 OpenSSL CHANGES
 _______________

 Changes between 0.9.7 and 0.9.8  [xx XXX 2002]

  *) Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
     functions
         EC_GROUP_set_asn1_flag()
         EC_GROUP_get_asn1_flag()
         EC_GROUP_set_point_conversion_form()
         EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in compressed form by default; options for
       asn1_form are as for point2oct, namely
         POINT_CONVERSION_COMPRESSED
         POINT_CONVERSION_UNCOMPRESSED
         POINT_CONVERSION_HYBRID
     [Nils Larsch <nla@trustcenter.de>]

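     The three point conversion forms named in the entry above are the X9.62
     octet-string encodings (leading byte 0x02/0x03, 0x04 or 0x06/0x07).  The
     following is an added example, not OpenSSL code: it encodes and decodes
     points on a constructed toy curve y^2 = x^3 + x + 1 over F_23 (all names,
     the curve and the one-byte coordinate width are assumptions of the
     example), and the decoder rejects every malformed input a verifier must
     refuse: wrong tag or length, a coordinate outside the field, a supplied y
     that is not on the curve, a hybrid parity bit that contradicts y, and a
     compressed x for which no point exists.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not OpenSSL code: the three X9.62 octet-string forms
 * that POINT_CONVERSION_COMPRESSED / UNCOMPRESSED / HYBRID select, on a
 * constructed toy curve y^2 = x^3 + x + 1 over F_23.  Because p < 256 each
 * coordinate occupies one byte; the real point2oct uses ceil(log2(p)/8).
 * The single-byte encoding of the point at infinity is not accepted here. */
#define TOY_P 23
#define TOY_A 1
#define TOY_B 1

enum { FORM_COMPRESSED = 2, FORM_UNCOMPRESSED = 4, FORM_HYBRID = 6 };

static int64_t md(int64_t v) { v %= TOY_P; return v < 0 ? v + TOY_P : v; }

static int64_t pow_mod(int64_t b, int64_t e) {
    int64_t r = 1;
    b = md(b);
    while (e) { if (e & 1) r = r * b % TOY_P; b = b * b % TOY_P; e >>= 1; }
    return r;
}

/* x^3 + ax + b: the value y^2 must equal for (x, y) to lie on the curve. */
static int64_t rhs(int64_t x) { return md(x * x % TOY_P * x + TOY_A * x + TOY_B); }

static int on_curve(int64_t x, int64_t y) { return md(y * y) == rhs(x); }

/* Encodes (x, y) in the requested form; returns bytes written (2 or 3),
 * or 0 for an unknown form or a point that is not on the curve. */
int toy_point2oct(int form, int64_t x, int64_t y, uint8_t out[3]) {
    if (!on_curve(x, y)) return 0;
    switch (form) {
    case FORM_COMPRESSED:      /* 0x02/0x03 (parity of y) || x */
        out[0] = (uint8_t)(0x02 | (y & 1)); out[1] = (uint8_t)x; return 2;
    case FORM_UNCOMPRESSED:    /* 0x04 || x || y */
        out[0] = 0x04; out[1] = (uint8_t)x; out[2] = (uint8_t)y; return 3;
    case FORM_HYBRID:          /* 0x06/0x07 (parity of y) || x || y */
        out[0] = (uint8_t)(0x06 | (y & 1)); out[1] = (uint8_t)x; out[2] = (uint8_t)y; return 3;
    default:
        return 0;
    }
}

/* Decodes any of the three forms.  Returns 1 and fills *x, *y, or 0 for
 * malformed input: unknown tag, wrong length, coordinate >= p, point off the
 * curve, hybrid parity bit contradicting y, or a compressed x whose
 * right-hand side has no square root (no point with that x exists). */
int toy_oct2point(const uint8_t *in, int len, int64_t *x, int64_t *y) {
    if (len < 2 || in[1] >= TOY_P) return 0;
    uint8_t tag = in[0];
    int64_t cx = in[1];
    if (tag == 0x02 || tag == 0x03) {
        if (len != 2) return 0;
        int64_t r = rhs(cx);
        /* TOY_P = 3 (mod 4), so r^((p+1)/4) is a square root of r whenever one exists. */
        int64_t cy = pow_mod(r, (TOY_P + 1) / 4);
        if (cy * cy % TOY_P != r) return 0;           /* r is a non-residue */
        if (cy == 0 && (tag & 1)) return 0;           /* y = 0 has no odd twin */
        if ((cy & 1) != (tag & 1)) cy = TOY_P - cy;   /* root with the signalled parity */
        *x = cx; *y = cy;
        return 1;
    }
    if (tag == 0x04 || tag == 0x06 || tag == 0x07) {
        if (len != 3 || in[2] >= TOY_P) return 0;
        int64_t cy = in[2];
        if (!on_curve(cx, cy)) return 0;              /* never trust a supplied y */
        if (tag != 0x04 && (cy & 1) != (tag & 1)) return 0;
        *x = cx; *y = cy;
        return 1;
    }
    return 0;
}

int main(void) {
    static const int forms[3] = { FORM_COMPRESSED, FORM_UNCOMPRESSED, FORM_HYBRID };
    for (int i = 0; i < 3; i++) {
        uint8_t buf[3];
        int64_t x, y;
        int n = toy_point2oct(forms[i], 3, 10, buf);   /* (3, 10) lies on the toy curve */
        printf("form %d:", forms[i]);
        for (int k = 0; k < n; k++) printf(" %02x", buf[k]);
        printf("  -> decode %s\n", toy_oct2point(buf, n, &x, &y) ? "ok" : "rejected");
    }
    return 0;
}
```

     The on-curve check in the uncompressed and hybrid branches is the part
     worth copying: an implementation that trusts a supplied y and feeds it
     into the group law is operating on a point of some other curve.
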
  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID.  The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
         EC_POINT_point2bn()
         EC_POINT_bn2point()
         EC_POINT_point2hex()
         EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
         EC_GROUP_set_generator()
         EC_GROUP_get_generator()
         EC_GROUP_get_order()
         EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

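     The entry above describes two properties of the new recoding: it works on
     machine words rather than BIGNUMs, and it produces "modified" wNAFs.  The
     following added example (not OpenSSL's compute_wNAF; function names and
     conventions are the example's own) shows both on plain 64-bit scalars.  A
     plain wNAF with window parameter w uses odd digits up to 2^w - 1 and can
     be one digit longer than the scalar's binary length; the modified variant
     notices when the current window already holds every remaining bit and
     picks a positive digit there instead of the negative one that would carry
     past the top bit.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL's compute_wNAF: signed-digit (wNAF) recoding of
 * a scalar with machine integers only.  Digits are zero or odd with
 * |d| <= 2^w - 1, so a scalar multiplication needs the precomputed odd
 * multiples P, 3P, ..., (2^w - 1)P only.  Scalars must be below 2^63 so
 * that adding back a negative digit cannot overflow; 1 <= w <= 7 keeps every
 * digit inside an int8_t. */
static int bit_length(uint64_t k) { int n = 0; while (k) { n++; k >>= 1; } return n; }

/* Writes the digits, least significant first, to out (capacity 65) and
 * returns how many there are; 0 is returned for an unsupported w. */
int compute_wnaf(uint64_t scalar, int w, int modified, int8_t out[65]) {
    if (w < 1 || w > 7) return 0;
    int len = bit_length(scalar);
    unsigned mask = (1u << (w + 1)) - 1;   /* the window is w+1 bits wide */
    unsigned sign_bit = 1u << w;
    uint64_t k = scalar;
    int j = 0;
    while (k != 0) {
        int digit = 0;
        if (k & 1) {
            unsigned window = (unsigned)(k & mask);
            if (!(window & sign_bit)) {
                digit = (int)window;                        /* positive digit */
            } else if (modified && j + w + 1 >= len) {
                /* Every remaining bit of the scalar already sits in this
                 * window, so a negative digit would carry one position past
                 * the scalar's length and lengthen the representation.
                 * Taking the positive low-w-bit digit instead avoids that. */
                digit = (int)(window & (mask >> 1));
            } else {
                digit = (int)window - (int)(1u << (w + 1)); /* negative digit */
            }
            if (digit < 0) k += (uint64_t)(-digit); else k -= (uint64_t)digit;
        }
        out[j++] = (int8_t)digit;
        k >>= 1;
    }
    return j;
}

/* Reassembles sum(d_i * 2^i) so a caller can confirm the recoding is exact. */
int64_t wnaf_value(const int8_t *d, int n) {
    int64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = 2 * v + d[i];
    return v;
}

int main(void) {
    int8_t d[65];
    for (int modified = 0; modified <= 1; modified++) {
        int n = compute_wnaf(5, 2, modified, d);
        printf("%s wNAF of 5 (w=2), %d digits:", modified ? "modified" : "plain", n);
        for (int i = n - 1; i >= 0; i--) printf(" %d", d[i]);
        printf("  -> %lld\n", (long long)wnaf_value(d, n));
    }
    return 0;
}
```

     For 5 with w = 2 the plain recoding is 1 0 0 -3 (four digits for a
     three-bit scalar); the modified recoding is 1 0 1.  The saving is exactly
     the carry the entry refers to, and it applies only when the last window
     would have produced it, which is why the entry says "in many cases"
     rather than always.
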
  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order.  This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

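     The checks the entry above names are worth seeing in full, because each
     one closes a distinct hole: a zero discriminant 4a^3 + 27b^2 means the
     curve is singular and the group law degenerates; a generator that is not
     on the curve puts every later computation on some other curve; and a
     wrong order breaks anything that reduces scalars modulo it.  The
     following is an added example, not OpenSSL's EC_GROUP_check, on a
     constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with generator (3, 6)
     of order 5 (all names and parameters are the example's own).

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL's EC_GROUP_check: the sanity tests the entry
 * describes, on a constructed toy curve in affine coordinates.  p must stay
 * small enough that the product of two residues fits in an int64_t, and the
 * group-law helpers assume their inputs are already on the curve. */
typedef struct { int64_t p, a, b, gx, gy, order; } toy_group;
typedef struct { int64_t x, y; int at_infinity; } toy_point;

static int64_t md(int64_t v, int64_t p) { v %= p; return v < 0 ? v + p : v; }

static int64_t inv_mod(int64_t v, int64_t p) {   /* v^(p-2), p prime */
    int64_t r = 1, e = p - 2;
    v = md(v, p);
    while (e) { if (e & 1) r = r * v % p; v = v * v % p; e >>= 1; }
    return r;
}

/* 4a^3 + 27b^2 != 0 (mod p); a zero discriminant means a singular curve. */
int toy_check_discriminant(const toy_group *g) {
    int64_t a3 = g->a * g->a % g->p * g->a % g->p;
    int64_t b2 = g->b * g->b % g->p;
    return md(4 * a3 + 27 * b2, g->p) != 0;
}

static int on_curve(const toy_group *g, toy_point P) {
    if (P.at_infinity) return 0;
    int64_t lhs = P.y * P.y % g->p;
    int64_t rhs = md(P.x * P.x % g->p * P.x + g->a * P.x + g->b, g->p);
    return lhs == rhs;
}

/* Chord-and-tangent addition; P == Q doubles, P == -Q gives infinity. */
toy_point toy_add(const toy_group *g, toy_point P, toy_point Q) {
    toy_point R = {0, 0, 1};
    if (P.at_infinity) return Q;
    if (Q.at_infinity) return P;
    int64_t lambda;
    if (P.x == Q.x) {
        if (md(P.y + Q.y, g->p) == 0) return R;   /* Q == -P, or doubling a point with y == 0 */
        lambda = (3 * P.x % g->p * P.x + g->a) % g->p * inv_mod(2 * P.y, g->p) % g->p;
    } else {
        lambda = md(Q.y - P.y, g->p) * inv_mod(md(Q.x - P.x, g->p), g->p) % g->p;
    }
    R.at_infinity = 0;
    R.x = md(lambda * lambda - P.x - Q.x, g->p);
    R.y = md(lambda * md(P.x - R.x, g->p) - P.y, g->p);
    return R;
}

/* Left-to-right double-and-add, k < 2^63. */
toy_point toy_mul(const toy_group *g, int64_t k, toy_point P) {
    toy_point R = {0, 0, 1};
    for (int i = 62; i >= 0; i--) {
        R = toy_add(g, R, R);
        if ((k >> i) & 1) R = toy_add(g, R, P);
    }
    return R;
}

/* The EC_GROUP_check-style tests: non-singular curve, generator on the
 * curve, and order*G == O.  The last test shows only that the claimed
 * order is a multiple of G's true order; it does not prove it is prime. */
int toy_group_check(const toy_group *g) {
    toy_point G = {g->gx, g->gy, 0};
    if (g->p < 3 || g->order < 1) return 0;
    if (!toy_check_discriminant(g)) return 0;
    if (!on_curve(g, G)) return 0;
    return toy_mul(g, g->order, G).at_infinity;
}

int main(void) {
    toy_group good = {97, 2, 3, 3, 6, 5};        /* constructed textbook-sized curve */
    toy_group singular = {97, 0, 0, 3, 6, 5};    /* y^2 = x^3: discriminant 0 */
    toy_group bad_order = {97, 2, 3, 3, 6, 4};   /* 4G = -G, not infinity */
    toy_point G = {3, 6, 0};
    toy_point G2 = toy_mul(&good, 2, G);
    printf("2G = (%lld, %lld)\n", (long long)G2.x, (long long)G2.y);
    printf("good=%d singular=%d bad_order=%d\n", toy_group_check(&good),
           toy_group_check(&singular), toy_group_check(&bad_order));
    return 0;
}
```

     Running the checks on parameters received from a peer, rather than only
     on built-in curves, is what makes them a security measure: the
     discriminant test and the on-curve test are cheap, and the order test
     costs one scalar multiplication.
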
4d94ae00 BM |
60 | *) Add ECDSA in new directory crypto/ecdsa/. |
61 | ||
62 | Add applications 'openssl ecdsaparam' and 'openssl ecdsa' | |
63 | (these are variants of 'openssl dsaparam' and 'openssl dsa'). | |
64 | ||
65 | ECDSA support is also included in various other files across the | |
66 | library. Most notably, | |
67 | - 'openssl req' now has a '-newkey ecdsa:file' option; | |
68 | - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA; | |
69 | - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and | |
70 | d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make | |
71 | them suitable for ECDSA where domain parameters must be | |
72 | extracted before the specific public key. | |
f8e21776 | 73 | [Nils Larsch <nla@trustcenter.de>] |
4d94ae00 | 74 | |
af28dd6c BM |
75 | *) Include some named elliptic curves, and add OIDs from X9.62, |
76 | SECG, and WAP/WTLS. The curves can be obtained from the new | |
77 | functions | |
4d94ae00 BM |
78 | EC_GROUP_new_by_nid() |
79 | EC_GROUP_new_by_name() | |
254ef80d BM |
80 | Also add a 'curve_name' member to EC_GROUP objects, which can be |
81 | accessed via | |
4d94ae00 BM |
82 | EC_GROUP_set_nid() |
83 | EC_GROUP_get_nid() | |
84 | [Nils Larsch <nla@trustcenter.de, Bodo Moeller] | |
85 | ||
381a146d | 86 | Changes between 0.9.6d and 0.9.7 [XX xxx 2002] |
dc014d43 | 87 | |
d15711ef BL |
88 | *) Improve diagnostics in file reading and command-line digests. |
89 | [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>] | |
90 | ||
fbb56e5b RL |
91 | *) Add AES modes CFB and OFB to the object database. Correct an |
92 | error in AES-CFB decryption. | |
93 | [Richard Levitte] | |
94 | ||
544a2aea DSH |
95 | *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this |
96 | allows existing EVP_CIPHER_CTX structures to be reused after | |
97 | calling EVP_*Final(). This behaviour is used by encryption | |
98 | BIOs and some applications. This has the side effect that | |
99 | applications must explicitly clean up cipher contexts with | |
100 | EVP_CIPHER_CTX_cleanup() or they will leak memory. | |
101 | [Steve Henson] | |
102 | ||
dc014d43 DSH |
103 | *) Check the values of dna and dnb in bn_mul_recursive before calling |
104 | bn_mul_comba (a non zero value means the a or b arrays do not contain | |
105 | n2 elements) and fallback to bn_mul_normal if either is not zero. | |
106 | [Steve Henson] | |
4d94ae00 | 107 | |
c0455cbb LJ |
108 | *) Fix escaping of non-ASCII characters when using the -subj option |
109 | of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>) | |
110 | [Lutz Jaenicke] | |
111 | ||
85fb12d5 | 112 | *) Make object definitions compliant to LDAP (RFC2256): SN is the short |
e9cbcb1d LJ |
113 | form for "surname", serialNumber has no short form. |
114 | Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; | |
115 | therefore remove "mail" short name for "internet 7". | |
e1f7ea25 LJ |
116 | The OID for unique identifiers in X509 certificates is |
117 | x500UniqueIdentifier, not uniqueIdentifier. | |
e9cbcb1d | 118 | Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>) |
08b977b5 | 119 | [Lutz Jaenicke] |
ffbe98b7 | 120 | |
85fb12d5 | 121 | *) Add an "init" command to the ENGINE config module and auto initialize |
0dc09233 DSH |
122 | ENGINEs. Without any "init" command the ENGINE will be initialized |
123 | after all ctrl commands have been executed on it. If init=1 the | |
124 | ENGINE is initailized at that point (ctrls before that point are run | |
125 | on the uninitialized ENGINE and after on the initialized one). If | |
126 | init=0 then the ENGINE will not be iniatialized at all. | |
127 | [Steve Henson] | |
128 | ||
85fb12d5 | 129 | *) Fix the 'app_verify_callback' interface so that the user-defined |
023ec151 BM |
130 | argument is actually passed to the callback: In the |
131 | SSL_CTX_set_cert_verify_callback() prototype, the callback | |
132 | declaration has been changed from | |
133 | int (*cb)() | |
134 | into | |
135 | int (*cb)(X509_STORE_CTX *,void *); | |
136 | in ssl_verify_cert_chain (ssl/ssl_cert.c), the call | |
137 | i=s->ctx->app_verify_callback(&ctx) | |
138 | has been changed into | |
139 | i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). | |
140 | ||
141 | To update applications using SSL_CTX_set_cert_verify_callback(), | |
142 | a dummy argument can be added to their callback functions. | |
143 | [D. K. Smetters <smetters@parc.xerox.com>] | |
144 | ||
85fb12d5 | 145 | *) Added the '4758cca' ENGINE to support IBM 4758 cards. |
92d1bc09 GT |
146 | [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] |
147 | ||
85fb12d5 | 148 | *) Add and OPENSSL_LOAD_CONF define which will cause |
e84be9b4 DSH |
149 | OpenSSL_add_all_algorithms() to load the openssl.cnf config file. |
150 | This allows older applications to transparently support certain | |
151 | OpenSSL features: such as crypto acceleration and dynamic ENGINE loading. | |
152 | Two new functions OPENSSL_add_all_algorithms_noconf() which will never | |
153 | load the config file and OPENSSL_add_all_algorithms_conf() which will | |
154 | always load it have also been added. | |
155 | [Steve Henson] | |
156 | ||
85fb12d5 | 157 | *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES. |
0d22b5da RL |
158 | Adjust NIDs and EVP layer. |
159 | [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] | |
160 | ||
85fb12d5 | 161 | *) Config modules support in openssl utility. |
3647bee2 DSH |
162 | |
163 | Most commands now load modules from the config file, | |
164 | though in a few (such as version) this isn't done | |
165 | because it couldn't be used for anything. | |
166 | ||
167 | In the case of ca and req the config file used is | |
168 | the same as the utility itself: that is the -config | |
169 | command line option can be used to specify an | |
170 | alternative file. | |
171 | [Steve Henson] | |
172 | ||
85fb12d5 | 173 | *) Move default behaviour from OPENSSL_config(). If appname is NULL |
92f91ff4 DSH |
174 | use "openssl_conf" if filename is NULL use default openssl config file. |
175 | [Steve Henson] | |
176 | ||
85fb12d5 | 177 | *) Add an argument to OPENSSL_config() to allow the use of an alternative |
92f91ff4 DSH |
178 | config section name. Add a new flag to tolerate a missing config file |
179 | and move code to CONF_modules_load_file(). | |
180 | [Steve Henson] | |
181 | ||
85fb12d5 | 182 | *) Support for crypto accelerator cards from Accelerated Encryption |
3cd039dd RL |
183 | Processing, www.aep.ie. (Use engine 'aep') |
184 | The support was copied from 0.9.6c [engine] and adapted/corrected | |
185 | to work with the new engine framework. | |
186 | [AEP Inc. and Richard Levitte] | |
187 | ||
85fb12d5 | 188 | *) Support for SureWare crypto accelerator cards from Baltimore |
3cd039dd RL |
189 | Technologies. (Use engine 'sureware') |
190 | The support was copied from 0.9.6c [engine] and adapted | |
191 | to work with the new engine framework. | |
192 | [Richard Levitte] | |
193 | ||
85fb12d5 | 194 | *) Have the CHIL engine fork-safe (as defined by nCipher) and actually |
1199e2d8 RL |
195 | make the newer ENGINE framework commands for the CHIL engine work. |
196 | [Toomas Kiisk <vix@cyber.ee> and Richard Levitte] | |
197 | ||
85fb12d5 | 198 | *) Make it possible to produce shared libraries on ReliantUNIX. |
a3fffd64 RL |
199 | [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte] |
200 | ||
85fb12d5 | 201 | *) Add the configuration target debug-linux-ppro. |
80bb905d RL |
202 | Make 'openssl rsa' use the general key loading routines |
203 | implemented in apps.c, and make those routines able to | |
204 | handle the key format FORMAT_NETSCAPE and the variant | |
205 | FORMAT_IISSGC. | |
206 | [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] | |
207 | ||
381a146d | 208 | *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). |
80bb905d RL |
209 | [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] |
210 | ||
85fb12d5 | 211 | *) Add -keyform to rsautl, and document -engine. |
8242a6a9 RL |
212 | [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>] |
213 | ||
85fb12d5 | 214 | *) Change BIO_new_file (crypto/bio/bss_file.c) to use new |
a14e2d9d BM |
215 | BIO_R_NO_SUCH_FILE error code rather than the generic |
216 | ERR_R_SYS_LIB error code if fopen() fails with ENOENT. | |
217 | [Ben Laurie] | |
218 | ||
85fb12d5 | 219 | *) Add new functions |
a14e2d9d BM |
220 | ERR_peek_last_error |
221 | ERR_peek_last_error_line | |
222 | ERR_peek_last_error_line_data. | |
223 | These are similar to | |
224 | ERR_peek_error | |
225 | ERR_peek_error_line | |
226 | ERR_peek_error_line_data, | |
227 | but report on the latest error recorded rather than the first one | |
228 | still in the error queue. | |
229 | [Ben Laurie, Bodo Moeller] | |
230 | ||
85fb12d5 | 231 | *) default_algorithms option in ENGINE config module. This allows things |
df5eaa8a DSH |
232 | like: |
233 | default_algorithms = ALL | |
234 | default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS | |
235 | [Steve Henson] | |
236 | ||
85fb12d5 | 237 | *) Prelminary ENGINE config module. |
c9501c22 DSH |
238 | [Steve Henson] |
239 | ||
85fb12d5 | 240 | *) New experimental application configuration code. |
bc37d996 DSH |
241 | [Steve Henson] |
242 | ||
85fb12d5 | 243 | *) Change the AES code to follow the same name structure as all other |
6f9079fd RL |
244 | symmetric ciphers, and behave the same way. Move everything to |
245 | the directory crypto/aes, thereby obsoleting crypto/rijndael. | |
246 | [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte] | |
247 | ||
85fb12d5 | 248 | *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c. |
7c517a04 BL |
249 | [Ben Laurie and Theo de Raadt] |
250 | ||
85fb12d5 | 251 | *) Add option to output public keys in req command. |
21a85f19 DSH |
252 | [Massimiliano Pala madwolf@openca.org] |
253 | ||
85fb12d5 | 254 | *) Use wNAFs in EC_POINTs_mul() for improved efficiency |
76c4336c | 255 | (up to about 10% better than before for P-192 and P-224). |
3ba1f111 BM |
256 | [Bodo Moeller] |
257 | ||
85fb12d5 | 258 | *) New functions/macros |
7aa983c6 BM |
259 | |
260 | SSL_CTX_set_msg_callback(ctx, cb) | |
261 | SSL_CTX_set_msg_callback_arg(ctx, arg) | |
262 | SSL_set_msg_callback(ssl, cb) | |
263 | SSL_set_msg_callback_arg(ssl, arg) | |
264 | ||
265 | to request calling a callback function | |
266 | ||
267 | void cb(int write_p, int version, int content_type, | |
268 | const void *buf, size_t len, SSL *ssl, void *arg) | |
269 | ||
270 | whenever a protocol message has been completely received | |
271 | (write_p == 0) or sent (write_p == 1). Here 'version' is the | |
272 | protocol version according to which the SSL library interprets | |
273 | the current protocol message (SSL2_VERSION, SSL3_VERSION, or | |
274 | TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or | |
275 | the content type as defined in the SSL 3.0/TLS 1.0 protocol | |
276 | specification (change_cipher_spec(20), alert(21), handshake(22)). | |
277 | 'buf' and 'len' point to the actual message, 'ssl' to the | |
278 | SSL object, and 'arg' is the application-defined value set by | |
279 | SSL[_CTX]_set_msg_callback_arg(). | |
280 | ||
281 | 'openssl s_client' and 'openssl s_server' have new '-msg' options | |
282 | to enable a callback that displays all protocol messages. | |
283 | [Bodo Moeller] | |
284 | ||
85fb12d5 | 285 | *) Change the shared library support so shared libraries are built as |
a7b42009 RL |
286 | soon as the corresponding static library is finished, and thereby get |
287 | openssl and the test programs linked against the shared library. | |
288 | This still only happens when the keyword "shard" has been given to | |
289 | the configuration scripts. | |
290 | ||
291 | NOTE: shared library support is still an experimental thing, and | |
292 | backward binary compatibility is still not guaranteed. | |
293 | ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte] | |
294 | ||
85fb12d5 | 295 | *) Add support for Subject Information Access extension. |
7d5b04db DSH |
296 | [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>] |
297 | ||
85fb12d5 | 298 | *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero |
48b0cf8b BM |
299 | additional bytes when new memory had to be allocated, not just |
300 | when reusing an existing buffer. | |
301 | [Bodo Moeller] | |
302 | ||
85fb12d5 | 303 | *) New command line and configuration option 'utf8' for the req command. |
1fc6d41b DSH |
304 | This allows field values to be specified as UTF8 strings. |
305 | [Steve Henson] | |
306 | ||
85fb12d5 | 307 | *) Add -multi and -mr options to "openssl speed" - giving multiple parallel |
0e211563 BL |
308 | runs for the former and machine-readable output for the latter. |
309 | [Ben Laurie] | |
310 | ||
85fb12d5 | 311 | *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion |
89da653f BM |
312 | of the e-mail address in the DN (i.e., it will go into a certificate |
313 | extension only). The new configuration file option 'email_in_dn = no' | |
314 | has the same effect. | |
315 | [Massimiliano Pala madwolf@openca.org] | |
316 | ||
85fb12d5 | 317 | *) Change all functions with names starting with des_ to be starting |
12852213 | 318 | with DES_ instead. Add wrappers that are compatible with libdes, |
2d57b73a | 319 | but are named _ossl_old_des_*. Finally, add macros that map the |
0d81c69b RL |
320 | des_* symbols to the corresponding _ossl_old_des_* if libdes |
321 | compatibility is desired. If OpenSSL 0.9.6c compatibility is | |
322 | desired, the des_* symbols will be mapped to DES_*, with one | |
323 | exception. | |
12852213 | 324 | |
0d81c69b RL |
325 | Since we provide two compatibility mappings, the user needs to |
326 | define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes | |
327 | compatibility is desired. The default (i.e., when that macro | |
328 | isn't defined) is OpenSSL 0.9.6c compatibility. | |
329 | ||
330 | There are also macros that enable and disable the support of old | |
331 | des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT | |
332 | and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those | |
333 | are defined, the default will apply: to support the old des routines. | |
334 | ||
335 | In either case, one must include openssl/des.h to get the correct | |
336 | definitions. Do not try to just include openssl/des_old.h, that | |
337 | won't work. | |
c2e4f17c RL |
338 | |
339 | NOTE: This is a major break of an old API into a new one. Software | |
340 | authors are encouraged to switch to the DES_ style functions. Some | |
341 | time in the future, des_old.h and the libdes compatibility functions | |
0d81c69b RL |
342 | will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the |
343 | default), and then completely removed. | |
c2e4f17c RL |
344 | [Richard Levitte] |
345 | ||
85fb12d5 | 346 | *) Test for certificates which contain unsupported critical extensions. |
f1558bb4 DSH |
347 | If such a certificate is found during a verify operation it is |
348 | rejected by default: this behaviour can be overridden by either | |
349 | handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or | |
350 | by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function | |
351 | X509_supported_extension() has also been added which returns 1 if a | |
352 | particular extension is supported. | |
353 | [Steve Henson] | |
354 | ||
85fb12d5 | 355 | *) Modify the behaviour of EVP cipher functions in similar way to digests |
581f1c84 DSH |
356 | to retain compatibility with existing code. |
357 | [Steve Henson] | |
358 | ||
85fb12d5 | 359 | *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain |
50d194af DSH |
360 | compatibility with existing code. In particular the 'ctx' parameter does |
361 | not have to be to be initialized before the call to EVP_DigestInit() and | |
362 | it is tidied up after a call to EVP_DigestFinal(). New function | |
363 | EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function | |
364 | EVP_MD_CTX_copy() changed to not require the destination to be | |
365 | initialized valid and new function EVP_MD_CTX_copy_ex() added which | |
366 | requires the destination to be valid. | |
367 | ||
368 | Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), | |
369 | EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). | |
20d2186c DSH |
370 | [Steve Henson] |
371 | ||
85fb12d5 | 372 | *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it |
48948d53 BM |
373 | so that complete 'Handshake' protocol structures are kept in memory |
374 | instead of overwriting 'msg_type' and 'length' with 'body' data. | |
375 | [Bodo Moeller] | |
376 | ||
85fb12d5 | 377 | *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32. |
285046ec RL |
378 | [Massimo Santin via Richard Levitte] |
379 | ||
85fb12d5 | 380 | *) Major restructuring to the underlying ENGINE code. This includes |
07cee702 GT |
381 | reduction of linker bloat, separation of pure "ENGINE" manipulation |
382 | (initialisation, etc) from functionality dealing with implementations | |
383 | of specific crypto iterfaces. This change also introduces integrated | |
384 | support for symmetric ciphers and digest implementations - so ENGINEs | |
385 | can now accelerate these by providing EVP_CIPHER and EVP_MD | |
386 | implementations of their own. This is detailed in crypto/engine/README | |
387 | as it couldn't be adequately described here. However, there are a few | |
388 | API changes worth noting - some RSA, DSA, DH, and RAND functions that | |
389 | were changed in the original introduction of ENGINE code have now | |
390 | reverted back - the hooking from this code to ENGINE is now a good | |
391 | deal more passive and at run-time, operations deal directly with | |
392 | RSA_METHODs, DSA_METHODs (etc) as they did before, rather than | |
393 | dereferencing through an ENGINE pointer any more. Also, the ENGINE | |
394 | functions dealing with BN_MOD_EXP[_CRT] handlers have been removed - | |
395 | they were not being used by the framework as there is no concept of a | |
396 | BIGNUM_METHOD and they could not be generalised to the new | |
397 | 'ENGINE_TABLE' mechanism that underlies the new code. Similarly, | |
398 | ENGINE_cpy() has been removed as it cannot be consistently defined in | |
399 | the new code. | |
400 | [Geoff Thorpe] | |
401 | ||
85fb12d5 | 402 | *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds. |
d46c1a81 DSH |
403 | [Steve Henson] |
404 | ||
85fb12d5 | 405 | *) Change mkdef.pl to sort symbols that get the same entry number, |
89eeccac RL |
406 | and make sure the automatically generated functions ERR_load_* |
407 | become part of libeay.num as well. | |
408 | [Richard Levitte] | |
409 | ||
85fb12d5 | 410 | *) New function SSL_renegotiate_pending(). This returns true once |
6b0e9fac BM |
411 | renegotiation has been requested (either SSL_renegotiate() call |
412 | or HelloRequest/ClientHello receveived from the peer) and becomes | |
413 | false once a handshake has been completed. | |
414 | (For servers, SSL_renegotiate() followed by SSL_do_handshake() | |
415 | sends a HelloRequest, but does not ensure that a handshake takes | |
416 | place. SSL_renegotiate_pending() is useful for checking if the | |
417 | client has followed the request.) | |
418 | [Bodo Moeller] | |
419 | ||
85fb12d5 | 420 | *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. |
6b0e9fac BM |
421 | By default, clients may request session resumption even during |
422 | renegotiation (if session ID contexts permit); with this option, | |
423 | session resumption is possible only in the first handshake. | |
c21506ba BM |
424 | |
425 | SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes | |
426 | more bits available for options that should not be part of | |
427 | SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). | |
6b0e9fac BM |
428 | [Bodo Moeller] |
429 | ||
85fb12d5 | 430 | *) Add some demos for certificate and certificate request creation. |
96bd6f73 DSH |
431 | [Steve Henson] |
432 | ||
85fb12d5 | 433 | *) Make maximum certificate chain size accepted from the peer application |
c0f5dd07 LJ |
434 | settable (SSL*_get/set_max_cert_list()), as proposed by |
435 | "Douglas E. Engert" <deengert@anl.gov>. | |
436 | [Lutz Jaenicke] | |
437 | ||
85fb12d5 | 438 | *) Add support for shared libraries for Unixware-7 |
b26ca340 | 439 | (Boyd Lynn Gerber <gerberb@zenez.com>). |
6c36f7a9 LJ |
440 | [Lutz Jaenicke] |
441 | ||
85fb12d5 | 442 | *) Add a "destroy" handler to ENGINEs that allows structural cleanup to |
908efd3b GT |
443 | be done prior to destruction. Use this to unload error strings from |
444 | ENGINEs that load their own error strings. NB: This adds two new API | |
445 | functions to "get" and "set" this destroy handler in an ENGINE. | |
a9ed4da8 | 446 | [Geoff Thorpe] |
908efd3b | 447 | |
85fb12d5 | 448 | *) Alter all existing ENGINE implementations (except "openssl" and |
541814c4 GT |
449 | "openbsd") to dynamically instantiate their own error strings. This |
450 | makes them more flexible to be built both as statically-linked ENGINEs | |
451 | and self-contained shared-libraries loadable via the "dynamic" ENGINE. | |
452 | Also, add stub code to each that makes building them as self-contained | |
453 | shared-libraries easier (see README.ENGINE). | |
454 | [Geoff Thorpe] | |
455 | ||
85fb12d5 | 456 | *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE |
541814c4 GT |
457 | implementations into applications that are completely implemented in |
458 | self-contained shared-libraries. The "dynamic" ENGINE exposes control | |
459 | commands that can be used to configure what shared-library to load and | |
460 | to control aspects of the way it is handled. Also, made an update to | |
461 | the README.ENGINE file that brings its information up-to-date and | |
462 | provides some information and instructions on the "dynamic" ENGINE | |
463 | (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc). | |
464 | [Geoff Thorpe] | |
465 | ||
85fb12d5 | 466 | *) Make it possible to unload ranges of ERR strings with a new |
5b166395 GT |
467 | "ERR_unload_strings" function. |
468 | [Geoff Thorpe] | |
469 | ||
85fb12d5 | 470 | *) Add a copy() function to EVP_MD. |
26188931 BL |
471 | [Ben Laurie] |
472 | ||
85fb12d5 | 473 | *) Make EVP_MD routines take a context pointer instead of just the |
e3fefbfd | 474 | md_data void pointer. |
26188931 BL |
475 | [Ben Laurie] |
476 | ||
85fb12d5 | 477 | *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates |
26188931 BL |
478 | that the digest can only process a single chunk of data |
479 | (typically because it is provided by a piece of | |
480 | hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application | |
481 | is only going to provide a single chunk of data, and hence the | |
482 | framework needn't accumulate the data for oneshot drivers. | |
483 | [Ben Laurie] | |
484 | ||
85fb12d5 | 485 | *) As with "ERR", make it possible to replace the underlying "ex_data" |
36026dfc GT |
486 | functions. This change also alters the storage and management of global |
487 | ex_data state - it's now all inside ex_data.c and all "class" code (eg. | |
488 | RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class | |
489 | index counters. The API functions that use this state have been changed | |
490 | to take a "class_index" rather than pointers to the class's local STACK | |
491 | and counter, and there is now an API function to dynamically create new | |
492 | classes. This centralisation allows us to (a) plug a lot of the | |
493 | thread-safety problems that existed, and (b) makes it possible to clean | |
494 | up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b) | |
495 | such data would previously have always leaked in application code and | |
496 | workarounds were in place to make the memory debugging turn a blind eye | |
497 | to it. Application code that doesn't use this new function will still | |
498 | leak as before, but their memory debugging output will announce it now | |
499 | rather than letting it slide. | |
6ee2a136 BM |
500 | |
501 | Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change | |
502 | induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now | |
503 | has a return value to indicate success or failure. | |
36026dfc GT |
504 | [Geoff Thorpe] |
505 | ||
85fb12d5 | 506 | *) Make it possible to replace the underlying "ERR" functions such that the |
0783bf15 GT |
507 | global state (2 LHASH tables and 2 locks) is only used by the "default" |
508 | implementation. This change also adds two functions to "get" and "set" | |
509 | the implementation prior to it being automatically set the first time | |
510 | any other ERR function takes place. Ie. an application can call "get", | |
511 | pass the return value to a module it has just loaded, and that module | |
512 | can call its own "set" function using that value. This means the | |
513 | module's "ERR" operations will use (and modify) the error state in the | |
514 | application and not in its own statically linked copy of OpenSSL code. | |
515 | [Geoff Thorpe] | |
516 | ||
85fb12d5 | 517 | *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment |
eb6dc02b GT |
518 | reference counts. This performs normal REF_PRINT/REF_CHECK macros on |
519 | the operation, and provides a more encapsulated way for external code | |
520 | (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code | |
521 | to use these functions rather than manually incrementing the counts. | |
3cad81f6 BM |
522 | |
523 | Also rename "DSO_up()" function to more descriptive "DSO_up_ref()". | |
eb6dc02b GT |
524 | [Geoff Thorpe] |
525 | ||
85fb12d5 | 526 | *) Add EVP test program. |
0e360199 BL |
527 | [Ben Laurie] |
528 | ||
85fb12d5 | 529 | *) Add symmetric cipher support to ENGINE. Expect the API to change! |
354c3ace BL |
530 | [Ben Laurie] |
531 | ||
85fb12d5 | 532 | *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() |
35bf3541 DSH |
533 | X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), |
534 | X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). | |
535 | These allow a CRL to be built without having to access X509_CRL fields | |
536 | directly. Modify 'ca' application to use new functions. | |
537 | [Steve Henson] | |
538 | ||
85fb12d5 | 539 | *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended |
06da6e49 | 540 | bug workarounds. Rollback attack detection is a security feature. |
6383bbe5 | 541 | The problem will only arise on OpenSSL servers when TLSv1 is not |
06da6e49 LJ |
542 | available (sslv3_server_method() or SSL_OP_NO_TLSv1). |
543 | Software authors not wanting to support TLSv1 will have special reasons | |
544 | for their choice and can explicitly enable this option. | |
545 | [Bodo Moeller, Lutz Jaenicke] | |
546 | ||
85fb12d5 | 547 | *) Rationalise EVP so it can be extended: don't include a union of |
dbad1690 BL |
548 | cipher/digest structures, add init/cleanup functions. This also reduces |
549 | the number of header dependencies. | |
4f4b1924 BM |
550 | Usage example: |
551 | ||
552 | EVP_MD_CTX md; | |
553 | ||
554 | EVP_MD_CTX_init(&md); /* new function call */ | |
555 | EVP_DigestInit(&md, EVP_sha1()); | |
556 | EVP_DigestUpdate(&md, in, len); | |
557 | EVP_DigestFinal(&md, out, NULL); | |
558 | EVP_MD_CTX_cleanup(&md); /* new function call */ | |
559 | ||
dbad1690 BL |
560 | [Ben Laurie] |
561 | ||
85fb12d5 | 562 | *) Make DES key schedule conform to the usual scheme, as well as |
8408f4fb BL |
563 | correcting its structure. This means that calls to DES functions |
564 | now have to pass a pointer to a des_key_schedule instead of a | |
565 | plain des_key_schedule (which was actually always a pointer | |
4f4b1924 BM |
566 | anyway): E.g., |
567 | ||
568 | des_key_schedule ks; | |
569 | ||
570 | des_set_key_checked(..., &ks); | |
571 | des_ncbc_encrypt(..., &ks, ...); | |
572 | ||
573 | (Note that a later change renames 'des_...' into 'DES_...'.) | |
dbad1690 BL |
574 | [Ben Laurie] |
575 | ||
85fb12d5 | 576 | *) Initial reduction of linker bloat: the use of some functions, such as |
19da1300 DSH |
577 | PEM causes large amounts of unused functions to be linked in due to |
578 | poor organisation. For example pem_all.c contains every PEM function | |
579 | which has a knock on effect of linking in large amounts of (unused) | |
580 | ASN1 code. Grouping together similar functions and splitting unrelated | |
581 | functions prevents this. | |
582 | [Steve Henson] | |
583 | ||
85fb12d5 | 584 | *) Cleanup of EVP macros. |
381a146d | 585 | [Ben Laurie] |
6aecef81 | 586 | |
85fb12d5 | 587 | *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the |
381a146d LJ |
588 | correct _ecb suffix. |
589 | [Ben Laurie] | |
c518ade1 | 590 | |
  *) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     used by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script) or using an internal minimal server.
     [Steve Henson]

  *) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  *) Changes to Kerberos SSL for RFC 2712 compliance:
     1. Implemented real KerberosWrapper, instead of just using
        KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2. Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

  *) Speed up EVP routines.
     Before:
     encrypt
     type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
     des-cbc          4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
     des-cbc          4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
     des-cbc          4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
     decrypt
     des-cbc          3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
     des-cbc          3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
     des-cbc          3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
     After:
     encrypt
     des-cbc          4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
     decrypt
     des-cbc          3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]

  *) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

  *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular with respect to extensions) without having to
     duplicate the code. New function X509V3_add_ext_nconf_sk to add
     extensions to a stack.
     [Steve Henson]

  *) Enhance the general user interface with mechanisms for inner control
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  *) Change all calls to low level digest routines in the library and
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  *) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer. NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
     Adapt the nCipher code for these new conditions and add a card insertion
     callback.
     [Richard Levitte]

  *) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
     and interrupts/cancellations.
     [Richard Levitte]

  *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

  *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
     tidy up some unnecessarily weird code in 'sk_new()').
     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

  *) Change the key loading routines for ENGINEs to use the same kind of
     callback (pem_password_cb) as all other routines that need this
     kind of callback.
     [Richard Levitte]

  *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
     256 bit (=32 byte) keys. Of course seeding with more entropy bytes
     than this minimum value is recommended.
     [Lutz Jaenicke]

  *) New random seeder for OpenVMS, using the system process statistics
     that are easily reachable.
     [Richard Levitte]

  *) Windows apparently can't transparently handle global
     variables defined in DLLs. Initialisations such as:

        const ASN1_ITEM *it = &ASN1_INTEGER_it;

     won't compile. This is used by any applications that need to
     declare their own ASN1 modules. This was fixed by adding the option
     EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
     needed for static libraries under Win32.
     [Steve Henson]

  *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
     setting of purpose and trust fields. New X509_STORE trust and
     purpose functions and tidy up setting in other SSL functions.
     [Steve Henson]

  *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
     structure. These are inherited by X509_STORE_CTX when it is
     initialised. This allows various defaults to be set in the
     X509_STORE structure (such as flags for CRL checking and custom
     purpose or trust settings) for functions which only use X509_STORE_CTX
     internally such as S/MIME.

     Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
     trust settings if they are not set in X509_STORE. This allows X509_STORE
     purposes and trust (in S/MIME for example) to override any set by default.

     Add command line options for CRL checking to smime, s_client and s_server
     applications.
     [Steve Henson]

  *) Initial CRL based revocation checking. If the CRL checking flag(s)
     are set then the CRL is looked up in the X509_STORE structure and
     its validity and signature checked, then if the certificate is found
     in the CRL the verify fails with a revoked error.

     Various new CRL related callbacks added to X509_STORE_CTX structure.

     Command line options added to 'verify' application to support this.

     This needs some additional work, such as being able to handle multiple
     CRLs with different times, extension based lookup (rather than just
     by subject name) and ultimately more complete V2 CRL extension
     handling.
     [Steve Henson]

  *) Add a general user interface API (crypto/ui/). This is designed
     to replace things like des_read_password and friends (backward
     compatibility functions using this new API are provided).
     The purpose is to remove prompting functions from the DES code
     section as well as provide for prompting through dialog boxes in
     a window system and the like.
     [Richard Levitte]

  *) Add "ex_data" support to ENGINE so implementations can add state at a
     per-structure level rather than having to store it globally.
     [Geoff]

  *) Make it possible for ENGINE structures to be copied when retrieved by
     ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
     This causes the "original" ENGINE structure to act like a template,
     analogous to the RSA vs. RSA_METHOD type of separation. Because of this,
     operational state can be localised to each ENGINE structure, despite the
     fact they all share the same "methods". New ENGINE structures returned in
     this case have no functional references and the return value is the single
     structural reference. This matches the single structural reference returned
     by ENGINE_by_id() normally, when it is incremented on the pre-existing
     ENGINE structure.
     [Geoff]

  *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
     needs to match any other type at all we need to manually clear the
     tag cache.
     [Steve Henson]

  *) Changes to the "openssl engine" utility to include:
     - verbosity levels ('-v', '-vv', and '-vvv') that provide information
       about an ENGINE's available control commands.
     - executing control commands from command line arguments using the
       '-pre' and '-post' switches. '-post' is only used if '-t' is
       specified and the ENGINE is successfully initialised. The syntax for
       the individual commands is colon-separated, for example:
         openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
     [Geoff]

  *) New dynamic control command support for ENGINEs. ENGINEs can now
     declare their own commands (numbers), names (strings), descriptions,
     and input types for run-time discovery by calling applications. A
     subset of these commands are implicitly classed as "executable"
     depending on their input type, and only these can be invoked through
     the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
     can be based on user input, config files, etc). The distinction is
     that "executable" commands cannot return anything other than a boolean
     result and can only support numeric or string input, whereas some
     discoverable commands may only be for direct use through
     ENGINE_ctrl(), eg. supporting the exchange of binary data, function
     pointers, or other custom uses. The "executable" commands are to
     support parameterisations of ENGINE behaviour that can be
     unambiguously defined by ENGINEs and used consistently across any
     OpenSSL-based application. Commands have been added to all the
     existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
     control over shared-library paths without source code alterations.
     [Geoff]

  *) Changed all ENGINE implementations to dynamically allocate their
     ENGINEs rather than declaring them statically. Apart from this being
     necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
     this also allows the implementations to compile without using the
     internal engine_int.h header.
     [Geoff]

  *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
     'const' value. Any code that should be able to modify a RAND_METHOD
     should already have non-const pointers to it (ie. they should only
     modify their own ones).
     [Geoff]

  *) Made a variety of little tweaks to the ENGINE code.
     - "atalla" and "ubsec" string definitions were moved from header files
       to C code. "nuron" string definitions were placed in variables
       rather than hard-coded - allowing parameterisation of these values
       later on via ctrl() commands.
     - Removed unused "#if 0"'d code.
     - Fixed engine list iteration code so it uses ENGINE_free() to release
       structural references.
     - Constified the RAND_METHOD element of ENGINE structures.
     - Constified various get/set functions as appropriate and added
       missing functions (including a catch-all ENGINE_cpy that duplicates
       all ENGINE values onto a new ENGINE except reference counts/state).
     - Removed NULL parameter checks in get/set functions. Setting a method
       or function to NULL is a way of cancelling out a previously set
       value. Passing a NULL ENGINE parameter is just plain stupid anyway
       and doesn't justify the extra error symbols and code.
     - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
       flags from engine_int.h to engine.h.
     - Changed prototypes for ENGINE handler functions (init(), finish(),
       ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
     [Geoff]

  *) Implement binary inversion algorithm for BN_mod_inverse in addition
     to the algorithm using long division. The binary algorithm can be
     used only if the modulus is odd. On 32-bit systems, it is faster
     only for relatively small moduli (roughly 20-30% for 128-bit moduli,
     roughly 5-15% for 256-bit moduli), so we use it only for moduli
     up to 450 bits. In 64-bit environments, the binary algorithm
     appears to be advantageous for much longer moduli; here we use it
     for moduli up to 2048 bits.
     [Bodo Moeller]

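The two inversion strategies named in the entry above, as an added example that is not OpenSSL's BN code: a binary inversion routine, which needs an odd modulus and uses only shifts and subtractions, beside the long-division (extended Euclid) routine, on 64-bit words rather than BIGNUMs. The bit-length threshold OpenSSL uses to pick between them is not reproduced; the function names and the cross-check helper are my own.

```c
#include <stdint.h>

/* x/2 mod m for odd m. If x is odd, x + m is even and (x + m)/2 is computed
 * as x/2 + m/2 + 1 so the addition cannot overflow. */
static uint64_t half_mod(uint64_t x, uint64_t m)
{
    return (x & 1) ? (x >> 1) + (m >> 1) + 1 : x >> 1;
}

/* (a - b) mod m for 0 <= a, b < m */
static uint64_t sub_mod(uint64_t a, uint64_t b, uint64_t m)
{
    return a >= b ? a - b : m - (b - a);
}

/* Binary inversion. Invariants: x1*a == u (mod m) and x2*a == v (mod m),
 * so when u or v reaches 1 the matching x is the inverse. Requires an odd
 * modulus; returns 0 when m is even or gcd(a, m) > 1. */
int mod_inverse_binary(uint64_t a, uint64_t m, uint64_t *out)
{
    if (m < 3 || (m & 1) == 0)
        return 0;
    a %= m;
    if (a == 0)
        return 0;
    uint64_t u = a, v = m, x1 = 1, x2 = 0;
    while (u != 1 && v != 1) {
        while ((u & 1) == 0) { u >>= 1; x1 = half_mod(x1, m); }
        while ((v & 1) == 0) { v >>= 1; x2 = half_mod(x2, m); }
        if (u >= v) { u -= v; x1 = sub_mod(x1, x2, m); }
        else        { v -= u; x2 = sub_mod(x2, x1, m); }
        if (u == 0 || v == 0)      /* common factor found: no inverse */
            return 0;
    }
    *out = (u == 1) ? x1 : x2;
    return 1;
}

/* Extended Euclid using long division; any modulus below 2^63 works.
 * Returns 0 when gcd(a, m) > 1. */
int mod_inverse_euclid(uint64_t a, uint64_t m, uint64_t *out)
{
    if (m < 2)
        return 0;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    int64_t t = 0, newt = 1;
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr;         r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)m;
    *out = (uint64_t)t;
    return 1;
}

/* Cross-check both routines for a = 1..limit against an odd m < 2^32: they
 * must agree on whether an inverse exists and on its value, and the value
 * must satisfy a*inv == 1 (mod m). Returns 1 if every case passes. */
int inverses_agree(uint64_t m, uint64_t limit)
{
    for (uint64_t a = 1; a <= limit; a++) {
        uint64_t b = 0, e = 0;
        int rb = mod_inverse_binary(a, m, &b);
        int re = mod_inverse_euclid(a, m, &e);
        if (rb != re)
            return 0;
        if (rb && (b != e || (a * b) % m != 1))
            return 0;
    }
    return 1;
}
```

The zero check after each subtraction is what keeps the binary routine from spinning forever on an even zero when the inputs share a factor; the Euclid routine detects the same case from its final remainder.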
  *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
     could not support the combine flag in choice fields.
     [Steve Henson]

  *) Add a 'copy_extensions' option to the 'ca' utility. This copies
     extensions from a certificate request to the certificate.
     [Steve Henson]

  *) Allow multiple 'certopt' and 'nameopt' options to be separated
     by commas. Add 'nameopt' and 'certopt' options to the 'ca' config
     file: this allows the display of the certificate about to be
     signed to be customised, to allow certain fields to be included
     or excluded and extension details. The old system didn't display
     multicharacter strings properly, omitted fields not in the policy
     and couldn't display additional details such as extensions.
     [Steve Henson]

  *) Function EC_POINTs_mul for multiple scalar multiplication
     of an arbitrary number of elliptic curve points
          \sum scalars[i]*points[i],
     optionally including the generator defined for the EC_GROUP:
          scalar*generator + \sum scalars[i]*points[i].

     EC_POINT_mul is a simple wrapper function for the typical case
     that the point list has just one item (besides the optional
     generator).
     [Bodo Moeller]

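What the multi-scalar sum above computes, as an added example that is not OpenSSL's EC code: affine point addition and doubling over a small prime field, scalar multiplication by double-and-add, and the sum scalar*generator + \sum scalars[i]*points[i] formed the plain way, one multiplication per point. The curve y^2 = x^3 + 2x + 2 over GF(17) with generator (5,1) of order 19 is a textbook toy curve chosen so results can be checked by hand; the names points_mul, point_mul and the point struct are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy curve y^2 = x^3 + CURVE_A*x + CURVE_B over GF(CURVE_P): constructed for
 * illustration only, a 17-element field has no cryptographic strength. */
#define CURVE_P 17
#define CURVE_A 2
#define CURVE_B 2

typedef struct { int64_t x, y; int inf; } point;   /* inf != 0: point at infinity */

static const point GEN = { 5, 1, 0 };              /* generator; its order is 19 */
static const point INFINITY_PT = { 0, 0, 1 };

static int64_t md(int64_t v)                       /* reduce into [0, p) */
{
    v %= CURVE_P;
    return v < 0 ? v + CURVE_P : v;
}

static int64_t inv_mod(int64_t v)                  /* v^(p-2) mod p, p prime */
{
    int64_t r = 1, b = md(v), e = CURVE_P - 2;
    while (e) {
        if (e & 1) r = md(r * b);
        b = md(b * b);
        e >>= 1;
    }
    return r;
}

int on_curve(point q)
{
    if (q.inf) return 1;
    return md(q.y * q.y) == md(q.x * q.x * q.x + CURVE_A * q.x + CURVE_B);
}

int point_eq(point a, point b)
{
    if (a.inf || b.inf) return a.inf && b.inf;
    return a.x == b.x && a.y == b.y;
}

point point_add(point p, point q)
{
    if (p.inf) return q;
    if (q.inf) return p;
    int64_t lambda;
    if (p.x == q.x) {
        if (md(p.y + q.y) == 0) return INFINITY_PT;                 /* q == -p */
        lambda = md((3 * p.x * p.x + CURVE_A) * inv_mod(2 * p.y));  /* doubling */
    } else {
        lambda = md((q.y - p.y) * inv_mod(q.x - p.x));
    }
    point r = { 0, 0, 0 };
    r.x = md(lambda * lambda - p.x - q.x);
    r.y = md(lambda * (p.x - r.x) - p.y);
    return r;
}

/* k*p by left-to-right double-and-add; k must be non-negative. */
point point_mul(int64_t k, point p)
{
    point r = INFINITY_PT;
    for (int i = 62; i >= 0; i--) {
        r = point_add(r, r);
        if ((k >> i) & 1) r = point_add(r, p);
    }
    return r;
}

/* The multi-scalar sum: g_scalar*GEN + sum scalars[i]*points[i].
 * g_scalar == NULL leaves the generator term out, as EC_POINTs_mul does
 * when no generator scalar is supplied. */
point points_mul(const int64_t *g_scalar, size_t n,
                 const int64_t *scalars, const point *points)
{
    point acc = g_scalar ? point_mul(*g_scalar, GEN) : INFINITY_PT;
    for (size_t i = 0; i < n; i++)
        acc = point_add(acc, point_mul(scalars[i], points[i]));
    return acc;
}
```

Because the generator has order 19, any combination whose scalars sum to a multiple of 19 must come out as the point at infinity, which makes a convenient self-check for a multi-scalar routine.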
  *) First EC_METHODs for curves over GF(p):

     EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
     operations and provides various method functions that can also
     operate with faster implementations of modular arithmetic.

     EC_GFp_mont_method() reuses most functions that are part of
     EC_GFp_simple_method, but uses Montgomery arithmetic.

     [Bodo Moeller; point addition and point doubling
     implementation directly derived from source code provided by
     Lenka Fibikova <fibikova@exp-math.uni-essen.de>]

  *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
     crypto/ec/ec_lib.c):

     Curves are EC_GROUP objects (with an optional group generator)
     based on EC_METHODs that are built into the library.

     Points are EC_POINT objects based on EC_GROUP objects.

     Most of the framework would be able to handle curves over arbitrary
     finite fields, but as there are no obvious types for fields other
     than GF(p), some functions are limited to that for now.
     [Bodo Moeller]

  *) Add the -HTTP option to s_server. It is similar to -WWW, but requires
     that the file contains a complete HTTP response.
     [Richard Levitte]

  *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
     change the def and num file printf format specifier from "%-40sXXX"
     to "%-39s XXX". The latter will always guarantee a space after the
     field while the former will cause them to run together if the field
     is 40 or more characters long.
     [Steve Henson]

  *) Constify the cipher and digest 'method' functions and structures
     and modify related functions to take constant EVP_MD and EVP_CIPHER
     pointers.
     [Steve Henson]

  *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
     in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.
     [Bodo Moeller]

  *) Modify EVP_Digest*() routines so they now return values. Although the
     internal software routines can never fail, additional hardware versions
     might.
     [Steve Henson]

  *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:

     Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
     (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

     ASN1 error codes
          ERR_R_NESTED_ASN1_ERROR
          ...
          ERR_R_MISSING_ASN1_EOS
     were 4 .. 9, conflicting with
          ERR_LIB_RSA (= ERR_R_RSA_LIB)
          ...
          ERR_LIB_PEM (= ERR_R_PEM_LIB).
     They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

     Add new error code 'ERR_R_INTERNAL_ERROR'.
     [Bodo Moeller]

  *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
     suffices.
     [Bodo Moeller]

  *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
     sets the subject name for a new request or supersedes the
     subject name in a given request. Formats that can be parsed are
          'CN=Some Name, OU=myOU, C=IT'
     and
          'CN=Some Name/OU=myOU/C=IT'.

     Add options '-batch' and '-verbose' to 'openssl req'.
     [Massimiliano Pala <madwolf@hackmasters.net>]

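An added parser for the two '-subj' formats listed above; this is not the code in apps/req.c or apps/ca.c. It detects which separator the string uses, splits it into type=value components with surrounding whitespace removed, and rejects malformed input instead of guessing. The names parse_subject and rdn_t, the field size limits, and the tolerance for a leading slash (the form later OpenSSL releases use) are my own choices.

```c
#include <string.h>
#include <ctype.h>

typedef struct {
    char type[16];     /* attribute type, e.g. "CN" */
    char value[64];    /* attribute value, e.g. "Some Name" */
} rdn_t;

/* Copy [b, e) into dst with surrounding whitespace removed; reject empty or
 * oversized fields. Returns 1 on success. */
static int copy_trimmed(char *dst, size_t cap, const char *b, const char *e)
{
    while (b < e && isspace((unsigned char)*b)) b++;
    while (e > b && isspace((unsigned char)e[-1])) e--;
    size_t n = (size_t)(e - b);
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, b, n);
    dst[n] = '\0';
    return 1;
}

/* Parse "CN=Some Name, OU=myOU, C=IT" or "CN=Some Name/OU=myOU/C=IT" into
 * out[0..max). A '/' anywhere selects the slash format, otherwise commas
 * separate the components. Returns the number of components, or -1 if the
 * string is empty, a component lacks '=', a field is empty, or max would be
 * exceeded. Neither format offers an escape for a literal separator. */
int parse_subject(const char *s, rdn_t *out, int max)
{
    char sep = strchr(s, '/') ? '/' : ',';
    int count = 0;
    if (*s == '/') s++;    /* leading slash as in later releases' "/CN=..." */
    while (*s) {
        const char *end = strchr(s, sep);
        if (!end) end = s + strlen(s);
        const char *eq = memchr(s, '=', (size_t)(end - s));
        if (!eq || count >= max) return -1;
        if (!copy_trimmed(out[count].type, sizeof out[count].type, s, eq)) return -1;
        if (!copy_trimmed(out[count].value, sizeof out[count].value, eq + 1, end)) return -1;
        count++;
        s = *end ? end + 1 : end;
    }
    return count > 0 ? count : -1;
}
```

Rejecting rather than skipping a component without '=' matters for a signing tool: a subject silently shortened by a parse error ends up in a certificate that is hard to revoke cleanly.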
  *) Introduce the possibility to access global variables through
     functions on platforms where that's the best way to handle exporting
     global variables in shared libraries. To enable this functionality,
     one must configure with "EXPORT_VAR_AS_FN" or define the C macro
     "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
     is normally done by Configure or something similar).

     To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
     in the source file (foo.c) like this:

        OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
        OPENSSL_IMPLEMENT_GLOBAL(double,bar);

     To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
     and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

        OPENSSL_DECLARE_GLOBAL(int,foo);
        #define foo OPENSSL_GLOBAL_REF(foo)
        OPENSSL_DECLARE_GLOBAL(double,bar);
        #define bar OPENSSL_GLOBAL_REF(bar)

     The #defines are very important, and therefore so is including the
     header file everywhere where the defined globals are used.

     The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
     of ASN.1 items, but that structure is a bit different.

     The largest change is in util/mkdef.pl which has been enhanced with
     better and easier to understand logic to choose which symbols should
     go into the Windows .def files as well as a number of fixes and code
     cleanup (among others, algorithm keywords are now sorted
     lexicographically to avoid constant rewrites).
     [Richard Levitte]

  *) In BN_div() keep a copy of the sign of 'num' before writing the
     result to 'rm' because if rm==num the value will be overwritten
     and produce the wrong result if 'num' is negative: this caused
     problems with BN_mod() and BN_nnmod().
     [Steve Henson]

  *) Function OCSP_request_verify(). This checks the signature on an
     OCSP request and verifies the signer certificate. The signer
     certificate is just checked for a generic purpose and OCSP request
     trust settings.
     [Steve Henson]

  *) Add OCSP_check_validity() function to check the validity of OCSP
     responses. OCSP responses are prepared in real time and may only
     be a few seconds old. Simply checking that the current time lies
     between thisUpdate and nextUpdate may reject otherwise valid responses
     caused by either OCSP responder or client clock inaccuracy. Instead
     we allow thisUpdate and nextUpdate to fall within a certain period of
     the current time. The age of the response can also optionally be
     checked. Two new options -validity_period and -status_age added to
     ocsp utility.
     [Steve Henson]

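The validity check reasoned through above, as an added example that is not OCSP_check_validity() itself: thisUpdate and nextUpdate are compared against the client's clock with a skew allowance (nsec, the idea behind -validity_period) and an optional maximum age (maxsec, the idea behind -status_age), and each failure gets its own code so a caller can log why a response was rejected rather than just that it was. Function name, result codes and the use of plain time_t values instead of ASN1_GENERALIZEDTIME are my own.

```c
#include <time.h>

typedef enum {
    OCSP_VALID = 0,
    OCSP_THISUPDATE_IN_FUTURE,    /* thisUpdate later than now + nsec */
    OCSP_RESPONSE_TOO_OLD,        /* thisUpdate earlier than now - maxsec */
    OCSP_NEXTUPDATE_BEFORE_THIS,  /* nextUpdate precedes thisUpdate: malformed */
    OCSP_NEXTUPDATE_EXPIRED       /* nextUpdate earlier than now - nsec */
} ocsp_validity_t;

/* now:      the client's current time
 * thisupd:  thisUpdate from the single response
 * nextupd:  nextUpdate, or (time_t)-1 if the responder omitted it
 * nsec:     tolerated clock skew in seconds between responder and client
 * maxsec:   maximum accepted age of thisUpdate in seconds, or -1 to skip */
ocsp_validity_t check_validity(time_t now, time_t thisupd, time_t nextupd,
                               long nsec, long maxsec)
{
    /* A response produced "in the future" by more than the skew allowance
     * is not trusted: either a clock is badly off or the data is bogus. */
    if (thisupd > now + nsec)
        return OCSP_THISUPDATE_IN_FUTURE;
    /* Optional freshness bound: reject stale status even if still "valid". */
    if (maxsec >= 0 && thisupd < now - maxsec)
        return OCSP_RESPONSE_TOO_OLD;
    if (nextupd != (time_t)-1) {
        if (nextupd < thisupd)
            return OCSP_NEXTUPDATE_BEFORE_THIS;
        /* Expiry is judged with the same skew, so a response that ran out
         * a few seconds ago by the responder's clock is not rejected. */
        if (nextupd < now - nsec)
            return OCSP_NEXTUPDATE_EXPIRED;
    }
    return OCSP_VALID;
}
```

A missing nextUpdate is legal in OCSP and simply means the responder gives no expiry; the age bound is then the only thing that stops a client from accepting an arbitrarily old "good" answer, which is why the check is worth turning on for high-value certificates.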
  *) If signature or public key algorithm is unrecognized print out its
     OID rather than just UNKNOWN.
     [Steve Henson]

  *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
     OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
     ID to be generated from the issuer certificate alone which can then be
     passed to OCSP_id_issuer_cmp().
     [Steve Henson]

  *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
     ASN1 modules to export functions returning ASN1_ITEM pointers
     instead of the ASN1_ITEM structures themselves. This adds several
     new macros which allow the underlying ASN1 function/structure to
     be accessed transparently. As a result code should not use ASN1_ITEM
     references directly (such as &X509_it) but instead use the relevant
     macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
     use of the new ASN1 code on platforms where exporting structures
     is problematical (for example in shared libraries) but exporting
     functions returning pointers to structures is not.
     [Steve Henson]

  *) Add support for overriding the generation of SSL/TLS session IDs.
     These callbacks can be registered either in an SSL_CTX or per SSL.
     The purpose of this is to allow applications to control, if they wish,
     the arbitrary values chosen for use as session IDs, particularly as it
     can be useful for session caching in multiple-server environments. A
     command-line switch for testing this (and any client code that wishes
     to use such a feature) has been added to "s_server".
     [Geoff Thorpe, Lutz Jaenicke]

  *) Modify mkdef.pl to recognise and parse preprocessor conditionals
     of the form '#if defined(...) || defined(...) || ...' and
     '#if !defined(...) && !defined(...) && ...'. This also avoids
     the growing number of special cases it was previously handling.
     [Richard Levitte]

  *) Make all configuration macros available to applications by making
     sure they are available in opensslconf.h, by giving them names starting
     with "OPENSSL_" to avoid conflicts with other packages and by making
     sure e_os2.h will cover all platform-specific cases together with
     opensslconf.h.
     Additionally, it is now possible to define configuration/platform-specific
     names (called "system identities"). In the C code, these
     are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another
     macro with the name beginning with "OPENSSL_SYS_", which is determined
     from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
     what is available.
     [Richard Levitte]

  *) New option -set_serial to 'req' and 'x509': this allows the serial
     number to use to be specified on the command line. Previously self
     signed certificates were hard coded with serial number 0 and the
     CA options of 'x509' had to use a serial number in a file which was
     auto incremented.
     [Steve Henson]

  *) New options to 'ca' utility to support V2 CRL entry extensions.
     Currently CRL reason, invalidity date and hold instruction are
     supported. Add new CRL extensions to V3 code and some new objects.
     [Steve Henson]

  *) New function EVP_CIPHER_CTX_set_padding(): this is used to
     disable standard block padding (aka PKCS#5 padding) in the EVP
     API, which was previously mandatory. This means that the data is
     not padded in any way and so the total length must be a multiple
     of the block size, otherwise an error occurs.
     [Steve Henson]

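An added example, not EVP code, of the padding that EVP_CIPHER_CTX_set_padding() switches off: PKCS#5-style block padding added and validated for a 16-byte block, beside the whole-block length check that applies once padding is disabled. The validation inspects every candidate padding byte and accumulates the verdict in a mask rather than returning at the first bad byte, so invalid padding costs the same time as valid padding; padding checks that fail fast have been used as a decryption side channel. Function names and the block size are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK_SIZE 16   /* AES block; DES would use 8 */

/* Append PKCS#5/#7 padding: n bytes of value n, 1 <= n <= BLOCK_SIZE, so the
 * padded length is always a whole number of blocks and never zero.
 * Returns the padded length, or 0 if out cannot hold the result. */
size_t pad_add(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t n = BLOCK_SIZE - (len % BLOCK_SIZE);
    if (cap < len + n) return 0;
    memcpy(out, in, len);
    memset(out + len, (int)n, n);
    return len + n;
}

/* Validate padding and return the payload length, or -1 if it is malformed.
 * All BLOCK_SIZE trailing bytes are examined and the verdict is OR-ed into
 * a mask, so the running time does not reveal where a mismatch occurred. */
long pad_strip(const uint8_t *in, size_t len)
{
    if (len == 0 || len % BLOCK_SIZE != 0) return -1;
    unsigned n = in[len - 1];
    unsigned bad = (n == 0) | (n > BLOCK_SIZE);
    for (size_t i = 1; i <= BLOCK_SIZE; i++) {
        unsigned in_pad = (i <= n);         /* byte belongs to the claimed pad */
        unsigned diff = in[len - i] ^ n;    /* non-zero if it is not equal to n */
        bad |= in_pad & (diff != 0);
    }
    return bad ? -1 : (long)(len - n);
}

/* With padding disabled the caller owns the framing: only whole blocks are
 * acceptable, which is the error case the entry above describes. */
int nopad_length_ok(size_t len)
{
    return len % BLOCK_SIZE == 0;
}
```

Disabling padding is the right choice only when another layer already fixes the message length (a length field, or a mode that needs none); otherwise the whole-block requirement turns into an error at the worst possible moment, on the final block of a stream.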
  *) Initial (incomplete) OCSP SSL support.
     [Steve Henson]

  *) New function OCSP_parse_url(). This splits up a URL into its host,
     port and path components: primarily to parse OCSP URLs. New -url
     option to ocsp utility.
     [Steve Henson]

  *) New nonce behavior. The return value of OCSP_check_nonce() now
     reflects the various checks performed. Applications can decide
     whether to tolerate certain situations such as an absent nonce
     in a response when one was present in a request: the ocsp application
     just prints out a warning. New function OCSP_add1_basic_nonce():
     this allows responders to include a nonce in a response even if
     the request is nonce-less.
     [Steve Henson]

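An added example, not OCSP_check_nonce() or the ocsp application, of a nonce check whose return value says which situation occurred, together with the policy decision the entry above leaves to the application. The result codes and names below are my own assignment, not the library's; the byte comparison runs in constant time so a mismatching nonce is not detectable by timing.

```c
#include <stdint.h>
#include <stddef.h>

typedef enum {
    NONCE_MISMATCH = 0,       /* both present, different: never acceptable */
    NONCE_MATCH = 1,          /* both present and equal */
    NONCE_BOTH_ABSENT = 2,    /* neither side used a nonce */
    NONCE_RESPONSE_ONLY = 3,  /* responder added one although we sent none */
    NONCE_REQUEST_ONLY = -1   /* responder ignored ours: replay not excluded */
} nonce_result_t;

/* A NULL pointer means the nonce extension is absent on that side. */
nonce_result_t check_nonce(const uint8_t *req, size_t req_len,
                           const uint8_t *resp, size_t resp_len)
{
    if (!req && !resp) return NONCE_BOTH_ABSENT;
    if (!req) return NONCE_RESPONSE_ONLY;
    if (!resp) return NONCE_REQUEST_ONLY;
    if (req_len != resp_len) return NONCE_MISMATCH;
    uint8_t diff = 0;
    for (size_t i = 0; i < req_len; i++)   /* no early exit on mismatch */
        diff |= req[i] ^ resp[i];
    return diff == 0 ? NONCE_MATCH : NONCE_MISMATCH;
}

/* Policy: a mismatch is always fatal. A response that drops our nonce is
 * tolerated only if the caller opts in (some responders never echo nonces
 * because they pre-produce responses); that is the case the entry says the
 * ocsp application merely warns about. A nonce we did not ask for is
 * harmless. Returns 1 if the response may be used. */
int nonce_acceptable(nonce_result_t r, int tolerate_missing)
{
    switch (r) {
    case NONCE_MATCH:
    case NONCE_BOTH_ABSENT:
    case NONCE_RESPONSE_ONLY:
        return 1;
    case NONCE_REQUEST_ONLY:
        return tolerate_missing ? 1 : 0;
    case NONCE_MISMATCH:
    default:
        return 0;
    }
}
```

Keeping the comparison result and the policy apart is the point: the comparison is a fact about the messages, while whether a nonce-less answer is good enough depends on the responder and on the freshness check applied alongside it.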
  *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
     skipped when using openssl x509 multiple times on a single input file,
     e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
     [Bodo Moeller]

  *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
     set string type: to handle setting ASN1_TIME structures. Fix ca
     utility to correctly initialize revocation date of CRLs.
     [Steve Henson]

  *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
     the client's preferred ciphersuites and rather use its own preferences.
     Should help to work around M$ SGC (Server Gated Cryptography) bug in
     Internet Explorer by ensuring unchanged hash method during stepup.
     (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
     [Lutz Jaenicke]

  *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
     to aes and add a new 'exist' option to print out symbols that don't
     appear to exist.
     [Steve Henson]

  *) Additional options to ocsp utility to allow flags to be set and
     additional certificates supplied.
     [Steve Henson]

  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
     OCSP client a number of certificates to only verify the response
     signature against.
     [Richard Levitte]

  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
     handle the new API. Currently only ECB, CBC modes supported. Add new
     AES OIDs.

     Add TLS AES ciphersuites as described in the "AES Ciphersuites
     for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet
     official, they are not enabled by default and are not even part
     of the "ALL" ciphersuite alias; for now, they must be explicitly
     requested by specifying the new "AESdraft" ciphersuite alias. If
     you want the default ciphersuite list plus the new ciphersuites,
     use "DEFAULT:AESdraft: @STRENGTH".
     [Ben Laurie, Steve Henson, Bodo Moeller]

  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
     request to response.
     [Steve Henson]

  *) Functions for OCSP responders. OCSP_request_onereq_count(),
     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
     extract information from a certificate request. OCSP_response_create()
     creates a response and optionally adds a basic response structure.
     OCSP_basic_add1_status() adds a complete single response to a basic
     response and returns the OCSP_SINGLERESP structure just added (to allow
     extensions to be included for example). OCSP_basic_add1_cert() adds a
     certificate to a basic response and OCSP_basic_sign() signs a basic
     response with various flags. New helper functions ASN1_TIME_check()
     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
     (converts ASN1_TIME to GeneralizedTime).
     [Steve Henson]

  *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
     in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
     structure from a certificate. X509_pubkey_digest() digests the public_key
     contents: this is used in various key identifiers.
     [Steve Henson]

  *) Make sk_sort() tolerate a NULL argument.
     [Steve Henson, reported by Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
     passed by the function are trusted implicitly. If any of them signed the
     response then it is assumed to be valid and is not verified.
     [Steve Henson]

  *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
     to data. This was previously part of the PKCS7 ASN1 code. This
     was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
     routines: without these tracing memory leaks is very painful.
     Fix leaks in PKCS12 and PKCS7 routines.
     [Steve Henson]

  *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
     Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
     effectively meant GeneralizedTime would never be used. Now it
     is initialised to -1 but X509_time_adj() now has to check the value
     and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
     V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
     [Steve Henson, reported by Kenneth R. Robinette
      <support@securenetterm.com>]

  *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
8e8972bb DSH |
1194 | result in a zero length in the ASN1_INTEGER structure which was |
1195 | not consistent with the structure when d2i_ASN1_INTEGER() was used | |
1196 | and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER() | |
1197 | to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER() | |
1198 | where it did not print out a minus for negative ASN1_INTEGER. | |
1199 | [Steve Henson] | |
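
     The zero-length INTEGER problem above, as an added example (Python,
     not OpenSSL code): a strict DER INTEGER encoder and decoder that always
     emits a content octet for zero and minimal two's complement for negative
     values, a string parser that accepts decimal, 0x-prefixed hex and a
     leading minus as s2i_ASN1_INTEGER() now does, and a printer that keeps
     the minus sign as i2a_ASN1_INTEGER() now does. The function names are
     this example's own.

```python
"""DER INTEGER corner cases: zero and negative values.
Added example, not OpenSSL code. A zero encoded with empty content does not
compare equal to the 02 01 00 a decoder produces for zero, which is the
ASN1_INTEGER_cmp() failure the changelog entry describes."""
import binascii


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _is_non_minimal(content: bytes) -> bool:
    """Leading 0x00 before a byte < 0x80, or 0xFF before a byte >= 0x80, is redundant."""
    return len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    )


def int_to_der(value: int) -> bytes:
    """Canonical DER INTEGER: minimal two's complement content, never empty."""
    if value == 0:
        content = b"\x00"                 # the case the old BN_to_ASN1_INTEGER got wrong
    else:
        nbytes = (value.bit_length() + 8) // 8   # +8 leaves room for the sign bit
        content = value.to_bytes(nbytes, "big", signed=True)
        while _is_non_minimal(content):
            content = content[1:]
    return b"\x02" + der_len(len(content)) + content


def der_to_int(der: bytes) -> int:
    """Strict decoder: rejects empty content, bad lengths and non-minimal encodings."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not an INTEGER")
    if der[1] & 0x80:
        nlen = der[1] & 0x7F
        length, content = int.from_bytes(der[2:2 + nlen], "big"), der[2 + nlen:]
    else:
        length, content = der[1], der[2:]
    if length != len(content):
        raise ValueError("length mismatch")
    if length == 0:
        raise ValueError("INTEGER with empty content is not valid DER")
    if _is_non_minimal(content):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def is_valid_der_integer(der: bytes) -> bool:
    try:
        der_to_int(der)
        return True
    except ValueError:
        return False


def s2i_integer(text: str) -> int:
    """Decimal, 0x hex, optional leading minus (the forms s2i_ASN1_INTEGER() now accepts)."""
    text = text.strip()
    neg = text.startswith("-")
    if neg:
        text = text[1:]
    value = int(text, 16 if text.lower().startswith("0x") else 10)
    return -value if neg else value


def i2a_integer(value: int) -> str:
    """Hex of the magnitude with a minus sign for negative values, like i2a_ASN1_INTEGER()."""
    mag = abs(value)
    raw = mag.to_bytes(max(1, (mag.bit_length() + 7) // 8), "big")
    return ("-" if value < 0 else "") + binascii.hexlify(raw).decode().upper()


def canonical_equal(a: int, b: int) -> bool:
    """ASN1_INTEGER_cmp()-style comparison done on the canonical encodings."""
    return int_to_der(a) == int_to_der(b)
```

     Feeding the old zero encoding (02 00) to the strict decoder is the
     quickest way to see why a structure built with BN_to_ASN1_INTEGER() and
     one read back with d2i_ASN1_INTEGER() disagreed.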

  *) Add summary printout to ocsp utility. The various functions which
     convert status values to strings have been renamed to:
     OCSP_response_status_str(), OCSP_cert_status_str() and
     OCSP_crl_reason_str() and are no longer static. New options
     to verify nonce values and to disable verification. OCSP response
     printout format cleaned up.
     [Steve Henson]

  *) Add additional OCSP certificate checks. These are those specified
     in RFC2560. This consists of two separate checks: the CA of the
     certificate being checked must either be the OCSP signer certificate
     or the issuer of the OCSP signer certificate. In the latter case the
     OCSP signer certificate must contain the OCSP signing extended key
     usage. This check is performed by attempting to match the OCSP
     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
     in the OCSP_CERTID structures of the response.
     [Steve Henson]
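
     The two acceptable response signers described above, as an added
     example (Python, not OpenSSL code). Certificates are reduced to the
     fields the check needs; the CN=Test, CN=OCSP and CN=Evil names and the
     key bytes are constructed stand-ins, and the result strings and function
     names are this example's own. The hash inputs follow RFC 2560:
     issuerNameHash over the issuer's DER Name, issuerKeyHash over the value
     of the issuer's subjectPublicKey BIT STRING.

```python
"""RFC 2560 OCSP responder authorisation via CERTID hash matching.
Added example, not OpenSSL code."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"      # id-kp-OCSPSigning, RFC 2560 4.2.2.2


@dataclass
class Cert:
    subject_der: bytes                     # DER encoding of the subject Name
    key_bits: bytes                        # subjectPublicKey BIT STRING value (no tag/len/unused-bits)
    issuer: Optional["Cert"] = None
    eku: frozenset = field(default_factory=frozenset)


@dataclass
class CertID:
    hash_alg: str                          # hashlib name, e.g. "sha1"
    issuer_name_hash: bytes
    issuer_key_hash: bytes


def make_certid(hash_alg: str, issuer: Cert) -> CertID:
    """The CERTID a client puts in its request for a certificate issued by `issuer`."""
    return CertID(hash_alg,
                  hashlib.new(hash_alg, issuer.subject_der).digest(),
                  hashlib.new(hash_alg, issuer.key_bits).digest())


def certid_matches(certid: CertID, cand: Cert) -> bool:
    """Does `cand` hash to the issuerNameHash and issuerKeyHash in the CERTID?"""
    def h(data: bytes) -> bytes:
        return hashlib.new(certid.hash_alg, data).digest()
    return (h(cand.subject_der) == certid.issuer_name_hash
            and h(cand.key_bits) == certid.issuer_key_hash)


def responder_authorized(certid: CertID, signer: Cert) -> str:
    """Why `signer` may sign a response for this CERTID, or "" if it may not.
    Rule 1: the signer is the CA that issued the certificate being checked.
    Rule 2: the signer was issued by that CA and carries id-kp-OCSPSigning."""
    if certid_matches(certid, signer):
        return "signed by issuing CA"
    if signer.issuer is not None and certid_matches(certid, signer.issuer):
        if OCSP_SIGNING_EKU in signer.eku:
            return "signed by delegated responder"
        return ""                          # right issuer, but no OCSP signing EKU
    return ""


# Constructed sample data. Names are DER for SEQUENCE { SET { SEQUENCE {
# 2.5.4.3, UTF8String <cn> } } }; key bytes are placeholders, not real keys.
CA = Cert(bytes.fromhex("300f310d300b06035504030c0454657374"), bytes(range(32)))       # CN=Test
DELEGATED = Cert(bytes.fromhex("300f310d300b06035504030c044f435350"), bytes(range(32, 64)),
                 issuer=CA, eku=frozenset({OCSP_SIGNING_EKU}))                          # CN=OCSP
NO_EKU = Cert(DELEGATED.subject_der, DELEGATED.key_bits, issuer=CA)                       # same cert, no EKU
OTHER_CA = Cert(bytes.fromhex("300f310d300b06035504030c044576696c"), bytes(range(64, 96)))  # CN=Evil
CERTID = make_certid("sha1", CA)
```

     The checks run only when the signer is not already trusted by other
     means (the OCSP_TRUSTOTHER flag and the explicitly trusted signing root
     described in the neighbouring entries bypass them), so a responder
     deployment that relies on a delegated certificate must make sure the
     EKU is present.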

  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
     the '-extensions ...' option may be used for specifying the
     section to use.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP utility. Allows OCSP requests to be generated or
     read. The request can be sent to a responder and the output
     parsed, output or printed in text form. Not complete yet:
     still needs to check the OCSP response validity.
     [Steve Henson]

  *) New subcommands for 'openssl ca':
     'openssl ca -status <serial>' prints the status of the cert with
     the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl. This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR. This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Allow defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int). The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments. To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

        CRYPTO_set_mem_ex_functions
        CRYPTO_set_locked_mem_ex_functions
        CRYPTO_get_mem_ex_functions
        CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
     [Geoff Thorpe]

  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If /dev/[u]random devices are not available or do not return enough
     entropy, EGD style sockets (served by EGD or PRNGD) will automatically
     be queried.
     The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
     /etc/entropy will be queried once each in this sequence; querying stops
     as soon as enough entropy has been collected, without querying the
     remaining sockets.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected. We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode. DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
     [Richard Levitte]

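     The device polling and the EGD fallback described in the two
     RAND_poll() entries above, as one added example (Python, not OpenSSL's
     rand_unix.c or rand_egd.c). It keeps the 10 ms select() timeout, the
     non-blocking reads and the device and socket lists from the entries.
     The 32-byte target, the 0.5 s socket timeout and the function names are
     this example's assumptions; the EGD framing (command 0x01 followed by a
     count byte, reply of one count byte plus data) is the EGD protocol's
     non-blocking read.

```python
"""Entropy gathering in the style of the Unix RAND_poll(): devices first,
EGD-style sockets only if the devices did not deliver enough.
Added example, not OpenSSL code."""
import os
import select
import socket
import tempfile

DEVRANDOM = ("/dev/urandom", "/dev/random", "/dev/srandom")
EGD_SOCKETS = ("/var/run/egd-pool", "/dev/egd-pool", "/etc/egd-pool", "/etc/entropy")
ENTROPY_NEEDED = 32          # bytes this example collects (assumption, not OpenSSL's constant)
DEVICE_TIMEOUT = 0.010       # 10 ms select() timeout per device, as in the entry


def poll_devices(paths, needed, timeout=DEVICE_TIMEOUT):
    """Non-blocking reads from each device in turn, waiting at most `timeout`
    per device, until `needed` bytes are collected. Missing devices are skipped."""
    out = bytearray()
    for path in paths:
        if len(out) >= needed:
            break
        try:
            fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOCTTY)
        except OSError:
            continue                        # device does not exist on this platform
        try:
            while len(out) < needed:
                readable, _, _ = select.select([fd], [], [], timeout)
                if not readable:
                    break                   # blocking device with nothing to give; next one
                try:
                    chunk = os.read(fd, needed - len(out))
                except BlockingIOError:
                    break
                if not chunk:
                    break
                out += chunk
        finally:
            os.close(fd)
    return bytes(out)


def egd_request(nbytes):
    """EGD 'read entropy, non-blocking' command: 0x01 followed by a 1-byte count."""
    return bytes([0x01, min(nbytes, 255)])


def egd_parse_reply(reply):
    """Reply is a count byte followed by that many bytes; the count may be smaller
    than requested, or zero when the daemon's pool is empty."""
    if not reply or len(reply) < 1 + reply[0]:
        raise ValueError("short EGD reply")
    return reply[1:1 + reply[0]]


def query_egd_sockets(paths, needed):
    """Query each socket once, in sequence, stopping as soon as enough was collected."""
    out = bytearray()
    for path in paths:
        if len(out) >= needed:
            break
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            sock.settimeout(0.5)
            sock.connect(path)
            while len(out) < needed:
                sock.sendall(egd_request(needed - len(out)))
                head = sock.recv(1)
                data = b""
                while head and len(data) < head[0]:
                    more = sock.recv(head[0] - len(data))
                    if not more:
                        break
                    data += more
                chunk = egd_parse_reply(head + data) if head else b""
                if not chunk:
                    break                   # pool empty or connection closed; next socket
                out += chunk
        except (OSError, ValueError):
            pass                            # nothing listening here, or a malformed reply
        finally:
            sock.close()
    return bytes(out)


def rand_poll(needed=ENTROPY_NEEDED):
    out = poll_devices(DEVRANDOM, needed)
    if len(out) < needed:
        out += query_egd_sockets(EGD_SOCKETS, needed - len(out))
    return out


def demo_poll_from_file(size, needed):
    """Test hook: a regular file stands in for a device (always readable to select())."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, bytes(i % 256 for i in range(size)))
        os.close(fd)
        return poll_devices(["/nonexistent/random", path], needed)
    finally:
        os.unlink(path)
```

     Note what the 10 ms bound buys: on a system where /dev/urandom is
     missing and /dev/random is blocking, the poll gives up on it quickly
     and moves to the EGD sockets instead of hanging the application.
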
  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need: as opposed to those which an
     OCSP responder itself would need which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
     response. OCSP_response_get1_basic() extracts basic response
     from response. OCSP_resp_find_status(): finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     won't normally be used unless the application wishes to examine
     extensions in the OCSP response for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name which
     will be added elsewhere.
     [Steve Henson]

  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognise more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
     [Steve Henson]

  *) New extension functions for OCSP structures, these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certificates and CRLs.
     [Steve Henson]

  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up print OCSP format.
     [Steve Henson]

  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
     entries for variables.
     [Steve Henson]

  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
     [Steve Henson]

  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]

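     The attribute-ordering problem from the PKCS#7 entry and the
     SET OF + SEQUENCE OF reorder flag in the entry above, as one added
     example (Python, not OpenSSL's ASN1 code). The sample attributes are
     constructed TLVs in deliberately non-DER order, a SHA-256 digest stands
     in for the signature over the signed attributes, and the function names
     are this example's own. The ordering rule is X.690 11.6: element
     encodings compared as octet strings, the shorter padded with zero
     octets on the right.

```python
"""DER SET OF ordering and why a freshly signed PKCS#7 failed to verify.
Added example, not OpenSSL's ASN1 code."""
import hashlib
from typing import List, Sequence, Tuple


def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_set_of_order(elements: Sequence[bytes]) -> List[int]:
    """Indices of `elements` in DER SET OF order (X.690 11.6)."""
    width = max((len(e) for e in elements), default=0)
    return sorted(range(len(elements)), key=lambda i: elements[i].ljust(width, b"\x00"))


def encode_set_of(elements: Sequence[bytes]) -> Tuple[bytes, List[int]]:
    """Canonical SET OF (tag 0x31) plus the permutation applied, so the caller
    can reorder its in-memory list to match the encoding (the reorder flag)."""
    order = der_set_of_order(elements)
    return tlv(0x31, b"".join(elements[i] for i in order)), order


def encode_as_received(elements: Sequence[bytes]) -> bytes:
    """SET OF written in the given order: a SEQUENCE OF body under the SET tag.
    A tolerant verifier rebuilds exactly this for a peer that did not sort."""
    return tlv(0x31, b"".join(elements))


def reorder_to_match(elements: Sequence[bytes], order: List[int]) -> List[bytes]:
    return [elements[i] for i in order]


def sign_attrs(attrs: Sequence[bytes]) -> Tuple[bytes, List[bytes]]:
    """Digest over the canonical encoding (stand-in for the signature) and the
    attribute list reordered to match it, as PKCS7_ATTR_SIGN now does."""
    der, order = encode_set_of(attrs)
    return hashlib.sha256(der).digest(), reorder_to_match(attrs, order)


def verify_attrs(attrs_in_received_order: Sequence[bytes], digest: bytes) -> bool:
    """Verify over the received order, as PKCS7_ATTR_VERIFY does. Re-sorting here
    would reject signatures from software that does not order its SET OF."""
    return hashlib.sha256(encode_as_received(attrs_in_received_order)).digest() == digest


# Constructed sample "attributes": three TLVs deliberately in non-DER order.
ATTRS = [tlv(0x04, b"zz"), tlv(0x02, b"\x05"), tlv(0x04, b"a")]
```

     Verifying against the original, unsorted list fails, which is the
     "verify right after signing" failure; verifying against the list
     reordered to the encoded order succeeds, and the received-order
     encoding of that list is byte-identical to the canonical SET OF.
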
  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

  *) Added Kerberos Cipher Suites to be used with TLS, as written in
     RFC 2712.
     [Veers Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]

  *) Reformat the FAQ so the different questions and answers can be divided
     in sections depending on the subject.
     [Richard Levitte]

  *) Have the zlib compression code load ZLIB.DLL dynamically under
     Windows.
     [Richard Levitte]

  *) New function BN_mod_sqrt for computing square roots modulo a prime
     (using the probabilistic Tonelli-Shanks algorithm unless
     p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
     be handled deterministically).
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

  *) Make BN_mod_inverse faster by explicitly handling small quotients
     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
     512 bits], about 30% for larger ones [1024 or 2048 bits].)
     [Bodo Moeller]

  *) New function BN_kronecker.
     [Bodo Moeller]

  *) Fix BN_gcd so that it works on negative inputs; the result is
     positive unless both parameters are zero.
     Previously something reasonably close to an infinite loop was
     possible because numbers could be growing instead of shrinking
     in the implementation of Euclid's algorithm.
     [Bodo Moeller]

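     BN_mod_sqrt, BN_kronecker and the BN_gcd fix from the entries above,
     as one added example (Python, not OpenSSL's crypto/bn code). It uses
     the same case split as BN_mod_sqrt (closed forms for p = 3 (mod 4) and
     p = 5 (mod 8), Tonelli-Shanks otherwise), the Kronecker symbol algorithm
     from Cohen's "A Course in Computational Algebraic Number Theory"
     (Algorithm 1.4.10), and Euclid on absolute values for the gcd. Function
     names are this example's own.

```python
"""Square roots mod p, the Kronecker symbol and a sign-safe gcd.
Added example, not OpenSSL's crypto/bn code."""


def kronecker(a: int, b: int) -> int:
    """Kronecker symbol (a|b) for any integers (Cohen, Algorithm 1.4.10); it
    extends the Jacobi symbol to even and negative b."""
    if b == 0:
        return 1 if abs(a) == 1 else 0
    if a % 2 == 0 and b % 2 == 0:
        return 0
    v = 0
    while b % 2 == 0:                        # pull the powers of 2 out of b
        b //= 2
        v += 1
    k = 1 if v % 2 == 0 or a % 8 in (1, 7) else -1    # (a|2) for odd a
    if b < 0:
        b = -b
        if a < 0:
            k = -k
    while a != 0:
        v = 0
        while a % 2 == 0:
            a //= 2
            v += 1
        if v % 2 == 1 and b % 8 in (3, 5):   # (2|b) = -1 for b = +-3 (mod 8)
            k = -k
        if a % 4 == 3 and b % 4 == 3:        # quadratic reciprocity sign
            k = -k
        a, b = b % abs(a), abs(a)
    return k if b == 1 else 0


def mod_sqrt(a: int, p: int):
    """x with x*x = a (mod p) for an odd prime p, or None if a is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if kronecker(a, p) != 1:
        return None
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    if p % 8 == 5:                            # Atkin's formula
        v = pow(2 * a, (p - 5) // 8, p)
        i = 2 * a * v * v % p
        return a * v * (i - 1) % p
    q, e = p - 1, 0                           # p - 1 = q * 2^e with q odd
    while q % 2 == 0:
        q //= 2
        e += 1
    n = 2
    while kronecker(n, p) != -1:              # any quadratic non-residue will do
        n += 1
    z, x, b, r = pow(n, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p), e
    while b != 1:                             # Tonelli-Shanks
        m, t = 0, b                           # least m with b^(2^m) = 1
        while t != 1:
            t = t * t % p
            m += 1
        t = pow(z, 1 << (r - m - 1), p)
        z = t * t % p
        b = b * z % p
        x = x * t % p
        r = m
    return x


def gcd(a: int, b: int) -> int:
    """Euclid on absolute values: terminates for negative inputs, and the result
    is positive unless both inputs are zero."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a
```

     Running the Kronecker test before the Tonelli-Shanks loop is what
     makes a non-residue input return None instead of looping on a value
     that never reaches 1.
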
  *) Fix BN_is_word() and BN_is_one() macros to take into account the
     sign of the number in question.

     Fix BN_is_word(a,w) to work correctly for w == 0.

     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
     because it tests whether the absolute value of 'a' equals 'w'.
     Note that BN_abs_is_word does *not* handle w == 0 reliably;
     it exists mostly for use in the implementations of BN_is_zero(),
     BN_is_one(), and BN_is_word().
     [Bodo Moeller]

  *) New function BN_swap.
     [Bodo Moeller]

  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
     the exponentiation functions are more likely to produce reasonable
     results on negative inputs.
     [Bodo Moeller]

  *) Change BN_mod_mul so that the result is always non-negative.
     Previously, it could be negative if one of the factors was negative;
     I don't think anyone really wanted that behaviour.
     [Bodo Moeller]

  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
     and add new functions:

        BN_nnmod
        BN_mod_sqr
        BN_mod_add
        BN_mod_add_quick
        BN_mod_sub
        BN_mod_sub_quick
        BN_mod_lshift1
        BN_mod_lshift1_quick
        BN_mod_lshift
        BN_mod_lshift_quick

     These functions always generate non-negative results.

     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
     such that -|m| < r < 0, BN_nnmod will output r + |m| instead).

     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
     BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
     be reduced modulo m.
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

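     The sign conventions of BN_mod, BN_nnmod and the new BN_mod_... and
     _quick functions above, as an added example (Python, not OpenSSL's
     bn_mod.c). Function names mirror the entry; the precondition check in
     the _quick variants is this example's own addition, so that a caller
     who passes an unreduced input gets an error instead of an unreduced
     result.

```python
"""Sign conventions of the BN_mod_... family.
Added example, not OpenSSL's bn_mod.c."""


def trunc_mod(a: int, m: int) -> int:
    """Truncated remainder with the sign of the dividend (what BN_mod computes):
    for a < 0 the result r satisfies -|m| < r <= 0."""
    r = abs(a) % abs(m)
    return -r if a < 0 else r


def nnmod(a: int, m: int) -> int:
    """Non-negative remainder, 0 <= r < |m|, like BN_nnmod: a negative BN_mod
    result is lifted by |m|."""
    r = trunc_mod(a, m)
    return r + abs(m) if r < 0 else r


def mod_add(a: int, b: int, m: int) -> int:
    return nnmod(a + b, m)


def mod_sub(a: int, b: int, m: int) -> int:
    return nnmod(a - b, m)


def mod_mul(a: int, b: int, m: int) -> int:
    """Always non-negative, even when a factor is negative (the BN_mod_mul change)."""
    return nnmod(a * b, m)


def mod_sqr(a: int, m: int) -> int:
    return nnmod(a * a, m)


def mod_lshift1(a: int, m: int) -> int:
    return nnmod(a << 1, m)


def mod_lshift(a: int, n: int, m: int) -> int:
    return nnmod(a << n, m)


def mod_exp(a: int, e: int, m: int) -> int:
    """Sign of m ignored and base reduced with nnmod first, as the exponentiation
    entries above describe."""
    m = abs(m)
    return pow(nnmod(a, m), e, m)


def _check_reduced(x: int, m: int) -> None:
    """The _quick precondition: inputs already in [0, m). Not checked by the real
    functions; added here so a violation fails loudly."""
    if not 0 <= x < m:
        raise ValueError(f"{x} is not reduced modulo {m}; use the non-quick variant")


def mod_add_quick(a: int, b: int, m: int) -> int:
    """One conditional subtraction instead of a division."""
    _check_reduced(a, m)
    _check_reduced(b, m)
    r = a + b
    return r - m if r >= m else r


def mod_sub_quick(a: int, b: int, m: int) -> int:
    """One conditional addition instead of a division."""
    _check_reduced(a, m)
    _check_reduced(b, m)
    r = a - b
    return r + m if r < 0 else r


def mod_lshift1_quick(a: int, m: int) -> int:
    _check_reduced(a, m)
    r = a << 1
    return r - m if r >= m else r


def mod_lshift_quick(a: int, n: int, m: int) -> int:
    """n doublings, each followed by at most one subtraction."""
    _check_reduced(a, m)
    for _ in range(n):
        a = mod_lshift1_quick(a, m)
    return a


def quick_precondition_violated(a: int, b: int, m: int) -> bool:
    """True when mod_add_quick refuses the inputs because one is not reduced."""
    try:
        mod_add_quick(a, b, m)
        return False
    except ValueError:
        return True
```

     The _quick variants are cheaper because they replace a division by one
     comparison and one addition or subtraction, which is also why they
     cannot cope with inputs outside [0, m): a single correction step is
     not enough to bring such a value back into range.
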
  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

  *) In 'openssl passwd', verify passwords read from the terminal
     unless the '-salt' option is used (which usually means that
     verification would just waste user's time since the resulting
     hash is going to be compared with some given password hash)
     or the new '-noverify' option is used.

     This is an incompatible change, but it does not affect
     non-interactive use of 'openssl passwd' (passwords on the command
     line, '-stdin' option, '-in ...' option) and thus should not
     cause any problems.
     [Bodo Moeller]

  *) Remove all references to RSAref, since there's no more need for it.
     [Richard Levitte]

  *) Make DSO load along a path given through an environment variable
     (SHLIB_PATH) with shl_load().
     [Richard Levitte]

  *) Constify the ENGINE code as a result of BIGNUM constification.
     Also constify the RSA code and most things related to it. In a
     few places, most notably in the depths of the ASN.1 code, ugly
     casts back to non-const were required (to be solved at a later
     time).
     [Richard Levitte]

  *) Make it so the openssl application has all engines loaded by default.
     [Richard Levitte]

  *) Constify the BIGNUM routines a little more.
     [Richard Levitte]

  *) Add the following functions:

        ENGINE_load_cswift()
        ENGINE_load_chil()
        ENGINE_load_atalla()
        ENGINE_load_nuron()
        ENGINE_load_builtin_engines()

     That way, an application can itself choose if external engines that
     are built-in in OpenSSL shall ever be used or not. The benefit is
     that applications won't have to be linked with libdl or other dso
     libraries unless it's really needed.

     Changed 'openssl engine' to load all engines on demand.
     Changed the engine header files to avoid the duplication of some
     declarations (they differed!).
     [Richard Levitte]

  *) 'openssl engine' can now list capabilities.
     [Richard Levitte]

  *) Better error reporting in 'openssl engine'.
     [Richard Levitte]

  *) Never call load_dh_param(NULL) in s_server.
     [Bodo Moeller]

  *) Add engine application. It can currently list engines by name and
     identity, and test if they are actually available.
     [Richard Levitte]

  *) Improve RPM specification file by forcing symbolic linking and making
     sure the installed documentation is also owned by root.root.
     [Damien Miller <djm@mindrot.org>]

  *) Give the OpenSSL applications more possibilities to make use of
     keys (public as well as private) handled by engines.
     [Richard Levitte]

  *) Add OCSP code that comes from CertCo.
     [Richard Levitte]

  *) Add VMS support for the Rijndael code.
     [Richard Levitte]

  *) Added untested support for Nuron crypto accelerator.
     [Ben Laurie]

  *) Add support for external cryptographic devices. This code was
     previously distributed separately as the "engine" branch.
     [Geoff Thorpe, Richard Levitte]

  *) Rework the filename-translation in the DSO code. It is now possible to
     have far greater control over how a "name" is turned into a filename
     depending on the operating environment and any oddities about the
     different shared library filenames on each system.
     [Geoff Thorpe]

  *) Support threads on FreeBSD-elf in Configure.
     [Richard Levitte]

  *) Fix for SHA1 assembly problem with MASM: it produces
     warnings about corrupt line number information when assembling
     with debugging information. This is caused by the overlapping
     of two sections.
     [Bernd Matthes <mainbug@celocom.de>, Steve Henson]

  *) NCONF changes.
     NCONF_get_number() has no error checking at all. As a replacement,
     NCONF_get_number_e() is defined (_e for "error checking") and is
     promoted strongly. The old NCONF_get_number is kept around for
     binary backward compatibility.
     Make it possible for methods to load from something other than a BIO,
     by providing a function pointer that is given a name instead of a BIO.
     For example, this could be used to load configuration data from an
     LDAP server.
     [Richard Levitte]

  *) Fix for non blocking accept BIOs. Added new I/O special reason
     BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
     with non blocking I/O was not possible because no retry code was
     implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
     this case.
     [Steve Henson]

  *) Added the beginnings of Rijndael support.
     [Ben Laurie]

  *) Fix for bug in DirectoryString mask setting. Add support for
     X509_NAME_print_ex() in 'req' and X509_print_ex() function
     to allow certificate printing to be more controllable; additional
     'certopt' option to 'x509' to allow new printing options to be
     set.
     [Steve Henson]

  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

 Changes between 0.9.6d and 0.9.6e [XX xxx XXXX]

  *) Fix EVP_dsa_sha macro.
     [Nils Larsch]

  *) New option
        SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
     that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some
     broken SSL implementations, the new option is part of SSL_OP_ALL.
     SSL_OP_ALL is usually employed when compatibility with weird SSL
     implementations is desired (e.g. '-bugs' option to 's_client' and
     's_server'), so the new option is automatically set in many
     applications.
     [Bodo Moeller]

 Changes between 0.9.6c and 0.9.6d [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
     encoded as NULL) with id-dsa-with-sha1.
     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]

  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]

  *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
     an end-of-file condition would erroneously be flagged when the CRLF
     was just at the end of a processed block. The bug was discovered when
     processing data through a buffering memory BIO handing the data to a
     BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
     <ptsekov@syntrex.com> and Nedelcho Stanev.
     [Lutz Jaenicke]

  *) Implement a countermeasure against a vulnerability recently found
     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
     before application data chunks to avoid the use of known IVs
     with data potentially chosen by the attacker.
     [Bodo Moeller]

1751 | *) Fix length checks in ssl3_get_client_hello(). | |
1752 | [Bodo Moeller] | |
1753 | ||
1754 | *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently | |
1755 | to prevent ssl3_read_internal() from incorrectly assuming that | |
1756 | ssl3_read_bytes() found application data while handshake | |
1757 | processing was enabled when in fact s->s3->in_read_app_data was | |
1758 | merely automatically cleared during the initial handshake. | |
1759 | [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>] | |
1760 | ||
381a146d LJ | 1761 | *) Fix object definitions for Private and Enterprise: they were not |
1762 | recognized in their shortname (=lowercase) representation. Extend | |
1763 | obj_dat.pl to issue an error when using undefined keywords instead | |
1764 | of silently ignoring the problem (Svenning Sorensen | |
1765 | <sss@sss.dnsalias.net>). | |
1766 | [Lutz Jaenicke] | |
1767 | ||
1768 | *) Fix DH_generate_parameters() so that it works for 'non-standard' | |
1769 | generators, i.e. generators other than 2 and 5. (Previously, the | |
1770 | code did not properly initialise the 'add' and 'rem' values to | |
1771 | BN_generate_prime().) | |
1772 | ||
1773 | In the new general case, we do not insist that 'generator' is | |
1774 | actually a primitive root: This requirement is rather pointless; | |
1775 | a generator of the order-q subgroup is just as good, if not | |
1776 | better. | |
1777 | [Bodo Moeller] | |
1778 | ||
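Added illustration, not OpenSSL's DH_generate_parameters(): a safe-prime generator that takes the 'add'/'rem' residue constraint for any generator value, plus the check that accepts g when it generates either the order-q subgroup or all of Z_p^* (a primitive root), which is the relaxed requirement described above. The residue constants used for generators 2 and 5, and the trial-division prime test, are assumptions of this model.

```python
def is_prime(n: int) -> bool:
    """Trial division; adequate for the small demonstration sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def generate_safe_prime(bits: int, add: int, rem: int) -> int:
    """Smallest `bits`-bit safe prime p = 2q + 1 with p ≡ rem (mod add).
    `add`/`rem` model the values the fix now initialises for every generator
    before calling BN_generate_prime()."""
    p = 1 << (bits - 1)
    p += (rem - p) % add                 # first candidate in the residue class
    while p < (1 << bits):
        if is_prime(p) and is_prime((p - 1) // 2):
            return p
        p += add
    raise ValueError("no safe prime of that size in the residue class")


def generator_order_class(p: int, g: int) -> str:
    """Order of g in Z_p^* for a safe prime p = 2q + 1:
    'subgroup'  -> order q  (generates the order-q subgroup: accepted)
    'primitive' -> order 2q (a primitive root: accepted)
    'bad'       -> order 1 or 2 (g = 1 or g = p - 1): rejected"""
    if g <= 1 or g >= p - 1:
        return "bad"
    return "subgroup" if pow(g, (p - 1) // 2, p) == 1 else "primitive"


def dh_params_for_generator(bits: int, g: int):
    """(p, g, class) for any generator g > 1, not just 2 and 5.
    Residue constraints are assumptions of this model: generator 2 asks for
    p ≡ 11 (mod 24), generator 5 for p ≡ 3 (mod 10), and the general case
    only for p odd (add = 2, rem = 1)."""
    add, rem = {2: (24, 11), 5: (10, 3)}.get(g, (2, 1))
    p = generate_safe_prime(bits, add, rem)
    cls = generator_order_class(p, g)
    if cls == "bad":
        raise ValueError("generator is trivial modulo p")
    return p, g, cls
```

With p = 23 the value 2 only generates the order-11 subgroup while 5 is a primitive root; both are accepted, and only g ≡ ±1 (mod p) is rejected.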
1779 | *) Map new X509 verification errors to alerts. Discovered and submitted by | |
1780 | Tom Wu <tom@arcot.com>. | |
1781 | [Lutz Jaenicke] | |
1782 | ||
1783 | *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from | |
1784 | returning non-zero before the data has been completely received | |
1785 | when using non-blocking I/O. | |
1786 | [Bodo Moeller; problem pointed out by John Hughes] | |
1787 | ||
1788 | *) Some of the ciphers missed the strength entry (SSL_LOW etc). | |
1789 | [Ben Laurie, Lutz Jaenicke] | |
1790 | ||
1791 | *) Fix bug in SSL_clear(): bad sessions were not removed (found by | |
1792 | Yoram Zahavi <YoramZ@gilian.com>). | |
1793 | [Lutz Jaenicke] | |
1794 | ||
1795 | *) Add information about CygWin 1.3 and on, and preserve proper | |
1796 | configuration for the versions before that. | |
1797 | [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte] | |
1798 | ||
1799 | *) Make removal from session cache (SSL_CTX_remove_session()) more robust: | |
1800 | check whether we deal with a copy of a session and do not delete from | |
1801 | the cache in this case. Problem reported by "Izhar Shoshani Levi" | |
1802 | <izhar@checkpoint.com>. | |
1803 | [Lutz Jaenicke] | |
1804 | ||
1805 | *) Do not store session data into the internal session cache, if it | |
1806 | is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | |
1807 | flag is set). Proposed by Aslam <aslam@funk.com>. | |
1808 | [Lutz Jaenicke] | |
1809 | ||
1810 | *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested | |
1811 | value is 0. | |
1812 | [Richard Levitte] | |
1813 | ||
1814 | *) Add the configuration target linux-s390x. | |
1815 | [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte] | |
1816 | ||
1817 | *) [In 0.9.6d-engine release:] | |
1818 | Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). | |
1819 | [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] | |
1820 | ||
1821 | *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of | |
1822 | ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag | |
1823 | variable as an indication that a ClientHello message has been | |
1824 | received. As the flag value will be lost between multiple | |
1825 | invocations of ssl3_accept when using non-blocking I/O, the | |
1826 | function may not be aware that a handshake has actually taken | |
1827 | place, thus preventing a new session from being added to the | |
1828 | session cache. | |
1829 | ||
1830 | To avoid this problem, we now set s->new_session to 2 instead of | |
1831 | using a local variable. | |
1832 | [Lutz Jaenicke, Bodo Moeller] | |
1833 | ||
1834 | *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c) | |
1835 | if the SSL_R_LENGTH_MISMATCH error is detected. | |
1836 | [Geoff Thorpe, Bodo Moeller] | |
1837 | ||
1838 | *) New 'shared_ldflag' column in Configure platform table. | |
1839 | [Richard Levitte] | |
1840 | ||
1841 | *) Fix EVP_CIPHER_mode macro. | |
1842 | ["Dan S. Camper" <dan@bti.net>] | |
1843 | ||
1844 | *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown | |
1845 | type, we must throw them away by setting rr->length to 0. | |
1846 | [D P Chang <dpc@qualys.com>] | |
1847 | ||
1848 | Changes between 0.9.6b and 0.9.6c [21 Dec 2001] | |
1849 | ||
1850 | *) Fix BN_rand_range bug pointed out by Dominikus Scherkl | |
1851 | <Dominikus.Scherkl@biodata.com>. (The previous implementation | |
1852 | worked incorrectly for those cases where range = 10..._2 and | |
1853 | 3*range is two bits longer than range.) | |
1854 | [Bodo Moeller] | |
1855 | ||
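To see why the old branch selection was wrong, the following added model (not OpenSSL's BN_rand_range(); the two selection rules are reconstructed from the description above) enumerates every candidate draw exhaustively and checks whether the accepted outputs are uniform. With range = 1011_2 = 11 the old rule draws n+1 = 5 bits, but 3*11 = 33 needs 6 bits, so the 32 candidates do not cover a whole number of residue classes and the output is biased; the fixed rule only takes the wide draw for range = 100..._2, where 3*range still fits in n+1 bits.

```python
from collections import Counter


def bit(x: int, i: int) -> int:
    """Bit i of x, with BN_is_bit_set()'s convention that a negative index is 0."""
    return (x >> i) & 1 if i >= 0 else 0


def old_uses_wide_draw(rng: int) -> bool:
    """0.9.6b-style selection (modelled): draw n+1 bits whenever range = 10..._2."""
    n = rng.bit_length()
    return bit(rng, n - 2) == 0


def fixed_uses_wide_draw(rng: int) -> bool:
    """Fixed selection: n+1 bits only for range = 100..._2, where 3*range < 2^(n+1)."""
    n = rng.bit_length()
    return bit(rng, n - 2) == 0 and bit(rng, n - 3) == 0


def reduce_twice(r: int, rng: int) -> int:
    """r mod range for r < 3*range, done with at most two subtractions."""
    if r >= rng:
        r -= rng
        if r >= rng:
            r -= rng
    return r


def output_distribution(rng: int, wide: bool) -> Counter:
    """Exhaustive one-draw model of BN_rand_range for range >= 2.

    Every k-bit candidate is enumerated (k = n+1 for the wide draw, else n),
    reduced, and rejected if still >= range. Since a rejection only causes a
    fresh draw, the accepted counts are the sampler's output distribution.
    """
    n = rng.bit_length()
    k = n + 1 if wide else n
    counts = Counter()
    for r in range(1 << k):
        r = reduce_twice(r, rng) if wide else r
        if r < rng:
            counts[r] += 1
    return counts


def is_uniform(counts: Counter, rng: int) -> bool:
    return len(counts) == rng and len(set(counts.values())) == 1
```

For range = 11 the old rule yields residues 0..9 three times each but 10 only twice; the fixed rule is uniform for every range tried.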
1856 | *) Only add signing time to PKCS7 structures if it is not already | |
1857 | present. | |
1858 | [Steve Henson] | |
1859 | ||
1860 | *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", | |
1861 | OBJ_ld_ce should be OBJ_id_ce. | |
1862 | Also some ip-pda OIDs in crypto/objects/objects.txt were | |
1863 | incorrect (cf. RFC 3039). | |
1864 | [Matt Cooper, Frederic Giudicelli, Bodo Moeller] | |
1865 | ||
1866 | *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() | |
1867 | returns early because it has nothing to do. | |
1868 | [Andy Schneider <andy.schneider@bjss.co.uk>] | |
1869 | ||
1870 | *) [In 0.9.6c-engine release:] | |
1871 | Fix mutex callback return values in crypto/engine/hw_ncipher.c. | |
1872 | [Andy Schneider <andy.schneider@bjss.co.uk>] | |
1873 | ||
1874 | *) [In 0.9.6c-engine release:] | |
1875 | Add support for Cryptographic Appliance's keyserver technology. | |
1876 | (Use engine 'keyclient') | |
1877 | [Cryptographic Appliances and Geoff Thorpe] | |
1878 | ||
1879 | *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' | |
1880 | is called via tools/c89.sh because arguments have to be | |
1881 | rearranged (all '-L' options must appear before the first object | |
1882 | modules). | |
1883 | [Richard Shapiro <rshapiro@abinitio.com>] | |
1884 | ||
1885 | *) [In 0.9.6c-engine release:] | |
1886 | Add support for Broadcom crypto accelerator cards, backported | |
1887 | from 0.9.7. | |
1888 | [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] | |
1889 | ||
1890 | *) [In 0.9.6c-engine release:] | |
1891 | Add support for SureWare crypto accelerator cards from | |
1892 | Baltimore Technologies. (Use engine 'sureware') | |
1893 | [Baltimore Technologies and Mark Cox] | |
1894 | ||
1895 | *) [In 0.9.6c-engine release:] | |
1896 | Add support for crypto accelerator cards from Accelerated | |
1897 | Encryption Processing, www.aep.ie. (Use engine 'aep') | |
1898 | [AEP Inc. and Mark Cox] | |
1899 | ||
1900 | *) Add a configuration entry for gcc on UnixWare. | |
1901 | [Gary Benson <gbenson@redhat.com>] | |
1902 | ||
1903 | *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake | |
1904 | messages are stored in a single piece (fixed-length part and | |
1905 | variable-length part combined) and fix various bugs found on the way. | |
1906 | [Bodo Moeller] | |
1907 | ||
1908 | *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() | |
1909 | instead. BIO_gethostbyname() does not know what timeouts are | |
1910 | appropriate, so entries would stay in cache even when they have | |
1911 | become invalid. | |
1912 | [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>] | |
1913 | ||
1914 | *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when | |
1915 | faced with a pathologically small ClientHello fragment that does | |
1916 | not contain client_version: Instead of aborting with an error, | |
1917 | simply choose the highest available protocol version (i.e., | |
1918 | TLS 1.0 unless it is disabled). In practice, ClientHello | |
1919 | messages are never sent like this, but this change gives us | |
1920 | strictly correct behaviour at least for TLS. | |
1921 | [Bodo Moeller] | |
1922 | ||
1923 | *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() | |
1924 | never resets s->method to s->ctx->method when called from within | |
1925 | one of the SSL handshake functions. | |
1926 | [Bodo Moeller; problem pointed out by Niko Baric] | |
1927 | ||
1928 | *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert | |
1929 | (sent using the client's version number) if client_version is | |
1930 | smaller than the protocol version in use. Also change | |
1931 | ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if | |
1932 | the client demanded SSL 3.0 but only TLS 1.0 is enabled; then | |
1933 | the client will at least see that alert. | |
1934 | [Bodo Moeller] | |
1935 | ||
1936 | *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation | |
1937 | correctly. | |
1938 | [Bodo Moeller] | |
1939 | ||
1940 | *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a | |
1941 | client receives HelloRequest while in a handshake. | |
1942 | [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] | |
1943 | ||
1944 | *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C | |
1945 | should end in 'break', not 'goto end' which circumvents various | |
1946 | cleanups done in state SSL_ST_OK. But session related stuff | |
1947 | must be disabled for SSL_ST_OK in the case that we just sent a | |
1948 | HelloRequest. | |
1949 | ||
1950 | Also avoid some overhead by not calling ssl_init_wbio_buffer() | |
1951 | before just sending a HelloRequest. | |
1952 | [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] | |
1953 | ||
1954 | *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't | |
1955 | reveal whether illegal block cipher padding was found or a MAC | |
1956 | verification error occurred. (Neither SSLerr() codes nor alerts | |
1957 | are directly visible to potential attackers, but the information | |
1958 | may leak via logfiles.) | |
1959 | ||
1960 | Similar changes are not required for the SSL 2.0 implementation | |
1961 | because the number of padding bytes is sent in clear for SSL 2.0, | |
1962 | and the extra bytes are just ignored. However ssl/s2_pkt.c | |
1963 | failed to verify that the purported number of padding bytes is in | |
1964 | the legal range. | |
1965 | [Bodo Moeller] | |
1966 | ||
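As an added illustration of the defensive pattern (a model, not ssl/s3_enc.c or ssl/t1_enc.c): a record check that computes the MAC on every path and collapses a padding failure and a MAC failure into one error value, so the caller, and anything it logs, cannot tell the two apart. The MAC here covers only the data; real TLS also covers sequence number, type, version and length.

```python
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size   # 20, as for the SHA-1 MAC ciphersuites


def padding_length(plain: bytes):
    """TLS 1.0 style trailer: last byte is padlen and the preceding padlen
    bytes must all equal it. Returns padlen, or None if illegal. (Model.)"""
    if not plain:
        return None
    padlen = plain[-1]
    if padlen + 1 > len(plain):
        return None
    if any(b != padlen for b in plain[-(padlen + 1):-1]):
        return None
    return padlen


def build_record(data: bytes, mac_key: bytes, padlen: int) -> bytes:
    """Constructed test record: data || MAC(data) || padlen+1 bytes of padlen.
    The MAC covers only the data here; real TLS also covers seq/type/len."""
    tag = hmac.new(mac_key, data, hashlib.sha1).digest()
    return data + tag + bytes([padlen]) * (padlen + 1)


def verify_record(plain: bytes, mac_key: bytes):
    """Strip the trailer and check the MAC, returning (data, error).

    Both failure modes collapse to one error value and the MAC is computed
    on every path, so neither the return value nor a log line derived from
    it tells an observer whether the padding or the MAC was wrong.
    """
    padlen = padding_length(plain)
    padding_ok = padlen is not None
    # On bad padding, still check a MAC over the most plausible layout so the
    # work done (and the error reported) does not depend on which check failed.
    trailer = (padlen + 1) if padding_ok else 0
    body_end = max(0, len(plain) - trailer - MAC_LEN)
    data, tag = plain[:body_end], plain[body_end:body_end + MAC_LEN]
    expected = hmac.new(mac_key, data, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    if not (padding_ok and mac_ok):
        return None, "bad_record_mac"       # single, undifferentiated error
    return data, None
```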
1967 | *) Add OpenUNIX-8 support including shared libraries | |
1968 | (Boyd Lynn Gerber <gerberb@zenez.com>). | |
1969 | [Lutz Jaenicke] | |
1970 | ||
1971 | *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid | |
1972 | 'wristwatch attack' using huge encoding parameters (cf. | |
1973 | James H. Manger's CRYPTO 2001 paper). Note that the | |
1974 | RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use | |
1975 | encoding parameters and hence was not vulnerable. | |
1976 | [Bodo Moeller] | |
1977 | ||
1978 | *) BN_sqr() bug fix. | |
1979 |