X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=f37645a502adf526a9b662bb225f7080decf3b7c;hp=09509c677a64ef605eed0f5273df12ab8e3faaa4;hb=b7cfcfb7f8e17c17f457b3384010eb027f3aad72;hpb=f76a8084df2a204e193f546c8defdfce3491bfde diff --git a/CHANGES b/CHANGES index 09509c677a..f37645a502 100644 --- a/CHANGES +++ b/CHANGES @@ -2,11 +2,580 @@ OpenSSL CHANGES _______________ - Changes between 0.9.3a and 0.9.4 + Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + + *) Correctly increment the reference count in the SSL_SESSION pointer + returned from SSL_get_session(). + [Geoff Thorpe ] + + *) Fix for 'req': it was adding a null to request attributes. + Also change the X509_LOOKUP and X509_INFO code to handle + certificate auxiliary information. + [Steve Henson] + + *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document + the 'enc' command. + [Steve Henson] + + *) Add the possibility to add extra information to the memory leak + detecting output, to form tracebacks, showing from where each + allocation was originated. Also updated sid code to be multi- + thread-safe. + [Richard Levitte] + + *) Add options -text and -noout to pkcs7 utility and delete the + encryption options which never did anything. Update docs. + [Steve Henson] + + *) Add options to some of the utilities to allow the pass phrase + to be included on either the command line (not recommended on + OSes like Unix) or read from the environment. Update the + manpages and fix a few bugs. + [Steve Henson] + + *) Add a few manpages for some of the openssl commands. + [Steve Henson] + + *) Fix the -revoke option in ca. It was freeing up memory twice, + leaking and not finding already revoked certificates. + [Steve Henson] + + *) Extensive changes to support certificate auxiliary information. + This involves the use of X509_CERT_AUX structure and X509_AUX + functions. An X509_AUX function such as PEM_read_X509_AUX() + can still read in a certificate file in the usual way but it + will also read in any additional "auxiliary information". By + doing things this way a fair degree of compatability can be + retained: existing certificates can have this information added + using the new 'x509' options. + + Current auxiliary information includes an "alias" and some trust + settings. The trust settings will ultimately be used in enhanced + certificate chain verification routines: currently a certificate + can only be trusted if it is self signed and then it is trusted + for all purposes. + [Steve Henson] + + *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD). The + problem was that one of the replacement routines had not been working since + SSLeay releases. For now the offending routine has been replaced with + non-optimised assembler. Even so, this now gives around 95% performance + improvement for 1024 bit RSA signs. + [Mark Cox] + + *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2 + handling. Most clients have the effective key size in bits equal to + the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key. + A few however don't do this and instead use the size of the decrypted key + to determine the RC2 key length and the AlgorithmIdentifier to determine + the effective key length. In this case the effective key lenth can still + be 40 bits but the key length can be 168 bits for example. This is fixed + by manually forcing an RC2 key into the EVP_PKEY structure because the + EVP code can't currently handle unusual RC2 key sizes: it always assumes + the key length and effective key length are equal. + [Steve Henson] + + *) Add a bunch of functions that should simplify the creation of + X509_NAME structures. Now you should be able to do: + X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0); + and have it automatically work out the correct field type and fill in + the structures. The more adventurous can try: + X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0); + and it will (hopefully) work out the correct multibyte encoding. + [Steve Henson] + + *) Change the 'req' utility to use the new field handling and multibyte + copy routines. Before the DN field creation was handled in an ad hoc + way in req, ca, and x509 which was rather broken and didn't support + BMPStrings or UTF8Strings. Since some software doesn't implement + BMPStrings or UTF8Strings yet, they can be enabled using the config file + using the dirstring_type option. See the new comment in the default + openssl.cnf for more info. + [Steve Henson] + + *) Make crypto/rand/md_rand.c more robust: + - Assure unique random numbers after fork(). + - Make sure that concurrent threads access the global counter and + md serializably so that we never lose entropy in them + or use exactly the same state in multiple threads. + Access to the large state is not always serializable because + the additional locking could be a performance killer, and + md should be large enough anyway. + [Bodo Moeller] + + *) New file apps/app_rand.c with commonly needed functionality + for handling the random seed file. + + Use the random seed file in some applications that previously did not: + ca, + dsaparam -genkey (which also ignored its `-rand' option), + s_client, + s_server, + x509 (when signing). + Except on systems with /dev/urandom, it is crucial to have a random + seed file at least for key creation, DSA signing, and for DH exchanges; + for RSA signatures we could do without one. + + gendh and gendsa (unlike genrsa) used to read only the first byte + of each file listed in the `-rand' option. The function as previously + found in genrsa is now in app_rand.c and is used by all programs + that support `-rand'. + [Bodo Moeller] + + *) In RAND_write_file, use mode 0600 for creating files; + don't just chmod when it may be too late. + [Bodo Moeller] + + *) Report an error from X509_STORE_load_locations + when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed. + [Bill Perry] + + *) New function ASN1_mbstring_copy() this copies a string in either + ASCII, Unicode, Universal (4 bytes per character) or UTF8 format + into an ASN1_STRING type. A mask of permissible types is passed + and it chooses the "minimal" type to use or an error if not type + is suitable. + [Steve Henson] + + *) Add function equivalents to the various macros in asn1.h. The old + macros are retained with an M_ prefix. Code inside the library can + use the M_ macros. External code (including the openssl utility) + should *NOT* in order to be "shared library friendly". + [Steve Henson] + + *) Add various functions that can check a certificate's extensions + to see if it usable for various purposes such as SSL client, + server or S/MIME and CAs of these types. This is currently + VERY EXPERIMENTAL but will ultimately be used for certificate chain + verification. Also added a -purpose flag to x509 utility to + print out all the purposes. + [Steve Henson] + + *) Add a CRYPTO_EX_DATA to X509 certificate structure and associated + functions. + [Steve Henson] + + *) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search + for, obtain and decode and extension and obtain its critical flag. + This allows all the necessary extension code to be handled in a + single function call. + [Steve Henson] + + *) RC4 tune-up featuring 30-40% performance improvement on most RISC + platforms. See crypto/rc4/rc4_enc.c for further details. + [Andy Polyakov] + + *) New -noout option to asn1parse. This causes no output to be produced + its main use is when combined with -strparse and -out to extract data + from a file (which may not be in ASN.1 format). + [Steve Henson] + + *) Fix for pkcs12 program. It was hashing an invalid certificate pointer + when producing the local key id. + [Richard Levitte ] + + *) New option -dhparam in s_server. This allows a DH parameter file to be + stated explicitly. If it is not stated then it tries the first server + certificate file. The previous behaviour hard coded the filename + "server.pem". + [Steve Henson] + + *) Add -pubin and -pubout options to the rsa and dsa commands. These allow + a public key to be input or output. For example: + openssl rsa -in key.pem -pubout -out pubkey.pem + Also added necessary DSA public key functions to handle this. + [Steve Henson] + + *) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained + in the message. This was handled by allowing + X509_find_by_issuer_and_serial() to tolerate a NULL passed to it. + [Steve Henson, reported by Sampo Kellomaki ] + + *) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null + to the end of the strings whereas this didn't. This would cause problems + if strings read with d2i_ASN1_bytes() were later modified. + [Steve Henson, reported by Arne Ansper ] + + *) Fix for base64 decode bug. When a base64 bio reads only one line of + data and it contains EOF it will end up returning an error. This is + caused by input 46 bytes long. The cause is due to the way base64 + BIOs find the start of base64 encoded data. They do this by trying a + trial decode on each line until they find one that works. When they + do a flag is set and it starts again knowing it can pass all the + data directly through the decoder. Unfortunately it doesn't reset + the context it uses. This means that if EOF is reached an attempt + is made to pass two EOFs through the context and this causes the + resulting error. This can also cause other problems as well. As is + usual with these problems it takes *ages* to find and the fix is + trivial: move one line. + [Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ] + + *) Ugly workaround to get s_client and s_server working under Windows. The + old code wouldn't work because it needed to select() on sockets and the + tty (for keypresses and to see if data could be written). Win32 only + supports select() on sockets so we select() with a 1s timeout on the + sockets and then see if any characters are waiting to be read, if none + are present then we retry, we also assume we can always write data to + the tty. This isn't nice because the code then blocks until we've + received a complete line of data and it is effectively polling the + keyboard at 1s intervals: however it's quite a bit better than not + working at all :-) A dedicated Windows application might handle this + with an event loop for example. + [Steve Henson] + + *) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign + and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions + will be called when RSA_sign() and RSA_verify() are used. This is useful + if rsa_pub_dec() and rsa_priv_enc() equivalents are not available. + For this to work properly RSA_public_decrypt() and RSA_private_encrypt() + should *not* be used: RSA_sign() and RSA_verify() must be used instead. + This necessitated the support of an extra signature type NID_md5_sha1 + for SSL signatures and modifications to the SSL library to use it instead + of calling RSA_public_decrypt() and RSA_private_encrypt(). + [Steve Henson] + + *) Add new -verify -CAfile and -CApath options to the crl program, these + will lookup a CRL issuers certificate and verify the signature in a + similar way to the verify program. Tidy up the crl program so it + no longer acesses structures directly. Make the ASN1 CRL parsing a bit + less strict. It will now permit CRL extensions even if it is not + a V2 CRL: this will allow it to tolerate some broken CRLs. + [Steve Henson] + + *) Initialize all non-automatic variables each time one of the openssl + sub-programs is started (this is necessary as they may be started + multiple times from the "OpenSSL>" prompt). + [Lennart Bang, Bodo Moeller] + + *) Preliminary compilation option RSA_NULL which disables RSA crypto without + removing all other RSA functionality (this is what NO_RSA does). This + is so (for example) those in the US can disable those operations covered + by the RSA patent while allowing storage and parsing of RSA keys and RSA + key generation. + [Steve Henson] + + *) Non-copying interface to BIO pairs. + (still largely untested) + [Bodo Moeller] + + *) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive + ASCII string. This was handled independently in various places before. + [Steve Henson] + + *) New functions UTF8_getc() and UTF8_putc() that parse and generate + UTF8 strings a character at a time. + [Steve Henson] + + *) Use client_version from client hello to select the protocol + (s23_srvr.c) and for RSA client key exchange verification + (s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications. + [Bodo Moeller] + + *) Add various utility functions to handle SPKACs, these were previously + handled by poking round in the structure internals. Added new function + NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to + print, verify and generate SPKACs. Based on an original idea from + Massimiliano Pala but extensively modified. + [Steve Henson] + + *) RIPEMD160 is operational on all platforms and is back in 'make test'. + [Andy Polyakov] + + *) Allow the config file extension section to be overwritten on the + command line. Based on an original idea from Massimiliano Pala + . The new option is called -extensions + and can be applied to ca, req and x509. Also -reqexts to override + the request extensions in req and -crlexts to override the crl extensions + in ca. + [Steve Henson] + + *) Add new feature to the SPKAC handling in ca. Now you can include + the same field multiple times by preceding it by "XXXX." for example: + 1.OU="Unit name 1" + 2.OU="Unit name 2" + this is the same syntax as used in the req config file. + [Steve Henson] + + *) Allow certificate extensions to be added to certificate requests. These + are specified in a 'req_extensions' option of the req section of the + config file. They can be printed out with the -text option to req but + are otherwise ignored at present. + [Steve Henson] + + *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first + data read consists of only the final block it would not decrypted because + EVP_CipherUpdate() would correctly report zero bytes had been decrypted. + A misplaced 'break' also meant the decrypted final block might not be + copied until the next read. + [Steve Henson] + + *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added + a few extra parameters to the DH structure: these will be useful if + for example we want the value of 'q' or implement X9.42 DH. + [Steve Henson] + + *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and + provides hooks that allow the default DSA functions or functions on a + "per key" basis to be replaced. This allows hardware acceleration and + hardware key storage to be handled without major modification to the + library. Also added low level modexp hooks and CRYPTO_EX structure and + associated functions. + [Steve Henson] + + *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO + as "read only": it can't be written to and the buffer it points to will + not be freed. Reading from a read only BIO is much more efficient than + a normal memory BIO. This was added because there are several times when + an area of memory needs to be read from a BIO. The previous method was + to create a memory BIO and write the data to it, this results in two + copies of the data and an O(n^2) reading algorithm. There is a new + function BIO_new_mem_buf() which creates a read only memory BIO from + an area of memory. Also modified the PKCS#7 routines to use read only + memory BIOSs. + [Steve Henson] + + *) Bugfix: ssl23_get_client_hello did not work properly when called in + state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of + a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, + but a retry condition occured while trying to read the rest. + [Bodo Moeller] + + *) The PKCS7_ENC_CONTENT_new() function was setting the content type as + NID_pkcs7_encrypted by default: this was wrong since this should almost + always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle + the encrypted data type: this is a more sensible place to put it and it + allows the PKCS#12 code to be tidied up that duplicated this + functionality. + [Steve Henson] + + *) Changed obj_dat.pl script so it takes its input and output files on + the command line. This should avoid shell escape redirection problems + under Win32. + [Steve Henson] + + *) Initial support for certificate extension requests, these are included + in things like Xenroll certificate requests. Included functions to allow + extensions to be obtained and added. + [Steve Henson] + + *) -crlf option to s_client and s_server for sending newlines as + CRLF (as required by many protocols). + [Bodo Moeller] + + Changes between 0.9.3a and 0.9.4 [09 Aug 1999] + + *) Install libRSAglue.a when OpenSSL is built with RSAref. + [Ralf S. Engelschall] + + *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. + [Andrija Antonijevic ] + + *) Fix -startdate and -enddate (which was missing) arguments to 'ca' + program. + [Steve Henson] + + *) New function DSA_dup_DH, which duplicates DSA parameters/keys as + DH parameters/keys (q is lost during that conversion, but the resulting + DH parameters contain its length). + + For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is + much faster than DH_generate_parameters (which creates parameters + where p = 2*q + 1), and also the smaller q makes DH computations + much more efficient (160-bit exponentiation instead of 1024-bit + exponentiation); so this provides a convenient way to support DHE + ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of + utter importance to use + SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + or + SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); + when such DH parameters are used, because otherwise small subgroup + attacks may become possible! + [Bodo Moeller] + + *) Avoid memory leak in i2d_DHparams. + [Bodo Moeller] + + *) Allow the -k option to be used more than once in the enc program: + this allows the same encrypted message to be read by multiple recipients. + [Steve Henson] + + *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts + an ASN1_OBJECT to a text string. If the "no_name" parameter is set then + it will always use the numerical form of the OID, even if it has a short + or long name. + [Steve Henson] + + *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp + method only got called if p,q,dmp1,dmq1,iqmp components were present, + otherwise bn_mod_exp was called. In the case of hardware keys for example + no private key components need be present and it might store extra data + in the RSA structure, which cannot be accessed from bn_mod_exp. + By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for + private key operations. + [Steve Henson] + + *) Added support for SPARC Linux. + [Andy Polyakov] + + *) pem_password_cb function type incompatibly changed from + typedef int pem_password_cb(char *buf, int size, int rwflag); + to + ....(char *buf, int size, int rwflag, void *userdata); + so that applications can pass data to their callbacks: + The PEM[_ASN1]_{read,write}... functions and macros now take an + additional void * argument, which is just handed through whenever + the password callback is called. + [Damien Miller ; tiny changes by Bodo Moeller] + + New function SSL_CTX_set_default_passwd_cb_userdata. + + Compatibility note: As many C implementations push function arguments + onto the stack in reverse order, the new library version is likely to + interoperate with programs that have been compiled with the old + pem_password_cb definition (PEM_whatever takes some data that + happens to be on the stack as its last argument, and the callback + just ignores this garbage); but there is no guarantee whatsoever that + this will work. + + *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... + (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused + problems not only on Windows, but also on some Unix platforms. + To avoid problematic command lines, these definitions are now in an + auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl + for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). + [Bodo Moeller] + + *) MIPS III/IV assembler module is reimplemented. + [Andy Polyakov] + + *) More DES library cleanups: remove references to srand/rand and + delete an unused file. + [Ulf Möller] + + *) Add support for the the free Netwide assembler (NASM) under Win32, + since not many people have MASM (ml) and it can be hard to obtain. + This is currently experimental but it seems to work OK and pass all + the tests. Check out INSTALL.W32 for info. + [Steve Henson] + + *) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections + without temporary keys kept an extra copy of the server key, + and connections with temporary keys did not free everything in case + of an error. + [Bodo Moeller] + + *) New function RSA_check_key and new openssl rsa option -check + for verifying the consistency of RSA keys. + [Ulf Moeller, Bodo Moeller] + + *) Various changes to make Win32 compile work: + 1. Casts to avoid "loss of data" warnings in p5_crpt2.c + 2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned + comparison" warnings. + 3. Add sk__sort to DEF file generator and do make update. + [Steve Henson] + + *) Add a debugging option to PKCS#5 v2 key generation function: when + you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and + derived keys are printed to stderr. + [Steve Henson] + + *) Copy the flags in ASN1_STRING_dup(). + [Roman E. Pavlov ] + + *) The x509 application mishandled signing requests containing DSA + keys when the signing key was also DSA and the parameters didn't match. + + It was supposed to omit the parameters when they matched the signing key: + the verifying software was then supposed to automatically use the CA's + parameters if they were absent from the end user certificate. + + Omitting parameters is no longer recommended. The test was also + the wrong way round! This was probably due to unusual behaviour in + EVP_cmp_parameters() which returns 1 if the parameters match. + This meant that parameters were omitted when they *didn't* match and + the certificate was useless. Certificates signed with 'ca' didn't have + this bug. + [Steve Henson, reported by Doug Erickson ] + + *) Memory leak checking (-DCRYPTO_MDEBUG) had some problems. + The interface is as follows: + Applications can use + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); + "off" is now the default. + The library internally uses + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() + to disable memory-checking temporarily. + + Some inconsistent states that previously were possible (and were + even the default) are now avoided. + + -DCRYPTO_MDEBUG_TIME is new and additionally stores the current time + with each memory chunk allocated; this is occasionally more helpful + than just having a counter. + + -DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID. + + -DCRYPTO_MDEBUG_ALL enables all of the above, plus any future + extensions. + [Bodo Moeller] + + *) Introduce "mode" for SSL structures (with defaults in SSL_CTX), + which largely parallels "options", but is for changing API behaviour, + whereas "options" are about protocol behaviour. + Initial "mode" flags are: + + SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when + a single record has been written. + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write + retries use the same buffer location. + (But all of the contents must be + copied!) + [Bodo Moeller] + + *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode + worked. + + *) Fix problems with no-hmac etc. + [Ulf Möller, pointed out by Brian Wellington ] + + *) New functions RSA_get_default_method(), RSA_set_method() and + RSA_get_method(). These allows replacement of RSA_METHODs without having + to mess around with the internals of an RSA structure. + [Steve Henson] + + *) Fix memory leaks in DSA_do_sign and DSA_is_prime. + Also really enable memory leak checks in openssl.c and in some + test programs. + [Chad C. Mulligan, Bodo Moeller] + + *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess + up the length of negative integers. This has now been simplified to just + store the length when it is first determined and use it later, rather + than trying to keep track of where data is copied and updating it to + point to the end. + [Steve Henson, reported by Brien Wheeler + ] + + *) Add a new function PKCS7_signatureVerify. This allows the verification + of a PKCS#7 signature but with the signing certificate passed to the + function itself. This contrasts with PKCS7_dataVerify which assumes the + certificate is present in the PKCS#7 structure. This isn't always the + case: certificates can be omitted from a PKCS#7 structure and be + distributed by "out of band" means (such as a certificate database). + [Steve Henson] + + *) Complete the PEM_* macros with DECLARE_PEM versions to replace the + function prototypes in pem.h, also change util/mkdef.pl to add the + necessary function names. + [Steve Henson] *) mk1mf.pl (used by Windows builds) did not properly read the - options set by Configure in the top level Makefile; typo fixed, - now "no-idea" etc. works as intended. + options set by Configure in the top level Makefile, and Configure + was not even able to write more than one option correctly. + Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended. [Bodo Moeller] *) New functions CONF_load_bio() and CONF_load_fp() to allow a config