git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
 OpenSSL CHANGES
 _______________

 Changes between 0.9.7 and 0.9.8 [xx XXX 2002]

  *) Add 'asn1_flag' and 'asn1_form' members to EC_GROUP with access
     functions
          EC_GROUP_set_asn1_flag()
          EC_GROUP_get_asn1_flag()
          EC_GROUP_set_point_conversion_form()
          EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in compressed form by default; options for
       asn1_form are as for point2oct, namely
          POINT_CONVERSION_COMPRESSED
          POINT_CONVERSION_UNCOMPRESSED
          POINT_CONVERSION_HYBRID
     [Nils Larsch <nla@trustcenter.de>]

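As an added example (not code from the OpenSSL CHANGES file or from OpenSSL itself), here is what the three point conversion forms selected by EC_GROUP_set_point_conversion_form() look like on the wire, following the X9.62 octet-string layout that EC_POINT_point2oct() and EC_POINT_oct2point() implement, together with the consistency check a decoder must apply to the hybrid form. The FORM_* enum (numerically equal to OpenSSL's POINT_CONVERSION_* values), the restriction to prime-field curves (where the parity of y is its low bit) and the constructed coordinates are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Numeric values of OpenSSL's point_conversion_form_t members, copied here so
 * the file builds without <openssl/ec.h>. */
enum { FORM_COMPRESSED = 2, FORM_UNCOMPRESSED = 4, FORM_HYBRID = 6 };

/* Octet length point2oct produces for an affine point when field elements
 * take flen bytes; 0 for an unknown form. */
size_t point_encoded_len(size_t flen, int form)
{
    if (form == FORM_COMPRESSED) return 1 + flen;
    if (form == FORM_UNCOMPRESSED || form == FORM_HYBRID) return 1 + 2 * flen;
    return 0;
}

/* Encode the affine point (x, y) of a prime-field curve, both coordinates
 * big-endian flen-byte field elements, in the requested form.  x == NULL
 * encodes the point at infinity (a single 0x00).  Returns bytes written,
 * 0 on error. */
size_t point2oct_prime(const uint8_t *x, const uint8_t *y, size_t flen,
                       int form, uint8_t *out, size_t outlen)
{
    size_t need = point_encoded_len(flen, form);
    int y_odd;

    if (x == NULL) {
        if (outlen < 1) return 0;
        out[0] = 0x00;
        return 1;
    }
    if (need == 0 || flen == 0 || outlen < need) return 0;
    y_odd = y[flen - 1] & 1;             /* parity of y in a prime field */
    /* First octet: 0x02/0x03 compressed, 0x04 uncompressed, 0x06/0x07 hybrid */
    out[0] = (uint8_t)(form == FORM_UNCOMPRESSED ? 0x04 : form | y_odd);
    memcpy(out + 1, x, flen);
    if (form != FORM_COMPRESSED)          /* y travels only in these two forms */
        memcpy(out + 1 + flen, y, flen);
    return need;
}

/* What oct2point must check before trusting an encoding: classify it and copy
 * out the coordinates it carries.  Returns the form, 0 for the point at
 * infinity, -1 for malformed input.  Compressed input yields x and the parity
 * of y only (recovering y itself needs the curve equation).  Hybrid input
 * carries y explicitly AND its parity bit, and the two must agree. */
int oct2point_prime(const uint8_t *in, size_t inlen, size_t flen,
                    uint8_t *x, uint8_t *y, int *y_parity)
{
    if (inlen == 0 || flen == 0) return -1;
    if (inlen == 1 && in[0] == 0x00) return 0;
    *y_parity = in[0] & 1;
    switch (in[0] & 0xfe) {
    case 0x02:
        if (inlen != 1 + flen) return -1;
        memcpy(x, in + 1, flen);
        return FORM_COMPRESSED;
    case 0x04:
        if (in[0] != 0x04 || inlen != 1 + 2 * flen) return -1;
        memcpy(x, in + 1, flen);
        memcpy(y, in + 1 + flen, flen);
        *y_parity = y[flen - 1] & 1;
        return FORM_UNCOMPRESSED;
    case 0x06:
        if (inlen != 1 + 2 * flen) return -1;
        memcpy(x, in + 1, flen);
        memcpy(y, in + 1 + flen, flen);
        if ((y[flen - 1] & 1) != *y_parity) return -1;   /* parity mismatch */
        return FORM_HYBRID;
    default:
        return -1;
    }
}

/* Round-trip a constructed coordinate pair (chosen for the byte layout, not a
 * real curve point) through all three forms.  Returns the number of checks
 * that hold, 5 when the encoder and decoder agree. */
int selftest_point_forms(void)
{
    static const uint8_t px[4] = {0x12, 0x34, 0x56, 0x78};
    static const uint8_t py[4] = {0x9a, 0xbc, 0xde, 0xf1};   /* odd y */
    uint8_t enc[9], x[4], y[4];
    int parity, ok = 0;

    if (point2oct_prime(px, py, 4, FORM_COMPRESSED, enc, sizeof enc) == 5
        && enc[0] == 0x03) ok++;
    if (oct2point_prime(enc, 5, 4, x, y, &parity) == FORM_COMPRESSED
        && parity == 1 && memcmp(x, px, 4) == 0) ok++;
    if (point2oct_prime(px, py, 4, FORM_UNCOMPRESSED, enc, sizeof enc) == 9
        && enc[0] == 0x04 && memcmp(enc + 5, py, 4) == 0) ok++;
    if (point2oct_prime(px, py, 4, FORM_HYBRID, enc, sizeof enc) == 9
        && enc[0] == 0x07
        && oct2point_prime(enc, 9, 4, x, y, &parity) == FORM_HYBRID) ok++;
    enc[0] = 0x06;                        /* parity bit now contradicts y */
    if (oct2point_prime(enc, 9, 4, x, y, &parity) == -1) ok++;
    return ok;
}
```
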
  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID. The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
          EC_POINT_point2bn()
          EC_POINT_bn2point()
          EC_POINT_point2hex()
          EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
          EC_GROUP_set_generator()
          EC_GROUP_get_generator()
          EC_GROUP_get_order()
          EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
     (these are variants of 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. The curves can be obtained from the new
     functions
          EC_GROUP_new_by_nid()
          EC_GROUP_new_by_name()
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
          EC_GROUP_set_nid()
          EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de>, Bodo Moeller]

 Changes between 0.9.6d and 0.9.7 [XX xxx 2002]

  *) Improve diagnostics in file reading and command-line digests.
     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]

  *) Add AES modes CFB and OFB to the object database. Correct an
     error in AES-CFB decryption.
     [Richard Levitte]

  *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c; this
     allows existing EVP_CIPHER_CTX structures to be reused after
     calling EVP_*Final(). This behaviour is used by encryption
     BIOs and some applications. This has the side effect that
     applications must explicitly clean up cipher contexts with
     EVP_CIPHER_CTX_cleanup() or they will leak memory.
     [Steve Henson]

  *) Check the values of dna and dnb in bn_mul_recursive before calling
     bn_mul_comba (a non-zero value means the a or b arrays do not contain
     n2 elements) and fall back to bn_mul_normal if either is not zero.
     [Steve Henson]

  *) Fix escaping of non-ASCII characters when using the -subj option
     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
     [Lutz Jaenicke]

  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
     form for "surname", serialNumber has no short form.
     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
     therefore remove "mail" short name for "internet 7".
     The OID for unique identifiers in X509 certificates is
     x500UniqueIdentifier, not uniqueIdentifier.
     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
     [Lutz Jaenicke]

  *) Add an "init" command to the ENGINE config module and auto initialize
     ENGINEs. Without any "init" command the ENGINE will be initialized
     after all ctrl commands have been executed on it. If init=1 the
     ENGINE is initialized at that point (ctrls before that point are run
     on the uninitialized ENGINE and after on the initialized one). If
     init=0 then the ENGINE will not be initialized at all.
     [Steve Henson]

  *) Fix the 'app_verify_callback' interface so that the user-defined
     argument is actually passed to the callback: In the
     SSL_CTX_set_cert_verify_callback() prototype, the callback
     declaration has been changed from
          int (*cb)()
     into
          int (*cb)(X509_STORE_CTX *,void *);
     in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
          i=s->ctx->app_verify_callback(&ctx)
     has been changed into
          i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).

     To update applications using SSL_CTX_set_cert_verify_callback(),
     a dummy argument can be added to their callback functions.
     [D. K. Smetters <smetters@parc.xerox.com>]

  *) Added the '4758cca' ENGINE to support IBM 4758 cards.
     [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]

  *) Add an OPENSSL_LOAD_CONF define which will cause
     OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
     This allows older applications to transparently support certain
     OpenSSL features, such as crypto acceleration and dynamic ENGINE loading.
     Two new functions, OPENSSL_add_all_algorithms_noconf() which will never
     load the config file and OPENSSL_add_all_algorithms_conf() which will
     always load it, have also been added.
     [Steve Henson]

  *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
     Adjust NIDs and EVP layer.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) Config modules support in openssl utility.

     Most commands now load modules from the config file,
     though in a few (such as version) this isn't done
     because it couldn't be used for anything.

     In the case of ca and req the config file used is
     the same as the utility itself: that is, the -config
     command line option can be used to specify an
     alternative file.
     [Steve Henson]

  *) Move default behaviour from OPENSSL_config(). If appname is NULL
     use "openssl_conf"; if filename is NULL use the default openssl config file.
     [Steve Henson]

  *) Add an argument to OPENSSL_config() to allow the use of an alternative
     config section name. Add a new flag to tolerate a missing config file
     and move code to CONF_modules_load_file().
     [Steve Henson]

  *) Support for crypto accelerator cards from Accelerated Encryption
     Processing, www.aep.ie. (Use engine 'aep')
     The support was copied from 0.9.6c [engine] and adapted/corrected
     to work with the new engine framework.
     [AEP Inc. and Richard Levitte]

  *) Support for SureWare crypto accelerator cards from Baltimore
     Technologies. (Use engine 'sureware')
     The support was copied from 0.9.6c [engine] and adapted
     to work with the new engine framework.
     [Richard Levitte]

  *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
     make the newer ENGINE framework commands for the CHIL engine work.
     [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]

  *) Make it possible to produce shared libraries on ReliantUNIX.
     [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]

  *) Add the configuration target debug-linux-ppro.
     Make 'openssl rsa' use the general key loading routines
     implemented in apps.c, and make those routines able to
     handle the key format FORMAT_NETSCAPE and the variant
     FORMAT_IISSGC.
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Add -keyform to rsautl, and document -engine.
     [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]

  *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
     BIO_R_NO_SUCH_FILE error code rather than the generic
     ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
     [Ben Laurie]

  *) Add new functions
          ERR_peek_last_error
          ERR_peek_last_error_line
          ERR_peek_last_error_line_data.
     These are similar to
          ERR_peek_error
          ERR_peek_error_line
          ERR_peek_error_line_data,
     but report on the latest error recorded rather than the first one
     still in the error queue.
     [Ben Laurie, Bodo Moeller]

  *) default_algorithms option in ENGINE config module. This allows things
     like:
          default_algorithms = ALL
          default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
     [Steve Henson]

  *) Preliminary ENGINE config module.
     [Steve Henson]

  *) New experimental application configuration code.
     [Steve Henson]

  *) Change the AES code to follow the same name structure as all other
     symmetric ciphers, and behave the same way. Move everything to
     the directory crypto/aes, thereby obsoleting crypto/rijndael.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

  *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
     [Ben Laurie and Theo de Raadt]

  *) Add option to output public keys in req command.
     [Massimiliano Pala madwolf@openca.org]

  *) Use wNAFs in EC_POINTs_mul() for improved efficiency
     (up to about 10% better than before for P-192 and P-224).
     [Bodo Moeller]

  *) New functions/macros

          SSL_CTX_set_msg_callback(ctx, cb)
          SSL_CTX_set_msg_callback_arg(ctx, arg)
          SSL_set_msg_callback(ssl, cb)
          SSL_set_msg_callback_arg(ssl, arg)

     to request calling a callback function

          void cb(int write_p, int version, int content_type,
                  const void *buf, size_t len, SSL *ssl, void *arg)

     whenever a protocol message has been completely received
     (write_p == 0) or sent (write_p == 1). Here 'version' is the
     protocol version according to which the SSL library interprets
     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
     TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
     the content type as defined in the SSL 3.0/TLS 1.0 protocol
     specification (change_cipher_spec(20), alert(21), handshake(22)).
     'buf' and 'len' point to the actual message, 'ssl' to the
     SSL object, and 'arg' is the application-defined value set by
     SSL[_CTX]_set_msg_callback_arg().

     'openssl s_client' and 'openssl s_server' have new '-msg' options
     to enable a callback that displays all protocol messages.
     [Bodo Moeller]

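As an added example (not code from OpenSSL or its CHANGES file), here is a message callback with exactly the signature above that writes one audit line per protocol message and decodes the 4-byte Handshake header (msg_type, 24-bit length) that the library now hands over in front of the body, flagging a header length that disagrees with 'len'. The local SSL2_VERSION/SSL3_VERSION/TLS1_VERSION definitions, the opaque SSL typedef and the FILE * passed as 'arg' are assumptions made so that the file builds and runs without OpenSSL headers.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Protocol version numbers as OpenSSL defines them; local copies so this file
 * builds without <openssl/ssl.h> (the guard keeps the real ones if present). */
#ifndef SSL3_VERSION
#define SSL2_VERSION 0x0002
#define SSL3_VERSION 0x0300
#define TLS1_VERSION 0x0301
#endif

typedef struct ssl_st SSL;          /* opaque here; defined inside libssl */

static const char *version_name(int version)
{
    switch (version) {
    case SSL2_VERSION: return "SSLv2";
    case SSL3_VERSION: return "SSLv3";
    case TLS1_VERSION: return "TLSv1";
    default:           return "unknown-version";
    }
}

/* Record-layer content types named in the CHANGES entry (0 means SSL 2.0). */
static const char *content_type_name(int content_type)
{
    switch (content_type) {
    case 0:  return "ssl2";
    case 20: return "change_cipher_spec";
    case 21: return "alert";
    case 22: return "handshake";
    default: return "unknown-content-type";
    }
}

/* Format one audit line for a message handed to the callback.  For handshake
 * messages the buffer starts with the Handshake header (msg_type and a 24-bit
 * length) that ssl3_get_message now keeps in front of the body, so the header
 * is decoded and its length cross-checked against 'len'.  Returns the number
 * of characters written, or 0 if 'out' is too small. */
int describe_ssl_message(int write_p, int version, int content_type,
                         const unsigned char *buf, size_t len,
                         char *out, size_t outlen)
{
    const char *dir = write_p ? "sent" : "received";
    int n;

    if (content_type == 22 && len >= 4) {
        unsigned long body = ((unsigned long)buf[1] << 16)
                           | ((unsigned long)buf[2] << 8) | buf[3];
        n = snprintf(out, outlen, "%s %s handshake msg_type=%u length=%lu%s",
                     dir, version_name(version), (unsigned)buf[0], body,
                     body + 4 == len ? "" : " LENGTH-MISMATCH");
    } else if (content_type == 21 && len == 2) {
        n = snprintf(out, outlen, "%s %s alert level=%u description=%u",
                     dir, version_name(version), (unsigned)buf[0],
                     (unsigned)buf[1]);
    } else {
        n = snprintf(out, outlen, "%s %s %s len=%lu", dir,
                     version_name(version), content_type_name(content_type),
                     (unsigned long)len);
    }
    return (n < 0 || (size_t)n >= outlen) ? 0 : n;
}

/* The callback proper, with the signature from the CHANGES entry.  'arg' is
 * assumed to be a FILE * installed with SSL[_CTX]_set_msg_callback_arg();
 * NULL falls back to stderr. */
void audit_msg_callback(int write_p, int version, int content_type,
                        const void *buf, size_t len, SSL *ssl, void *arg)
{
    char line[160];
    (void)ssl;
    if (describe_ssl_message(write_p, version, content_type,
                             (const unsigned char *)buf, len,
                             line, sizeof line) > 0)
        fprintf(arg != NULL ? (FILE *)arg : stderr, "%s\n", line);
}

/* Run the formatter over constructed messages (not captured traffic) and
 * return how many of the 3 expectations hold. */
int selftest_describe(void)
{
    /* Handshake header: msg_type 1 (ClientHello), length 2, then a 2-byte body. */
    static const unsigned char hello[] = {0x01, 0x00, 0x00, 0x02, 0xaa, 0xbb};
    /* Same header but claiming 5 body bytes while only 2 follow. */
    static const unsigned char bad[]   = {0x01, 0x00, 0x00, 0x05, 0xaa, 0xbb};
    static const unsigned char alert[] = {0x02, 0x28};   /* fatal, handshake_failure */
    char line[160];
    int ok = 0;

    if (describe_ssl_message(0, TLS1_VERSION, 22, hello, sizeof hello,
                             line, sizeof line) > 0
        && strcmp(line, "received TLSv1 handshake msg_type=1 length=2") == 0) ok++;
    if (describe_ssl_message(1, SSL3_VERSION, 21, alert, sizeof alert,
                             line, sizeof line) > 0
        && strcmp(line, "sent SSLv3 alert level=2 description=40") == 0) ok++;
    if (describe_ssl_message(0, TLS1_VERSION, 22, bad, sizeof bad,
                             line, sizeof line) > 0
        && strstr(line, "LENGTH-MISMATCH") != NULL) ok++;
    return ok;
}
```
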
  *) Change the shared library support so shared libraries are built as
     soon as the corresponding static library is finished, and thereby get
     openssl and the test programs linked against the shared library.
     This still only happens when the keyword "shared" has been given to
     the configuration scripts.

     NOTE: shared library support is still an experimental thing, and
     backward binary compatibility is still not guaranteed.
     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]

  *) Add support for Subject Information Access extension.
     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]

  *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
     additional bytes when new memory had to be allocated, not just
     when reusing an existing buffer.
     [Bodo Moeller]

  *) New command line and configuration option 'utf8' for the req command.
     This allows field values to be specified as UTF8 strings.
     [Steve Henson]

  *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
     runs for the former and machine-readable output for the latter.
     [Ben Laurie]

  *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
     of the e-mail address in the DN (i.e., it will go into a certificate
     extension only). The new configuration file option 'email_in_dn = no'
     has the same effect.
     [Massimiliano Pala madwolf@openca.org]

  *) Change all functions with names starting with des_ to be starting
     with DES_ instead. Add wrappers that are compatible with libdes,
     but are named _ossl_old_des_*. Finally, add macros that map the
     des_* symbols to the corresponding _ossl_old_des_* if libdes
     compatibility is desired. If OpenSSL 0.9.6c compatibility is
     desired, the des_* symbols will be mapped to DES_*, with one
     exception.

     Since we provide two compatibility mappings, the user needs to
     define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
     compatibility is desired. The default (i.e., when that macro
     isn't defined) is OpenSSL 0.9.6c compatibility.

     There are also macros that enable and disable the support of old
     des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
     and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
     are defined, the default will apply: to support the old des routines.

     In either case, one must include openssl/des.h to get the correct
     definitions. Do not try to just include openssl/des_old.h, that
     won't work.

     NOTE: This is a major break of an old API into a new one. Software
     authors are encouraged to switch to the DES_ style functions. Some
     time in the future, des_old.h and the libdes compatibility functions
     will be disabled (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
     default), and then completely removed.
     [Richard Levitte]

  *) Test for certificates which contain unsupported critical extensions.
     If such a certificate is found during a verify operation it is
     rejected by default: this behaviour can be overridden by either
     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
     X509_supported_extension() has also been added which returns 1 if a
     particular extension is supported.
     [Steve Henson]

  *) Modify the behaviour of EVP cipher functions in a similar way to digests
     to retain compatibility with existing code.
     [Steve Henson]

  *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
     compatibility with existing code. In particular the 'ctx' parameter does
     not have to be initialized before the call to EVP_DigestInit() and
     it is tidied up after a call to EVP_DigestFinal(). New function
     EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
     EVP_MD_CTX_copy() changed to not require the destination to be
     initialized valid and new function EVP_MD_CTX_copy_ex() added which
     requires the destination to be valid.

     Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
     EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
     [Steve Henson]

  *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
     so that complete 'Handshake' protocol structures are kept in memory
     instead of overwriting 'msg_type' and 'length' with 'body' data.
     [Bodo Moeller]

  *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
     [Massimo Santin via Richard Levitte]

  *) Major restructuring to the underlying ENGINE code. This includes
     reduction of linker bloat, separation of pure "ENGINE" manipulation
     (initialisation, etc) from functionality dealing with implementations
     of specific crypto interfaces. This change also introduces integrated
     support for symmetric ciphers and digest implementations - so ENGINEs
     can now accelerate these by providing EVP_CIPHER and EVP_MD
     implementations of their own. This is detailed in crypto/engine/README
     as it couldn't be adequately described here. However, there are a few
     API changes worth noting - some RSA, DSA, DH, and RAND functions that
     were changed in the original introduction of ENGINE code have now
     reverted back - the hooking from this code to ENGINE is now a good
     deal more passive and at run-time, operations deal directly with
     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
     dereferencing through an ENGINE pointer any more. Also, the ENGINE
     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
     they were not being used by the framework as there is no concept of a
     BIGNUM_METHOD and they could not be generalised to the new
     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
     ENGINE_cpy() has been removed as it cannot be consistently defined in
     the new code.
     [Geoff Thorpe]

  *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
     [Steve Henson]

  *) Change mkdef.pl to sort symbols that get the same entry number,
     and make sure the automatically generated functions ERR_load_*
     become part of libeay.num as well.
     [Richard Levitte]

  *) New function SSL_renegotiate_pending(). This returns true once
     renegotiation has been requested (either SSL_renegotiate() call
     or HelloRequest/ClientHello received from the peer) and becomes
     false once a handshake has been completed.
     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
     sends a HelloRequest, but does not ensure that a handshake takes
     place. SSL_renegotiate_pending() is useful for checking if the
     client has followed the request.)
     [Bodo Moeller]

  *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
     By default, clients may request session resumption even during
     renegotiation (if session ID contexts permit); with this option,
     session resumption is possible only in the first handshake.

     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
     more bits available for options that should not be part of
     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
     [Bodo Moeller]

  *) Add some demos for certificate and certificate request creation.
     [Steve Henson]

  *) Make maximum certificate chain size accepted from the peer application
     settable (SSL*_get/set_max_cert_list()), as proposed by
     "Douglas E. Engert" <deengert@anl.gov>.
     [Lutz Jaenicke]

  *) Add support for shared libraries for Unixware-7
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
     be done prior to destruction. Use this to unload error strings from
     ENGINEs that load their own error strings. NB: This adds two new API
     functions to "get" and "set" this destroy handler in an ENGINE.
     [Geoff Thorpe]

  *) Alter all existing ENGINE implementations (except "openssl" and
     "openbsd") to dynamically instantiate their own error strings. This
     makes them more flexible to be built both as statically-linked ENGINEs
     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
     Also, add stub code to each that makes building them as self-contained
     shared-libraries easier (see README.ENGINE).
     [Geoff Thorpe]

  *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
     implementations into applications that are completely implemented in
     self-contained shared-libraries. The "dynamic" ENGINE exposes control
     commands that can be used to configure what shared-library to load and
     to control aspects of the way it is handled. Also, made an update to
     the README.ENGINE file that brings its information up-to-date and
     provides some information and instructions on the "dynamic" ENGINE
     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
     [Geoff Thorpe]

  *) Make it possible to unload ranges of ERR strings with a new
     "ERR_unload_strings" function.
     [Geoff Thorpe]

  *) Add a copy() function to EVP_MD.
     [Ben Laurie]

  *) Make EVP_MD routines take a context pointer instead of just the
     md_data void pointer.
     [Ben Laurie]

  *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
     that the digest can only process a single chunk of data
     (typically because it is provided by a piece of
     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
     is only going to provide a single chunk of data, and hence the
     framework needn't accumulate the data for oneshot drivers.
     [Ben Laurie]

  *) As with "ERR", make it possible to replace the underlying "ex_data"
     functions. This change also alters the storage and management of global
     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
     index counters. The API functions that use this state have been changed
     to take a "class_index" rather than pointers to the class's local STACK
     and counter, and there is now an API function to dynamically create new
     classes. This centralisation allows us to (a) plug a lot of the
     thread-safety problems that existed, and (b) makes it possible to clean
     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
     such data would previously have always leaked in application code and
     workarounds were in place to make the memory debugging turn a blind eye
     to it. Application code that doesn't use this new function will still
     leak as before, but their memory debugging output will announce it now
     rather than letting it slide.

     Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
     induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
     has a return value to indicate success or failure.
     [Geoff Thorpe]

  *) Make it possible to replace the underlying "ERR" functions such that the
     global state (2 LHASH tables and 2 locks) is only used by the "default"
     implementation. This change also adds two functions to "get" and "set"
     the implementation prior to it being automatically set the first time
     any other ERR function takes place. Ie. an application can call "get",
     pass the return value to a module it has just loaded, and that module
     can call its own "set" function using that value. This means the
     module's "ERR" operations will use (and modify) the error state in the
     application and not in its own statically linked copy of OpenSSL code.
     [Geoff Thorpe]

  *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
     the operation, and provides a more encapsulated way for external code
     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
     to use these functions rather than manually incrementing the counts.

     Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
     [Geoff Thorpe]

  *) Add EVP test program.
     [Ben Laurie]

  *) Add symmetric cipher support to ENGINE. Expect the API to change!
     [Ben Laurie]

  *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
     These allow a CRL to be built without having to access X509_CRL fields
     directly. Modify 'ca' application to use new functions.
     [Steve Henson]

  *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
     bug workarounds. Rollback attack detection is a security feature.
     The problem will only arise on OpenSSL servers when TLSv1 is not
     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
     Software authors not wanting to support TLSv1 will have special reasons
     for their choice and can explicitly enable this option.
     [Bodo Moeller, Lutz Jaenicke]

  *) Rationalise EVP so it can be extended: don't include a union of
     cipher/digest structures, add init/cleanup functions. This also reduces
     the number of header dependencies.
     Usage example:

         EVP_MD_CTX md;

         EVP_MD_CTX_init(&md);             /* new function call */
         EVP_DigestInit(&md, EVP_sha1());
         EVP_DigestUpdate(&md, in, len);
         EVP_DigestFinal(&md, out, NULL);
         EVP_MD_CTX_cleanup(&md);          /* new function call */

     [Ben Laurie]

  *) Make DES key schedule conform to the usual scheme, as well as
     correcting its structure. This means that calls to DES functions
     now have to pass a pointer to a des_key_schedule instead of a
     plain des_key_schedule (which was actually always a pointer
     anyway): E.g.,

         des_key_schedule ks;

         des_set_key_checked(..., &ks);
         des_ncbc_encrypt(..., &ks, ...);

     (Note that a later change renames 'des_...' into 'DES_...'.)
     [Ben Laurie]

  *) Initial reduction of linker bloat: the use of some functions, such as
     PEM, causes large amounts of unused functions to be linked in due to
     poor organisation. For example pem_all.c contains every PEM function,
     which has a knock-on effect of linking in large amounts of (unused)
     ASN1 code. Grouping together similar functions and splitting unrelated
     functions prevents this.
     [Steve Henson]

  *) Cleanup of EVP macros.
     [Ben Laurie]

  *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
     correct _ecb suffix.
     [Ben Laurie]

  *) Add initial OCSP responder support to ocsp application. The
     revocation information is handled using the text based index
     used by the ca application. The responder can either handle
     requests generated internally, supplied in files (for example
     via a CGI script) or using an internal minimal server.
     [Steve Henson]

  *) Add configuration choices to get zlib compression for TLS.
     [Richard Levitte]

  *) Changes to Kerberos SSL for RFC 2712 compliance:
     1. Implemented real KerberosWrapper, instead of just using
        KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
     2. Implemented optional authenticator field of KerberosWrapper.

     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
     and authenticator structs; see crypto/krb5/.

     Generalized Kerberos calls to support multiple Kerberos libraries.
     [Vern Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>
      via Richard Levitte]

  *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
     already does with RSA. testdsa.h now has 'priv_key/pub_key'
     values for each of the key sizes rather than having just
     parameters (and 'speed' generating keys each time).
     [Geoff Thorpe]

  *) Speed up EVP routines.
     Before:
encrypt
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
decrypt
des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
     After:
encrypt
des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
decrypt
des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
     [Ben Laurie]

  *) Added the OS2-EMX target.
     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]

  *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
     to support NCONF routines in extension code. New function CONF_set_nconf()
     to allow functions which take an NCONF to also handle the old LHASH
     structure: this means that the old CONF compatible routines can be
     retained (in particular wrt extensions) without having to duplicate the
     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
     [Steve Henson]

  *) Enhance the general user interface with mechanisms for inner control
     and with possibilities to have yes/no kind of prompts.
     [Richard Levitte]

  *) Change all calls to low level digest routines in the library and
     applications to use EVP. Add missing calls to HMAC_cleanup() and
     don't assume HMAC_CTX can be copied using memcpy().
     [Verdon Walker <VWalker@novell.com>, Steve Henson]

  *) Add the possibility to control engines through control names but with
     arbitrary arguments instead of just a string.
     Change the key loaders to take a UI_METHOD instead of a callback
     function pointer. NOTE: this breaks binary compatibility with earlier
     versions of OpenSSL [engine].
     Adapt the nCipher code for these new conditions and add a card insertion
     callback.
     [Richard Levitte]

  *) Enhance the general user interface with mechanisms to better support
     dialog box interfaces, application-defined prompts, the possibility
     to use defaults (for example default passwords from somewhere else)
     and interrupts/cancellations.
     [Richard Levitte]

  *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
     [Steve Henson]

  *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
     tidy up some unnecessarily weird code in 'sk_new()'.)
     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]

  *) Change the key loading routines for ENGINEs to use the same kind of
     callback (pem_password_cb) as all other routines that need this
     kind of callback.
     [Richard Levitte]

  *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
     256 bit (=32 byte) keys. Of course seeding with more entropy bytes
     than this minimum value is recommended.
     [Lutz Jaenicke]

  *) New random seeder for OpenVMS, using the system process statistics
     that are easily reachable.
     [Richard Levitte]

  *) Windows apparently can't transparently handle global
     variables defined in DLLs. Initialisations such as:

        const ASN1_ITEM *it = &ASN1_INTEGER_it;

     won't compile. This is used by any applications that need to
     declare their own ASN1 modules. This was fixed by adding the option
     EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
     needed for static libraries under Win32.
     [Steve Henson]

  *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
     setting of purpose and trust fields. New X509_STORE trust and
708 purpose functions and tidy up setting in other SSL functions.
709 [Steve Henson]
710
85fb12d5 711 *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
bdee69f7
DSH
712 structure. These are inherited by X509_STORE_CTX when it is
713 initialised. This allows various defaults to be set in the
714 X509_STORE structure (such as flags for CRL checking and custom
715 purpose or trust settings) for functions which only use X509_STORE_CTX
716 internally such as S/MIME.
717
718 Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
719 trust settings if they are not set in X509_STORE. This allows X509_STORE
720 purposes and trust (in S/MIME for example) to override any set by default.
721
722 Add command line options for CRL checking to smime, s_client and s_server
723 applications.
724 [Steve Henson]
725
85fb12d5 726 *) Initial CRL based revocation checking. If the CRL checking flag(s)
b545dc67
DSH
727 are set then the CRL is looked up in the X509_STORE structure and
728 its validity and signature checked, then if the certificate is found
729 in the CRL the verify fails with a revoked error.
730
731 Various new CRL related callbacks added to X509_STORE_CTX structure.
732
733 Command line options added to 'verify' application to support this.
734
735 This needs some additional work, such as being able to handle multiple
736 CRLs with different times, extension based lookup (rather than just
737 by subject name) and ultimately more complete V2 CRL extension
738 handling.
739 [Steve Henson]
740
85fb12d5 741 *) Add a general user interface API (crypto/ui/). This is designed
8a774dc9
BM
742 to replace things like des_read_password and friends (backward
743 compatibility functions using this new API are provided).
744 The purpose is to remove prompting functions from the DES code
745 section as well as provide for prompting through dialog boxes in
746 a window system and the like.
a63d5eaa
RL
747 [Richard Levitte]
748
85fb12d5 749 *) Add "ex_data" support to ENGINE so implementations can add state at a
e5a77633
GT
750 per-structure level rather than having to store it globally.
751 [Geoff]
752
85fb12d5 753 *) Make it possible for ENGINE structures to be copied when retrieved by
e5a77633
GT
754 ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
755 This causes the "original" ENGINE structure to act like a template,
756 analogous to the RSA vs. RSA_METHOD type of separation. Because of this
757 operational state can be localised to each ENGINE structure, despite the
758 fact they all share the same "methods". New ENGINE structures returned in
759 this case have no functional references and the return value is the single
760 structural reference. This matches the single structural reference returned
761 by ENGINE_by_id() normally, when it is incremented on the pre-existing
762 ENGINE structure.
763 [Geoff]
764
85fb12d5 765 *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
c962479b
DSH
766 needs to match any other type at all we need to manually clear the
767 tag cache.
768 [Steve Henson]
769
85fb12d5 770 *) Changes to the "openssl engine" utility to include;
2a8a10ed
GT
771 - verbosity levels ('-v', '-vv', and '-vvv') that provide information
772 about an ENGINE's available control commands.
773 - executing control commands from command line arguments using the
774 '-pre' and '-post' switches. '-post' is only used if '-t' is
775 specified and the ENGINE is successfully initialised. The syntax for
776 the individual commands are colon-separated, for example;
777 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
778 [Geoff]
779
85fb12d5 780 *) New dynamic control command support for ENGINEs. ENGINEs can now
2a8a10ed
GT
781 declare their own commands (numbers), names (strings), descriptions,
782 and input types for run-time discovery by calling applications. A
783 subset of these commands are implicitly classed as "executable"
784 depending on their input type, and only these can be invoked through
785 the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
786 can be based on user input, config files, etc). The distinction is
787 that "executable" commands cannot return anything other than a boolean
788 result and can only support numeric or string input, whereas some
789 discoverable commands may only be for direct use through
790 ENGINE_ctrl(), eg. supporting the exchange of binary data, function
791 pointers, or other custom uses. The "executable" commands are to
792 support parameterisations of ENGINE behaviour that can be
793 unambiguously defined by ENGINEs and used consistently across any
794 OpenSSL-based application. Commands have been added to all the
795 existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
796 control over shared-library paths without source code alterations.
797 [Geoff]
798
85fb12d5 799 *) Changed all ENGINE implementations to dynamically allocate their
2a8a10ed
GT
800 ENGINEs rather than declaring them statically. Apart from this being
801 necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
802 this also allows the implementations to compile without using the
803 internal engine_int.h header.
804 [Geoff]
805
85fb12d5 806 *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
4d6115a5
GT
807 'const' value. Any code that should be able to modify a RAND_METHOD
808 should already have non-const pointers to it (ie. they should only
809 modify their own ones).
810 [Geoff]
811
85fb12d5 812 *) Made a variety of little tweaks to the ENGINE code.
4d6115a5
GT
813 - "atalla" and "ubsec" string definitions were moved from header files
814 to C code. "nuron" string definitions were placed in variables
815 rather than hard-coded - allowing parameterisation of these values
816 later on via ctrl() commands.
817 - Removed unused "#if 0"'d code.
818 - Fixed engine list iteration code so it uses ENGINE_free() to release
819 structural references.
820 - Constified the RAND_METHOD element of ENGINE structures.
821 - Constified various get/set functions as appropriate and added
822 missing functions (including a catch-all ENGINE_cpy that duplicates
823 all ENGINE values onto a new ENGINE except reference counts/state).
824 - Removed NULL parameter checks in get/set functions. Setting a method
e13ae96d 825 or function to NULL is a way of cancelling out a previously set
4d6115a5
GT
826 value. Passing a NULL ENGINE parameter is just plain stupid anyway
827 and doesn't justify the extra error symbols and code.
828 - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
829 flags from engine_int.h to engine.h.
830 - Changed prototypes for ENGINE handler functions (init(), finish(),
831 ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
832 [Geoff]
833
85fb12d5 834 *) Implement binary inversion algorithm for BN_mod_inverse in addition
e3fefbfd 835 to the algorithm using long division. The binary algorithm can be
1f224bf0
BM
836 used only if the modulus is odd. On 32-bit systems, it is faster
837 only for relatively small moduli (roughly 20-30% for 128-bit moduli,
838 roughly 5-15% for 256-bit moduli), so we use it only for moduli
839 up to 450 bits. In 64-bit environments, the binary algorithm
840 appears to be advantageous for much longer moduli; here we use it
841 for moduli up to 2048 bits.
7d0d0996
BM
842 [Bodo Moeller]
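
     As an added example (not OpenSSL's BN_mod_inverse, which works on
     BIGNUMs), the two inversion strategies the entry above describes,
     written for 64-bit integers: the long-division (extended Euclid)
     version for any modulus, the shift-and-subtract binary version for
     odd moduli only, and a dispatcher that chooses between them the way
     the entry says the library does. The bit-length threshold, the
     helper names and the sample values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Modular inverses for moduli below 2^63 on plain 64-bit integers.
 * Added example modelled on the BN_mod_inverse entry; not OpenSSL code.
 * Every function returns 0 when no inverse exists. */

/* (x * y) mod n without overflow, via a 128-bit intermediate (GCC/Clang). */
static uint64_t mulmod(uint64_t x, uint64_t y, uint64_t n)
{
    return (uint64_t)(((unsigned __int128)x * y) % n);
}

/* Extended Euclid: one long division (q = old_r / r) per iteration. */
uint64_t mod_inverse_euclid(uint64_t a, uint64_t n)
{
    int64_t old_r, r, old_s = 1, s = 0;
    if (n == 0 || n >= (1ULL << 63))
        return 0;
    old_r = (int64_t)(a % n);
    r = (int64_t)n;
    if (old_r == 0)
        return 0;
    while (r != 0) {
        int64_t q = old_r / r, tmp;
        tmp = old_r - q * r; old_r = r; r = tmp;
        tmp = old_s - q * s; old_s = s; s = tmp;
    }
    if (old_r != 1)                 /* gcd(a, n) != 1: not invertible */
        return 0;
    return (uint64_t)(old_s < 0 ? old_s + (int64_t)n : old_s);
}

/* x/2 mod n for odd n: if x is odd, x + n is even and (x + n)/2 == x * 2^-1. */
static uint64_t halve_mod(uint64_t x, uint64_t n)
{
    return (x & 1) ? (x + n) >> 1 : x >> 1;
}

/* (x - y) mod n for 0 <= x, y < n. */
static uint64_t sub_mod(uint64_t x, uint64_t y, uint64_t n)
{
    return x >= y ? x - y : x + n - y;
}

/* Binary inversion: only shifts, compares and subtractions, no division.
 * Requires odd n, because halve_mod() relies on n being odd.
 * Invariants: u == a*x1 (mod n) and v == a*x2 (mod n) throughout. */
uint64_t mod_inverse_binary(uint64_t a, uint64_t n)
{
    uint64_t u, v, x1 = 1, x2 = 0;
    if ((n & 1) == 0 || n >= (1ULL << 63))
        return 0;                   /* even modulus: caller must use Euclid */
    u = a % n;
    v = n;
    if (u == 0)
        return 0;
    while (u != 0) {
        while ((u & 1) == 0) { u >>= 1; x1 = halve_mod(x1, n); }
        while ((v & 1) == 0) { v >>= 1; x2 = halve_mod(x2, n); }
        if (u >= v) { u -= v; x1 = sub_mod(x1, x2, n); }
        else        { v -= u; x2 = sub_mod(x2, x1, n); }
    }
    return v == 1 ? x2 : 0;         /* on exit v is gcd(a, n) */
}

/* Dispatcher mirroring the entry's policy: binary only for odd moduli up to
 * a size threshold, Euclid otherwise. With 64-bit words every modulus is
 * "small", so the threshold here is purely illustrative (assumed value). */
#define BINARY_INVERSE_MAX_BITS 64

uint64_t mod_inverse(uint64_t a, uint64_t n)
{
    int bits = 0;
    uint64_t t = n;
    while (t) { bits++; t >>= 1; }
    if ((n & 1) && bits <= BINARY_INVERSE_MAX_BITS)
        return mod_inverse_binary(a, n);
    return mod_inverse_euclid(a, n);
}

/* Independent check that inv really is a^-1 mod n. */
int is_inverse(uint64_t a, uint64_t inv, uint64_t n)
{
    return inv != 0 && mulmod(a % n, inv, n) == 1;
}

int main(void)
{
    uint64_t n = 1000000007ULL, a = 123456789ULL;   /* constructed sample values */
    printf("binary: %llu  euclid: %llu\n",
           (unsigned long long)mod_inverse_binary(a, n),
           (unsigned long long)mod_inverse_euclid(a, n));
    return 0;
}
```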

  *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
     could not support the combine flag in choice fields.
     [Steve Henson]

  *) Add a 'copy_extensions' option to the 'ca' utility. This copies
     extensions from a certificate request to the certificate.
     [Steve Henson]

  *) Allow multiple 'certopt' and 'nameopt' options to be separated
     by commas. Add 'namopt' and 'certopt' options to the 'ca' config
     file: this allows the display of the certificate about to be
     signed to be customised, to allow certain fields to be included
     or excluded and extension details. The old system didn't display
     multicharacter strings properly, omitted fields not in the policy
     and couldn't display additional details such as extensions.
     [Steve Henson]

  *) Function EC_POINTs_mul for multiple scalar multiplication
     of an arbitrary number of elliptic curve points
          \sum scalars[i]*points[i],
     optionally including the generator defined for the EC_GROUP:
          scalar*generator + \sum scalars[i]*points[i].

     EC_POINT_mul is a simple wrapper function for the typical case
     that the point list has just one item (besides the optional
     generator).
     [Bodo Moeller]

  *) First EC_METHODs for curves over GF(p):

     EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
     operations and provides various method functions that can also
     operate with faster implementations of modular arithmetic.

     EC_GFp_mont_method() reuses most functions that are part of
     EC_GFp_simple_method, but uses Montgomery arithmetic.

     [Bodo Moeller; point addition and point doubling
     implementation directly derived from source code provided by
     Lenka Fibikova <fibikova@exp-math.uni-essen.de>]

  *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
     crypto/ec/ec_lib.c):

     Curves are EC_GROUP objects (with an optional group generator)
     based on EC_METHODs that are built into the library.

     Points are EC_POINT objects based on EC_GROUP objects.

     Most of the framework would be able to handle curves over arbitrary
     finite fields, but as there are no obvious types for fields other
     than GF(p), some functions are limited to that for now.
     [Bodo Moeller]

  *) Add the -HTTP option to s_server. It is similar to -WWW, but requires
     that the file contains a complete HTTP response.
     [Richard Levitte]

  *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
     change the def and num file printf format specifier from "%-40sXXX"
     to "%-39s XXX". The latter will always guarantee a space after the
     field while the former will cause them to run together if the field
     is 40 or more characters long.
     [Steve Henson]

  *) Constify the cipher and digest 'method' functions and structures
     and modify related functions to take constant EVP_MD and EVP_CIPHER
     pointers.
     [Steve Henson]

  *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
     in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.
     [Bodo Moeller]

  *) Modify EVP_Digest*() routines so they now return values. Although the
     internal software routines can never fail, additional hardware versions
     might.
     [Steve Henson]

  *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:

     Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
     (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.

     ASN1 error codes
          ERR_R_NESTED_ASN1_ERROR
          ...
          ERR_R_MISSING_ASN1_EOS
     were 4 .. 9, conflicting with
          ERR_LIB_RSA (= ERR_R_RSA_LIB)
          ...
          ERR_LIB_PEM (= ERR_R_PEM_LIB).
     They are now 58 .. 63 (i.e., just below ERR_R_FATAL).

     Add new error code 'ERR_R_INTERNAL_ERROR'.
     [Bodo Moeller]

  *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
     suffices.
     [Bodo Moeller]

  *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
     sets the subject name for a new request or supersedes the
     subject name in a given request. Formats that can be parsed are
          'CN=Some Name, OU=myOU, C=IT'
     and
          'CN=Some Name/OU=myOU/C=IT'.

     Add options '-batch' and '-verbose' to 'openssl req'.
     [Massimiliano Pala <madwolf@hackmasters.net>]
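
     As an added example, not code from the 'req'/'ca' applications: a
     parser for the two '-subj' formats shown above that splits the string
     into (type, value) components and rejects malformed input. It assumes
     that a string containing a comma is in the comma-separated form and
     that '/' separates components otherwise; the struct and function
     names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SUBJ_MAX_RDN 16
#define SUBJ_MAX_LEN 64

typedef struct {
    char type[SUBJ_MAX_LEN];   /* e.g. "CN" */
    char value[SUBJ_MAX_LEN];  /* e.g. "Some Name" */
} subj_rdn;

/* Copy [start, end) into dst with surrounding whitespace removed.
 * Returns 0 for an empty field or one that does not fit. */
static int copy_trimmed(char *dst, size_t dst_len, const char *start, const char *end)
{
    size_t len;
    while (start < end && isspace((unsigned char)*start))
        start++;
    while (end > start && isspace((unsigned char)end[-1]))
        end--;
    len = (size_t)(end - start);
    if (len == 0 || len >= dst_len)
        return 0;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 1;
}

/* Parse "CN=Some Name, OU=myOU, C=IT" or "CN=Some Name/OU=myOU/C=IT".
 * Assumption: a comma anywhere selects the comma-separated form, otherwise
 * '/' is the separator. Returns the number of components, or -1 on
 * malformed input (component without '=', empty type or value, or more
 * components than max_out). */
int subj_parse(const char *subj, subj_rdn *out, int max_out)
{
    char sep = strchr(subj, ',') ? ',' : '/';
    const char *p = subj;
    int count = 0;

    while (*p != '\0') {
        const char *end = strchr(p, sep);
        const char *eq;
        if (end == NULL)
            end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL || count >= max_out)
            return -1;
        if (!copy_trimmed(out[count].type, SUBJ_MAX_LEN, p, eq))
            return -1;
        if (!copy_trimmed(out[count].value, SUBJ_MAX_LEN, eq + 1, end))
            return -1;
        count++;
        p = (*end == sep) ? end + 1 : end;
    }
    return count;
}

/* Parse subj and report whether component idx is exactly type=value. */
int subj_check(const char *subj, int idx, const char *type, const char *value)
{
    subj_rdn rdn[SUBJ_MAX_RDN];
    int n = subj_parse(subj, rdn, SUBJ_MAX_RDN);
    if (idx < 0 || idx >= n)
        return 0;
    return strcmp(rdn[idx].type, type) == 0 && strcmp(rdn[idx].value, value) == 0;
}

/* Parse and return only the component count (-1 on malformed input). */
int subj_count(const char *subj)
{
    subj_rdn rdn[SUBJ_MAX_RDN];
    return subj_parse(subj, rdn, SUBJ_MAX_RDN);
}

int main(void)
{
    subj_rdn rdn[SUBJ_MAX_RDN];
    int i, n = subj_parse("CN=Some Name, OU=myOU, C=IT", rdn, SUBJ_MAX_RDN);
    for (i = 0; i < n; i++)
        printf("%s = %s\n", rdn[i].type, rdn[i].value);
    return 0;
}
```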

  *) Introduce the possibility to access global variables through
     functions on platforms where that's the best way to handle exporting
     global variables in shared libraries. To enable this functionality,
     one must configure with "EXPORT_VAR_AS_FN" or define the C macro
     "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
     is normally done by Configure or something similar).

     To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
     in the source file (foo.c) like this:

          OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
          OPENSSL_IMPLEMENT_GLOBAL(double,bar);

     To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
     and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:

          OPENSSL_DECLARE_GLOBAL(int,foo);
          #define foo OPENSSL_GLOBAL_REF(foo)
          OPENSSL_DECLARE_GLOBAL(double,bar);
          #define bar OPENSSL_GLOBAL_REF(bar)

     The #defines are very important, and therefore so is including the
     header file everywhere where the defined globals are used.

     The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
     of ASN.1 items, but that structure is a bit different.

     The largest change is in util/mkdef.pl which has been enhanced with
     better and easier to understand logic to choose which symbols should
     go into the Windows .def files as well as a number of fixes and code
     cleanup (among others, algorithm keywords are now sorted
     lexicographically to avoid constant rewrites).
     [Richard Levitte]
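
     As an added example, a single-file reconstruction of the scheme the
     entry above describes, using the foo/bar names from the entry. The
     macro bodies are an assumption about how such macros can be written,
     not a copy of OpenSSL's own definitions, and the ossl_hide_/ossl_shadow_
     identifier prefixes are made up for this example. Removing the
     OPENSSL_EXPORT_VAR_AS_FUNCTION define switches the same source to
     plain exported variables.

```c
#include <stdio.h>

/* Added example; not OpenSSL's macro definitions. */
#define OPENSSL_EXPORT_VAR_AS_FUNCTION  /* remove to build with plain globals */

#ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
/* The storage is file-local; only an accessor function is exported, which
 * every shared-library mechanism can handle. The trailing tentative
 * definition lets "OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;" attach an
 * initialiser, exactly as written in the entry. */
# define OPENSSL_IMPLEMENT_GLOBAL(type, name)                          \
    static type ossl_hide_##name;                                      \
    type *ossl_shadow_##name(void) { return &ossl_hide_##name; }       \
    static type ossl_hide_##name
# define OPENSSL_DECLARE_GLOBAL(type, name) type *ossl_shadow_##name(void)
# define OPENSSL_GLOBAL_REF(name) (*ossl_shadow_##name())
#else
/* Conventional exported variable; the same source compiles unchanged. */
# define OPENSSL_IMPLEMENT_GLOBAL(type, name) type ossl_shadow_##name
# define OPENSSL_DECLARE_GLOBAL(type, name) extern type ossl_shadow_##name
# define OPENSSL_GLOBAL_REF(name) ossl_shadow_##name
#endif

/* ---- what foo.h would contain ---- */
OPENSSL_DECLARE_GLOBAL(int, foo);
#define foo OPENSSL_GLOBAL_REF(foo)
OPENSSL_DECLARE_GLOBAL(double, bar);
#define bar OPENSSL_GLOBAL_REF(bar)

/* ---- what foo.c would contain (after including foo.h) ----
 * The macro arguments are only ever token-pasted, so the #defines of foo
 * and bar above do not interfere with them. */
OPENSSL_IMPLEMENT_GLOBAL(int, foo) = 1;
OPENSSL_IMPLEMENT_GLOBAL(double, bar);

/* ---- any other translation unit: foo and bar read like plain variables.
 * Without the #defines from foo.h, the name "foo" would not resolve at all
 * in the function-accessor build, which is why the entry stresses them. */
int get_foo(void)        { return foo; }
int set_foo(int v)       { foo = v; return foo; }
double get_bar(void)     { return bar; }
double set_bar(double v) { bar = v; return bar; }

int main(void)
{
    printf("foo=%d bar=%g\n", get_foo(), get_bar());
    set_foo(get_foo() + 1);
    printf("foo=%d\n", get_foo());
    return 0;
}
```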

  *) In BN_div() keep a copy of the sign of 'num' before writing the
     result to 'rm' because if rm==num the value will be overwritten
     and produce the wrong result if 'num' is negative: this caused
     problems with BN_mod() and BN_nnmod().
     [Steve Henson]

  *) Function OCSP_request_verify(). This checks the signature on an
     OCSP request and verifies the signer certificate. The signer
     certificate is just checked for a generic purpose and OCSP request
     trust settings.
     [Steve Henson]

  *) Add OCSP_check_validity() function to check the validity of OCSP
     responses. OCSP responses are prepared in real time and may only
     be a few seconds old. Simply checking that the current time lies
     between thisUpdate and nextUpdate may reject otherwise valid responses
     because of either OCSP responder or client clock inaccuracy. Instead
     we allow thisUpdate and nextUpdate to fall within a certain period of
     the current time. The age of the response can also optionally be
     checked. Two new options -validity_period and -status_age added to
     ocsp utility.
     [Steve Henson]
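
     As an added example of the rule just described, written on plain
     time_t values rather than ASN1_GENERALIZEDTIME and therefore not
     OpenSSL's OCSP_check_validity(): thisUpdate may lie up to a tolerance
     in the future and nextUpdate up to the same tolerance in the past,
     with an optional age limit on thisUpdate. The enum names and the
     sample timestamps are constructed for this example.

```c
#include <stdio.h>
#include <time.h>

/* Added example modelling the OCSP_check_validity() entry; not OpenSSL code. */
enum ocsp_validity {
    OCSP_VALID = 0,
    OCSP_STATUS_NOT_YET_VALID,         /* thisUpdate lies too far in the future */
    OCSP_STATUS_TOO_OLD,               /* thisUpdate older than the age limit */
    OCSP_STATUS_EXPIRED,               /* nextUpdate lies too far in the past */
    OCSP_NEXTUPDATE_BEFORE_THISUPDATE  /* response is internally inconsistent */
};

/* this_update / next_update: the response's times as seconds since the epoch,
 * next_update == 0 meaning the responder omitted nextUpdate.
 * now:    the verifier's own clock.
 * nsec:   tolerated clock difference in seconds (the -validity_period idea).
 * maxsec: maximum acceptable age of thisUpdate, or -1 to skip the age check
 *         (the -status_age idea). */
enum ocsp_validity ocsp_check_validity(time_t this_update, time_t next_update,
                                       time_t now, long nsec, long maxsec)
{
    /* A naive "this_update <= now" would reject a response from a responder
     * whose clock runs slightly ahead; allow thisUpdate up to nsec ahead. */
    if (this_update > now + nsec)
        return OCSP_STATUS_NOT_YET_VALID;

    /* Optional freshness requirement, independent of nextUpdate. */
    if (maxsec >= 0 && this_update < now - maxsec)
        return OCSP_STATUS_TOO_OLD;

    if (next_update != 0) {
        /* Symmetrically, tolerate nextUpdate up to nsec in the past. */
        if (next_update < now - nsec)
            return OCSP_STATUS_EXPIRED;
        if (next_update < this_update)
            return OCSP_NEXTUPDATE_BEFORE_THISUPDATE;
    }
    return OCSP_VALID;
}

const char *ocsp_validity_str(enum ocsp_validity v)
{
    switch (v) {
    case OCSP_VALID:                        return "valid";
    case OCSP_STATUS_NOT_YET_VALID:         return "status not yet valid";
    case OCSP_STATUS_TOO_OLD:               return "status too old";
    case OCSP_STATUS_EXPIRED:               return "status expired";
    case OCSP_NEXTUPDATE_BEFORE_THISUPDATE: return "nextUpdate before thisUpdate";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample: response produced 10 s ago, good for 10 more minutes,
     * checked with 5 minutes of tolerated skew and a 1 hour age limit. */
    time_t now = 1000000000;
    enum ocsp_validity v = ocsp_check_validity(now - 10, now + 600, now, 300, 3600);
    printf("%s\n", ocsp_validity_str(v));
    return 0;
}
```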
1011
85fb12d5 1012 *) If signature or public key algorithm is unrecognized print out its
e3fefbfd 1013 OID rather that just UNKNOWN.
4ff18c8c
DSH
1014 [Steve Henson]
1015
85fb12d5 1016 *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
d7c06e9e
DSH
1017 OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
1018 ID to be generated from the issuer certificate alone which can then be
1019 passed to OCSP_id_issuer_cmp().
1020 [Steve Henson]
1021
85fb12d5 1022 *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
386828d0
DSH
1023 ASN1 modules to export functions returning ASN1_ITEM pointers
1024 instead of the ASN1_ITEM structures themselves. This adds several
1025 new macros which allow the underlying ASN1 function/structure to
1026 be accessed transparently. As a result code should not use ASN1_ITEM
1027 references directly (such as &X509_it) but instead use the relevant
1028 macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
1029 use of the new ASN1 code on platforms where exporting structures
1030 is problematical (for example in shared libraries) but exporting
1031 functions returning pointers to structures is not.
1032 [Steve Henson]
1033
85fb12d5 1034 *) Add support for overriding the generation of SSL/TLS session IDs.
fa2b8db4
GT
1035 These callbacks can be registered either in an SSL_CTX or per SSL.
1036 The purpose of this is to allow applications to control, if they wish,
1037 the arbitrary values chosen for use as session IDs, particularly as it
1038 can be useful for session caching in multiple-server environments. A
1039 command-line switch for testing this (and any client code that wishes
1040 to use such a feature) has been added to "s_server".
1041 [Geoff Thorpe, Lutz Jaenicke]
1042
85fb12d5 1043 *) Modify mkdef.pl to recognise and parse preprocessor conditionals
d399fdf8
RL
1044 of the form '#if defined(...) || defined(...) || ...' and
1045 '#if !defined(...) && !defined(...) && ...'. This also avoids
1046 the growing number of special cases it was previously handling.
1047 [Richard Levitte]
1048
85fb12d5 1049 *) Make all configuration macros available for application by making
cf1b7d96
RL
1050 sure they are available in opensslconf.h, by giving them names starting
1051 with "OPENSSL_" to avoid conflicts with other packages and by making
1052 sure e_os2.h will cover all platform-specific cases together with
1053 opensslconf.h.
2affbab9
RL
1054 Additionally, it is now possible to define configuration/platform-
1055 specific names (called "system identities"). In the C code, these
1056 are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another
1057 macro with the name beginning with "OPENSSL_SYS_", which is determined
1058 from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
1059 what is available.
cf1b7d96
RL
1060 [Richard Levitte]
1061
85fb12d5 1062 *) New option -set_serial to 'req' and 'x509' this allows the serial
acba75c5
DSH
1063 number to use to be specified on the command line. Previously self
1064 signed certificates were hard coded with serial number 0 and the
1065 CA options of 'x509' had to use a serial number in a file which was
1066 auto incremented.
1067 [Steve Henson]
1068
85fb12d5 1069 *) New options to 'ca' utility to support V2 CRL entry extensions.
a6b7ffdd
DSH
1070 Currently CRL reason, invalidity date and hold instruction are
1071 supported. Add new CRL extensions to V3 code and some new objects.
1072 [Steve Henson]
1073
85fb12d5 1074 *) New function EVP_CIPHER_CTX_set_padding() this is used to
f2e5ca84
DSH
1075 disable standard block padding (aka PKCS#5 padding) in the EVP
1076 API, which was previously mandatory. This means that the data is
1077 not padded in any way and so the total length much be a multiple
1078 of the block size, otherwise an error occurs.
1079 [Steve Henson]
1080
85fb12d5 1081 *) Initial (incomplete) OCSP SSL support.
cdc7b8cc
DSH
1082 [Steve Henson]
1083
85fb12d5 1084 *) New function OCSP_parse_url(). This splits up a URL into its host,
67c18019
DSH
1085 port and path components: primarily to parse OCSP URLs. New -url
1086 option to ocsp utility.
1087 [Steve Henson]
1088
85fb12d5 1089 *) New nonce behavior. The return value of OCSP_check_nonce() now
46a58ab9
DSH
1090 reflects the various checks performed. Applications can decide
1091 whether to tolerate certain situations such as an absent nonce
1092 in a response when one was present in a request: the ocsp application
1093 just prints out a warning. New function OCSP_add1_basic_nonce()
1094 this is to allow responders to include a nonce in a response even if
1095 the request is nonce-less.
1096 [Steve Henson]
1097
85fb12d5 1098 *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
620cea37
BM
1099 skipped when using openssl x509 multiple times on a single input file,
1100 e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
1101 [Bodo Moeller]
1102
85fb12d5 1103 *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
ccb08f98
DSH
1104 set string type: to handle setting ASN1_TIME structures. Fix ca
1105 utility to correctly initialize revocation date of CRLs.
1106 [Steve Henson]
1107
85fb12d5 1108 *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
836f9960
LJ
1109 the clients preferred ciphersuites and rather use its own preferences.
1110 Should help to work around M$ SGC (Server Gated Cryptography) bug in
1111 Internet Explorer by ensuring unchanged hash method during stepup.
b72faddc 1112 (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
836f9960
LJ
1113 [Lutz Jaenicke]
1114
85fb12d5 1115 *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
c47c6196
DSH
1116 to aes and add a new 'exist' option to print out symbols that don't
1117 appear to exist.
1118 [Steve Henson]
1119
85fb12d5 1120 *) Additional options to ocsp utility to allow flags to be set and
8c950429
DSH
1121 additional certificates supplied.
1122 [Steve Henson]
1123
85fb12d5 1124 *) Add the option -VAfile to 'openssl ocsp', so the user can give the
9235adbf
RL
1125 OCSP client a number of certificate to only verify the response
1126 signature against.
1127 [Richard Levitte]
1128
85fb12d5 1129 *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
deb2c1a1 1130 handle the new API. Currently only ECB, CBC modes supported. Add new
47234cd3
BM
1131 AES OIDs.
1132
1133 Add TLS AES ciphersuites as described in the "AES Ciphersuites
f257d984 1134 for TLS" draft-ietf-tls-ciphersuite-06.txt. As these are not yet
47234cd3
BM
1135 official, they are not enabled by default and are not even part
1136 of the "ALL" ciphersuite alias; for now, they must be explicitly
1137 requested by specifying the new "AESdraft" ciphersuite alias. If
1138 you want the default ciphersuite list plus the new ciphersuites,
1139 use "DEFAULT:AESdraft:@STRENGTH".
1140 [Ben Laurie, Steve Henson, Bodo Moeller]
deb2c1a1 1141
85fb12d5 1142 *) New function OCSP_copy_nonce() to copy nonce value (if present) from
26e083cc
DSH
1143 request to response.
1144 [Steve Henson]
1145
85fb12d5 1146 *) Functions for OCSP responders. OCSP_request_onereq_count(),
02e4fbed
DSH
1147 OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
1148 extract information from a certificate request. OCSP_response_create()
1149 creates a response and optionally adds a basic response structure.
1150 OCSP_basic_add1_status() adds a complete single response to a basic
e3fefbfd 1151 response and returns the OCSP_SINGLERESP structure just added (to allow
02e4fbed
DSH
1152 extensions to be included for example). OCSP_basic_add1_cert() adds a
1153 certificate to a basic response and OCSP_basic_sign() signs a basic
1154 response with various flags. New helper functions ASN1_TIME_check()
1155 (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
1156 (converts ASN1_TIME to GeneralizedTime).
1157 [Steve Henson]
1158
85fb12d5 1159 *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
88ce56f8 1160 in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
e3fefbfd 1161 structure from a certificate. X509_pubkey_digest() digests the public_key
88ce56f8
DSH
1162 contents: this is used in various key identifiers.
1163 [Steve Henson]
1164
85fb12d5 1165 *) Make sk_sort() tolerate a NULL argument.
b8470240
DSH
1166 [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
1167
85fb12d5 1168 *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
50d51991 1169 passed by the function are trusted implicitly. If any of them signed the
e3fefbfd 1170 response then it is assumed to be valid and is not verified.
50d51991
DSH
1171 [Steve Henson]
1172
85fb12d5 1173 *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
a43cf9fa
DSH
1174 to data. This was previously part of the PKCS7 ASN1 code. This
1175 was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
1176 [Steve Henson, reported by Kenneth R. Robinette
1177 <support@securenetterm.com>]
1178
85fb12d5 1179 *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
a43cf9fa
DSH
1180 routines: without these tracing memory leaks is very painful.
1181 Fix leaks in PKCS12 and PKCS7 routines.
1182 [Steve Henson]
1183
85fb12d5 1184 *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
ba8e2824
DSH
1185 Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
1186 effectively meant GeneralizedTime would never be used. Now it
1187 is initialised to -1 but X509_time_adj() now has to check the value
1188 and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
1189 V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
1190 [Steve Henson, reported by Kenneth R. Robinette
1191 <support@securenetterm.com>]
1192
85fb12d5 1193 *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
8e8972bb
DSH
1194 result in a zero length in the ASN1_INTEGER structure which was
1195 not consistent with the structure when d2i_ASN1_INTEGER() was used
1196 and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
1197 to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
1198 where it did not print out a minus for negative ASN1_INTEGER.
1199 [Steve Henson]
1200
85fb12d5 1201 *) Add summary printout to ocsp utility. The various functions which
73758d43
DSH
1202 convert status values to strings have been renamed to:
1203 OCSP_response_status_str(), OCSP_cert_status_str() and
1204 OCSP_crl_reason_str() and are no longer static. New options
1205 to verify nonce values and to disable verification. OCSP response
1206 printout format cleaned up.
1207 [Steve Henson]
1208
85fb12d5 1209 *) Add additional OCSP certificate checks. These are those specified
e8af92fc
DSH
1210 in RFC2560. This consists of two separate checks: the CA of the
1211 certificate being checked must either be the OCSP signer certificate
1212 or the issuer of the OCSP signer certificate. In the latter case the
1213 OCSP signer certificate must contain the OCSP signing extended key
1214 usage. This check is performed by attempting to match the OCSP
1215 signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
1216 in the OCSP_CERTID structures of the response.
1217 [Steve Henson]
1218
85fb12d5 1219 *) Initial OCSP certificate verification added to OCSP_basic_verify()
81f169e9
DSH
1220 and related routines. This uses the standard OpenSSL certificate
1221 verify routines to perform initial checks (just CA validity) and
1222 to obtain the certificate chain. Then additional checks will be
1223 performed on the chain. Currently the root CA is checked to see
1224 if it is explicitly trusted for OCSP signing. This is used to set
1225 a root CA as a global signing root: that is any certificate that
1226 chains to that CA is an acceptable OCSP signing certificate.
1227 [Steve Henson]
1228
85fb12d5 1229 *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
dfebac32
BM
1230 extensions from a separate configuration file.
1231 As when reading extensions from the main configuration file,
1232 the '-extensions ...' option may be used for specifying the
1233 section to use.
1234 [Massimiliano Pala <madwolf@comune.modena.it>]
1235
85fb12d5 1236 *) New OCSP utility. Allows OCSP requests to be generated or
5782ceb2
DSH
1237 read. The request can be sent to a responder and the output
1238 parsed, outputed or printed in text form. Not complete yet:
1239 still needs to check the OCSP response validity.
1240 [Steve Henson]
1241
85fb12d5 1242 *) New subcommands for 'openssl ca':
c67cdb50
BM
1243 'openssl ca -status <serial>' prints the status of the cert with
1244 the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl. This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR. This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Allow defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int). The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments. To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

         CRYPTO_set_mem_ex_functions
         CRYPTO_set_locked_mem_ex_functions
         CRYPTO_get_mem_ex_functions
         CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]
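
As an added illustration of the extended-callback idea in this entry (example code written for this page, not OpenSSL's CRYPTO_set_mem_ex_functions implementation): a callback table whose malloc/realloc hooks receive the caller's file and line, and a tracking implementation that uses them to report unfreed blocks with their origin. The names mem_set_ex_functions, MEM_ALLOC, mem_live_count and mem_report_leaks are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Callback types: the "ex" variants receive the caller's file and line. */
typedef void *(*malloc_ex_fn)(size_t, const char *, int);
typedef void *(*realloc_ex_fn)(void *, size_t, const char *, int);
typedef void (*free_fn)(void *);

/* Defaults: plain libc, ignoring the extra arguments. */
static void *default_malloc_ex(size_t n, const char *f, int l) { (void)f; (void)l; return malloc(n); }
static void *default_realloc_ex(void *p, size_t n, const char *f, int l) { (void)f; (void)l; return realloc(p, n); }

static malloc_ex_fn  cur_malloc_ex  = default_malloc_ex;
static realloc_ex_fn cur_realloc_ex = default_realloc_ex;
static free_fn       cur_free       = free;

/* Register extended callbacks (hypothetical name, modelled on the set/get
 * pattern the entry describes). Returns 1 on success, 0 on a NULL argument. */
int mem_set_ex_functions(malloc_ex_fn m, realloc_ex_fn r, free_fn f)
{
    if (m == NULL || r == NULL || f == NULL) return 0;
    cur_malloc_ex = m; cur_realloc_ex = r; cur_free = f;
    return 1;
}

/* Entry points for application code: __FILE__/__LINE__ are captured at the
 * call site, which is exactly what the extra arguments exist for. */
#define MEM_ALLOC(n)      cur_malloc_ex((n), __FILE__, __LINE__)
#define MEM_REALLOC(p, n) cur_realloc_ex((p), (n), __FILE__, __LINE__)
#define MEM_FREE(p)       cur_free(p)

/* A tracking implementation: fixed table of live blocks with their origin. */
#define MAX_LIVE 64
struct live { void *ptr; size_t size; const char *file; int line; };
static struct live live_tab[MAX_LIVE];

static int find_slot(void *p)     /* p == NULL finds a free slot */
{
    int i;
    for (i = 0; i < MAX_LIVE; i++)
        if (live_tab[i].ptr == p) return i;
    return -1;
}

static void record(int i, void *p, size_t n, const char *file, int line)
{
    if (i < 0 || p == NULL) return;    /* table full or allocation failed */
    live_tab[i].ptr = p; live_tab[i].size = n;
    live_tab[i].file = file; live_tab[i].line = line;
}

static void *track_malloc(size_t n, const char *file, int line)
{
    void *p = malloc(n);
    record(find_slot(NULL), p, n, file, line);
    return p;
}

static void *track_realloc(void *p, size_t n, const char *file, int line)
{
    int i = find_slot(p);              /* slot of the old block (or a free one) */
    void *q = realloc(p, n);
    record(i, q, n, file, line);       /* block may have moved: update the slot */
    return q;
}

static void track_free(void *p)
{
    int i = p ? find_slot(p) : -1;
    if (i >= 0) memset(&live_tab[i], 0, sizeof live_tab[i]);
    free(p);
}

/* Blocks still allocated; non-zero at shutdown means a leak. */
int mem_live_count(void)
{
    int i, n = 0;
    for (i = 0; i < MAX_LIVE; i++) if (live_tab[i].ptr) n++;
    return n;
}

/* Print every outstanding block with the file:line that allocated it. */
void mem_report_leaks(FILE *out)
{
    int i;
    for (i = 0; i < MAX_LIVE; i++)
        if (live_tab[i].ptr)
            fprintf(out, "leak: %lu bytes from %s:%d\n",
                    (unsigned long)live_tab[i].size, live_tab[i].file, live_tab[i].line);
}

/* Exercise: one block freed, one (b) deliberately left live. Returns the
 * live count afterwards, expected to be 1. */
int mem_demo(void)
{
    char *a, *b;
    mem_set_ex_functions(track_malloc, track_realloc, track_free);
    a = MEM_ALLOC(16);
    b = MEM_ALLOC(8);
    b = MEM_REALLOC(b, 32);
    MEM_FREE(a);
    mem_report_leaks(stdout);
    return mem_live_count();
}
```

The point of the file/line arguments is visible in mem_report_leaks: without them a leak report can only say how many bytes are outstanding, with them it names the allocation site.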

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
     [Geoff Thorpe]

  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If /dev/[u]random devices are not available or do not return enough
     entropy, EGD style sockets (served by EGD or PRNGD) will automatically
     be queried.
     The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
     /etc/entropy will be queried once each in this sequence; querying stops
     when enough entropy has been collected without querying more sockets.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected. We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode. DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
     [Richard Levitte]
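
Added example of the polling loop this entry describes, written for this page rather than taken from rand_unix.c: open each device from a DEVRANDOM-style list non-blocking, wait at most 10 ms per device in select(), and stop as soon as enough bytes have been collected. The function names and the device list constant are assumptions of this example; a device that does not exist is skipped rather than treated as an error, and a device that has nothing to offer within its 10 ms budget is abandoned for the next one.

```c
#include <fcntl.h>
#include <stddef.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

#define DEV_TIMEOUT_USEC 10000   /* 10 ms budget per device, as in the entry */

/* Same default list as the entry; NULL-terminated. */
static const char *const devices[] = { "/dev/urandom", "/dev/random", "/dev/srandom", NULL };

/* Poll the devices in order until 'want' bytes are in buf.
 * Returns the number of bytes actually collected (<= want). */
size_t poll_random_devices(const char *const *devs, unsigned char *buf, size_t want)
{
    size_t got = 0;
    for (; *devs != NULL && got < want; devs++) {
        int fd = open(*devs, O_RDONLY | O_NONBLOCK | O_NOCTTY);
        struct timeval tv;
        if (fd < 0) continue;              /* missing device: silently skip */
        tv.tv_sec = 0;
        tv.tv_usec = DEV_TIMEOUT_USEC;     /* whole budget for this device */
        while (got < want) {
            fd_set rfds;
            ssize_t r;
            FD_ZERO(&rfds);
            FD_SET(fd, &rfds);
            /* Wait for readability, at most the remaining budget. */
            if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0) break; /* timeout/error */
            r = read(fd, buf + got, want - got);   /* non-blocking read */
            if (r <= 0) break;             /* EAGAIN, EOF or error: next device */
            got += (size_t)r;
        }
        close(fd);
    }
    return got;
}

/* Convenience wrapper using the default list. */
size_t collect_entropy(unsigned char *buf, size_t want)
{
    return poll_random_devices(devices, buf, want);
}
```

On Linux select() decrements the timeval it was given, so the 10 ms cap applies to the device as a whole, not to each read; on systems that leave the timeval untouched the cap is per select() call, which is still bounded because a read that returns nothing ends the inner loop.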

  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need, as opposed to those which an
     OCSP responder itself would need, which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns the status of an OCSP
     response. OCSP_response_get1_basic() extracts the basic response
     from a response. OCSP_resp_find_status() finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     won't normally be used unless the application wishes to examine
     extensions in the OCSP response, for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name, which
     will be added elsewhere.
     [Steve Henson]

  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognise more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
     [Steve Henson]

  *) New extension functions for OCSP structures; these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certificates and CRLs.
     [Steve Henson]

  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up OCSP print format.
     [Steve Henson]

  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
     entries for variables.
     [Steve Henson]

  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
     [Steve Henson]

  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]
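
Both PKCS#7 entries above (the PKCS7_ATTR_SIGN reorder template and this SET OF plus SEQUENCE OF flag combination) hinge on DER's ordering rule for SET OF. The added example below, written for this page and not OpenSSL's template code, implements that rule (X.690 11.6: elements in ascending order of their encodings, compared as octet strings with the shorter one padded with zero octets), so a signer can put attributes into encoded order before hashing them and a verifier can tell whether a peer respected the rule. The type and function names are this example's own; the three attribute encodings are constructed sample bytes.

```c
#include <stdlib.h>
#include <string.h>

/* One already-encoded element of a SET OF. */
typedef struct { const unsigned char *der; size_t len; } der_elem;

/* X.690 11.6 comparison: compare as octet strings, padding the shorter
 * encoding with trailing 0x00 bytes. */
static int der_setof_cmp(const void *pa, const void *pb)
{
    const der_elem *a = pa, *b = pb;
    size_t n = a->len < b->len ? a->len : b->len;
    size_t i;
    int c = memcmp(a->der, b->der, n);
    if (c != 0) return c;
    /* equal prefix: the longer one is greater unless its tail is all zero */
    for (i = n; i < a->len; i++) if (a->der[i]) return 1;
    for (i = n; i < b->len; i++) if (b->der[i]) return -1;
    return 0;
}

/* Sort the elements in place into DER SET OF order (what the signer does). */
void der_setof_sort(der_elem *elems, size_t count)
{
    qsort(elems, count, sizeof(*elems), der_setof_cmp);
}

/* 1 if the elements are already in DER order (what a strict verifier checks;
 * the entry explains why PKCS7_ATTR_VERIFY is tolerant instead). */
int der_setof_is_sorted(const der_elem *elems, size_t count)
{
    size_t i;
    for (i = 1; i < count; i++)
        if (der_setof_cmp(&elems[i - 1], &elems[i]) > 0) return 0;
    return 1;
}

/* Constructed sample: three minimal attribute-like encodings, deliberately
 * out of DER order. attr_a and attr_b differ only in the OID's last byte;
 * attr_c is shorter and so sorts first (0x03 < 0x05 in the length octet). */
static const unsigned char attr_a[] = { 0x30, 0x05, 0x06, 0x03, 0x2a, 0x03, 0x04 };
static const unsigned char attr_b[] = { 0x30, 0x05, 0x06, 0x03, 0x2a, 0x01, 0x04 };
static const unsigned char attr_c[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };

/* Demonstration: sorts the sample set and returns the first content byte
 * of the smallest element (expect attr_c's 0x02); negative on failure. */
int der_setof_demo(void)
{
    der_elem set[3] = { { attr_a, sizeof attr_a }, { attr_b, sizeof attr_b }, { attr_c, sizeof attr_c } };
    if (der_setof_is_sorted(set, 3)) return -1;   /* sample is intentionally unsorted */
    der_setof_sort(set, 3);
    if (!der_setof_is_sorted(set, 3)) return -2;
    return set[0].der[2];
}
```

Because DER encodings are self-delimiting, one encoding is never a proper prefix of another, so in practice memcmp() decides every comparison; the zero-padding branch is kept so the function matches the standard's definition exactly.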

  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d, d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

  *) Added Kerberos Cipher Suites to be used with TLS, as written in
     RFC 2712.
     [Veers Staats <staatsvr@asc.hpc.mil>,
      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]

  *) Reformat the FAQ so the different questions and answers can be divided
     in sections depending on the subject.
     [Richard Levitte]

  *) Have the zlib compression code load ZLIB.DLL dynamically under
     Windows.
     [Richard Levitte]

  *) New function BN_mod_sqrt for computing square roots modulo a prime
     (using the probabilistic Tonelli-Shanks algorithm unless
     p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
     be handled deterministically).
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
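
An added, word-sized illustration of the case split this entry describes (example code, not OpenSSL's BN_mod_sqrt): the two deterministic cases p == 3 (mod 4) and p == 5 (mod 8) use closed-form exponentiations, the remaining case uses Tonelli-Shanks with a linear scan for a non-residue, and an input that is not a square is reported rather than returning a wrong root. The function names are this example's; it relies on the compiler's 128-bit integer type for the modular multiplication and assumes p is an odd prime.

```c
#include <stdint.h>

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t p)
{
    return (uint64_t)((unsigned __int128)a * b % p);
}

static uint64_t powmod(uint64_t a, uint64_t e, uint64_t p)
{
    uint64_t r = 1;
    a %= p;
    for (; e; e >>= 1, a = mulmod(a, a, p))
        if (e & 1) r = mulmod(r, a, p);
    return r;
}

/* Euler's criterion: 1 if a is a non-zero square mod p. */
int is_quadratic_residue(uint64_t a, uint64_t p)
{
    a %= p;
    return a != 0 && powmod(a, (p - 1) / 2, p) == 1;
}

/* Returns 1 and sets *root with root*root == a (mod p), or 0 if a is not
 * a residue. a == 0 yields root 0. p must be an odd prime. */
int mod_sqrt(uint64_t a, uint64_t p, uint64_t *root)
{
    uint64_t q, s, z, c, r, t, m;
    a %= p;
    if (a == 0) { *root = 0; return 1; }
    if (!is_quadratic_residue(a, p)) return 0;

    if (p % 4 == 3) {               /* deterministic: a^((p+1)/4) */
        *root = powmod(a, (p + 1) / 4, p);
        return 1;
    }
    if (p % 8 == 5) {               /* deterministic (Atkin's formula) */
        uint64_t v = powmod(mulmod(2, a, p), (p - 5) / 8, p);      /* (2a)^((p-5)/8) */
        uint64_t i = mulmod(mulmod(2, a, p), mulmod(v, v, p), p);  /* 2a v^2, i^2 == -1 */
        *root = mulmod(mulmod(a, v, p), (i + p - 1) % p, p);       /* a v (i - 1) */
        return 1;
    }
    /* Tonelli-Shanks: write p-1 = q * 2^s with q odd. */
    q = p - 1; s = 0;
    while ((q & 1) == 0) { q >>= 1; s++; }
    /* A quadratic non-residue z; half of all candidates qualify, so this
     * probabilistic step terminates after a couple of tries in practice. */
    for (z = 2; is_quadratic_residue(z, p); z++) { }
    c = powmod(z, q, p);
    r = powmod(a, (q + 1) / 2, p);
    t = powmod(a, q, p);
    m = s;
    while (t != 1) {
        uint64_t i = 0, tt = t, b, j;
        while (tt != 1) { tt = mulmod(tt, tt, p); i++; }       /* least i: t^(2^i) == 1 */
        b = c;
        for (j = 0; j + i + 1 < m; j++) b = mulmod(b, b, p);   /* b = c^(2^(m-i-1)) */
        r = mulmod(r, b, p);
        c = mulmod(b, b, p);
        t = mulmod(t, c, p);
        m = i;
    }
    *root = r;
    return 1;
}
```

The residue check up front matters: for a non-residue, the p == 3 (mod 4) formula still returns a value, just not a square root of a, so a caller that skips the check gets a plausible-looking wrong answer.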

  *) Make BN_mod_inverse faster by explicitly handling small quotients
     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
     512 bits], about 30% for larger ones [1024 or 2048 bits].)
     [Bodo Moeller]

  *) New function BN_kronecker.
     [Bodo Moeller]

  *) Fix BN_gcd so that it works on negative inputs; the result is
     positive unless both parameters are zero.
     Previously something reasonably close to an infinite loop was
     possible because numbers could be growing instead of shrinking
     in the implementation of Euclid's algorithm.
     [Bodo Moeller]
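
For the BN_kronecker and BN_gcd entries above, an added example on 64-bit words (example code, not OpenSSL's bn_kron.c or bn_gcd.c): a gcd that works on absolute values, so the remainders shrink monotonically and the result is non-negative and zero only when both inputs are zero, and a Kronecker symbol computed by the standard algorithm (Cohen, Algorithm 1.4.10), which accepts negative and even arguments. Function names are this example's own.

```c
#include <stdint.h>

static int64_t abs64(int64_t x) { return x < 0 ? -x : x; }

/* Euclid on |a|, |b|: each remainder is strictly smaller than the previous
 * divisor, so negative inputs cannot make the values grow. */
int64_t gcd64(int64_t a, int64_t b)
{
    a = abs64(a); b = abs64(b);
    while (b != 0) { int64_t t = a % b; a = b; b = t; }
    return a;
}

/* Kronecker symbol (a|b). Returns -1, 0 or 1. */
int kronecker64(int64_t a, int64_t b)
{
    /* tab[x & 7] = (-1)^((x^2-1)/8) for odd x: the value of (x|2) */
    static const int tab[8] = { 0, 1, 0, -1, 0, -1, 0, 1 };
    int k = 1, v = 0;

    if (b == 0) return abs64(a) == 1 ? 1 : 0;      /* (a|0) */
    if ((a & 1) == 0 && (b & 1) == 0) return 0;    /* common factor 2 */
    while ((b & 1) == 0) { b >>= 1; v++; }         /* strip factors of 2 from b */
    if (v & 1) k = tab[a & 7];                     /* (a|2)^v; a is odd here; a & 7 == a mod 8 in two's complement */
    if (b < 0) { b = -b; if (a < 0) k = -k; }      /* (a|-1) is the sign of a */
    a = ((a % b) + b) % b;                         /* the Jacobi part depends on a mod b only */
    for (;;) {
        /* b is positive and odd: this is now a Jacobi symbol computation */
        if (a == 0) return b == 1 ? k : 0;
        v = 0;
        while ((a & 1) == 0) { a >>= 1; v++; }     /* strip factors of 2 from a */
        if (v & 1) k *= tab[b & 7];                /* (2|b)^v */
        if (a & b & 2) k = -k;                     /* reciprocity: both == 3 (mod 4) */
        { int64_t t = b % a; b = a; a = t; }       /* (a, b) := (b mod a, a) */
    }
}
```

kronecker64(a, p) for an odd prime p is the Legendre symbol, so it answers the "is a a square mod p?" question without a modular exponentiation; kronecker64 returning 0 for odd b means gcd64(a, b) > 1.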

  *) Fix BN_is_word() and BN_is_one() macros to take into account the
     sign of the number in question.

     Fix BN_is_word(a,w) to work correctly for w == 0.

     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
     because it tests whether the absolute value of 'a' equals 'w'.
     Note that BN_abs_is_word does *not* handle w == 0 reliably;
     it exists mostly for use in the implementations of BN_is_zero(),
     BN_is_one(), and BN_is_word().
     [Bodo Moeller]

  *) New function BN_swap.
     [Bodo Moeller]

  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
     the exponentiation functions are more likely to produce reasonable
     results on negative inputs.
     [Bodo Moeller]

  *) Change BN_mod_mul so that the result is always non-negative.
     Previously, it could be negative if one of the factors was negative;
     I don't think anyone really wanted that behaviour.
     [Bodo Moeller]

  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
     and add new functions:

         BN_nnmod
         BN_mod_sqr
         BN_mod_add
         BN_mod_add_quick
         BN_mod_sub
         BN_mod_sub_quick
         BN_mod_lshift1
         BN_mod_lshift1_quick
         BN_mod_lshift
         BN_mod_lshift_quick

     These functions always generate non-negative results.

     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
     such that -|m| < r < 0, BN_nnmod will output r + |m| instead).

     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
     BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
     be reduced modulo m.
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
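
An added illustration of the contract in this entry, on 64-bit words rather than BIGNUMs (example code, not bn_mod.c): C's % operator behaves like BN_mod and can return a negative remainder, the nnmod variant maps that into [0, |m|), the general add/sub/mul functions reduce their inputs first and are therefore always non-negative, and the _quick functions only hold for already reduced inputs, so here a violated precondition is reported instead of producing a silently wrong value. Function names are this example's.

```c
#include <stdint.h>

/* Like BN_mod: the remainder takes the sign of the dividend. */
int64_t mod64(int64_t a, int64_t m) { return a % m; }

/* Like BN_nnmod: result in [0, |m|) whatever the signs of a and m. */
int64_t nnmod64(int64_t a, int64_t m)
{
    int64_t am = m < 0 ? -m : m;
    int64_t r = a % am;
    return r < 0 ? r + am : r;
}

/* General versions: reduce the inputs, always non-negative result. */
int64_t mod_add64(int64_t a, int64_t b, int64_t m)
{
    return nnmod64(nnmod64(a, m) + nnmod64(b, m), m);
}

int64_t mod_sub64(int64_t a, int64_t b, int64_t m)
{
    return nnmod64(nnmod64(a, m) - nnmod64(b, m), m);
}

int64_t mod_mul64(int64_t a, int64_t b, int64_t m)
{
    /* reduce first: the product of two reduced values fits in 128 bits */
    int64_t am = m < 0 ? -m : m;
    unsigned __int128 p = (unsigned __int128)(uint64_t)nnmod64(a, m) * (uint64_t)nnmod64(b, m);
    return (int64_t)(p % (uint64_t)am);
}

/* _quick versions. Precondition: m > 0 and 0 <= a, b < m. A single
 * compare-and-subtract replaces the division. Returns -1 (never a valid
 * residue) when the precondition is violated. */
static int reduced(int64_t x, int64_t m) { return x >= 0 && x < m; }

int64_t mod_add_quick64(int64_t a, int64_t b, int64_t m)
{
    int64_t r;
    if (m <= 0 || !reduced(a, m) || !reduced(b, m)) return -1;
    r = a + b;
    return r >= m ? r - m : r;
}

int64_t mod_sub_quick64(int64_t a, int64_t b, int64_t m)
{
    int64_t r;
    if (m <= 0 || !reduced(a, m) || !reduced(b, m)) return -1;
    r = a - b;
    return r < 0 ? r + m : r;
}

/* 2a mod m for reduced a: one conditional subtraction, as the entry's
 * BN_mod_lshift1_quick suggests. */
int64_t mod_lshift1_quick64(int64_t a, int64_t m)
{
    return mod_add_quick64(a, a, m);
}
```

The _quick precondition is the kind of contract that is cheap to check in a debug build and easy to violate silently in production: mod_add_quick64(6, 1, 5) would return 2 without the check, which is 7 mod 5 only by coincidence of this input.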

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul(). The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

  *) In 'openssl passwd', verify passwords read from the terminal
     unless the '-salt' option is used (which usually means that
     verification would just waste the user's time since the resulting
     hash is going to be compared with some given password hash)
     or the new '-noverify' option is used.

     This is an incompatible change, but it does not affect
     non-interactive use of 'openssl passwd' (passwords on the command
     line, '-stdin' option, '-in ...' option) and thus should not
     cause any problems.
     [Bodo Moeller]

  *) Remove all references to RSAref, since there's no more need for it.
     [Richard Levitte]

  *) Make DSO load along a path given through an environment variable
     (SHLIB_PATH) with shl_load().
     [Richard Levitte]

  *) Constify the ENGINE code as a result of BIGNUM constification.
     Also constify the RSA code and most things related to it. In a
     few places, most notably in the depths of the ASN.1 code, ugly
     casts back to non-const were required (to be solved at a later
     time).
     [Richard Levitte]

  *) Make it so the openssl application has all engines loaded by default.
     [Richard Levitte]

  *) Constify the BIGNUM routines a little more.
     [Richard Levitte]

  *) Add the following functions:

         ENGINE_load_cswift()
         ENGINE_load_chil()
         ENGINE_load_atalla()
         ENGINE_load_nuron()
         ENGINE_load_builtin_engines()

     That way, an application can itself choose if external engines that
     are built into OpenSSL shall ever be used or not. The benefit is
     that applications won't have to be linked with libdl or other dso
     libraries unless it's really needed.

     Changed 'openssl engine' to load all engines on demand.
     Changed the engine header files to avoid the duplication of some
     declarations (they differed!).
     [Richard Levitte]

  *) 'openssl engine' can now list capabilities.
     [Richard Levitte]

  *) Better error reporting in 'openssl engine'.
     [Richard Levitte]

  *) Never call load_dh_param(NULL) in s_server.
     [Bodo Moeller]

  *) Add engine application. It can currently list engines by name and
     identity, and test if they are actually available.
     [Richard Levitte]

  *) Improve RPM specification file by forcing symbolic linking and making
     sure the installed documentation is also owned by root.root.
     [Damien Miller <djm@mindrot.org>]

  *) Give the OpenSSL applications more possibilities to make use of
     keys (public as well as private) handled by engines.
     [Richard Levitte]

  *) Add OCSP code that comes from CertCo.
     [Richard Levitte]

  *) Add VMS support for the Rijndael code.
     [Richard Levitte]

  *) Added untested support for Nuron crypto accelerator.
     [Ben Laurie]

  *) Add support for external cryptographic devices. This code was
     previously distributed separately as the "engine" branch.
     [Geoff Thorpe, Richard Levitte]

  *) Rework the filename-translation in the DSO code. It is now possible to
     have far greater control over how a "name" is turned into a filename
     depending on the operating environment and any oddities about the
     different shared library filenames on each system.
     [Geoff Thorpe]

  *) Support threads on FreeBSD-elf in Configure.
     [Richard Levitte]

  *) Fix for SHA1 assembly problem with MASM: it produces
     warnings about corrupt line number information when assembling
     with debugging information. This is caused by the overlapping
     of two sections.
     [Bernd Matthes <mainbug@celocom.de>, Steve Henson]

  *) NCONF changes.
     NCONF_get_number() has no error checking at all. As a replacement,
     NCONF_get_number_e() is defined (_e for "error checking") and is
     promoted strongly. The old NCONF_get_number is kept around for
     binary backward compatibility.
     Make it possible for methods to load from something other than a BIO,
     by providing a function pointer that is given a name instead of a BIO.
     For example, this could be used to load configuration data from an
     LDAP server.
     [Richard Levitte]

  *) Fix for non blocking accept BIOs. Added new I/O special reason
     BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
     with non blocking I/O was not possible because no retry code was
     implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
     this case.
     [Steve Henson]

  *) Added the beginnings of Rijndael support.
     [Ben Laurie]

  *) Fix for bug in DirectoryString mask setting. Add support for
     X509_NAME_print_ex() in 'req' and X509_print_ex() function
     to allow certificate printing to be more controllable, additional
     'certopt' option to 'x509' to allow new printing options to be
     set.
     [Steve Henson]

  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

 Changes between 0.9.6d and 0.9.6e [XX xxx XXXX]

  *) Fix EVP_dsa_sha macro.
     [Nils Larsch]

  *) New option
         SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
     that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some
     broken SSL implementations, the new option is part of SSL_OP_ALL.
     SSL_OP_ALL is usually employed when compatibility with weird SSL
     implementations is desired (e.g. '-bugs' option to 's_client' and
     's_server'), so the new option is automatically set in many
     applications.
     [Bodo Moeller]

 Changes between 0.9.6c and 0.9.6d [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
     encoded as NULL) with id-dsa-with-sha1.
     [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]

  *) Check various X509_...() return values in apps/req.c.
     [Nils Larsch <nla@trustcenter.de>]

  *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
     an end-of-file condition would erroneously be flagged when the CRLF
     was just at the end of a processed block. The bug was discovered when
     processing data through a buffering memory BIO handing the data to a
     BASE64-decoding BIO. Bug found and patch submitted by Pavel Tsekov
     <ptsekov@syntrex.com> and Nedelcho Stanev.
     [Lutz Jaenicke]
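
An added example of the distinction this fix restores (written for this page, not OpenSSL's EVP_DecodeUpdate): a streaming Base64 decoder that can be fed arbitrary chunks, skips CR and LF wherever they fall, including at the very end of a chunk, and reports end-of-data only on '=' padding. The context type and function names are this example's; the two input chunks are constructed sample data that place a CRLF exactly on a chunk boundary, the case the bug concerned.

```c
#include <stddef.h>
#include <string.h>

typedef struct {
    unsigned char quad[4]; /* pending symbols of the current 4-char group */
    int n;                 /* how many of quad[] are filled */
    int eof;               /* 1 once padding has been seen */
} b64_ctx;

void b64_init(b64_ctx *c) { memset(c, 0, sizeof *c); }

static int b64_val(unsigned char ch)
{
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    if (ch == '+') return 62;
    if (ch == '/') return 63;
    return -1;
}

static int b64_flush(b64_ctx *c, unsigned char *out, int full)
{
    /* Emit the bytes of a group with c->n symbols (4 when full). */
    int produced = 0;
    if (c->n >= 2) out[produced++] = (unsigned char)(c->quad[0] << 2 | c->quad[1] >> 4);
    if (c->n >= 3) out[produced++] = (unsigned char)(c->quad[1] << 4 | c->quad[2] >> 2);
    if (full)      out[produced++] = (unsigned char)(c->quad[2] << 6 | c->quad[3]);
    c->n = 0;
    return produced;
}

/* Feed one chunk; writes decoded bytes to out and returns the count, or -1
 * on an illegal character. CR and LF are skipped and never treated as EOF;
 * the stream state survives across calls, so a group may span chunks. */
int b64_update(b64_ctx *c, const unsigned char *in, size_t inlen, unsigned char *out)
{
    int produced = 0;
    size_t i;
    for (i = 0; i < inlen; i++) {
        unsigned char ch = in[i];
        int v;
        if (ch == '\r' || ch == '\n') continue;    /* line ending: not EOF */
        if (c->eof) continue;                      /* ignore anything after padding */
        if (ch == '=') {                           /* padding: finish the last group */
            produced += b64_flush(c, out + produced, 0);
            c->eof = 1;
            continue;
        }
        v = b64_val(ch);
        if (v < 0) return -1;
        c->quad[c->n++] = (unsigned char)v;
        if (c->n == 4) produced += b64_flush(c, out + produced, 1);
    }
    return produced;
}

int b64_at_eof(const b64_ctx *c) { return c->eof; }

/* Demo with constructed chunks: "hello world" as "aGVsbG8g\r\n" + "d29ybGQ=\r\n".
 * Returns 11 if the decode round-trips and EOF was signalled only by the
 * padding in the second chunk, -1 otherwise. */
int b64_demo(void)
{
    static const unsigned char chunk1[] = "aGVsbG8g\r\n";   /* "hello " then CRLF */
    static const unsigned char chunk2[] = "d29ybGQ=\r\n";   /* "world", padding, CRLF */
    unsigned char out[32];
    b64_ctx c;
    int n1, n2;
    b64_init(&c);
    n1 = b64_update(&c, chunk1, sizeof chunk1 - 1, out);
    if (n1 < 0 || b64_at_eof(&c)) return -1;           /* CRLF must not end the stream */
    n2 = b64_update(&c, chunk2, sizeof chunk2 - 1, out + n1);
    if (n2 < 0 || !b64_at_eof(&c)) return -1;
    return memcmp(out, "hello world", 11) == 0 ? n1 + n2 : -1;
}
```

The defect class here is a state machine that conflates "end of this buffer" with "end of the data"; keeping the decoder state in an explicit context and deciding EOF only from the data itself is what makes chunked delivery through a buffering BIO safe.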
1744
82b0bf0b
BM
1745 *) Implement a countermeasure against a vulnerability recently found
1746 in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
1747 before application data chunks to avoid the use of known IVs
1748 with data potentially chosen by the attacker.
1749 [Bodo Moeller]
1750
1751 *) Fix length checks in ssl3_get_client_hello().
1752 [Bodo Moeller]
1753
1754 *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
1755 to prevent ssl3_read_internal() from incorrectly assuming that
1756 ssl3_read_bytes() found application data while handshake
1757 processing was enabled when in fact s->s3->in_read_app_data was
1758 merely automatically cleared during the initial handshake.
1759 [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
1760
381a146d
LJ
1761 *) Fix object definitions for Private and Enterprise: they were not
1762 recognized in their shortname (=lowercase) representation. Extend
1763 obj_dat.pl to issue an error when using undefined keywords instead
1764 of silently ignoring the problem (Svenning Sorensen
1765 <sss@sss.dnsalias.net>).
1766 [Lutz Jaenicke]
1767
1768 *) Fix DH_generate_parameters() so that it works for 'non-standard'
1769 generators, i.e. generators other than 2 and 5. (Previously, the
1770 code did not properly initialise the 'add' and 'rem' values to
1771 BN_generate_prime().)
1772
1773 In the new general case, we do not insist that 'generator' is
1774 actually a primitive root: This requirement is rather pointless;
1775 a generator of the order-q subgroup is just as good, if not
1776 better.
1777 [Bodo Moeller]
1778
1779 *) Map new X509 verification errors to alerts. Discovered and submitted by
1780 Tom Wu <tom@arcot.com>.
1781 [Lutz Jaenicke]
1782
1783 *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
1784 returning non-zero before the data has been completely received
1785 when using non-blocking I/O.
1786 [Bodo Moeller; problem pointed out by John Hughes]
1787
1788 *) Some of the ciphers missed the strength entry (SSL_LOW etc).
1789 [Ben Laurie, Lutz Jaenicke]
1790
1791 *) Fix bug in SSL_clear(): bad sessions were not removed (found by
1792 Yoram Zahavi <YoramZ@gilian.com>).
1793 [Lutz Jaenicke]
1794
1795 *) Add information about CygWin 1.3 and on, and preserve proper
1796 configuration for the versions before that.
1797 [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
1798
1799 *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
1800 check whether we deal with a copy of a session and do not delete from
1801 the cache in this case. Problem reported by "Izhar Shoshani Levi"
1802 <izhar@checkpoint.com>.
1803 [Lutz Jaenicke]
1804
1805 *) Do not store session data into the internal session cache, if it
1806 is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
1807 flag is set). Proposed by Aslam <aslam@funk.com>.
1808 [Lutz Jaenicke]
1809
1810 *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
1811 value is 0.
1812 [Richard Levitte]
1813
1814 *) Add the configuration target linux-s390x.
1815 [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
1816
1817 *) [In 0.9.6d-engine release:]
1818 Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
1819 [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
1820
1821 *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
1822 ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
1823 variable as an indication that a ClientHello message has been
1824 received. As the flag value will be lost between multiple
1825 invocations of ssl3_accept when using non-blocking I/O, the
1826 function may not be aware that a handshake has actually taken
1827 place, thus preventing a new session from being added to the
1828 session cache.
1829
1830 To avoid this problem, we now set s->new_session to 2 instead of
1831 using a local variable.
1832 [Lutz Jaenicke, Bodo Moeller]
1833
1834 *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
1835 if the SSL_R_LENGTH_MISMATCH error is detected.
1836 [Geoff Thorpe, Bodo Moeller]
1837
1838 *) New 'shared_ldflag' column in Configure platform table.
1839 [Richard Levitte]
1840
1841 *) Fix EVP_CIPHER_mode macro.
1842 ["Dan S. Camper" <dan@bti.net>]
1843
1844 *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
1845 type, we must throw them away by setting rr->length to 0.
1846 [D P Chang <dpc@qualys.com>]
1847
1848 Changes between 0.9.6b and 0.9.6c [21 dec 2001]
1849
1850 *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
1851 <Dominikus.Scherkl@biodata.com>. (The previous implementation
1852 worked incorrectly for those cases where range = 10..._2 and
1853 3*range is two bits longer than range.)
1854 [Bodo Moeller]
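
An added illustration of the sampling problem this fix concerns (example code, not OpenSSL's bn_rand.c), on 64-bit words with a deterministic generator so the check is repeatable: when range has the form 100..._2, 3*range is exactly one bit longer than range, so drawing n+1 bits and subtracting range up to twice is accepted with probability at least 3/4; for any other leading pattern (including the 10..._2 shapes this entry names, where 3*range is two bits longer) n bits are drawn and rejected whenever r >= range. Getting the leading-bit test wrong makes some values unreachable or over-represented, which matters when the value is a DSA nonce, so the self-check confirms every value below a small range is reachable and nothing at or above it appears. The names and the seed are this example's.

```c
#include <stdint.h>

static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;   /* constructed seed, not a CSPRNG */

static uint64_t xorshift64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return rng_state = x;
}

static int num_bits(uint64_t x) { int n = 0; while (x) { n++; x >>= 1; } return n; }

/* A value with exactly 'bits' random bits. */
static uint64_t rand_bits(int bits)
{
    if (bits >= 64) return xorshift64();
    return xorshift64() & ((1ULL << bits) - 1);
}

/* Uniform r in [0, range) by rejection sampling. */
uint64_t rand_range(uint64_t range)
{
    int n = num_bits(range);
    uint64_t r;
    if (range == 0 || n == 1) return 0;
    /* range = 100..._2: the two bits below the leading bit are clear, so
     * 3*range = 11..._2 is only one bit longer than range. */
    if (n >= 3 && !((range >> (n - 2)) & 1) && !((range >> (n - 3)) & 1)) {
        do {
            r = rand_bits(n + 1);
            /* If r < 3*range this yields r mod range; otherwise retry. */
            if (r >= range) { r -= range; if (r >= range) r -= range; }
        } while (r >= range);
    } else {
        /* Leading bits 11.., 101.. or 10..: n bits succeed with p > 1/2. */
        do { r = rand_bits(n); } while (r >= range);
    }
    return r;
}

/* Self-check: 'draws' samples all below range and, for range <= 64, every
 * value observed at least once. Returns 1 on success, 0 on failure. */
int rand_range_check(uint64_t range, int draws)
{
    uint64_t seen = 0, want;
    int i;
    for (i = 0; i < draws; i++) {
        uint64_t r = rand_range(range);
        if (r >= range) return 0;
        if (range <= 64) seen |= 1ULL << r;
    }
    if (range == 0 || range > 64) return 1;
    want = range == 64 ? ~0ULL : (1ULL << range) - 1;
    return seen == want;
}
```

Rejection sampling is the right tool because "draw n bits and reduce mod range" is biased whenever range is not a power of two; the n+1-bit special case exists only to raise the acceptance rate for ranges just above a power of two, and the branch condition is exactly where the original bug lived.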

  *) Only add signing time to PKCS7 structures if it is not already
     present.
     [Steve Henson]

  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
     OBJ_ld_ce should be OBJ_id_ce.
     Also some ip-pda OIDs in crypto/objects/objects.txt were
     incorrect (cf. RFC 3039).
     [Matt Cooper, Frederic Giudicelli, Bodo Moeller]

  *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
     returns early because it has nothing to do.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  *) [In 0.9.6c-engine release:]
     Fix mutex callback return values in crypto/engine/hw_ncipher.c.
     [Andy Schneider <andy.schneider@bjss.co.uk>]

  *) [In 0.9.6c-engine release:]
     Add support for Cryptographic Appliance's keyserver technology.
     (Use engine 'keyclient')
     [Cryptographic Appliances and Geoff Thorpe]

  *) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
     is called via tools/c89.sh because arguments have to be
     rearranged (all '-L' options must appear before the first object
     modules).
     [Richard Shapiro <rshapiro@abinitio.com>]

  *) [In 0.9.6c-engine release:]
     Add support for Broadcom crypto accelerator cards, backported
     from 0.9.7.
     [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for SureWare crypto accelerator cards from
     Baltimore Technologies. (Use engine 'sureware')
     [Baltimore Technologies and Mark Cox]

  *) [In 0.9.6c-engine release:]
     Add support for crypto accelerator cards from Accelerated
     Encryption Processing, www.aep.ie. (Use engine 'aep')
     [AEP Inc. and Mark Cox]

  *) Add a configuration entry for gcc on UnixWare.
     [Gary Benson <gbenson@redhat.com>]

  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
     [Bodo Moeller]

  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead. BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>]

  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled). In practice, ClientHello
     messages are never sent like this, but this change gives us
     strictly correct behaviour at least for TLS.
     [Bodo Moeller]

  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
     [Bodo Moeller; problem pointed out by Niko Baric]

  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use. Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
     [Bodo Moeller]

  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
     [Bodo Moeller]

  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
     [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]

  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circumvents various
     cleanups done in state SSL_ST_OK. But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.

     Also avoid some overhead by not calling ssl_init_wbio_buffer()
     before just sending a HelloRequest.
     [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occurred. (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

     Similar changes are not required for the SSL 2.0 implementation
     because the number of padding bytes is sent in clear for SSL 2.0,
     and the extra bytes are just ignored. However ssl/s2_pkt.c
     failed to verify that the purported number of padding bytes is in
     the legal range.
     [Bodo Moeller]

  *) Add OpenUNIX-8 support including shared libraries
     (Boyd Lynn Gerber <gerberb@zenez.com>).
     [Lutz Jaenicke]

  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper). Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
     [Bodo Moeller]

  *) BN_sqr() bug fix.
