Changes between 0.9.7 and 0.9.8 [xx XXX 2002]
+ *) Let BN_rand_range() abort with an error after 100 iterations
+ without success (which indicates a broken PRNG).
+ [Bodo Moeller]
+
+ *) Change BN_mod_sqrt() so that it verifies that the input value
+ is really the square of the return value. (Previously,
+ BN_mod_sqrt would show GIGO behaviour.)
+ [Bodo Moeller]
+
+ *) Add named elliptic curves over binary fields from X9.62, SECG,
+ and WAP/WTLS; add OIDs that were still missing.
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) Extend the EC library for elliptic curves over binary fields
+ (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
+ New EC_METHOD:
+
+ EC_GF2m_simple_method
+
+ New API functions:
+
+ EC_GROUP_new_curve_GF2m
+ EC_GROUP_set_curve_GF2m
+ EC_GROUP_get_curve_GF2m
+ EC_POINT_set_affine_coordinates_GF2m
+ EC_POINT_get_affine_coordinates_GF2m
+ EC_POINT_set_compressed_coordinates_GF2m
+
+ Point compression for binary fields is disabled by default for
+ patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
+ enable it).
+
+ As binary polynomials are represented as BIGNUMs, various members
+ of the EC_GROUP and EC_POINT data structures can be shared
+ between the implementations for prime fields and binary fields;
+ the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
+ are essentially identical to their ..._GFp counterparts.
+ (For simplicity, the '..._GFp' prefix has been dropped from
+ various internal method names.)
+
+ An internal 'field_div' method (similar to 'field_mul' and
+ 'field_sqr') has been added; this is used only for binary fields.
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
+ through methods ('mul', 'precompute_mult').
+
+ The generic implementations (now internally called 'ec_wNAF_mul'
+ and 'ec_wNAF_precomputed_mult') remain the default if these
+ methods are undefined.
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) New function EC_GROUP_get_degree, which is defined through
+ EC_METHOD. For curves over prime fields, this returns the bit
+ length of the modulus.
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) New functions EC_GROUP_dup, EC_POINT_dup.
+ (These simply call ..._new and ..._copy).
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
+ Polynomials are represented as BIGNUMs (where the sign bit is not
+ used) in the following functions [macros]:
+
+ BN_GF2m_add
+ BN_GF2m_sub [= BN_GF2m_add]
+ BN_GF2m_mod [wrapper for BN_GF2m_mod_arr]
+ BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr]
+ BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr]
+ BN_GF2m_mod_inv
+ BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr]
+ BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr]
+ BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr]
+ BN_GF2m_cmp [= BN_ucmp]
+
+ (Note that only the 'mod' functions are actually for fields GF(2^m).
+ BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
+
+ For some functions, an the irreducible polynomial defining a
+ field can be given as an 'unsigned int[]' with strictly
+ decreasing elements giving the indices of those bits that are set;
+ i.e., p[] represents the polynomial
+ f(t) = t^p[0] + t^p[1] + ... + t^p[k]
+ where
+ p[0] > p[1] > ... > p[k] = 0.
+ This applies to the following functions:
+
+ BN_GF2m_mod_arr
+ BN_GF2m_mod_mul_arr
+ BN_GF2m_mod_sqr_arr
+ BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv]
+ BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div]
+ BN_GF2m_mod_exp_arr
+ BN_GF2m_mod_sqrt_arr
+ BN_GF2m_mod_solve_quad_arr
+ BN_GF2m_poly2arr
+ BN_GF2m_arr2poly
+
+ Conversion can be performed by the following functions:
+
+ BN_GF2m_poly2arr
+ BN_GF2m_arr2poly
+
+ bntest.c has additional tests for binary polynomial arithmetic.
+
+ Two implementations for BN_GF2m_mod_div() are available (selected
+ at compile-time). ...
+TBD ... OPENSSL_NO_SUN_DIV ... --Bodo
+
+ [Sheueling Chang Shantz and Douglas Stebila
+ (Sun Microsystems Laboratories)]
+
+ *) Add new error code 'ERR_R_DISABLED' that can be used when some
+ functionality is disabled at compile-time.
+ [Douglas Stebila <douglas.stebila@sun.com>]
+
+ *) Change default behaviour of 'openssl asn1parse' so that more
+ information is visible when viewing, e.g., a certificate:
+
+ Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
+ mode the content of non-printable OCTET STRINGs is output in a
+ style similar to INTEGERs, but with '[HEX DUMP]' prepended to
+ avoid the appearance of a printable string.
+ [Nils Larsch <nla@trustcenter.de>]
+
+ *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
+ functions
+ EC_GROUP_set_asn1_flag()
+ EC_GROUP_get_asn1_flag()
+ EC_GROUP_set_point_conversion_form()
+ EC_GROUP_get_point_conversion_form()
+ These control ASN1 encoding details:
+ - Curves (i.e., groups) are encoded explicitly unless asn1_flag
+ has been set to OPENSSL_EC_NAMED_CURVE.
+ - Points are encoded in uncompressed form by default; options for
+ asn1_for are as for point2oct, namely
+ POINT_CONVERSION_COMPRESSED
+ POINT_CONVERSION_UNCOMPRESSED
+ POINT_CONVERSION_HYBRID
+
+ Also add 'seed' and 'seed_len' members to EC_GROUP with access
+ functions
+ EC_GROUP_set_seed()
+ EC_GROUP_get0_seed()
+ EC_GROUP_get_seed_len()
+ This is used only for ASN1 purposes (so far).
+ [Nils Larsch <nla@trustcenter.de>]
+
+ *) Add 'field_type' member to EC_METHOD, which holds the NID
+ of the appropriate field type OID. The new function
+ EC_METHOD_get_field_type() returns this value.
+ [Nils Larsch <nla@trustcenter.de>]
+
+ *) Add functions
+ EC_POINT_point2bn()
+ EC_POINT_bn2point()
+ EC_POINT_point2hex()
+ EC_POINT_hex2point()
+ providing useful interfaces to EC_POINT_point2oct() and
+ EC_POINT_oct2point().
+ [Nils Larsch <nla@trustcenter.de>]
+
+ *) Change internals of the EC library so that the functions
+ EC_GROUP_set_generator()
+ EC_GROUP_get_generator()
+ EC_GROUP_get_order()
+ EC_GROUP_get_cofactor()
+ are implemented directly in crypto/ec/ec_lib.c and not dispatched
+ to methods, which would lead to unnecessary code duplication when
+ adding different types of curves.
+ [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
+
+ *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
+ arithmetic, and such that modified wNAFs are generated
+ (which avoid length expansion in many cases).
+ [Bodo Moeller]
+
+ *) Add a function EC_GROUP_check_discriminant() (defined via
+ EC_METHOD) that verifies that the curve discriminant is non-zero.
+
+ Add a function EC_GROUP_check() that makes some sanity tests
+ on a EC_GROUP, its generator and order. This includes
+ EC_GROUP_check_discriminant().
+ [Nils Larsch <nla@trustcenter.de>]
+
*) Add ECDSA in new directory crypto/ecdsa/.
- Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
- (these are variants of 'openssl dsaparam' and 'openssl dsa').
+ Add applications 'openssl ecparam' and 'openssl ecdsa'
+ (these are based on 'openssl dsaparam' and 'openssl dsa').
ECDSA support is also included in various other files across the
library. Most notably,
extracted before the specific public key.
[Nils Larsch <nla@trustcenter.de>]
- *) Add reference counting for EC_GROUP objects.
- [Nils Larsch <nla@trustcenter.de>]
-
- *) Include some named elliptic curves. These can be obtained from
- the new functions
+ *) Include some named elliptic curves, and add OIDs from X9.62,
+ SECG, and WAP/WTLS. The curves can be obtained from the new
+ functions
EC_GROUP_new_by_nid()
EC_GROUP_new_by_name()
- Also add a 'nid' field to EC_GROUP objects, which can be accessed
- via
+ Also add a 'curve_name' member to EC_GROUP objects, which can be
+ accessed via
EC_GROUP_set_nid()
EC_GROUP_get_nid()
[Nils Larsch <nla@trustcenter.de, Bodo Moeller]
- Changes between 0.9.6 and 0.9.7 [xx XXX 2002]
+ Changes between 0.9.6e and 0.9.7 [XX xxx 2002]
+
+ *) Make sure tests can be performed even if the corresponding algorithms
+ have been removed entirely. This was also the last step to make
+ OpenSSL compilable with DJGPP under all reasonable conditions.
+ [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
+
+ *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
+ to allow version independent disabling of normally unselected ciphers,
+ which may be activated as a side-effect of selecting a single cipher.
+
+ (E.g., cipher list string "RSA" enables ciphersuites that are left
+ out of "ALL" because they do not provide symmetric encryption.
+ "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
+ [Lutz Jaenicke, Bodo Moeller]
+
+ *) Add appropriate support for separate platform-dependent build
+ directories. The recommended way to make a platform-dependent
+ build directory is the following (tested on Linux), maybe with
+ some local tweaks:
+
+ # Place yourself outside of the OpenSSL source tree. In
+ # this example, the environment variable OPENSSL_SOURCE
+ # is assumed to contain the absolute OpenSSL source directory.
+ mkdir -p objtree/`uname -s`-`uname -r`-`uname -m`
+ cd objtree/`uname -s`-`uname -r`-`uname -m`
+ (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
+ mkdir -p `dirname $F`
+ ln -s $OPENSSL_SOURCE/$F $F
+ done
+
+ To be absolutely sure not to disturb the source tree, a "make clean"
+ is a good thing. If it isn't successfull, don't worry about it,
+ it probably means the source directory is very clean.
+ [Richard Levitte]
+
+ *) Make sure any ENGINE control commands make local copies of string
+ pointers passed to them whenever necessary. Otherwise it is possible
+ the caller may have overwritten (or deallocated) the original string
+ data when a later ENGINE operation tries to use the stored values.
+ [Götz Babin-Ebell <babinebell@trustcenter.de>]
+
+ *) Improve diagnostics in file reading and command-line digests.
+ [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
+
+ *) Add AES modes CFB and OFB to the object database. Correct an
+ error in AES-CFB decryption.
+ [Richard Levitte]
+
+ *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
+ allows existing EVP_CIPHER_CTX structures to be reused after
+ calling EVP_*Final(). This behaviour is used by encryption
+ BIOs and some applications. This has the side effect that
+ applications must explicitly clean up cipher contexts with
+ EVP_CIPHER_CTX_cleanup() or they will leak memory.
+ [Steve Henson]
+
+ *) Check the values of dna and dnb in bn_mul_recursive before calling
+ bn_mul_comba (a non zero value means the a or b arrays do not contain
+ n2 elements) and fallback to bn_mul_normal if either is not zero.
+ [Steve Henson]
+
+ *) Fix escaping of non-ASCII characters when using the -subj option
+ of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
+ [Lutz Jaenicke]
- OpenSSL 0.9.6a/0.9.6b/0.9.6c/0.9.6d (bugfix releases, 5 Apr 2001,
- 9 July 2001, 21 Dec 2001 and xx XXX 2002) and OpenSSL 0.9.7 were
- developed in parallel, based on OpenSSL 0.9.6.
+ *) Make object definitions compliant to LDAP (RFC2256): SN is the short
+ form for "surname", serialNumber has no short form.
+ Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
+ therefore remove "mail" short name for "internet 7".
+ The OID for unique identifiers in X509 certificates is
+ x500UniqueIdentifier, not uniqueIdentifier.
+ Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
+ [Lutz Jaenicke]
- Change log entries are tagged as follows:
- -) applies to 0.9.6a ... 0.9.6d only
- *) applies to 0.9.6a ... 0.9.6d and 0.9.7
- +) applies to 0.9.7 only
+ *) Add an "init" command to the ENGINE config module and auto initialize
+ ENGINEs. Without any "init" command the ENGINE will be initialized
+ after all ctrl commands have been executed on it. If init=1 the
+ ENGINE is initailized at that point (ctrls before that point are run
+ on the uninitialized ENGINE and after on the initialized one). If
+ init=0 then the ENGINE will not be iniatialized at all.
+ [Steve Henson]
+
+ *) Fix the 'app_verify_callback' interface so that the user-defined
+ argument is actually passed to the callback: In the
+ SSL_CTX_set_cert_verify_callback() prototype, the callback
+ declaration has been changed from
+ int (*cb)()
+ into
+ int (*cb)(X509_STORE_CTX *,void *);
+ in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
+ i=s->ctx->app_verify_callback(&ctx)
+ has been changed into
+ i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
+
+ To update applications using SSL_CTX_set_cert_verify_callback(),
+ a dummy argument can be added to their callback functions.
+ [D. K. Smetters <smetters@parc.xerox.com>]
+
+ *) Added the '4758cca' ENGINE to support IBM 4758 cards.
+ [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]
+
+ *) Add and OPENSSL_LOAD_CONF define which will cause
+ OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
+ This allows older applications to transparently support certain
+ OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
+ Two new functions OPENSSL_add_all_algorithms_noconf() which will never
+ load the config file and OPENSSL_add_all_algorithms_conf() which will
+ always load it have also been added.
+ [Steve Henson]
+
+ *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
+ Adjust NIDs and EVP layer.
+ [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
- +) Config modules support in openssl utility.
+ *) Config modules support in openssl utility.
Most commands now load modules from the config file,
though in a few (such as version) this isn't done
alternative file.
[Steve Henson]
- +) Move default behaviour from OPENSSL_config(). If appname is NULL
+ *) Move default behaviour from OPENSSL_config(). If appname is NULL
use "openssl_conf" if filename is NULL use default openssl config file.
[Steve Henson]
- +) Add an argument to OPENSSL_config() to allow the use of an alternative
+ *) Add an argument to OPENSSL_config() to allow the use of an alternative
config section name. Add a new flag to tolerate a missing config file
and move code to CONF_modules_load_file().
[Steve Henson]
- *) Add information about CygWin 1.3 and on, and preserve proper
- configuration for the versions before that.
- [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
-
- *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
- check whether we deal with a copy of a session and do not delete from
- the cache in this case. Problem reported by "Izhar Shoshani Levi"
- <izhar@checkpoint.com>.
- [Lutz Jaenicke]
-
- *) Do not store session data into the internal session cache, if it
- is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
- flag is set). Proposed by Aslam <aslam@funk.com>.
- [Lutz Jaenicke]
-
- +) Support for crypto accelerator cards from Accelerated Encryption
+ *) Support for crypto accelerator cards from Accelerated Encryption
Processing, www.aep.ie. (Use engine 'aep')
The support was copied from 0.9.6c [engine] and adapted/corrected
to work with the new engine framework.
[AEP Inc. and Richard Levitte]
- +) Support for SureWare crypto accelerator cards from Baltimore
+ *) Support for SureWare crypto accelerator cards from Baltimore
Technologies. (Use engine 'sureware')
The support was copied from 0.9.6c [engine] and adapted
to work with the new engine framework.
[Richard Levitte]
- *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
- value is 0.
- [Richard Levitte]
-
- +) Have the CHIL engine fork-safe (as defined by nCipher) and actually
+ *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
make the newer ENGINE framework commands for the CHIL engine work.
[Toomas Kiisk <vix@cyber.ee> and Richard Levitte]
- +) Make it possible to produce shared libraries on ReliantUNIX.
+ *) Make it possible to produce shared libraries on ReliantUNIX.
[Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]
- *) Add the configuration target linux-s390x.
- [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
-
- +) Add the configuration target debug-linux-ppro.
+ *) Add the configuration target debug-linux-ppro.
Make 'openssl rsa' use the general key loading routines
implemented in apps.c, and make those routines able to
handle the key format FORMAT_NETSCAPE and the variant
FORMAT_IISSGC.
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
- *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
+ *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
- +) Add -keyform to rsautl, and document -engine.
+ *) Add -keyform to rsautl, and document -engine.
[Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]
- +) Change BIO_new_file (crypto/bio/bss_file.c) to use new
+ *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
BIO_R_NO_SUCH_FILE error code rather than the generic
ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
[Ben Laurie]
- +) Add new functions
+ *) Add new functions
ERR_peek_last_error
ERR_peek_last_error_line
ERR_peek_last_error_line_data.
still in the error queue.
[Ben Laurie, Bodo Moeller]
- +) default_algorithms option in ENGINE config module. This allows things
+ *) default_algorithms option in ENGINE config module. This allows things
like:
default_algorithms = ALL
default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
[Steve Henson]
- +) Prelminary ENGINE config module.
+ *) Prelminary ENGINE config module.
[Steve Henson]
- *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
- ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
- variable as an indication that a ClientHello message has been
- received. As the flag value will be lost between multiple
- invocations of ssl3_accept when using non-blocking I/O, the
- function may not be aware that a handshake has actually taken
- place, thus preventing a new session from being added to the
- session cache.
-
- To avoid this problem, we now set s->new_session to 2 instead of
- using a local variable.
- [Lutz Jaenicke, Bodo Moeller]
-
- *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
- if the SSL_R_LENGTH_MISMATCH error is detected.
- [Geoff Thorpe, Bodo Moeller]
-
- +) New experimental application configuration code.
+ *) New experimental application configuration code.
[Steve Henson]
- *) New 'shared_ldflag' column in Configure platform table.
- [Richard Levitte]
-
- *) Fix EVP_CIPHER_mode macro.
- ["Dan S. Camper" <dan@bti.net>]
-
- +) Change the AES code to follow the same name structure as all other
+ *) Change the AES code to follow the same name structure as all other
symmetric ciphers, and behave the same way. Move everything to
the directory crypto/aes, thereby obsoleting crypto/rijndael.
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
- *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
- type, we must throw them away by setting rr->length to 0.
- [D P Chang <dpc@qualys.com>]
-
- -) OpenSSL 0.9.6c released [21 dec 2001]
-
- +) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
+ *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
[Ben Laurie and Theo de Raadt]
- *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
- <Dominikus.Scherkl@biodata.com>. (The previous implementation
- worked incorrectly for those cases where range = 10..._2 and
- 3*range is two bits longer than range.)
- [Bodo Moeller]
-
- *) Only add signing time to PKCS7 structures if it is not already
- present.
- [Steve Henson]
-
- *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
- OBJ_ld_ce should be OBJ_id_ce.
- Also some ip-pda OIDs in crypto/objects/objects.txt were
- incorrect (cf. RFC 3039).
- [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
-
- +) Add option to output public keys in req command.
+ *) Add option to output public keys in req command.
[Massimiliano Pala madwolf@openca.org]
- *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
- returns early because it has nothing to do.
- [Andy Schneider <andy.schneider@bjss.co.uk>]
-
- *) [In 0.9.6c-engine and 0.9.7 release:]
- Fix mutex callback return values in crypto/engine/hw_ncipher.c.
- [Andy Schneider <andy.schneider@bjss.co.uk>]
-
- -) [In 0.9.6c-engine release:]
- Add support for Cryptographic Appliance's keyserver technology.
- (Use engine 'keyclient')
- [Cryptographic Appliances and Geoff Thorpe]
-
- *) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
- is called via tools/c89.sh because arguments have to be
- rearranged (all '-L' options must appear before the first object
- modules).
- [Richard Shapiro <rshapiro@abinitio.com>]
-
- +) Use wNAFs in EC_POINTs_mul() for improved efficiency
+ *) Use wNAFs in EC_POINTs_mul() for improved efficiency
(up to about 10% better than before for P-192 and P-224).
[Bodo Moeller]
- -) [In 0.9.6c-engine release:]
- Add support for Broadcom crypto accelerator cards, backported
- from 0.9.7.
- [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
-
- -) [In 0.9.6c-engine release:]
- Add support for SureWare crypto accelerator cards from
- Baltimore Technologies. (Use engine 'sureware')
- [Baltimore Technologies and Mark Cox]
-
- -) [In 0.9.6c-engine release:]
- Add support for crypto accelerator cards from Accelerated
- Encryption Processing, www.aep.ie. (Use engine 'aep')
- [AEP Inc. and Mark Cox]
-
- *) Add a configuration entry for gcc on UnixWare.
- [Gary Benson <gbenson@redhat.com>]
-
- +) New functions/macros
+ *) New functions/macros
SSL_CTX_set_msg_callback(ctx, cb)
SSL_CTX_set_msg_callback_arg(ctx, arg)
to enable a callback that displays all protocol messages.
[Bodo Moeller]
- *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
- messages are stored in a single piece (fixed-length part and
- variable-length part combined) and fix various bugs found on the way.
- [Bodo Moeller]
-
- +) Change the shared library support so shared libraries are built as
+ *) Change the shared library support so shared libraries are built as
soon as the corresponding static library is finished, and thereby get
openssl and the test programs linked against the shared library.
This still only happens when the keyword "shard" has been given to
backward binary compatibility is still not guaranteed.
["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
- +) Add support for Subject Information Access extension.
+ *) Add support for Subject Information Access extension.
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
- +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
+ *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
additional bytes when new memory had to be allocated, not just
when reusing an existing buffer.
[Bodo Moeller]
- *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
- instead. BIO_gethostbyname() does not know what timeouts are
- appropriate, so entries would stay in cache even when they have
- become invalid.
- [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
-
- +) New command line and configuration option 'utf8' for the req command.
+ *) New command line and configuration option 'utf8' for the req command.
This allows field values to be specified as UTF8 strings.
[Steve Henson]
- +) Add -multi and -mr options to "openssl speed" - giving multiple parallel
+ *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
runs for the former and machine-readable output for the latter.
[Ben Laurie]
- +) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
+ *) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
of the e-mail address in the DN (i.e., it will go into a certificate
extension only). The new configuration file option 'email_in_dn = no'
has the same effect.
[Massimiliano Pala madwolf@openca.org]
- *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
- faced with a pathologically small ClientHello fragment that does
- not contain client_version: Instead of aborting with an error,
- simply choose the highest available protocol version (i.e.,
- TLS 1.0 unless it is disabled). In practice, ClientHello
- messages are never sent like this, but this change gives us
- strictly correct behaviour at least for TLS.
- [Bodo Moeller]
-
- +) Change all functions with names starting with des_ to be starting
+ *) Change all functions with names starting with des_ to be starting
with DES_ instead. Add wrappers that are compatible with libdes,
but are named _ossl_old_des_*. Finally, add macros that map the
- des_* symbols to the corresponding _ossl_old_des_*.
+ des_* symbols to the corresponding _ossl_old_des_* if libdes
+ compatibility is desired. If OpenSSL 0.9.6c compatibility is
+ desired, the des_* symbols will be mapped to DES_*, with one
+ exception.
+
+ Since we provide two compatibility mappings, the user needs to
+ define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
+ compatibility is desired. The default (i.e., when that macro
+ isn't defined) is OpenSSL 0.9.6c compatibility.
- All this is done because there are increasing clashes with libdes
- and other DES libraries that are currently used by other projects.
- The old libdes interface (including crypt()) is provided if
- <openssl/des_old.h> is included. For now, this automatically
- happens in <openssl/des.h> unless OPENSSL_DISABLE_OLD_DES_SUPPORT is
- defined. Note that crypt() is no longer declared in <openssl/des.h>.
+ There are also macros that enable and disable the support of old
+ des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
+ and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
+ are defined, the default will apply: to support the old des routines.
+
+ In either case, one must include openssl/des.h to get the correct
+ definitions. Do not try to just include openssl/des_old.h, that
+ won't work.
NOTE: This is a major break of an old API into a new one. Software
authors are encouraged to switch to the DES_ style functions. Some
time in the future, des_old.h and the libdes compatibility functions
- will be completely removed.
+ will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
+ default), and then completely removed.
[Richard Levitte]
- *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
- never resets s->method to s->ctx->method when called from within
- one of the SSL handshake functions.
- [Bodo Moeller; problem pointed out by Niko Baric]
-
- +) Test for certificates which contain unsupported critical extensions.
+ *) Test for certificates which contain unsupported critical extensions.
If such a certificate is found during a verify operation it is
rejected by default: this behaviour can be overridden by either
handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
particular extension is supported.
[Steve Henson]
- *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
- (sent using the client's version number) if client_version is
- smaller than the protocol version in use. Also change
- ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
- the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
- the client will at least see that alert.
- [Bodo Moeller]
-
- +) Modify the behaviour of EVP cipher functions in similar way to digests
+ *) Modify the behaviour of EVP cipher functions in similar way to digests
to retain compatibility with existing code.
[Steve Henson]
- +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
+ *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
compatibility with existing code. In particular the 'ctx' parameter does
not have to be to be initialized before the call to EVP_DigestInit() and
it is tidied up after a call to EVP_DigestFinal(). New function
EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
[Steve Henson]
- +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
+ *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
so that complete 'Handshake' protocol structures are kept in memory
instead of overwriting 'msg_type' and 'length' with 'body' data.
[Bodo Moeller]
- *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
- correctly.
- [Bodo Moeller]
-
- +) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
+ *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
[Massimo Santin via Richard Levitte]
- +) Major restructuring to the underlying ENGINE code. This includes
+ *) Major restructuring to the underlying ENGINE code. This includes
reduction of linker bloat, separation of pure "ENGINE" manipulation
(initialisation, etc) from functionality dealing with implementations
of specific crypto iterfaces. This change also introduces integrated
the new code.
[Geoff Thorpe]
- +) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
+ *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
[Steve Henson]
- +) Change mkdef.pl to sort symbols that get the same entry number,
+ *) Change mkdef.pl to sort symbols that get the same entry number,
and make sure the automatically generated functions ERR_load_*
become part of libeay.num as well.
[Richard Levitte]
- *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
- client receives HelloRequest while in a handshake.
- [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
-
- +) New function SSL_renegotiate_pending(). This returns true once
+ *) New function SSL_renegotiate_pending(). This returns true once
renegotiation has been requested (either SSL_renegotiate() call
or HelloRequest/ClientHello receveived from the peer) and becomes
false once a handshake has been completed.
client has followed the request.)
[Bodo Moeller]
- +) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
+ *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
By default, clients may request session resumption even during
renegotiation (if session ID contexts permit); with this option,
session resumption is possible only in the first handshake.
- [Bodo Moeller]
-
- *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
- should end in 'break', not 'goto end' which circuments various
- cleanups done in state SSL_ST_OK. But session related stuff
- must be disabled for SSL_ST_OK in the case that we just sent a
- HelloRequest.
-
- Also avoid some overhead by not calling ssl_init_wbio_buffer()
- before just sending a HelloRequest.
- [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
-
- *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
- reveal whether illegal block cipher padding was found or a MAC
- verification error occured. (Neither SSLerr() codes nor alerts
- are directly visible to potential attackers, but the information
- may leak via logfiles.)
- Similar changes are not required for the SSL 2.0 implementation
- because the number of padding bytes is sent in clear for SSL 2.0,
- and the extra bytes are just ignored. However ssl/s2_pkt.c
- failed to verify that the purported number of padding bytes is in
- the legal range.
+ SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
+ more bits available for options that should not be part of
+ SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
[Bodo Moeller]
- +) Add some demos for certificate and certificate request creation.
+ *) Add some demos for certificate and certificate request creation.
[Steve Henson]
- +) Make maximum certificate chain size accepted from the peer application
+ *) Make maximum certificate chain size accepted from the peer application
settable (SSL*_get/set_max_cert_list()), as proposed by
"Douglas E. Engert" <deengert@anl.gov>.
[Lutz Jaenicke]
- +) Add support for shared libraries for Unixware-7
- (Boyd Lynn Gerber <gerberb@zenez.com>).
- [Lutz Jaenicke]
-
- *) Add OpenUNIX-8 support including shared libraries
+ *) Add support for shared libraries for Unixware-7
(Boyd Lynn Gerber <gerberb@zenez.com>).
[Lutz Jaenicke]
- *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
- 'wristwatch attack' using huge encoding parameters (cf.
- James H. Manger's CRYPTO 2001 paper). Note that the
- RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
- encoding parameters and hence was not vulnerable.
- [Bodo Moeller]
-
- +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
+ *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
be done prior to destruction. Use this to unload error strings from
ENGINEs that load their own error strings. NB: This adds two new API
functions to "get" and "set" this destroy handler in an ENGINE.
[Geoff Thorpe]
- +) Alter all existing ENGINE implementations (except "openssl" and
+ *) Alter all existing ENGINE implementations (except "openssl" and
"openbsd") to dynamically instantiate their own error strings. This
makes them more flexible to be built both as statically-linked ENGINEs
and self-contained shared-libraries loadable via the "dynamic" ENGINE.
shared-libraries easier (see README.ENGINE).
[Geoff Thorpe]
- +) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
+ *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
implementations into applications that are completely implemented in
self-contained shared-libraries. The "dynamic" ENGINE exposes control
commands that can be used to configure what shared-library to load and
(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
[Geoff Thorpe]
- *) BN_sqr() bug fix.
- [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
-
- +) Make it possible to unload ranges of ERR strings with a new
+ *) Make it possible to unload ranges of ERR strings with a new
"ERR_unload_strings" function.
[Geoff Thorpe]
- *) Rabin-Miller test analyses assume uniformly distributed witnesses,
- so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
- followed by modular reduction.
- [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
-
- *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
- equivalent based on BN_pseudo_rand() instead of BN_rand().
- [Bodo Moeller]
-
- +) Add a copy() function to EVP_MD.
+ *) Add a copy() function to EVP_MD.
[Ben Laurie]
- +) Make EVP_MD routines take a context pointer instead of just the
+ *) Make EVP_MD routines take a context pointer instead of just the
md_data void pointer.
[Ben Laurie]
- +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
+ *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
that the digest can only process a single chunk of data
(typically because it is provided by a piece of
hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
framework needn't accumulate the data for oneshot drivers.
[Ben Laurie]
- +) As with "ERR", make it possible to replace the underlying "ex_data"
+ *) As with "ERR", make it possible to replace the underlying "ex_data"
functions. This change also alters the storage and management of global
ex_data state - it's now all inside ex_data.c and all "class" code (eg.
RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
has a return value to indicate success or failure.
[Geoff Thorpe]
- +) Make it possible to replace the underlying "ERR" functions such that the
+ *) Make it possible to replace the underlying "ERR" functions such that the
global state (2 LHASH tables and 2 locks) is only used by the "default"
implementation. This change also adds two functions to "get" and "set"
the implementation prior to it being automatically set the first time
application and not in its own statically linked copy of OpenSSL code.
[Geoff Thorpe]
- +) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
+ *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
reference counts. This performs normal REF_PRINT/REF_CHECK macros on
the operation, and provides a more encapsulated way for external code
(crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
[Geoff Thorpe]
- *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
- This function was broken, as the check for a new client hello message
- to handle SGC did not allow these large messages.
- (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
- [Lutz Jaenicke]
-
- *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
- [Lutz Jaenicke]
-
- +) Add EVP test program.
+ *) Add EVP test program.
[Ben Laurie]
- +) Add symmetric cipher support to ENGINE. Expect the API to change!
+ *) Add symmetric cipher support to ENGINE. Expect the API to change!
[Ben Laurie]
- +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
+ *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
These allow a CRL to be built without having to access X509_CRL fields
directly. Modify 'ca' application to use new functions.
[Steve Henson]
- *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
- for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
- [Lutz Jaenicke]
-
- *) Rework the configuration and shared library support for Tru64 Unix.
- The configuration part makes use of modern compiler features and
- still retains old compiler behavior for those that run older versions
- of the OS. The shared library support part includes a variant that
- uses the RPATH feature, and is available through the special
- configuration target "alpha-cc-rpath", which will never be selected
- automatically.
- [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
-
- *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
- with the same message size as in ssl3_get_certificate_request().
- Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
- messages might inadvertently be reject as too long.
- [Petr Lampa <lampa@fee.vutbr.cz>]
-
- +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
+ *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
bug workarounds. Rollback attack detection is a security feature.
The problem will only arise on OpenSSL servers when TLSv1 is not
available (sslv3_server_method() or SSL_OP_NO_TLSv1).
for their choice and can explicitly enable this option.
[Bodo Moeller, Lutz Jaenicke]
- +) Rationalise EVP so it can be extended: don't include a union of
- cipher/digest structures, add init/cleanup functions. This also reduces
- the number of header dependencies.
+ *) Rationalise EVP so it can be extended: don't include a union of
+ cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
+ (similar to those existing for EVP_CIPHER_CTX).
+ Usage example:
+
+ EVP_MD_CTX md;
+
+ EVP_MD_CTX_init(&md); /* new function call */
+ EVP_DigestInit(&md, EVP_sha1());
+ EVP_DigestUpdate(&md, in, len);
+ EVP_DigestFinal(&md, out, NULL);
+ EVP_MD_CTX_cleanup(&md); /* new function call */
+
[Ben Laurie]
- +) Make DES key schedule conform to the usual scheme, as well as
+ *) Make DES key schedule conform to the usual scheme, as well as
correcting its structure. This means that calls to DES functions
now have to pass a pointer to a des_key_schedule instead of a
plain des_key_schedule (which was actually always a pointer
- anyway).
- [Ben Laurie]
+ anyway): E.g.,
- *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
- [Andy Polyakov]
+ des_key_schedule ks;
- *) Modified SSL library such that the verify_callback that has been set
- specificly for an SSL object with SSL_set_verify() is actually being
- used. Before the change, a verify_callback set with this function was
- ignored and the verify_callback() set in the SSL_CTX at the time of
- the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
- to allow the necessary settings.
- [Lutz Jaenicke]
+ des_set_key_checked(..., &ks);
+ des_ncbc_encrypt(..., &ks, ...);
+
+ (Note that a later change renames 'des_...' into 'DES_...'.)
+ [Ben Laurie]
- +) Initial reduction of linker bloat: the use of some functions, such as
+ *) Initial reduction of linker bloat: the use of some functions, such as
PEM causes large amounts of unused functions to be linked in due to
poor organisation. For example pem_all.c contains every PEM function
which has a knock on effect of linking in large amounts of (unused)
functions prevents this.
[Steve Henson]
- *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
- explicitly to NULL, as at least on Solaris 8 this seems not always to be
- done automatically (in contradiction to the requirements of the C
- standard). This made problems when used from OpenSSH.
- [Lutz Jaenicke]
-
- *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
- dh->length and always used
-
- BN_rand_range(priv_key, dh->p).
-
- BN_rand_range() is not necessary for Diffie-Hellman, and this
- specific range makes Diffie-Hellman unnecessarily inefficient if
- dh->length (recommended exponent length) is much smaller than the
- length of dh->p. We could use BN_rand_range() if the order of
- the subgroup was stored in the DH structure, but we only have
- dh->length.
-
- So switch back to
-
- BN_rand(priv_key, l, ...)
-
- where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
- otherwise.
- [Bodo Moeller]
-
- *) In
-
- RSA_eay_public_encrypt
- RSA_eay_private_decrypt
- RSA_eay_private_encrypt (signing)
- RSA_eay_public_decrypt (signature verification)
-
- (default implementations for RSA_public_encrypt,
- RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
- always reject numbers >= n.
- [Bodo Moeller]
-
- *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
- to synchronize access to 'locking_thread'. This is necessary on
- systems where access to 'locking_thread' (an 'unsigned long'
- variable) is not atomic.
- [Bodo Moeller]
-
- *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
- *before* setting the 'crypto_lock_rand' flag. The previous code had
- a race condition if 0 is a valid thread ID.
- [Travis Vitek <vitek@roguewave.com>]
-
- +) Cleanup of EVP macros.
+ *) Cleanup of EVP macros.
[Ben Laurie]
- +) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
+ *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
correct _ecb suffix.
[Ben Laurie]
- +) Add initial OCSP responder support to ocsp application. The
+ *) Add initial OCSP responder support to ocsp application. The
revocation information is handled using the text based index
use by the ca application. The responder can either handle
requests generated internally, supplied in files (for example
via a CGI script) or using an internal minimal server.
[Steve Henson]
- +) Add configuration choices to get zlib compression for TLS.
+ *) Add configuration choices to get zlib compression for TLS.
[Richard Levitte]
- +) Changes to Kerberos SSL for RFC 2712 compliance:
+ *) Changes to Kerberos SSL for RFC 2712 compliance:
1. Implemented real KerberosWrapper, instead of just using
KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
2. Implemented optional authenticator field of KerberosWrapper.
Jeffrey Altman <jaltman@columbia.edu>
via Richard Levitte]
- +) Cause 'openssl speed' to use fully hard-coded DSA keys as it
+ *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
already does with RSA. testdsa.h now has 'priv_key/pub_key'
values for each of the key sizes rather than having just
parameters (and 'speed' generating keys each time).
[Geoff Thorpe]
- *) Add support for shared libraries under Irix.
- [Albert Chin-A-Young <china@thewrittenword.com>]
-
- *) Add configuration option to build on Linux on both big-endian and
- little-endian MIPS.
- [Ralf Baechle <ralf@uni-koblenz.de>]
-
- *) Add the possibility to create shared libraries on HP-UX.
- [Richard Levitte]
-
- -) OpenSSL 0.9.6b released [9 July 2001]
-
- *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
- to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
- Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
- PRNG state recovery was possible based on the output of
- one PRNG request appropriately sized to gain knowledge on
- 'md' followed by enough consecutive 1-byte PRNG requests
- to traverse all of 'state'.
-
- 1. When updating 'md_local' (the current thread's copy of 'md')
- during PRNG output generation, hash all of the previous
- 'md_local' value, not just the half used for PRNG output.
-
- 2. Make the number of bytes from 'state' included into the hash
- independent from the number of PRNG bytes requested.
-
- The first measure alone would be sufficient to avoid
- Markku-Juhani's attack. (Actually it had never occurred
- to me that the half of 'md_local' used for chaining was the
- half from which PRNG output bytes were taken -- I had always
- assumed that the secret half would be used.) The second
- measure makes sure that additional data from 'state' is never
- mixed into 'md_local' in small portions; this heuristically
- further strengthens the PRNG.
- [Bodo Moeller]
-
- +) Speed up EVP routines.
+ *) Speed up EVP routines.
Before:
encrypt
type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Ben Laurie]
- *) Fix crypto/bn/asm/mips3.s.
- [Andy Polyakov]
-
- *) When only the key is given to "enc", the IV is undefined. Print out
- an error message in this case.
- [Lutz Jaenicke]
-
- +) Added the OS2-EMX target.
+ *) Added the OS2-EMX target.
["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
- +) Rewrite apps to use NCONF routines instead of the old CONF. New functions
+ *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
to support NCONF routines in extension code. New function CONF_set_nconf()
to allow functions which take an NCONF to also handle the old LHASH
structure: this means that the old CONF compatible routines can be
code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
[Steve Henson]
- *) Handle special case when X509_NAME is empty in X509 printing routines.
- [Steve Henson]
-
- *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
- positive and less than q.
- [Bodo Moeller]
-
- +) Enhance the general user interface with mechanisms for inner control
+ *) Enhance the general user interface with mechanisms for inner control
and with possibilities to have yes/no kind of prompts.
[Richard Levitte]
- +) Change all calls to low level digest routines in the library and
+ *) Change all calls to low level digest routines in the library and
applications to use EVP. Add missing calls to HMAC_cleanup() and
don't assume HMAC_CTX can be copied using memcpy().
[Verdon Walker <VWalker@novell.com>, Steve Henson]
- +) Add the possibility to control engines through control names but with
+ *) Add the possibility to control engines through control names but with
arbitrary arguments instead of just a string.
Change the key loaders to take a UI_METHOD instead of a callback
function pointer. NOTE: this breaks binary compatibility with earlier
callback.
[Richard Levitte]
- +) Enhance the general user interface with mechanisms to better support
+ *) Enhance the general user interface with mechanisms to better support
dialog box interfaces, application-defined prompts, the possibility
to use defaults (for example default passwords from somewhere else)
and interrupts/cancellations.
[Richard Levitte]
- *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
- used: it isn't thread safe and the add_lock_callback should handle
- that itself.
- [Paul Rose <Paul.Rose@bridge.com>]
-
- *) Verify that incoming data obeys the block size in
- ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
- [Bodo Moeller]
-
- +) Tidy up PKCS#12 attribute handling. Add support for the CSP name
+ *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
[Steve Henson]
- *) Fix OAEP check.
- [Ulf Möller, Bodo Möller]
-
- *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
- RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
- when fixing the server behaviour for backwards-compatible 'client
- hello' messages. (Note that the attack is impractical against
- SSL 3.0 and TLS 1.0 anyway because length and version checking
- means that the probability of guessing a valid ciphertext is
- around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
- paper.)
-
- Before 0.9.5, the countermeasure (hide the error by generating a
- random 'decryption result') did not work properly because
- ERR_clear_error() was missing, meaning that SSL_get_error() would
- detect the supposedly ignored error.
-
- Both problems are now fixed.
- [Bodo Moeller]
-
- *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
- (previously it was 1024).
- [Bodo Moeller]
-
- +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
+ *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
tidy up some unnecessarily weird code in 'sk_new()').
[Geoff, reported by Diego Tartara <dtartara@novamens.com>]
- +) Change the key loading routines for ENGINEs to use the same kind
+ *) Change the key loading routines for ENGINEs to use the same kind
callback (pem_password_cb) as all other routines that need this
kind of callback.
[Richard Levitte]
- *) Fix for compatibility mode trust settings: ignore trust settings
- unless some valid trust or reject settings are present.
- [Steve Henson]
-
- *) Fix for blowfish EVP: its a variable length cipher.
- [Steve Henson]
-
- +) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
+ *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
256 bit (=32 byte) keys. Of course seeding with more entropy bytes
than this minimum value is recommended.
[Lutz Jaenicke]
- +) New random seeder for OpenVMS, using the system process statistics
+ *) New random seeder for OpenVMS, using the system process statistics
that are easily reachable.
[Richard Levitte]
- +) Windows apparently can't transparently handle global
+ *) Windows apparently can't transparently handle global
variables defined in DLLs. Initialisations such as:
const ASN1_ITEM *it = &ASN1_INTEGER_it;
needed for static libraries under Win32.
[Steve Henson]
- +) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
+ *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
setting of purpose and trust fields. New X509_STORE trust and
purpose functions and tidy up setting in other SSL functions.
[Steve Henson]
- +) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
+ *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
structure. These are inherited by X509_STORE_CTX when it is
initialised. This allows various defaults to be set in the
X509_STORE structure (such as flags for CRL checking and custom
applications.
[Steve Henson]
- +) Initial CRL based revocation checking. If the CRL checking flag(s)
+ *) Initial CRL based revocation checking. If the CRL checking flag(s)
are set then the CRL is looked up in the X509_STORE structure and
its validity and signature checked, then if the certificate is found
in the CRL the verify fails with a revoked error.
handling.
[Steve Henson]
- +) Add a general user interface API (crypto/ui/). This is designed
+ *) Add a general user interface API (crypto/ui/). This is designed
to replace things like des_read_password and friends (backward
compatibility functions using this new API are provided).
The purpose is to remove prompting functions from the DES code
a window system and the like.
[Richard Levitte]
- *) Fix various bugs related to DSA S/MIME verification. Handle missing
- parameters in DSA public key structures and return an error in the
- DSA routines if parameters are absent.
- [Steve Henson]
-
- *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
- in the current directory if neither $RANDFILE nor $HOME was set.
- RAND_file_name() in 0.9.6a returned NULL in this case. This has
- caused some confusion to Windows users who haven't defined $HOME.
- Thus RAND_file_name() is changed again: e_os.h can define a
- DEFAULT_HOME, which will be used if $HOME is not set.
- For Windows, we use "C:"; on other platforms, we still require
- environment variables.
-
- +) Add "ex_data" support to ENGINE so implementations can add state at a
+ *) Add "ex_data" support to ENGINE so implementations can add state at a
per-structure level rather than having to store it globally.
[Geoff]
- +) Make it possible for ENGINE structures to be copied when retrieved by
+ *) Make it possible for ENGINE structures to be copied when retrieved by
ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
This causes the "original" ENGINE structure to act like a template,
analogous to the RSA vs. RSA_METHOD type of separation. Because of this
ENGINE structure.
[Geoff]
- +) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
+ *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
needs to match any other type at all we need to manually clear the
tag cache.
[Steve Henson]
- +) Changes to the "openssl engine" utility to include;
+ *) Changes to the "openssl engine" utility to include;
- verbosity levels ('-v', '-vv', and '-vvv') that provide information
about an ENGINE's available control commands.
- executing control commands from command line arguments using the
openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
[Geoff]
- +) New dynamic control command support for ENGINEs. ENGINEs can now
+ *) New dynamic control command support for ENGINEs. ENGINEs can now
declare their own commands (numbers), names (strings), descriptions,
and input types for run-time discovery by calling applications. A
subset of these commands are implicitly classed as "executable"
control over shared-library paths without source code alterations.
[Geoff]
- +) Changed all ENGINE implementations to dynamically allocate their
+ *) Changed all ENGINE implementations to dynamically allocate their
ENGINEs rather than declaring them statically. Apart from this being
necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
this also allows the implementations to compile without using the
internal engine_int.h header.
[Geoff]
- +) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
+ *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
'const' value. Any code that should be able to modify a RAND_METHOD
should already have non-const pointers to it (ie. they should only
modify their own ones).
[Geoff]
- +) Made a variety of little tweaks to the ENGINE code.
+ *) Made a variety of little tweaks to the ENGINE code.
- "atalla" and "ubsec" string definitions were moved from header files
to C code. "nuron" string definitions were placed in variables
rather than hard-coded - allowing parameterisation of these values
ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
[Geoff]
- *) Move 'if (!initialized) RAND_poll()' into regions protected by
- CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
- having multiple threads call RAND_poll() concurrently.
- [Bodo Moeller]
-
- *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
- combination of a flag and a thread ID variable.
- Otherwise while one thread is in ssleay_rand_bytes (which sets the
- flag), *other* threads can enter ssleay_add_bytes without obeying
- the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
- that they do not hold after the first thread unsets add_do_not_lock).
- [Bodo Moeller]
-
- +) Implement binary inversion algorithm for BN_mod_inverse in addition
+ *) Implement binary inversion algorithm for BN_mod_inverse in addition
to the algorithm using long division. The binary algorithm can be
used only if the modulus is odd. On 32-bit systems, it is faster
only for relatively small moduli (roughly 20-30% for 128-bit moduli,
for moduli up to 2048 bits.
[Bodo Moeller]
- *) Change bctest again: '-x' expressions are not available in all
- versions of 'test'.
- [Bodo Moeller]
-
- -) OpenSSL 0.9.6a released [5 Apr 2001]
-
- *) Fix a couple of memory leaks in PKCS7_dataDecode()
- [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
-
- *) Change Configure and Makefiles to provide EXE_EXT, which will contain
- the default extension for executables, if any. Also, make the perl
- scripts that use symlink() to test if it really exists and use "cp"
- if it doesn't. All this made OpenSSL compilable and installable in
- CygWin.
- [Richard Levitte]
-
- +) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
+ *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
could not support the combine flag in choice fields.
[Steve Henson]
- -) Fix for asn1_GetSequence() for indefinite length constructed data.
- If SEQUENCE is length is indefinite just set c->slen to the total
- amount of data available.
- [Steve Henson, reported by shige@FreeBSD.org]
- [This change does not apply to 0.9.7.]
-
- *) Change bctest to avoid here-documents inside command substitution
- (workaround for FreeBSD /bin/sh bug).
- For compatibility with Ultrix, avoid shell functions (introduced
- in the bctest version that searches along $PATH).
- [Bodo Moeller]
-
- *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
- with des_encrypt() defined on some operating systems, like Solaris
- and UnixWare.
- [Richard Levitte]
-
- *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
- On the Importance of Eliminating Errors in Cryptographic
- Computations, J. Cryptology 14 (2001) 2, 101-119,
- http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
- [Ulf Moeller]
-
- *) MIPS assembler BIGNUM division bug fix.
- [Andy Polyakov]
-
- *) Disabled incorrect Alpha assembler code.
- [Richard Levitte]
-
- -) Fix PKCS#7 decode routines so they correctly update the length
- after reading an EOC for the EXPLICIT tag.
- [Steve Henson]
- [This change does not apply to 0.9.7.]
-
- *) Fix bug in PKCS#12 key generation routines. This was triggered
- if a 3DES key was generated with a 0 initial byte. Include
- PKCS12_BROKEN_KEYGEN compilation option to retain the old
- (but broken) behaviour.
- [Steve Henson]
-
- *) Enhance bctest to search for a working bc along $PATH and print
- it when found.
- [Tim Rice <tim@multitalents.net> via Richard Levitte]
-
- +) Add a 'copy_extensions' option to the 'ca' utility. This copies
+ *) Add a 'copy_extensions' option to the 'ca' utility. This copies
extensions from a certificate request to the certificate.
[Steve Henson]
- +) Allow multiple 'certopt' and 'nameopt' options to be separated
+ *) Allow multiple 'certopt' and 'nameopt' options to be separated
by commas. Add 'namopt' and 'certopt' options to the 'ca' config
file: this allows the display of the certificate about to be
signed to be customised, to allow certain fields to be included
and couldn't display additional details such as extensions.
[Steve Henson]
- *) Fix memory leaks in err.c: free err_data string if necessary;
- don't write to the wrong index in ERR_set_error_data.
- [Bodo Moeller]
-
- +) Function EC_POINTs_mul for multiple scalar multiplication
+ *) Function EC_POINTs_mul for multiple scalar multiplication
of an arbitrary number of elliptic curve points
\sum scalars[i]*points[i],
optionally including the generator defined for the EC_GROUP:
generator).
[Bodo Moeller]
- +) First EC_METHODs for curves over GF(p):
+ *) First EC_METHODs for curves over GF(p):
EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
operations and provides various method functions that can also
implementation directly derived from source code provided by
Lenka Fibikova <fibikova@exp-math.uni-essen.de>]
- +) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
+ *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
crypto/ec/ec_lib.c):
Curves are EC_GROUP objects (with an optional group generator)
than GF(p), some functions are limited to that for now.
[Bodo Moeller]
- +) Add the -HTTP option to s_server. It is similar to -WWW, but requires
+ *) Add the -HTTP option to s_server. It is similar to -WWW, but requires
that the file contains a complete HTTP response.
[Richard Levitte]
- +) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
+ *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
change the def and num file printf format specifier from "%-40sXXX"
to "%-39s XXX". The latter will always guarantee a space after the
field while the former will cause them to run together if the field
is 40 of more characters long.
[Steve Henson]
- +) Constify the cipher and digest 'method' functions and structures
+ *) Constify the cipher and digest 'method' functions and structures
and modify related functions to take constant EVP_MD and EVP_CIPHER
pointers.
[Steve Henson]
- *) Implement ssl23_peek (analogous to ssl23_read), which previously
- did not exist.
- [Bodo Moeller]
-
- *) Replace rdtsc with _emit statements for VC++ version 5.
- [Jeremy Cooper <jeremy@baymoo.org>]
-
- +) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
+ *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.
[Bodo Moeller]
- +) Modify EVP_Digest*() routines so they now return values. Although the
+ *) Modify EVP_Digest*() routines so they now return values. Although the
internal software routines can never fail additional hardware versions
might.
[Steve Henson]
- +) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
+ *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
(= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
Add new error code 'ERR_R_INTERNAL_ERROR'.
[Bodo Moeller]
- +) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
+ *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
suffices.
[Bodo Moeller]
- +) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
+ *) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
sets the subject name for a new request or supersedes the
subject name in a given request. Formats that can be parsed are
'CN=Some Name, OU=myOU, C=IT'
Add options '-batch' and '-verbose' to 'openssl req'.
[Massimiliano Pala <madwolf@hackmasters.net>]
- *) Make it possible to reuse SSLv2 sessions.
- [Richard Levitte]
-
- +) Introduce the possibility to access global variables through
+ *) Introduce the possibility to access global variables through
functions on platform were that's the best way to handle exporting
global variables in shared libraries. To enable this functionality,
one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
lexicographically to avoid constant rewrites).
[Richard Levitte]
- *) In copy_email() check for >= 0 as a return value for
- X509_NAME_get_index_by_NID() since 0 is a valid index.
- [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
-
- +) In BN_div() keep a copy of the sign of 'num' before writing the
+ *) In BN_div() keep a copy of the sign of 'num' before writing the
result to 'rm' because if rm==num the value will be overwritten
and produce the wrong result if 'num' is negative: this caused
problems with BN_mod() and BN_nnmod().
[Steve Henson]
- +) Function OCSP_request_verify(). This checks the signature on an
+ *) Function OCSP_request_verify(). This checks the signature on an
OCSP request and verifies the signer certificate. The signer
certificate is just checked for a generic purpose and OCSP request
trust settings.
[Steve Henson]
- +) Add OCSP_check_validity() function to check the validity of OCSP
+ *) Add OCSP_check_validity() function to check the validity of OCSP
responses. OCSP responses are prepared in real time and may only
be a few seconds old. Simply checking that the current time lies
between thisUpdate and nextUpdate max reject otherwise valid responses
ocsp utility.
[Steve Henson]
- +) If signature or public key algorithm is unrecognized print out its
+ *) If signature or public key algorithm is unrecognized print out its
OID rather that just UNKNOWN.
[Steve Henson]
- *) Avoid coredump with unsupported or invalid public keys by checking if
- X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
- PKCS7_verify() fails with non detached data.
- [Steve Henson]
-
- +) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
+ *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
ID to be generated from the issuer certificate alone which can then be
passed to OCSP_id_issuer_cmp().
[Steve Henson]
- +) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
+ *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
ASN1 modules to export functions returning ASN1_ITEM pointers
instead of the ASN1_ITEM structures themselves. This adds several
new macros which allow the underlying ASN1 function/structure to
functions returning pointers to structures is not.
[Steve Henson]
- +) Add support for overriding the generation of SSL/TLS session IDs.
+ *) Add support for overriding the generation of SSL/TLS session IDs.
These callbacks can be registered either in an SSL_CTX or per SSL.
The purpose of this is to allow applications to control, if they wish,
the arbitrary values chosen for use as session IDs, particularly as it
to use such a feature) has been added to "s_server".
[Geoff Thorpe, Lutz Jaenicke]
- +) Modify mkdef.pl to recognise and parse preprocessor conditionals
+ *) Modify mkdef.pl to recognise and parse preprocessor conditionals
of the form '#if defined(...) || defined(...) || ...' and
'#if !defined(...) && !defined(...) && ...'. This also avoids
the growing number of special cases it was previously handling.
[Richard Levitte]
- *) Don't use getenv in library functions when run as setuid/setgid.
- New function OPENSSL_issetugid().
- [Ulf Moeller]
-
- +) Make all configuration macros available for application by making
+ *) Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
what is available.
[Richard Levitte]
- +) New option -set_serial to 'req' and 'x509' this allows the serial
+ *) New option -set_serial to 'req' and 'x509' this allows the serial
number to use to be specified on the command line. Previously self
signed certificates were hard coded with serial number 0 and the
CA options of 'x509' had to use a serial number in a file which was
auto incremented.
[Steve Henson]
- *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
- due to incorrect handling of multi-threading:
-
- 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
-
- 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
-
- 3. Count how many times MemCheck_off() has been called so that
- nested use can be treated correctly. This also avoids
- inband-signalling in the previous code (which relied on the
- assumption that thread ID 0 is impossible).
- [Bodo Moeller]
-
- +) New options to 'ca' utility to support V2 CRL entry extensions.
+ *) New options to 'ca' utility to support V2 CRL entry extensions.
Currently CRL reason, invalidity date and hold instruction are
supported. Add new CRL extensions to V3 code and some new objects.
[Steve Henson]
- *) Add "-rand" option also to s_client and s_server.
- [Lutz Jaenicke]
-
- +) New function EVP_CIPHER_CTX_set_padding() this is used to
+ *) New function EVP_CIPHER_CTX_set_padding() this is used to
disable standard block padding (aka PKCS#5 padding) in the EVP
API, which was previously mandatory. This means that the data is
not padded in any way and so the total length much be a multiple
of the block size, otherwise an error occurs.
[Steve Henson]
- +) Initial (incomplete) OCSP SSL support.
+ *) Initial (incomplete) OCSP SSL support.
[Steve Henson]
- *) Fix CPU detection on Irix 6.x.
- [Kurt Hockenbury <khockenb@stevens-tech.edu> and
- "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
-
- +) New function OCSP_parse_url(). This splits up a URL into its host,
+ *) New function OCSP_parse_url(). This splits up a URL into its host,
port and path components: primarily to parse OCSP URLs. New -url
option to ocsp utility.
[Steve Henson]
- +) New nonce behavior. The return value of OCSP_check_nonce() now
+ *) New nonce behavior. The return value of OCSP_check_nonce() now
reflects the various checks performed. Applications can decide
whether to tolerate certain situations such as an absent nonce
in a response when one was present in a request: the ocsp application
the request is nonce-less.
[Steve Henson]
- *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
- was empty.
- [Steve Henson]
- [This change does not apply to 0.9.7.]
-
- *) Use the cached encoding of an X509_NAME structure rather than
- copying it. This is apparently the reason for the libsafe "errors"
- but the code is actually correct.
- [Steve Henson]
-
- +) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
+ *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
skipped when using openssl x509 multiple times on a single input file,
e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
[Bodo Moeller]
- +) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
+ *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
set string type: to handle setting ASN1_TIME structures. Fix ca
utility to correctly initialize revocation date of CRLs.
[Steve Henson]
- +) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
+ *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
the clients preferred ciphersuites and rather use its own preferences.
Should help to work around M$ SGC (Server Gated Cryptography) bug in
Internet Explorer by ensuring unchanged hash method during stepup.
(Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
[Lutz Jaenicke]
- +) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
+ *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
to aes and add a new 'exist' option to print out symbols that don't
appear to exist.
[Steve Henson]
- +) Additional options to ocsp utility to allow flags to be set and
+ *) Additional options to ocsp utility to allow flags to be set and
additional certificates supplied.
[Steve Henson]
- +) Add the option -VAfile to 'openssl ocsp', so the user can give the
+ *) Add the option -VAfile to 'openssl ocsp', so the user can give the
OCSP client a number of certificate to only verify the response
signature against.
[Richard Levitte]
- *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
- Bleichenbacher's DSA attack.
- Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
- to be set and top=0 forces the highest bit to be set; top=-1 is new
- and leaves the highest bit random.
- [Ulf Moeller, Bodo Moeller]
-
- +) Update Rijndael code to version 3.0 and change EVP AES ciphers to
+ *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
handle the new API. Currently only ECB, CBC modes supported. Add new
- AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites
- for TLS" draft-ietf-tls-ciphersuite-03.txt.
- [Ben Laurie, Steve Henson]
-
- *) In the NCONF_...-based implementations for CONF_... queries
- (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
- a temporary CONF structure with the data component set to NULL
- (which gives segmentation faults in lh_retrieve).
- Instead, use NULL for the CONF pointer in CONF_get_string and
- CONF_get_number (which may use environment variables) and directly
- return NULL from CONF_get_section.
- [Bodo Moeller]
-
- *) Fix potential buffer overrun for EBCDIC.
- [Ulf Moeller]
-
- +) New function OCSP_copy_nonce() to copy nonce value (if present) from
+ AES OIDs.
+
+ Add TLS AES ciphersuites as described in RFC3268, "Advanced
+ Encryption Standard (AES) Ciphersuites for Transport Layer
+ Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
+ not enabled by default and were not part of the "ALL" ciphersuite
+ alias because they were not yet official; they could be
+ explicitly requested by specifying the "AESdraft" ciphersuite
+ group alias. In the final release of OpenSSL 0.9.7, the group
+ alias is called "AES" and is part of "ALL".)
+ [Ben Laurie, Steve Henson, Bodo Moeller]
+
+ *) New function OCSP_copy_nonce() to copy nonce value (if present) from
request to response.
[Steve Henson]
- +) Functions for OCSP responders. OCSP_request_onereq_count(),
+ *) Functions for OCSP responders. OCSP_request_onereq_count(),
OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
extract information from a certificate request. OCSP_response_create()
creates a response and optionally adds a basic response structure.
(converts ASN1_TIME to GeneralizedTime).
[Steve Henson]
- +) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
+ *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
structure from a certificate. X509_pubkey_digest() digests the public_key
contents: this is used in various key identifiers.
[Steve Henson]
- *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
- keyUsage if basicConstraints absent for a CA.
- [Steve Henson]
-
- *) Make SMIME_write_PKCS7() write mail header values with a format that
- is more generally accepted (no spaces before the semicolon), since
- some programs can't parse those values properly otherwise. Also make
- sure BIO's that break lines after each write do not create invalid
- headers.
- [Richard Levitte]
-
- +) Make sk_sort() tolerate a NULL argument.
+ *) Make sk_sort() tolerate a NULL argument.
[Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
- +) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
+ *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
passed by the function are trusted implicitly. If any of them signed the
response then it is assumed to be valid and is not verified.
[Steve Henson]
- -) Make the CRL encoding routines work with empty SEQUENCE OF. The
- macros previously used would not encode an empty SEQUENCE OF
- and break the signature.
- [Steve Henson]
- [This change does not apply to 0.9.7.]
-
- *) Zero the premaster secret after deriving the master secret in
- DH ciphersuites.
- [Steve Henson]
-
- +) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
+ *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
to data. This was previously part of the PKCS7 ASN1 code. This
was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
[Steve Henson, reported by Kenneth R. Robinette
<support@securenetterm.com>]
- +) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
+ *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
routines: without these tracing memory leaks is very painful.
Fix leaks in PKCS12 and PKCS7 routines.
[Steve Henson]
- *) Add some EVP_add_digest_alias registrations (as found in
- OpenSSL_add_all_digests()) to SSL_library_init()
- aka OpenSSL_add_ssl_algorithms(). This provides improved
- compatibility with peers using X.509 certificates
- with unconventional AlgorithmIdentifier OIDs.
- [Bodo Moeller]
-
- *) Fix for Irix with NO_ASM.
- ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
-
- *) ./config script fixes.
- [Ulf Moeller, Richard Levitte]
-
- +) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
+ *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
effectively meant GeneralizedTime would never be used. Now it
is initialised to -1 but X509_time_adj() now has to check the value
[Steve Henson, reported by Kenneth R. Robinette
<support@securenetterm.com>]
- +) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
+ *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
result in a zero length in the ASN1_INTEGER structure which was
not consistent with the structure when d2i_ASN1_INTEGER() was used
and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
where it did not print out a minus for negative ASN1_INTEGER.
[Steve Henson]
- *) Fix 'openssl passwd -1'.
- [Bodo Moeller]
-
- +) Add summary printout to ocsp utility. The various functions which
+ *) Add summary printout to ocsp utility. The various functions which
convert status values to strings have been renamed to:
OCSP_response_status_str(), OCSP_cert_status_str() and
OCSP_crl_reason_str() and are no longer static. New options
printout format cleaned up.
[Steve Henson]
- +) Add additional OCSP certificate checks. These are those specified
+ *) Add additional OCSP certificate checks. These are those specified
in RFC2560. This consists of two separate checks: the CA of the
certificate being checked must either be the OCSP signer certificate
or the issuer of the OCSP signer certificate. In the latter case the
in the OCSP_CERTID structures of the response.
[Steve Henson]
- +) Initial OCSP certificate verification added to OCSP_basic_verify()
+ *) Initial OCSP certificate verification added to OCSP_basic_verify()
and related routines. This uses the standard OpenSSL certificate
verify routines to perform initial checks (just CA validity) and
to obtain the certificate chain. Then additional checks will be
chains to that CA is an acceptable OCSP signing certificate.
[Steve Henson]
- +) New '-extfile ...' option to 'openssl ca' for reading X.509v3
+ *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
extensions from a separate configuration file.
As when reading extensions from the main configuration file,
the '-extensions ...' option may be used for specifying the
section to use.
[Massimiliano Pala <madwolf@comune.modena.it>]
- *) Change PKCS12_key_gen_asc() so it can cope with non null
- terminated strings whose length is passed in the passlen
- parameter, for example from PEM callbacks. This was done
- by adding an extra length parameter to asc2uni().
- [Steve Henson, reported by <oddissey@samsung.co.kr>]
-
- +) New OCSP utility. Allows OCSP requests to be generated or
+ *) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
parsed, outputed or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]
- +) New subcommands for 'openssl ca':
+ *) New subcommands for 'openssl ca':
'openssl ca -status <serial>' prints the status of the cert with
the given serial number (according to the index file).
'openssl ca -updatedb' updates the expiry status of certificates
in the index file.
[Massimiliano Pala <madwolf@comune.modena.it>]
- +) New '-newreq-nodes' command option to CA.pl. This is like
+ *) New '-newreq-nodes' command option to CA.pl. This is like
'-newreq', but calls 'openssl req' with the '-nodes' option
so that the resulting key is not encrypted.
[Damien Miller <djm@mindrot.org>]
- +) New configuration for the GNU Hurd.
+ *) New configuration for the GNU Hurd.
[Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
- +) Initial code to implement OCSP basic response verify. This
+ *) Initial code to implement OCSP basic response verify. This
is currently incomplete. Currently just finds the signer's
certificate and verifies the signature on the response.
[Steve Henson]
- +) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
+ *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
value of OPENSSLDIR. This is available via the new '-d' option
to 'openssl version', and is also included in 'openssl version -a'.
[Bodo Moeller]
- *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
- call failed, free the DSA structure.
- [Bodo Moeller]
-
- +) Allowing defining memory allocation callbacks that will be given
+ *) Allowing defining memory allocation callbacks that will be given
file name and line number information in additional arguments
(a const char* and an int). The basic functionality remains, as
well as the original possibility to just replace malloc(),
a conventional allocation function is enabled.
[Richard Levitte, Bodo Moeller]
- *) Fix to uni2asc() to cope with zero length Unicode strings.
- These are present in some PKCS#12 files.
- [Steve Henson]
-
- +) Finish off removing the remaining LHASH function pointer casts.
+ *) Finish off removing the remaining LHASH function pointer casts.
There should no longer be any prototype-casting required when using
the LHASH abstraction, and any casts that remain are "bugs". See
the callback types and macros at the head of lhash.h for details
(and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
[Geoff Thorpe]
- +) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
+ *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
If /dev/[u]random devices are not available or do not return enough
entropy, EGD style sockets (served by EGD or PRNGD) will automatically
be queried.
when enough entropy was collected without querying more sockets.
[Lutz Jaenicke]
- +) Change the Unix RAND_poll() variant to be able to poll several
+ *) Change the Unix RAND_poll() variant to be able to poll several
random devices, as specified by DEVRANDOM, until a sufficient amount
of data has been collected. We spend at most 10 ms on each file
(select timeout) and read in non-blocking mode. DEVRANDOM now
For VMS, there's a currently-empty rand_vms.c.
[Richard Levitte]
- +) Move OCSP client related routines to ocsp_cl.c. These
+ *) Move OCSP client related routines to ocsp_cl.c. These
provide utility functions which an application needing
to issue a request to an OCSP responder and analyse the
response will typically need: as opposed to those which an
validity of the nonce in an OCSP response.
[Steve Henson]
- +) Change function OCSP_request_add() to OCSP_request_add0_id().
+ *) Change function OCSP_request_add() to OCSP_request_add0_id().
This doesn't copy the supplied OCSP_CERTID and avoids the
need to free up the newly created id. Change return type
to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
will be added elsewhere.
[Steve Henson]
- +) Update OCSP API. Remove obsolete extensions argument from
+ *) Update OCSP API. Remove obsolete extensions argument from
various functions. Extensions are now handled using the new
OCSP extension code. New simple OCSP HTTP function which
can be used to send requests and parse the response.
[Steve Henson]
- +) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
+ *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
uses the special reorder version of SET OF to sort the attributes
and reorder them to match the encoded order. This resolves a long
to produce the required SET OF.
[Steve Henson]
- +) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
+ *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
files to get correct declarations of the ASN.1 item variables.
[Richard Levitte]
- +) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
+ *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
ASN1_ITEM and no wrapper functions.
[Steve Henson]
- +) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
+ *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
replace the old function pointer based I/O routines. Change most of
the *_d2i_bio() and *_d2i_fp() functions to use these.
[Steve Henson]
- +) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
+ *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
lines, recognice more "algorithms" that can be deselected, and make
it complain about algorithm deselection that isn't recognised.
[Richard Levitte]
- +) New ASN1 functions to handle dup, sign, verify, digest, pack and
+ *) New ASN1 functions to handle dup, sign, verify, digest, pack and
unpack operations in terms of ASN1_ITEM. Modify existing wrappers
to use new functions. Add NO_ASN1_OLD which can be set to remove
some old style ASN1 functions: this can be used to determine if old
code will still work when these eventually go away.
[Steve Henson]
- +) New extension functions for OCSP structures, these follow the
+ *) New extension functions for OCSP structures, these follow the
same conventions as certificates and CRLs.
[Steve Henson]
- +) New function X509V3_add1_i2d(). This automatically encodes and
+ *) New function X509V3_add1_i2d(). This automatically encodes and
adds an extension. Its behaviour can be customised with various
flags to append, replace or delete. Various wrappers added for
certifcates and CRLs.
[Steve Henson]
- +) Fix to avoid calling the underlying ASN1 print routine when
+ *) Fix to avoid calling the underlying ASN1 print routine when
an extension cannot be parsed. Correct a typo in the
OCSP_SERVICELOC extension. Tidy up print OCSP format.
[Steve Henson]
- *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
- Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
- when writing a 32767 byte record.
- [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
-
- *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
- obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
-
- (RSA objects have a reference count access to which is protected
- by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
- so they are meant to be shared between threads.)
- [Bodo Moeller, Geoff Thorpe; original patch submitted by
- "Reddie, Steven" <Steven.Reddie@ca.com>]
-
- +) Make mkdef.pl parse some of the ASN1 macros and add apropriate
+ *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
entries for variables.
[Steve Henson]
- *) Fix a deadlock in CRYPTO_mem_leaks().
- [Bodo Moeller]
-
- +) Add functionality to apps/openssl.c for detecting locking
+ *) Add functionality to apps/openssl.c for detecting locking
problems: As the program is single-threaded, all we have
to do is register a locking callback using an array for
storing which locks are currently held by the program.
[Bodo Moeller]
- +) Use a lock around the call to CRYPTO_get_ex_new_index() in
+ *) Use a lock around the call to CRYPTO_get_ex_new_index() in
SSL_get_ex_data_X509_STORE_idx(), which is used in
ssl_verify_cert_chain() and thus can be called at any time
during TLS/SSL handshakes so that thread-safety is essential.
for multi-threaded use, so it probably should be abolished.
[Bodo Moeller]
- +) Added Broadcom "ubsec" ENGINE to OpenSSL.
+ *) Added Broadcom "ubsec" ENGINE to OpenSSL.
[Broadcom, tweaked and integrated by Geoff Thorpe]
- +) Move common extension printing code to new function
+ *) Move common extension printing code to new function
X509V3_print_extensions(). Reorganise OCSP print routines and
implement some needed OCSP ASN1 functions. Add OCSP extensions.
[Steve Henson]
- +) New function X509_signature_print() to remove duplication in some
+ *) New function X509_signature_print() to remove duplication in some
print routines.
[Steve Henson]
- +) Add a special meaning when SET OF and SEQUENCE OF flags are both
+ *) Add a special meaning when SET OF and SEQUENCE OF flags are both
set (this was treated exactly the same as SET OF previously). This
is used to reorder the STACK representing the structure to match the
encoding. This will be used to get round a problem where a PKCS7
order did not reflect the encoded order.
[Steve Henson]
- +) Reimplement the OCSP ASN1 module using the new code.
+ *) Reimplement the OCSP ASN1 module using the new code.
[Steve Henson]
- +) Update the X509V3 code to permit the use of an ASN1_ITEM structure
+ *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
for its ASN1 operations. The old style function pointers still exist
for now but they will eventually go away.
[Steve Henson]
- +) Merge in replacement ASN1 code from the ASN1 branch. This almost
+ *) Merge in replacement ASN1 code from the ASN1 branch. This almost
completely replaces the old ASN1 functionality with a table driven
encoder and decoder which interprets an ASN1_ITEM structure describing
the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
has also been converted to the new form.
[Steve Henson]
- +) Change BN_mod_exp_recp so that negative moduli are tolerated
+ *) Change BN_mod_exp_recp so that negative moduli are tolerated
(the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
so that BN_mod_exp_mont and BN_mod_exp_mont_word work
for negative moduli.
[Bodo Moeller]
- +) Fix BN_uadd and BN_usub: Always return non-negative results instead
+ *) Fix BN_uadd and BN_usub: Always return non-negative results instead
of not touching the result's sign bit.
[Bodo Moeller]
- +) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
+ *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
set.
[Bodo Moeller]
- +) Changed the LHASH code to use prototypes for callbacks, and created
+ *) Changed the LHASH code to use prototypes for callbacks, and created
macros to declare and implement thin (optionally static) functions
that provide type-safety and avoid function pointer casting for the
type-specific callbacks.
[Geoff Thorpe]
- *) Use better test patterns in bntest.
- [Ulf Möller]
-
- +) Added Kerberos Cipher Suites to be used with TLS, as written in
+ *) Added Kerberos Cipher Suites to be used with TLS, as written in
RFC 2712.
[Veers Staats <staatsvr@asc.hpc.mil>,
Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
- *) rand_win.c fix for Borland C.
- [Ulf Möller]
-
- *) BN_rshift bugfix for n == 0.
- [Bodo Moeller]
-
- +) Reformat the FAQ so the different questions and answers can be divided
+ *) Reformat the FAQ so the different questions and answers can be divided
in sections depending on the subject.
[Richard Levitte]
- +) Have the zlib compression code load ZLIB.DLL dynamically under
+ *) Have the zlib compression code load ZLIB.DLL dynamically under
Windows.
[Richard Levitte]
- +) New function BN_mod_sqrt for computing square roots modulo a prime
+ *) New function BN_mod_sqrt for computing square roots modulo a prime
(using the probabilistic Tonelli-Shanks algorithm unless
p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
be handled deterministically).
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
- *) Add a 'bctest' script that checks for some known 'bc' bugs
- so that 'make test' does not abort just because 'bc' is broken.
- [Bodo Moeller]
-
- *) Store verify_result within SSL_SESSION also for client side to
- avoid potential security hole. (Re-used sessions on the client side
- always resulted in verify_result==X509_V_OK, not using the original
- result of the server certificate verification.)
- [Lutz Jaenicke]
-
- +) Make BN_mod_inverse faster by explicitly handling small quotients
+ *) Make BN_mod_inverse faster by explicitly handling small quotients
in the Euclid loop. (Speed gain about 20% for small moduli [256 or
512 bits], about 30% for larger ones [1024 or 2048 bits].)
[Bodo Moeller]
- *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
- SSL3_RT_APPLICATION_DATA, return 0.
- Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
- [Bodo Moeller]
-
- *) Fix SSL_peek:
- Both ssl2_peek and ssl3_peek, which were totally broken in earlier
- releases, have been re-implemented by renaming the previous
- implementations of ssl2_read and ssl3_read to ssl2_read_internal
- and ssl3_read_internal, respectively, and adding 'peek' parameters
- to them. The new ssl[23]_{read,peek} functions are calls to
- ssl[23]_read_internal with the 'peek' flag set appropriately.
- A 'peek' parameter has also been added to ssl3_read_bytes, which
- does the actual work for ssl3_read_internal.
- [Bodo Moeller]
-
- +) New function BN_kronecker.
+ *) New function BN_kronecker.
[Bodo Moeller]
- +) Fix BN_gcd so that it works on negative inputs; the result is
+ *) Fix BN_gcd so that it works on negative inputs; the result is
positive unless both parameters are zero.
Previously something reasonably close to an infinite loop was
possible because numbers could be growing instead of shrinking
in the implementation of Euclid's algorithm.
[Bodo Moeller]
- +) Fix BN_is_word() and BN_is_one() macros to take into account the
+ *) Fix BN_is_word() and BN_is_one() macros to take into account the
sign of the number in question.
Fix BN_is_word(a,w) to work correctly for w == 0.
BN_is_one(), and BN_is_word().
[Bodo Moeller]
- *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
- the method-specific "init()" handler. Also clean up ex_data after
- calling the method-specific "finish()" handler. Previously, this was
- happening the other way round.
- [Geoff Thorpe]
-
- +) New function BN_swap.
+ *) New function BN_swap.
[Bodo Moeller]
- +) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
+ *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
the exponentiation functions are more likely to produce reasonable
results on negative inputs.
[Bodo Moeller]
- +) Change BN_mod_mul so that the result is always non-negative.
+ *) Change BN_mod_mul so that the result is always non-negative.
Previously, it could be negative if one of the factors was negative;
I don't think anyone really wanted that behaviour.
[Bodo Moeller]
- +) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
+ *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
(except for exponentiation, which stays in crypto/bn/bn_exp.c,
and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
and add new functions:
be reduced modulo m.
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
- +) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
+ *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
was actually never needed) and in BN_mul(). The removal in BN_mul()
required a small change in bn_mul_part_recursive() and the addition
of the functions bn_cmp_part_words(), bn_sub_part_words() and
differing sizes.
[Richard Levitte]
- +) In 'openssl passwd', verify passwords read from the terminal
+ *) In 'openssl passwd', verify passwords read from the terminal
unless the '-salt' option is used (which usually means that
verification would just waste user's time since the resulting
hash is going to be compared with some given password hash)
cause any problems.
[Bodo Moeller]
- +) Remove all references to RSAref, since there's no more need for it.
+ *) Remove all references to RSAref, since there's no more need for it.
[Richard Levitte]
- *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
- The previous value, 12, was not always sufficient for BN_mod_exp().
- [Bodo Moeller]
-
- +) Make DSO load along a path given through an environment variable
+ *) Make DSO load along a path given through an environment variable
(SHLIB_PATH) with shl_load().
[Richard Levitte]
- +) Constify the ENGINE code as a result of BIGNUM constification.
+ *) Constify the ENGINE code as a result of BIGNUM constification.
Also constify the RSA code and most things related to it. In a
few places, most notable in the depth of the ASN.1 code, ugly
casts back to non-const were required (to be solved at a later
time)
[Richard Levitte]
- +) Make it so the openssl application has all engines loaded by default.
+ *) Make it so the openssl application has all engines loaded by default.
[Richard Levitte]
- +) Constify the BIGNUM routines a little more.
+ *) Constify the BIGNUM routines a little more.
[Richard Levitte]
- *) Make sure that shared libraries get the internal name engine with
- the full version number and not just 0. This should mark the
- shared libraries as not backward compatible. Of course, this should
- be changed again when we can guarantee backward binary compatibility.
- [Richard Levitte]
-
- +) Add the following functions:
+ *) Add the following functions:
ENGINE_load_cswift()
ENGINE_load_chil()
declarations (they differed!).
[Richard Levitte]
- +) 'openssl engine' can now list capabilities.
+ *) 'openssl engine' can now list capabilities.
[Richard Levitte]
- +) Better error reporting in 'openssl engine'.
+ *) Better error reporting in 'openssl engine'.
[Richard Levitte]
- +) Never call load_dh_param(NULL) in s_server.
+ *) Never call load_dh_param(NULL) in s_server.
[Bodo Moeller]
- +) Add engine application. It can currently list engines by name and
+ *) Add engine application. It can currently list engines by name and
identity, and test if they are actually available.
[Richard Levitte]
- +) Improve RPM specification file by forcing symbolic linking and making
+ *) Improve RPM specification file by forcing symbolic linking and making
sure the installed documentation is also owned by root.root.
[Damien Miller <djm@mindrot.org>]
- +) Give the OpenSSL applications more possibilities to make use of
+ *) Give the OpenSSL applications more possibilities to make use of
keys (public as well as private) handled by engines.
[Richard Levitte]
- +) Add OCSP code that comes from CertCo.
+ *) Add OCSP code that comes from CertCo.
[Richard Levitte]
- +) Add VMS support for the Rijndael code.
+ *) Add VMS support for the Rijndael code.
[Richard Levitte]
- +) Added untested support for Nuron crypto accelerator.
+ *) Added untested support for Nuron crypto accelerator.
[Ben Laurie]
- +) Add support for external cryptographic devices. This code was
+ *) Add support for external cryptographic devices. This code was
previously distributed separately as the "engine" branch.
[Geoff Thorpe, Richard Levitte]
- +) Rework the filename-translation in the DSO code. It is now possible to
+ *) Rework the filename-translation in the DSO code. It is now possible to
have far greater control over how a "name" is turned into a filename
depending on the operating environment and any oddities about the
different shared library filenames on each system.
[Geoff Thorpe]
- +) Support threads on FreeBSD-elf in Configure.
+ *) Support threads on FreeBSD-elf in Configure.
[Richard Levitte]
- +) Fix for SHA1 assembly problem with MASM: it produces
+ *) Fix for SHA1 assembly problem with MASM: it produces
warnings about corrupt line number information when assembling
with debugging information. This is caused by the overlapping
of two sections.
[Bernd Matthes <mainbug@celocom.de>, Steve Henson]
- +) NCONF changes.
+ *) NCONF changes.
NCONF_get_number() has no error checking at all. As a replacement,
NCONF_get_number_e() is defined (_e for "error checking") and is
promoted strongly. The old NCONF_get_number is kept around for
LDAP server.
[Richard Levitte]
- *) Fix typo in get_cert_by_subject() in by_dir.c
- [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
-
- *) Rework the system to generate shared libraries:
-
- - Make note of the expected extension for the shared libraries and
- if there is a need for symbolic links from for example libcrypto.so.0
- to libcrypto.so.0.9.7. There is extended info in Configure for
- that.
-
- - Make as few rebuilds of the shared libraries as possible.
-
- - Still avoid linking the OpenSSL programs with the shared libraries.
-
- - When installing, install the shared libraries separately from the
- static ones.
- [Richard Levitte]
-
- +) Fix for non blocking accept BIOs. Added new I/O special reason
+ *) Fix for non blocking accept BIOs. Added new I/O special reason
BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
with non blocking I/O was not possible because no retry code was
implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
this case.
[Steve Henson]
- +) Added the beginnings of Rijndael support.
+ *) Added the beginnings of Rijndael support.
[Ben Laurie]
- +) Fix for bug in DirectoryString mask setting. Add support for
+ *) Fix for bug in DirectoryString mask setting. Add support for
X509_NAME_print_ex() in 'req' and X509_print_ex() function
to allow certificate printing to more controllable, additional
'certopt' option to 'x509' to allow new printing options to be
set.
[Steve Henson]
- +) Clean old EAY MD5 hack from e_os.h.
+ *) Clean old EAY MD5 hack from e_os.h.
+ [Richard Levitte]
+
+ Changes between 0.9.6e and 0.9.6f [XX xxx XXXX]
+
+ *) Use proper error handling instead of 'assertions' in buffer
+ overflow checks added in 0.9.6e. This prevents DoS (the
+ assertions could call abort()).
+ [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
+
+ Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
+
+ *) Add various sanity checks to asn1_get_length() to reject
+ the ASN1 length bytes if they exceed sizeof(long), will appear
+ negative or the content length exceeds the length of the
+ supplied buffer.
+ [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+ *) Fix cipher selection routines: ciphers without encryption had no flags
+ for the cipher strength set and where therefore not handled correctly
+ by the selection routines (PR #130).
+ [Lutz Jaenicke]
+
+ *) Fix EVP_dsa_sha macro.
+ [Nils Larsch]
+
+ *) New option
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
+ that was added in OpenSSL 0.9.6d.
+
+ As the countermeasure turned out to be incompatible with some
+ broken SSL implementations, the new option is part of SSL_OP_ALL.
+ SSL_OP_ALL is usually employed when compatibility with weird SSL
+ implementations is desired (e.g. '-bugs' option to 's_client' and
+ 's_server'), so the new option is automatically set in many
+ applications.
+ [Bodo Moeller]
+
+ *) Changes in security patch:
+
+ Changes marked "(CHATS)" were sponsored by the Defense Advanced
+ Research Projects Agency (DARPA) and Air Force Research Laboratory,
+ Air Force Materiel Command, USAF, under agreement number
+ F30602-01-2-0537.
+
+ *) Add various sanity checks to asn1_get_length() to reject
+ the ASN1 length bytes if they exceed sizeof(long), will appear
+ negative or the content length exceeds the length of the
+ supplied buffer. (CAN-2002-0659)
+ [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+ *) Assertions for various potential buffer overflows, not known to
+ happen in practice.
+ [Ben Laurie (CHATS)]
+
+ *) Various temporary buffers to hold ASCII versions of integers were
+ too small for 64 bit platforms. (CAN-2002-0655)
+ [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+ *) Remote buffer overflow in SSL3 protocol - an attacker could
+ supply an oversized master key in Kerberos-enabled versions.
+ (CAN-2002-0657)
+ [Ben Laurie (CHATS)]
+
+ *) Remote buffer overflow in SSL3 protocol - an attacker could
+ supply an oversized session ID to a client. (CAN-2002-0656)
+ [Ben Laurie (CHATS)]
+
+ *) Remote buffer overflow in SSL2 protocol - an attacker could
+ supply an oversized client master key. (CAN-2002-0656)
+ [Ben Laurie (CHATS)]
+
+ Changes between 0.9.6c and 0.9.6d [9 May 2002]
+
+ *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
+ encoded as NULL) with id-dsa-with-sha1.
+ [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
+
+ *) Check various X509_...() return values in apps/req.c.
+ [Nils Larsch <nla@trustcenter.de>]
+
+ *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
+ an end-of-file condition would erronously be flagged, when the CRLF
+ was just at the end of a processed block. The bug was discovered when
+ processing data through a buffering memory BIO handing the data to a
+ BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
+ <ptsekov@syntrex.com> and Nedelcho Stanev.
+ [Lutz Jaenicke]
+
+ *) Implement a countermeasure against a vulnerability recently found
+ in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
+ before application data chunks to avoid the use of known IVs
+ with data potentially chosen by the attacker.
+ [Bodo Moeller]
+
+ *) Fix length checks in ssl3_get_client_hello().
+ [Bodo Moeller]
+
+ *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
+ to prevent ssl3_read_internal() from incorrectly assuming that
+ ssl3_read_bytes() found application data while handshake
+ processing was enabled when in fact s->s3->in_read_app_data was
+ merely automatically cleared during the initial handshake.
+ [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
+
+ *) Fix object definitions for Private and Enterprise: they were not
+ recognized in their shortname (=lowercase) representation. Extend
+ obj_dat.pl to issue an error when using undefined keywords instead
+ of silently ignoring the problem (Svenning Sorensen
+ <sss@sss.dnsalias.net>).
+ [Lutz Jaenicke]
+
+ *) Fix DH_generate_parameters() so that it works for 'non-standard'
+ generators, i.e. generators other than 2 and 5. (Previously, the
+ code did not properly initialise the 'add' and 'rem' values to
+ BN_generate_prime().)
+
+ In the new general case, we do not insist that 'generator' is
+ actually a primitive root: This requirement is rather pointless;
+ a generator of the order-q subgroup is just as good, if not
+ better.
+ [Bodo Moeller]
+
+ *) Map new X509 verification errors to alerts. Discovered and submitted by
+ Tom Wu <tom@arcot.com>.
+ [Lutz Jaenicke]
+
+ *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
+ returning non-zero before the data has been completely received
+ when using non-blocking I/O.
+ [Bodo Moeller; problem pointed out by John Hughes]
+
+ *) Some of the ciphers missed the strength entry (SSL_LOW etc).
+ [Ben Laurie, Lutz Jaenicke]
+
+ *) Fix bug in SSL_clear(): bad sessions were not removed (found by
+ Yoram Zahavi <YoramZ@gilian.com>).
+ [Lutz Jaenicke]
+
+ *) Add information about CygWin 1.3 and on, and preserve proper
+ configuration for the versions before that.
+ [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
+
+ *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
+ check whether we deal with a copy of a session and do not delete from
+ the cache in this case. Problem reported by "Izhar Shoshani Levi"
+ <izhar@checkpoint.com>.
+ [Lutz Jaenicke]
+
+ *) Do not store session data into the internal session cache, if it
+ is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
+ flag is set). Proposed by Aslam <aslam@funk.com>.
+ [Lutz Jaenicke]
+
+ *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
+ value is 0.
+ [Richard Levitte]
+
+ *) Add the configuration target linux-s390x.
+ [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
+
+ *) [In 0.9.6d-engine release:]
+ Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
+ [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
+
+ *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
+ ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
+ variable as an indication that a ClientHello message has been
+ received. As the flag value will be lost between multiple
+ invocations of ssl3_accept when using non-blocking I/O, the
+ function may not be aware that a handshake has actually taken
+ place, thus preventing a new session from being added to the
+ session cache.
+
+ To avoid this problem, we now set s->new_session to 2 instead of
+ using a local variable.
+ [Lutz Jaenicke, Bodo Moeller]
+
+ *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
+ if the SSL_R_LENGTH_MISMATCH error is detected.
+ [Geoff Thorpe, Bodo Moeller]
+
+ *) New 'shared_ldflag' column in Configure platform table.
+ [Richard Levitte]
+
+ *) Fix EVP_CIPHER_mode macro.
+ ["Dan S. Camper" <dan@bti.net>]
+
+ *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
+ type, we must throw them away by setting rr->length to 0.
+ [D P Chang <dpc@qualys.com>]
+
+ Changes between 0.9.6b and 0.9.6c [21 dec 2001]
+
+ *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
+ <Dominikus.Scherkl@biodata.com>. (The previous implementation
+ worked incorrectly for those cases where range = 10..._2 and
+ 3*range is two bits longer than range.)
+ [Bodo Moeller]
+
+ *) Only add signing time to PKCS7 structures if it is not already
+ present.
+ [Steve Henson]
+
+ *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
+ OBJ_ld_ce should be OBJ_id_ce.
+ Also some ip-pda OIDs in crypto/objects/objects.txt were
+ incorrect (cf. RFC 3039).
+ [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
+
+ *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
+ returns early because it has nothing to do.
+ [Andy Schneider <andy.schneider@bjss.co.uk>]
+
+ *) [In 0.9.6c-engine release:]
+ Fix mutex callback return values in crypto/engine/hw_ncipher.c.
+ [Andy Schneider <andy.schneider@bjss.co.uk>]
+
+ *) [In 0.9.6c-engine release:]
+ Add support for Cryptographic Appliance's keyserver technology.
+ (Use engine 'keyclient')
+ [Cryptographic Appliances and Geoff Thorpe]
+
+ *) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
+ is called via tools/c89.sh because arguments have to be
+ rearranged (all '-L' options must appear before the first object
+ modules).
+ [Richard Shapiro <rshapiro@abinitio.com>]
+
+ *) [In 0.9.6c-engine release:]
+ Add support for Broadcom crypto accelerator cards, backported
+ from 0.9.7.
+ [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
+
+ *) [In 0.9.6c-engine release:]
+ Add support for SureWare crypto accelerator cards from
+ Baltimore Technologies. (Use engine 'sureware')
+ [Baltimore Technologies and Mark Cox]
+
+ *) [In 0.9.6c-engine release:]
+ Add support for crypto accelerator cards from Accelerated
+ Encryption Processing, www.aep.ie. (Use engine 'aep')
+ [AEP Inc. and Mark Cox]
+
+ *) Add a configuration entry for gcc on UnixWare.
+ [Gary Benson <gbenson@redhat.com>]
+
+ *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
+ messages are stored in a single piece (fixed-length part and
+ variable-length part combined) and fix various bugs found on the way.
+ [Bodo Moeller]
+
+ *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
+ instead. BIO_gethostbyname() does not know what timeouts are
+ appropriate, so entries would stay in cache even when they have
+ become invalid.
+ [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
+
+ *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
+ faced with a pathologically small ClientHello fragment that does
+ not contain client_version: Instead of aborting with an error,
+ simply choose the highest available protocol version (i.e.,
+ TLS 1.0 unless it is disabled). In practice, ClientHello
+ messages are never sent like this, but this change gives us
+ strictly correct behaviour at least for TLS.
+ [Bodo Moeller]
+
+ *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
+ never resets s->method to s->ctx->method when called from within
+ one of the SSL handshake functions.
+ [Bodo Moeller; problem pointed out by Niko Baric]
+
+ *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
+ (sent using the client's version number) if client_version is
+ smaller than the protocol version in use. Also change
+ ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
+ the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
+ the client will at least see that alert.
+ [Bodo Moeller]
+
+ *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
+ correctly.
+ [Bodo Moeller]
+
+ *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
+ client receives HelloRequest while in a handshake.
+ [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
+
+ *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
+ should end in 'break', not 'goto end' which circuments various
+ cleanups done in state SSL_ST_OK. But session related stuff
+ must be disabled for SSL_ST_OK in the case that we just sent a
+ HelloRequest.
+
+ Also avoid some overhead by not calling ssl_init_wbio_buffer()
+ before just sending a HelloRequest.
+ [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
+
+ *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
+ reveal whether illegal block cipher padding was found or a MAC
+ verification error occured. (Neither SSLerr() codes nor alerts
+ are directly visible to potential attackers, but the information
+ may leak via logfiles.)
+
+ Similar changes are not required for the SSL 2.0 implementation
+ because the number of padding bytes is sent in clear for SSL 2.0,
+ and the extra bytes are just ignored. However ssl/s2_pkt.c
+ failed to verify that the purported number of padding bytes is in
+ the legal range.
+ [Bodo Moeller]
+
+ *) Add OpenUNIX-8 support including shared libraries
+ (Boyd Lynn Gerber <gerberb@zenez.com>).
+ [Lutz Jaenicke]
+
+ *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
+ 'wristwatch attack' using huge encoding parameters (cf.
+ James H. Manger's CRYPTO 2001 paper). Note that the
+ RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
+ encoding parameters and hence was not vulnerable.
+ [Bodo Moeller]
+
+ *) BN_sqr() bug fix.
+ [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
+
+ *) Rabin-Miller test analyses assume uniformly distributed witnesses,
+ so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
+ followed by modular reduction.
+ [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
+
+ *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
+ equivalent based on BN_pseudo_rand() instead of BN_rand().
+ [Bodo Moeller]
+
+ *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
+ This function was broken, as the check for a new client hello message
+ to handle SGC did not allow these large messages.
+ (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
+ [Lutz Jaenicke]
+
+ *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
+ [Lutz Jaenicke]
+
+ *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
+ for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
+ [Lutz Jaenicke]
+
+ *) Rework the configuration and shared library support for Tru64 Unix.
+ The configuration part makes use of modern compiler features and
+ still retains old compiler behavior for those that run older versions
+ of the OS. The shared library support part includes a variant that
+ uses the RPATH feature, and is available through the special
+ configuration target "alpha-cc-rpath", which will never be selected
+ automatically.
+ [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
+
+ *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
+ with the same message size as in ssl3_get_certificate_request().
+ Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
+ messages might inadvertently be reject as too long.
+ [Petr Lampa <lampa@fee.vutbr.cz>]
+
+ *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
+ [Andy Polyakov]
+
+ *) Modified SSL library such that the verify_callback that has been set
+ specificly for an SSL object with SSL_set_verify() is actually being
+ used. Before the change, a verify_callback set with this function was
+ ignored and the verify_callback() set in the SSL_CTX at the time of
+ the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
+ to allow the necessary settings.
+ [Lutz Jaenicke]
+
+ *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
+ explicitly to NULL, as at least on Solaris 8 this seems not always to be
+ done automatically (in contradiction to the requirements of the C
+ standard). This made problems when used from OpenSSH.
+ [Lutz Jaenicke]
+
+ *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
+ dh->length and always used
+
+ BN_rand_range(priv_key, dh->p).
+
+ BN_rand_range() is not necessary for Diffie-Hellman, and this
+ specific range makes Diffie-Hellman unnecessarily inefficient if
+ dh->length (recommended exponent length) is much smaller than the
+ length of dh->p. We could use BN_rand_range() if the order of
+ the subgroup was stored in the DH structure, but we only have
+ dh->length.
+
+ So switch back to
+
+ BN_rand(priv_key, l, ...)
+
+ where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
+ otherwise.
+ [Bodo Moeller]
+
+ *) In
+
+ RSA_eay_public_encrypt
+ RSA_eay_private_decrypt
+ RSA_eay_private_encrypt (signing)
+ RSA_eay_public_decrypt (signature verification)
+
+ (default implementations for RSA_public_encrypt,
+ RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
+ always reject numbers >= n.
+ [Bodo Moeller]
+
+ *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
+ to synchronize access to 'locking_thread'. This is necessary on
+ systems where access to 'locking_thread' (an 'unsigned long'
+ variable) is not atomic.
+ [Bodo Moeller]
+
+ *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
+ *before* setting the 'crypto_lock_rand' flag. The previous code had
+ a race condition if 0 is a valid thread ID.
+ [Travis Vitek <vitek@roguewave.com>]
+
+ *) Add support for shared libraries under Irix.
+ [Albert Chin-A-Young <china@thewrittenword.com>]
+
+ *) Add configuration option to build on Linux on both big-endian and
+ little-endian MIPS.
+ [Ralf Baechle <ralf@uni-koblenz.de>]
+
+ *) Add the possibility to create shared libraries on HP-UX.
+ [Richard Levitte]
+
+ Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
+
+ *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
+ to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
+ Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
+ PRNG state recovery was possible based on the output of
+ one PRNG request appropriately sized to gain knowledge on
+ 'md' followed by enough consecutive 1-byte PRNG requests
+ to traverse all of 'state'.
+
+ 1. When updating 'md_local' (the current thread's copy of 'md')
+ during PRNG output generation, hash all of the previous
+ 'md_local' value, not just the half used for PRNG output.
+
+ 2. Make the number of bytes from 'state' included into the hash
+ independent from the number of PRNG bytes requested.
+
+ The first measure alone would be sufficient to avoid
+ Markku-Juhani's attack. (Actually it had never occurred
+ to me that the half of 'md_local' used for chaining was the
+ half from which PRNG output bytes were taken -- I had always
+ assumed that the secret half would be used.) The second
+ measure makes sure that additional data from 'state' is never
+ mixed into 'md_local' in small portions; this heuristically
+ further strengthens the PRNG.
+ [Bodo Moeller]
+
+ *) Fix crypto/bn/asm/mips3.s.
+ [Andy Polyakov]
+
+ *) When only the key is given to "enc", the IV is undefined. Print out
+ an error message in this case.
+ [Lutz Jaenicke]
+
+ *) Handle special case when X509_NAME is empty in X509 printing routines.
+ [Steve Henson]
+
+ *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
+ positive and less than q.
+ [Bodo Moeller]
+
+ *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
+ used: it isn't thread safe and the add_lock_callback should handle
+ that itself.
+ [Paul Rose <Paul.Rose@bridge.com>]
+
+ *) Verify that incoming data obeys the block size in
+ ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
+ [Bodo Moeller]
+
+ *) Fix OAEP check.
+ [Ulf Möller, Bodo Möller]
+
+ *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
+ RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
+ when fixing the server behaviour for backwards-compatible 'client
+ hello' messages. (Note that the attack is impractical against
+ SSL 3.0 and TLS 1.0 anyway because length and version checking
+ means that the probability of guessing a valid ciphertext is
+ around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
+ paper.)
+
+ Before 0.9.5, the countermeasure (hide the error by generating a
+ random 'decryption result') did not work properly because
+ ERR_clear_error() was missing, meaning that SSL_get_error() would
+ detect the supposedly ignored error.
+
+ Both problems are now fixed.
+ [Bodo Moeller]
+
+ *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
+ (previously it was 1024).
+ [Bodo Moeller]
+
+ *) Fix for compatibility mode trust settings: ignore trust settings
+ unless some valid trust or reject settings are present.
+ [Steve Henson]
+
+ *) Fix for blowfish EVP: its a variable length cipher.
+ [Steve Henson]
+
+ *) Fix various bugs related to DSA S/MIME verification. Handle missing
+ parameters in DSA public key structures and return an error in the
+ DSA routines if parameters are absent.
+ [Steve Henson]
+
+ *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
+ in the current directory if neither $RANDFILE nor $HOME was set.
+ RAND_file_name() in 0.9.6a returned NULL in this case. This has
+ caused some confusion to Windows users who haven't defined $HOME.
+ Thus RAND_file_name() is changed again: e_os.h can define a
+ DEFAULT_HOME, which will be used if $HOME is not set.
+ For Windows, we use "C:"; on other platforms, we still require
+ environment variables.
+
+ *) Move 'if (!initialized) RAND_poll()' into regions protected by
+ CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
+ having multiple threads call RAND_poll() concurrently.
+ [Bodo Moeller]
+
+ *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
+ combination of a flag and a thread ID variable.
+ Otherwise while one thread is in ssleay_rand_bytes (which sets the
+ flag), *other* threads can enter ssleay_add_bytes without obeying
+ the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
+ that they do not hold after the first thread unsets add_do_not_lock).
+ [Bodo Moeller]
+
+ *) Change bctest again: '-x' expressions are not available in all
+ versions of 'test'.
+ [Bodo Moeller]
+
+ Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
+
+ *) Fix a couple of memory leaks in PKCS7_dataDecode()
+ [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
+
+ *) Change Configure and Makefiles to provide EXE_EXT, which will contain
+ the default extension for executables, if any. Also, make the perl
+ scripts that use symlink() to test if it really exists and use "cp"
+ if it doesn't. All this made OpenSSL compilable and installable in
+ CygWin.
+ [Richard Levitte]
+
+ *) Fix for asn1_GetSequence() for indefinite length constructed data.
+ If SEQUENCE is length is indefinite just set c->slen to the total
+ amount of data available.
+ [Steve Henson, reported by shige@FreeBSD.org]
+ [This change does not apply to 0.9.7.]
+
+ *) Change bctest to avoid here-documents inside command substitution
+ (workaround for FreeBSD /bin/sh bug).
+ For compatibility with Ultrix, avoid shell functions (introduced
+ in the bctest version that searches along $PATH).
+ [Bodo Moeller]
+
+ *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
+ with des_encrypt() defined on some operating systems, like Solaris
+ and UnixWare.
+ [Richard Levitte]
+
+ *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
+ On the Importance of Eliminating Errors in Cryptographic
+ Computations, J. Cryptology 14 (2001) 2, 101-119,
+ http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
+ [Ulf Moeller]
+
+ *) MIPS assembler BIGNUM division bug fix.
+ [Andy Polyakov]
+
+ *) Disabled incorrect Alpha assembler code.
+ [Richard Levitte]
+
+ *) Fix PKCS#7 decode routines so they correctly update the length
+ after reading an EOC for the EXPLICIT tag.
+ [Steve Henson]
+ [This change does not apply to 0.9.7.]
+
+ *) Fix bug in PKCS#12 key generation routines. This was triggered
+ if a 3DES key was generated with a 0 initial byte. Include
+ PKCS12_BROKEN_KEYGEN compilation option to retain the old
+ (but broken) behaviour.
+ [Steve Henson]
+
+ *) Enhance bctest to search for a working bc along $PATH and print
+ it when found.
+ [Tim Rice <tim@multitalents.net> via Richard Levitte]
+
+ *) Fix memory leaks in err.c: free err_data string if necessary;
+ don't write to the wrong index in ERR_set_error_data.
+ [Bodo Moeller]
+
+ *) Implement ssl23_peek (analogous to ssl23_read), which previously
+ did not exist.
+ [Bodo Moeller]
+
+ *) Replace rdtsc with _emit statements for VC++ version 5.
+ [Jeremy Cooper <jeremy@baymoo.org>]
+
+ *) Make it possible to reuse SSLv2 sessions.
+ [Richard Levitte]
+
+ *) In copy_email() check for >= 0 as a return value for
+ X509_NAME_get_index_by_NID() since 0 is a valid index.
+ [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
+
+ *) Avoid coredump with unsupported or invalid public keys by checking if
+ X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
+ PKCS7_verify() fails with non detached data.
+ [Steve Henson]
+
+ *) Don't use getenv in library functions when run as setuid/setgid.
+ New function OPENSSL_issetugid().
+ [Ulf Moeller]
+
+ *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
+ due to incorrect handling of multi-threading:
+
+ 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
+
+ 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
+
+ 3. Count how many times MemCheck_off() has been called so that
+ nested use can be treated correctly. This also avoids
+ inband-signalling in the previous code (which relied on the
+ assumption that thread ID 0 is impossible).
+ [Bodo Moeller]
+
+ *) Add "-rand" option also to s_client and s_server.
+ [Lutz Jaenicke]
+
+ *) Fix CPU detection on Irix 6.x.
+ [Kurt Hockenbury <khockenb@stevens-tech.edu> and
+ "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+ *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
+ was empty.
+ [Steve Henson]
+ [This change does not apply to 0.9.7.]
+
+ *) Use the cached encoding of an X509_NAME structure rather than
+ copying it. This is apparently the reason for the libsafe "errors"
+ but the code is actually correct.
+ [Steve Henson]
+
+ *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+ Bleichenbacher's DSA attack.
+ Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+ to be set and top=0 forces the highest bit to be set; top=-1 is new
+ and leaves the highest bit random.
+ [Ulf Moeller, Bodo Moeller]
+
+ *) In the NCONF_...-based implementations for CONF_... queries
+ (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
+ a temporary CONF structure with the data component set to NULL
+ (which gives segmentation faults in lh_retrieve).
+ Instead, use NULL for the CONF pointer in CONF_get_string and
+ CONF_get_number (which may use environment variables) and directly
+ return NULL from CONF_get_section.
+ [Bodo Moeller]
+
+ *) Fix potential buffer overrun for EBCDIC.
+ [Ulf Moeller]
+
+ *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+ keyUsage if basicConstraints absent for a CA.
+ [Steve Henson]
+
+ *) Make SMIME_write_PKCS7() write mail header values with a format that
+ is more generally accepted (no spaces before the semicolon), since
+ some programs can't parse those values properly otherwise. Also make
+ sure BIO's that break lines after each write do not create invalid
+ headers.
+ [Richard Levitte]
+
+ *) Make the CRL encoding routines work with empty SEQUENCE OF. The
+ macros previously used would not encode an empty SEQUENCE OF
+ and break the signature.
+ [Steve Henson]
+ [This change does not apply to 0.9.7.]
+
+ *) Zero the premaster secret after deriving the master secret in
+ DH ciphersuites.
+ [Steve Henson]
+
+ *) Add some EVP_add_digest_alias registrations (as found in
+ OpenSSL_add_all_digests()) to SSL_library_init()
+ aka OpenSSL_add_ssl_algorithms(). This provides improved
+ compatibility with peers using X.509 certificates
+ with unconventional AlgorithmIdentifier OIDs.
+ [Bodo Moeller]
+
+ *) Fix for Irix with NO_ASM.
+ ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+ *) ./config script fixes.
+ [Ulf Moeller, Richard Levitte]
+
+ *) Fix 'openssl passwd -1'.
+ [Bodo Moeller]
+
+ *) Change PKCS12_key_gen_asc() so it can cope with non null
+ terminated strings whose length is passed in the passlen
+ parameter, for example from PEM callbacks. This was done
+ by adding an extra length parameter to asc2uni().
+ [Steve Henson, reported by <oddissey@samsung.co.kr>]
+
+ *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
+ call failed, free the DSA structure.
+ [Bodo Moeller]
+
+ *) Fix to uni2asc() to cope with zero length Unicode strings.
+ These are present in some PKCS#12 files.
+ [Steve Henson]
+
+ *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
+ Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
+ when writing a 32767 byte record.
+ [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
+
+ *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
+ obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+
+ (RSA objects have a reference count access to which is protected
+ by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
+ so they are meant to be shared between threads.)
+ [Bodo Moeller, Geoff Thorpe; original patch submitted by
+ "Reddie, Steven" <Steven.Reddie@ca.com>]
+
+ *) Fix a deadlock in CRYPTO_mem_leaks().
+ [Bodo Moeller]
+
+ *) Use better test patterns in bntest.
+ [Ulf Möller]
+
+ *) rand_win.c fix for Borland C.
+ [Ulf Möller]
+
+ *) BN_rshift bugfix for n == 0.
+ [Bodo Moeller]
+
+ *) Add a 'bctest' script that checks for some known 'bc' bugs
+ so that 'make test' does not abort just because 'bc' is broken.
+ [Bodo Moeller]
+
+ *) Store verify_result within SSL_SESSION also for client side to
+ avoid potential security hole. (Re-used sessions on the client side
+ always resulted in verify_result==X509_V_OK, not using the original
+ result of the server certificate verification.)
+ [Lutz Jaenicke]
+
+ *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
+ SSL3_RT_APPLICATION_DATA, return 0.
+ Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
+ [Bodo Moeller]
+
+ *) Fix SSL_peek:
+ Both ssl2_peek and ssl3_peek, which were totally broken in earlier
+ releases, have been re-implemented by renaming the previous
+ implementations of ssl2_read and ssl3_read to ssl2_read_internal
+ and ssl3_read_internal, respectively, and adding 'peek' parameters
+ to them. The new ssl[23]_{read,peek} functions are calls to
+ ssl[23]_read_internal with the 'peek' flag set appropriately.
+ A 'peek' parameter has also been added to ssl3_read_bytes, which
+ does the actual work for ssl3_read_internal.
+ [Bodo Moeller]
+
+ *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
+ the method-specific "init()" handler. Also clean up ex_data after
+ calling the method-specific "finish()" handler. Previously, this was
+ happening the other way round.
+ [Geoff Thorpe]
+
+ *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
+ The previous value, 12, was not always sufficient for BN_mod_exp().
+ [Bodo Moeller]
+
+ *) Make sure that shared libraries get the internal name engine with
+ the full version number and not just 0. This should mark the
+ shared libraries as not backward compatible. Of course, this should
+ be changed again when we can guarantee backward binary compatibility.
+ [Richard Levitte]
+
+ *) Fix typo in get_cert_by_subject() in by_dir.c
+ [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
+
+ *) Rework the system to generate shared libraries:
+
+ - Make note of the expected extension for the shared libraries and
+ if there is a need for symbolic links from for example libcrypto.so.0
+ to libcrypto.so.0.9.7. There is extended info in Configure for
+ that.
+
+ - Make as few rebuilds of the shared libraries as possible.
+
+ - Still avoid linking the OpenSSL programs with the shared libraries.
+
+ - When installing, install the shared libraries separately from the
+ static ones.
[Richard Levitte]
*) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
projects / openssl.git / blobdiff