 OpenSSL CHANGES
 _______________

 Changes between 0.9.7c and 0.9.8  [xx XXX xxxx]

  *) Add support for STORE in ENGINE.
     [Richard Levitte]

  *) Add the STORE type. The intention is to provide a common interface
     to certificate and key stores, be they simple file-based stores, or
     HSM-type store, or LDAP stores, or...
     NOTE: The code is currently UNTESTED and isn't really used anywhere.
     [Richard Levitte]

  *) Add a generic structure called OPENSSL_ITEM. This can be used to
     pass a list of arguments to any function as well as provide a way
     for a function to pass data back to the caller.
     [Richard Levitte]

  *) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
     works like BUF_strdup() but can be used to duplicate a portion of
     a string. The copy gets NUL-terminated. BUF_memdup() duplicates
     a memory area.
     [Richard Levitte]

  *) Add the function sk_find_ex() which works like sk_find(), but will
     return an index to an element even if an exact match couldn't be
     found. The index is guaranteed to point at the element where the
     searched-for key would be inserted to preserve sorting order.
     [Richard Levitte]

  *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
     takes an extra flags argument for optional functionality. Currently,
     the following flags are defined:

        OBJ_BSEARCH_VALUE_ON_NOMATCH
        This one gets OBJ_bsearch_ex() to return a pointer to the first
        element where the comparing function returns a negative or zero
        number.

        OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
        This one gets OBJ_bsearch_ex() to return a pointer to the first
        element where the comparing function returns zero. This is useful
        if there are more than one element where the comparing function
        returns zero.
     [Richard Levitte]
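
An added example (not OpenSSL's code) of the search semantics described for sk_find_ex() and OBJ_bsearch_ex() above: a binary search over a sorted int array whose flags mirror OBJ_BSEARCH_VALUE_ON_NOMATCH and OBJ_BSEARCH_FIRST_VALUE_ON_MATCH, and which reports the insertion index when asked. The flag names, bsearch_ex_idx() and find_int() are hypothetical stand-ins.

```c
/* Added example, not OpenSSL's OBJ_bsearch_ex()/sk_find_ex(): a binary
 * search returning an index (or -1) with the two optional behaviours
 * described in the changelog entries. Names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>

#define BSEARCH_VALUE_ON_NOMATCH     0x01  /* like OBJ_BSEARCH_VALUE_ON_NOMATCH */
#define BSEARCH_FIRST_VALUE_ON_MATCH 0x02  /* like OBJ_BSEARCH_FIRST_VALUE_ON_MATCH */

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

static long bsearch_ex_idx(const void *key, const void *base, size_t num,
                           size_t size, int (*cmp)(const void *, const void *),
                           int flags)
{
    const char *b = base;
    size_t lo = 0, hi = num;        /* current window is [lo, hi) */
    int found = 0;

    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = cmp(key, b + mid * size);
        if (c > 0) {
            lo = mid + 1;           /* key is larger: look right */
        } else {
            if (c == 0) {
                found = 1;
                if (!(flags & BSEARCH_FIRST_VALUE_ON_MATCH))
                    return (long)mid;   /* any matching element will do */
            }
            hi = mid;               /* look left: lower-bound search */
        }
    }
    /* lo == hi is now the insertion point: the first element for which
     * cmp(key, elem) <= 0, or num when key is larger than every element.
     * Elements left of a match are <= key, so once a match was seen lo
     * stops exactly at the leftmost matching element. */
    if (found)
        return (long)lo;
    if ((flags & BSEARCH_VALUE_ON_NOMATCH) && lo < num)
        return (long)lo;            /* element the key would be inserted before */
    return -1;                      /* no match (or key past the end) */
}

/* Convenience wrapper for int arrays: index of the hit or -1. */
static long find_int(const int *arr, size_t n, int key, int flags)
{
    return bsearch_ex_idx(&key, arr, n, sizeof(int), cmp_int, flags);
}

int main(void)
{
    static const int sorted[] = {1, 3, 3, 3, 7, 9};   /* constructed input */
    size_t n = sizeof(sorted) / sizeof(sorted[0]);
    printf("plain search for 3      -> %ld\n", find_int(sorted, n, 3, 0));
    printf("first match for 3       -> %ld\n",
           find_int(sorted, n, 3, BSEARCH_FIRST_VALUE_ON_MATCH));
    printf("no match for 5          -> %ld\n", find_int(sorted, n, 5, 0));
    printf("insertion point for 5   -> %ld\n",
           find_int(sorted, n, 5, BSEARCH_VALUE_ON_NOMATCH));
    printf("insertion point for 100 -> %ld\n",
           find_int(sorted, n, 100, BSEARCH_VALUE_ON_NOMATCH));
    return 0;
}
```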

  *) Make it possible to create self-signed certificates with 'openssl ca'
     in such a way that the self-signed certificate becomes part of the
     CA database and uses the same mechanisms for serial number generation
     as all other certificate signing. The new flag '-selfsign' enables
     this functionality. Adapt CA.sh and CA.pl.in.
     [Richard Levitte]

  *) Add functionality to check the public key of a certificate request
     against a given private key. This is useful to check that a certificate
     request can be signed by that key (self-signing).
     [Richard Levitte]

  *) Make it possible to have multiple active certificates with the same
     subject in the CA index file. This is done only if the keyword
     'unique_subject' is set to 'no' in the main CA section (default
     if 'CA_default') of the configuration file. The value is saved
     with the database itself in a separate index attribute file,
     named like the index file with '.attr' appended to the name.
     [Richard Levitte]

  *) Generate multi-valued AVAs using '+' notation in config files for
     req and dirName.
     [Steve Henson]

  *) Support for nameConstraints certificate extension.
     [Steve Henson]

  *) Support for policyConstraints certificate extension.
     [Steve Henson]

  *) Support for policyMappings certificate extension.
     [Steve Henson]

  *) Fixed a typo bug that would cause ENGINE_set_default() to set an
     ENGINE as defaults for all supported algorithms irrespective of
     the 'flags' parameter. 'flags' is now honoured, so applications
     should make sure they are passing it correctly.
     [Geoff Thorpe]

  *) Make sure the default DSA_METHOD implementation only uses its
     dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
     and change its own handlers to be NULL so as to remove unnecessary
     indirection. This lets alternative implementations fall back to the
     default implementation more easily.
     [Geoff Thorpe]

  *) Support for directoryName in GeneralName related extensions
     in config files.
     [Steve Henson]

  *) Make it possible to link applications using Makefile.shared.
     Make that possible even when linking against static libraries!
     [Richard Levitte]

  *) Support for single pass processing for S/MIME signing. This now
     means that S/MIME signing can be done from a pipe; in addition,
     cleartext signing (multipart/signed type) is effectively streaming
     and the signed data does not need to be all held in memory.

     This is done with a new flag PKCS7_STREAM. When this flag is set
     PKCS7_sign() only initializes the PKCS7 structure and the actual signing
     is done after the data is output (and digests calculated) in
     SMIME_write_PKCS7().
     [Steve Henson]

  *) Add full support for -rpath/-R, both in shared libraries and
     applications, at least on the platforms where it's known how
     to do it.
     [Richard Levitte]

  *) In crypto/ec/ec_mult.c, implement fast point multiplication with
     precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
     will now compute a table of multiples of the generator that
     makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
     faster (notably in the case of a single point multiplication,
     scalar * generator).
     [Nils Larsch, Bodo Moeller]

  *) IPv6 support for certificate extensions. The various extensions
     which use the IP:a.b.c.d form can now take IPv6 addresses using the
     formats of RFC1884 2.2. IPv6 addresses are now also displayed
     correctly.
     [Steve Henson]

  *) Added an ENGINE that implements RSA by performing private key
     exponentiations with the GMP library. The conversions to and from
     GMP's mpz_t format aren't optimised nor are any Montgomery forms
     cached, and on x86 it appears OpenSSL's own performance has caught up.
     However there are likely to be other architectures where GMP could
     provide a boost. This ENGINE is not built in by default, but it can be
     specified at Configure time and should be accompanied by the necessary
     linker additions, e.g.:
         ./config -DOPENSSL_USE_GMP -lgmp
     [Geoff Thorpe]

  *) "openssl engine" will not display ENGINE/DSO load failure errors when
     testing availability of engines with "-t" - the old behaviour is
     produced by increasing the feature's verbosity with "-tt".
     [Geoff Thorpe]

  *) ECDSA routines: under certain error conditions uninitialized BN objects
     could be freed. Solution: make sure initialization is performed early
     enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
     via PR#459)
     [Lutz Jaenicke]

  *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
     and DH_METHOD (e.g. by ENGINE implementations) to override the normal
     software implementations. For DSA and DH, parameter generation can
     also be overridden by providing the appropriate method callbacks.
     [Geoff Thorpe]

  *) Change the "progress" mechanism used in key-generation and
     primality testing to functions that take a new BN_GENCB pointer in
     place of callback/argument pairs. The new API functions have "_ex"
     postfixes and the older functions are reimplemented as wrappers for
     the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
     declarations of the old functions to help (graceful) attempts to
     migrate to the new functions. Also, the new key-generation API
     functions operate on a caller-supplied key-structure and return
     success/failure rather than returning a key or NULL - this is to
     help make "keygen" another member function of RSA_METHOD etc.

     Example for using the new callback interface:

        int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
        void *my_arg = ...;
        BN_GENCB my_cb;

        BN_GENCB_set(&my_cb, my_callback, my_arg);

        /* pass the BN_GENCB that was just set up, not an undeclared 'cb' */
        return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &my_cb);
        /* For the meaning of a, b in calls to my_callback(), see the
         * documentation of the function that calls the callback.
         * cb will point to my_cb; my_arg can be retrieved as cb->arg.
         * my_callback should return 1 if it wants BN_is_prime_ex()
         * to continue, or 0 to stop.
         */

     [Geoff Thorpe]

  *) Change the ZLIB compression method to be stateful, and make it
     available to TLS with the number defined in
     draft-ietf-tls-compression-04.txt.
     [Richard Levitte]

  *) Add the ASN.1 structures and functions for CertificatePair, which
     is defined as follows (according to X.509_4thEditionDraftV6.pdf):

        CertificatePair ::= SEQUENCE {
            forward     [0]     Certificate OPTIONAL,
            reverse     [1]     Certificate OPTIONAL,
            -- at least one of the pair shall be present -- }

     Also implement the PEM functions to read and write certificate
     pairs, and define the PEM tag as "CERTIFICATE PAIR".

     This needed to be defined, mostly for the sake of the LDAP
     attribute crossCertificatePair, but may prove useful elsewhere as
     well.
     [Richard Levitte]

  *) Make it possible to inhibit symlinking of shared libraries in
     Makefile.shared, for Cygwin's sake.
     [Richard Levitte]

  *) Extend the BIGNUM API by creating new macros that behave like
     functions

        void BN_set_sign(BIGNUM *a, int neg);
        int  BN_get_sign(const BIGNUM *a);

     and avoid the need to access 'a->neg' directly in applications.
     [Nils Larsch <nla@trustcenter.de>]

  *) Implement fast modular reduction for pseudo-Mersenne primes
     used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
     EC_GROUP_new_curve_GFp() will now automatically use this
     if applicable.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add new lock type (CRYPTO_LOCK_BN).
     [Bodo Moeller]

  *) Change the ENGINE framework to automatically load engines
     dynamically from specific directories unless they could be
     found to already be built in or loaded. Move all the
     current engines except for the cryptodev one to a new
     directory engines/.
     The engines in engines/ are built as shared libraries if
     the "shared" option was given to ./Configure or ./config.
     Otherwise, they are inserted in libcrypto.a.
     /usr/local/ssl/engines is the default directory for dynamic
     engines, but that can be overridden at configure time through
     the usual use of --prefix and/or --openssldir, and at run
     time with the environment variable OPENSSL_ENGINES.
     [Geoff Thorpe and Richard Levitte]

  *) Add Makefile.shared, a helper makefile to build shared
     libraries. Adapt Makefile.org.
     [Richard Levitte]

  *) Add version info to Win32 DLLs.
     [Peter 'Luna' Runestig <peter@runestig.com>]

  *) Add new 'medium level' PKCS#12 API. Certificates and keys
     can be added using this API to create arbitrary PKCS#12
     files while avoiding the low level API.

     New options to PKCS12_create(): key or cert can be NULL and
     will then be omitted from the output file. The encryption
     algorithm NIDs can be set to -1 for no encryption, the mac
     iteration count can be set to 0 to omit the mac.

     Enhance pkcs12 utility by making the -nokeys and -nocerts
     options work when creating a PKCS#12 file. New option -nomac
     to omit the mac, NONE can be set for an encryption algorithm.
     New code is modified to use the enhanced PKCS12_create()
     instead of the low level API.
     [Steve Henson]

  *) Extend ASN1 encoder to support indefinite length constructed
     encoding. This can output sequence tags and octet strings in
     this form. Modify pk7_asn1.c to support indefinite length
     encoding. This is experimental and needs additional code to
     be useful, such as an ASN1 bio and some enhanced streaming
     PKCS#7 code.

     Extend template encode functionality so that tagging is passed
     down to the template encoder.
     [Steve Henson]

  *) Let 'openssl req' fail if an argument to '-newkey' is not
     recognized instead of using RSA as a default.
     [Bodo Moeller]

  *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
     As these are not official, they are not included in "ALL";
     the "ECCdraft" ciphersuite group alias can be used to select them.
     [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]

  *) Add ECDH engine support.
     [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]

  *) Add ECDH in new directory crypto/ecdh/.
     [Douglas Stebila (Sun Microsystems Laboratories)]

  *) Let BN_rand_range() abort with an error after 100 iterations
     without success (which indicates a broken PRNG).
     [Bodo Moeller]

  *) Change BN_mod_sqrt() so that it verifies that the input value
     is really the square of the return value. (Previously,
     BN_mod_sqrt would show GIGO behaviour.)
     [Bodo Moeller]

  *) Add named elliptic curves over binary fields from X9.62, SECG,
     and WAP/WTLS; add OIDs that were still missing.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Extend the EC library for elliptic curves over binary fields
     (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
     New EC_METHOD:

        EC_GF2m_simple_method

     New API functions:

        EC_GROUP_new_curve_GF2m
        EC_GROUP_set_curve_GF2m
        EC_GROUP_get_curve_GF2m
        EC_POINT_set_affine_coordinates_GF2m
        EC_POINT_get_affine_coordinates_GF2m
        EC_POINT_set_compressed_coordinates_GF2m

     Point compression for binary fields is disabled by default for
     patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
     enable it).

     As binary polynomials are represented as BIGNUMs, various members
     of the EC_GROUP and EC_POINT data structures can be shared
     between the implementations for prime fields and binary fields;
     the above ..._GF2m functions (except for EC_GROUP_new_curve_GF2m)
     are essentially identical to their ..._GFp counterparts.
     (For simplicity, the '..._GFp' prefix has been dropped from
     various internal method names.)

     An internal 'field_div' method (similar to 'field_mul' and
     'field_sqr') has been added; this is used only for binary fields.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
     through methods ('mul', 'precompute_mult').

     The generic implementations (now internally called 'ec_wNAF_mul'
     and 'ec_wNAF_precomputed_mult') remain the default if these
     methods are undefined.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New function EC_GROUP_get_degree, which is defined through
     EC_METHOD. For curves over prime fields, this returns the bit
     length of the modulus.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New functions EC_GROUP_dup, EC_POINT_dup.
     (These simply call ..._new and ..._copy).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
     Polynomials are represented as BIGNUMs (where the sign bit is not
     used) in the following functions [macros]:

        BN_GF2m_add
        BN_GF2m_sub                [= BN_GF2m_add]
        BN_GF2m_mod                [wrapper for BN_GF2m_mod_arr]
        BN_GF2m_mod_mul            [wrapper for BN_GF2m_mod_mul_arr]
        BN_GF2m_mod_sqr            [wrapper for BN_GF2m_mod_sqr_arr]
        BN_GF2m_mod_inv
        BN_GF2m_mod_exp            [wrapper for BN_GF2m_mod_exp_arr]
        BN_GF2m_mod_sqrt           [wrapper for BN_GF2m_mod_sqrt_arr]
        BN_GF2m_mod_solve_quad     [wrapper for BN_GF2m_mod_solve_quad_arr]
        BN_GF2m_cmp                [= BN_ucmp]

     (Note that only the 'mod' functions are actually for fields GF(2^m).
     BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

     For some functions, the irreducible polynomial defining a
     field can be given as an 'unsigned int[]' with strictly
     decreasing elements giving the indices of those bits that are set;
     i.e., p[] represents the polynomial
          f(t) = t^p[0] + t^p[1] + ... + t^p[k]
     where
          p[0] > p[1] > ... > p[k] = 0.
     This applies to the following functions:

        BN_GF2m_mod_arr
        BN_GF2m_mod_mul_arr
        BN_GF2m_mod_sqr_arr
        BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
        BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
        BN_GF2m_mod_exp_arr
        BN_GF2m_mod_sqrt_arr
        BN_GF2m_mod_solve_quad_arr
        BN_GF2m_poly2arr
        BN_GF2m_arr2poly

     Conversion can be performed by the following functions:

        BN_GF2m_poly2arr
        BN_GF2m_arr2poly

     bntest.c has additional tests for binary polynomial arithmetic.

     Two implementations for BN_GF2m_mod_div() are available.
     The default algorithm simply uses BN_GF2m_mod_inv() and
     BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
     if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
     copyright notice in crypto/bn/bn_gf2m.c before enabling it).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]
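
An added example (not crypto/bn/bn_gf2m.c itself) of the index-array representation described in the entry above, carried through to reduction, multiplication, exponentiation and inversion in GF(2^m) on word-sized polynomials (m <= 32), using the AES field t^8 + t^4 + t^3 + t + 1 as constructed input. The gf2m_* function names are hypothetical stand-ins for the BN_GF2m_*_arr ones; here k counts the array entries, so the last index is p[k-1] = 0.

```c
/* Added example, not OpenSSL's bn_gf2m.c: binary polynomials in a uint64_t,
 * irreducible polynomial as a strictly decreasing index array p[0..k-1]
 * with p[k-1] == 0, exactly as the changelog entry describes. */
#include <stdint.h>
#include <stdio.h>

/* Fill p[] with the indices of the set bits of f, strictly decreasing.
 * Returns the number of indices written, or -1 if max is too small. */
static int gf2m_poly2arr(uint64_t f, int *p, int max)
{
    int n = 0;
    for (int i = 63; i >= 0; i--) {
        if ((f >> i) & 1) {
            if (n == max)
                return -1;
            p[n++] = i;
        }
    }
    return n;
}

/* Inverse of gf2m_poly2arr: rebuild the polynomial from its index array. */
static uint64_t gf2m_arr2poly(const int *p, int k)
{
    uint64_t f = 0;
    for (int i = 0; i < k; i++)
        f |= (uint64_t)1 << p[i];
    return f;
}

/* Reduce a (degree < 64) modulo f(t) = t^p[0] + t^p[1] + ... + t^p[k-1].
 * A set bit t^i with i >= p[0] is replaced by t^(i-p[0]) * (f(t) - t^p[0]),
 * i.e. cleared and XORed into bits i - p[0] + p[j] for j = 1..k-1. Working
 * from the top bit down, every replacement strictly lowers the degree. */
static uint64_t gf2m_mod_arr(uint64_t a, const int *p, int k)
{
    int m = p[0];
    for (int i = 63; i >= m; i--) {
        if ((a >> i) & 1) {
            a ^= (uint64_t)1 << i;
            for (int j = 1; j < k; j++)
                a ^= (uint64_t)1 << (i - m + p[j]);
        }
    }
    return a;
}

/* a*b in GF(2^m): carry-less (XOR) multiply, then reduce. Inputs must be
 * reduced and m <= 32 so the product fits in 64 bits. */
static uint64_t gf2m_mod_mul_arr(uint64_t a, uint64_t b, const int *p, int k)
{
    uint64_t r = 0;
    for (int i = 0; i < p[0]; i++)
        if ((b >> i) & 1)
            r ^= a << i;
    return gf2m_mod_arr(r, p, k);
}

/* a^e in GF(2^m) by left-to-right square-and-multiply. */
static uint64_t gf2m_mod_exp_arr(uint64_t a, uint64_t e, const int *p, int k)
{
    uint64_t r = 1;
    for (int i = 63; i >= 0; i--) {
        r = gf2m_mod_mul_arr(r, r, p, k);
        if ((e >> i) & 1)
            r = gf2m_mod_mul_arr(r, a, p, k);
    }
    return r;
}

/* Inverse via the field's multiplicative group order 2^m - 1:
 * a^(2^m - 2) = a^-1 for a != 0 (for a == 0 this yields 0). */
static uint64_t gf2m_mod_inv_arr(uint64_t a, const int *p, int k)
{
    uint64_t order = ((uint64_t)1 << p[0]) - 1;
    return gf2m_mod_exp_arr(a, order - 1, p, k);
}

int main(void)
{
    /* Constructed input: the AES field GF(2^8), f(t) = t^8+t^4+t^3+t+1 = 0x11b */
    int p[8];
    int k = gf2m_poly2arr(0x11b, p, 8);       /* p = {8, 4, 3, 1, 0}, k = 5 */
    printf("k=%d f=0x%llx\n", k, (unsigned long long)gf2m_arr2poly(p, k));
    printf("0x57 * 0x83 = 0x%llx\n",
           (unsigned long long)gf2m_mod_mul_arr(0x57, 0x83, p, k));
    printf("inv(0x53)   = 0x%llx\n",
           (unsigned long long)gf2m_mod_inv_arr(0x53, p, k));
    return 0;
}
```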

  *) Add new error code 'ERR_R_DISABLED' that can be used when some
     functionality is disabled at compile-time.
     [Douglas Stebila <douglas.stebila@sun.com>]

  *) Change default behaviour of 'openssl asn1parse' so that more
     information is visible when viewing, e.g., a certificate:

     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
     mode the content of non-printable OCTET STRINGs is output in a
     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
     avoid the appearance of a printable string.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
     functions
        EC_GROUP_set_asn1_flag()
        EC_GROUP_get_asn1_flag()
        EC_GROUP_set_point_conversion_form()
        EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in uncompressed form by default; options for
       asn1_form are as for point2oct, namely
          POINT_CONVERSION_COMPRESSED
          POINT_CONVERSION_UNCOMPRESSED
          POINT_CONVERSION_HYBRID

     Also add 'seed' and 'seed_len' members to EC_GROUP with access
     functions
        EC_GROUP_set_seed()
        EC_GROUP_get0_seed()
        EC_GROUP_get_seed_len()
     This is used only for ASN1 purposes (so far).
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID. The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
        EC_POINT_point2bn()
        EC_POINT_bn2point()
        EC_POINT_point2hex()
        EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
        EC_GROUP_set_generator()
        EC_GROUP_get_generator()
        EC_GROUP_get_order()
        EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecparam' and 'openssl ecdsa'
     (these are based on 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key;
     - ECDSA engine support has been added.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. Each curve can be obtained from the new
     function
        EC_GROUP_new_by_nid(),
     and the list of available named curves can be obtained with
        EC_get_builtin_curves().
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
        EC_GROUP_set_nid()
        EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de>, Bodo Moeller]

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

 Changes between 0.9.7b and 0.9.7c  [xx XXX 2003]

  *) Various fixes to base64 BIO and non blocking I/O. On write
     flushes were not handled properly if the BIO retried. On read
     data was not being buffered properly and had various logic bugs.
     This also affects blocking I/O when the data being decoded is a
     certain size.
     [Steve Henson]

  *) Various S/MIME bugfixes and compatibility changes:
     output correct application/pkcs7 MIME type if
     PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
     Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
     of files as .eml work). Correctly handle very long lines in MIME
     parser.
     [Steve Henson]

 Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]

  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichenbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]

  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]

  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway). Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]

 yet to be integrated into this CVS branch:
  - Geoff's ENGINE_set_default() fix

  *) Target "mingw" now allows native Windows code to be generated in
     the Cygwin environment as well as with the MinGW compiler.
     [Ulf Moeller]

 Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrect
     block cipher padding has been found. This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]
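
An added example (not ssl/s3_pkt.c) contrasting the leaky decision logic with the countermeasure described in the entry above, on a constructed SSL3-style record layout (data || MAC || padding || padlen byte): the hardened check still computes the MAC when the padding byte is invalid, so a padding failure and a MAC failure take the same path and return the same error. The toy checksum standing in for the MAC, the block and MAC sizes, and all function names are assumptions; the mac_calls counter makes the difference checkable without timing measurements.

```c
/* Added example, not OpenSSL's ssl3_get_record(): leaky vs. hardened
 * padding/MAC check on a constructed record layout. The "MAC" is a toy
 * checksum, NOT a real HMAC; sizes and names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE 8      /* constructed toy block size */
#define MAC_LEN    2      /* constructed toy MAC length */
#define REC_OK     0
#define REC_BAD    1      /* one error code for bad padding AND bad MAC */

static int mac_calls;     /* counts MAC computations for the demo */

/* Constructed stand-in for the record MAC: deterministic, NOT cryptographic. */
static void toy_mac(const uint8_t *data, size_t n, uint8_t out[MAC_LEN])
{
    uint16_t h = 0x5a5a;
    for (size_t i = 0; i < n; i++)
        h = (uint16_t)(h * 31 + data[i]);
    out[0] = (uint8_t)(h >> 8);
    out[1] = (uint8_t)(h & 0xff);
    mac_calls++;
}

/* Build a record: data || MAC(data) || zero padding || padlen byte. */
static size_t make_record(const uint8_t *data, size_t n, uint8_t *out, size_t cap)
{
    size_t unpadded = n + MAC_LEN + 1;
    size_t pad = (BLOCK_SIZE - unpadded % BLOCK_SIZE) % BLOCK_SIZE;
    if (unpadded + pad > cap)
        return 0;
    memcpy(out, data, n);
    toy_mac(data, n, out + n);
    memset(out + n + MAC_LEN, 0, pad);
    out[n + MAC_LEN + pad] = (uint8_t)pad;
    return unpadded + pad;
}

/* Leaky version: a bad padding byte returns before any MAC work, so that
 * failure is reached measurably faster than a MAC failure. */
static int check_record_leaky(const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 1)
        return REC_BAD;
    size_t pad = rec[len - 1];
    if (pad >= BLOCK_SIZE || pad + 1 + MAC_LEN > len)
        return REC_BAD;                 /* early exit: no MAC computed */
    size_t data_len = len - pad - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, data_len, mac);
    return memcmp(mac, rec + data_len, MAC_LEN) == 0 ? REC_OK : REC_BAD;
}

/* Hardened version: a bad padding byte is noted but processing continues
 * as if pad were 0, so the MAC is computed either way and both failures
 * end in the same REC_BAD path. */
static int check_record_hardened(const uint8_t *rec, size_t len)
{
    if (len < MAC_LEN + 1)
        return REC_BAD;
    size_t pad = rec[len - 1];
    int bad = 0;
    if (pad >= BLOCK_SIZE || pad + 1 + MAC_LEN > len) {
        bad = 1;
        pad = 0;                        /* safe length; keep going */
    }
    size_t data_len = len - pad - 1 - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, data_len, mac);
    bad |= (memcmp(mac, rec + data_len, MAC_LEN) != 0);
    return bad ? REC_BAD : REC_OK;
}

/* Corrupt the padding byte of a valid record and compare how many MAC
 * computations each checker performs. Returns 1 when the leaky checker
 * skipped the MAC while the hardened one still ran it. */
static int demo_difference(void)
{
    uint8_t rec[32];
    const uint8_t msg[5] = {'h', 'e', 'l', 'l', 'o'};   /* constructed */
    size_t len = make_record(msg, 5, rec, sizeof rec);
    rec[len - 1] = 0x7f;                /* invalid padding length */
    mac_calls = 0;
    int r1 = check_record_leaky(rec, len);
    int leaky_calls = mac_calls;
    mac_calls = 0;
    int r2 = check_record_hardened(rec, len);
    int hard_calls = mac_calls;
    return r1 == REC_BAD && r2 == REC_BAD && leaky_calls == 0 && hard_calls == 1;
}

int main(void)
{
    printf("leaky checker skips MAC on bad padding: %s\n",
           demo_difference() ? "yes (hardened still runs it)" : "no");
    return 0;
}
```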
591 | ||
592 | *) Make the no-err option work as intended. The intention with no-err | |
593 | is not to have the whole error stack handling routines removed from | |
594 | libcrypto, it's only intended to remove all the function name and | |
595 | reason texts, thereby removing some of the footprint that may not | |
596 | be interesting if those errors aren't displayed anyway. | |
597 | ||
598 | NOTE: it's still possible for any application or module to have it's | |
599 | own set of error texts inserted. The routines are there, just not | |
600 | used by default when no-err is given. | |
601 | [Richard Levitte] | |
602 | ||
603 | *) Add support for FreeBSD on IA64. | |
604 | [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] | |
605 | ||
606 | *) Adjust DES_cbc_cksum() so it returns the same value as the MIT | |
607 | Kerberos function mit_des_cbc_cksum(). Before this change, | |
608 | the value returned by DES_cbc_cksum() was like the one from | |
609 | mit_des_cbc_cksum(), except the bytes were swapped. | |
610 | [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte] | |
611 | ||
612 | *) Allow an application to disable the automatic SSL chain building. | |
613 | Before this a rather primitive chain build was always performed in | |
614 | ssl3_output_cert_chain(): an application had no way to send the | |
615 | correct chain if the automatic operation produced an incorrect result. | |
616 | ||
617 | Now the chain builder is disabled if either: | |
618 | ||
619 | 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). | |
620 | ||
621 | 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. | |
622 | ||
623 | The reasoning behind this is that an application would not want the | |
624 | auto chain building to take place if extra chain certificates are | |
625 | present and it might also want a means of sending no additional | |
626 | certificates (for example the chain has two certificates and the | |
627 | root is omitted). | |
628 | [Steve Henson] | |
629 | ||
630 | *) Add the possibility to build without the ENGINE framework. | |
631 | [Steven Reddie <smr@essemer.com.au> via Richard Levitte] | |
632 | ||
633 | *) Under Win32 gmtime() can return NULL: check return value in | |
634 | OPENSSL_gmtime(). Add error code for case where gmtime() fails. | |
635 | [Steve Henson] | |
636 | ||
637 | *) DSA routines: under certain error conditions uninitialized BN objects | |
638 | could be freed. Solution: make sure initialization is performed early | |
639 | enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>, | |
640 | Nils Larsch <nla@trustcenter.de> via PR#459) | |
641 | [Lutz Jaenicke] | |
642 | ||
643 | *) Another fix for SSLv2 session ID handling: the session ID was incorrectly | |
644 | checked on reconnect on the client side, therefore session resumption | |
645 | could still fail with a "ssl session id is different" error. This | |
646 | behaviour is masked when SSL_OP_ALL is used due to | |
647 | SSL_OP_MICROSOFT_SESS_ID_BUG being set. | |
648 | Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as | |
649 | followup to PR #377. | |
650 | [Lutz Jaenicke] | |
651 | ||
652 | *) IA-32 assembler support enhancements: unified ELF targets, support | |
653 | for SCO/Caldera platforms, fix for Cygwin shared build. | |
654 | [Andy Polyakov] | |
655 | ||
656 | *) Add support for FreeBSD on sparc64. As a consequence, support for | |
657 | FreeBSD on non-x86 processors is separate from x86 processors on | |
658 | the config script, much like the NetBSD support. | |
659 | [Richard Levitte & Kris Kennaway <kris@obsecurity.org>] | |
660 | ||
661 | Changes between 0.9.6h and 0.9.7 [31 Dec 2002] | |
662 | ||
663 | *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED | |
664 | code (06) was taken as the first octet of the session ID and the last | |
665 | octet was ignored consequently. As a result SSLv2 client side session | |
666 | caching could not have worked due to the session ID mismatch between | |
667 | client and server. | |
668 | Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as | |
669 | PR #377. | |
670 | [Lutz Jaenicke] | |
671 | ||
672 | *) Change the declaration of needed Kerberos libraries to use EX_LIBS | |
673 | instead of the special (and badly supported) LIBKRB5. LIBKRB5 is | |
674 | removed entirely. | |
675 | [Richard Levitte] | |
676 | ||
677 | *) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it | |
678 | seems that in spite of existing for more than a year, many application | |
679 | authors have done nothing to provide the necessary callbacks, which | |
680 | means that this particular engine will not work properly anywhere. | |
681 | This is a very unfortunate situation which forces us, in the name | |
682 | of usability, to give the hw_ncipher.c a static lock, which is part | |
683 | of libcrypto. | |
684 | NOTE: This is for the 0.9.7 series ONLY. This hack will never | |
685 | appear in 0.9.8 or later. We EXPECT application authors to have | |
686 | dealt properly with this when 0.9.8 is released (unless we actually | |
687 | make such changes in the libcrypto locking code that changes will | |
688 | have to be made anyway). | |
689 | [Richard Levitte] | |
690 | ||
691 | *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content | |
692 | octets have been read, EOF or an error occurs. Without this change | |
693 | some truncated ASN1 structures will not produce an error. | |
694 | [Steve Henson] | |
695 | ||
696 | *) Disable Heimdal support, since it hasn't been fully implemented. | |
697 | Still give the possibility to force the use of Heimdal, but with | |
698 | warnings and a request that patches get sent to openssl-dev. | |
699 | [Richard Levitte] | |
700 | ||
701 | *) Add the VC-CE target, introduce the WINCE sysname, and add | |
702 | INSTALL.WCE and appropriate conditionals to make it build. | |
703 | [Steven Reddie <smr@essemer.com.au> via Richard Levitte] | |
704 | ||
705 | *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and | |
706 | cygssl-x.y.z.dll, where x, y and z are the major, minor and | |
707 | edit numbers of the version. | |
708 | [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] | |
709 | ||
710 | *) Introduce safe string copy and catenation functions | |
711 | (BUF_strlcpy() and BUF_strlcat()). | |
712 | [Ben Laurie (CHATS) and Richard Levitte] | |
713 | ||
714 | *) Avoid using fixed-size buffers for one-line DNs. | |
715 | [Ben Laurie (CHATS)] | |
716 | ||
717 | *) Add BUF_MEM_grow_clean() to avoid information leakage when | |
718 | resizing buffers containing secrets, and use where appropriate. | |
719 | [Ben Laurie (CHATS)] | |
720 | ||
721 | *) Avoid using fixed size buffers for configuration file location. | |
722 | [Ben Laurie (CHATS)] | |
723 | ||
724 | *) Avoid filename truncation for various CA files. | |
725 | [Ben Laurie (CHATS)] | |
726 | ||
727 | *) Use sizeof in preference to magic numbers. | |
728 | [Ben Laurie (CHATS)] | |
729 | ||
730 | *) Avoid filename truncation in cert requests. | |
731 | [Ben Laurie (CHATS)] | |
732 | ||
733 | *) Add assertions to check for (supposedly impossible) buffer | |
734 | overflows. | |
735 | [Ben Laurie (CHATS)] | |
736 | ||
737 | *) Don't cache truncated DNS entries in the local cache (this could | |
738 | potentially lead to a spoofing attack). | |
739 | [Ben Laurie (CHATS)] | |
740 | ||
741 | *) Fix various buffers to be large enough for hex/decimal | |
742 | representations in a platform independent manner. | |
743 | [Ben Laurie (CHATS)] | |
744 | ||
745 | *) Add CRYPTO_realloc_clean() to avoid information leakage when | |
746 | resizing buffers containing secrets, and use where appropriate. | |
747 | [Ben Laurie (CHATS)] | |
748 | ||
749 | *) Add BIO_indent() to avoid much slightly worrying code to do | |
750 | indents. | |
751 | [Ben Laurie (CHATS)] | |
752 | ||
753 | *) Convert sprintf()/BIO_puts() to BIO_printf(). | |
754 | [Ben Laurie (CHATS)] | |
755 | ||
756 | *) buffer_gets() could terminate with the buffer only half | |
757 | full. Fixed. | |
758 | [Ben Laurie (CHATS)] | |
759 | ||
760 | *) Add assertions to prevent user-supplied crypto functions from | |
761 | overflowing internal buffers by having large block sizes, etc. | |
762 | [Ben Laurie (CHATS)] | |
763 | ||
764 | *) New OPENSSL_assert() macro (similar to assert(), but enabled | |
765 | unconditionally). | |
766 | [Ben Laurie (CHATS)] | |
767 | ||
768 | *) Eliminate unused copy of key in RC4. | |
769 | [Ben Laurie (CHATS)] | |
770 | ||
771 | *) Eliminate unused and incorrectly sized buffers for IV in pem.h. | |
772 | [Ben Laurie (CHATS)] | |
773 | ||
774 | *) Fix off-by-one error in EGD path. | |
775 | [Ben Laurie (CHATS)] | |
776 | ||
777 | *) If RANDFILE path is too long, ignore instead of truncating. | |
778 | [Ben Laurie (CHATS)] | |
779 | ||
780 | *) Eliminate unused and incorrectly sized X.509 structure | |
781 | CBCParameter. | |
782 | [Ben Laurie (CHATS)] | |
783 | ||
784 | *) Eliminate unused and dangerous function knumber(). | |
785 | [Ben Laurie (CHATS)] | |
786 | ||
787 | *) Eliminate unused and dangerous structure, KSSL_ERR. | |
788 | [Ben Laurie (CHATS)] | |
789 | ||
790 | *) Protect against overlong session ID context length in an encoded | |
791 | session object. Since these are local, this does not appear to be | |
792 | exploitable. | |
793 | [Ben Laurie (CHATS)] | |
794 | ||
795 | *) Change from security patch (see 0.9.6e below) that did not affect | |
796 | the 0.9.6 release series: | |
797 | ||
798 | Remote buffer overflow in SSL3 protocol - an attacker could | |
799 | supply an oversized master key in Kerberos-enabled versions. | |
800 | (CAN-2002-0657) | |
801 | [Ben Laurie (CHATS)] | |
802 | ||
803 | *) Change the SSL kerb5 codes to match RFC 2712. | |
804 | [Richard Levitte] | |
805 | ||
806 | *) Make -nameopt work fully for req and add -reqopt switch. | |
807 | [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson] | |
808 | ||
809 | *) The "block size" for block ciphers in CFB and OFB mode should be 1. | |
810 | [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>] | |
811 | ||
812 | *) Make sure tests can be performed even if the corresponding algorithms | |
813 | have been removed entirely. This was also the last step to make | |
814 | OpenSSL compilable with DJGPP under all reasonable conditions. | |
815 | [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>] | |
816 | ||
817 | *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT | |
818 | to allow version independent disabling of normally unselected ciphers, | |
819 | which may be activated as a side-effect of selecting a single cipher. | |
820 | ||
821 | (E.g., cipher list string "RSA" enables ciphersuites that are left | |
822 | out of "ALL" because they do not provide symmetric encryption. | |
823 | "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.) | |
824 | [Lutz Jaenicke, Bodo Moeller] | |
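A quick way to see the effect of this rule, as an added example that is not part of the CHANGES file or the OpenSSL sources: it counts the suites selected by a cipher string that provide no symmetric encryption (reported as `Enc=None` by `openssl ciphers -v`), assuming an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Added example (not OpenSSL project code): a bare "RSA" cipher string
# selects every suite using RSA key exchange/authentication, including
# the NULL-encryption ones that "ALL" leaves out. Appending
# "!COMPLEMENTOFALL" removes them again. Assumes `openssl` on PATH.

# Print how many suites selected by $1 provide no encryption at all.
# `openssl ciphers -v` shows such suites with "Enc=None".
count_null_enc_suites() {
    cipher_string=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "skip: openssl not installed" >&2
        echo 0
        return 0
    fi
    # grep -c prints 0 (and exits 1) when nothing matches; mask that.
    openssl ciphers -v "$cipher_string" 2>/dev/null | grep -c 'Enc=None' || true
}

# Show the unencrypted suites a bare "RSA" string lets through.
list_null_enc_suites() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl ciphers -v "$1" 2>/dev/null | grep 'Enc=None' || true
}

for s in 'RSA' 'RSA:!COMPLEMENTOFALL'; do
    printf '%-24s unencrypted suites: %s\n' "$s" "$(count_null_enc_suites "$s")"
done
list_null_enc_suites 'RSA'
```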
825 | ||
826 | *) Add appropriate support for separate platform-dependent build | |
827 | directories. The recommended way to make a platform-dependent | |
828 | build directory is the following (tested on Linux), maybe with | |
829 | some local tweaks: | |
830 | ||
831 | # Place yourself outside of the OpenSSL source tree. In | |
832 | # this example, the environment variable OPENSSL_SOURCE | |
833 | # is assumed to contain the absolute OpenSSL source directory. | |
834 | mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" | |
835 | cd objtree/"`uname -s`-`uname -r`-`uname -m`" | |
836 | (cd "$OPENSSL_SOURCE" && find . -type f) | while read -r F; do | |
837 | mkdir -p "$(dirname "$F")" | |
838 | ln -s "$OPENSSL_SOURCE/$F" "$F" | |
839 | done | |
840 | ||
841 | To be absolutely sure not to disturb the source tree, a "make clean" | |
842 | is a good thing. If it isn't successful, don't worry about it, | |
843 | it probably means the source directory is very clean. | |
844 | [Richard Levitte] | |
845 | ||
846 | *) Make sure any ENGINE control commands make local copies of string | |
847 | pointers passed to them whenever necessary. Otherwise it is possible | |
848 | the caller may have overwritten (or deallocated) the original string | |
849 | data when a later ENGINE operation tries to use the stored values. | |
850 |