4446 lines
187 KiB
Text
4446 lines
187 KiB
Text
|
||
OpenSSL CHANGES
|
||
_______________
|
||
|
||
Changes between 0.9.6i and 0.9.6j [xx XXX 2003]
|
||
|
||
*)
|
||
|
||
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
|
||
|
||
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
|
||
via timing by performing a MAC computation even if incorrrect
|
||
block cipher padding has been found. This is a countermeasure
|
||
against active attacks where the attacker has to distinguish
|
||
between bad padding and a MAC verification error. (CAN-2003-0078)
|
||
|
||
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
|
||
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
|
||
Martin Vuagnoux (EPFL, Ilion)]
|
||
|
||
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
|
||
|
||
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
|
||
memory from it's contents. This is done with a counter that will
|
||
place alternating values in each byte. This can be used to solve
|
||
two issues: 1) the removal of calls to memset() by highly optimizing
|
||
compilers, and 2) cleansing with other values than 0, since those can
|
||
be read through on certain media, for example a swap space on disk.
|
||
[Geoff Thorpe]
|
||
|
||
*) Bugfix: client side session caching did not work with external caching,
|
||
because the session->cipher setting was not restored when reloading
|
||
from the external cache. This problem was masked, when
|
||
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
|
||
(Found by Steve Haslam <steve@araqnid.ddts.net>.)
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total
|
||
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
|
||
[Zeev Lieber <zeev-l@yahoo.com>]
|
||
|
||
*) Undo an undocumented change introduced in 0.9.6e which caused
|
||
repeated calls to OpenSSL_add_all_ciphers() and
|
||
OpenSSL_add_all_digests() to be ignored, even after calling
|
||
EVP_cleanup().
|
||
[Richard Levitte]
|
||
|
||
*) Change the default configuration reader to deal with last line not
|
||
being properly terminated.
|
||
[Richard Levitte]
|
||
|
||
*) Change X509_NAME_cmp() so it applies the special rules on handling
|
||
DN values that are of type PrintableString, as well as RDNs of type
|
||
emailAddress where the value has the type ia5String.
|
||
[stefank@valicert.com via Richard Levitte]
|
||
|
||
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
|
||
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
|
||
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
|
||
the bitwise-OR of the two for use by the majority of applications
|
||
wanting this behaviour, and update the docs. The documented
|
||
behaviour and actual behaviour were inconsistent and had been
|
||
changing anyway, so this is more a bug-fix than a behavioural
|
||
change.
|
||
[Geoff Thorpe, diagnosed by Nadav Har'El]
|
||
|
||
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
|
||
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
|
||
[Bodo Moeller]
|
||
|
||
*) Fix initialization code race conditions in
|
||
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
|
||
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
|
||
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
|
||
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
|
||
ssl2_get_cipher_by_char(),
|
||
ssl3_get_cipher_by_char().
|
||
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
|
||
|
||
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
|
||
the cached sessions are flushed, as the remove_cb() might use ex_data
|
||
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
|
||
(see [openssl.org #212]).
|
||
[Geoff Thorpe, Lutz Jaenicke]
|
||
|
||
*) Fix typo in OBJ_txt2obj which incorrectly passed the content
|
||
length, instead of the encoding length to d2i_ASN1_OBJECT.
|
||
[Steve Henson]
|
||
|
||
Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
|
||
|
||
*) [In 0.9.6g-engine release:]
|
||
Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
|
||
[Lynn Gazis <lgazis@rainbow.com>]
|
||
|
||
Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
|
||
|
||
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
|
||
and get fix the header length calculation.
|
||
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
|
||
Alon Kantor <alonk@checkpoint.com> (and others),
|
||
Steve Henson]
|
||
|
||
*) Use proper error handling instead of 'assertions' in buffer
|
||
overflow checks added in 0.9.6e. This prevents DoS (the
|
||
assertions could call abort()).
|
||
[Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
|
||
|
||
Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
|
||
|
||
*) Add various sanity checks to asn1_get_length() to reject
|
||
the ASN1 length bytes if they exceed sizeof(long), will appear
|
||
negative or the content length exceeds the length of the
|
||
supplied buffer.
|
||
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
|
||
|
||
*) Fix cipher selection routines: ciphers without encryption had no flags
|
||
for the cipher strength set and where therefore not handled correctly
|
||
by the selection routines (PR #130).
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix EVP_dsa_sha macro.
|
||
[Nils Larsch]
|
||
|
||
*) New option
|
||
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||
for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
|
||
that was added in OpenSSL 0.9.6d.
|
||
|
||
As the countermeasure turned out to be incompatible with some
|
||
broken SSL implementations, the new option is part of SSL_OP_ALL.
|
||
SSL_OP_ALL is usually employed when compatibility with weird SSL
|
||
implementations is desired (e.g. '-bugs' option to 's_client' and
|
||
's_server'), so the new option is automatically set in many
|
||
applications.
|
||
[Bodo Moeller]
|
||
|
||
*) Changes in security patch:
|
||
|
||
Changes marked "(CHATS)" were sponsored by the Defense Advanced
|
||
Research Projects Agency (DARPA) and Air Force Research Laboratory,
|
||
Air Force Materiel Command, USAF, under agreement number
|
||
F30602-01-2-0537.
|
||
|
||
*) Add various sanity checks to asn1_get_length() to reject
|
||
the ASN1 length bytes if they exceed sizeof(long), will appear
|
||
negative or the content length exceeds the length of the
|
||
supplied buffer. (CAN-2002-0659)
|
||
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
|
||
|
||
*) Assertions for various potential buffer overflows, not known to
|
||
happen in practice.
|
||
[Ben Laurie (CHATS)]
|
||
|
||
*) Various temporary buffers to hold ASCII versions of integers were
|
||
too small for 64 bit platforms. (CAN-2002-0655)
|
||
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
|
||
|
||
*) Remote buffer overflow in SSL3 protocol - an attacker could
|
||
supply an oversized session ID to a client. (CAN-2002-0656)
|
||
[Ben Laurie (CHATS)]
|
||
|
||
*) Remote buffer overflow in SSL2 protocol - an attacker could
|
||
supply an oversized client master key. (CAN-2002-0656)
|
||
[Ben Laurie (CHATS)]
|
||
|
||
Changes between 0.9.6c and 0.9.6d [9 May 2002]
|
||
|
||
*) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
|
||
encoded as NULL) with id-dsa-with-sha1.
|
||
[Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
|
||
|
||
*) Check various X509_...() return values in apps/req.c.
|
||
[Nils Larsch <nla@trustcenter.de>]
|
||
|
||
*) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
|
||
an end-of-file condition would erronously be flagged, when the CRLF
|
||
was just at the end of a processed block. The bug was discovered when
|
||
processing data through a buffering memory BIO handing the data to a
|
||
BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
|
||
<ptsekov@syntrex.com> and Nedelcho Stanev.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Implement a countermeasure against a vulnerability recently found
|
||
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
|
||
before application data chunks to avoid the use of known IVs
|
||
with data potentially chosen by the attacker.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix length checks in ssl3_get_client_hello().
|
||
[Bodo Moeller]
|
||
|
||
*) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
|
||
to prevent ssl3_read_internal() from incorrectly assuming that
|
||
ssl3_read_bytes() found application data while handshake
|
||
processing was enabled when in fact s->s3->in_read_app_data was
|
||
merely automatically cleared during the initial handshake.
|
||
[Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) Fix object definitions for Private and Enterprise: they were not
|
||
recognized in their shortname (=lowercase) representation. Extend
|
||
obj_dat.pl to issue an error when using undefined keywords instead
|
||
of silently ignoring the problem (Svenning Sorensen
|
||
<sss@sss.dnsalias.net>).
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix DH_generate_parameters() so that it works for 'non-standard'
|
||
generators, i.e. generators other than 2 and 5. (Previously, the
|
||
code did not properly initialise the 'add' and 'rem' values to
|
||
BN_generate_prime().)
|
||
|
||
In the new general case, we do not insist that 'generator' is
|
||
actually a primitive root: This requirement is rather pointless;
|
||
a generator of the order-q subgroup is just as good, if not
|
||
better.
|
||
[Bodo Moeller]
|
||
|
||
*) Map new X509 verification errors to alerts. Discovered and submitted by
|
||
Tom Wu <tom@arcot.com>.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
|
||
returning non-zero before the data has been completely received
|
||
when using non-blocking I/O.
|
||
[Bodo Moeller; problem pointed out by John Hughes]
|
||
|
||
*) Some of the ciphers missed the strength entry (SSL_LOW etc).
|
||
[Ben Laurie, Lutz Jaenicke]
|
||
|
||
*) Fix bug in SSL_clear(): bad sessions were not removed (found by
|
||
Yoram Zahavi <YoramZ@gilian.com>).
|
||
[Lutz Jaenicke]
|
||
|
||
*) Add information about CygWin 1.3 and on, and preserve proper
|
||
configuration for the versions before that.
|
||
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
|
||
|
||
*) Make removal from session cache (SSL_CTX_remove_session()) more robust:
|
||
check whether we deal with a copy of a session and do not delete from
|
||
the cache in this case. Problem reported by "Izhar Shoshani Levi"
|
||
<izhar@checkpoint.com>.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Do not store session data into the internal session cache, if it
|
||
is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
|
||
flag is set). Proposed by Aslam <aslam@funk.com>.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
|
||
value is 0.
|
||
[Richard Levitte]
|
||
|
||
*) [In 0.9.6d-engine release:]
|
||
Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
|
||
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
|
||
|
||
*) Add the configuration target linux-s390x.
|
||
[Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
|
||
|
||
*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
|
||
ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
|
||
variable as an indication that a ClientHello message has been
|
||
received. As the flag value will be lost between multiple
|
||
invocations of ssl3_accept when using non-blocking I/O, the
|
||
function may not be aware that a handshake has actually taken
|
||
place, thus preventing a new session from being added to the
|
||
session cache.
|
||
|
||
To avoid this problem, we now set s->new_session to 2 instead of
|
||
using a local variable.
|
||
[Lutz Jaenicke, Bodo Moeller]
|
||
|
||
*) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
|
||
if the SSL_R_LENGTH_MISMATCH error is detected.
|
||
[Geoff Thorpe, Bodo Moeller]
|
||
|
||
*) New 'shared_ldflag' column in Configure platform table.
|
||
[Richard Levitte]
|
||
|
||
*) Fix EVP_CIPHER_mode macro.
|
||
["Dan S. Camper" <dan@bti.net>]
|
||
|
||
*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
|
||
type, we must throw them away by setting rr->length to 0.
|
||
[D P Chang <dpc@qualys.com>]
|
||
|
||
Changes between 0.9.6b and 0.9.6c [21 dec 2001]
|
||
|
||
*) Fix BN_rand_range bug pointed out by Dominikus Scherkl
|
||
<Dominikus.Scherkl@biodata.com>. (The previous implementation
|
||
worked incorrectly for those cases where range = 10..._2 and
|
||
3*range is two bits longer than range.)
|
||
[Bodo Moeller]
|
||
|
||
*) Only add signing time to PKCS7 structures if it is not already
|
||
present.
|
||
[Steve Henson]
|
||
|
||
*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
|
||
OBJ_ld_ce should be OBJ_id_ce.
|
||
Also some ip-pda OIDs in crypto/objects/objects.txt were
|
||
incorrect (cf. RFC 3039).
|
||
[Matt Cooper, Frederic Giudicelli, Bodo Moeller]
|
||
|
||
*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
|
||
returns early because it has nothing to do.
|
||
[Andy Schneider <andy.schneider@bjss.co.uk>]
|
||
|
||
*) [In 0.9.6c-engine release:]
|
||
Fix mutex callback return values in crypto/engine/hw_ncipher.c.
|
||
[Andy Schneider <andy.schneider@bjss.co.uk>]
|
||
|
||
*) [In 0.9.6c-engine release:]
|
||
Add support for Cryptographic Appliance's keyserver technology.
|
||
(Use engine 'keyclient')
|
||
[Cryptographic Appliances and Geoff Thorpe]
|
||
|
||
*) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
|
||
is called via tools/c89.sh because arguments have to be
|
||
rearranged (all '-L' options must appear before the first object
|
||
modules).
|
||
[Richard Shapiro <rshapiro@abinitio.com>]
|
||
|
||
*) [In 0.9.6c-engine release:]
|
||
Add support for Broadcom crypto accelerator cards, backported
|
||
from 0.9.7.
|
||
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
|
||
|
||
*) [In 0.9.6c-engine release:]
|
||
Add support for SureWare crypto accelerator cards from
|
||
Baltimore Technologies. (Use engine 'sureware')
|
||
[Baltimore Technologies and Mark Cox]
|
||
|
||
*) [In 0.9.6c-engine release:]
|
||
Add support for crypto accelerator cards from Accelerated
|
||
Encryption Processing, www.aep.ie. (Use engine 'aep')
|
||
[AEP Inc. and Mark Cox]
|
||
|
||
*) Add a configuration entry for gcc on UnixWare.
|
||
[Gary Benson <gbenson@redhat.com>]
|
||
|
||
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
|
||
messages are stored in a single piece (fixed-length part and
|
||
variable-length part combined) and fix various bugs found on the way.
|
||
[Bodo Moeller]
|
||
|
||
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
|
||
instead. BIO_gethostbyname() does not know what timeouts are
|
||
appropriate, so entries would stay in cache even when they have
|
||
become invalid.
|
||
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
|
||
|
||
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
|
||
faced with a pathologically small ClientHello fragment that does
|
||
not contain client_version: Instead of aborting with an error,
|
||
simply choose the highest available protocol version (i.e.,
|
||
TLS 1.0 unless it is disabled). In practice, ClientHello
|
||
messages are never sent like this, but this change gives us
|
||
strictly correct behaviour at least for TLS.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
|
||
never resets s->method to s->ctx->method when called from within
|
||
one of the SSL handshake functions.
|
||
[Bodo Moeller; problem pointed out by Niko Baric]
|
||
|
||
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
|
||
(sent using the client's version number) if client_version is
|
||
smaller than the protocol version in use. Also change
|
||
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
|
||
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
|
||
the client will at least see that alert.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
|
||
correctly.
|
||
[Bodo Moeller]
|
||
|
||
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
|
||
client receives HelloRequest while in a handshake.
|
||
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
|
||
|
||
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
|
||
should end in 'break', not 'goto end' which circuments various
|
||
cleanups done in state SSL_ST_OK. But session related stuff
|
||
must be disabled for SSL_ST_OK in the case that we just sent a
|
||
HelloRequest.
|
||
|
||
Also avoid some overhead by not calling ssl_init_wbio_buffer()
|
||
before just sending a HelloRequest.
|
||
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
|
||
|
||
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
|
||
reveal whether illegal block cipher padding was found or a MAC
|
||
verification error occured. (Neither SSLerr() codes nor alerts
|
||
are directly visible to potential attackers, but the information
|
||
may leak via logfiles.)
|
||
|
||
Similar changes are not required for the SSL 2.0 implementation
|
||
because the number of padding bytes is sent in clear for SSL 2.0,
|
||
and the extra bytes are just ignored. However ssl/s2_pkt.c
|
||
failed to verify that the purported number of padding bytes is in
|
||
the legal range.
|
||
[Bodo Moeller]
|
||
|
||
*) Add OpenUNIX-8 support including shared libraries
|
||
(Boyd Lynn Gerber <gerberb@zenez.com>).
|
||
[Lutz Jaenicke]
|
||
|
||
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
|
||
'wristwatch attack' using huge encoding parameters (cf.
|
||
James H. Manger's CRYPTO 2001 paper). Note that the
|
||
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
|
||
encoding parameters and hence was not vulnerable.
|
||
[Bodo Moeller]
|
||
|
||
*) BN_sqr() bug fix.
|
||
[Ulf M<>ller, reported by Jim Ellis <jim.ellis@cavium.com>]
|
||
|
||
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
|
||
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
|
||
followed by modular reduction.
|
||
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
|
||
|
||
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
|
||
equivalent based on BN_pseudo_rand() instead of BN_rand().
|
||
[Bodo Moeller]
|
||
|
||
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
|
||
This function was broken, as the check for a new client hello message
|
||
to handle SGC did not allow these large messages.
|
||
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
|
||
[Lutz Jaenicke]
|
||
|
||
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
|
||
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
|
||
[Lutz Jaenicke]
|
||
|
||
*) Rework the configuration and shared library support for Tru64 Unix.
|
||
The configuration part makes use of modern compiler features and
|
||
still retains old compiler behavior for those that run older versions
|
||
of the OS. The shared library support part includes a variant that
|
||
uses the RPATH feature, and is available through the special
|
||
configuration target "alpha-cc-rpath", which will never be selected
|
||
automatically.
|
||
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
|
||
|
||
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
|
||
with the same message size as in ssl3_get_certificate_request().
|
||
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
|
||
messages might inadvertently be reject as too long.
|
||
[Petr Lampa <lampa@fee.vutbr.cz>]
|
||
|
||
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
|
||
[Andy Polyakov]
|
||
|
||
*) Modified SSL library such that the verify_callback that has been set
|
||
specificly for an SSL object with SSL_set_verify() is actually being
|
||
used. Before the change, a verify_callback set with this function was
|
||
ignored and the verify_callback() set in the SSL_CTX at the time of
|
||
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
|
||
to allow the necessary settings.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
|
||
explicitly to NULL, as at least on Solaris 8 this seems not always to be
|
||
done automatically (in contradiction to the requirements of the C
|
||
standard). This made problems when used from OpenSSH.
|
||
[Lutz Jaenicke]
|
||
|
||
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
|
||
dh->length and always used
|
||
|
||
BN_rand_range(priv_key, dh->p).
|
||
|
||
BN_rand_range() is not necessary for Diffie-Hellman, and this
|
||
specific range makes Diffie-Hellman unnecessarily inefficient if
|
||
dh->length (recommended exponent length) is much smaller than the
|
||
length of dh->p. We could use BN_rand_range() if the order of
|
||
the subgroup was stored in the DH structure, but we only have
|
||
dh->length.
|
||
|
||
So switch back to
|
||
|
||
BN_rand(priv_key, l, ...)
|
||
|
||
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
|
||
otherwise.
|
||
[Bodo Moeller]
|
||
|
||
*) In
|
||
|
||
RSA_eay_public_encrypt
|
||
RSA_eay_private_decrypt
|
||
RSA_eay_private_encrypt (signing)
|
||
RSA_eay_public_decrypt (signature verification)
|
||
|
||
(default implementations for RSA_public_encrypt,
|
||
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
|
||
always reject numbers >= n.
|
||
[Bodo Moeller]
|
||
|
||
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
|
||
to synchronize access to 'locking_thread'. This is necessary on
|
||
systems where access to 'locking_thread' (an 'unsigned long'
|
||
variable) is not atomic.
|
||
[Bodo Moeller]
|
||
|
||
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
|
||
*before* setting the 'crypto_lock_rand' flag. The previous code had
|
||
a race condition if 0 is a valid thread ID.
|
||
[Travis Vitek <vitek@roguewave.com>]
|
||
|
||
*) Add support for shared libraries under Irix.
|
||
[Albert Chin-A-Young <china@thewrittenword.com>]
|
||
|
||
*) Add configuration option to build on Linux on both big-endian and
|
||
little-endian MIPS.
|
||
[Ralf Baechle <ralf@uni-koblenz.de>]
|
||
|
||
*) Add the possibility to create shared libraries on HP-UX.
|
||
[Richard Levitte]
|
||
|
||
Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
|
||
|
||
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
|
||
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
|
||
Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
|
||
PRNG state recovery was possible based on the output of
|
||
one PRNG request appropriately sized to gain knowledge on
|
||
'md' followed by enough consecutive 1-byte PRNG requests
|
||
to traverse all of 'state'.
|
||
|
||
1. When updating 'md_local' (the current thread's copy of 'md')
|
||
during PRNG output generation, hash all of the previous
|
||
'md_local' value, not just the half used for PRNG output.
|
||
|
||
2. Make the number of bytes from 'state' included into the hash
|
||
independent from the number of PRNG bytes requested.
|
||
|
||
The first measure alone would be sufficient to avoid
|
||
Markku-Juhani's attack. (Actually it had never occurred
|
||
to me that the half of 'md_local' used for chaining was the
|
||
half from which PRNG output bytes were taken -- I had always
|
||
assumed that the secret half would be used.) The second
|
||
measure makes sure that additional data from 'state' is never
|
||
mixed into 'md_local' in small portions; this heuristically
|
||
further strengthens the PRNG.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix crypto/bn/asm/mips3.s.
|
||
[Andy Polyakov]
|
||
|
||
*) When only the key is given to "enc", the IV is undefined. Print out
|
||
an error message in this case.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Handle special case when X509_NAME is empty in X509 printing routines.
|
||
[Steve Henson]
|
||
|
||
*) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
|
||
positive and less than q.
|
||
[Bodo Moeller]
|
||
|
||
*) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
|
||
used: it isn't thread safe and the add_lock_callback should handle
|
||
that itself.
|
||
[Paul Rose <Paul.Rose@bridge.com>]
|
||
|
||
*) Verify that incoming data obeys the block size in
|
||
ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
|
||
[Bodo Moeller]
|
||
|
||
*) Fix OAEP check.
|
||
[Ulf M<>ller, Bodo M<>ller]
|
||
|
||
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
|
||
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
|
||
when fixing the server behaviour for backwards-compatible 'client
|
||
hello' messages. (Note that the attack is impractical against
|
||
SSL 3.0 and TLS 1.0 anyway because length and version checking
|
||
means that the probability of guessing a valid ciphertext is
|
||
around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
|
||
paper.)
|
||
|
||
Before 0.9.5, the countermeasure (hide the error by generating a
|
||
random 'decryption result') did not work properly because
|
||
ERR_clear_error() was missing, meaning that SSL_get_error() would
|
||
detect the supposedly ignored error.
|
||
|
||
Both problems are now fixed.
|
||
[Bodo Moeller]
|
||
|
||
*) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
|
||
(previously it was 1024).
|
||
[Bodo Moeller]
|
||
|
||
*) Fix for compatibility mode trust settings: ignore trust settings
|
||
unless some valid trust or reject settings are present.
|
||
[Steve Henson]
|
||
|
||
*) Fix for blowfish EVP: its a variable length cipher.
|
||
[Steve Henson]
|
||
|
||
*) Fix various bugs related to DSA S/MIME verification. Handle missing
|
||
parameters in DSA public key structures and return an error in the
|
||
DSA routines if parameters are absent.
|
||
[Steve Henson]
|
||
|
||
*) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
|
||
in the current directory if neither $RANDFILE nor $HOME was set.
|
||
RAND_file_name() in 0.9.6a returned NULL in this case. This has
|
||
caused some confusion to Windows users who haven't defined $HOME.
|
||
Thus RAND_file_name() is changed again: e_os.h can define a
|
||
DEFAULT_HOME, which will be used if $HOME is not set.
|
||
For Windows, we use "C:"; on other platforms, we still require
|
||
environment variables.
|
||
|
||
*) Move 'if (!initialized) RAND_poll()' into regions protected by
|
||
CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
|
||
having multiple threads call RAND_poll() concurrently.
|
||
[Bodo Moeller]
|
||
|
||
*) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
|
||
combination of a flag and a thread ID variable.
|
||
Otherwise while one thread is in ssleay_rand_bytes (which sets the
|
||
flag), *other* threads can enter ssleay_add_bytes without obeying
|
||
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
|
||
that they do not hold after the first thread unsets add_do_not_lock).
|
||
[Bodo Moeller]
|
||
|
||
*) Change bctest again: '-x' expressions are not available in all
|
||
versions of 'test'.
|
||
[Bodo Moeller]
|
||
|
||
Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
|
||
|
||
*) Fix a couple of memory leaks in PKCS7_dataDecode()
|
||
[Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
|
||
|
||
*) Change Configure and Makefiles to provide EXE_EXT, which will contain
|
||
the default extension for executables, if any. Also, make the perl
|
||
scripts that use symlink() to test if it really exists and use "cp"
|
||
if it doesn't. All this made OpenSSL compilable and installable in
|
||
CygWin.
|
||
[Richard Levitte]
|
||
|
||
*) Fix for asn1_GetSequence() for indefinite length constructed data.
|
||
If SEQUENCE is length is indefinite just set c->slen to the total
|
||
amount of data available.
|
||
[Steve Henson, reported by shige@FreeBSD.org]
|
||
[This change does not apply to 0.9.7.]
|
||
|
||
*) Change bctest to avoid here-documents inside command substitution
|
||
(workaround for FreeBSD /bin/sh bug).
|
||
For compatibility with Ultrix, avoid shell functions (introduced
|
||
in the bctest version that searches along $PATH).
|
||
[Bodo Moeller]
|
||
|
||
*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
|
||
with des_encrypt() defined on some operating systems, like Solaris
|
||
and UnixWare.
|
||
[Richard Levitte]
|
||
|
||
*) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
|
||
On the Importance of Eliminating Errors in Cryptographic
|
||
Computations, J. Cryptology 14 (2001) 2, 101-119,
|
||
http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
|
||
[Ulf Moeller]
|
||
|
||
*) MIPS assembler BIGNUM division bug fix.
|
||
[Andy Polyakov]
|
||
|
||
*) Disabled incorrect Alpha assembler code.
|
||
[Richard Levitte]
|
||
|
||
*) Fix PKCS#7 decode routines so they correctly update the length
|
||
after reading an EOC for the EXPLICIT tag.
|
||
[Steve Henson]
|
||
[This change does not apply to 0.9.7.]
|
||
|
||
*) Fix bug in PKCS#12 key generation routines. This was triggered
|
||
if a 3DES key was generated with a 0 initial byte. Include
|
||
PKCS12_BROKEN_KEYGEN compilation option to retain the old
|
||
(but broken) behaviour.
|
||
[Steve Henson]
|
||
|
||
*) Enhance bctest to search for a working bc along $PATH and print
|
||
it when found.
|
||
[Tim Rice <tim@multitalents.net> via Richard Levitte]
|
||
|
||
*) Fix memory leaks in err.c: free err_data string if necessary;
|
||
don't write to the wrong index in ERR_set_error_data.
|
||
[Bodo Moeller]
|
||
|
||
*) Implement ssl23_peek (analogous to ssl23_read), which previously
|
||
did not exist.
|
||
[Bodo Moeller]
|
||
|
||
*) Replace rdtsc with _emit statements for VC++ version 5.
|
||
[Jeremy Cooper <jeremy@baymoo.org>]
|
||
|
||
*) Make it possible to reuse SSLv2 sessions.
|
||
[Richard Levitte]
|
||
|
||
*) In copy_email() check for >= 0 as a return value for
|
||
X509_NAME_get_index_by_NID() since 0 is a valid index.
|
||
[Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
|
||
|
||
*) Avoid coredump with unsupported or invalid public keys by checking if
|
||
X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
|
||
PKCS7_verify() fails with non detached data.
|
||
[Steve Henson]
|
||
|
||
*) Don't use getenv in library functions when run as setuid/setgid.
|
||
New function OPENSSL_issetugid().
|
||
[Ulf Moeller]
|
||
|
||
*) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
|
||
due to incorrect handling of multi-threading:
|
||
|
||
1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
|
||
|
||
2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
|
||
|
||
3. Count how many times MemCheck_off() has been called so that
|
||
nested use can be treated correctly. This also avoids
|
||
inband-signalling in the previous code (which relied on the
|
||
assumption that thread ID 0 is impossible).
|
||
[Bodo Moeller]
|
||
|
||
*) Add "-rand" option also to s_client and s_server.
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix CPU detection on Irix 6.x.
|
||
[Kurt Hockenbury <khockenb@stevens-tech.edu> and
|
||
"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
|
||
|
||
*) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
|
||
was empty.
|
||
[Steve Henson]
|
||
[This change does not apply to 0.9.7.]
|
||
|
||
*) Use the cached encoding of an X509_NAME structure rather than
|
||
copying it. This is apparently the reason for the libsafe "errors"
|
||
but the code is actually correct.
|
||
[Steve Henson]
|
||
|
||
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
|
||
Bleichenbacher's DSA attack.
|
||
Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
|
||
to be set and top=0 forces the highest bit to be set; top=-1 is new
|
||
and leaves the highest bit random.
|
||
[Ulf Moeller, Bodo Moeller]
|
||
|
||
*) In the NCONF_...-based implementations for CONF_... queries
|
||
(crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
|
||
a temporary CONF structure with the data component set to NULL
|
||
(which gives segmentation faults in lh_retrieve).
|
||
Instead, use NULL for the CONF pointer in CONF_get_string and
|
||
CONF_get_number (which may use environment variables) and directly
|
||
return NULL from CONF_get_section.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix potential buffer overrun for EBCDIC.
|
||
[Ulf Moeller]
|
||
|
||
*) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
|
||
keyUsage if basicConstraints absent for a CA.
|
||
[Steve Henson]
|
||
|
||
*) Make SMIME_write_PKCS7() write mail header values with a format that
|
||
is more generally accepted (no spaces before the semicolon), since
|
||
some programs can't parse those values properly otherwise. Also make
|
||
sure BIO's that break lines after each write do not create invalid
|
||
headers.
|
||
[Richard Levitte]
|
||
|
||
*) Make the CRL encoding routines work with empty SEQUENCE OF. The
|
||
macros previously used would not encode an empty SEQUENCE OF
|
||
and break the signature.
|
||
[Steve Henson]
|
||
[This change does not apply to 0.9.7.]
|
||
|
||
*) Zero the premaster secret after deriving the master secret in
|
||
DH ciphersuites.
|
||
[Steve Henson]
|
||
|
||
*) Add some EVP_add_digest_alias registrations (as found in
|
||
OpenSSL_add_all_digests()) to SSL_library_init()
|
||
aka OpenSSL_add_ssl_algorithms(). This provides improved
|
||
compatibility with peers using X.509 certificates
|
||
with unconventional AlgorithmIdentifier OIDs.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix for Irix with NO_ASM.
|
||
["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
|
||
|
||
*) ./config script fixes.
|
||
[Ulf Moeller, Richard Levitte]
|
||
|
||
*) Fix 'openssl passwd -1'.
|
||
[Bodo Moeller]
|
||
|
||
*) Change PKCS12_key_gen_asc() so it can cope with non null
|
||
terminated strings whose length is passed in the passlen
|
||
parameter, for example from PEM callbacks. This was done
|
||
by adding an extra length parameter to asc2uni().
|
||
[Steve Henson, reported by <oddissey@samsung.co.kr>]
|
||
|
||
*) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
|
||
call failed, free the DSA structure.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix to uni2asc() to cope with zero length Unicode strings.
|
||
These are present in some PKCS#12 files.
|
||
[Steve Henson]
|
||
|
||
*) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
|
||
Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
|
||
when writing a 32767 byte record.
|
||
[Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
|
||
|
||
*) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
|
||
obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
|
||
|
||
(RSA objects have a reference count access to which is protected
|
||
by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
|
||
so they are meant to be shared between threads.)
|
||
[Bodo Moeller, Geoff Thorpe; original patch submitted by
|
||
"Reddie, Steven" <Steven.Reddie@ca.com>]
|
||
|
||
*) Fix a deadlock in CRYPTO_mem_leaks().
|
||
[Bodo Moeller]
|
||
|
||
*) Use better test patterns in bntest.
|
||
[Ulf M<>ller]
|
||
|
||
*) rand_win.c fix for Borland C.
|
||
[Ulf M<>ller]
|
||
|
||
*) BN_rshift bugfix for n == 0.
|
||
[Bodo Moeller]
|
||
|
||
*) Add a 'bctest' script that checks for some known 'bc' bugs
|
||
so that 'make test' does not abort just because 'bc' is broken.
|
||
[Bodo Moeller]
|
||
|
||
*) Store verify_result within SSL_SESSION also for client side to
|
||
avoid potential security hole. (Re-used sessions on the client side
|
||
always resulted in verify_result==X509_V_OK, not using the original
|
||
result of the server certificate verification.)
|
||
[Lutz Jaenicke]
|
||
|
||
*) Fix ssl3_pending: If the record in s->s3->rrec is not of type
|
||
SSL3_RT_APPLICATION_DATA, return 0.
|
||
Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix SSL_peek:
|
||
Both ssl2_peek and ssl3_peek, which were totally broken in earlier
|
||
releases, have been re-implemented by renaming the previous
|
||
implementations of ssl2_read and ssl3_read to ssl2_read_internal
|
||
and ssl3_read_internal, respectively, and adding 'peek' parameters
|
||
to them. The new ssl[23]_{read,peek} functions are calls to
|
||
ssl[23]_read_internal with the 'peek' flag set appropriately.
|
||
A 'peek' parameter has also been added to ssl3_read_bytes, which
|
||
does the actual work for ssl3_read_internal.
|
||
[Bodo Moeller]
|
||
|
||
*) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
|
||
the method-specific "init()" handler. Also clean up ex_data after
|
||
calling the method-specific "finish()" handler. Previously, this was
|
||
happening the other way round.
|
||
[Geoff Thorpe]
|
||
|
||
*) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
|
||
The previous value, 12, was not always sufficient for BN_mod_exp().
|
||
[Bodo Moeller]
|
||
|
||
*) Make sure that shared libraries get the internal name engine with
|
||
the full version number and not just 0. This should mark the
|
||
shared libraries as not backward compatible. Of course, this should
|
||
be changed again when we can guarantee backward binary compatibility.
|
||
[Richard Levitte]
|
||
|
||
*) Fix typo in get_cert_by_subject() in by_dir.c
|
||
[Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
|
||
|
||
*) Rework the system to generate shared libraries:
|
||
|
||
- Make note of the expected extension for the shared libraries and
|
||
if there is a need for symbolic links from for example libcrypto.so.0
|
||
to libcrypto.so.0.9.7. There is extended info in Configure for
|
||
that.
|
||
|
||
- Make as few rebuilds of the shared libraries as possible.
|
||
|
||
- Still avoid linking the OpenSSL programs with the shared libraries.
|
||
|
||
- When installing, install the shared libraries separately from the
|
||
static ones.
|
||
[Richard Levitte]
|
||
|
||
*) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
|
||
|
||
Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
|
||
and not in SSL_clear because the latter is also used by the
|
||
accept/connect functions; previously, the settings made by
|
||
SSL_set_read_ahead would be lost during the handshake.
|
||
[Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
|
||
|
||
*) Correct util/mkdef.pl to be selective about disabled algorithms.
|
||
Previously, it would create entries for disableed algorithms no
|
||
matter what.
|
||
[Richard Levitte]
|
||
|
||
*) Added several new manual pages for SSL_* function.
|
||
[Lutz Jaenicke]
|
||
|
||
Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
|
||
|
||
*) In ssl23_get_client_hello, generate an error message when faced
|
||
with an initial SSL 3.0/TLS record that is too small to contain the
|
||
first two bytes of the ClientHello message, i.e. client_version.
|
||
(Note that this is a pathologic case that probably has never happened
|
||
in real life.) The previous approach was to use the version number
|
||
from the record header as a substitute; but our protocol choice
|
||
should not depend on that one because it is not authenticated
|
||
by the Finished messages.
|
||
[Bodo Moeller]
|
||
|
||
*) More robust randomness gathering functions for Windows.
|
||
[Jeffrey Altman <jaltman@columbia.edu>]
|
||
|
||
*) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
|
||
not set then we don't setup the error code for issuer check errors
|
||
to avoid possibly overwriting other errors which the callback does
|
||
handle. If an application does set the flag then we assume it knows
|
||
what it is doing and can handle the new informational codes
|
||
appropriately.
|
||
[Steve Henson]
|
||
|
||
*) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
|
||
a general "ANY" type, as such it should be able to decode anything
|
||
including tagged types. However it didn't check the class so it would
|
||
wrongly interpret tagged types in the same way as their universal
|
||
counterpart and unknown types were just rejected. Changed so that the
|
||
tagged and unknown types are handled in the same way as a SEQUENCE:
|
||
that is the encoding is stored intact. There is also a new type
|
||
"V_ASN1_OTHER" which is used when the class is not universal, in this
|
||
case we have no idea what the actual type is so we just lump them all
|
||
together.
|
||
[Steve Henson]
|
||
|
||
*) On VMS, stdout may very well lead to a file that is written to
|
||
in a record-oriented fashion. That means that every write() will
|
||
write a separate record, which will be read separately by the
|
||
programs trying to read from it. This can be very confusing.
|
||
|
||
The solution is to put a BIO filter in the way that will buffer
|
||
text until a linefeed is reached, and then write everything a
|
||
line at a time, so every record written will be an actual line,
|
||
not chunks of lines and not (usually doesn't happen, but I've
|
||
seen it once) several lines in one record. BIO_f_linebuffer() is
|
||
the answer.
|
||
|
||
Currently, it's a VMS-only method, because that's where it has
|
||
been tested well enough.
|
||
[Richard Levitte]
|
||
|
||
*) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
|
||
it can return incorrect results.
|
||
(Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
|
||
but it was in 0.9.6-beta[12].)
|
||
[Bodo Moeller]
|
||
|
||
*) Disable the check for content being present when verifying detached
|
||
signatures in pk7_smime.c. Some versions of Netscape (wrongly)
|
||
include zero length content when signing messages.
|
||
[Steve Henson]
|
||
|
||
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
|
||
BIO_ctrl (for BIO pairs).
|
||
[Bodo M<>ller]
|
||
|
||
*) Add DSO method for VMS.
|
||
[Richard Levitte]
|
||
|
||
*) Bug fix: Montgomery multiplication could produce results with the
|
||
wrong sign.
|
||
[Ulf M<>ller]
|
||
|
||
*) Add RPM specification openssl.spec and modify it to build three
|
||
packages. The default package contains applications, application
|
||
documentation and run-time libraries. The devel package contains
|
||
include files, static libraries and function documentation. The
|
||
doc package contains the contents of the doc directory. The original
|
||
openssl.spec was provided by Damien Miller <djm@mindrot.org>.
|
||
[Richard Levitte]
|
||
|
||
*) Add a large number of documentation files for many SSL routines.
|
||
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
|
||
|
||
*) Add a configuration entry for Sony News 4.
|
||
[NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
|
||
|
||
*) Don't set the two most significant bits to one when generating a
|
||
random number < q in the DSA library.
|
||
[Ulf M<>ller]
|
||
|
||
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
|
||
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
|
||
the underlying transport is blocking) if a handshake took place.
|
||
(The default behaviour is needed by applications such as s_client
|
||
and s_server that use select() to determine when to use SSL_read;
|
||
but for applications that know in advance when to expect data, it
|
||
just makes things more complicated.)
|
||
[Bodo Moeller]
|
||
|
||
*) Add RAND_egd_bytes(), which gives control over the number of bytes read
|
||
from EGD.
|
||
[Ben Laurie]
|
||
|
||
*) Add a few more EBCDIC conditionals that make `req' and `x509'
|
||
work better on such systems.
|
||
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
|
||
|
||
*) Add two demo programs for PKCS12_parse() and PKCS12_create().
|
||
Update PKCS12_parse() so it copies the friendlyName and the
|
||
keyid to the certificates aux info.
|
||
[Steve Henson]
|
||
|
||
*) Fix bug in PKCS7_verify() which caused an infinite loop
|
||
if there was more than one signature.
|
||
[Sven Uszpelkat <su@celocom.de>]
|
||
|
||
*) Major change in util/mkdef.pl to include extra information
|
||
about each symbol, as well as presentig variables as well
|
||
as functions. This change means that there's n more need
|
||
to rebuild the .num files when some algorithms are excluded.
|
||
[Richard Levitte]
|
||
|
||
*) Allow the verify time to be set by an application,
|
||
rather than always using the current time.
|
||
[Steve Henson]
|
||
|
||
*) Phase 2 verify code reorganisation. The certificate
|
||
verify code now looks up an issuer certificate by a
|
||
number of criteria: subject name, authority key id
|
||
and key usage. It also verifies self signed certificates
|
||
by the same criteria. The main comparison function is
|
||
X509_check_issued() which performs these checks.
|
||
|
||
Lot of changes were necessary in order to support this
|
||
without completely rewriting the lookup code.
|
||
|
||
Authority and subject key identifier are now cached.
|
||
|
||
The LHASH 'certs' is X509_STORE has now been replaced
|
||
by a STACK_OF(X509_OBJECT). This is mainly because an
|
||
LHASH can't store or retrieve multiple objects with
|
||
the same hash value.
|
||
|
||
As a result various functions (which were all internal
|
||
use only) have changed to handle the new X509_STORE
|
||
structure. This will break anything that messed round
|
||
with X509_STORE internally.
|
||
|
||
The functions X509_STORE_add_cert() now checks for an
|
||
exact match, rather than just subject name.
|
||
|
||
The X509_STORE API doesn't directly support the retrieval
|
||
of multiple certificates matching a given criteria, however
|
||
this can be worked round by performing a lookup first
|
||
(which will fill the cache with candidate certificates)
|
||
and then examining the cache for matches. This is probably
|
||
the best we can do without throwing out X509_LOOKUP
|
||
entirely (maybe later...).
|
||
|
||
The X509_VERIFY_CTX structure has been enhanced considerably.
|
||
|
||
All certificate lookup operations now go via a get_issuer()
|
||
callback. Although this currently uses an X509_STORE it
|
||
can be replaced by custom lookups. This is a simple way
|
||
to bypass the X509_STORE hackery necessary to make this
|
||
work and makes it possible to use more efficient techniques
|
||
in future. A very simple version which uses a simple
|
||
STACK for its trusted certificate store is also provided
|
||
using X509_STORE_CTX_trusted_stack().
|
||
|
||
The verify_cb() and verify() callbacks now have equivalents
|
||
in the X509_STORE_CTX structure.
|
||
|
||
X509_STORE_CTX also has a 'flags' field which can be used
|
||
to customise the verify behaviour.
|
||
[Steve Henson]
|
||
|
||
*) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
|
||
excludes S/MIME capabilities.
|
||
[Steve Henson]
|
||
|
||
*) When a certificate request is read in keep a copy of the
|
||
original encoding of the signed data and use it when outputing
|
||
again. Signatures then use the original encoding rather than
|
||
a decoded, encoded version which may cause problems if the
|
||
request is improperly encoded.
|
||
[Steve Henson]
|
||
|
||
*) For consistency with other BIO_puts implementations, call
|
||
buffer_write(b, ...) directly in buffer_puts instead of calling
|
||
BIO_write(b, ...).
|
||
|
||
In BIO_puts, increment b->num_write as in BIO_write.
|
||
[Peter.Sylvester@EdelWeb.fr]
|
||
|
||
*) Fix BN_mul_word for the case where the word is 0. (We have to use
|
||
BN_zero, we may not return a BIGNUM with an array consisting of
|
||
words set to zero.)
|
||
[Bodo Moeller]
|
||
|
||
*) Avoid calling abort() from within the library when problems are
|
||
detected, except if preprocessor symbols have been defined
|
||
(such as REF_CHECK, BN_DEBUG etc.).
|
||
[Bodo Moeller]
|
||
|
||
*) New openssl application 'rsautl'. This utility can be
|
||
used for low level RSA operations. DER public key
|
||
BIO/fp routines also added.
|
||
[Steve Henson]
|
||
|
||
*) New Configure entry and patches for compiling on QNX 4.
|
||
[Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
|
||
|
||
*) A demo state-machine implementation was sponsored by
|
||
Nuron (http://www.nuron.com/) and is now available in
|
||
demos/state_machine.
|
||
[Ben Laurie]
|
||
|
||
*) New options added to the 'dgst' utility for signature
|
||
generation and verification.
|
||
[Steve Henson]
|
||
|
||
*) Unrecognized PKCS#7 content types are now handled via a
|
||
catch all ASN1_TYPE structure. This allows unsupported
|
||
types to be stored as a "blob" and an application can
|
||
encode and decode it manually.
|
||
[Steve Henson]
|
||
|
||
*) Fix various signed/unsigned issues to make a_strex.c
|
||
compile under VC++.
|
||
[Oscar Jacobsson <oscar.jacobsson@celocom.com>]
|
||
|
||
*) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
|
||
length if passed a buffer. ASN1_INTEGER_to_BN failed
|
||
if passed a NULL BN and its argument was negative.
|
||
[Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
|
||
|
||
*) Modification to PKCS#7 encoding routines to output definite
|
||
length encoding. Since currently the whole structures are in
|
||
memory there's not real point in using indefinite length
|
||
constructed encoding. However if OpenSSL is compiled with
|
||
the flag PKCS7_INDEFINITE_ENCODING the old form is used.
|
||
[Steve Henson]
|
||
|
||
*) Added BIO_vprintf() and BIO_vsnprintf().
|
||
[Richard Levitte]
|
||
|
||
*) Added more prefixes to parse for in the the strings written
|
||
through a logging bio, to cover all the levels that are available
|
||
through syslog. The prefixes are now:
|
||
|
||
PANIC, EMERG, EMR => LOG_EMERG
|
||
ALERT, ALR => LOG_ALERT
|
||
CRIT, CRI => LOG_CRIT
|
||
ERROR, ERR => LOG_ERR
|
||
WARNING, WARN, WAR => LOG_WARNING
|
||
NOTICE, NOTE, NOT => LOG_NOTICE
|
||
INFO, INF => LOG_INFO
|
||
DEBUG, DBG => LOG_DEBUG
|
||
|
||
and as before, if none of those prefixes are present at the
|
||
beginning of the string, LOG_ERR is chosen.
|
||
|
||
On Win32, the LOG_* levels are mapped according to this:
|
||
|
||
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
|
||
LOG_WARNING => EVENTLOG_WARNING_TYPE
|
||
LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
|
||
|
||
[Richard Levitte]
|
||
|
||
*) Made it possible to reconfigure with just the configuration
|
||
argument "reconf" or "reconfigure". The command line arguments
|
||
are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
|
||
and are retrieved from there when reconfiguring.
|
||
[Richard Levitte]
|
||
|
||
*) MD4 implemented.
|
||
[Assar Westerlund <assar@sics.se>, Richard Levitte]
|
||
|
||
*) Add the arguments -CAfile and -CApath to the pkcs12 utility.
|
||
[Richard Levitte]
|
||
|
||
*) The obj_dat.pl script was messing up the sorting of object
|
||
names. The reason was that it compared the quoted version
|
||
of strings as a result "OCSP" > "OCSP Signing" because
|
||
" > SPACE. Changed script to store unquoted versions of
|
||
names and add quotes on output. It was also omitting some
|
||
names from the lookup table if they were given a default
|
||
value (that is if SN is missing it is given the same
|
||
value as LN and vice versa), these are now added on the
|
||
grounds that if an object has a name we should be able to
|
||
look it up. Finally added warning output when duplicate
|
||
short or long names are found.
|
||
[Steve Henson]
|
||
|
||
*) Changes needed for Tandem NSK.
|
||
[Scott Uroff <scott@xypro.com>]
|
||
|
||
*) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
|
||
RSA_padding_check_SSLv23(), special padding was never detected
|
||
and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
|
||
version rollback attacks was not effective.
|
||
|
||
In s23_clnt.c, don't use special rollback-attack detection padding
|
||
(RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
|
||
client; similarly, in s23_srvr.c, don't do the rollback check if
|
||
SSL 2.0 is the only protocol enabled in the server.
|
||
[Bodo Moeller]
|
||
|
||
*) Make it possible to get hexdumps of unprintable data with 'openssl
|
||
asn1parse'. By implication, the functions ASN1_parse_dump() and
|
||
BIO_dump_indent() are added.
|
||
[Richard Levitte]
|
||
|
||
*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
|
||
these print out strings and name structures based on various
|
||
flags including RFC2253 support and proper handling of
|
||
multibyte characters. Added options to the 'x509' utility
|
||
to allow the various flags to be set.
|
||
[Steve Henson]
|
||
|
||
*) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
|
||
Also change the functions X509_cmp_current_time() and
|
||
X509_gmtime_adj() work with an ASN1_TIME structure,
|
||
this will enable certificates using GeneralizedTime in validity
|
||
dates to be checked.
|
||
[Steve Henson]
|
||
|
||
*) Make the NEG_PUBKEY_BUG code (which tolerates invalid
|
||
negative public key encodings) on by default,
|
||
NO_NEG_PUBKEY_BUG can be set to disable it.
|
||
[Steve Henson]
|
||
|
||
*) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
|
||
content octets. An i2c_ASN1_OBJECT is unnecessary because
|
||
the encoding can be trivially obtained from the structure.
|
||
[Steve Henson]
|
||
|
||
*) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
|
||
not read locks (CRYPTO_r_[un]lock).
|
||
[Bodo Moeller]
|
||
|
||
*) A first attempt at creating official support for shared
|
||
libraries through configuration. I've kept it so the
|
||
default is static libraries only, and the OpenSSL programs
|
||
are always statically linked for now, but there are
|
||
preparations for dynamic linking in place.
|
||
This has been tested on Linux and Tru64.
|
||
[Richard Levitte]
|
||
|
||
*) Randomness polling function for Win9x, as described in:
|
||
Peter Gutmann, Software Generation of Practically Strong
|
||
Random Numbers.
|
||
[Ulf M<>ller]
|
||
|
||
*) Fix so PRNG is seeded in req if using an already existing
|
||
DSA key.
|
||
[Steve Henson]
|
||
|
||
*) New options to smime application. -inform and -outform
|
||
allow alternative formats for the S/MIME message including
|
||
PEM and DER. The -content option allows the content to be
|
||
specified separately. This should allow things like Netscape
|
||
form signing output easier to verify.
|
||
[Steve Henson]
|
||
|
||
*) Fix the ASN1 encoding of tags using the 'long form'.
|
||
[Steve Henson]
|
||
|
||
*) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
|
||
STRING types. These convert content octets to and from the
|
||
underlying type. The actual tag and length octets are
|
||
already assumed to have been read in and checked. These
|
||
are needed because all other string types have virtually
|
||
identical handling apart from the tag. By having versions
|
||
of the ASN1 functions that just operate on content octets
|
||
IMPLICIT tagging can be handled properly. It also allows
|
||
the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
|
||
and ASN1_INTEGER are identical apart from the tag.
|
||
[Steve Henson]
|
||
|
||
*) Change the handling of OID objects as follows:
|
||
|
||
- New object identifiers are inserted in objects.txt, following
|
||
the syntax given in objects.README.
|
||
- objects.pl is used to process obj_mac.num and create a new
|
||
obj_mac.h.
|
||
- obj_dat.pl is used to create a new obj_dat.h, using the data in
|
||
obj_mac.h.
|
||
|
||
This is currently kind of a hack, and the perl code in objects.pl
|
||
isn't very elegant, but it works as I intended. The simplest way
|
||
to check that it worked correctly is to look in obj_dat.h and
|
||
check the array nid_objs and make sure the objects haven't moved
|
||
around (this is important!). Additions are OK, as well as
|
||
consistent name changes.
|
||
[Richard Levitte]
|
||
|
||
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
|
||
[Bodo Moeller]
|
||
|
||
*) Addition of the command line parameter '-rand file' to 'openssl req'.
|
||
The given file adds to whatever has already been seeded into the
|
||
random pool through the RANDFILE configuration file option or
|
||
environment variable, or the default random state file.
|
||
[Richard Levitte]
|
||
|
||
*) mkstack.pl now sorts each macro group into lexical order.
|
||
Previously the output order depended on the order the files
|
||
appeared in the directory, resulting in needless rewriting
|
||
of safestack.h .
|
||
[Steve Henson]
|
||
|
||
*) Patches to make OpenSSL compile under Win32 again. Mostly
|
||
work arounds for the VC++ problem that it treats func() as
|
||
func(void). Also stripped out the parts of mkdef.pl that
|
||
added extra typesafe functions: these no longer exist.
|
||
[Steve Henson]
|
||
|
||
*) Reorganisation of the stack code. The macros are now all
|
||
collected in safestack.h . Each macro is defined in terms of
|
||
a "stack macro" of the form SKM_<name>(type, a, b). The
|
||
DEBUG_SAFESTACK is now handled in terms of function casts,
|
||
this has the advantage of retaining type safety without the
|
||
use of additional functions. If DEBUG_SAFESTACK is not defined
|
||
then the non typesafe macros are used instead. Also modified the
|
||
mkstack.pl script to handle the new form. Needs testing to see
|
||
if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
|
||
the default if no major problems. Similar behaviour for ASN1_SET_OF
|
||
and PKCS12_STACK_OF.
|
||
[Steve Henson]
|
||
|
||
*) When some versions of IIS use the 'NET' form of private key the
|
||
key derivation algorithm is different. Normally MD5(password) is
|
||
used as a 128 bit RC4 key. In the modified case
|
||
MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some
|
||
new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
|
||
as the old Netscape_RSA functions except they have an additional
|
||
'sgckey' parameter which uses the modified algorithm. Also added
|
||
an -sgckey command line option to the rsa utility. Thanks to
|
||
Adrian Peck <bertie@ncipher.com> for posting details of the modified
|
||
algorithm to openssl-dev.
|
||
[Steve Henson]
|
||
|
||
*) The evp_local.h macros were using 'c.##kname' which resulted in
|
||
invalid expansion on some systems (SCO 5.0.5 for example).
|
||
Corrected to 'c.kname'.
|
||
[Phillip Porch <root@theporch.com>]
|
||
|
||
*) New X509_get1_email() and X509_REQ_get1_email() functions that return
|
||
a STACK of email addresses from a certificate or request, these look
|
||
in the subject name and the subject alternative name extensions and
|
||
omit any duplicate addresses.
|
||
[Steve Henson]
|
||
|
||
*) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
|
||
This makes DSA verification about 2 % faster.
|
||
[Bodo Moeller]
|
||
|
||
*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
|
||
(meaning that now 2^5 values will be precomputed, which is only 4 KB
|
||
plus overhead for 1024 bit moduli).
|
||
This makes exponentiations about 0.5 % faster for 1024 bit
|
||
exponents (as measured by "openssl speed rsa2048").
|
||
[Bodo Moeller]
|
||
|
||
*) Rename memory handling macros to avoid conflicts with other
|
||
software:
|
||
Malloc => OPENSSL_malloc
|
||
Malloc_locked => OPENSSL_malloc_locked
|
||
Realloc => OPENSSL_realloc
|
||
Free => OPENSSL_free
|
||
[Richard Levitte]
|
||
|
||
*) New function BN_mod_exp_mont_word for small bases (roughly 15%
|
||
faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
|
||
[Bodo Moeller]
|
||
|
||
*) CygWin32 support.
|
||
[John Jarvie <jjarvie@newsguy.com>]
|
||
|
||
*) The type-safe stack code has been rejigged. It is now only compiled
|
||
in when OpenSSL is configured with the DEBUG_SAFESTACK option and
|
||
by default all type-specific stack functions are "#define"d back to
|
||
standard stack functions. This results in more streamlined output
|
||
but retains the type-safety checking possibilities of the original
|
||
approach.
|
||
[Geoff Thorpe]
|
||
|
||
*) The STACK code has been cleaned up, and certain type declarations
|
||
that didn't make a lot of sense have been brought in line. This has
|
||
also involved a cleanup of sorts in safestack.h to more correctly
|
||
map type-safe stack functions onto their plain stack counterparts.
|
||
This work has also resulted in a variety of "const"ifications of
|
||
lots of the code, especially "_cmp" operations which should normally
|
||
be prototyped with "const" parameters anyway.
|
||
[Geoff Thorpe]
|
||
|
||
*) When generating bytes for the first time in md_rand.c, 'stir the pool'
|
||
by seeding with STATE_SIZE dummy bytes (with zero entropy count).
|
||
(The PRNG state consists of two parts, the large pool 'state' and 'md',
|
||
where all of 'md' is used each time the PRNG is used, but 'state'
|
||
is used only indexed by a cyclic counter. As entropy may not be
|
||
well distributed from the beginning, 'md' is important as a
|
||
chaining variable. However, the output function chains only half
|
||
of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
|
||
all of 'md', and seeding with STATE_SIZE dummy bytes will result
|
||
in all of 'state' being rewritten, with the new values depending
|
||
on virtually all of 'md'. This overcomes the 80 bit limitation.)
|
||
[Bodo Moeller]
|
||
|
||
*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
|
||
the handshake is continued after ssl_verify_cert_chain();
|
||
otherwise, if SSL_VERIFY_NONE is set, remaining error codes
|
||
can lead to 'unexplainable' connection aborts later.
|
||
[Bodo Moeller; problem tracked down by Lutz Jaenicke]
|
||
|
||
*) Major EVP API cipher revision.
|
||
Add hooks for extra EVP features. This allows various cipher
|
||
parameters to be set in the EVP interface. Support added for variable
|
||
key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
|
||
setting of RC2 and RC5 parameters.
|
||
|
||
Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
|
||
ciphers.
|
||
|
||
Remove lots of duplicated code from the EVP library. For example *every*
|
||
cipher init() function handles the 'iv' in the same way according to the
|
||
cipher mode. They also all do nothing if the 'key' parameter is NULL and
|
||
for CFB and OFB modes they zero ctx->num.
|
||
|
||
New functionality allows removal of S/MIME code RC2 hack.
|
||
|
||
Most of the routines have the same form and so can be declared in terms
|
||
of macros.
|
||
|
||
By shifting this to the top level EVP_CipherInit() it can be removed from
|
||
all individual ciphers. If the cipher wants to handle IVs or keys
|
||
differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
|
||
flags.
|
||
|
||
Change lots of functions like EVP_EncryptUpdate() to now return a
|
||
value: although software versions of the algorithms cannot fail
|
||
any installed hardware versions can.
|
||
[Steve Henson]
|
||
|
||
*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
|
||
this option is set, tolerate broken clients that send the negotiated
|
||
protocol version number instead of the requested protocol version
|
||
number.
|
||
[Bodo Moeller]
|
||
|
||
*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
|
||
i.e. non-zero for export ciphersuites, zero otherwise.
|
||
Previous versions had this flag inverted, inconsistent with
|
||
rsa_tmp_cb (..._TMP_RSA_CB).
|
||
[Bodo Moeller; problem reported by Amit Chopra]
|
||
|
||
*) Add missing DSA library text string. Work around for some IIS
|
||
key files with invalid SEQUENCE encoding.
|
||
[Steve Henson]
|
||
|
||
*) Add a document (doc/standards.txt) that list all kinds of standards
|
||
and so on that are implemented in OpenSSL.
|
||
[Richard Levitte]
|
||
|
||
*) Enhance c_rehash script. Old version would mishandle certificates
|
||
with the same subject name hash and wouldn't handle CRLs at all.
|
||
Added -fingerprint option to crl utility, to support new c_rehash
|
||
features.
|
||
[Steve Henson]
|
||
|
||
*) Eliminate non-ANSI declarations in crypto.h and stack.h.
|
||
[Ulf M<>ller]
|
||
|
||
*) Fix for SSL server purpose checking. Server checking was
|
||
rejecting certificates which had extended key usage present
|
||
but no ssl client purpose.
|
||
[Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
|
||
|
||
*) Make PKCS#12 code work with no password. The PKCS#12 spec
|
||
is a little unclear about how a blank password is handled.
|
||
Since the password in encoded as a BMPString with terminating
|
||
double NULL a zero length password would end up as just the
|
||
double NULL. However no password at all is different and is
|
||
handled differently in the PKCS#12 key generation code. NS
|
||
treats a blank password as zero length. MSIE treats it as no
|
||
password on export: but it will try both on import. We now do
|
||
the same: PKCS12_parse() tries zero length and no password if
|
||
the password is set to "" or NULL (NULL is now a valid password:
|
||
it wasn't before) as does the pkcs12 application.
|
||
[Steve Henson]
|
||
|
||
*) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
|
||
perror when PEM_read_bio_X509_REQ fails, the error message must
|
||
be obtained from the error queue.
|
||
[Bodo Moeller]
|
||
|
||
*) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
|
||
it in ERR_remove_state if appropriate, and change ERR_get_state
|
||
accordingly to avoid race conditions (this is necessary because
|
||
thread_hash is no longer constant once set).
|
||
[Bodo Moeller]
|
||
|
||
*) Bugfix for linux-elf makefile.one.
|
||
[Ulf M<>ller]
|
||
|
||
*) RSA_get_default_method() will now cause a default
|
||
RSA_METHOD to be chosen if one doesn't exist already.
|
||
Previously this was only set during a call to RSA_new()
|
||
or RSA_new_method(NULL) meaning it was possible for
|
||
RSA_get_default_method() to return NULL.
|
||
[Geoff Thorpe]
|
||
|
||
*) Added native name translation to the existing DSO code
|
||
that will convert (if the flag to do so is set) filenames
|
||
that are sufficiently small and have no path information
|
||
into a canonical native form. Eg. "blah" converted to
|
||
"libblah.so" or "blah.dll" etc.
|
||
[Geoff Thorpe]
|
||
|
||
*) New function ERR_error_string_n(e, buf, len) which is like
|
||
ERR_error_string(e, buf), but writes at most 'len' bytes
|
||
including the 0 terminator. For ERR_error_string_n, 'buf'
|
||
may not be NULL.
|
||
[Damien Miller <djm@mindrot.org>, Bodo Moeller]
|
||
|
||
*) CONF library reworked to become more general. A new CONF
|
||
configuration file reader "class" is implemented as well as a
|
||
new functions (NCONF_*, for "New CONF") to handle it. The now
|
||
old CONF_* functions are still there, but are reimplemented to
|
||
work in terms of the new functions. Also, a set of functions
|
||
to handle the internal storage of the configuration data is
|
||
provided to make it easier to write new configuration file
|
||
reader "classes" (I can definitely see something reading a
|
||
configuration file in XML format, for example), called _CONF_*,
|
||
or "the configuration storage API"...
|
||
|
||
The new configuration file reading functions are:
|
||
|
||
NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
|
||
NCONF_get_section, NCONF_get_string, NCONF_get_numbre
|
||
|
||
NCONF_default, NCONF_WIN32
|
||
|
||
NCONF_dump_fp, NCONF_dump_bio
|
||
|
||
NCONF_default and NCONF_WIN32 are method (or "class") choosers,
|
||
NCONF_new creates a new CONF object. This works in the same way
|
||
as other interfaces in OpenSSL, like the BIO interface.
|
||
NCONF_dump_* dump the internal storage of the configuration file,
|
||
which is useful for debugging. All other functions take the same
|
||
arguments as the old CONF_* functions wth the exception of the
|
||
first that must be a `CONF *' instead of a `LHASH *'.
|
||
|
||
To make it easer to use the new classes with the old CONF_* functions,
|
||
the function CONF_set_default_method is provided.
|
||
[Richard Levitte]
|
||
|
||
*) Add '-tls1' option to 'openssl ciphers', which was already
|
||
mentioned in the documentation but had not been implemented.
|
||
(This option is not yet really useful because even the additional
|
||
experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
|
||
[Bodo Moeller]
|
||
|
||
*) Initial DSO code added into libcrypto for letting OpenSSL (and
|
||
OpenSSL-based applications) load shared libraries and bind to
|
||
them in a portable way.
|
||
[Geoff Thorpe, with contributions from Richard Levitte]
|
||
|
||
Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
|
||
|
||
*) Make sure _lrotl and _lrotr are only used with MSVC.
|
||
|
||
*) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
|
||
(the default implementation of RAND_status).
|
||
|
||
*) Rename openssl x509 option '-crlext', which was added in 0.9.5,
|
||
to '-clrext' (= clear extensions), as intended and documented.
|
||
[Bodo Moeller; inconsistency pointed out by Michael Attili
|
||
<attili@amaxo.com>]
|
||
|
||
*) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
|
||
was larger than the MD block size.
|
||
[Steve Henson, pointed out by Yost William <YostW@tce.com>]
|
||
|
||
*) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
|
||
fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
|
||
using the passed key: if the passed key was a private key the result
|
||
of X509_print(), for example, would be to print out all the private key
|
||
components.
|
||
[Steve Henson]
|
||
|
||
*) des_quad_cksum() byte order bug fix.
|
||
[Ulf M<>ller, using the problem description in krb4-0.9.7, where
|
||
the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
|
||
|
||
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
|
||
discouraged.
|
||
[Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]
|
||
|
||
*) For easily testing in shell scripts whether some command
|
||
'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
|
||
returns with exit code 0 iff no command of the given name is available.
|
||
'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
|
||
the output goes to stdout and nothing is printed to stderr.
|
||
Additional arguments are always ignored.
|
||
|
||
Since for each cipher there is a command of the same name,
|
||
the 'no-cipher' compilation switches can be tested this way.
|
||
|
||
('openssl no-XXX' is not able to detect pseudo-commands such
|
||
as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
|
||
[Bodo Moeller]
|
||
|
||
*) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
|
||
[Bodo Moeller]
|
||
|
||
*) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
|
||
is set; it will be thrown away anyway because each handshake creates
|
||
its own key.
|
||
ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
|
||
to parameters -- in previous versions (since OpenSSL 0.9.3) the
|
||
'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
|
||
you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
|
||
[Bodo Moeller]
|
||
|
||
*) New s_client option -ign_eof: EOF at stdin is ignored, and
|
||
'Q' and 'R' lose their special meanings (quit/renegotiate).
|
||
This is part of what -quiet does; unlike -quiet, -ign_eof
|
||
does not suppress any output.
|
||
[Richard Levitte]
|
||
|
||
*) Add compatibility options to the purpose and trust code. The
|
||
purpose X509_PURPOSE_ANY is "any purpose" which automatically
|
||
accepts a certificate or CA, this was the previous behaviour,
|
||
with all the associated security issues.
|
||
|
||
X509_TRUST_COMPAT is the old trust behaviour: only and
|
||
automatically trust self signed roots in certificate store. A
|
||
new trust setting X509_TRUST_DEFAULT is used to specify that
|
||
a purpose has no associated trust setting and it should instead
|
||
use the value in the default purpose.
|
||
[Steve Henson]
|
||
|
||
*) Fix the PKCS#8 DSA private key code so it decodes keys again
|
||
and fix a memory leak.
|
||
[Steve Henson]
|
||
|
||
*) In util/mkerr.pl (which implements 'make errors'), preserve
|
||
reason strings from the previous version of the .c file, as
|
||
the default to have only downcase letters (and digits) in
|
||
automatically generated reasons codes is not always appropriate.
|
||
[Bodo Moeller]
|
||
|
||
*) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
|
||
using strerror. Previously, ERR_reason_error_string() returned
|
||
library names as reason strings for SYSerr; but SYSerr is a special
|
||
case where small numbers are errno values, not library numbers.
|
||
[Bodo Moeller]
|
||
|
||
*) Add '-dsaparam' option to 'openssl dhparam' application. This
|
||
converts DSA parameters into DH parameters. (When creating parameters,
|
||
DSA_generate_parameters is used.)
|
||
[Bodo Moeller]
|
||
|
||
*) Include 'length' (recommended exponent length) in C code generated
|
||
by 'openssl dhparam -C'.
|
||
[Bodo Moeller]
|
||
|
||
*) The second argument to set_label in perlasm was already being used
|
||
so couldn't be used as a "file scope" flag. Moved to third argument
|
||
which was free.
|
||
[Steve Henson]
|
||
|
||
*) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
|
||
instead of RAND_bytes for encryption IVs and salts.
|
||
[Bodo Moeller]
|
||
|
||
*) Include RAND_status() into RAND_METHOD instead of implementing
|
||
it only for md_rand.c Otherwise replacing the PRNG by calling
|
||
RAND_set_rand_method would be impossible.
|
||
[Bodo Moeller]
|
||
|
||
*) Don't let DSA_generate_key() enter an infinite loop if the random
|
||
number generation fails.
|
||
[Bodo Moeller]
|
||
|
||
*) New 'rand' application for creating pseudo-random output.
|
||
[Bodo Moeller]
|
||
|
||
*) Added configuration support for Linux/IA64
|
||
[Rolf Haberrecker <rolf@suse.de>]
|
||
|
||
*) Assembler module support for Mingw32.
|
||
[Ulf M<>ller]
|
||
|
||
*) Shared library support for HPUX (in shlib/).
|
||
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
|
||
|
||
*) Shared library support for Solaris gcc.
|
||
[Lutz Behnke <behnke@trustcenter.de>]
|
||
|
||
Changes between 0.9.4 and 0.9.5 [28 Feb 2000]
|
||
|
||
*) PKCS7_encrypt() was adding text MIME headers twice because they
|
||
were added manually and by SMIME_crlf_copy().
|
||
[Steve Henson]
|
||
|
||
*) In bntest.c don't call BN_rand with zero bits argument.
|
||
[Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]
|
||
|
||
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
|
||
case was implemented. This caused BN_div_recp() to fail occasionally.
|
||
[Ulf M<>ller]
|
||
|
||
*) Add an optional second argument to the set_label() in the perl
|
||
assembly language builder. If this argument exists and is set
|
||
to 1 it signals that the assembler should use a symbol whose
|
||
scope is the entire file, not just the current function. This
|
||
is needed with MASM which uses the format label:: for this scope.
|
||
[Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
|
||
|
||
*) Change the ASN1 types so they are typedefs by default. Before
|
||
almost all types were #define'd to ASN1_STRING which was causing
|
||
STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
|
||
for example.
|
||
[Steve Henson]
|
||
|
||
*) Change names of new functions to the new get1/get0 naming
|
||
convention: After 'get1', the caller owns a reference count
|
||
and has to call ..._free; 'get0' returns a pointer to some
|
||
data structure without incrementing reference counters.
|
||
(Some of the existing 'get' functions increment a reference
|
||
counter, some don't.)
|
||
Similarly, 'set1' and 'add1' functions increase reference
|
||
counters or duplicate objects.
|
||
[Steve Henson]
|
||
|
||
*) Allow for the possibility of temp RSA key generation failure:
|
||
the code used to assume it always worked and crashed on failure.
|
||
[Steve Henson]
|
||
|
||
*) Fix potential buffer overrun problem in BIO_printf().
|
||
[Ulf M<>ller, using public domain code by Patrick Powell; problem
|
||
pointed out by David Sacerdote <das33@cornell.edu>]
|
||
|
||
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
|
||
RAND_egd() and RAND_status(). In the command line application,
|
||
the EGD socket can be specified like a seed file using RANDFILE
|
||
or -rand.
|
||
[Ulf M<>ller]
|
||
|
||
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
|
||
Some CAs (e.g. Verisign) distribute certificates in this form.
|
||
[Steve Henson]
|
||
|
||
*) Remove the SSL_ALLOW_ADH compile option and set the default cipher
|
||
list to exclude them. This means that no special compilation option
|
||
is needed to use anonymous DH: it just needs to be included in the
|
||
cipher list.
|
||
[Steve Henson]
|
||
|
||
*) Change the EVP_MD_CTX_type macro so its meaning consistent with
|
||
EVP_MD_type. The old functionality is available in a new macro called
|
||
EVP_MD_md(). Change code that uses it and update docs.
|
||
[Steve Henson]
|
||
|
||
*) ..._ctrl functions now have corresponding ..._callback_ctrl functions
|
||
where the 'void *' argument is replaced by a function pointer argument.
|
||
Previously 'void *' was abused to point to functions, which works on
|
||
many platforms, but is not correct. As these functions are usually
|
||
called by macros defined in OpenSSL header files, most source code
|
||
should work without changes.
|
||
[Richard Levitte]
|
||
|
||
*) <openssl/opensslconf.h> (which is created by Configure) now contains
|
||
sections with information on -D... compiler switches used for
|
||
compiling the library so that applications can see them. To enable
|
||
one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
|
||
must be defined. E.g.,
|
||
#define OPENSSL_ALGORITHM_DEFINES
|
||
#include <openssl/opensslconf.h>
|
||
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
|
||
[Richard Levitte, Ulf and Bodo M<>ller]
|
||
|
||
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
|
||
record layer.
|
||
[Bodo Moeller]
|
||
|
||
*) Change the 'other' type in certificate aux info to a STACK_OF
|
||
X509_ALGOR. Although not an AlgorithmIdentifier as such it has
|
||
the required ASN1 format: arbitrary types determined by an OID.
|
||
[Steve Henson]
|
||
|
||
*) Add some PEM_write_X509_REQ_NEW() functions and a command line
|
||
argument to 'req'. This is not because the function is newer or
|
||
better than others it just uses the work 'NEW' in the certificate
|
||
request header lines. Some software needs this.
|
||
[Steve Henson]
|
||
|
||
*) Reorganise password command line arguments: now passwords can be
|
||
obtained from various sources. Delete the PEM_cb function and make
|
||
it the default behaviour: i.e. if the callback is NULL and the
|
||
usrdata argument is not NULL interpret it as a null terminated pass
|
||
phrase. If usrdata and the callback are NULL then the pass phrase
|
||
is prompted for as usual.
|
||
[Steve Henson]
|
||
|
||
*) Add support for the Compaq Atalla crypto accelerator. If it is installed,
|
||
the support is automatically enabled. The resulting binaries will
|
||
autodetect the card and use it if present.
|
||
[Ben Laurie and Compaq Inc.]
|
||
|
||
*) Work around for Netscape hang bug. This sends certificate request
|
||
and server done in one record. Since this is perfectly legal in the
|
||
SSL/TLS protocol it isn't a "bug" option and is on by default. See
|
||
the bugs/SSLv3 entry for more info.
|
||
[Steve Henson]
|
||
|
||
*) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
|
||
[Andy Polyakov]
|
||
|
||
*) Add -rand argument to smime and pkcs12 applications and read/write
|
||
of seed file.
|
||
[Steve Henson]
|
||
|
||
*) New 'passwd' tool for crypt(3) and apr1 password hashes.
|
||
[Bodo Moeller]
|
||
|
||
*) Add command line password options to the remaining applications.
|
||
[Steve Henson]
|
||
|
||
*) Bug fix for BN_div_recp() for numerators with an even number of
|
||
bits.
|
||
[Ulf M<>ller]
|
||
|
||
*) More tests in bntest.c, and changed test_bn output.
|
||
[Ulf M<>ller]
|
||
|
||
*) ./config recognizes MacOS X now.
|
||
[Andy Polyakov]
|
||
|
||
*) Bug fix for BN_div() when the first words of num and divsor are
|
||
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
|
||
[Ulf M<>ller]
|
||
|
||
*) Add support for various broken PKCS#8 formats, and command line
|
||
options to produce them.
|
||
[Steve Henson]
|
||
|
||
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
|
||
get temporary BIGNUMs from a BN_CTX.
|
||
[Ulf M<>ller]
|
||
|
||
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
|
||
for p == 0.
|
||
[Ulf M<>ller]
|
||
|
||
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
|
||
include a #define from the old name to the new. The original intent
|
||
was that statically linked binaries could for example just call
|
||
SSLeay_add_all_ciphers() to just add ciphers to the table and not
|
||
link with digests. This never worked becayse SSLeay_add_all_digests()
|
||
and SSLeay_add_all_ciphers() were in the same source file so calling
|
||
one would link with the other. They are now in separate source files.
|
||
[Steve Henson]
|
||
|
||
*) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
|
||
[Steve Henson]
|
||
|
||
*) Use a less unusual form of the Miller-Rabin primality test (it used
|
||
a binary algorithm for exponentiation integrated into the Miller-Rabin
|
||
loop, our standard modexp algorithms are faster).
|
||
[Bodo Moeller]
|
||
|
||
*) Support for the EBCDIC character set completed.
|
||
[Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]
|
||
|
||
*) Source code cleanups: use const where appropriate, eliminate casts,
|
||
use void * instead of char * in lhash.
|
||
[Ulf M<>ller]
|
||
|
||
*) Bugfix: ssl3_send_server_key_exchange was not restartable
|
||
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
|
||
this the server could overwrite ephemeral keys that the client
|
||
has already seen).
|
||
[Bodo Moeller]
|
||
|
||
*) Turn DSA_is_prime into a macro that calls BN_is_prime,
|
||
using 50 iterations of the Rabin-Miller test.
|
||
|
||
DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
|
||
iterations of the Rabin-Miller test as required by the appendix
|
||
to FIPS PUB 186[-1]) instead of DSA_is_prime.
|
||
As BN_is_prime_fasttest includes trial division, DSA parameter
|
||
generation becomes much faster.
|
||
|
||
This implies a change for the callback functions in DSA_is_prime
|
||
and DSA_generate_parameters: The callback function is called once
|
||
for each positive witness in the Rabin-Miller test, not just
|
||
occasionally in the inner loop; and the parameters to the
|
||
callback function now provide an iteration count for the outer
|
||
loop rather than for the current invocation of the inner loop.
|
||
DSA_generate_parameters additionally can call the callback
|
||
function with an 'iteration count' of -1, meaning that a
|
||
candidate has passed the trial division test (when q is generated
|
||
from an application-provided seed, trial division is skipped).
|
||
[Bodo Moeller]
|
||
|
||
*) New function BN_is_prime_fasttest that optionally does trial
|
||
division before starting the Rabin-Miller test and has
|
||
an additional BN_CTX * argument (whereas BN_is_prime always
|
||
has to allocate at least one BN_CTX).
|
||
'callback(1, -1, cb_arg)' is called when a number has passed the
|
||
trial division stage.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix for bug in CRL encoding. The validity dates weren't being handled
|
||
as ASN1_TIME.
|
||
[Steve Henson]
|
||
|
||
*) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
|
||
[Steve Henson]
|
||
|
||
*) New function BN_pseudo_rand().
|
||
[Ulf M<>ller]
|
||
|
||
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
|
||
bignum version of BN_from_montgomery() with the working code from
|
||
SSLeay 0.9.0 (the word based version is faster anyway), and clean up
|
||
the comments.
|
||
[Ulf M<>ller]
|
||
|
||
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that
|
||
made it impossible to use the same SSL_SESSION data structure in
|
||
SSL2 clients in multiple threads.
|
||
[Bodo Moeller]
|
||
|
||
*) The return value of RAND_load_file() no longer counts bytes obtained
|
||
by stat(). RAND_load_file(..., -1) is new and uses the complete file
|
||
to seed the PRNG (previously an explicit byte count was required).
|
||
[Ulf M<>ller, Bodo M<>ller]
|
||
|
||
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
|
||
used (char *) instead of (void *) and had casts all over the place.
|
||
[Steve Henson]
|
||
|
||
*) Make BN_generate_prime() return NULL on error if ret!=NULL.
|
||
[Ulf M<>ller]
|
||
|
||
*) Retain source code compatibility for BN_prime_checks macro:
|
||
BN_is_prime(..., BN_prime_checks, ...) now uses
|
||
BN_prime_checks_for_size to determine the appropriate number of
|
||
Rabin-Miller iterations.
|
||
[Ulf M<>ller]
|
||
|
||
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
|
||
DH_CHECK_P_NOT_SAFE_PRIME.
|
||
(Check if this is true? OpenPGP calls them "strong".)
|
||
[Ulf M<>ller]
|
||
|
||
*) Merge the functionality of "dh" and "gendh" programs into a new program
|
||
"dhparam". The old programs are retained for now but will handle DH keys
|
||
(instead of parameters) in future.
|
||
[Steve Henson]
|
||
|
||
*) Make the ciphers, s_server and s_client programs check the return values
|
||
when a new cipher list is set.
|
||
[Steve Henson]
|
||
|
||
*) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
|
||
ciphers. Before when the 56bit ciphers were enabled the sorting was
|
||
wrong.
|
||
|
||
The syntax for the cipher sorting has been extended to support sorting by
|
||
cipher-strength (using the strength_bits hard coded in the tables).
|
||
The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
|
||
|
||
Fix a bug in the cipher-command parser: when supplying a cipher command
|
||
string with an "undefined" symbol (neither command nor alphanumeric
|
||
[A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
|
||
an error is flagged.
|
||
|
||
Due to the strength-sorting extension, the code of the
|
||
ssl_create_cipher_list() function was completely rearranged. I hope that
|
||
the readability was also increased :-)
|
||
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
|
||
|
||
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
|
||
for the first serial number and places 2 in the serial number file. This
|
||
avoids problems when the root CA is created with serial number zero and
|
||
the first user certificate has the same issuer name and serial number
|
||
as the root CA.
|
||
[Steve Henson]
|
||
|
||
*) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
|
||
the new code. Add documentation for this stuff.
|
||
[Steve Henson]
|
||
|
||
*) Changes to X509_ATTRIBUTE utilities. These have been renamed from
|
||
X509_*() to X509at_*() on the grounds that they don't handle X509
|
||
structures and behave in an analagous way to the X509v3 functions:
|
||
they shouldn't be called directly but wrapper functions should be used
|
||
instead.
|
||
|
||
So we also now have some wrapper functions that call the X509at functions
|
||
when passed certificate requests. (TO DO: similar things can be done with
|
||
PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
|
||
things. Some of these need some d2i or i2d and print functionality
|
||
because they handle more complex structures.)
|
||
[Steve Henson]
|
||
|
||
*) Add missing #ifndefs that caused missing symbols when building libssl
|
||
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
|
||
NO_RSA in ssl/s2*.c.
|
||
[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf M<>ller]
|
||
|
||
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
|
||
has a return value which indicates the quality of the random data
|
||
(1 = ok, 0 = not seeded). Also an error is recorded on the thread's
|
||
error queue. New function RAND_pseudo_bytes() generates output that is
|
||
guaranteed to be unique but not unpredictable. RAND_add is like
|
||
RAND_seed, but takes an extra argument for an entropy estimate
|
||
(RAND_seed always assumes full entropy).
|
||
[Ulf M<>ller]
|
||
|
||
*) Do more iterations of Rabin-Miller probable prime test (specifically,
|
||
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
|
||
instead of only 2 for all lengths; see BN_prime_checks_for_size definition
|
||
in crypto/bn/bn_prime.c for the complete table). This guarantees a
|
||
false-positive rate of at most 2^-80 for random input.
|
||
[Bodo Moeller]
|
||
|
||
*) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
|
||
[Bodo Moeller]
|
||
|
||
*) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
|
||
in the 0.9.5 release), this returns the chain
|
||
from an X509_CTX structure with a dup of the stack and all
|
||
the X509 reference counts upped: so the stack will exist
|
||
after X509_CTX_cleanup() has been called. Modify pkcs12.c
|
||
to use this.
|
||
|
||
Also make SSL_SESSION_print() print out the verify return
|
||
code.
|
||
[Steve Henson]
|
||
|
||
*) Add manpage for the pkcs12 command. Also change the default
|
||
behaviour so MAC iteration counts are used unless the new
|
||
-nomaciter option is used. This improves file security and
|
||
only older versions of MSIE (4.0 for example) need it.
|
||
[Steve Henson]
|
||
|
||
*) Honor the no-xxx Configure options when creating .DEF files.
|
||
[Ulf M<>ller]
|
||
|
||
*) Add PKCS#10 attributes to field table: challengePassword,
|
||
unstructuredName and unstructuredAddress. These are taken from
|
||
draft PKCS#9 v2.0 but are compatible with v1.2 provided no
|
||
international characters are used.
|
||
|
||
More changes to X509_ATTRIBUTE code: allow the setting of types
|
||
based on strings. Remove the 'loc' parameter when adding
|
||
attributes because these will be a SET OF encoding which is sorted
|
||
in ASN1 order.
|
||
[Steve Henson]
|
||
|
||
*) Initial changes to the 'req' utility to allow request generation
|
||
automation. This will allow an application to just generate a template
|
||
file containing all the field values and have req construct the
|
||
request.
|
||
|
||
Initial support for X509_ATTRIBUTE handling. Stacks of these are
|
||
used all over the place including certificate requests and PKCS#7
|
||
structures. They are currently handled manually where necessary with
|
||
some primitive wrappers for PKCS#7. The new functions behave in a
|
||
manner analogous to the X509 extension functions: they allow
|
||
attributes to be looked up by NID and added.
|
||
|
||
Later something similar to the X509V3 code would be desirable to
|
||
automatically handle the encoding, decoding and printing of the
|
||
more complex types. The string types like challengePassword can
|
||
be handled by the string table functions.
|
||
|
||
Also modified the multi byte string table handling. Now there is
|
||
a 'global mask' which masks out certain types. The table itself
|
||
can use the flag STABLE_NO_MASK to ignore the mask setting: this
|
||
is useful when for example there is only one permissible type
|
||
(as in countryName) and using the mask might result in no valid
|
||
types at all.
|
||
[Steve Henson]
|
||
|
||
*) Clean up 'Finished' handling, and add functions SSL_get_finished and
|
||
SSL_get_peer_finished to allow applications to obtain the latest
|
||
Finished messages sent to the peer or expected from the peer,
|
||
respectively. (SSL_get_peer_finished is usually the Finished message
|
||
actually received from the peer, otherwise the protocol will be aborted.)
|
||
|
||
As the Finished message are message digests of the complete handshake
|
||
(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
|
||
be used for external authentication procedures when the authentication
|
||
provided by SSL/TLS is not desired or is not enough.
|
||
[Bodo Moeller]
|
||
|
||
*) Enhanced support for Alpha Linux is added. Now ./config checks if
|
||
the host supports BWX extension and if Compaq C is present on the
|
||
$PATH. Just exploiting of the BWX extension results in 20-30%
|
||
performance kick for some algorithms, e.g. DES and RC4 to mention
|
||
a couple. Compaq C in turn generates ~20% faster code for MD5 and
|
||
SHA1.
|
||
[Andy Polyakov]
|
||
|
||
*) Add support for MS "fast SGC". This is arguably a violation of the
|
||
SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
|
||
weak crypto and after checking the certificate is SGC a second one
|
||
with strong crypto. MS SGC stops the first handshake after receiving
|
||
the server certificate message and sends a second client hello. Since
|
||
a server will typically do all the time consuming operations before
|
||
expecting any further messages from the client (server key exchange
|
||
is the most expensive) there is little difference between the two.
|
||
|
||
To get OpenSSL to support MS SGC we have to permit a second client
|
||
hello message after we have sent server done. In addition we have to
|
||
reset the MAC if we do get this second client hello.
|
||
[Steve Henson]
|
||
|
||
*) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
|
||
if a DER encoded private key is RSA or DSA traditional format. Changed
|
||
d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
|
||
format DER encoded private key. Newer code should use PKCS#8 format which
|
||
has the key type encoded in the ASN1 structure. Added DER private key
|
||
support to pkcs8 application.
|
||
[Steve Henson]
|
||
|
||
*) SSL 3/TLS 1 servers now don't request certificates when an anonymous
|
||
ciphersuites has been selected (as required by the SSL 3/TLS 1
|
||
specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
|
||
is set, we interpret this as a request to violate the specification
|
||
(the worst that can happen is a handshake failure, and 'correct'
|
||
behaviour would result in a handshake failure anyway).
|
||
[Bodo Moeller]
|
||
|
||
*) In SSL_CTX_add_session, take into account that there might be multiple
|
||
SSL_SESSION structures with the same session ID (e.g. when two threads
|
||
concurrently obtain them from an external cache).
|
||
The internal cache can handle only one SSL_SESSION with a given ID,
|
||
so if there's a conflict, we now throw out the old one to achieve
|
||
consistency.
|
||
[Bodo Moeller]
|
||
|
||
*) Add OIDs for idea and blowfish in CBC mode. This will allow both
|
||
to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
|
||
some routines that use cipher OIDs: some ciphers do not have OIDs
|
||
defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
|
||
example.
|
||
[Steve Henson]
|
||
|
||
*) Simplify the trust setting structure and code. Now we just have
|
||
two sequences of OIDs for trusted and rejected settings. These will
|
||
typically have values the same as the extended key usage extension
|
||
and any application specific purposes.
|
||
|
||
The trust checking code now has a default behaviour: it will just
|
||
check for an object with the same NID as the passed id. Functions can
|
||
be provided to override either the default behaviour or the behaviour
|
||
for a given id. SSL client, server and email already have functions
|
||
in place for compatibility: they check the NID and also return "trusted"
|
||
if the certificate is self signed.
|
||
[Steve Henson]
|
||
|
||
*) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
|
||
traditional format into an EVP_PKEY structure.
|
||
[Steve Henson]
|
||
|
||
*) Add a password callback function PEM_cb() which either prompts for
|
||
a password if usr_data is NULL or otherwise assumes it is a null
|
||
terminated password. Allow passwords to be passed on command line
|
||
environment or config files in a few more utilities.
|
||
[Steve Henson]
|
||
|
||
*) Add a bunch of DER and PEM functions to handle PKCS#8 format private
|
||
keys. Add some short names for PKCS#8 PBE algorithms and allow them
|
||
to be specified on the command line for the pkcs8 and pkcs12 utilities.
|
||
Update documentation.
|
||
[Steve Henson]
|
||
|
||
*) Support for ASN1 "NULL" type. This could be handled before by using
|
||
ASN1_TYPE but there wasn't any function that would try to read a NULL
|
||
and produce an error if it couldn't. For compatibility we also have
|
||
ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
|
||
don't allocate anything because they don't need to.
|
||
[Steve Henson]
|
||
|
||
*) Initial support for MacOS is now provided. Examine INSTALL.MacOS
|
||
for details.
|
||
[Andy Polyakov, Roy Woods <roy@centicsystems.ca>]
|
||
|
||
*) Rebuild of the memory allocation routines used by OpenSSL code and
|
||
possibly others as well. The purpose is to make an interface that
|
||
provide hooks so anyone can build a separate set of allocation and
|
||
deallocation routines to be used by OpenSSL, for example memory
|
||
pool implementations, or something else, which was previously hard
|
||
since Malloc(), Realloc() and Free() were defined as macros having
|
||
the values malloc, realloc and free, respectively (except for Win32
|
||
compilations). The same is provided for memory debugging code.
|
||
OpenSSL already comes with functionality to find memory leaks, but
|
||
this gives people a chance to debug other memory problems.
|
||
|
||
With these changes, a new set of functions and macros have appeared:
|
||
|
||
CRYPTO_set_mem_debug_functions() [F]
|
||
CRYPTO_get_mem_debug_functions() [F]
|
||
CRYPTO_dbg_set_options() [F]
|
||
CRYPTO_dbg_get_options() [F]
|
||
CRYPTO_malloc_debug_init() [M]
|
||
|
||
The memory debug functions are NULL by default, unless the library
|
||
is compiled with CRYPTO_MDEBUG or friends is defined. If someone
|
||
wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
|
||
gives the standard debugging functions that come with OpenSSL) or
|
||
CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
|
||
provided by the library user) must be used. When the standard
|
||
debugging functions are used, CRYPTO_dbg_set_options can be used to
|
||
request additional information:
|
||
CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
|
||
the CRYPTO_MDEBUG_xxx macro when compiling the library.
|
||
|
||
Also, things like CRYPTO_set_mem_functions will always give the
|
||
expected result (the new set of functions is used for allocation
|
||
and deallocation) at all times, regardless of platform and compiler
|
||
options.
|
||
|
||
To finish it up, some functions that were never use in any other
|
||
way than through macros have a new API and new semantic:
|
||
|
||
CRYPTO_dbg_malloc()
|
||
CRYPTO_dbg_realloc()
|
||
CRYPTO_dbg_free()
|
||
|
||
All macros of value have retained their old syntax.
|
||
[Richard Levitte and Bodo Moeller]
|
||
|
||
*) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
|
||
ordering of SMIMECapabilities wasn't in "strength order" and there
|
||
was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
|
||
algorithm.
|
||
[Steve Henson]
|
||
|
||
*) Some ASN1 types with illegal zero length encoding (INTEGER,
|
||
ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
|
||
[Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]
|
||
|
||
*) Merge in my S/MIME library for OpenSSL. This provides a simple
|
||
S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
|
||
functionality to handle multipart/signed properly) and a utility
|
||
called 'smime' to call all this stuff. This is based on code I
|
||
originally wrote for Celo who have kindly allowed it to be
|
||
included in OpenSSL.
|
||
[Steve Henson]
|
||
|
||
*) Add variants des_set_key_checked and des_set_key_unchecked of
|
||
des_set_key (aka des_key_sched). Global variable des_check_key
|
||
decides which of these is called by des_set_key; this way
|
||
des_check_key behaves as it always did, but applications and
|
||
the library itself, which was buggy for des_check_key == 1,
|
||
have a cleaner way to pick the version they need.
|
||
[Bodo Moeller]
|
||
|
||
*) New function PKCS12_newpass() which changes the password of a
|
||
PKCS12 structure.
|
||
[Steve Henson]
|
||
|
||
*) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
|
||
dynamic mix. In both cases the ids can be used as an index into the
|
||
table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
|
||
functions so they accept a list of the field values and the
|
||
application doesn't need to directly manipulate the X509_TRUST
|
||
structure.
|
||
[Steve Henson]
|
||
|
||
*) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
|
||
need initialising.
|
||
[Steve Henson]
|
||
|
||
*) Modify the way the V3 extension code looks up extensions. This now
|
||
works in a similar way to the object code: we have some "standard"
|
||
extensions in a static table which is searched with OBJ_bsearch()
|
||
and the application can add dynamic ones if needed. The file
|
||
crypto/x509v3/ext_dat.h now has the info: this file needs to be
|
||
updated whenever a new extension is added to the core code and kept
|
||
in ext_nid order. There is a simple program 'tabtest.c' which checks
|
||
this. New extensions are not added too often so this file can readily
|
||
be maintained manually.
|
||
|
||
There are two big advantages in doing things this way. The extensions
|
||
can be looked up immediately and no longer need to be "added" using
|
||
X509V3_add_standard_extensions(): this function now does nothing.
|
||
[Side note: I get *lots* of email saying the extension code doesn't
|
||
work because people forget to call this function]
|
||
Also no dynamic allocation is done unless new extensions are added:
|
||
so if we don't add custom extensions there is no need to call
|
||
X509V3_EXT_cleanup().
|
||
[Steve Henson]
|
||
|
||
*) Modify enc utility's salting as follows: make salting the default. Add a
|
||
magic header, so unsalted files fail gracefully instead of just decrypting
|
||
to garbage. This is because not salting is a big security hole, so people
|
||
should be discouraged from doing it.
|
||
[Ben Laurie]
|
||
|
||
*) Fixes and enhancements to the 'x509' utility. It allowed a message
|
||
digest to be passed on the command line but it only used this
|
||
parameter when signing a certificate. Modified so all relevant
|
||
operations are affected by the digest parameter including the
|
||
-fingerprint and -x509toreq options. Also -x509toreq choked if a
|
||
DSA key was used because it didn't fix the digest.
|
||
[Steve Henson]
|
||
|
||
*) Initial certificate chain verify code. Currently tests the untrusted
|
||
certificates for consistency with the verify purpose (which is set
|
||
when the X509_STORE_CTX structure is set up) and checks the pathlength.
|
||
|
||
There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
|
||
this is because it will reject chains with invalid extensions whereas
|
||
every previous version of OpenSSL and SSLeay made no checks at all.
|
||
|
||
Trust code: checks the root CA for the relevant trust settings. Trust
|
||
settings have an initial value consistent with the verify purpose: e.g.
|
||
if the verify purpose is for SSL client use it expects the CA to be
|
||
trusted for SSL client use. However the default value can be changed to
|
||
permit custom trust settings: one example of this would be to only trust
|
||
certificates from a specific "secure" set of CAs.
|
||
|
||
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
|
||
which should be used for version portability: especially since the
|
||
verify structure is likely to change more often now.
|
||
|
||
SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
|
||
to set them. If not set then assume SSL clients will verify SSL servers
|
||
and vice versa.
|
||
|
||
Two new options to the verify program: -untrusted allows a set of
|
||
untrusted certificates to be passed in and -purpose which sets the
|
||
intended purpose of the certificate. If a purpose is set then the
|
||
new chain verify code is used to check extension consistency.
|
||
[Steve Henson]
|
||
|
||
*) Support for the authority information access extension.
|
||
[Steve Henson]
|
||
|
||
*) Modify RSA and DSA PEM read routines to transparently handle
|
||
PKCS#8 format private keys. New *_PUBKEY_* functions that handle
|
||
public keys in a format compatible with certificate
|
||
SubjectPublicKeyInfo structures. Unfortunately there were already
|
||
functions called *_PublicKey_* which used various odd formats so
|
||
these are retained for compatibility: however the DSA variants were
|
||
never in a public release so they have been deleted. Changed dsa/rsa
|
||
utilities to handle the new format: note no releases ever handled public
|
||
keys so we should be OK.
|
||
|
||
The primary motivation for this change is to avoid the same fiasco
|
||
that dogs private keys: there are several incompatible private key
|
||
formats some of which are standard and some OpenSSL specific and
|
||
require various evil hacks to allow partial transparent handling and
|
||
even then it doesn't work with DER formats. Given the option anything
|
||
other than PKCS#8 should be dumped: but the other formats have to
|
||
stay in the name of compatibility.
|
||
|
||
With public keys and the benefit of hindsight one standard format
|
||
is used which works with EVP_PKEY, RSA or DSA structures: though
|
||
it clearly returns an error if you try to read the wrong kind of key.
|
||
|
||
Added a -pubkey option to the 'x509' utility to output the public key.
|
||
Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
|
||
(renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
|
||
EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
|
||
that do the same as the EVP_PKEY_assign_*() except they up the
|
||
reference count of the added key (they don't "swallow" the
|
||
supplied key).
|
||
[Steve Henson]
|
||
|
||
*) Fixes to crypto/x509/by_file.c the code to read in certificates and
|
||
CRLs would fail if the file contained no certificates or no CRLs:
|
||
added a new function to read in both types and return the number
|
||
read: this means that if none are read it will be an error. The
|
||
DER versions of the certificate and CRL reader would always fail
|
||
because it isn't possible to mix certificates and CRLs in DER format
|
||
without choking one or the other routine. Changed this to just read
|
||
a certificate: this is the best we can do. Also modified the code
|
||
in apps/verify.c to take notice of return codes: it was previously
|
||
attempting to read in certificates from NULL pointers and ignoring
|
||
any errors: this is one reason why the cert and CRL reader seemed
|
||
to work. It doesn't check return codes from the default certificate
|
||
routines: these may well fail if the certificates aren't installed.
|
||
[Steve Henson]
|
||
|
||
*) Code to support otherName option in GeneralName.
|
||
[Steve Henson]
|
||
|
||
*) First update to verify code. Change the verify utility
|
||
so it warns if it is passed a self signed certificate:
|
||
for consistency with the normal behaviour. X509_verify
|
||
has been modified to it will now verify a self signed
|
||
certificate if *exactly* the same certificate appears
|
||
in the store: it was previously impossible to trust a
|
||
single self signed certificate. This means that:
|
||
openssl verify ss.pem
|
||
now gives a warning about a self signed certificate but
|
||
openssl verify -CAfile ss.pem ss.pem
|
||
is OK.
|
||
[Steve Henson]
|
||
|
||
*) For servers, store verify_result in SSL_SESSION data structure
|
||
(and add it to external session representation).
|
||
This is needed when client certificate verifications fails,
|
||
but an application-provided verification callback (set by
|
||
SSL_CTX_set_cert_verify_callback) allows accepting the session
|
||
anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
|
||
but returns 1): When the session is reused, we have to set
|
||
ssl->verify_result to the appropriate error code to avoid
|
||
security holes.
|
||
[Bodo Moeller, problem pointed out by Lutz Jaenicke]
|
||
|
||
*) Fix a bug in the new PKCS#7 code: it didn't consider the
|
||
case in PKCS7_dataInit() where the signed PKCS7 structure
|
||
didn't contain any existing data because it was being created.
|
||
[Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]
|
||
|
||
*) Add a salt to the key derivation routines in enc.c. This
|
||
forms the first 8 bytes of the encrypted file. Also add a
|
||
-S option to allow a salt to be input on the command line.
|
||
[Steve Henson]
|
||
|
||
*) New function X509_cmp(). Oddly enough there wasn't a function
|
||
to compare two certificates. We do this by working out the SHA1
|
||
hash and comparing that. X509_cmp() will be needed by the trust
|
||
code.
|
||
[Steve Henson]
|
||
|
||
*) SSL_get1_session() is like SSL_get_session(), but increments
|
||
the reference count in the SSL_SESSION returned.
|
||
[Geoff Thorpe <geoff@eu.c2.net>]
|
||
|
||
*) Fix for 'req': it was adding a null to request attributes.
|
||
Also change the X509_LOOKUP and X509_INFO code to handle
|
||
certificate auxiliary information.
|
||
[Steve Henson]
|
||
|
||
*) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
|
||
the 'enc' command.
|
||
[Steve Henson]
|
||
|
||
*) Add the possibility to add extra information to the memory leak
|
||
detecting output, to form tracebacks, showing from where each
|
||
allocation was originated: CRYPTO_push_info("constant string") adds
|
||
the string plus current file name and line number to a per-thread
|
||
stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
|
||
is like calling CYRPTO_pop_info() until the stack is empty.
|
||
Also updated memory leak detection code to be multi-thread-safe.
|
||
[Richard Levitte]
|
||
|
||
*) Add options -text and -noout to pkcs7 utility and delete the
|
||
encryption options which never did anything. Update docs.
|
||
[Steve Henson]
|
||
|
||
*) Add options to some of the utilities to allow the pass phrase
|
||
to be included on either the command line (not recommended on
|
||
OSes like Unix) or read from the environment. Update the
|
||
manpages and fix a few bugs.
|
||
[Steve Henson]
|
||
|
||
*) Add a few manpages for some of the openssl commands.
|
||
[Steve Henson]
|
||
|
||
*) Fix the -revoke option in ca. It was freeing up memory twice,
|
||
leaking and not finding already revoked certificates.
|
||
[Steve Henson]
|
||
|
||
*) Extensive changes to support certificate auxiliary information.
|
||
This involves the use of X509_CERT_AUX structure and X509_AUX
|
||
functions. An X509_AUX function such as PEM_read_X509_AUX()
|
||
can still read in a certificate file in the usual way but it
|
||
will also read in any additional "auxiliary information". By
|
||
doing things this way a fair degree of compatibility can be
|
||
retained: existing certificates can have this information added
|
||
using the new 'x509' options.
|
||
|
||
Current auxiliary information includes an "alias" and some trust
|
||
settings. The trust settings will ultimately be used in enhanced
|
||
certificate chain verification routines: currently a certificate
|
||
can only be trusted if it is self signed and then it is trusted
|
||
for all purposes.
|
||
[Steve Henson]
|
||
|
||
*) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
|
||
The problem was that one of the replacement routines had not been working
|
||
since SSLeay releases. For now the offending routine has been replaced
|
||
with non-optimised assembler. Even so, this now gives around 95%
|
||
performance improvement for 1024 bit RSA signs.
|
||
[Mark Cox]
|
||
|
||
*) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
|
||
handling. Most clients have the effective key size in bits equal to
|
||
the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
|
||
A few however don't do this and instead use the size of the decrypted key
|
||
to determine the RC2 key length and the AlgorithmIdentifier to determine
|
||
the effective key length. In this case the effective key length can still
|
||
be 40 bits but the key length can be 168 bits for example. This is fixed
|
||
by manually forcing an RC2 key into the EVP_PKEY structure because the
|
||
EVP code can't currently handle unusual RC2 key sizes: it always assumes
|
||
the key length and effective key length are equal.
|
||
[Steve Henson]
|
||
|
||
*) Add a bunch of functions that should simplify the creation of
|
||
X509_NAME structures. Now you should be able to do:
|
||
X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
|
||
and have it automatically work out the correct field type and fill in
|
||
the structures. The more adventurous can try:
|
||
X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
|
||
and it will (hopefully) work out the correct multibyte encoding.
|
||
[Steve Henson]
|
||
|
||
*) Change the 'req' utility to use the new field handling and multibyte
|
||
copy routines. Before the DN field creation was handled in an ad hoc
|
||
way in req, ca, and x509 which was rather broken and didn't support
|
||
BMPStrings or UTF8Strings. Since some software doesn't implement
|
||
BMPStrings or UTF8Strings yet, they can be enabled using the config file
|
||
using the dirstring_type option. See the new comment in the default
|
||
openssl.cnf for more info.
|
||
[Steve Henson]
|
||
|
||
*) Make crypto/rand/md_rand.c more robust:
|
||
- Assure unique random numbers after fork().
|
||
- Make sure that concurrent threads access the global counter and
|
||
md serializably so that we never lose entropy in them
|
||
or use exactly the same state in multiple threads.
|
||
Access to the large state is not always serializable because
|
||
the additional locking could be a performance killer, and
|
||
md should be large enough anyway.
|
||
[Bodo Moeller]
|
||
|
||
*) New file apps/app_rand.c with commonly needed functionality
|
||
for handling the random seed file.
|
||
|
||
Use the random seed file in some applications that previously did not:
|
||
ca,
|
||
dsaparam -genkey (which also ignored its '-rand' option),
|
||
s_client,
|
||
s_server,
|
||
x509 (when signing).
|
||
Except on systems with /dev/urandom, it is crucial to have a random
|
||
seed file at least for key creation, DSA signing, and for DH exchanges;
|
||
for RSA signatures we could do without one.
|
||
|
||
gendh and gendsa (unlike genrsa) used to read only the first byte
|
||
of each file listed in the '-rand' option. The function as previously
|
||
found in genrsa is now in app_rand.c and is used by all programs
|
||
that support '-rand'.
|
||
[Bodo Moeller]
|
||
|
||
*) In RAND_write_file, use mode 0600 for creating files;
|
||
don't just chmod when it may be too late.
|
||
[Bodo Moeller]
|
||
|
||
*) Report an error from X509_STORE_load_locations
|
||
when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
|
||
[Bill Perry]
|
||
|
||
*) New function ASN1_mbstring_copy() this copies a string in either
|
||
ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
|
||
into an ASN1_STRING type. A mask of permissible types is passed
|
||
and it chooses the "minimal" type to use or an error if not type
|
||
is suitable.
|
||
[Steve Henson]
|
||
|
||
*) Add function equivalents to the various macros in asn1.h. The old
|
||
macros are retained with an M_ prefix. Code inside the library can
|
||
use the M_ macros. External code (including the openssl utility)
|
||
should *NOT* in order to be "shared library friendly".
|
||
[Steve Henson]
|
||
|
||
*) Add various functions that can check a certificate's extensions
|
||
to see if it usable for various purposes such as SSL client,
|
||
server or S/MIME and CAs of these types. This is currently
|
||
VERY EXPERIMENTAL but will ultimately be used for certificate chain
|
||
verification. Also added a -purpose flag to x509 utility to
|
||
print out all the purposes.
|
||
[Steve Henson]
|
||
|
||
*) Add a CRYPTO_EX_DATA to X509 certificate structure and associated
|
||
functions.
|
||
[Steve Henson]
|
||
|
||
*) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
|
||
for, obtain and decode and extension and obtain its critical flag.
|
||
This allows all the necessary extension code to be handled in a
|
||
single function call.
|
||
[Steve Henson]
|
||
|
||
*) RC4 tune-up featuring 30-40% performance improvement on most RISC
|
||
platforms. See crypto/rc4/rc4_enc.c for further details.
|
||
[Andy Polyakov]
|
||
|
||
*) New -noout option to asn1parse. This causes no output to be produced
|
||
its main use is when combined with -strparse and -out to extract data
|
||
from a file (which may not be in ASN.1 format).
|
||
[Steve Henson]
|
||
|
||
*) Fix for pkcs12 program. It was hashing an invalid certificate pointer
|
||
when producing the local key id.
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) New option -dhparam in s_server. This allows a DH parameter file to be
|
||
stated explicitly. If it is not stated then it tries the first server
|
||
certificate file. The previous behaviour hard coded the filename
|
||
"server.pem".
|
||
[Steve Henson]
|
||
|
||
*) Add -pubin and -pubout options to the rsa and dsa commands. These allow
|
||
a public key to be input or output. For example:
|
||
openssl rsa -in key.pem -pubout -out pubkey.pem
|
||
Also added necessary DSA public key functions to handle this.
|
||
[Steve Henson]
|
||
|
||
*) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
|
||
in the message. This was handled by allowing
|
||
X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
|
||
[Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>]
|
||
|
||
*) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
|
||
to the end of the strings whereas this didn't. This would cause problems
|
||
if strings read with d2i_ASN1_bytes() were later modified.
|
||
[Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) Fix for base64 decode bug. When a base64 bio reads only one line of
|
||
data and it contains EOF it will end up returning an error. This is
|
||
caused by input 46 bytes long. The cause is due to the way base64
|
||
BIOs find the start of base64 encoded data. They do this by trying a
|
||
trial decode on each line until they find one that works. When they
|
||
do a flag is set and it starts again knowing it can pass all the
|
||
data directly through the decoder. Unfortunately it doesn't reset
|
||
the context it uses. This means that if EOF is reached an attempt
|
||
is made to pass two EOFs through the context and this causes the
|
||
resulting error. This can also cause other problems as well. As is
|
||
usual with these problems it takes *ages* to find and the fix is
|
||
trivial: move one line.
|
||
[Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ]
|
||
|
||
*) Ugly workaround to get s_client and s_server working under Windows. The
|
||
old code wouldn't work because it needed to select() on sockets and the
|
||
tty (for keypresses and to see if data could be written). Win32 only
|
||
supports select() on sockets so we select() with a 1s timeout on the
|
||
sockets and then see if any characters are waiting to be read, if none
|
||
are present then we retry, we also assume we can always write data to
|
||
the tty. This isn't nice because the code then blocks until we've
|
||
received a complete line of data and it is effectively polling the
|
||
keyboard at 1s intervals: however it's quite a bit better than not
|
||
working at all :-) A dedicated Windows application might handle this
|
||
with an event loop for example.
|
||
[Steve Henson]
|
||
|
||
*) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
|
||
and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
|
||
will be called when RSA_sign() and RSA_verify() are used. This is useful
|
||
if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
|
||
For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
|
||
should *not* be used: RSA_sign() and RSA_verify() must be used instead.
|
||
This necessitated the support of an extra signature type NID_md5_sha1
|
||
for SSL signatures and modifications to the SSL library to use it instead
|
||
of calling RSA_public_decrypt() and RSA_private_encrypt().
|
||
[Steve Henson]
|
||
|
||
*) Add new -verify -CAfile and -CApath options to the crl program, these
|
||
will lookup a CRL issuers certificate and verify the signature in a
|
||
similar way to the verify program. Tidy up the crl program so it
|
||
no longer accesses structures directly. Make the ASN1 CRL parsing a bit
|
||
less strict. It will now permit CRL extensions even if it is not
|
||
a V2 CRL: this will allow it to tolerate some broken CRLs.
|
||
[Steve Henson]
|
||
|
||
*) Initialize all non-automatic variables each time one of the openssl
|
||
sub-programs is started (this is necessary as they may be started
|
||
multiple times from the "OpenSSL>" prompt).
|
||
[Lennart Bang, Bodo Moeller]
|
||
|
||
*) Preliminary compilation option RSA_NULL which disables RSA crypto without
|
||
removing all other RSA functionality (this is what NO_RSA does). This
|
||
is so (for example) those in the US can disable those operations covered
|
||
by the RSA patent while allowing storage and parsing of RSA keys and RSA
|
||
key generation.
|
||
[Steve Henson]
|
||
|
||
*) Non-copying interface to BIO pairs.
|
||
(still largely untested)
|
||
[Bodo Moeller]
|
||
|
||
*) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive
|
||
ASCII string. This was handled independently in various places before.
|
||
[Steve Henson]
|
||
|
||
*) New functions UTF8_getc() and UTF8_putc() that parse and generate
|
||
UTF8 strings a character at a time.
|
||
[Steve Henson]
|
||
|
||
*) Use client_version from client hello to select the protocol
|
||
(s23_srvr.c) and for RSA client key exchange verification
|
||
(s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
|
||
[Bodo Moeller]
|
||
|
||
*) Add various utility functions to handle SPKACs, these were previously
|
||
handled by poking round in the structure internals. Added new function
|
||
NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
|
||
print, verify and generate SPKACs. Based on an original idea from
|
||
Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
|
||
[Steve Henson]
|
||
|
||
*) RIPEMD160 is operational on all platforms and is back in 'make test'.
|
||
[Andy Polyakov]
|
||
|
||
*) Allow the config file extension section to be overwritten on the
|
||
command line. Based on an original idea from Massimiliano Pala
|
||
<madwolf@comune.modena.it>. The new option is called -extensions
|
||
and can be applied to ca, req and x509. Also -reqexts to override
|
||
the request extensions in req and -crlexts to override the crl extensions
|
||
in ca.
|
||
[Steve Henson]
|
||
|
||
*) Add new feature to the SPKAC handling in ca. Now you can include
|
||
the same field multiple times by preceding it by "XXXX." for example:
|
||
1.OU="Unit name 1"
|
||
2.OU="Unit name 2"
|
||
this is the same syntax as used in the req config file.
|
||
[Steve Henson]
|
||
|
||
*) Allow certificate extensions to be added to certificate requests. These
|
||
are specified in a 'req_extensions' option of the req section of the
|
||
config file. They can be printed out with the -text option to req but
|
||
are otherwise ignored at present.
|
||
[Steve Henson]
|
||
|
||
*) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
|
||
data read consists of only the final block it would not decrypted because
|
||
EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
|
||
A misplaced 'break' also meant the decrypted final block might not be
|
||
copied until the next read.
|
||
[Steve Henson]
|
||
|
||
*) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
|
||
a few extra parameters to the DH structure: these will be useful if
|
||
for example we want the value of 'q' or implement X9.42 DH.
|
||
[Steve Henson]
|
||
|
||
*) Initial support for DSA_METHOD. This is based on the RSA_METHOD and
|
||
provides hooks that allow the default DSA functions or functions on a
|
||
"per key" basis to be replaced. This allows hardware acceleration and
|
||
hardware key storage to be handled without major modification to the
|
||
library. Also added low level modexp hooks and CRYPTO_EX structure and
|
||
associated functions.
|
||
[Steve Henson]
|
||
|
||
*) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
|
||
as "read only": it can't be written to and the buffer it points to will
|
||
not be freed. Reading from a read only BIO is much more efficient than
|
||
a normal memory BIO. This was added because there are several times when
|
||
an area of memory needs to be read from a BIO. The previous method was
|
||
to create a memory BIO and write the data to it, this results in two
|
||
copies of the data and an O(n^2) reading algorithm. There is a new
|
||
function BIO_new_mem_buf() which creates a read only memory BIO from
|
||
an area of memory. Also modified the PKCS#7 routines to use read only
|
||
memory BIOs.
|
||
[Steve Henson]
|
||
|
||
*) Bugfix: ssl23_get_client_hello did not work properly when called in
|
||
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
|
||
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
|
||
but a retry condition occured while trying to read the rest.
|
||
[Bodo Moeller]
|
||
|
||
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as
|
||
NID_pkcs7_encrypted by default: this was wrong since this should almost
|
||
always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
|
||
the encrypted data type: this is a more sensible place to put it and it
|
||
allows the PKCS#12 code to be tidied up that duplicated this
|
||
functionality.
|
||
[Steve Henson]
|
||
|
||
*) Changed obj_dat.pl script so it takes its input and output files on
|
||
the command line. This should avoid shell escape redirection problems
|
||
under Win32.
|
||
[Steve Henson]
|
||
|
||
*) Initial support for certificate extension requests, these are included
|
||
in things like Xenroll certificate requests. Included functions to allow
|
||
extensions to be obtained and added.
|
||
[Steve Henson]
|
||
|
||
*) -crlf option to s_client and s_server for sending newlines as
|
||
CRLF (as required by many protocols).
|
||
[Bodo Moeller]
|
||
|
||
Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
|
||
|
||
*) Install libRSAglue.a when OpenSSL is built with RSAref.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
|
||
[Andrija Antonijevic <TheAntony2@bigfoot.com>]
|
||
|
||
*) Fix -startdate and -enddate (which was missing) arguments to 'ca'
|
||
program.
|
||
[Steve Henson]
|
||
|
||
*) New function DSA_dup_DH, which duplicates DSA parameters/keys as
|
||
DH parameters/keys (q is lost during that conversion, but the resulting
|
||
DH parameters contain its length).
|
||
|
||
For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
|
||
much faster than DH_generate_parameters (which creates parameters
|
||
where p = 2*q + 1), and also the smaller q makes DH computations
|
||
much more efficient (160-bit exponentiation instead of 1024-bit
|
||
exponentiation); so this provides a convenient way to support DHE
|
||
ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
|
||
utter importance to use
|
||
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
|
||
or
|
||
SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
|
||
when such DH parameters are used, because otherwise small subgroup
|
||
attacks may become possible!
|
||
[Bodo Moeller]
|
||
|
||
*) Avoid memory leak in i2d_DHparams.
|
||
[Bodo Moeller]
|
||
|
||
*) Allow the -k option to be used more than once in the enc program:
|
||
this allows the same encrypted message to be read by multiple recipients.
|
||
[Steve Henson]
|
||
|
||
*) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
|
||
an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
|
||
it will always use the numerical form of the OID, even if it has a short
|
||
or long name.
|
||
[Steve Henson]
|
||
|
||
*) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
|
||
method only got called if p,q,dmp1,dmq1,iqmp components were present,
|
||
otherwise bn_mod_exp was called. In the case of hardware keys for example
|
||
no private key components need be present and it might store extra data
|
||
in the RSA structure, which cannot be accessed from bn_mod_exp.
|
||
By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
|
||
private key operations.
|
||
[Steve Henson]
|
||
|
||
*) Added support for SPARC Linux.
|
||
[Andy Polyakov]
|
||
|
||
*) pem_password_cb function type incompatibly changed from
|
||
typedef int pem_password_cb(char *buf, int size, int rwflag);
|
||
to
|
||
....(char *buf, int size, int rwflag, void *userdata);
|
||
so that applications can pass data to their callbacks:
|
||
The PEM[_ASN1]_{read,write}... functions and macros now take an
|
||
additional void * argument, which is just handed through whenever
|
||
the password callback is called.
|
||
[Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller]
|
||
|
||
New function SSL_CTX_set_default_passwd_cb_userdata.
|
||
|
||
Compatibility note: As many C implementations push function arguments
|
||
onto the stack in reverse order, the new library version is likely to
|
||
interoperate with programs that have been compiled with the old
|
||
pem_password_cb definition (PEM_whatever takes some data that
|
||
happens to be on the stack as its last argument, and the callback
|
||
just ignores this garbage); but there is no guarantee whatsoever that
|
||
this will work.
|
||
|
||
*) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
|
||
(both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
|
||
problems not only on Windows, but also on some Unix platforms.
|
||
To avoid problematic command lines, these definitions are now in an
|
||
auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
|
||
for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
|
||
[Bodo Moeller]
|
||
|
||
*) MIPS III/IV assembler module is reimplemented.
|
||
[Andy Polyakov]
|
||
|
||
*) More DES library cleanups: remove references to srand/rand and
|
||
delete an unused file.
|
||
[Ulf M<>ller]
|
||
|
||
*) Add support for the the free Netwide assembler (NASM) under Win32,
|
||
since not many people have MASM (ml) and it can be hard to obtain.
|
||
This is currently experimental but it seems to work OK and pass all
|
||
the tests. Check out INSTALL.W32 for info.
|
||
[Steve Henson]
|
||
|
||
*) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
|
||
without temporary keys kept an extra copy of the server key,
|
||
and connections with temporary keys did not free everything in case
|
||
of an error.
|
||
[Bodo Moeller]
|
||
|
||
*) New function RSA_check_key and new openssl rsa option -check
|
||
for verifying the consistency of RSA keys.
|
||
[Ulf Moeller, Bodo Moeller]
|
||
|
||
*) Various changes to make Win32 compile work:
|
||
1. Casts to avoid "loss of data" warnings in p5_crpt2.c
|
||
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
|
||
comparison" warnings.
|
||
3. Add sk_<TYPE>_sort to DEF file generator and do make update.
|
||
[Steve Henson]
|
||
|
||
*) Add a debugging option to PKCS#5 v2 key generation function: when
|
||
you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
|
||
derived keys are printed to stderr.
|
||
[Steve Henson]
|
||
|
||
*) Copy the flags in ASN1_STRING_dup().
|
||
[Roman E. Pavlov <pre@mo.msk.ru>]
|
||
|
||
*) The x509 application mishandled signing requests containing DSA
|
||
keys when the signing key was also DSA and the parameters didn't match.
|
||
|
||
It was supposed to omit the parameters when they matched the signing key:
|
||
the verifying software was then supposed to automatically use the CA's
|
||
parameters if they were absent from the end user certificate.
|
||
|
||
Omitting parameters is no longer recommended. The test was also
|
||
the wrong way round! This was probably due to unusual behaviour in
|
||
EVP_cmp_parameters() which returns 1 if the parameters match.
|
||
This meant that parameters were omitted when they *didn't* match and
|
||
the certificate was useless. Certificates signed with 'ca' didn't have
|
||
this bug.
|
||
[Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
|
||
|
||
*) Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
|
||
The interface is as follows:
|
||
Applications can use
|
||
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
|
||
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
|
||
"off" is now the default.
|
||
The library internally uses
|
||
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
|
||
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
|
||
to disable memory-checking temporarily.
|
||
|
||
Some inconsistent states that previously were possible (and were
|
||
even the default) are now avoided.
|
||
|
||
-DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
|
||
with each memory chunk allocated; this is occasionally more helpful
|
||
than just having a counter.
|
||
|
||
-DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
|
||
|
||
-DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
|
||
extensions.
|
||
[Bodo Moeller]
|
||
|
||
*) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
|
||
which largely parallels "options", but is for changing API behaviour,
|
||
whereas "options" are about protocol behaviour.
|
||
Initial "mode" flags are:
|
||
|
||
SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when
|
||
a single record has been written.
|
||
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
|
||
retries use the same buffer location.
|
||
(But all of the contents must be
|
||
copied!)
|
||
[Bodo Moeller]
|
||
|
||
*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
|
||
worked.
|
||
|
||
*) Fix problems with no-hmac etc.
|
||
[Ulf M<>ller, pointed out by Brian Wellington <bwelling@tislabs.com>]
|
||
|
||
*) New functions RSA_get_default_method(), RSA_set_method() and
|
||
RSA_get_method(). These allows replacement of RSA_METHODs without having
|
||
to mess around with the internals of an RSA structure.
|
||
[Steve Henson]
|
||
|
||
*) Fix memory leaks in DSA_do_sign and DSA_is_prime.
|
||
Also really enable memory leak checks in openssl.c and in some
|
||
test programs.
|
||
[Chad C. Mulligan, Bodo Moeller]
|
||
|
||
*) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
|
||
up the length of negative integers. This has now been simplified to just
|
||
store the length when it is first determined and use it later, rather
|
||
than trying to keep track of where data is copied and updating it to
|
||
point to the end.
|
||
[Steve Henson, reported by Brien Wheeler
|
||
<bwheeler@authentica-security.com>]
|
||
|
||
*) Add a new function PKCS7_signatureVerify. This allows the verification
|
||
of a PKCS#7 signature but with the signing certificate passed to the
|
||
function itself. This contrasts with PKCS7_dataVerify which assumes the
|
||
certificate is present in the PKCS#7 structure. This isn't always the
|
||
case: certificates can be omitted from a PKCS#7 structure and be
|
||
distributed by "out of band" means (such as a certificate database).
|
||
[Steve Henson]
|
||
|
||
*) Complete the PEM_* macros with DECLARE_PEM versions to replace the
|
||
function prototypes in pem.h, also change util/mkdef.pl to add the
|
||
necessary function names.
|
||
[Steve Henson]
|
||
|
||
*) mk1mf.pl (used by Windows builds) did not properly read the
|
||
options set by Configure in the top level Makefile, and Configure
|
||
was not even able to write more than one option correctly.
|
||
Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
|
||
[Bodo Moeller]
|
||
|
||
*) New functions CONF_load_bio() and CONF_load_fp() to allow a config
|
||
file to be loaded from a BIO or FILE pointer. The BIO version will
|
||
for example allow memory BIOs to contain config info.
|
||
[Steve Henson]
|
||
|
||
*) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
|
||
Whoever hopes to achieve shared-library compatibility across versions
|
||
must use this, not the compile-time macro.
|
||
(Exercise 0.9.4: Which is the minimum library version required by
|
||
such programs?)
|
||
Note: All this applies only to multi-threaded programs, others don't
|
||
need locks.
|
||
[Bodo Moeller]
|
||
|
||
*) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
|
||
through a BIO pair triggered the default case, i.e.
|
||
SSLerr(...,SSL_R_UNKNOWN_STATE).
|
||
[Bodo Moeller]
|
||
|
||
*) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
|
||
can use the SSL library even if none of the specific BIOs is
|
||
appropriate.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
|
||
for the encoded length.
|
||
[Jeon KyoungHo <khjeon@sds.samsung.co.kr>]
|
||
|
||
*) Add initial documentation of the X509V3 functions.
|
||
[Steve Henson]
|
||
|
||
*) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
|
||
PEM_write_bio_PKCS8PrivateKey() that are equivalent to
|
||
PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
|
||
secure PKCS#8 private key format with a high iteration count.
|
||
[Steve Henson]
|
||
|
||
*) Fix determination of Perl interpreter: A perl or perl5
|
||
_directory_ in $PATH was also accepted as the interpreter.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
|
||
wrong with it but it was very old and did things like calling
|
||
PEM_ASN1_read() directly and used MD5 for the hash not to mention some
|
||
unusual formatting.
|
||
[Steve Henson]
|
||
|
||
*) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
|
||
to use the new extension code.
|
||
[Steve Henson]
|
||
|
||
*) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
|
||
with macros. This should make it easier to change their form, add extra
|
||
arguments etc. Fix a few PEM prototypes which didn't have cipher as a
|
||
constant.
|
||
[Steve Henson]
|
||
|
||
*) Add to configuration table a new entry that can specify an alternative
|
||
name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
|
||
according to Mark Crispin <MRC@Panda.COM>.
|
||
[Bodo Moeller]
|
||
|
||
#if 0
|
||
*) DES CBC did not update the IV. Weird.
|
||
[Ben Laurie]
|
||
#else
|
||
des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
|
||
Changing the behaviour of the former might break existing programs --
|
||
where IV updating is needed, des_ncbc_encrypt can be used.
|
||
#endif
|
||
|
||
*) When bntest is run from "make test" it drives bc to check its
|
||
calculations, as well as internally checking them. If an internal check
|
||
fails, it needs to cause bc to give a non-zero result or make test carries
|
||
on without noticing the failure. Fixed.
|
||
[Ben Laurie]
|
||
|
||
*) DES library cleanups.
|
||
[Ulf M<>ller]
|
||
|
||
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
|
||
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
|
||
ciphers. NOTE: although the key derivation function has been verified
|
||
against some published test vectors it has not been extensively tested
|
||
yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
|
||
of v2.0.
|
||
[Steve Henson]
|
||
|
||
*) Instead of "mkdir -p", which is not fully portable, use new
|
||
Perl script "util/mkdir-p.pl".
|
||
[Bodo Moeller]
|
||
|
||
*) Rewrite the way password based encryption (PBE) is handled. It used to
|
||
assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
|
||
structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
|
||
but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
|
||
the 'parameter' field of the AlgorithmIdentifier is passed to the
|
||
underlying key generation function so it must do its own ASN1 parsing.
|
||
This has also changed the EVP_PBE_CipherInit() function which now has a
|
||
'parameter' argument instead of literal salt and iteration count values
|
||
and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
|
||
[Steve Henson]
|
||
|
||
*) Support for PKCS#5 v1.5 compatible password based encryption algorithms
|
||
and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
|
||
Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
|
||
KEY" because this clashed with PKCS#8 unencrypted string. Since this
|
||
value was just used as a "magic string" and not used directly its
|
||
value doesn't matter.
|
||
[Steve Henson]
|
||
|
||
*) Introduce some semblance of const correctness to BN. Shame C doesn't
|
||
support mutable.
|
||
[Ben Laurie]
|
||
|
||
*) "linux-sparc64" configuration (ultrapenguin).
|
||
[Ray Miller <ray.miller@oucs.ox.ac.uk>]
|
||
"linux-sparc" configuration.
|
||
[Christian Forster <fo@hawo.stw.uni-erlangen.de>]
|
||
|
||
*) config now generates no-xxx options for missing ciphers.
|
||
[Ulf M<>ller]
|
||
|
||
*) Support the EBCDIC character set (work in progress).
|
||
File ebcdic.c not yet included because it has a different license.
|
||
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
|
||
|
||
*) Support BS2000/OSD-POSIX.
|
||
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
|
||
|
||
*) Make callbacks for key generation use void * instead of char *.
|
||
[Ben Laurie]
|
||
|
||
*) Make S/MIME samples compile (not yet tested).
|
||
[Ben Laurie]
|
||
|
||
*) Additional typesafe stacks.
|
||
[Ben Laurie]
|
||
|
||
*) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
|
||
[Bodo Moeller]
|
||
|
||
|
||
Changes between 0.9.3 and 0.9.3a [29 May 1999]
|
||
|
||
*) New configuration variant "sco5-gcc".
|
||
|
||
*) Updated some demos.
|
||
[Sean O Riordain, Wade Scholine]
|
||
|
||
*) Add missing BIO_free at exit of pkcs12 application.
|
||
[Wu Zhigang]
|
||
|
||
*) Fix memory leak in conf.c.
|
||
[Steve Henson]
|
||
|
||
*) Updates for Win32 to assembler version of MD5.
|
||
[Steve Henson]
|
||
|
||
*) Set #! path to perl in apps/der_chop to where we found it
|
||
instead of using a fixed path.
|
||
[Bodo Moeller]
|
||
|
||
*) SHA library changes for irix64-mips4-cc.
|
||
[Andy Polyakov]
|
||
|
||
*) Improvements for VMS support.
|
||
[Richard Levitte]
|
||
|
||
|
||
Changes between 0.9.2b and 0.9.3 [24 May 1999]
|
||
|
||
*) Bignum library bug fix. IRIX 6 passes "make test" now!
|
||
This also avoids the problems with SC4.2 and unpatched SC5.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) New functions sk_num, sk_value and sk_set to replace the previous macros.
|
||
These are required because of the typesafe stack would otherwise break
|
||
existing code. If old code used a structure member which used to be STACK
|
||
and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
|
||
sk_num or sk_value it would produce an error because the num, data members
|
||
are not present in STACK_OF. Now it just produces a warning. sk_set
|
||
replaces the old method of assigning a value to sk_value
|
||
(e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
|
||
that does this will no longer work (and should use sk_set instead) but
|
||
this could be regarded as a "questionable" behaviour anyway.
|
||
[Steve Henson]
|
||
|
||
*) Fix most of the other PKCS#7 bugs. The "experimental" code can now
|
||
correctly handle encrypted S/MIME data.
|
||
[Steve Henson]
|
||
|
||
*) Change type of various DES function arguments from des_cblock
|
||
(which means, in function argument declarations, pointer to char)
|
||
to des_cblock * (meaning pointer to array with 8 char elements),
|
||
which allows the compiler to do more typechecking; it was like
|
||
that back in SSLeay, but with lots of ugly casts.
|
||
|
||
Introduce new type const_des_cblock.
|
||
[Bodo Moeller]
|
||
|
||
*) Reorganise the PKCS#7 library and get rid of some of the more obvious
|
||
problems: find RecipientInfo structure that matches recipient certificate
|
||
and initialise the ASN1 structures properly based on passed cipher.
|
||
[Steve Henson]
|
||
|
||
*) Belatedly make the BN tests actually check the results.
|
||
[Ben Laurie]
|
||
|
||
*) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
|
||
to and from BNs: it was completely broken. New compilation option
|
||
NEG_PUBKEY_BUG to allow for some broken certificates that encode public
|
||
key elements as negative integers.
|
||
[Steve Henson]
|
||
|
||
*) Reorganize and speed up MD5.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) VMS support.
|
||
[Richard Levitte <richard@levitte.org>]
|
||
|
||
*) New option -out to asn1parse to allow the parsed structure to be
|
||
output to a file. This is most useful when combined with the -strparse
|
||
option to examine the output of things like OCTET STRINGS.
|
||
[Steve Henson]
|
||
|
||
*) Make SSL library a little more fool-proof by not requiring any longer
|
||
that SSL_set_{accept,connect}_state be called before
|
||
SSL_{accept,connect} may be used (SSL_set_..._state is omitted
|
||
in many applications because usually everything *appeared* to work as
|
||
intended anyway -- now it really works as intended).
|
||
[Bodo Moeller]
|
||
|
||
*) Move openssl.cnf out of lib/.
|
||
[Ulf M<>ller]
|
||
|
||
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
|
||
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
|
||
-Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Various fixes to the EVP and PKCS#7 code. It may now be able to
|
||
handle PKCS#7 enveloped data properly.
|
||
[Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]
|
||
|
||
*) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
|
||
copying pointers. The cert_st handling is changed by this in
|
||
various ways (and thus what used to be known as ctx->default_cert
|
||
is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
|
||
any longer when s->cert does not give us what we need).
|
||
ssl_cert_instantiate becomes obsolete by this change.
|
||
As soon as we've got the new code right (possibly it already is?),
|
||
we have solved a couple of bugs of the earlier code where s->cert
|
||
was used as if it could not have been shared with other SSL structures.
|
||
|
||
Note that using the SSL API in certain dirty ways now will result
|
||
in different behaviour than observed with earlier library versions:
|
||
Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
|
||
does not influence s as it used to.
|
||
|
||
In order to clean up things more thoroughly, inside SSL_SESSION
|
||
we don't use CERT any longer, but a new structure SESS_CERT
|
||
that holds per-session data (if available); currently, this is
|
||
the peer's certificate chain and, for clients, the server's certificate
|
||
and temporary key. CERT holds only those values that can have
|
||
meaningful defaults in an SSL_CTX.
|
||
[Bodo Moeller]
|
||
|
||
*) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
|
||
from the internal representation. Various PKCS#7 fixes: remove some
|
||
evil casts and set the enc_dig_alg field properly based on the signing
|
||
key type.
|
||
[Steve Henson]
|
||
|
||
*) Allow PKCS#12 password to be set from the command line or the
|
||
environment. Let 'ca' get its config file name from the environment
|
||
variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
|
||
and 'x509').
|
||
[Steve Henson]
|
||
|
||
*) Allow certificate policies extension to use an IA5STRING for the
|
||
organization field. This is contrary to the PKIX definition but
|
||
VeriSign uses it and IE5 only recognises this form. Document 'x509'
|
||
extension option.
|
||
[Steve Henson]
|
||
|
||
*) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
|
||
without disallowing inline assembler and the like for non-pedantic builds.
|
||
[Ben Laurie]
|
||
|
||
*) Support Borland C++ builder.
|
||
[Janez Jere <jj@void.si>, modified by Ulf M<>ller]
|
||
|
||
*) Support Mingw32.
|
||
[Ulf M<>ller]
|
||
|
||
*) SHA-1 cleanups and performance enhancements.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) Sparc v8plus assembler for the bignum library.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) Accept any -xxx and +xxx compiler options in Configure.
|
||
[Ulf M<>ller]
|
||
|
||
*) Update HPUX configuration.
|
||
[Anonymous]
|
||
|
||
*) Add missing sk_<type>_unshift() function to safestack.h
|
||
[Ralf S. Engelschall]
|
||
|
||
*) New function SSL_CTX_use_certificate_chain_file that sets the
|
||
"extra_cert"s in addition to the certificate. (This makes sense
|
||
only for "PEM" format files, as chains as a whole are not
|
||
DER-encoded.)
|
||
[Bodo Moeller]
|
||
|
||
*) Support verify_depth from the SSL API.
|
||
x509_vfy.c had what can be considered an off-by-one-error:
|
||
Its depth (which was not part of the external interface)
|
||
was actually counting the number of certificates in a chain;
|
||
now it really counts the depth.
|
||
[Bodo Moeller]
|
||
|
||
*) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
|
||
instead of X509err, which often resulted in confusing error
|
||
messages since the error codes are not globally unique
|
||
(e.g. an alleged error in ssl3_accept when a certificate
|
||
didn't match the private key).
|
||
|
||
*) New function SSL_CTX_set_session_id_context that allows to set a default
|
||
value (so that you don't need SSL_set_session_id_context for each
|
||
connection using the SSL_CTX).
|
||
[Bodo Moeller]
|
||
|
||
*) OAEP decoding bug fix.
|
||
[Ulf M<>ller]
|
||
|
||
*) Support INSTALL_PREFIX for package builders, as proposed by
|
||
David Harris.
|
||
[Bodo Moeller]
|
||
|
||
*) New Configure options "threads" and "no-threads". For systems
|
||
where the proper compiler options are known (currently Solaris
|
||
and Linux), "threads" is the default.
|
||
[Bodo Moeller]
|
||
|
||
*) New script util/mklink.pl as a faster substitute for util/mklink.sh.
|
||
[Bodo Moeller]
|
||
|
||
*) Install various scripts to $(OPENSSLDIR)/misc, not to
|
||
$(INSTALLTOP)/bin -- they shouldn't clutter directories
|
||
such as /usr/local/bin.
|
||
[Bodo Moeller]
|
||
|
||
*) "make linux-shared" to build shared libraries.
|
||
[Niels Poppe <niels@netbox.org>]
|
||
|
||
*) New Configure option no-<cipher> (rsa, idea, rc5, ...).
|
||
[Ulf M<>ller]
|
||
|
||
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
|
||
extension adding in x509 utility.
|
||
[Steve Henson]
|
||
|
||
*) Remove NOPROTO sections and error code comments.
|
||
[Ulf M<>ller]
|
||
|
||
*) Partial rewrite of the DEF file generator to now parse the ANSI
|
||
prototypes.
|
||
[Steve Henson]
|
||
|
||
*) New Configure options --prefix=DIR and --openssldir=DIR.
|
||
[Ulf M<>ller]
|
||
|
||
*) Complete rewrite of the error code script(s). It is all now handled
|
||
by one script at the top level which handles error code gathering,
|
||
header rewriting and C source file generation. It should be much better
|
||
than the old method: it now uses a modified version of Ulf's parser to
|
||
read the ANSI prototypes in all header files (thus the old K&R definitions
|
||
aren't needed for error creation any more) and do a better job of
|
||
translating function codes into names. The old 'ASN1 error code imbedded
|
||
in a comment' is no longer necessary and it doesn't use .err files which
|
||
have now been deleted. Also the error code call doesn't have to appear all
|
||
on one line (which resulted in some large lines...).
|
||
[Steve Henson]
|
||
|
||
*) Change #include filenames from <foo.h> to <openssl/foo.h>.
|
||
[Bodo Moeller]
|
||
|
||
*) Change behaviour of ssl2_read when facing length-0 packets: Don't return
|
||
0 (which usually indicates a closed connection), but continue reading.
|
||
[Bodo Moeller]
|
||
|
||
*) Fix some race conditions.
|
||
[Bodo Moeller]
|
||
|
||
*) Add support for CRL distribution points extension. Add Certificate
|
||
Policies and CRL distribution points documentation.
|
||
[Steve Henson]
|
||
|
||
*) Move the autogenerated header file parts to crypto/opensslconf.h.
|
||
[Ulf M<>ller]
|
||
|
||
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
|
||
8 of keying material. Merlin has also confirmed interop with this fix
|
||
between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
|
||
[Merlin Hughes <merlin@baltimore.ie>]
|
||
|
||
*) Fix lots of warnings.
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
|
||
the directory spec didn't end with a LIST_SEPARATOR_CHAR.
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) Fix problems with sizeof(long) == 8.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) Change functions to ANSI C.
|
||
[Ulf M<>ller]
|
||
|
||
*) Fix typos in error codes.
|
||
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf M<>ller]
|
||
|
||
*) Remove defunct assembler files from Configure.
|
||
[Ulf M<>ller]
|
||
|
||
*) SPARC v8 assembler BIGNUM implementation.
|
||
[Andy Polyakov <appro@fy.chalmers.se>]
|
||
|
||
*) Support for Certificate Policies extension: both print and set.
|
||
Various additions to support the r2i method this uses.
|
||
[Steve Henson]
|
||
|
||
*) A lot of constification, and fix a bug in X509_NAME_oneline() that could
|
||
return a const string when you are expecting an allocated buffer.
|
||
[Ben Laurie]
|
||
|
||
*) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
|
||
types DirectoryString and DisplayText.
|
||
[Steve Henson]
|
||
|
||
*) Add code to allow r2i extensions to access the configuration database,
|
||
add an LHASH database driver and add several ctx helper functions.
|
||
[Steve Henson]
|
||
|
||
*) Fix an evil bug in bn_expand2() which caused various BN functions to
|
||
fail when they extended the size of a BIGNUM.
|
||
[Steve Henson]
|
||
|
||
*) Various utility functions to handle SXNet extension. Modify mkdef.pl to
|
||
support typesafe stack.
|
||
[Steve Henson]
|
||
|
||
*) Fix typo in SSL_[gs]et_options().
|
||
[Nils Frostberg <nils@medcom.se>]
|
||
|
||
*) Delete various functions and files that belonged to the (now obsolete)
|
||
old X509V3 handling code.
|
||
[Steve Henson]
|
||
|
||
*) New Configure option "rsaref".
|
||
[Ulf M<>ller]
|
||
|
||
*) Don't auto-generate pem.h.
|
||
[Bodo Moeller]
|
||
|
||
*) Introduce type-safe ASN.1 SETs.
|
||
[Ben Laurie]
|
||
|
||
*) Convert various additional casted stacks to type-safe STACK_OF() variants.
|
||
[Ben Laurie, Ralf S. Engelschall, Steve Henson]
|
||
|
||
*) Introduce type-safe STACKs. This will almost certainly break lots of code
|
||
that links with OpenSSL (well at least cause lots of warnings), but fear
|
||
not: the conversion is trivial, and it eliminates loads of evil casts. A
|
||
few STACKed things have been converted already. Feel free to convert more.
|
||
In the fullness of time, I'll do away with the STACK type altogether.
|
||
[Ben Laurie]
|
||
|
||
*) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
|
||
specified in <certfile> by updating the entry in the index.txt file.
|
||
This way one no longer has to edit the index.txt file manually for
|
||
revoking a certificate. The -revoke option does the gory details now.
|
||
[Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]
|
||
|
||
*) Fix `openssl crl -noout -text' combination where `-noout' killed the
|
||
`-text' option at all and this way the `-noout -text' combination was
|
||
inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Make sure a corresponding plain text error message exists for the
|
||
X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
|
||
verify callback function determined that a certificate was revoked.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Bugfix: In test/testenc, don't test "openssl <cipher>" for
|
||
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
|
||
all available cipers including rc5, which was forgotten until now.
|
||
In order to let the testing shell script know which algorithms
|
||
are available, a new (up to now undocumented) command
|
||
"openssl list-cipher-commands" is used.
|
||
[Bodo Moeller]
|
||
|
||
*) Bugfix: s_client occasionally would sleep in select() when
|
||
it should have checked SSL_pending() first.
|
||
[Bodo Moeller]
|
||
|
||
*) New functions DSA_do_sign and DSA_do_verify to provide access to
|
||
the raw DSA values prior to ASN.1 encoding.
|
||
[Ulf M<>ller]
|
||
|
||
*) Tweaks to Configure
|
||
[Niels Poppe <niels@netbox.org>]
|
||
|
||
*) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
|
||
yet...
|
||
[Steve Henson]
|
||
|
||
*) New variables $(RANLIB) and $(PERL) in the Makefiles.
|
||
[Ulf M<>ller]
|
||
|
||
*) New config option to avoid instructions that are illegal on the 80386.
|
||
The default code is faster, but requires at least a 486.
|
||
[Ulf M<>ller]
|
||
|
||
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
|
||
SSL2_SERVER_VERSION (not used at all) macros, which are now the
|
||
same as SSL2_VERSION anyway.
|
||
[Bodo Moeller]
|
||
|
||
*) New "-showcerts" option for s_client.
|
||
[Bodo Moeller]
|
||
|
||
*) Still more PKCS#12 integration. Add pkcs12 application to openssl
|
||
application. Various cleanups and fixes.
|
||
[Steve Henson]
|
||
|
||
*) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
|
||
modify error routines to work internally. Add error codes and PBE init
|
||
to library startup routines.
|
||
[Steve Henson]
|
||
|
||
*) Further PKCS#12 integration. Added password based encryption, PKCS#8 and
|
||
packing functions to asn1 and evp. Changed function names and error
|
||
codes along the way.
|
||
[Steve Henson]
|
||
|
||
*) PKCS12 integration: and so it begins... First of several patches to
|
||
slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
|
||
objects to objects.h
|
||
[Steve Henson]
|
||
|
||
*) Add a new 'indent' option to some X509V3 extension code. Initial ASN1
|
||
and display support for Thawte strong extranet extension.
|
||
[Steve Henson]
|
||
|
||
*) Add LinuxPPC support.
|
||
[Jeff Dubrule <igor@pobox.org>]
|
||
|
||
*) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
|
||
bn_div_words in alpha.s.
|
||
[Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie]
|
||
|
||
*) Make sure the RSA OAEP test is skipped under -DRSAref because
|
||
OAEP isn't supported when OpenSSL is built with RSAref.
|
||
[Ulf Moeller <ulf@fitug.de>]
|
||
|
||
*) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
|
||
so they no longer are missing under -DNOPROTO.
|
||
[Soren S. Jorvang <soren@t.dk>]
|
||
|
||
|
||
Changes between 0.9.1c and 0.9.2b [22 Mar 1999]
|
||
|
||
*) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
|
||
doesn't work when the session is reused. Coming soon!
|
||
[Ben Laurie]
|
||
|
||
*) Fix a security hole, that allows sessions to be reused in the wrong
|
||
context thus bypassing client cert protection! All software that uses
|
||
client certs and session caches in multiple contexts NEEDS PATCHING to
|
||
allow session reuse! A fuller solution is in the works.
|
||
[Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
|
||
|
||
*) Some more source tree cleanups (removed obsolete files
|
||
crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
|
||
permission on "config" script to be executable) and a fix for the INSTALL
|
||
document.
|
||
[Ulf Moeller <ulf@fitug.de>]
|
||
|
||
*) Remove some legacy and erroneous uses of malloc, free instead of
|
||
Malloc, Free.
|
||
[Lennart Bang <lob@netstream.se>, with minor changes by Steve]
|
||
|
||
*) Make rsa_oaep_test return non-zero on error.
|
||
[Ulf Moeller <ulf@fitug.de>]
|
||
|
||
*) Add support for native Solaris shared libraries. Configure
|
||
solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
|
||
if someone would make that last step automatic.
|
||
[Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>]
|
||
|
||
*) ctx_size was not built with the right compiler during "make links". Fixed.
|
||
[Ben Laurie]
|
||
|
||
*) Change the meaning of 'ALL' in the cipher list. It now means "everything
|
||
except NULL ciphers". This means the default cipher list will no longer
|
||
enable NULL ciphers. They need to be specifically enabled e.g. with
|
||
the string "DEFAULT:eNULL".
|
||
[Steve Henson]
|
||
|
||
*) Fix to RSA private encryption routines: if p < q then it would
|
||
occasionally produce an invalid result. This will only happen with
|
||
externally generated keys because OpenSSL (and SSLeay) ensure p > q.
|
||
[Steve Henson]
|
||
|
||
*) Be less restrictive and allow also `perl util/perlpath.pl
|
||
/path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
|
||
because this way one can also use an interpreter named `perl5' (which is
|
||
usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
|
||
installed as `perl').
|
||
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
|
||
|
||
*) Let util/clean-depend.pl work also with older Perl 5.00x versions.
|
||
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
|
||
|
||
*) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
|
||
advapi32.lib to Win32 build and change the pem test comparision
|
||
to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
|
||
suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
|
||
and crypto/des/ede_cbcm_enc.c.
|
||
[Steve Henson]
|
||
|
||
*) DES quad checksum was broken on big-endian architectures. Fixed.
|
||
[Ben Laurie]
|
||
|
||
*) Comment out two functions in bio.h that aren't implemented. Fix up the
|
||
Win32 test batch file so it (might) work again. The Win32 test batch file
|
||
is horrible: I feel ill....
|
||
[Steve Henson]
|
||
|
||
*) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
|
||
in e_os.h. Audit of header files to check ANSI and non ANSI
|
||
sections: 10 functions were absent from non ANSI section and not exported
|
||
from Windows DLLs. Fixed up libeay.num for new functions.
|
||
[Steve Henson]
|
||
|
||
*) Make `openssl version' output lines consistent.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Fix Win32 symbol export lists for BIO functions: Added
|
||
BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
|
||
to ms/libeay{16,32}.def.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
|
||
fine under Unix and passes some trivial tests I've now added. But the
|
||
whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
|
||
added to make sure no one expects that this stuff really works in the
|
||
OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources
|
||
up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
|
||
openssl_bio.xs.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Fix the generation of two part addresses in perl.
|
||
[Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie]
|
||
|
||
*) Add config entry for Linux on MIPS.
|
||
[John Tobey <jtobey@channel1.com>]
|
||
|
||
*) Make links whenever Configure is run, unless we are on Windoze.
|
||
[Ben Laurie]
|
||
|
||
*) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
|
||
Currently only issuerAltName and AuthorityKeyIdentifier make any sense
|
||
in CRLs.
|
||
[Steve Henson]
|
||
|
||
*) Add a useful kludge to allow package maintainers to specify compiler and
|
||
other platforms details on the command line without having to patch the
|
||
Configure script everytime: One now can use ``perl Configure
|
||
<id>:<details>'', i.e. platform ids are allowed to have details appended
|
||
to them (seperated by colons). This is treated as there would be a static
|
||
pre-configured entry in Configure's %table under key <id> with value
|
||
<details> and ``perl Configure <id>'' is called. So, when you want to
|
||
perform a quick test-compile under FreeBSD 3.1 with pgcc and without
|
||
assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
|
||
now, which overrides the FreeBSD-elf entry on-the-fly.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Disable new TLS1 ciphersuites by default: they aren't official yet.
|
||
[Ben Laurie]
|
||
|
||
*) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
|
||
on the `perl Configure ...' command line. This way one can compile
|
||
OpenSSL libraries with Position Independent Code (PIC) which is needed
|
||
for linking it into DSOs.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Remarkably, export ciphers were totally broken and no-one had noticed!
|
||
Fixed.
|
||
[Ben Laurie]
|
||
|
||
*) Cleaned up the LICENSE document: The official contact for any license
|
||
questions now is the OpenSSL core team under openssl-core@openssl.org.
|
||
And add a paragraph about the dual-license situation to make sure people
|
||
recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
|
||
to the OpenSSL toolkit.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) General source tree makefile cleanups: Made `making xxx in yyy...'
|
||
display consistent in the source tree and replaced `/bin/rm' by `rm'.
|
||
Additonally cleaned up the `make links' target: Remove unnecessary
|
||
semicolons, subsequent redundant removes, inline point.sh into mklink.sh
|
||
to speed processing and no longer clutter the display with confusing
|
||
stuff. Instead only the actually done links are displayed.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Permit null encryption ciphersuites, used for authentication only. It used
|
||
to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
|
||
It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
|
||
encryption.
|
||
[Ben Laurie]
|
||
|
||
*) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
|
||
signed attributes when verifying signatures (this would break them),
|
||
the detached data encoding was wrong and public keys obtained using
|
||
X509_get_pubkey() weren't freed.
|
||
[Steve Henson]
|
||
|
||
*) Add text documentation for the BUFFER functions. Also added a work around
|
||
to a Win95 console bug. This was triggered by the password read stuff: the
|
||
last character typed gets carried over to the next fread(). If you were
|
||
generating a new cert request using 'req' for example then the last
|
||
character of the passphrase would be CR which would then enter the first
|
||
field as blank.
|
||
[Steve Henson]
|
||
|
||
*) Added the new `Includes OpenSSL Cryptography Software' button as
|
||
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
|
||
button and can be used by applications based on OpenSSL to show the
|
||
relationship to the OpenSSL project.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Remove confusing variables in function signatures in files
|
||
ssl/ssl_lib.c and ssl/ssl.h.
|
||
[Lennart Bong <lob@kulthea.stacken.kth.se>]
|
||
|
||
*) Don't install bss_file.c under PREFIX/include/
|
||
[Lennart Bong <lob@kulthea.stacken.kth.se>]
|
||
|
||
*) Get the Win32 compile working again. Modify mkdef.pl so it can handle
|
||
functions that return function pointers and has support for NT specific
|
||
stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
|
||
#ifdef WIN32 and WINNTs sprinkled about the place and some changes from
|
||
unsigned to signed types: this was killing the Win32 compile.
|
||
[Steve Henson]
|
||
|
||
*) Add new certificate file to stack functions,
|
||
SSL_add_dir_cert_subjects_to_stack() and
|
||
SSL_add_file_cert_subjects_to_stack(). These largely supplant
|
||
SSL_load_client_CA_file(), and can be used to add multiple certs easily
|
||
to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
|
||
This means that Apache-SSL and similar packages don't have to mess around
|
||
to add as many CAs as they want to the preferred list.
|
||
[Ben Laurie]
|
||
|
||
*) Experiment with doxygen documentation. Currently only partially applied to
|
||
ssl/ssl_lib.c.
|
||
See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
|
||
openssl.doxy as the configuration file.
|
||
[Ben Laurie]
|
||
|
||
*) Get rid of remaining C++-style comments which strict C compilers hate.
|
||
[Ralf S. Engelschall, pointed out by Carlos Amengual]
|
||
|
||
*) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
|
||
compiled in by default: it has problems with large keys.
|
||
[Steve Henson]
|
||
|
||
*) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
|
||
DH private keys and/or callback functions which directly correspond to
|
||
their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
|
||
is needed for applications which have to configure certificates on a
|
||
per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
|
||
(e.g. s_server).
|
||
For the RSA certificate situation is makes no difference, but
|
||
for the DSA certificate situation this fixes the "no shared cipher"
|
||
problem where the OpenSSL cipher selection procedure failed because the
|
||
temporary keys were not overtaken from the context and the API provided
|
||
no way to reconfigure them.
|
||
The new functions now let applications reconfigure the stuff and they
|
||
are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
|
||
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
|
||
non-public-API function ssl_cert_instantiate() is used as a helper
|
||
function and also to reduce code redundancy inside ssl_rsa.c.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Move s_server -dcert and -dkey options out of the undocumented feature
|
||
area because they are useful for the DSA situation and should be
|
||
recognized by the users.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Fix the cipher decision scheme for export ciphers: the export bits are
|
||
*not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
|
||
SSL_EXP_MASK. So, the original variable has to be used instead of the
|
||
already masked variable.
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
|
||
from `int' to `unsigned int' because it's a length and initialized by
|
||
EVP_DigestFinal() which expects an `unsigned int *'.
|
||
[Richard Levitte <levitte@stacken.kth.se>]
|
||
|
||
*) Don't hard-code path to Perl interpreter on shebang line of Configure
|
||
script. Instead use the usual Shell->Perl transition trick.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Make `openssl x509 -noout -modulus' functional also for DSA certificates
|
||
(in addition to RSA certificates) to match the behaviour of `openssl dsa
|
||
-noout -modulus' as it's already the case for `openssl rsa -noout
|
||
-modulus'. For RSA the -modulus is the real "modulus" while for DSA
|
||
currently the public key is printed (a decision which was already done by
|
||
`openssl dsa -modulus' in the past) which serves a similar purpose.
|
||
Additionally the NO_RSA no longer completely removes the whole -modulus
|
||
option; it now only avoids using the RSA stuff. Same applies to NO_DSA
|
||
now, too.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
|
||
BIO. See the source (crypto/evp/bio_ok.c) for more info.
|
||
[Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) Dump the old yucky req code that tried (and failed) to allow raw OIDs
|
||
to be added. Now both 'req' and 'ca' can use new objects defined in the
|
||
config file.
|
||
[Steve Henson]
|
||
|
||
*) Add cool BIO that does syslog (or event log on NT).
|
||
[Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie]
|
||
|
||
*) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
|
||
TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
|
||
TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
|
||
Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
|
||
[Ben Laurie]
|
||
|
||
*) Add preliminary config info for new extension code.
|
||
[Steve Henson]
|
||
|
||
*) Make RSA_NO_PADDING really use no padding.
|
||
[Ulf Moeller <ulf@fitug.de>]
|
||
|
||
*) Generate errors when private/public key check is done.
|
||
[Ben Laurie]
|
||
|
||
*) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
|
||
for some CRL extensions and new objects added.
|
||
[Steve Henson]
|
||
|
||
*) Really fix the ASN1 IMPLICIT bug this time... Partial support for private
|
||
key usage extension and fuller support for authority key id.
|
||
[Steve Henson]
|
||
|
||
*) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
|
||
padding method for RSA, which is recommended for new applications in PKCS
|
||
#1 v2.0 (RFC 2437, October 1998).
|
||
OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
|
||
foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
|
||
against Bleichbacher's attack on RSA.
|
||
[Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
|
||
Ben Laurie]
|
||
|
||
*) Updates to the new SSL compression code
|
||
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
|
||
|
||
*) Fix so that the version number in the master secret, when passed
|
||
via RSA, checks that if TLS was proposed, but we roll back to SSLv3
|
||
(because the server will not accept higher), that the version number
|
||
is 0x03,0x01, not 0x03,0x00
|
||
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
|
||
|
||
*) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
|
||
leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
|
||
in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
|
||
[Steve Henson]
|
||
|
||
*) Support for RAW extensions where an arbitrary extension can be
|
||
created by including its DER encoding. See apps/openssl.cnf for
|
||
an example.
|
||
[Steve Henson]
|
||
|
||
*) Make sure latest Perl versions don't interpret some generated C array
|
||
code as Perl array code in the crypto/err/err_genc.pl script.
|
||
[Lars Weber <3weber@informatik.uni-hamburg.de>]
|
||
|
||
*) Modify ms/do_ms.bat to not generate assembly language makefiles since
|
||
not many people have the assembler. Various Win32 compilation fixes and
|
||
update to the INSTALL.W32 file with (hopefully) more accurate Win32
|
||
build instructions.
|
||
[Steve Henson]
|
||
|
||
*) Modify configure script 'Configure' to automatically create crypto/date.h
|
||
file under Win32 and also build pem.h from pem.org. New script
|
||
util/mkfiles.pl to create the MINFO file on environments that can't do a
|
||
'make files': perl util/mkfiles.pl >MINFO should work.
|
||
[Steve Henson]
|
||
|
||
*) Major rework of DES function declarations, in the pursuit of correctness
|
||
and purity. As a result, many evil casts evaporated, and some weirdness,
|
||
too. You may find this causes warnings in your code. Zapping your evil
|
||
casts will probably fix them. Mostly.
|
||
[Ben Laurie]
|
||
|
||
*) Fix for a typo in asn1.h. Bug fix to object creation script
|
||
obj_dat.pl. It considered a zero in an object definition to mean
|
||
"end of object": none of the objects in objects.h have any zeros
|
||
so it wasn't spotted.
|
||
[Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>]
|
||
|
||
*) Add support for Triple DES Cipher Block Chaining with Output Feedback
|
||
Masking (CBCM). In the absence of test vectors, the best I have been able
|
||
to do is check that the decrypt undoes the encrypt, so far. Send me test
|
||
vectors if you have them.
|
||
[Ben Laurie]
|
||
|
||
*) Correct calculation of key length for export ciphers (too much space was
|
||
allocated for null ciphers). This has not been tested!
|
||
[Ben Laurie]
|
||
|
||
*) Modifications to the mkdef.pl for Win32 DEF file creation. The usage
|
||
message is now correct (it understands "crypto" and "ssl" on its
|
||
command line). There is also now an "update" option. This will update
|
||
the util/ssleay.num and util/libeay.num files with any new functions.
|
||
If you do a:
|
||
perl util/mkdef.pl crypto ssl update
|
||
it will update them.
|
||
[Steve Henson]
|
||
|
||
*) Overhauled the Perl interface (perl/*):
|
||
- ported BN stuff to OpenSSL's different BN library
|
||
- made the perl/ source tree CVS-aware
|
||
- renamed the package from SSLeay to OpenSSL (the files still contain
|
||
their history because I've copied them in the repository)
|
||
- removed obsolete files (the test scripts will be replaced
|
||
by better Test::Harness variants in the future)
|
||
[Ralf S. Engelschall]
|
||
|
||
*) First cut for a very conservative source tree cleanup:
|
||
1. merge various obsolete readme texts into doc/ssleay.txt
|
||
where we collect the old documents and readme texts.
|
||
2. remove the first part of files where I'm already sure that we no
|
||
longer need them because of three reasons: either they are just temporary
|
||
files which were left by Eric or they are preserved original files where
|
||
I've verified that the diff is also available in the CVS via "cvs diff
|
||
-rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
|
||
the crypto/md/ stuff).
|
||
[Ralf S. Engelschall]
|
||
|
||
*) More extension code. Incomplete support for subject and issuer alt
|
||
name, issuer and authority key id. Change the i2v function parameters
|
||
and add an extra 'crl' parameter in the X509V3_CTX structure: guess
|
||
what that's for :-) Fix to ASN1 macro which messed up
|
||
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
|
||
[Steve Henson]
|
||
|
||
*) Preliminary support for ENUMERATED type. This is largely copied from the
|
||
INTEGER code.
|
||
[Steve Henson]
|
||
|
||
*) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
|
||
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
|
||
|
||
*) Make sure `make rehash' target really finds the `openssl' program.
|
||
[Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
|
||
|
||
*) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
|
||
like to hear about it if this slows down other processors.
|
||
[Ben Laurie]
|
||
|
||
*) Add CygWin32 platform information to Configure script.
|
||
[Alan Batie <batie@aahz.jf.intel.com>]
|
||
|
||
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
|
||
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>]
|
||
|
||
*) New program nseq to manipulate netscape certificate sequences
|
||
[Steve Henson]
|
||
|
||
*) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
|
||
few typos.
|
||
[Steve Henson]
|
||
|
||
*) Fixes to BN code. Previously the default was to define BN_RECURSION
|
||
but the BN code had some problems that would cause failures when
|
||
doing certificate verification and some other functions.
|
||
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
|
||
|
||
*) Add ASN1 and PEM code to support netscape certificate sequences.
|
||
[Steve Henson]
|
||
|
||
*) Add ASN1 and PEM code to support netscape certificate sequences.
|
||
[Steve Henson]
|
||
|
||
*) Add several PKIX and private extended key usage OIDs.
|
||
[Steve Henson]
|
||
|
||
*) Modify the 'ca' program to handle the new extension code. Modify
|
||
openssl.cnf for new extension format, add comments.
|
||
[Steve Henson]
|
||
|
||
*) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
|
||
and add a sample to openssl.cnf so req -x509 now adds appropriate
|
||
CA extensions.
|
||
[Steve Henson]
|
||
|
||
*) Continued X509 V3 changes. Add to other makefiles, integrate with the
|
||
error code, add initial support to X509_print() and x509 application.
|
||
[Steve Henson]
|
||
|
||
*) Takes a deep breath and start addding X509 V3 extension support code. Add
|
||
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
|
||
stuff is currently isolated and isn't even compiled yet.
|
||
[Steve Henson]
|
||
|
||
*) Continuing patches for GeneralizedTime. Fix up certificate and CRL
|
||
ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
|
||
Removed the versions check from X509 routines when loading extensions:
|
||
this allows certain broken certificates that don't set the version
|
||
properly to be processed.
|
||
[Steve Henson]
|
||
|
||
*) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
|
||
Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
|
||
can still be regenerated with "make depend".
|
||
[Ben Laurie]
|
||
|
||
*) Spelling mistake in C version of CAST-128.
|
||
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]
|
||
|
||
*) Changes to the error generation code. The perl script err-code.pl
|
||
now reads in the old error codes and retains the old numbers, only
|
||
adding new ones if necessary. It also only changes the .err files if new
|
||
codes are added. The makefiles have been modified to only insert errors
|
||
when needed (to avoid needlessly modifying header files). This is done
|
||
by only inserting errors if the .err file is newer than the auto generated
|
||
C file. To rebuild all the error codes from scratch (the old behaviour)
|
||
either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
|
||
or delete all the .err files.
|
||
[Steve Henson]
|
||
|
||
*) CAST-128 was incorrectly implemented for short keys. The C version has
|
||
been fixed, but is untested. The assembler versions are also fixed, but
|
||
new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
|
||
to regenerate it if needed.
|
||
[Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
|
||
Hagino <itojun@kame.net>]
|
||
|
||
*) File was opened incorrectly in randfile.c.
|
||
[Ulf M<>ller <ulf@fitug.de>]
|
||
|
||
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print
|
||
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
|
||
GeneralizedTime. ASN1_TIME is the proper type used in certificates et
|
||
al: it's just almost always a UTCTime. Note this patch adds new error
|
||
codes so do a "make errors" if there are problems.
|
||
[Steve Henson]
|
||
|
||
*) Correct Linux 1 recognition in config.
|
||
[Ulf M<>ller <ulf@fitug.de>]
|
||
|
||
*) Remove pointless MD5 hash when using DSA keys in ca.
|
||
[Anonymous <nobody@replay.com>]
|
||
|
||
*) Generate an error if given an empty string as a cert directory. Also
|
||
generate an error if handed NULL (previously returned 0 to indicate an
|
||
error, but didn't set one).
|
||
[Ben Laurie, reported by Anonymous <nobody@replay.com>]
|
||
|
||
*) Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
|
||
[Ben Laurie]
|
||
|
||
*) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
|
||
parameters. This was causing a warning which killed off the Win32 compile.
|
||
[Steve Henson]
|
||
|
||
*) Remove C++ style comments from crypto/bn/bn_local.h.
|
||
[Neil Costigan <neil.costigan@celocom.com>]
|
||
|
||
*) The function OBJ_txt2nid was broken. It was supposed to return a nid
|
||
based on a text string, looking up short and long names and finally
|
||
"dot" format. The "dot" format stuff didn't work. Added new function
|
||
OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
|
||
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
|
||
OID is not part of the table.
|
||
[Steve Henson]
|
||
|
||
*) Add prototypes to X509 lookup/verify methods, fixing a bug in
|
||
X509_LOOKUP_by_alias().
|
||
[Ben Laurie]
|
||
|
||
*) Sort openssl functions by name.
|
||
[Ben Laurie]
|
||
|
||
*) Get the gendsa program working (hopefully) and add it to app list. Remove
|
||
encryption from sample DSA keys (in case anyone is interested the password
|
||
was "1234").
|
||
[Steve Henson]
|
||
|
||
*) Make _all_ *_free functions accept a NULL pointer.
|
||
[Frans Heymans <fheymans@isaserver.be>]
|
||
|
||
*) If a DH key is generated in s3_srvr.c, don't blow it by trying to use
|
||
NULL pointers.
|
||
[Anonymous <nobody@replay.com>]
|
||
|
||
*) s_server should send the CAfile as acceptable CAs, not its own cert.
|
||
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
|
||
|
||
*) Don't blow it for numeric -newkey arguments to apps/req.
|
||
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
|
||
|
||
*) Temp key "for export" tests were wrong in s3_srvr.c.
|
||
[Anonymous <nobody@replay.com>]
|
||
|
||
*) Add prototype for temp key callback functions
|
||
SSL_CTX_set_tmp_{rsa,dh}_callback().
|
||
[Ben Laurie]
|
||
|
||
*) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
|
||
DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
|
||
[Steve Henson]
|
||
|
||
*) X509_name_add_entry() freed the wrong thing after an error.
|
||
[Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) rsa_eay.c would attempt to free a NULL context.
|
||
[Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) BIO_s_socket() had a broken should_retry() on Windoze.
|
||
[Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
|
||
[Arne Ansper <arne@ats.cyber.ee>]
|
||
|
||
*) Make sure the already existing X509_STORE->depth variable is initialized
|
||
in X509_STORE_new(), but document the fact that this variable is still
|
||
unused in the certificate verification process.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Fix the various library and apps files to free up pkeys obtained from
|
||
X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
|
||
[Steve Henson]
|
||
|
||
*) Fix reference counting in X509_PUBKEY_get(). This makes
|
||
demos/maurice/example2.c work, amongst others, probably.
|
||
[Steve Henson and Ben Laurie]
|
||
|
||
*) First cut of a cleanup for apps/. First the `ssleay' program is now named
|
||
`openssl' and second, the shortcut symlinks for the `openssl <command>'
|
||
are no longer created. This way we have a single and consistent command
|
||
line interface `openssl <command>', similar to `cvs <command>'.
|
||
[Ralf S. Engelschall, Paul Sutton and Ben Laurie]
|
||
|
||
*) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
|
||
BIT STRING wrapper always have zero unused bits.
|
||
[Steve Henson]
|
||
|
||
*) Add CA.pl, perl version of CA.sh, add extended key usage OID.
|
||
[Steve Henson]
|
||
|
||
*) Make the top-level INSTALL documentation easier to understand.
|
||
[Paul Sutton]
|
||
|
||
*) Makefiles updated to exit if an error occurs in a sub-directory
|
||
make (including if user presses ^C) [Paul Sutton]
|
||
|
||
*) Make Montgomery context stuff explicit in RSA data structure.
|
||
[Ben Laurie]
|
||
|
||
*) Fix build order of pem and err to allow for generated pem.h.
|
||
[Ben Laurie]
|
||
|
||
*) Fix renumbering bug in X509_NAME_delete_entry().
|
||
[Ben Laurie]
|
||
|
||
*) Enhanced the err-ins.pl script so it makes the error library number
|
||
global and can add a library name. This is needed for external ASN1 and
|
||
other error libraries.
|
||
[Steve Henson]
|
||
|
||
*) Fixed sk_insert which never worked properly.
|
||
[Steve Henson]
|
||
|
||
*) Fix ASN1 macros so they can handle indefinite length construted
|
||
EXPLICIT tags. Some non standard certificates use these: they can now
|
||
be read in.
|
||
[Steve Henson]
|
||
|
||
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
|
||
into a single doc/ssleay.txt bundle. This way the information is still
|
||
preserved but no longer messes up this directory. Now it's new room for
|
||
the new set of documenation files.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) SETs were incorrectly DER encoded. This was a major pain, because they
|
||
shared code with SEQUENCEs, which aren't coded the same. This means that
|
||
almost everything to do with SETs or SEQUENCEs has either changed name or
|
||
number of arguments.
|
||
[Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>]
|
||
|
||
*) Fix test data to work with the above.
|
||
[Ben Laurie]
|
||
|
||
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
|
||
was already fixed by Eric for 0.9.1 it seems.
|
||
[Ben Laurie - pointed out by Ulf M<>ller <ulf@fitug.de>]
|
||
|
||
*) Autodetect FreeBSD3.
|
||
[Ben Laurie]
|
||
|
||
*) Fix various bugs in Configure. This affects the following platforms:
|
||
nextstep
|
||
ncr-scde
|
||
unixware-2.0
|
||
unixware-2.0-pentium
|
||
sco5-cc.
|
||
[Ben Laurie]
|
||
|
||
*) Eliminate generated files from CVS. Reorder tests to regenerate files
|
||
before they are needed.
|
||
[Ben Laurie]
|
||
|
||
*) Generate Makefile.ssl from Makefile.org (to keep CVS happy).
|
||
[Ben Laurie]
|
||
|
||
|
||
Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
|
||
|
||
*) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
|
||
changed SSLeay to OpenSSL in version strings.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Some fixups to the top-level documents.
|
||
[Paul Sutton]
|
||
|
||
*) Fixed the nasty bug where rsaref.h was not found under compile-time
|
||
because the symlink to include/ was missing.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Incorporated the popular no-RSA/DSA-only patches
|
||
which allow to compile a RSA-free SSLeay.
|
||
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall]
|
||
|
||
*) Fixed nasty rehash problem under `make -f Makefile.ssl links'
|
||
when "ssleay" is still not found.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Added more platforms to Configure: Cray T3E, HPUX 11,
|
||
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]
|
||
|
||
*) Updated the README file.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Added various .cvsignore files in the CVS repository subdirs
|
||
to make a "cvs update" really silent.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Recompiled the error-definition header files and added
|
||
missing symbols to the Win32 linker tables.
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Cleaned up the top-level documents;
|
||
o new files: CHANGES and LICENSE
|
||
o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
|
||
o merged COPYRIGHT into LICENSE
|
||
o removed obsolete TODO file
|
||
o renamed MICROSOFT to INSTALL.W32
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Removed dummy files from the 0.9.1b source tree:
|
||
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
|
||
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
|
||
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
|
||
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
|
||
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
|
||
[Ralf S. Engelschall]
|
||
|
||
*) Added various platform portability fixes.
|
||
[Mark J. Cox]
|
||
|
||
*) The Genesis of the OpenSSL rpject:
|
||
We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
|
||
Young and Tim J. Hudson created while they were working for C2Net until
|
||
summer 1998.
|
||
[The OpenSSL Project]
|
||
|
||
|
||
Changes between 0.9.0b and 0.9.1b [not released]
|
||
|
||
*) Updated a few CA certificates under certs/
|
||
[Eric A. Young]
|
||
|
||
*) Changed some BIGNUM api stuff.
|
||
[Eric A. Young]
|
||
|
||
*) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
|
||
DGUX x86, Linux Alpha, etc.
|
||
[Eric A. Young]
|
||
|
||
*) New COMP library [crypto/comp/] for SSL Record Layer Compression:
|
||
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
|
||
available).
|
||
[Eric A. Young]
|
||
|
||
*) Add -strparse option to asn1pars program which parses nested
|
||
binary structures
|
||
[Dr Stephen Henson <shenson@bigfoot.com>]
|
||
|
||
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
|
||
[Eric A. Young]
|
||
|
||
*) DSA fix for "ca" program.
|
||
[Eric A. Young]
|
||
|
||
*) Added "-genkey" option to "dsaparam" program.
|
||
[Eric A. Young]
|
||
|
||
*) Added RIPE MD160 (rmd160) message digest.
|
||
[Eric A. Young]
|
||
|
||
*) Added -a (all) option to "ssleay version" command.
|
||
[Eric A. Young]
|
||
|
||
*) Added PLATFORM define which is the id given to Configure.
|
||
[Eric A. Young]
|
||
|
||
*) Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
|
||
[Eric A. Young]
|
||
|
||
*) Extended the ASN.1 parser routines.
|
||
[Eric A. Young]
|
||
|
||
*) Extended BIO routines to support REUSEADDR, seek, tell, etc.
|
||
[Eric A. Young]
|
||
|
||
*) Added a BN_CTX to the BN library.
|
||
[Eric A. Young]
|
||
|
||
*) Fixed the weak key values in DES library
|
||
[Eric A. Young]
|
||
|
||
*) Changed API in EVP library for cipher aliases.
|
||
[Eric A. Young]
|
||
|
||
*) Added support for RC2/64bit cipher.
|
||
[Eric A. Young]
|
||
|
||
*) Converted the lhash library to the crypto/mem.c functions.
|
||
[Eric A. Young]
|
||
|
||
*) Added more recognized ASN.1 object ids.
|
||
[Eric A. Young]
|
||
|
||
*) Added more RSA padding checks for SSL/TLS.
|
||
[Eric A. Young]
|
||
|
||
*) Added BIO proxy/filter functionality.
|
||
[Eric A. Young]
|
||
|
||
*) Added extra_certs to SSL_CTX which can be used
|
||
send extra CA certificates to the client in the CA cert chain sending
|
||
process. It can be configured with SSL_CTX_add_extra_chain_cert().
|
||
[Eric A. Young]
|
||
|
||
*) Now Fortezza is denied in the authentication phase because
|
||
this is key exchange mechanism is not supported by SSLeay at all.
|
||
[Eric A. Young]
|
||
|
||
*) Additional PKCS1 checks.
|
||
[Eric A. Young]
|
||
|
||
*) Support the string "TLSv1" for all TLS v1 ciphers.
|
||
[Eric A. Young]
|
||
|
||
*) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
|
||
ex_data index of the SSL context in the X509_STORE_CTX ex_data.
|
||
[Eric A. Young]
|
||
|
||
*) Fixed a few memory leaks.
|
||
[Eric A. Young]
|
||
|
||
*) Fixed various code and comment typos.
|
||
[Eric A. Young]
|
||
|
||
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
|
||
bytes sent in the client random.
|
||
[Edward Bishop <ebishop@spyglass.com>]
|
||
|