Skip to content
CHANGES 184 KiB
Newer Older
 OpenSSL CHANGES
 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
  *) New options to 'ca' utility to support V2 CRL entry extensions.
     Currently CRL reason, invalidity date and hold instruction are
     supported. Add new CRL extensions to V3 code and some new objects.
     [Steve Henson]

  *) Add "-rand" option also to s_client and s_server.
     [Lutz Jaenicke]

  *) New function EVP_CIPHER_CTX_set_padding() this is used to
     disable standard block padding (aka PKCS#5 padding) in the EVP
     API, which was previously mandatory. This means that the data is
     not padded in any way and so the total length much be a multiple
     of the block size, otherwise an error occurs.
     [Steve Henson]

  *) Initial (incomplete) OCSP SSL support.
     [Steve Henson]

Ulf Möller's avatar
Ulf Möller committed
  *) Fix CPU detection on Irix 6.x.
     [Kurt Hockenbury <khockenb@stevens-tech.edu> and
      "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) New function OCSP_parse_url(). This splits up a URL into its host,
     port and path components: primarily to parse OCSP URLs. New -url
     option to ocsp utility.
     [Steve Henson]

  *) New nonce behavior. The return value of OCSP_check_nonce() now 
     reflects the various checks performed. Applications can decide
     whether to tolerate certain situations such as an absent nonce
     in a response when one was present in a request: the ocsp application
     just prints out a warning. New function OCSP_add1_basic_nonce()
     this is to allow responders to include a nonce in a response even if
     the request is nonce-less.
     [Steve Henson]

  *) Use the cached encoding of an X509_NAME structure rather than
     copying it. This is apparently the reason for the libsafe "errors"
     but the code is actually correct.
     [Steve Henson]

  *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
     skipped when using openssl x509 multiple times on a single input file,
     e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
     [Bodo Moeller]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
     set string type: to handle setting ASN1_TIME structures. Fix ca
     utility to correctly initialize revocation date of CRLs.
     [Steve Henson]

  *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
     the clients preferred ciphersuites and rather use its own preferences.
     Should help to work around M$ SGC (Server Gated Cryptography) bug in
     Internet Explorer by ensuring unchanged hash method during stepup.
     [Lutz Jaenicke]

  *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
     to aes and add a new 'exist' option to print out symbols that don't
     appear to exist.
     [Steve Henson]

  *) Additional options to ocsp utility to allow flags to be set and
     additional certificates supplied.
     [Steve Henson]

  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
     OCSP client a number of certificate to only verify the response
     signature against.
     [Richard Levitte]

Ulf Möller's avatar
Ulf Möller committed
  *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
     Bleichenbacher's DSA attack.
     [Ulf Moeller, Bodo Moeller]
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
     handle the new API. Currently only ECB, CBC modes supported. Add new
     AES OIDs. Add TLS AES ciphersuites as described in the "AES Ciphersuites
     for TLS" draft-ietf-tls-ciphersuite-03.txt.
     [Ben Laurie, Steve Henson]

  *) In the NCONF_...-based implementations for CONF_... queries
     (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
     a temporary CONF structure with the data component set to NULL
     (which gives segmentation faults in lh_retrieve).
     Instead, use NULL for the CONF pointer in CONF_get_string and
     CONF_get_number (which may use environment variables) and directly
     return NULL from CONF_get_section.
     [Bodo Moeller]

  *) Fix potential buffer overrun for EBCDIC.
     [Ulf Moeller]

  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
     request to response.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Functions for OCSP responders. OCSP_request_onereq_count(),
     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
     extract information from a certificate request. OCSP_response_create()
     creates a response and optionally adds a basic response structure.
     OCSP_basic_add1_status() adds a complete single response to a basic
     reponse and returns the OCSP_SINGLERESP structure just added (to allow
     extensions to be included for example). OCSP_basic_add1_cert() adds a
     certificate to a basic response and OCSP_basic_sign() signs a basic
     response with various flags. New helper functions ASN1_TIME_check()
     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
     (converts ASN1_TIME to GeneralizedTime).
     [Steve Henson]

  *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
     in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
     structure from a certificate. X509_pubkey_digest() digests tha public_key
     contents: this is used in various key identifiers. 
     [Steve Henson]

  *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
     keyUsage if basicConstraints absent for a CA.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  *) Make SMIME_write_PKCS7() write mail header values with a format that
     is more generally accepted (no spaces before the semicolon), since
     some programs can't parse those values properly otherwise.  Also make
     sure BIO's that break lines after each write do not create invalid
     headers.
     [Richard Levitte]

  *) Make sk_sort() tolerate a NULL argument.
     [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]

  *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
     passed by the function are trusted implicitly. If any of them signed the
     reponse then it is assumed to be valid and is not verified.
     [Steve Henson]

  *) Zero the premaster secret after deriving the master secret in
     DH ciphersuites.
     [Steve Henson]

  *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
     to data. This was previously part of the PKCS7 ASN1 code. This
     was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
     [Steve Henson, reported by Kenneth R. Robinette
				<support@securenetterm.com>]

  *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
     routines: without these tracing memory leaks is very painful.
     Fix leaks in PKCS12 and PKCS7 routines.
     [Steve Henson]

  *) Fix for Irix with NO_ASM.
     ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]

  *) Add some EVP_add_digest_alias registrations (as found in
     OpenSSL_add_all_digests()), to SSL_library_init()
     aka OpenSSL_add_ssl_algorithms().  This provides improved
     compatibility with peers using X.509 certificates
     with unconventional AlgorithmIdentifier OIDs.
     [Bodo Moeller]

  *) ./config script fixes.
     [Ulf Moeller, Richard Levitte]

  *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
     Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
     effectively meant GeneralizedTime would never be used. Now it
     is initialised to -1 but X509_time_adj() now has to check the value
     and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
     V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
     [Steve Henson, reported by Kenneth R. Robinette
				<support@securenetterm.com>]

  *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
     result in a zero length in the ASN1_INTEGER structure which was
     not consistent with the structure when d2i_ASN1_INTEGER() was used
     and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
     to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
     where it did not print out a minus for negative ASN1_INTEGER.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix 'openssl passwd -1'.
     [Bodo Moeller]

  *) Add summary printout to ocsp utility. The various functions which
     convert status values to strings have been renamed to:
     OCSP_response_status_str(), OCSP_cert_status_str() and
     OCSP_crl_reason_str() and are no longer static. New options
     to verify nonce values and to disable verification. OCSP response
     printout format cleaned up.
     [Steve Henson]

  *) Add additional OCSP certificate checks. These are those specified
     in RFC2560. This consists of two separate checks: the CA of the
     certificate being checked must either be the OCSP signer certificate
     or the issuer of the OCSP signer certificate. In the latter case the
     OCSP signer certificate must contain the OCSP signing extended key
     usage. This check is performed by attempting to match the OCSP
     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
     in the OCSP_CERTID structures of the response.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Initial OCSP certificate verification added to OCSP_basic_verify()
     and related routines. This uses the standard OpenSSL certificate
     verify routines to perform initial checks (just CA validity) and
     to obtain the certificate chain. Then additional checks will be
     performed on the chain. Currently the root CA is checked to see
     if it is explicitly trusted for OCSP signing. This is used to set
     a root CA as a global signing root: that is any certificate that
     chains to that CA is an acceptable OCSP signing certificate.
     [Steve Henson]

  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
     extensions from a separate configuration file.
     As when reading extensions from the main configuration file,
     the '-extensions ...' option may be used for specifying the
     section to use.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) Change PKCS12_key_gen_asc() so it can cope with non null
     terminated strings whose length is passed in the passlen
     parameter, for example from PEM callbacks. This was done
     by adding an extra length parameter to asc2uni().
     [Steve Henson, reported by <oddissey@samsung.co.kr>]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) New OCSP utility. Allows OCSP requests to be generated or
     read. The request can be sent to a responder and the output
     parsed, outputed or printed in text form. Not complete yet:
     still needs to check the OCSP response validity.
     [Steve Henson]

  *) New subcommands for 'openssl ca':
     'openssl ca -status <serial>' prints the status of the cert with
     the given serial number (according to the index file).
     'openssl ca -updatedb' updates the expiry status of certificates
     in the index file.
     [Massimiliano Pala <madwolf@comune.modena.it>]

  *) New '-newreq-nodes' command option to CA.pl.  This is like
     '-newreq', but calls 'openssl req' with the '-nodes' option
     so that the resulting key is not encrypted.
     [Damien Miller <djm@mindrot.org>]

  *) New configuration for the GNU Hurd.
     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Initial code to implement OCSP basic response verify. This
     is currently incomplete. Currently just finds the signer's
     certificate and verifies the signature on the response.
     [Steve Henson]

  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
     value of OPENSSLDIR.  This is available via the new '-d' option
     to 'openssl version', and is also included in 'openssl version -a'.
     [Bodo Moeller]

  *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
     call failed, free the DSA structure.
     [Bodo Moeller]

  *) Allowing defining memory allocation callbacks that will be given
     file name and line number information in additional arguments
     (a const char* and an int).  The basic functionality remains, as
     well as the original possibility to just replace malloc(),
     realloc() and free() by functions that do not know about these
     additional arguments.  To register and find out the current
     settings for extended allocation functions, the following
     functions are provided:

	CRYPTO_set_mem_ex_functions
	CRYPTO_set_locked_mem_ex_functions
	CRYPTO_get_mem_ex_functions
	CRYPTO_get_locked_mem_ex_functions

     These work the same way as CRYPTO_set_mem_functions and friends.
     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
     extended allocation function is enabled.
     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
     a conventional allocation function is enabled.
     [Richard Levitte, Bodo Moeller]
  *) Fix to uni2asc() to cope with zero length Unicode strings.
     These are present in some PKCS#12 files.
     [Steve Henson]

  *) Finish off removing the remaining LHASH function pointer casts.
     There should no longer be any prototype-casting required when using
     the LHASH abstraction, and any casts that remain are "bugs". See
     the callback types and macros at the head of lhash.h for details
     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
     If an EGD or PRNGD is running and enough entropy is returned, automatic
     seeding like with /dev/[u]random will be performed.
     Positions tried are: /etc/entropy, /var/run/egd-pool.
     [Lutz Jaenicke]

  *) Change the Unix RAND_poll() variant to be able to poll several
     random devices, as specified by DEVRANDOM, until a sufficient amount
     of data has been collected.   We spend at most 10 ms on each file
     (select timeout) and read in non-blocking mode.  DEVRANDOM now
     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
     (previously it was just the string "/dev/urandom"), so on typical
     platforms the 10 ms delay will never occur.
     Also separate out the Unix variant to its own file, rand_unix.c.
     For VMS, there's a currently-empty rand_vms.c.
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Move OCSP client related routines to ocsp_cl.c. These
     provide utility functions which an application needing
     to issue a request to an OCSP responder and analyse the
     response will typically need: as opposed to those which an
     OCSP responder itself would need which will be added later.

     OCSP_request_sign() signs an OCSP request with an API similar
     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
     response. OCSP_response_get1_basic() extracts basic response
     from response. OCSP_resp_find_status(): finds and extracts status
     information from an OCSP_CERTID structure (which will be created
     when the request structure is built). These are built from lower
     level functions which work on OCSP_SINGLERESP structures but
     wont normally be used unless the application wishes to examine
     extensions in the OCSP response for example.

     Replace nonce routines with a pair of functions.
     OCSP_request_add1_nonce() adds a nonce value and optionally
     generates a random value. OCSP_check_nonce() checks the
     validity of the nonce in an OCSP response.
     [Steve Henson]

  *) Change function OCSP_request_add() to OCSP_request_add0_id().
     This doesn't copy the supplied OCSP_CERTID and avoids the
     need to free up the newly created id. Change return type
     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
     This can then be used to add extensions to the request.
     Deleted OCSP_request_new(), since most of its functionality
     is now in OCSP_REQUEST_new() (and the case insensitive name
     clash) apart from the ability to set the request name which
     will be added elsewhere.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Update OCSP API. Remove obsolete extensions argument from
     various functions. Extensions are now handled using the new
     OCSP extension code. New simple OCSP HTTP function which 
     can be used to send requests and parse the response.
     [Steve Henson]

  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
     uses the special reorder version of SET OF to sort the attributes
     and reorder them to match the encoded order. This resolves a long
     standing problem: a verify on a PKCS7 structure just after signing
     it used to fail because the attribute order did not match the
     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
     it uses the received order. This is necessary to tolerate some broken
     software that does not order SET OF. This is handled by encoding
     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
     to produce the required SET OF.
     [Steve Henson]

Richard Levitte's avatar
Richard Levitte committed
  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
     files to get correct declarations of the ASN.1 item variables.
     [Richard Levitte]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
     ASN1_ITEM and no wrapper functions.
     [Steve Henson]

  *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
     replace the old function pointer based I/O routines. Change most of
     the *_d2i_bio() and *_d2i_fp() functions to use these.
     [Steve Henson]

  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
     lines, recognice more "algorithms" that can be deselected, and make
     it complain about algorithm deselection that isn't recognised.
     [Richard Levitte]

  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
     to use new functions. Add NO_ASN1_OLD which can be set to remove
     some old style ASN1 functions: this can be used to determine if old
     code will still work when these eventually go away.
  *) New extension functions for OCSP structures, these follow the
     same conventions as certificates and CRLs.
     [Steve Henson]

  *) New function X509V3_add1_i2d(). This automatically encodes and
     adds an extension. Its behaviour can be customised with various
     flags to append, replace or delete. Various wrappers added for
     certifcates and CRLs.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Fix to avoid calling the underlying ASN1 print routine when
     an extension cannot be parsed. Correct a typo in the
     OCSP_SERVICELOC extension. Tidy up print OCSP format.
     [Steve Henson]

  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
     Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
     when writing a 32767 byte record.
     [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]

  *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
     obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.

     (RSA objects have a reference count access to which is protected
     by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
     so they are meant to be shared between threads.)
     [Bodo Moeller, Geoff Thorpe; original patch submitted by
     "Reddie, Steven" <Steven.Reddie@ca.com>]
  *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
     entries for variables.
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     [Steve Henson]
  *) Fix a deadlock in CRYPTO_mem_leaks().
     [Bodo Moeller]

Bodo Möller's avatar
Bodo Möller committed
  *) Add functionality to apps/openssl.c for detecting locking
     problems: As the program is single-threaded, all we have
     to do is register a locking callback using an array for
     storing which locks are currently held by the program.
     [Bodo Moeller]

  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
     SSL_get_ex_data_X509_STORE_idx(), which is used in
     ssl_verify_cert_chain() and thus can be called at any time
     during TLS/SSL handshakes so that thread-safety is essential.
     Unfortunately, the ex_data design is not at all suited
     for multi-threaded use, so it probably should be abolished.
     [Bodo Moeller]

  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
     [Broadcom, tweaked and integrated by Geoff Thorpe]

  *) Move common extension printing code to new function
     X509V3_print_extensions(). Reorganise OCSP print routines and
     implement some needed OCSP ASN1 functions. Add OCSP extensions.
  *) New function X509_signature_print() to remove duplication in some
     print routines.
     [Steve Henson]

  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
     set (this was treated exactly the same as SET OF previously). This
     is used to reorder the STACK representing the structure to match the
     encoding. This will be used to get round a problem where a PKCS7
     structure which was signed could not be verified because the STACK
     order did not reflect the encoded order.
     [Steve Henson]

  *) Reimplement the OCSP ASN1 module using the new code.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
     for its ASN1 operations. The old style function pointers still exist
     for now but they will eventually go away.
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     completely replaces the old ASN1 functionality with a table driven
     encoder and decoder which interprets an ASN1_ITEM structure describing
     the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
     has also been converted to the new form.
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     [Steve Henson]

  *) Change BN_mod_exp_recp so that negative moduli are tolerated
     (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
     for negative moduli.
     [Bodo Moeller]

  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
     of not touching the result's sign bit.
     [Bodo Moeller]

  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
     set.
     [Bodo Moeller]

  *) Changed the LHASH code to use prototypes for callbacks, and created
     macros to declare and implement thin (optionally static) functions
     that provide type-safety and avoid function pointer casting for the
     type-specific callbacks.
     [Geoff Thorpe]

Ulf Möller's avatar
Ulf Möller committed
  *) Use better test patterns in bntest.
     [Ulf Möller]

Bodo Möller's avatar
Bodo Möller committed
  *) Added Kerberos Cipher Suites to be used with TLS, as written in
     RFC 2712.
     [Veers Staats <staatsvr@asc.hpc.mil>,
Ulf Möller's avatar
Ulf Möller committed
      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
Ulf Möller's avatar
Ulf Möller committed
  *) rand_win.c fix for Borland C.
     [Ulf Möller]
 
  *) BN_rshift bugfix for n == 0.
     [Bodo Moeller]

  *) Reformat the FAQ so the different questions and answers can be divided
Ulf Möller's avatar
Ulf Möller committed
     in sections depending on the subject.
  *) Have the zlib compression code load ZLIB.DLL dynamically under
     Windows.
     [Richard Levitte]

Bodo Möller's avatar
Bodo Möller committed
  *) New function BN_mod_sqrt for computing square roots modulo a prime
     (using the probabilistic Tonelli-Shanks algorithm unless
     p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
     be handled deterministically).
Bodo Möller's avatar
Bodo Möller committed
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

  *) Store verify_result within SSL_SESSION also for client side to
     avoid potential security hole. (Re-used sessions on the client side
     always resulted in verify_result==X509_V_OK, not using the original
     result of the server certificate verification.)
     [Lutz Jaenicke]

  *) Make BN_mod_inverse faster by explicitly handling small quotients
     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
     512 bits], about 30% for larger ones [1024 or 2048 bits].)
     [Bodo Moeller]

  *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
     SSL3_RT_APPLICATION_DATA, return 0.
     Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
     [Bodo Moeller]

  *) Fix SSL_peek:
     Both ssl2_peek and ssl3_peek, which were totally broken in earlier
     releases, have been re-implemented by renaming the previous
     implementations of ssl2_read and ssl3_read to ssl2_read_internal
     and ssl3_read_internal, respectively, and adding 'peek' parameters
     to them.  The new ssl[23]_{read,peek} functions are calls to
     ssl[23]_read_internal with the 'peek' flag set appropriately.
     A 'peek' parameter has also been added to ssl3_read_bytes, which
     does the actual work for ssl3_read_internal.
Bodo Möller's avatar
Bodo Möller committed
  *) New function BN_kronecker.
     [Bodo Moeller]

  *) Fix BN_gcd so that it works on negative inputs; the result is
     positive unless both parameters are zero.
     Previously something reasonably close to an infinite loop was
     possible because numbers could be growing instead of shrinking
     in the implementation of Euclid's algorithm.
     [Bodo Moeller]

  *) Fix BN_is_word() and BN_is_one() macros to take into account the
     sign of the number in question.

     Fix BN_is_word(a,w) to work correctly for w == 0.

     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
     because its test if the absolute value of 'a' equals 'w'.
     Note that BN_abs_is_word does *not* handle w == 0 reliably;
     it exists mostly for use in the implementations of BN_is_zero(),
     BN_is_one(), and BN_is_word().
     [Bodo Moeller]

  *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
     the method-specific "init()" handler. Also clean up ex_data after
     calling the method-specific "finish()" handler. Previously, this was
     happening the other way round.
Bodo Möller's avatar
Bodo Möller committed
  *) New function BN_swap.
     [Bodo Moeller]

  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
     the exponentiation functions are more likely to produce reasonable
     results on negative inputs.
     [Bodo Moeller]

  *) Change BN_mod_mul so that the result is always non-negative.
     Previously, it could be negative if one of the factors was negative;
     I don't think anyone really wanted that behaviour.
     [Bodo Moeller]

  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
Ulf Möller's avatar
Ulf Möller committed
     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
Bodo Möller's avatar
Bodo Möller committed
     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
     and add new functions:
Bodo Möller's avatar
Bodo Möller committed
          BN_nnmod
          BN_mod_sqr
          BN_mod_add
Bodo Möller's avatar
Bodo Möller committed
          BN_mod_add_quick
Bodo Möller's avatar
Bodo Möller committed
          BN_mod_sub
Bodo Möller's avatar
Bodo Möller committed
          BN_mod_sub_quick
          BN_mod_lshift1
          BN_mod_lshift1_quick
          BN_mod_lshift
          BN_mod_lshift_quick

Bodo Möller's avatar
Bodo Möller committed
     These functions always generate non-negative results.
Bodo Möller's avatar
Bodo Möller committed
     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
     such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
Bodo Möller's avatar
Bodo Möller committed

     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
     BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
     be reduced modulo  m.
Bodo Möller's avatar
Bodo Möller committed
     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]

  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul().  The removal in BN_mul()
     required a small change in bn_mul_part_recursive() and the addition
Ulf Möller's avatar
Ulf Möller committed
     of the functions bn_cmp_part_words(), bn_sub_part_words() and
     bn_add_part_words(), which do the same thing as bn_cmp_words(),
     bn_sub_words() and bn_add_words() except they take arrays with
     differing sizes.
     [Richard Levitte]

  *) In 'openssl passwd', verify passwords read from the terminal
     unless the '-salt' option is used (which usually means that
     verification would just waste user's time since the resulting
     hash is going to be compared with some given password hash)
     or the new '-noverify' option is used.

     This is an incompatible change, but it does not affect
     non-interactive use of 'openssl passwd' (passwords on the command
     line, '-stdin' option, '-in ...' option) and thus should not
     cause any problems.
     [Bodo Moeller]

  *) Remove all references to RSAref, since there's no more need for it.
     [Richard Levitte]

Bodo Möller's avatar
Bodo Möller committed
  *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
     The previous value, 12, was not always sufficient for BN_mod_exp().
     [Bodo Moeller]

  *) Make DSO load along a path given through an environment variable
     (SHLIB_PATH) with shl_load().
     [Richard Levitte]

  *) Constify the ENGINE code as a result of BIGNUM constification.
     Also constify the RSA code and most things related to it.  In a
     few places, most notable in the depth of the ASN.1 code, ugly
     casts back to non-const were required (to be solved at a later
     time)
  *) Make it so the openssl application has all engines loaded by default.
     [Richard Levitte]

  *) Constify the BIGNUM routines a little more.
     [Richard Levitte]

  *) Make sure that shared libraries get the internal name engine with
     the full version number and not just 0.  This should mark the
     shared libraries as not backward compatible.  Of course, this should
     be changed again when we can guarantee backward binary compatibility.
     [Richard Levitte]

  *) Add the following functions:

	ENGINE_load_cswift()
	ENGINE_load_chil()
	ENGINE_load_atalla()
	ENGINE_load_nuron()
	ENGINE_load_builtin_engines()

     That way, an application can itself choose if external engines that
     are built-in in OpenSSL shall ever be used or not.  The benefit is
     that applications won't have to be linked with libdl or other dso
     libraries unless it's really needed.

     Changed 'openssl engine' to load all engines on demand.
     Changed the engine header files to avoid the duplication of some
     declarations (they differed!).
     [Richard Levitte]

  *) 'openssl engine' can now list capabilities.
     [Richard Levitte]

  *) Better error reporting in 'openssl engine'.
     [Richard Levitte]

  *) Never call load_dh_param(NULL) in s_server.
     [Bodo Moeller]

  *) Add engine application.  It can currently list engines by name and
     identity, and test if they are actually available.
     [Richard Levitte]

  *) Add support for shared libraries under Irix.
     [Albert Chin-A-Young <china@thewrittenword.com>]

  *) Improve RPM specification file by forcing symbolic linking and making
     sure the installed documentation is also owned by root.root.
     [Damien Miller <djm@mindrot.org>]

  *) Add configuration option to build on Linux on both big-endian and
     little-endian MIPS.
     [Ralf Baechle <ralf@uni-koblenz.de>]

Richard Levitte's avatar
Richard Levitte committed
  *) Give the OpenSSL applications more possibilities to make use of
     keys (public as well as private) handled by engines.
     [Richard Levitte]

  *) Add OCSP code that comes from CertCo.
     [Richard Levitte]

Ulf Möller's avatar
.  
Ulf Möller committed
  *) Add VMS support for the Rijndael code.
     [Richard Levitte]

  *) Added untested support for Nuron crypto accelerator.
     [Ben Laurie]

  *) Add support for external cryptographic devices.  This code was
     previously distributed separately as the "engine" branch.
     [Geoff Thorpe, Richard Levitte]

  *) Rework the filename-translation in the DSO code. It is now possible to
     have far greater control over how a "name" is turned into a filename
     depending on the operating environment and any oddities about the
     different shared library filenames on each system.
     [Geoff Thorpe]

Richard Levitte's avatar
Richard Levitte committed
  *) Support threads on FreeBSD-elf in Configure.
     [Richard Levitte]

  *) Add the possibility to create shared libraries on HP-UX
     [Richard Levitte]

  *) Fix for SHA1 assembly problem with MASM: it produces
     warnings about corrupt line number information when assembling
     with debugging information. This is caused by the overlapping
     of two sections.
     [Bernd Matthes <mainbug@celocom.de>, Steve Henson]

  *) NCONF changes.
     NCONF_get_number() has no error checking at all.  As a replacement,
     NCONF_get_number_e() is defined (_e for "error checking") and is
     promoted strongly.  The old NCONF_get_number is kept around for
     binary backward compatibility.
     Make it possible for methods to load from something other than a BIO,
     by providing a function pointer that is given a name instead of a BIO.
     For example, this could be used to load configuration data from an
     LDAP server.
     [Richard Levitte]

  *) Fix typo in get_cert_by_subject() in by_dir.c
     [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]

  *) Rework the system to generate shared libraries:

     - Make note of the expected extension for the shared libraries and
       if there is a need for symbolic links from for example libcrypto.so.0
       to libcrypto.so.0.9.7.  There is extended info in Configure for
       that.

     - Make as few rebuilds of the shared libraries as possible.

     - Still avoid linking the OpenSSL programs with the shared libraries.

     - When installing, install the shared libraries separately from the
       static ones.
     [Richard Levitte]

  *) Fix for non blocking accept BIOs. Added new I/O special reason
     BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
     with non blocking I/O was not possible because no retry code was
     implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
     this case.
     [Steve Henson]

  *) Added the beginnings of Rijndael support.
     [Ben Laurie]

  *) Fix for bug in DirectoryString mask setting. Add support for
     X509_NAME_print_ex() in 'req' and X509_print_ex() function
     to allow certificate printing to more controllable, additional
     'certopt' option to 'x509' to allow new printing options to be
     set.
Richard Levitte's avatar
Richard Levitte committed
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

  *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.

     Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
     and not in SSL_clear because the latter is also used by the
     accept/connect functions; previously, the settings made by
     SSL_set_read_ahead would be lost during the handshake.
     [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]     

Richard Levitte's avatar
Richard Levitte committed
  *) Correct util/mkdef.pl to be selective about disabled algorithms.
     Previously, it would create entries for disableed algorithms no
     matter what.
     [Richard Levitte]
 Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
Bodo Möller's avatar
Bodo Möller committed
  *) In ssl23_get_client_hello, generate an error message when faced
     with an initial SSL 3.0/TLS record that is too small to contain the
     first two bytes of the ClientHello message, i.e. client_version.
     (Note that this is a pathologic case that probably has never happened
     in real life.)  The previous approach was to use the version number
Bodo Möller's avatar
Bodo Möller committed
     from the record header as a substitute; but our protocol choice
Bodo Möller's avatar
Bodo Möller committed
     should not depend on that one because it is not authenticated
     by the Finished messages.
     [Bodo Moeller]

Ulf Möller's avatar
Ulf Möller committed
  *) More robust randomness gathering functions for Windows.
     [Jeffrey Altman <jaltman@columbia.edu>]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
     not set then we don't setup the error code for issuer check errors
     to avoid possibly overwriting other errors which the callback does
     handle. If an application does set the flag then we assume it knows
     what it is doing and can handle the new informational codes
     appropriately.
     [Steve Henson]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
     a general "ANY" type, as such it should be able to decode anything
     including tagged types. However it didn't check the class so it would
     wrongly interpret tagged types in the same way as their universal
     counterpart and unknown types were just rejected. Changed so that the
     tagged and unknown types are handled in the same way as a SEQUENCE:
     that is the encoding is stored intact. There is also a new type
     "V_ASN1_OTHER" which is used when the class is not universal, in this
     case we have no idea what the actual type is so we just lump them all
     together.
     [Steve Henson]

  *) On VMS, stdout may very well lead to a file that is written to
     in a record-oriented fashion.  That means that every write() will
     write a separate record, which will be read separately by the
     programs trying to read from it.  This can be very confusing.

     The solution is to put a BIO filter in the way that will buffer
     text until a linefeed is reached, and then write everything a
     line at a time, so every record written will be an actual line,
     not chunks of lines and not (usually doesn't happen, but I've
     seen it once) several lines in one record.  BIO_f_linebuffer() is
     the answer.

     Currently, it's a VMS-only method, because that's where it has
     been tested well enough.
     [Richard Levitte]

  *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
     it can return incorrect results.
     (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
     but it was in 0.9.6-beta[12].)
     [Bodo Moeller]

  *) Disable the check for content being present when verifying detached
     signatures in pk7_smime.c. Some versions of Netscape (wrongly)
     include zero length content when signing messages.
     [Steve Henson]

  *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
     BIO_ctrl (for BIO pairs).
Ulf Möller's avatar
Ulf Möller committed
     [Bodo Möller]
  *) Add DSO method for VMS.
     [Richard Levitte]

  *) Bug fix: Montgomery multiplication could produce results with the
     wrong sign.
     [Ulf Möller]

  *) Add RPM specification openssl.spec and modify it to build three
     packages.  The default package contains applications, application
     documentation and run-time libraries.  The devel package contains
     include files, static libraries and function documentation.  The
     doc package contains the contents of the doc directory.  The original
     openssl.spec was provided by Damien Miller <djm@mindrot.org>.
     [Richard Levitte]
     
  *) Add a large number of documentation files for many SSL routines.
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]

  *) Add a configuration entry for Sony News 4.
     [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]

Ulf Möller's avatar
Ulf Möller committed
  *) Don't set the two most significant bits to one when generating a
     random number < q in the DSA library.
Ulf Möller's avatar
Ulf Möller committed

  *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
     behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
     the underlying transport is blocking) if a handshake took place.
     (The default behaviour is needed by applications such as s_client
     and s_server that use select() to determine when to use SSL_read;
     but for applications that know in advance when to expect data, it
     just makes things more complicated.)
     [Bodo Moeller]

Ben Laurie's avatar
Ben Laurie committed
  *) Add RAND_egd_bytes(), which gives control over the number of bytes read
     from EGD.
     [Ben Laurie]

  *) Add a few more EBCDIC conditionals that make `req' and `x509'
     work better on such systems.
     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]

  *) Add two demo programs for PKCS12_parse() and PKCS12_create().
     Update PKCS12_parse() so it copies the friendlyName and the
     keyid to the certificates aux info.
     [Steve Henson]

  *) Fix bug in PKCS7_verify() which caused an infinite loop
     if there was more than one signature.
     [Sven Uszpelkat <su@celocom.de>]

  *) Major change in util/mkdef.pl to include extra information
     about each symbol, as well as presentig variables as well
     as functions.  This change means that there's n more need
     to rebuild the .num files when some algorithms are excluded.
     [Richard Levitte]

Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Allow the verify time to be set by an application,
     rather than always using the current time.
     [Steve Henson]
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  *) Phase 2 verify code reorganisation. The certificate
     verify code now looks up an issuer certificate by a
     number of criteria: subject name, authority key id
     and key usage. It also verifies self signed certificates
     by the same criteria. The main comparison function is
     X509_check_issued() which performs these checks.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     Lot of changes were necessary in order to support this
     without completely rewriting the lookup code.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     Authority and subject key identifier are now cached.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The LHASH 'certs' is X509_STORE has now been replaced
     by a STACK_OF(X509_OBJECT). This is mainly because an
     LHASH can't store or retrieve multiple objects with
     the same hash value.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     As a result various functions (which were all internal
     use only) have changed to handle the new X509_STORE
     structure. This will break anything that messed round
     with X509_STORE internally.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The functions X509_STORE_add_cert() now checks for an
     exact match, rather than just subject name.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The X509_STORE API doesn't directly support the retrieval
     of multiple certificates matching a given criteria, however
     this can be worked round by performing a lookup first
     (which will fill the cache with candidate certificates)
     and then examining the cache for matches. This is probably
     the best we can do without throwing out X509_LOOKUP
     entirely (maybe later...).
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The X509_VERIFY_CTX structure has been enhanced considerably.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     All certificate lookup operations now go via a get_issuer()
     callback. Although this currently uses an X509_STORE it
     can be replaced by custom lookups. This is a simple way
     to bypass the X509_STORE hackery necessary to make this
     work and makes it possible to use more efficient techniques
     in future. A very simple version which uses a simple
     STACK for its trusted certificate store is also provided
     using X509_STORE_CTX_trusted_stack().
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     The verify_cb() and verify() callbacks now have equivalents
     in the X509_STORE_CTX structure.
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
     X509_STORE_CTX also has a 'flags' field which can be used
     to customise the verify behaviour.
     [Steve Henson]
  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
     excludes S/MIME capabilities.
     [Steve Henson]

  *) When a certificate request is read in keep a copy of the
     original encoding of the signed data and use it when outputing
     again. Signatures then use the original encoding rather than
     a decoded, encoded version which may cause problems if the
     request is improperly encoded.