-
OpenSSL CHANGES
_______________
- Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
+ Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+
+ *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
+ to aes and add a new 'exist' option to print out symbols that don't
+ appear to exist.
+ [Steve Henson]
+
+ *) Additional options to ocsp utility to allow flags to be set and
+ additional certificates supplied.
+ [Steve Henson]
+
+ *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+ OCSP client a number of certificate to only verify the response
+ signature against.
+ [Richard Levitte]
+
+ *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
+ Bleichenbacher's DSA attack.
+ [Ulf Moeller, Bodo Moeller]
+
+ *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
+ handle the new API. Currently only ECB, CBC modes supported. Add new
+ AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites
+ for TLS" draft-ietf-tls-ciphersuite-03.txt.
+ [Ben Laurie, Steve Henson]
+
+ *) In the NCONF_...-based implementations for CONF_... queries
+ (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
+ a temporary CONF structure with the data component set to NULL
+ (which gives segmentation faults in lh_retrieve).
+ Instead, use NULL for the CONF pointer in CONF_get_string and
+ CONF_get_number (which may use environment variables) and directly
+ return NULL from CONF_get_section.
+ [Bodo Moeller]
+
+ *) Fix potential buffer overrun for EBCDIC.
+ [Ulf Moeller]
+
+ *) New function OCSP_copy_nonce() to copy nonce value (if present) from
+ request to response.
+ [Steve Henson]
+
+ *) Functions for OCSP responders. OCSP_request_onereq_count(),
+ OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
+ extract information from a certificate request. OCSP_response_create()
+ creates a response and optionally adds a basic response structure.
+ OCSP_basic_add1_status() adds a complete single response to a basic
+ reponse and returns the OCSP_SINGLERESP structure just added (to allow
+ extensions to be included for example). OCSP_basic_add1_cert() adds a
+ certificate to a basic response and OCSP_basic_sign() signs a basic
+ response with various flags. New helper functions ASN1_TIME_check()
+ (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
+ (converts ASN1_TIME to GeneralizedTime).
+ [Steve Henson]
+
+ *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
+ in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
+ structure from a certificate. X509_pubkey_digest() digests tha public_key
+ contents: this is used in various key identifiers.
+ [Steve Henson]
+
+ *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
+ keyUsage if basicConstraints absent for a CA.
+ [Steve Henson]
+
+ *) Make SMIME_write_PKCS7() write mail header values with a format that
+ is more generally accepted (no spaces before the semicolon), since
+ some programs can't parse those values properly otherwise. Also make
+ sure BIO's that break lines after each write do not create invalid
+ headers.
+ [Richard Levitte]
+
+ *) Make sk_sort() tolerate a NULL argument.
+ [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
+
+ *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
+ passed by the function are trusted implicitly. If any of them signed the
+ reponse then it is assumed to be valid and is not verified.
+ [Steve Henson]
+
+ *) Zero the premaster secret after deriving the master secret in
+ DH ciphersuites.
+ [Steve Henson]
+
+ *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
+ to data. This was previously part of the PKCS7 ASN1 code. This
+ was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
+ [Steve Henson, reported by Kenneth R. Robinette
+ <support@securenetterm.com>]
+
+ *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
+ routines: without these tracing memory leaks is very painful.
+ Fix leaks in PKCS12 and PKCS7 routines.
+ [Steve Henson]
+
+ *) Fix for Irix with NO_ASM.
+ ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
+
+ *) Add some EVP_add_digest_alias registrations (as found in
+ OpenSSL_add_all_digests()), to SSL_library_init()
+ aka OpenSSL_add_ssl_algorithms(). This provides improved
+ compatibility with peers using X.509 certificates
+ with unconventional AlgorithmIdentifier OIDs.
+ [Bodo Moeller]
+
+ *) ./config script fixes.
+ [Ulf Moeller, Richard Levitte]
+
+ *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
+ Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
+ effectively meant GeneralizedTime would never be used. Now it
+ is initialised to -1 but X509_time_adj() now has to check the value
+ and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
+ V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
+ [Steve Henson, reported by Kenneth R. Robinette
+ <support@securenetterm.com>]
+
+ *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
+ result in a zero length in the ASN1_INTEGER structure which was
+ not consistent with the structure when d2i_ASN1_INTEGER() was used
+ and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
+ to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
+ where it did not print out a minus for negative ASN1_INTEGER.
+ [Steve Henson]
+
+ *) Fix 'openssl passwd -1'.
+ [Bodo Moeller]
+
+ *) Add summary printout to ocsp utility. The various functions which
+ convert status values to strings have been renamed to:
+ OCSP_response_status_str(), OCSP_cert_status_str() and
+ OCSP_crl_reason_str() and are no longer static. New options
+ to verify nonce values and to disable verification. OCSP response
+ printout format cleaned up.
+ [Steve Henson]
+
+ *) Add additional OCSP certificate checks. These are those specified
+ in RFC2560. This consists of two separate checks: the CA of the
+ certificate being checked must either be the OCSP signer certificate
+ or the issuer of the OCSP signer certificate. In the latter case the
+ OCSP signer certificate must contain the OCSP signing extended key
+ usage. This check is performed by attempting to match the OCSP
+ signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
+ in the OCSP_CERTID structures of the response.
+ [Steve Henson]
+
+ *) Initial OCSP certificate verification added to OCSP_basic_verify()
+ and related routines. This uses the standard OpenSSL certificate
+ verify routines to perform initial checks (just CA validity) and
+ to obtain the certificate chain. Then additional checks will be
+ performed on the chain. Currently the root CA is checked to see
+ if it is explicitly trusted for OCSP signing. This is used to set
+ a root CA as a global signing root: that is any certificate that
+ chains to that CA is an acceptable OCSP signing certificate.
+ [Steve Henson]
+
+ *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
+ extensions from a separate configuration file.
+ As when reading extensions from the main configuration file,
+ the '-extensions ...' option may be used for specifying the
+ section to use.
+ [Massimiliano Pala <madwolf@comune.modena.it>]
+
+ *) Change PKCS12_key_gen_asc() so it can cope with non null
+ terminated strings whose length is passed in the passlen
+ parameter, for example from PEM callbacks. This was done
+ by adding an extra length parameter to asc2uni().
+ [Steve Henson, reported by <oddissey@samsung.co.kr>]
+
+ *) New OCSP utility. Allows OCSP requests to be generated or
+ read. The request can be sent to a responder and the output
+ parsed, outputed or printed in text form. Not complete yet:
+ still needs to check the OCSP response validity.
+ [Steve Henson]
+
+ *) New subcommands for 'openssl ca':
+ 'openssl ca -status <serial>' prints the status of the cert with
+ the given serial number (according to the index file).
+ 'openssl ca -updatedb' updates the expiry status of certificates
+ in the index file.
+ [Massimiliano Pala <madwolf@comune.modena.it>]
+
+ *) New '-newreq-nodes' command option to CA.pl. This is like
+ '-newreq', but calls 'openssl req' with the '-nodes' option
+ so that the resulting key is not encrypted.
+ [Damien Miller <djm@mindrot.org>]
+
+ *) New configuration for the GNU Hurd.
+ [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
+
+ *) Initial code to implement OCSP basic response verify. This
+ is currently incomplete. Currently just finds the signer's
+ certificate and verifies the signature on the response.
+ [Steve Henson]
+
+ *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
+ value of OPENSSLDIR. This is available via the new '-d' option
+ to 'openssl version', and is also included in 'openssl version -a'.
+ [Bodo Moeller]
+
+ *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
+ call failed, free the DSA structure.
+ [Bodo Moeller]
+
+ *) Allowing defining memory allocation callbacks that will be given
+ file name and line number information in additional arguments
+ (a const char* and an int). The basic functionality remains, as
+ well as the original possibility to just replace malloc(),
+ realloc() and free() by functions that do not know about these
+ additional arguments. To register and find out the current
+ settings for extended allocation functions, the following
+ functions are provided:
+
+ CRYPTO_set_mem_ex_functions
+ CRYPTO_set_locked_mem_ex_functions
+ CRYPTO_get_mem_ex_functions
+ CRYPTO_get_locked_mem_ex_functions
+
+ These work the same way as CRYPTO_set_mem_functions and friends.
+ CRYPTO_get_[locked_]mem_functions now writes 0 where such an
+ extended allocation function is enabled.
+ Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
+ a conventional allocation function is enabled.
+ [Richard Levitte, Bodo Moeller]
+
+ *) Fix to uni2asc() to cope with zero length Unicode strings.
+ These are present in some PKCS#12 files.
+ [Steve Henson]
+
+ *) Finish off removing the remaining LHASH function pointer casts.
+ There should no longer be any prototype-casting required when using
+ the LHASH abstraction, and any casts that remain are "bugs". See
+ the callback types and macros at the head of lhash.h for details
+ (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
+ [Geoff Thorpe]
+
+ *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
+ If an EGD or PRNGD is running and enough entropy is returned, automatic
+ seeding like with /dev/[u]random will be performed.
+ Positions tried are: /etc/entropy, /var/run/egd-pool.
+ [Lutz Jaenicke]
+
+ *) Change the Unix RAND_poll() variant to be able to poll several
+ random devices, as specified by DEVRANDOM, until a sufficient amount
+ of data has been collected. We spend at most 10 ms on each file
+ (select timeout) and read in non-blocking mode. DEVRANDOM now
+ defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
+ (previously it was just the string "/dev/urandom"), so on typical
+ platforms the 10 ms delay will never occur.
+ Also separate out the Unix variant to its own file, rand_unix.c.
+ For VMS, there's a currently-empty rand_vms.c.
+ [Richard Levitte]
+
+ *) Move OCSP client related routines to ocsp_cl.c. These
+ provide utility functions which an application needing
+ to issue a request to an OCSP responder and analyse the
+ response will typically need: as opposed to those which an
+ OCSP responder itself would need which will be added later.
+
+ OCSP_request_sign() signs an OCSP request with an API similar
+ to PKCS7_sign(). OCSP_response_status() returns status of OCSP
+ response. OCSP_response_get1_basic() extracts basic response
+ from response. OCSP_resp_find_status(): finds and extracts status
+ information from an OCSP_CERTID structure (which will be created
+ when the request structure is built). These are built from lower
+ level functions which work on OCSP_SINGLERESP structures but
+ wont normally be used unless the application wishes to examine
+ extensions in the OCSP response for example.
+
+ Replace nonce routines with a pair of functions.
+ OCSP_request_add1_nonce() adds a nonce value and optionally
+ generates a random value. OCSP_check_nonce() checks the
+ validity of the nonce in an OCSP response.
+ [Steve Henson]
+
+ *) Change function OCSP_request_add() to OCSP_request_add0_id().
+ This doesn't copy the supplied OCSP_CERTID and avoids the
+ need to free up the newly created id. Change return type
+ to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
+ This can then be used to add extensions to the request.
+ Deleted OCSP_request_new(), since most of its functionality
+ is now in OCSP_REQUEST_new() (and the case insensitive name
+ clash) apart from the ability to set the request name which
+ will be added elsewhere.
+ [Steve Henson]
+
+ *) Update OCSP API. Remove obsolete extensions argument from
+ various functions. Extensions are now handled using the new
+ OCSP extension code. New simple OCSP HTTP function which
+ can be used to send requests and parse the response.
+ [Steve Henson]
+
+ *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
+ ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
+ uses the special reorder version of SET OF to sort the attributes
+ and reorder them to match the encoded order. This resolves a long
+ standing problem: a verify on a PKCS7 structure just after signing
+ it used to fail because the attribute order did not match the
+ encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
+ it uses the received order. This is necessary to tolerate some broken
+ software that does not order SET OF. This is handled by encoding
+ as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
+ to produce the required SET OF.
+ [Steve Henson]
+
+ *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
+ OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
+ files to get correct declarations of the ASN.1 item variables.
+ [Richard Levitte]
+
+ *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
+ PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
+ asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
+ NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
+ New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
+ ASN1_ITEM and no wrapper functions.
+ [Steve Henson]
+
+ *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
+ replace the old function pointer based I/O routines. Change most of
+ the *_d2i_bio() and *_d2i_fp() functions to use these.
+ [Steve Henson]
+
+ *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
+ lines, recognice more "algorithms" that can be deselected, and make
+ it complain about algorithm deselection that isn't recognised.
+ [Richard Levitte]
+
+ *) New ASN1 functions to handle dup, sign, verify, digest, pack and
+ unpack operations in terms of ASN1_ITEM. Modify existing wrappers
+ to use new functions. Add NO_ASN1_OLD which can be set to remove
+ some old style ASN1 functions: this can be used to determine if old
+ code will still work when these eventually go away.
+ [Steve Henson]
+
+ *) New extension functions for OCSP structures, these follow the
+ same conventions as certificates and CRLs.
+ [Steve Henson]
+
+ *) New function X509V3_add1_i2d(). This automatically encodes and
+ adds an extension. Its behaviour can be customised with various
+ flags to append, replace or delete. Various wrappers added for
+ certifcates and CRLs.
+ [Steve Henson]
+
+ *) Fix to avoid calling the underlying ASN1 print routine when
+ an extension cannot be parsed. Correct a typo in the
+ OCSP_SERVICELOC extension. Tidy up print OCSP format.
+ [Steve Henson]
+
+ *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
+ Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
+ when writing a 32767 byte record.
+ [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
+
+ *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
+ obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
+
+ (RSA objects have a reference count access to which is protected
+ by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
+ so they are meant to be shared between threads.)
+ [Bodo Moeller, Geoff Thorpe; original patch submitted by
+ "Reddie, Steven" <Steven.Reddie@ca.com>]
+
+ *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
+ entries for variables.
+ [Steve Henson]
+
+ *) Fix a deadlock in CRYPTO_mem_leaks().
+ [Bodo Moeller]
+
+ *) Add functionality to apps/openssl.c for detecting locking
+ problems: As the program is single-threaded, all we have
+ to do is register a locking callback using an array for
+ storing which locks are currently held by the program.
+ [Bodo Moeller]
+
+ *) Use a lock around the call to CRYPTO_get_ex_new_index() in
+ SSL_get_ex_data_X509_STORE_idx(), which is used in
+ ssl_verify_cert_chain() and thus can be called at any time
+ during TLS/SSL handshakes so that thread-safety is essential.
+ Unfortunately, the ex_data design is not at all suited
+ for multi-threaded use, so it probably should be abolished.
+ [Bodo Moeller]
+
+ *) Added Broadcom "ubsec" ENGINE to OpenSSL.
+ [Broadcom, tweaked and integrated by Geoff Thorpe]
+
+ *) Move common extension printing code to new function
+ X509V3_print_extensions(). Reorganise OCSP print routines and
+ implement some needed OCSP ASN1 functions. Add OCSP extensions.
+ [Steve Henson]
+
+ *) New function X509_signature_print() to remove duplication in some
+ print routines.
+ [Steve Henson]
+
+ *) Add a special meaning when SET OF and SEQUENCE OF flags are both
+ set (this was treated exactly the same as SET OF previously). This
+ is used to reorder the STACK representing the structure to match the
+ encoding. This will be used to get round a problem where a PKCS7
+ structure which was signed could not be verified because the STACK
+ order did not reflect the encoded order.
+ [Steve Henson]
+
+ *) Reimplement the OCSP ASN1 module using the new code.
+ [Steve Henson]
+
+ *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
+ for its ASN1 operations. The old style function pointers still exist
+ for now but they will eventually go away.
+ [Steve Henson]
+
+ *) Merge in replacement ASN1 code from the ASN1 branch. This almost
+ completely replaces the old ASN1 functionality with a table driven
+ encoder and decoder which interprets an ASN1_ITEM structure describing
+ the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
+ largely maintained. Almost all of the old asn1_mac.h macro based ASN1
+ has also been converted to the new form.
+ [Steve Henson]
+
+ *) Change BN_mod_exp_recp so that negative moduli are tolerated
+ (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
+ so that BN_mod_exp_mont and BN_mod_exp_mont_word work
+ for negative moduli.
+ [Bodo Moeller]
+
+ *) Fix BN_uadd and BN_usub: Always return non-negative results instead
+ of not touching the result's sign bit.
+ [Bodo Moeller]
+
+ *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
+ set.
+ [Bodo Moeller]
+
+ *) Changed the LHASH code to use prototypes for callbacks, and created
+ macros to declare and implement thin (optionally static) functions
+ that provide type-safety and avoid function pointer casting for the
+ type-specific callbacks.
+ [Geoff Thorpe]
+
+ *) Use better test patterns in bntest.
+ [Ulf Möller]
+
+ *) Added Kerberos Cipher Suites to be used with TLS, as written in
+ RFC 2712.
+ [Veers Staats <staatsvr@asc.hpc.mil>,
+ Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
+
+ *) rand_win.c fix for Borland C.
+ [Ulf Möller]
+
+ *) BN_rshift bugfix for n == 0.
+ [Bodo Moeller]
+
+ *) Reformat the FAQ so the different questions and answers can be divided
+ in sections depending on the subject.
+ [Richard Levitte]
+
+ *) Have the zlib compression code load ZLIB.DLL dynamically under
+ Windows.
+ [Richard Levitte]
+
+ *) New function BN_mod_sqrt for computing square roots modulo a prime
+ (using the probabilistic Tonelli-Shanks algorithm unless
+ p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
+ be handled deterministically).
+ [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
+
+ *) Store verify_result within SSL_SESSION also for client side to
+ avoid potential security hole. (Re-used sessions on the client side
+ always resulted in verify_result==X509_V_OK, not using the original
+ result of the server certificate verification.)
+ [Lutz Jaenicke]
+
+ *) Make BN_mod_inverse faster by explicitly handling small quotients
+ in the Euclid loop. (Speed gain about 20% for small moduli [256 or
+ 512 bits], about 30% for larger ones [1024 or 2048 bits].)
+ [Bodo Moeller]
+
+ *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
+ SSL3_RT_APPLICATION_DATA, return 0.
+ Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
+ [Bodo Moeller]
+
+ *) Fix SSL_peek:
+ Both ssl2_peek and ssl3_peek, which were totally broken in earlier
+ releases, have been re-implemented by renaming the previous
+ implementations of ssl2_read and ssl3_read to ssl2_read_internal
+ and ssl3_read_internal, respectively, and adding 'peek' parameters
+ to them. The new ssl[23]_{read,peek} functions are calls to
+ ssl[23]_read_internal with the 'peek' flag set appropriately.
+ A 'peek' parameter has also been added to ssl3_read_bytes, which
+ does the actual work for ssl3_read_internal.
+ [Bodo Moeller]
+
+ *) New function BN_kronecker.
+ [Bodo Moeller]
+
+ *) Fix BN_gcd so that it works on negative inputs; the result is
+ positive unless both parameters are zero.
+ Previously something reasonably close to an infinite loop was
+ possible because numbers could be growing instead of shrinking
+ in the implementation of Euclid's algorithm.
+ [Bodo Moeller]
+
+ *) Fix BN_is_word() and BN_is_one() macros to take into account the
+ sign of the number in question.
+
+ Fix BN_is_word(a,w) to work correctly for w == 0.
+
+ The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
+ because its test if the absolute value of 'a' equals 'w'.
+ Note that BN_abs_is_word does *not* handle w == 0 reliably;
+ it exists mostly for use in the implementations of BN_is_zero(),
+ BN_is_one(), and BN_is_word().
+ [Bodo Moeller]
+
+ *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
+ the method-specific "init()" handler. Also clean up ex_data after
+ calling the method-specific "finish()" handler. Previously, this was
+ happening the other way round.
+ [Geoff Thorpe]
+
+ *) New function BN_swap.
+ [Bodo Moeller]
+
+ *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
+ the exponentiation functions are more likely to produce reasonable
+ results on negative inputs.
+ [Bodo Moeller]
+
+ *) Change BN_mod_mul so that the result is always non-negative.
+ Previously, it could be negative if one of the factors was negative;
+ I don't think anyone really wanted that behaviour.
+ [Bodo Moeller]
+
+ *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
+ (except for exponentiation, which stays in crypto/bn/bn_exp.c,
+ and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
+ and add new functions:
+
+ BN_nnmod
+ BN_mod_sqr
+ BN_mod_add
+ BN_mod_add_quick
+ BN_mod_sub
+ BN_mod_sub_quick
+ BN_mod_lshift1
+ BN_mod_lshift1_quick
+ BN_mod_lshift
+ BN_mod_lshift_quick
+
+ These functions always generate non-negative results.
+
+ BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
+ such that |m| < r < 0, BN_nnmod will output rem + |m| instead).
+
+ BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
+ BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
+ be reduced modulo m.
+ [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
+
+ *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
+ was actually never needed) and in BN_mul(). The removal in BN_mul()
+ required a small change in bn_mul_part_recursive() and the addition
+ of the functions bn_cmp_part_words(), bn_sub_part_words() and
+ bn_add_part_words(), which do the same thing as bn_cmp_words(),
+ bn_sub_words() and bn_add_words() except they take arrays with
+ differing sizes.
+ [Richard Levitte]
+
+ *) In 'openssl passwd', verify passwords read from the terminal
+ unless the '-salt' option is used (which usually means that
+ verification would just waste user's time since the resulting
+ hash is going to be compared with some given password hash)
+ or the new '-noverify' option is used.
+
+ This is an incompatible change, but it does not affect
+ non-interactive use of 'openssl passwd' (passwords on the command
+ line, '-stdin' option, '-in ...' option) and thus should not
+ cause any problems.
+ [Bodo Moeller]
+
+ *) Remove all references to RSAref, since there's no more need for it.
+ [Richard Levitte]
+
+ *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
+ The previous value, 12, was not always sufficient for BN_mod_exp().
+ [Bodo Moeller]
+
+ *) Make DSO load along a path given through an environment variable
+ (SHLIB_PATH) with shl_load().
+ [Richard Levitte]
+
+ *) Constify the ENGINE code as a result of BIGNUM constification.
+ Also constify the RSA code and most things related to it. In a
+ few places, most notable in the depth of the ASN.1 code, ugly
+ casts back to non-const were required (to be solved at a later
+ time)
+ [Richard Levitte]
+
+ *) Make it so the openssl application has all engines loaded by default.
+ [Richard Levitte]
+
+ *) Constify the BIGNUM routines a little more.
+ [Richard Levitte]
+
+ *) Make sure that shared libraries get the internal name engine with
+ the full version number and not just 0. This should mark the
+ shared libraries as not backward compatible. Of course, this should
+ be changed again when we can guarantee backward binary compatibility.
+ [Richard Levitte]
+
+ *) Add the following functions:
+
+ ENGINE_load_cswift()
+ ENGINE_load_chil()
+ ENGINE_load_atalla()
+ ENGINE_load_nuron()
+ ENGINE_load_builtin_engines()
+
+ That way, an application can itself choose if external engines that
+ are built-in in OpenSSL shall ever be used or not. The benefit is
+ that applications won't have to be linked with libdl or other dso
+ libraries unless it's really needed.
+
+ Changed 'openssl engine' to load all engines on demand.
+ Changed the engine header files to avoid the duplication of some
+ declarations (they differed!).
+ [Richard Levitte]
+
+ *) 'openssl engine' can now list capabilities.
+ [Richard Levitte]
+
+ *) Better error reporting in 'openssl engine'.
+ [Richard Levitte]
+
+ *) Never call load_dh_param(NULL) in s_server.
+ [Bodo Moeller]
+
+ *) Add engine application. It can currently list engines by name and
+ identity, and test if they are actually available.
+ [Richard Levitte]
+
+ *) Add support for shared libraries under Irix.
+ [Albert Chin-A-Young <china@thewrittenword.com>]
+
+ *) Improve RPM specification file by forcing symbolic linking and making
+ sure the installed documentation is also owned by root.root.
+ [Damien Miller <djm@mindrot.org>]
+
+ *) Add configuration option to build on Linux on both big-endian and
+ little-endian MIPS.
+ [Ralf Baechle <ralf@uni-koblenz.de>]
+
+ *) Give the OpenSSL applications more possibilities to make use of
+ keys (public as well as private) handled by engines.
+ [Richard Levitte]
+
+ *) Add OCSP code that comes from CertCo.
+ [Richard Levitte]
+
+ *) Add VMS support for the Rijndael code.
+ [Richard Levitte]
+
+ *) Added untested support for Nuron crypto accelerator.
+ [Ben Laurie]
+
+ *) Add support for external cryptographic devices. This code was
+ previously distributed separately as the "engine" branch.
+ [Geoff Thorpe, Richard Levitte]
+
+ *) Rework the filename-translation in the DSO code. It is now possible to
+ have far greater control over how a "name" is turned into a filename
+ depending on the operating environment and any oddities about the
+ different shared library filenames on each system.
+ [Geoff Thorpe]
+
+ *) Support threads on FreeBSD-elf in Configure.
+ [Richard Levitte]
+
+ *) Add the possibility to create shared libraries on HP-UX
+ [Richard Levitte]
+
+ *) Fix for SHA1 assembly problem with MASM: it produces
+ warnings about corrupt line number information when assembling
+ with debugging information. This is caused by the overlapping
+ of two sections.
+ [Bernd Matthes <mainbug@celocom.de>, Steve Henson]
+
+ *) NCONF changes.
+ NCONF_get_number() has no error checking at all. As a replacement,
+ NCONF_get_number_e() is defined (_e for "error checking") and is
+ promoted strongly. The old NCONF_get_number is kept around for
+ binary backward compatibility.
+ Make it possible for methods to load from something other than a BIO,
+ by providing a function pointer that is given a name instead of a BIO.
+ For example, this could be used to load configuration data from an
+ LDAP server.
+ [Richard Levitte]
+
+ *) Fix typo in get_cert_by_subject() in by_dir.c
+ [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
+
+ *) Rework the system to generate shared libraries:
+
+ - Make note of the expected extension for the shared libraries and
+ if there is a need for symbolic links from for example libcrypto.so.0
+ to libcrypto.so.0.9.7. There is extended info in Configure for
+ that.
+
+ - Make as few rebuilds of the shared libraries as possible.
+
+ - Still avoid linking the OpenSSL programs with the shared libraries.
+
+ - When installing, install the shared libraries separately from the
+ static ones.
+ [Richard Levitte]
+
+ *) Fix for non blocking accept BIOs. Added new I/O special reason
+ BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
+ with non blocking I/O was not possible because no retry code was
+ implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
+ this case.
+ [Steve Henson]
+
+ *) Added the beginnings of Rijndael support.
+ [Ben Laurie]
+
+ *) Fix for bug in DirectoryString mask setting. Add support for
+ X509_NAME_print_ex() in 'req' and X509_print_ex() function
+ to allow certificate printing to more controllable, additional
+ 'certopt' option to 'x509' to allow new printing options to be
+ set.
+ [Steve Henson]
+
+ *) Clean old EAY MD5 hack from e_os.h.
+ [Richard Levitte]
+
+ *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
+
+ Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
+ and not in SSL_clear because the latter is also used by the
+ accept/connect functions; previously, the settings made by
+ SSL_set_read_ahead would be lost during the handshake.
+ [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
+
+ *) Correct util/mkdef.pl to be selective about disabled algorithms.
+ Previously, it would create entries for disableed algorithms no
+ matter what.
+ [Richard Levitte]
+
+ Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
+
+ *) In ssl23_get_client_hello, generate an error message when faced
+ with an initial SSL 3.0/TLS record that is too small to contain the
+ first two bytes of the ClientHello message, i.e. client_version.
+ (Note that this is a pathologic case that probably has never happened
+ in real life.) The previous approach was to use the version number
+ from the record header as a substitute; but our protocol choice
+ should not depend on that one because it is not authenticated
+ by the Finished messages.
+ [Bodo Moeller]
+
+ *) More robust randomness gathering functions for Windows.
+ [Jeffrey Altman <jaltman@columbia.edu>]
+
+ *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
+ not set then we don't setup the error code for issuer check errors
+ to avoid possibly overwriting other errors which the callback does
+ handle. If an application does set the flag then we assume it knows
+ what it is doing and can handle the new informational codes
+ appropriately.
+ [Steve Henson]
+
+ *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
+ a general "ANY" type, as such it should be able to decode anything
+ including tagged types. However it didn't check the class so it would
+ wrongly interpret tagged types in the same way as their universal
+ counterpart and unknown types were just rejected. Changed so that the
+ tagged and unknown types are handled in the same way as a SEQUENCE:
+ that is the encoding is stored intact. There is also a new type
+ "V_ASN1_OTHER" which is used when the class is not universal, in this
+ case we have no idea what the actual type is so we just lump them all
+ together.
+ [Steve Henson]
+
+ *) On VMS, stdout may very well lead to a file that is written to
+ in a record-oriented fashion. That means that every write() will
+ write a separate record, which will be read separately by the
+ programs trying to read from it. This can be very confusing.
+
+ The solution is to put a BIO filter in the way that will buffer
+ text until a linefeed is reached, and then write everything a
+ line at a time, so every record written will be an actual line,
+ not chunks of lines and not (usually doesn't happen, but I've
+ seen it once) several lines in one record. BIO_f_linebuffer() is
+ the answer.
+
+ Currently, it's a VMS-only method, because that's where it has
+ been tested well enough.
+ [Richard Levitte]
+
+ *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
+ it can return incorrect results.
+ (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
+ but it was in 0.9.6-beta[12].)
+ [Bodo Moeller]
+
+ *) Disable the check for content being present when verifying detached
+ signatures in pk7_smime.c. Some versions of Netscape (wrongly)
+ include zero length content when signing messages.
+ [Steve Henson]
+
+ *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
+ BIO_ctrl (for BIO pairs).
+ [Bodo Möller]
+
+ *) Add DSO method for VMS.
+ [Richard Levitte]
+
+ *) Bug fix: Montgomery multiplication could produce results with the
+ wrong sign.
+ [Ulf Möller]
+
+ *) Add RPM specification openssl.spec and modify it to build three
+ packages. The default package contains applications, application
+ documentation and run-time libraries. The devel package contains
+ include files, static libraries and function documentation. The
+ doc package contains the contents of the doc directory. The original
+ openssl.spec was provided by Damien Miller <djm@mindrot.org>.
+ [Richard Levitte]
+
+ *) Add a large number of documentation files for many SSL routines.
+ [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
+
+ *) Add a configuration entry for Sony News 4.
+ [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
+
+ *) Don't set the two most significant bits to one when generating a
+ random number < q in the DSA library.
+ [Ulf Möller]
+
+ *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
+ behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
+ the underlying transport is blocking) if a handshake took place.
+ (The default behaviour is needed by applications such as s_client
+ and s_server that use select() to determine when to use SSL_read;
+ but for applications that know in advance when to expect data, it
+ just makes things more complicated.)
+ [Bodo Moeller]
+
+ *) Add RAND_egd_bytes(), which gives control over the number of bytes read
+ from EGD.
+ [Ben Laurie]
+
+ *) Add a few more EBCDIC conditionals that make `req' and `x509'
+ work better on such systems.
+ [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
+
+ *) Add two demo programs for PKCS12_parse() and PKCS12_create().
+ Update PKCS12_parse() so it copies the friendlyName and the
+ keyid to the certificates aux info.
+ [Steve Henson]
+
+ *) Fix bug in PKCS7_verify() which caused an infinite loop
+ if there was more than one signature.
+ [Sven Uszpelkat <su@celocom.de>]
+
+ *) Major change in util/mkdef.pl to include extra information
+ about each symbol, as well as presentig variables as well
+ as functions. This change means that there's n more need
+ to rebuild the .num files when some algorithms are excluded.
+ [Richard Levitte]
+
+ *) Allow the verify time to be set by an application,
+ rather than always using the current time.
+ [Steve Henson]
+
+ *) Phase 2 verify code reorganisation. The certificate
+ verify code now looks up an issuer certificate by a
+ number of criteria: subject name, authority key id
+ and key usage. It also verifies self signed certificates
+ by the same criteria. The main comparison function is
+ X509_check_issued() which performs these checks.
+
+ Lot of changes were necessary in order to support this
+ without completely rewriting the lookup code.
+
+ Authority and subject key identifier are now cached.
+
+ The LHASH 'certs' is X509_STORE has now been replaced
+ by a STACK_OF(X509_OBJECT). This is mainly because an
+ LHASH can't store or retrieve multiple objects with
+ the same hash value.
+
+ As a result various functions (which were all internal
+ use only) have changed to handle the new X509_STORE
+ structure. This will break anything that messed round
+ with X509_STORE internally.
+
+ The functions X509_STORE_add_cert() now checks for an
+ exact match, rather than just subject name.
+
+ The X509_STORE API doesn't directly support the retrieval
+ of multiple certificates matching a given criteria, however
+ this can be worked round by performing a lookup first
+ (which will fill the cache with candidate certificates)
+ and then examining the cache for matches. This is probably
+ the best we can do without throwing out X509_LOOKUP
+ entirely (maybe later...).
+
+ The X509_VERIFY_CTX structure has been enhanced considerably.
+
+ All certificate lookup operations now go via a get_issuer()
+ callback. Although this currently uses an X509_STORE it
+ can be replaced by custom lookups. This is a simple way
+ to bypass the X509_STORE hackery necessary to make this
+ work and makes it possible to use more efficient techniques
+ in future. A very simple version which uses a simple
+ STACK for its trusted certificate store is also provided
+ using X509_STORE_CTX_trusted_stack().
+
+ The verify_cb() and verify() callbacks now have equivalents
+ in the X509_STORE_CTX structure.
+
+ X509_STORE_CTX also has a 'flags' field which can be used
+ to customise the verify behaviour.
+ [Steve Henson]
+
+ *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
+ excludes S/MIME capabilities.
+ [Steve Henson]
+
+ *) When a certificate request is read in keep a copy of the
+ original encoding of the signed data and use it when outputing
+ again. Signatures then use the original encoding rather than
+ a decoded, encoded version which may cause problems if the
+ request is improperly encoded.
+ [Steve Henson]
+
+ *) For consistency with other BIO_puts implementations, call
+ buffer_write(b, ...) directly in buffer_puts instead of calling
+ BIO_write(b, ...).
+
+ In BIO_puts, increment b->num_write as in BIO_write.
+ [Peter.Sylvester@EdelWeb.fr]
+
+ *) Fix BN_mul_word for the case where the word is 0. (We have to use
+ BN_zero, we may not return a BIGNUM with an array consisting of
+ words set to zero.)
+ [Bodo Moeller]
+
+ *) Avoid calling abort() from within the library when problems are
+ detected, except if preprocessor symbols have been defined
+ (such as REF_CHECK, BN_DEBUG etc.).
+ [Bodo Moeller]
+
+ *) New openssl application 'rsautl'. This utility can be
+ used for low level RSA operations. DER public key
+ BIO/fp routines also added.
+ [Steve Henson]
+
+ *) New Configure entry and patches for compiling on QNX 4.
+ [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
+
+ *) A demo state-machine implementation was sponsored by
+ Nuron (http://www.nuron.com/) and is now available in
+ demos/state_machine.
+ [Ben Laurie]
+
+ *) New options added to the 'dgst' utility for signature
+ generation and verification.
+ [Steve Henson]
+
+ *) Unrecognized PKCS#7 content types are now handled via a
+ catch all ASN1_TYPE structure. This allows unsupported
+ types to be stored as a "blob" and an application can
+ encode and decode it manually.
+ [Steve Henson]
+
+ *) Fix various signed/unsigned issues to make a_strex.c
+ compile under VC++.
+ [Oscar Jacobsson <oscar.jacobsson@celocom.com>]
+
+ *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
+ length if passed a buffer. ASN1_INTEGER_to_BN failed
+ if passed a NULL BN and its argument was negative.
+ [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
+
+ *) Modification to PKCS#7 encoding routines to output definite
+ length encoding. Since currently the whole structures are in
+ memory there's not real point in using indefinite length
+ constructed encoding. However if OpenSSL is compiled with
+ the flag PKCS7_INDEFINITE_ENCODING the old form is used.
+ [Steve Henson]
+
+ *) Added BIO_vprintf() and BIO_vsnprintf().
+ [Richard Levitte]
+
+ *) Added more prefixes to parse for in the the strings written
+ through a logging bio, to cover all the levels that are available
+ through syslog. The prefixes are now:
+
+ PANIC, EMERG, EMR => LOG_EMERG
+ ALERT, ALR => LOG_ALERT
+ CRIT, CRI => LOG_CRIT
+ ERROR, ERR => LOG_ERR
+ WARNING, WARN, WAR => LOG_WARNING
+ NOTICE, NOTE, NOT => LOG_NOTICE
+ INFO, INF => LOG_INFO
+ DEBUG, DBG => LOG_DEBUG
+
+ and as before, if none of those prefixes are present at the
+ beginning of the string, LOG_ERR is chosen.
+
+ On Win32, the LOG_* levels are mapped according to this:
+
+ LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
+ LOG_WARNING => EVENTLOG_WARNING_TYPE
+ LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
+
+ [Richard Levitte]
+
+ *) Made it possible to reconfigure with just the configuration
+ argument "reconf" or "reconfigure". The command line arguments
+ are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
+ and are retrieved from there when reconfiguring.
+ [Richard Levitte]
+
+ *) MD4 implemented.
+ [Assar Westerlund <assar@sics.se>, Richard Levitte]
+
+ *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
+ [Richard Levitte]
+
+ *) The obj_dat.pl script was messing up the sorting of object
+ names. The reason was that it compared the quoted version
+ of strings as a result "OCSP" > "OCSP Signing" because
+ " > SPACE. Changed script to store unquoted versions of
+ names and add quotes on output. It was also omitting some
+ names from the lookup table if they were given a default
+ value (that is if SN is missing it is given the same
+ value as LN and vice versa), these are now added on the
+ grounds that if an object has a name we should be able to
+ look it up. Finally added warning output when duplicate
+ short or long names are found.
+ [Steve Henson]
+
+ *) Changes needed for Tandem NSK.
+ [Scott Uroff <scott@xypro.com>]
+
+ *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
+ RSA_padding_check_SSLv23(), special padding was never detected
+ and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
+ version rollback attacks was not effective.
+
+ In s23_clnt.c, don't use special rollback-attack detection padding
+ (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
+ client; similarly, in s23_srvr.c, don't do the rollback check if
+ SSL 2.0 is the only protocol enabled in the server.
+ [Bodo Moeller]
+
+ *) Make it possible to get hexdumps of unprintable data with 'openssl
+ asn1parse'. By implication, the functions ASN1_parse_dump() and
+ BIO_dump_indent() are added.
+ [Richard Levitte]
+
+ *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
+ these print out strings and name structures based on various
+ flags including RFC2253 support and proper handling of
+ multibyte characters. Added options to the 'x509' utility
+ to allow the various flags to be set.
+ [Steve Henson]
+
+ *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
+ Also change the functions X509_cmp_current_time() and
+ X509_gmtime_adj() work with an ASN1_TIME structure,
+ this will enable certificates using GeneralizedTime in validity
+ dates to be checked.
+ [Steve Henson]
+
+ *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
+ negative public key encodings) on by default,
+ NO_NEG_PUBKEY_BUG can be set to disable it.
+ [Steve Henson]
+
+ *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
+ content octets. An i2c_ASN1_OBJECT is unnecessary because
+ the encoding can be trivially obtained from the structure.
+ [Steve Henson]
+
+ *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
+ not read locks (CRYPTO_r_[un]lock).
+ [Bodo Moeller]
+
+ *) A first attempt at creating official support for shared
+ libraries through configuration. I've kept it so the
+ default is static libraries only, and the OpenSSL programs
+ are always statically linked for now, but there are
+ preparations for dynamic linking in place.
+ This has been tested on Linux and True64.
+ [Richard Levitte]
+
+ *) Randomness polling function for Win9x, as described in:
+ Peter Gutmann, Software Generation of Practically Strong
+ Random Numbers.
+ [Ulf Möller]
+
+ *) Fix so PRNG is seeded in req if using an already existing
+ DSA key.
+ [Steve Henson]
+
+ *) New options to smime application. -inform and -outform
+ allow alternative formats for the S/MIME message including
+ PEM and DER. The -content option allows the content to be
+ specified separately. This should allow things like Netscape
+ form signing output easier to verify.
+ [Steve Henson]
+
+ *) Fix the ASN1 encoding of tags using the 'long form'.
+ [Steve Henson]
*) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
STRING types. These convert content octets to and from the
projects / openssl.git / blobdiff