSH |
468 | *) Preliminary support for certificate policy evaluation and checking. This |
469 | is initially intended to pass the tests outlined in "Conformance Testing | |
470 | of Relying Party Client Certificate Path Processing Logic" v1.07. | |
471 | [Steve Henson] | |
472 | ||
7f663ce4 GT |
473 | *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and |
474 | remained unused and not that useful. A variety of other little bignum | |
475 | tweaks and fixes have also been made continuing on from the audit (see | |
476 | below). | |
477 | [Geoff Thorpe] | |
478 | ||
875a644a RL |
479 | *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with |
480 | associated ASN1, EVP and SSL functions and old ASN1 macros. | |
7f663ce4 | 481 | [Richard Levitte] |
875a644a | 482 | |
b6358c89 GT |
483 | *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, |
484 | and this should never fail. So the return value from the use of | |
485 | BN_set_word() (which can fail due to needless expansion) is now deprecated; | |
486 | if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. | |
487 | [Geoff Thorpe] | |
488 | ||
9e051bac GT |
489 | *) BN_CTX_get() should return zero-valued bignums, providing the same |
490 | initialised value as BN_new(). | |
491 |