git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Documentation language corrections, contributed by Chris Pepper <pepper@mail.reppep...
 OpenSSL CHANGES
 _______________

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

  *) Zero the premaster secret after deriving the master secret in
     DH ciphersuites.
     [Steve Henson]

  *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
     to data. This was previously part of the PKCS7 ASN1 code. This
     was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
     routines: without these tracing memory leaks is very painful.
     Fix leaks in PKCS12 and PKCS7 routines.
     [Steve Henson]

  *) Fix for Irix with NO_ASM.
     ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) Add some EVP_add_digest_alias registrations (as found in
     OpenSSL_add_all_digests()), to SSL_library_init()
     aka OpenSSL_add_ssl_algorithms(). This provides improved
     compatibility with peers using X.509 certificates
     with unconventional AlgorithmIdentifier OIDs.
     [Bodo Moeller]

  *) ./config script fixes.
     [Ulf Moeller, Richard Levitte]

  *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
     Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
     effectively meant GeneralizedTime would never be used. It is now
     initialised to -1, so X509_time_adj() has to check the value and use
     ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
     V_ASN1_GENERALIZEDTIME; without this it would always use GeneralizedTime.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
     result in a zero length in the ASN1_INTEGER structure which was
     not consistent with the structure when d2i_ASN1_INTEGER() was used
     and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
     to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
     where it did not print out a minus for negative ASN1_INTEGER.
     [Steve Henson]

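Added example (not OpenSSL code) of the DER INTEGER rules behind the BN_to_ASN1_INTEGER fix above: a minimal encoder and decoder for 64-bit signed values, where the decoder rejects the zero-length content the old code produced for zero, and a hex printer that emits the minus sign i2a_ASN1_INTEGER used to drop. The names der_encode_int, der_decode_int and der_int_to_hex are assumed.

```c
/* Added example, not OpenSSL code: minimal DER INTEGER encode/decode for a
 * 64-bit signed value. DER requires zero to be exactly one 0x00 content
 * octet (never an empty content), and negative values are carried in
 * two's complement with redundant leading sign octets removed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode v as a DER INTEGER (tag 0x02) into out (>= 10 bytes); returns total length. */
size_t der_encode_int(int64_t v, unsigned char *out) {
    unsigned char be[8];
    uint64_t u = (uint64_t)v;
    int start = 0;
    for (int i = 7; i >= 0; i--) { be[i] = (unsigned char)(u & 0xff); u >>= 8; }
    /* X.690 8.3.2: drop a leading 0x00 whose successor has bit 8 clear, or a
       leading 0xFF whose successor has bit 8 set; always keep one octet, so
       zero encodes as the single octet 0x00 rather than as nothing. */
    while (start < 7 &&
           ((be[start] == 0x00 && !(be[start + 1] & 0x80)) ||
            (be[start] == 0xff &&  (be[start + 1] & 0x80))))
        start++;
    size_t len = (size_t)(8 - start);
    out[0] = 0x02;
    out[1] = (unsigned char)len;
    memcpy(out + 2, be + start, len);
    return 2 + len;
}

/* Decode a DER INTEGER into *v. Returns 0 on success, -1 if the input is
   malformed: wrong tag, zero-length content (what the old BN_to_ASN1_INTEGER
   produced for zero), non-minimal leading octets, or more than 8 octets. */
int der_decode_int(const unsigned char *in, size_t inlen, int64_t *v) {
    if (inlen < 3 || in[0] != 0x02) return -1;
    size_t len = in[1];
    if (len == 0 || len > 8 || inlen < 2 + len) return -1;
    const unsigned char *c = in + 2;
    if (len > 1 && ((c[0] == 0x00 && !(c[1] & 0x80)) ||
                    (c[0] == 0xff &&  (c[1] & 0x80)))) return -1;
    uint64_t r = (c[0] & 0x80) ? ~(uint64_t)0 : 0;   /* sign-extend */
    for (size_t i = 0; i < len; i++) r = (r << 8) | c[i];
    *v = (int64_t)r;
    return 0;
}

/* Hex rendering in the style of i2a_ASN1_INTEGER: magnitude in upper-case
   hex, prefixed with '-' for negative values. Returns characters written. */
int der_int_to_hex(int64_t v, char *out, size_t outlen) {
    uint64_t mag = v < 0 ? (uint64_t)(-(v + 1)) + 1 : (uint64_t)v;  /* no overflow at INT64_MIN */
    return snprintf(out, outlen, "%s%llX", v < 0 ? "-" : "", (unsigned long long)mag);
}
```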
  *) Fix 'openssl passwd -1'.
     [Bodo Moeller]

  *) Add summary printout to ocsp utility. The various functions which
     convert status values to strings have been renamed to:
     OCSP_response_status_str(), OCSP_cert_status_str() and
     OCSP_crl_reason_str() and are no longer static. New options
     to verify nonce values and to disable verification. OCSP response
     printout format cleaned up.
     [Steve Henson]

  *) Add additional OCSP certificate checks. These are those specified
     in RFC2560. This consists of two separate checks: the CA of the
     certificate being checked must either be the OCSP signer certificate
     or the issuer of the OCSP signer certificate. In the latter case the
     OCSP signer certificate must contain the OCSP signing extended key
     usage. This check is performed by attempting to match the OCSP
     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
     in the OCSP_CERTID structures of the response.
     [Steve Henson]

  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
     the '-extensions ...' option may be used for specifying the
     section to use.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) Change PKCS12_key_gen_asc() so it can cope with non null-terminated
     strings whose length is passed in the passlen parameter, for example
     from PEM callbacks. This was done by adding an extra length parameter
     to asc2uni().
     [Steve Henson, reported by <oddissey@samsung.co.kr>]

  *) New OCSP utility. Allows OCSP requests to be generated or
     read. The request can be sent to a responder and the output
     parsed, output or printed in text form. Not complete yet:
     still needs to check the OCSP response validity.
     [Steve Henson]

  *) New subcommands for 'openssl ca':
     'openssl ca -status <serial>' prints the status of the cert with
     the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl. This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR. This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
     call failed, free the DSA structure.
     [Bodo Moeller]

  *) Allow defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int). The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments. To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

         CRYPTO_set_mem_ex_functions
         CRYPTO_set_locked_mem_ex_functions
         CRYPTO_get_mem_ex_functions
         CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]

  *) Fix to uni2asc() to cope with zero length Unicode strings.
     These are present in some PKCS#12 files.
     [Steve Henson]

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
     [Geoff Thorpe]

  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If an EGD or PRNGD is running and enough entropy is returned, automatic
     seeding like with /dev/[u]random will be performed.
     Positions tried are: /etc/entropy, /var/run/egd-pool.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected. We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode. DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
     [Richard Levitte]

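Added example (not the project's rand_unix.c) of the DEVRANDOM polling strategy described above: non-blocking reads with at most 10 ms of select() wait per device, moving on when a device is absent or its time budget is spent. poll_random_devices and DEV_BUDGET_USEC are assumed names; the device list is the three-entry default from the entry.

```c
/* Added example, not OpenSSL's rand_unix.c: gather entropy from a
 * DEVRANDOM-style list of devices, reading non-blocking and spending at
 * most 10 ms (select timeout) per file, until `want` bytes are collected.
 * A device that does not exist (e.g. /dev/srandom on Linux) is skipped,
 * and a device that blocks (an old /dev/random) costs at most 10 ms. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/select.h>
#include <sys/time.h>

static const char *const DEVRANDOM[] = { "/dev/urandom", "/dev/random", "/dev/srandom" };
#define DEV_BUDGET_USEC 10000L   /* 10 ms per device, as in the entry above */

static long usec_since(const struct timeval *t0) {
    struct timeval now;
    gettimeofday(&now, NULL);
    return (now.tv_sec - t0->tv_sec) * 1000000L + (now.tv_usec - t0->tv_usec);
}

/* Returns the number of bytes actually placed in buf (<= want). */
size_t poll_random_devices(unsigned char *buf, size_t want) {
    size_t got = 0;
    for (size_t d = 0; d < sizeof DEVRANDOM / sizeof DEVRANDOM[0] && got < want; d++) {
        int fd = open(DEVRANDOM[d], O_RDONLY | O_NONBLOCK | O_NOCTTY);
        if (fd < 0) continue;                          /* device absent: try the next */
        if (fd >= FD_SETSIZE) { close(fd); continue; } /* cannot be used with select() */
        struct timeval t0;
        gettimeofday(&t0, NULL);
        while (got < want) {
            long left = DEV_BUDGET_USEC - usec_since(&t0);
            if (left <= 0) break;                      /* budget for this file spent */
            fd_set rs;
            FD_ZERO(&rs);
            FD_SET(fd, &rs);
            struct timeval tv = { 0, left };
            if (select(fd + 1, &rs, NULL, NULL, &tv) <= 0) break;   /* timeout or error */
            ssize_t n = read(fd, buf + got, want - got);
            if (n > 0) got += (size_t)n;
            else if (!(n < 0 && errno == EAGAIN)) break; /* EOF or hard error: next device */
        }
        close(fd);
    }
    return got;
}
```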
  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need: as opposed to those which an
     OCSP responder itself would need which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
     response. OCSP_response_get1_basic() extracts basic response
     from response. OCSP_resp_find_status(): finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     won't normally be used unless the application wishes to examine
     extensions in the OCSP response for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name which
     will be added elsewhere.
     [Steve Henson]

  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognise more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
     [Steve Henson]

  *) New extension functions for OCSP structures, these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certificates and CRLs.
     [Steve Henson]

  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up print OCSP format.
     [Steve Henson]

  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
     Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
     when writing a 32767 byte record.
     [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]

  *) In RSA_eay_public_{en,de}crypt and RSA_eay_mod_exp (rsa_eay.c),
     obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.

     (RSA objects have a reference count access to which is protected
     by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
     so they are meant to be shared between threads.)
     [Bodo Moeller, Geoff Thorpe; original patch submitted by
      "Reddie, Steven" <Steven.Reddie@ca.com>]

  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
     entries for variables.
     [Steve Henson]

  *) Fix a deadlock in CRYPTO_mem_leaks().
     [Bodo Moeller]

  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
     [Steve Henson]

  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]

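Added example (not OpenSSL code) of the DER SET OF ordering rule behind both PKCS#7 entries above, the signed-attribute reorder and the SET OF/SEQUENCE OF flag combination: members are sorted as octet strings before encoding, so a signature computed over the in-memory order does not match the encoded order a verifier sees. der_elem, der_setof_cmp and der_setof_encode are assumed names; the encoder can emit either the sorted (DER) order or the received order so the two encodings can be compared.

```c
/* Added example, not OpenSSL code: DER SET OF ordering per X.690 11.6.
 * Component encodings are sorted ascending as octet strings, the shorter
 * one being padded with trailing 0x00 octets for the comparison. A signer
 * that hashed the attributes in their in-memory order while the encoder
 * emitted sorted order produces a signature the receiver cannot verify.
 * Element lengths are assumed < 128 so short-form lengths suffice. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const unsigned char *der; size_t len; } der_elem;

/* X.690 11.6 comparison of two complete element encodings (qsort-compatible). */
int der_setof_cmp(const void *a, const void *b) {
    const der_elem *x = a, *y = b;
    size_t n = x->len < y->len ? x->len : y->len;
    int c = memcmp(x->der, y->der, n);
    if (c != 0) return c;
    /* Common prefix equal: the longer one sorts after, unless its tail is
       all zero, which the zero-padding rule makes equal to the shorter one. */
    const der_elem *lg = x->len > y->len ? x : y;
    for (size_t i = n; i < lg->len; i++)
        if (lg->der[i] != 0) return lg == x ? 1 : -1;
    return 0;
}

/* Build the SET OF TLV (tag 0x31) from elems into out, either in DER
   (sorted) order or in the received order. Returns bytes written, or 0 if
   the content does not fit in outlen or needs a long-form length. */
size_t der_setof_encode(const der_elem *elems, size_t n, int sorted,
                        unsigned char *out, size_t outlen) {
    der_elem *order = malloc(n * sizeof *order);
    if (!order) return 0;
    memcpy(order, elems, n * sizeof *order);
    if (sorted) qsort(order, n, sizeof *order, der_setof_cmp);
    size_t content = 0;
    for (size_t i = 0; i < n; i++) content += order[i].len;
    if (content >= 128 || outlen < 2 + content) { free(order); return 0; }
    out[0] = 0x31;                       /* SET OF, constructed */
    out[1] = (unsigned char)content;     /* short-form length */
    size_t pos = 2;
    for (size_t i = 0; i < n; i++) {
        memcpy(out + pos, order[i].der, order[i].len);
        pos += order[i].len;
    }
    free(order);
    return pos;
}
```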
  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

  *) Use better test patterns in bntest.
