| | 1 | |
| | 2 | OpenSSL CHANGES |
| | 3 | _______________ |
| | 4 | |
| | 5 | Changes between 0.9.4 and 0.9.5 [xx XXX 1999] |
| | 6 | |
| | 7 | *) Support for ASN1 "NULL" type. This could be handled before by using |
| | 8 | ASN1_TYPE but there wasn't any function that would try to read a NULL |
| | 9 | and produce an error if it couldn't. For compatibility we also have |
| | 10 | ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and |
| | 11 | don't allocate anything because they don't need to. |
| | 12 | [Steve Henson] |
| | 13 | |
| | 14 | *) Initial support for MacOS is now provided. Examine INSTALL.MacOS |
| | 15 | for details. |
| | 16 | [Andy Polyakov, Roy Woods <roy@centicsystems.ca>] |
| | 17 | |
| | 18 | *) Rebuild of the memory allocation routines used by OpenSSL code and |
| | 19 | possibly others as well. The purpose is to make an interface that |
| | 20 | provide hooks so anyone can build a separate set of allocation and |
| | 21 | deallocation routines to be used by OpenSSL, for example if memory |
| | 22 | pool implementations, or something else. The same is provided for |
| | 23 | memory debugging code. OpenSSL already comes with code that finds |
| | 24 | memory leaks, but this gives people a chance to debug other memory |
| | 25 | problems. |
| | 26 | |
| | 27 | With these changes, a new set of functions and macros have appeared: |
| | 28 | |
| | 29 | CRYPTO_set_mem_debug_functions() [F] |
| | 30 | CRYPTO_get_mem_debug_functions() [F] |
| | 31 | CRYPTO_dbg_set_options() [F] |
| | 32 | CRYPTO_dbg_get_options() [F] |
| | 33 | CRYPTO_melloc_debug_init() [M] |
| | 34 | |
| | 35 | The memory debug functions are NULL by default, unless the library |
| | 36 | is compiled with CRYPTO_MDEBUG or friends is defined. If someone |
| | 37 | wants to debug memory anyway, CRYPTO_malloc_debug_init() or |
| | 38 | CRYPTO_set_mem_debug_functions() must be used. |
| | 39 | |
| | 40 | Also, things like CRYPTO_set_mem_functions will always give the |
| | 41 | expected result (the new set of functions is used for allocation |
| | 42 | and deallocation) at all times, regardless of platform and compiler |
| | 43 | options. |
| | 44 | |
| | 45 | To finish it up, some functions that were never use in any other |
| | 46 | way than through macros have a new API and new semantic: |
| | 47 | |
| | 48 | CRYPTO_dbg_malloc() |
| | 49 | CRYPTO_dbg_realloc() |
| | 50 | CRYPTO_dbg_free() |
| | 51 | |
| | 52 | All macros of value have retained their old syntax. |
| | 53 | [Richard Levitte] |
| | 54 | |
| | 55 | *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the |
| | 56 | ordering of SMIMECapabilities wasn't in "strength order" and there |
| | 57 | was a missing NULL in the AlgorithmIdentifier for the SHA1 signature |
| | 58 | algorithm. |
| | 59 | [Steve Henson] |
| | 60 | |
| | 61 | *) Some ASN1 types with illegal zero length encoding (INTEGER, |
| | 62 | ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. |
| | 63 | [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson] |
| | 64 | |
| | 65 | *) Merge in my S/MIME library for OpenSSL. This provides a simple |
| | 66 | S/MIME API on top of the PKCS#7 code, a MIME parser (with enough |
| | 67 | functionality to handle multipart/signed properly) and a utility |
| | 68 | called 'smime' to call all this stuff. This is based on code I |
| | 69 | originally wrote for Celo who have kindly allowed it to be |
| | 70 | included in OpenSSL. |
| | 71 | [Steve Henson] |
| | 72 | |
| | 73 | *) Add variants des_set_key_checked and des_set_key_unchecked of |
| | 74 | des_set_key (aka des_key_sched). Global variable des_check_key |
| | 75 | decides which of these is called by des_set_key; this way |
| | 76 | des_check_key behaves as it always did, but applications and |
| | 77 | the library itself, which was buggy for des_check_key == 1, |
| | 78 | have a cleaner way to pick the version they need. |
| | 79 | [Bodo Moeller] |
| | 80 | |
| | 81 | *) New function PKCS12_newpass() which changes the password of a |
| | 82 | PKCS12 structure. |
| | 83 | [Steve Henson] |
| | 84 | |
| | 85 | *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and |
| | 86 | dynamic mix. In both cases the ids can be used as an index into the |
| | 87 | table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() |
| | 88 | functions so they accept a list of the field values and the |
| | 89 | application doesn't need to directly manipulate the X509_TRUST |
| | 90 | structure. |
| | 91 | [Steve Henson] |
| | 92 | |
| | 93 | *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't |
| | 94 | need initialising. |
| | 95 | [Steve Henson] |
| | 96 | |
| | 97 | *) Modify the way the V3 extension code looks up extensions. This now |
| | 98 | works in a similar way to the object code: we have some "standard" |
| | 99 | extensions in a static table which is searched with OBJ_bsearch() |
| | 100 | and the application can add dynamic ones if needed. The file |
| | 101 | crypto/x509v3/ext_dat.h now has the info: this file needs to be |
| | 102 | updated whenever a new extension is added to the core code and kept |
| | 103 | in ext_nid order. There is a simple program 'tabtest.c' which checks |
| | 104 | this. New extensions are not added too often so this file can readily |
| | 105 | be maintained manually. |
| | 106 | |
| | 107 | There are two big advantages in doing things this way. The extensions |
| | 108 | can be looked up immediately and no longer need to be "added" using |
| | 109 | X509V3_add_standard_extensions(): this function now does nothing. |
| | 110 | [Side note: I get *lots* of email saying the extension code doesn't |
| | 111 | work because people forget to call this function] |
| | 112 | Also no dynamic allocation is done unless new extensions are added: |
| | 113 | so if we don't add custom extensions there is no need to call |
| | 114 | X509V3_EXT_cleanup(). |
| | 115 | [Steve Henson] |
| | 116 | |
| | 117 | *) Modify enc utility's salting as follows: make salting the default. Add a |
| | 118 | magic header, so unsalted files fail gracefully instead of just decrypting |
| | 119 | to garbage. This is because not salting is a big security hole, so people |
| | 120 | should be discouraged from doing it. |
| | 121 | [Ben Laurie] |
| | 122 | |
| | 123 | *) Fixes and enhancements to the 'x509' utility. It allowed a message |
| | 124 | digest to be passed on the command line but it only used this |
| | 125 | parameter when signing a certificate. Modified so all relevant |
| | 126 | operations are affected by the digest parameter including the |
| | 127 | -fingerprint and -x509toreq options. Also -x509toreq choked if a |
| | 128 | DSA key was used because it didn't fix the digest. |
| | 129 | [Steve Henson] |
| | 130 | |
| | 131 | *) Initial certificate chain verify code. Currently tests the untrusted |
| | 132 | certificates for consistency with the verify purpose (which is set |
| | 133 | when the X509_STORE_CTX structure is set up) and checks the pathlength. |
| | 134 | |
| | 135 | There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour: |
| | 136 | this is because it will reject chains with invalid extensions whereas |
| | 137 | every previous version of OpenSSL and SSLeay made no checks at all. |
| | 138 | |
| | 139 | Trust code: checks the root CA for the relevant trust settings. Trust |
| | 140 | settings have an initial value consistent with the verify purpose: e.g. |
| | 141 | if the verify purpose is for SSL client use it expects the CA to be |
| | 142 | trusted for SSL client use. However the default value can be changed to |
| | 143 | permit custom trust settings: one example of this would be to only trust |
| | 144 | certificates from a specific "secure" set of CAs. |
| | 145 | |
| | 146 | Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions |
| | 147 | which should be used for version portability: especially since the |
| | 148 | verify structure is likely to change more often now. |
| | 149 | |
| | 150 | SSL integration. Add purpose and trust to SSL_CTX and SSL and functions |
| | 151 | to set them. If not set then assume SSL clients will verify SSL servers |
| | 152 | and vice versa. |
| | 153 | |
| | 154 | Two new options to the verify program: -untrusted allows a set of |
| | 155 | untrusted certificates to be passed in and -purpose which sets the |
| | 156 | intended purpose of the certificate. If a purpose is set then the |
| | 157 | new chain verify code is used to check extension consistency. |
| | 158 | [Steve Henson] |
| | 159 | |
| | 160 | *) Support for the authority information access extension. |
| | 161 | [Steve Henson] |
| | 162 | |
| | 163 | *) Modify RSA and DSA PEM read routines to transparently handle |
| | 164 | PKCS#8 format private keys. New *_PUBKEY_* functions that handle |
| | 165 | public keys in a format compatible with certificate |
| | 166 | SubjectPublicKeyInfo structures. Unfortunately there were already |
| | 167 | functions called *_PublicKey_* which used various odd formats so |
| | 168 | these are retained for compatibility: however the DSA variants were |
| | 169 | never in a public release so they have been deleted. Changed dsa/rsa |
| | 170 | utilities to handle the new format: note no releases ever handled public |
| | 171 | keys so we should be OK. |
| | 172 | |
| | 173 | The primary motivation for this change is to avoid the same fiasco |
| | 174 | that dogs private keys: there are several incompatible private key |
| | 175 | formats some of which are standard and some OpenSSL specific and |
| | 176 | require various evil hacks to allow partial transparent handling and |
| | 177 | even then it doesn't work with DER formats. Given the option anything |
| | 178 | other than PKCS#8 should be dumped: but the other formats have to |
| | 179 | stay in the name of compatibility. |
| | 180 | |
| | 181 | With public keys and the benefit of hindsight one standard format |
| | 182 | is used which works with EVP_PKEY, RSA or DSA structures: though |
| | 183 | it clearly returns an error if you try to read the wrong kind of key. |
| | 184 | |
| | 185 | Added a -pubkey option to the 'x509' utility to output the public key. |
| | 186 | Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() and add |
| | 187 | EVP_PKEY_rset_*() functions that do the same as the EVP_PKEY_assign_*() |
| | 188 | except they up the reference count of the added key (they don't "swallow" |
| | 189 | the supplied key). |
| | 190 | [Steve Henson] |
| | 191 | |
| | 192 | *) Fixes to crypto/x509/by_file.c the code to read in certificates and |
| | 193 | CRLs would fail if the file contained no certificates or no CRLs: |
| | 194 | added a new function to read in both types and return the number |
| | 195 | read: this means that if none are read it will be an error. The |
| | 196 | DER versions of the certificate and CRL reader would always fail |
| | 197 | because it isn't possible to mix certificates and CRLs in DER format |
| | 198 | without choking one or the other routine. Changed this to just read |
| | 199 | a certificate: this is the best we can do. Also modified the code |
| | 200 | in apps/verify.c to take notice of return codes: it was previously |
| | 201 | attempting to read in certificates from NULL pointers and ignoring |
| | 202 | any errors: this is one reason why the cert and CRL reader seemed |
| | 203 | to work. It doesn't check return codes from the default certificate |
| | 204 | routines: these may well fail if the certificates aren't installed. |
| | 205 | [Steve Henson] |
| | 206 | |
| | 207 | *) Code to support otherName option in GeneralName. |
| | 208 | [Steve Henson] |
| | 209 | |
| | 210 | *) First update to verify code. Change the verify utility |
| | 211 | so it warns if it is passed a self signed certificate: |
| | 212 | for consistency with the normal behaviour. X509_verify |
| | 213 | has been modified to it will now verify a self signed |
| | 214 | certificate if *exactly* the same certificate appears |
| | 215 | in the store: it was previously impossible to trust a |
| | 216 | single self signed certificate. This means that: |
| | 217 | openssl verify ss.pem |
| | 218 | now gives a warning about a self signed certificate but |
| | 219 | openssl verify -CAfile ss.pem ss.pem |
| | 220 | is OK. |
| | 221 | [Steve Henson] |
| | 222 | |
| | 223 | *) For servers, store verify_result in SSL_SESSION data structure |
| | 224 | (and add it to external session representation). |
| | 225 | This is needed when client certificate verifications fails, |
| | 226 | but an application-provided verification callback (set by |
| | 227 | SSL_CTX_set_cert_verify_callback) allows accepting the session |
| | 228 | anyway (i.e. leaves x509_store_ctx->error != X509_V_OK |
| | 229 | but returns 1): When the session is reused, we have to set |
| | 230 | ssl->verify_result to the appropriate error code to avoid |
| | 231 | security holes. |
| | 232 | [Bodo Moeller, problem pointed out by Lutz Jaenicke] |
| | 233 | |
| | 234 | *) Fix a bug in the new PKCS#7 code: it didn't consider the |
| | 235 | case in PKCS7_dataInit() where the signed PKCS7 structure |
| | 236 | didn't contain any existing data because it was being created. |
| | 237 | [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson] |
| | 238 | |
| | 239 | *) Add a salt to the key derivation routines in enc.c. This |
| | 240 | forms the first 8 bytes of the encrypted file. Also add a |
| | 241 | -S option to allow a salt to be input on the command line. |
| | 242 | [Steve Henson] |
| | 243 | |
| | 244 | *) New function X509_cmp(). Oddly enough there wasn't a function |
| | 245 | to compare two certificates. We do this by working out the SHA1 |
| | 246 | hash and comparing that. X509_cmp() will be needed by the trust |
| | 247 | code. |
| | 248 | [Steve Henson] |
| | 249 | |
| | 250 | *) Correctly increment the reference count in the SSL_SESSION pointer |
| | 251 | returned from SSL_get_session(). |
| | 252 | [Geoff Thorpe <geoff@eu.c2.net>] |
| | 253 | |
| | 254 | *) Fix for 'req': it was adding a null to request attributes. |
| | 255 | Also change the X509_LOOKUP and X509_INFO code to handle |
| | 256 | certificate auxiliary information. |
| | 257 | [Steve Henson] |
| | 258 | |
| | 259 | *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document |
| | 260 | the 'enc' command. |
| | 261 | [Steve Henson] |
| | 262 | |
| | 263 | *) Add the possibility to add extra information to the memory leak |
| | 264 | detecting output, to form tracebacks, showing from where each |
| | 265 | allocation was originated. Also updated sid code to be multi- |
| | 266 | thread-safe. |
| | 267 | [Richard Levitte] |
| | 268 | |
| | 269 | *) Add options -text and -noout to pkcs7 utility and delete the |
| | 270 | encryption options which never did anything. Update docs. |
| | 271 | [Steve Henson] |
| | 272 | |
| | 273 | *) Add options to some of the utilities to allow the pass phrase |
| | 274 | to be included on either the command line (not recommended on |
| | 275 | OSes like Unix) or read from the environment. Update the |
| | 276 | manpages and fix a few bugs. |
| | 277 | [Steve Henson] |
| | 278 | |
| | 279 | *) Add a few manpages for some of the openssl commands. |
| | 280 | [Steve Henson] |
| | 281 | |
| | 282 | *) Fix the -revoke option in ca. It was freeing up memory twice, |
| | 283 | leaking and not finding already revoked certificates. |
| | 284 | [Steve Henson] |
| | 285 | |
| | 286 | *) Extensive changes to support certificate auxiliary information. |
| | 287 | This involves the use of X509_CERT_AUX structure and X509_AUX |
| | 288 | functions. An X509_AUX function such as PEM_read_X509_AUX() |
| | 289 | can still read in a certificate file in the usual way but it |
| | 290 | will also read in any additional "auxiliary information". By |
| | 291 | doing things this way a fair degree of compatibility can be |
| | 292 | retained: existing certificates can have this information added |
| | 293 | using the new 'x509' options. |
| | 294 | |
| | 295 | Current auxiliary information includes an "alias" and some trust |
| | 296 | settings. The trust settings will ultimately be used in enhanced |
| | 297 | certificate chain verification routines: currently a certificate |
| | 298 | can only be trusted if it is self signed and then it is trusted |
| | 299 | for all purposes. |
| | 300 | [Steve Henson] |
| | 301 | |
| | 302 | *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The |
| | 303 | problem was that one of the replacement routines had not been working since |
| | 304 | SSLeay releases. For now the offending routine has been replaced with |
| | 305 | non-optimised assembler. Even so, this now gives around 95% performance |
| | 306 | improvement for 1024 bit RSA signs. |
| | 307 | [Mark Cox] |
| | 308 | |
| | 309 | *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 |
| | 310 | handling. Most clients have the effective key size in bits equal to |
| | 311 | the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. |
| | 312 | A few however don't do this and instead use the size of the decrypted key |
| | 313 | to determine the RC2 key length and the AlgorithmIdentifier to determine |
| | 314 | the effective key length. In this case the effective key lenth can still |
| | 315 | be 40 bits but the key length can be 168 bits for example. This is fixed |
| | 316 | by manually forcing an RC2 key into the EVP_PKEY structure because the |
| | 317 | EVP code can't currently handle unusual RC2 key sizes: it always assumes |
| | 318 | the key length and effective key length are equal. |
| | 319 | [Steve Henson] |
| | 320 | |
| | 321 | *) Add a bunch of functions that should simplify the creation of |
| | 322 | X509_NAME structures. Now you should be able to do: |
| | 323 | X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); |
| | 324 | and have it automatically work out the correct field type and fill in |
| | 325 | the structures. The more adventurous can try: |
| | 326 | X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); |
| | 327 | and it will (hopefully) work out the correct multibyte encoding. |
| | 328 | [Steve Henson] |
| | 329 | |
| | 330 | *) Change the 'req' utility to use the new field handling and multibyte |
| | 331 | copy routines. Before the DN field creation was handled in an ad hoc |
| | 332 | way in req, ca, and x509 which was rather broken and didn't support |
| | 333 | BMPStrings or UTF8Strings. Since some software doesn't implement |
| | 334 | BMPStrings or UTF8Strings yet, they can be enabled using the config file |
| | 335 | using the dirstring_type option. See the new comment in the default |
| | 336 | openssl.cnf for more info. |
| | 337 | [Steve Henson] |
| | 338 | |
| | 339 | *) Make crypto/rand/md_rand.c more robust: |
| | 340 | - Assure unique random numbers after fork(). |
| | 341 | - Make sure that concurrent threads access the global counter and |
| | 342 | md serializably so that we never lose entropy in them |
| | 343 | or use exactly the same state in multiple threads. |
| | 344 | Access to the large state is not always serializable because |
| | 345 | the additional locking could be a performance killer, and |
| | 346 | md should be large enough anyway. |
| | 347 | [Bodo Moeller] |
| | 348 | |
| | 349 | *) New file apps/app_rand.c with commonly needed functionality |
| | 350 | for handling the random seed file. |
| | 351 | |
| | 352 | Use the random seed file in some applications that previously did not: |
| | 353 | ca, |
| | 354 | dsaparam -genkey (which also ignored its '-rand' option), |
| | 355 | s_client, |
| | 356 | s_server, |
| | 357 | x509 (when signing). |
| | 358 | Except on systems with /dev/urandom, it is crucial to have a random |
| | 359 | seed file at least for key creation, DSA signing, and for DH exchanges; |
| | 360 | for RSA signatures we could do without one. |
| | 361 | |
| | 362 | gendh and gendsa (unlike genrsa) used to read only the first byte |
| | 363 | of each file listed in the '-rand' option. The function as previously |
| | 364 | found in genrsa is now in app_rand.c and is used by all programs |
| | 365 | that support '-rand'. |
| | 366 | [Bodo Moeller] |
| | 367 | |
| | 368 | *) In RAND_write_file, use mode 0600 for creating files; |
| | 369 | don't just chmod when it may be too late. |
| | 370 | [Bodo Moeller] |
| | 371 | |
| | 372 | *) Report an error from X509_STORE_load_locations |
| | 373 | when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. |
| | 374 | [Bill Perry] |
| | 375 | |
| | 376 | *) New function ASN1_mbstring_copy() this copies a string in either |
| | 377 | ASCII, Unicode, Universal (4 bytes per character) or UTF8 format |
| | 378 | into an ASN1_STRING type. A mask of permissible types is passed |
| | 379 | and it chooses the "minimal" type to use or an error if not type |
| | 380 | is suitable. |
| | 381 | [Steve Henson] |
| | 382 | |
| | 383 | *) Add function equivalents to the various macros in asn1.h. The old |
| | 384 | macros are retained with an M_ prefix. Code inside the library can |
| | 385 | use the M_ macros. External code (including the openssl utility) |
| | 386 | should *NOT* in order to be "shared library friendly". |
| | 387 | [Steve Henson] |
| | 388 | |
| | 389 | *) Add various functions that can check a certificate's extensions |
| | 390 | to see if it usable for various purposes such as SSL client, |
| | 391 | server or S/MIME and CAs of these types. This is currently |
| | 392 | VERY EXPERIMENTAL but will ultimately be used for certificate chain |
| | 393 | verification. Also added a -purpose flag to x509 utility to |
| | 394 | print out all the purposes. |
| | 395 | [Steve Henson] |
| | 396 | |
| | 397 | *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated |
| | 398 | functions. |
| | 399 | [Steve Henson] |
| | 400 | |
| | 401 | *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search |
| | 402 | for, obtain and decode and extension and obtain its critical flag. |
| | 403 | This allows all the necessary extension code to be handled in a |
| | 404 | single function call. |
| | 405 | [Steve Henson] |
| | 406 | |
| | 407 | *) RC4 tune-up featuring 30-40% performance improvement on most RISC |
| | 408 | platforms. See crypto/rc4/rc4_enc.c for further details. |
| | 409 | [Andy Polyakov] |
| | 410 | |
| | 411 | *) New -noout option to asn1parse. This causes no output to be produced |
| | 412 | its main use is when combined with -strparse and -out to extract data |
| | 413 | from a file (which may not be in ASN.1 format). |
| | 414 | [Steve Henson] |
| | 415 | |
| | 416 | *) Fix for pkcs12 program. It was hashing an invalid certificate pointer |
| | 417 | when producing the local key id. |
| | 418 | [Richard Levitte <levitte@stacken.kth.se>] |
| | 419 | |
| | 420 | *) New option -dhparam in s_server. This allows a DH parameter file to be |
| | 421 | stated explicitly. If it is not stated then it tries the first server |
| | 422 | certificate file. The previous behaviour hard coded the filename |
| | 423 | "server.pem". |
| | 424 | [Steve Henson] |
| | 425 | |
| | 426 | *) Add -pubin and -pubout options to the rsa and dsa commands. These allow |
| | 427 | a public key to be input or output. For example: |
| | 428 | openssl rsa -in key.pem -pubout -out pubkey.pem |
| | 429 | Also added necessary DSA public key functions to handle this. |
| | 430 | [Steve Henson] |
| | 431 | |
| | 432 | *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained |
| | 433 | in the message. This was handled by allowing |
| | 434 | X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. |
| | 435 | [Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>] |
| | 436 | |
| | 437 | *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null |
| | 438 | to the end of the strings whereas this didn't. This would cause problems |
| | 439 | if strings read with d2i_ASN1_bytes() were later modified. |
| | 440 | [Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>] |
| | 441 | |
| | 442 | *) Fix for base64 decode bug. When a base64 bio reads only one line of |
| | 443 | data and it contains EOF it will end up returning an error. This is |
| | 444 | caused by input 46 bytes long. The cause is due to the way base64 |
| | 445 | BIOs find the start of base64 encoded data. They do this by trying a |
| | 446 | trial decode on each line until they find one that works. When they |
| | 447 | do a flag is set and it starts again knowing it can pass all the |
| | 448 | data directly through the decoder. Unfortunately it doesn't reset |
| | 449 | the context it uses. This means that if EOF is reached an attempt |
| | 450 | is made to pass two EOFs through the context and this causes the |
| | 451 | resulting error. This can also cause other problems as well. As is |
| | 452 | usual with these problems it takes *ages* to find and the fix is |
| | 453 | trivial: move one line. |
| | 454 | [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] |
| | 455 | |
| | 456 | *) Ugly workaround to get s_client and s_server working under Windows. The |
| | 457 | old code wouldn't work because it needed to select() on sockets and the |
| | 458 | tty (for keypresses and to see if data could be written). Win32 only |
| | 459 | supports select() on sockets so we select() with a 1s timeout on the |
| | 460 | sockets and then see if any characters are waiting to be read, if none |
| | 461 | are present then we retry, we also assume we can always write data to |
| | 462 | the tty. This isn't nice because the code then blocks until we've |
| | 463 | received a complete line of data and it is effectively polling the |
| | 464 | keyboard at 1s intervals: however it's quite a bit better than not |
| | 465 | working at all :-) A dedicated Windows application might handle this |
| | 466 | with an event loop for example. |
| | 467 | [Steve Henson] |
| | 468 | |
| | 469 | *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign |
| | 470 | and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions |
| | 471 | will be called when RSA_sign() and RSA_verify() are used. This is useful |
| | 472 | if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. |
| | 473 | For this to work properly RSA_public_decrypt() and RSA_private_encrypt() |
| | 474 | should *not* be used: RSA_sign() and RSA_verify() must be used instead. |
| | 475 | This necessitated the support of an extra signature type NID_md5_sha1 |
| | 476 | for SSL signatures and modifications to the SSL library to use it instead |
| | 477 | of calling RSA_public_decrypt() and RSA_private_encrypt(). |
| | 478 | [Steve Henson] |
| | 479 | |
| | 480 | *) Add new -verify -CAfile and -CApath options to the crl program, these |
| | 481 | will lookup a CRL issuers certificate and verify the signature in a |
| | 482 | similar way to the verify program. Tidy up the crl program so it |
| | 483 | no longer acesses structures directly. Make the ASN1 CRL parsing a bit |
| | 484 | less strict. It will now permit CRL extensions even if it is not |
| | 485 | a V2 CRL: this will allow it to tolerate some broken CRLs. |
| | 486 | [Steve Henson] |
| | 487 | |
| | 488 | *) Initialize all non-automatic variables each time one of the openssl |
| | 489 | sub-programs is started (this is necessary as they may be started |
| | 490 | multiple times from the "OpenSSL>" prompt). |
| | 491 | [Lennart Bang, Bodo Moeller] |
| | 492 | |
| | 493 | *) Preliminary compilation option RSA_NULL which disables RSA crypto without |
| | 494 | removing all other RSA functionality (this is what NO_RSA does). This |
| | 495 | is so (for example) those in the US can disable those operations covered |
| | 496 | by the RSA patent while allowing storage and parsing of RSA keys and RSA |
| | 497 | key generation. |
| | 498 | [Steve Henson] |
| | 499 | |
| | 500 | *) Non-copying interface to BIO pairs. |
| | 501 | (still largely untested) |
| | 502 | [Bodo Moeller] |
| | 503 | |
| | 504 | *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive |
| | 505 | ASCII string. This was handled independently in various places before. |
| | 506 | [Steve Henson] |
| | 507 | |
| | 508 | *) New functions UTF8_getc() and UTF8_putc() that parse and generate |
| | 509 | UTF8 strings a character at a time. |
| | 510 | [Steve Henson] |
| | 511 | |
| | 512 | *) Use client_version from client hello to select the protocol |
| | 513 | (s23_srvr.c) and for RSA client key exchange verification |
| | 514 | (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. |
| | 515 | [Bodo Moeller] |
| | 516 | |
| | 517 | *) Add various utility functions to handle SPKACs, these were previously |
| | 518 | handled by poking round in the structure internals. Added new function |
| | 519 | NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to |
| | 520 | print, verify and generate SPKACs. Based on an original idea from |
| | 521 | Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. |
| | 522 | [Steve Henson] |
| | 523 | |
| | 524 | *) RIPEMD160 is operational on all platforms and is back in 'make test'. |
| | 525 | [Andy Polyakov] |
| | 526 | |
| | 527 | *) Allow the config file extension section to be overwritten on the |
| | 528 | command line. Based on an original idea from Massimiliano Pala |
| | 529 | <madwolf@comune.modena.it>. The new option is called -extensions |
| | 530 | and can be applied to ca, req and x509. Also -reqexts to override |
| | 531 | the request extensions in req and -crlexts to override the crl extensions |
| | 532 | in ca. |
| | 533 | [Steve Henson] |
| | 534 | |
| | 535 | *) Add new feature to the SPKAC handling in ca. Now you can include |
| | 536 | the same field multiple times by preceding it by "XXXX." for example: |
| | 537 | 1.OU="Unit name 1" |
| | 538 | 2.OU="Unit name 2" |
| | 539 | this is the same syntax as used in the req config file. |
| | 540 | [Steve Henson] |
| | 541 | |
| | 542 | *) Allow certificate extensions to be added to certificate requests. These |
| | 543 | are specified in a 'req_extensions' option of the req section of the |
| | 544 | config file. They can be printed out with the -text option to req but |
| | 545 | are otherwise ignored at present. |
| | 546 | [Steve Henson] |
| | 547 | |
| | 548 | *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first |
| | 549 | data read consists of only the final block it would not decrypted because |
| | 550 | EVP_CipherUpdate() would correctly report zero bytes had been decrypted. |
| | 551 | A misplaced 'break' also meant the decrypted final block might not be |
| | 552 | copied until the next read. |
| | 553 | [Steve Henson] |
| | 554 | |
| | 555 | *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added |
| | 556 | a few extra parameters to the DH structure: these will be useful if |
| | 557 | for example we want the value of 'q' or implement X9.42 DH. |
| | 558 | [Steve Henson] |
| | 559 | |
| | 560 | *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and |
| | 561 | provides hooks that allow the default DSA functions or functions on a |
| | 562 | "per key" basis to be replaced. This allows hardware acceleration and |
| | 563 | hardware key storage to be handled without major modification to the |
| | 564 | library. Also added low level modexp hooks and CRYPTO_EX structure and |
| | 565 | associated functions. |
| | 566 | [Steve Henson] |
| | 567 | |
| | 568 | *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO |
| | 569 | as "read only": it can't be written to and the buffer it points to will |
| | 570 | not be freed. Reading from a read only BIO is much more efficient than |
| | 571 | a normal memory BIO. This was added because there are several times when |
| | 572 | an area of memory needs to be read from a BIO. The previous method was |
| | 573 | to create a memory BIO and write the data to it, this results in two |
| | 574 | copies of the data and an O(n^2) reading algorithm. There is a new |
| | 575 | function BIO_new_mem_buf() which creates a read only memory BIO from |
| | 576 | an area of memory. Also modified the PKCS#7 routines to use read only |
| | 577 | memory BIOSs. |
| | 578 | [Steve Henson] |
| | 579 | |
| | 580 | *) Bugfix: ssl23_get_client_hello did not work properly when called in |
| | 581 | state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of |
| | 582 | a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, |
| | 583 | but a retry condition occured while trying to read the rest. |
| | 584 | [Bodo Moeller] |
| | 585 | |
| | 586 | *) The PKCS7_ENC_CONTENT_new() function was setting the content type as |
| | 587 | NID_pkcs7_encrypted by default: this was wrong since this should almost |
| | 588 | always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle |
| | 589 | the encrypted data type: this is a more sensible place to put it and it |
| | 590 | allows the PKCS#12 code to be tidied up that duplicated this |
| | 591 | functionality. |
| | 592 | [Steve Henson] |
| | 593 | |
| | 594 | *) Changed obj_dat.pl script so it takes its input and output files on |
| | 595 | the command line. This should avoid shell escape redirection problems |
| | 596 | under Win32. |
| | 597 | [Steve Henson] |
| | 598 | |
| | 599 | *) Initial support for certificate extension requests, these are included |
| | 600 | in things like Xenroll certificate requests. Included functions to allow |
| | 601 | extensions to be obtained and added. |
| | 602 | [Steve Henson] |
| | 603 | |
| | 604 | *) -crlf option to s_client and s_server for sending newlines as |
| | 605 | CRLF (as required by many protocols). |
| | 606 | [Bodo Moeller] |
| | 607 | |
| | 608 | Changes between 0.9.3a and 0.9.4 [09 Aug 1999] |
| | 609 | |
| | 610 | *) Install libRSAglue.a when OpenSSL is built with RSAref. |
| | 611 | [Ralf S. Engelschall] |
| | 612 | |
| | 613 | *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. |
| | 614 | [Andrija Antonijevic <TheAntony2@bigfoot.com>] |
| | 615 | |
| | 616 | *) Fix -startdate and -enddate (which was missing) arguments to 'ca' |
| | 617 | program. |
| | 618 | [Steve Henson] |
| | 619 | |
| | 620 | *) New function DSA_dup_DH, which duplicates DSA parameters/keys as |
| | 621 | DH parameters/keys (q is lost during that conversion, but the resulting |
| | 622 | DH parameters contain its length). |
| | 623 | |
| | 624 | For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is |
| | 625 | much faster than DH_generate_parameters (which creates parameters |
| | 626 | where p = 2*q + 1), and also the smaller q makes DH computations |
| | 627 | much more efficient (160-bit exponentiation instead of 1024-bit |
| | 628 | exponentiation); so this provides a convenient way to support DHE |
| | 629 | ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of |
| | 630 | utter importance to use |
| | 631 | SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
| | 632 | or |
| | 633 | SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); |
| | 634 | when such DH parameters are used, because otherwise small subgroup |
| | 635 | attacks may become possible! |
| | 636 | [Bodo Moeller] |
| | 637 | |
| | 638 | *) Avoid memory leak in i2d_DHparams. |
| | 639 | [Bodo Moeller] |
| | 640 | |
| | 641 | *) Allow the -k option to be used more than once in the enc program: |
| | 642 | this allows the same encrypted message to be read by multiple recipients. |
| | 643 | [Steve Henson] |
| | 644 | |
| | 645 | *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts |
| | 646 | an ASN1_OBJECT to a text string. If the "no_name" parameter is set then |
| | 647 | it will always use the numerical form of the OID, even if it has a short |
| | 648 | or long name. |
| | 649 | [Steve Henson] |
| | 650 | |
| | 651 | *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp |
| | 652 | method only got called if p,q,dmp1,dmq1,iqmp components were present, |
| | 653 | otherwise bn_mod_exp was called. In the case of hardware keys for example |
| | 654 | no private key components need be present and it might store extra data |
| | 655 | in the RSA structure, which cannot be accessed from bn_mod_exp. |
| | 656 | By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for |
| | 657 | private key operations. |
| | 658 | [Steve Henson] |
| | 659 | |
| | 660 | *) Added support for SPARC Linux. |
| | 661 | [Andy Polyakov] |
| | 662 | |
| | 663 | *) pem_password_cb function type incompatibly changed from |
| | 664 | typedef int pem_password_cb(char *buf, int size, int rwflag); |
| | 665 | to |
| | 666 | ....(char *buf, int size, int rwflag, void *userdata); |
| | 667 | so that applications can pass data to their callbacks: |
| | 668 | The PEM[_ASN1]_{read,write}... functions and macros now take an |
| | 669 | additional void * argument, which is just handed through whenever |
| | 670 | the password callback is called. |
| | 671 | [Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller] |
| | 672 | |
| | 673 | New function SSL_CTX_set_default_passwd_cb_userdata. |
| | 674 | |
| | 675 | Compatibility note: As many C implementations push function arguments |
| | 676 | onto the stack in reverse order, the new library version is likely to |
| | 677 | interoperate with programs that have been compiled with the old |
| | 678 | pem_password_cb definition (PEM_whatever takes some data that |
| | 679 | happens to be on the stack as its last argument, and the callback |
| | 680 | just ignores this garbage); but there is no guarantee whatsoever that |
| | 681 | this will work. |
| | 682 | |
| | 683 | *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... |
| | 684 | (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused |
| | 685 | problems not only on Windows, but also on some Unix platforms. |
| | 686 | To avoid problematic command lines, these definitions are now in an |
| | 687 | auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl |
| | 688 | for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). |
| | 689 | [Bodo Moeller] |
| | 690 | |
| | 691 | *) MIPS III/IV assembler module is reimplemented. |
| | 692 | [Andy Polyakov] |
| | 693 | |
| | 694 | *) More DES library cleanups: remove references to srand/rand and |
| | 695 | delete an unused file. |
| | 696 |
projects / thirdparty / openssl.git / blame_incremental