
openssl/0.9.8g/CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]

  *) Fix various bugs:
     + Binary incompatibility of ssl_ctx_st structure
     + DTLS interoperation with non-compliant servers
     + Don't call get_session_cb() without proposed session
     + Fix ia64 assembler code
     [Andy Polyakov, Steve Henson]

 Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]

  *) DTLS handshake overhaul. There were longstanding issues with the
     OpenSSL DTLS implementation which made it impossible for an
     RFC 4347 compliant client to communicate with an OpenSSL server.
     Unfortunately, just fixing these incompatibilities would "cut off"
     pre-0.9.8f clients. To allow for a hassle-free upgrade, the post-0.9.8e
     server keeps tolerating the non-RFC-compliant syntax. The opposite is
     not true: a 0.9.8f client cannot communicate with an earlier server.
     This update also addresses CVE-2007-4995.
     [Andy Polyakov]

  *) Changes to avoid the need for function casts in OpenSSL: some compilers
     (gcc 4.2 and later) reject their use.
     [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
      Steve Henson]

  *) Add RFC4507 support to OpenSSL. This includes the corrections in
     RFC4507bis. The encrypted ticket format is an encrypted, encoded
     SSL_SESSION structure; that way new session features are automatically
     supported.

     If a client application caches sessions in an SSL_SESSION structure,
     support is transparent because tickets are now stored in the encoded
     SSL_SESSION.

     The SSL_CTX structure automatically generates keys for ticket
     protection in servers, so again support should be possible
     with no application modification.

     If a client or server wishes to disable RFC4507 support, then the option
     SSL_OP_NO_TICKET can be set.

     Add a TLS extension debugging callback to allow the contents of any client
     or server extensions to be examined.

     This work was sponsored by Google.
     [Steve Henson]

  *) Add initial support for TLS extensions, specifically for the server_name
     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
     have new members for a host name.  The SSL data structure has an
     additional member SSL_CTX *initial_ctx so that new sessions can be
     stored in that context to allow for session resumption, even after the
     SSL has been switched to a new SSL_CTX in reaction to a client's
     server_name extension.

     New functions (subject to change):

         SSL_get_servername()
         SSL_get_servername_type()
         SSL_set_SSL_CTX()

     New CTRL codes and macros (subject to change):

         SSL_CTRL_SET_TLSEXT_SERVERNAME_CB  - SSL_CTX_set_tlsext_servername_callback()
         SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG - SSL_CTX_set_tlsext_servername_arg()
         SSL_CTRL_SET_TLSEXT_HOSTNAME       - SSL_set_tlsext_host_name()

     openssl s_client has a new '-servername ...' option.

     openssl s_server has new options '-servername_host ...', '-cert2 ...',
     '-key2 ...', '-servername_fatal' (subject to change).  This allows
     testing the HostName extension for a specific single host name ('-cert'
     and '-key' remain fallbacks for handshakes without HostName
     negotiation).  If the unrecognized_name alert has to be sent, this by
     default is a warning; it becomes fatal with the '-servername_fatal'
     option.

     [Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]

  *) Add AES and SSE2 assembly language support to VC++ build.
     [Steve Henson]

  *) Mitigate attack on final subtraction in Montgomery reduction.
     [Andy Polyakov]

  *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
     (which previously caused an internal error).
     [Bodo Moeller]

  *) Squeeze another 10% out of IGE mode when in != out.
     [Ben Laurie]

  *) AES IGE mode speedup.
     [Dean Gaudet (Google)]

  *) Add the Korean symmetric 128-bit cipher SEED (see
     http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
     add SEED ciphersuites from RFC 4162:

        TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
        TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
        TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
        TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"

     To minimize changes between patchlevels in the OpenSSL 0.9.8
     series, SEED remains excluded from compilation unless OpenSSL
     is configured with 'enable-seed'.
     [KISA, Bodo Moeller]

  *) Mitigate branch prediction attacks, which can be practical if a
     single processor is shared, allowing a spy process to extract
     information.  For detailed background information, see
     http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
     J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
     and Necessary Software Countermeasures").  The core of the change
     is the new versions BN_div_no_branch() and
     BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
     respectively, which are slower but avoid the security-relevant
     conditional branches.  These are automatically called by BN_div()
     and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
     of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
     remove a conditional branch.

     BN_FLG_CONSTTIME is the new name for the previous
     BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
     modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
     in the exponent causes BN_mod_exp_mont() to use the alternative
     implementation in BN_mod_exp_mont_consttime().)  The old name
     remains as a deprecated alias.

     Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
     RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
     constant-time implementations for more than just exponentiation.
     Here too the old name is kept as a deprecated alias.

     BN_BLINDING_new() will now use BN_dup() for the modulus so that
     the BN_BLINDING structure gets an independent copy of the
     modulus.  This means that the previous "BIGNUM *m" argument to
     BN_BLINDING_new() and to BN_BLINDING_create_param() now
     essentially becomes "const BIGNUM *m", although we can't actually
     change this in the header file before 0.9.9.  It allows
     RSA_setup_blinding() to use BN_with_flags() on the modulus to
     enable BN_FLG_CONSTTIME.

     [Matthew D Wood (Intel Corp)]

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes).  Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set.  This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

  *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
     a ciphersuite string such as "DEFAULT:RSA" cannot enable
     authentication-only ciphersuites.
     [Bodo Moeller]

 Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]

  *) Since AES128 and AES256 (and similarly Camellia128 and
     Camellia256) share a single mask bit in the logic of
     ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
     kludge to work properly if AES128 is available and AES256 isn't
     (or if Camellia128 is available and Camellia256 isn't).
     [Victor Duchovni]

  *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
     (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
     When a point or a seed is encoded in a BIT STRING, we need to
     prevent the removal of trailing zero bits to get the proper DER
     encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
     of a NamedBitList, for which trailing 0 bits need to be removed.)
     [Bodo Moeller]

  *) Have the SSL/TLS server implementation tolerate a "mismatched" record
     protocol version while receiving the ClientHello even if the
     ClientHello is fragmented.  (The server can't insist on the
     particular protocol version it has chosen before the ServerHello
     message has informed the client about its choice.)
     [Bodo Moeller]

  *) Add RFC 3779 support.
     [Rob Austein for ARIN, Ben Laurie]

  *) Load error codes if they are not already present instead of using a
     static variable. This allows them to be cleanly unloaded and reloaded.
     Improve header file function name parsing.
     [Steve Henson]

  *) Extend SMTP and IMAP protocol emulation in s_client to use the EHLO
     or CAPABILITY handshake as required by the RFCs.
     [Goetz Babin-Ebell]

 Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]

  *) Introduce limits to prevent malicious keys being able to
     cause a denial of service.  (CVE-2006-2940)
     [Steve Henson, Bodo Moeller]

  *) Fix ASN.1 parsing of certain invalid structures that can result
     in a denial of service.  (CVE-2006-2937)  [Steve Henson]

  *) Fix buffer overflow in SSL_get_shared_ciphers() function.
     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Fix SSL client code which could crash if connecting to a
     malicious SSLv2 server.  (CVE-2006-4343)
     [Tavis Ormandy and Will Drewry, Google Security Team]

  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
     match only those.  Before that, "AES256-SHA" would be interpreted
     as a pattern and match "AES128-SHA" too (since AES128-SHA got
     the same strength classification in 0.9.7h), as we currently only
     have a single AES bit in the ciphersuite description bitmap.
     That change, however, also applied to ciphersuite strings such as
     "RC4-MD5" that intentionally matched multiple ciphersuites --
     namely, SSL 2.0 ciphersuites in addition to the more common ones
     from SSL 3.0/TLS 1.0.

     So we change the selection algorithm again: naming an explicit
     ciphersuite selects this one ciphersuite, and any other similar
     ciphersuite (same bitmap) from *other* protocol versions.
     Thus, "RC4-MD5" again will properly select both the SSL 2.0
     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.

     Since SSL 2.0 does not have any ciphersuites for which the
     128/256 bit distinction would be relevant, this works for now.
     The proper fix will be to use different bits for AES128 and
     AES256, which would have avoided the problems from the beginning;
     however, bits are scarce, so we can only do this in a new release
     (not just a patchlevel) when we can change the SSL_CIPHER
     definition to split the single 'unsigned long mask' bitmap into
     multiple values to extend the available space.

     [Bodo Moeller]
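
     Both cipher-string rules recorded in this file (an explicit suite name
     such as "AES256-SHA" selects only that suite, never a "similar" one such
     as "AES128-SHA", and "DEFAULT:RSA" cannot re-enable eNULL suites because
     "!eNULL" is part of SSL_DEFAULT_CIPHER_LIST) can be checked against the
     libssl of a given host through Python's ssl module. The probe below is an
     added example, not code from the OpenSSL CHANGES file; it assumes a
     Python build linked against OpenSSL 1.1.0 or later (for get_ciphers())
     and treats a suite the host's security level refuses as unavailable
     rather than as a failure.

```python
"""Probe two OpenSSL cipher-string rules through Python's ssl module, which
hands the string to libssl's SSL_CTX_set_cipher_list().  Constructed example;
needs a Python linked against OpenSSL >= 1.1.0 for SSLContext.get_ciphers()."""
import ssl


def selected_suites(cipher_string):
    """Names of the pre-TLS 1.3 suites a cipher string enables, in libssl's
    preference order.  Returns None when libssl rejects the string outright
    and [] when nothing matched (libssl may still accept the string because
    the separately configured TLS 1.3 suites keep its list non-empty)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    # TLS 1.3 suites are not governed by the cipher string and are always
    # reported by get_ciphers(), so leave them out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def enables_null_encryption(cipher_string):
    """True if the string ends up enabling any eNULL (no-encryption) suite."""
    return any("NULL" in name for name in (selected_suites(cipher_string) or []))


def explicit_name_is_exact(suite_name):
    """True if naming a suite explicitly yields that suite and nothing else
    (the 0.9.8b/0.9.8d rule); None if this host cannot enable it at all."""
    names = selected_suites(suite_name)
    if not names:
        return None
    return all(name == suite_name for name in names)


if __name__ == "__main__":
    # "DEFAULT:RSA": the trailing RSA alias cannot bring NULL-* suites back,
    # because the "!eNULL" inside DEFAULT is a permanent deletion.
    print("DEFAULT:RSA enables eNULL:", enables_null_encryption("DEFAULT:RSA"))
    # "ALL" merely does not match eNULL suites (it is not a "!" deletion), so a
    # later ":RSA" can add them if the host's security level still permits.
    print("ALL:RSA enables eNULL:", enables_null_encryption("ALL:RSA"))
    for name in ("AES256-SHA", "AES128-SHA"):
        print(name, "selects exactly itself:", explicit_name_is_exact(name))
```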
  248: 
  249:  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
  250: 
  251:   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
  252:      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
  253: 
  254:   *) Add AES IGE and biIGE modes.
  255:      [Ben Laurie]
  256: 
  257:   *) Change the Unix randomness entropy gathering to use poll() when
  258:      possible instead of select(), since the latter has some
  259:      undesirable limitations.
  260:      [Darryl Miles via Richard Levitte and Bodo Moeller]
  261: 
  262:   *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
  263:      treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
  264:      cannot be implicitly activated as part of, e.g., the "AES" alias.
  265:      However, please upgrade to OpenSSL 0.9.9[-dev] for
  266:      non-experimental use of the ECC ciphersuites to get TLS extension
  267:      support, which is required for curve and point format negotiation
  268:      to avoid potential handshake problems.
  269:      [Bodo Moeller]
  270: 
  271:   *) Disable rogue ciphersuites:
  272: 
  273:       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
  274:       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
  275:       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
  276: 
  277:      The latter two were purportedly from
  278:      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
  279:      appear there.
  280: 
  281:      Also deactivate the remaining ciphersuites from
  282:      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
  283:      unofficial, and the ID has long expired.
  284:      [Bodo Moeller]
  285: 
  286:   *) Fix RSA blinding Heisenbug (problems sometimes occured on
  287:      dual-core machines) and other potential thread-safety issues.
  288:      [Bodo Moeller]
  289: 
  290:   *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
  291:      versions), which is now available for royalty-free use
  292:      (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
  293:      Also, add Camellia TLS ciphersuites from RFC 4132.
  294: 
  295:      To minimize changes between patchlevels in the OpenSSL 0.9.8
  296:      series, Camellia remains excluded from compilation unless OpenSSL
  297:      is configured with 'enable-camellia'.
  298:      [NTT]
  299: 
  300:   *) Disable the padding bug check when compression is in use. The padding
  301:      bug check assumes the first packet is of even length, this is not
  302:      necessarily true if compresssion is enabled and can result in false
  303:      positives causing handshake failure. The actual bug test is ancient
  304:      code so it is hoped that implementations will either have fixed it by
  305:      now or any which still have the bug do not support compression.
  306:      [Steve Henson]
  307: 
  308:  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
  309: 
  310:   *) When applying a cipher rule check to see if string match is an explicit
  311:      cipher suite and only match that one cipher suite if it is.
  312:      [Steve Henson]
  313: 
  314:   *) Link in manifests for VC++ if needed.
  315:      [Austin Ziegler <halostatue@gmail.com>]
  316: 
  317:   *) Update support for ECC-based TLS ciphersuites according to
  318:      draft-ietf-tls-ecc-12.txt with proposed changes (but without
  319:      TLS extensions, which are supported starting with the 0.9.9
  320:      branch, not in the OpenSSL 0.9.8 branch).
  321:      [Douglas Stebila]
  322: 
  323:   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
  324:      opaque EVP_CIPHER_CTX handling.
  325:      [Steve Henson]
  326: 
  327:   *) Fixes and enhancements to zlib compression code. We now only use
  328:      "zlib1.dll" and use the default __cdecl calling convention on Win32
  329:      to conform with the standards mentioned here:
  330:            http://www.zlib.net/DLL_FAQ.txt
  331:      Static zlib linking now works on Windows and the new --with-zlib-include
  332:      --with-zlib-lib options to Configure can be used to supply the location
  333:      of the headers and library. Gracefully handle case where zlib library
  334:      can't be loaded.
  335:      [Steve Henson]
  336: 
  337:   *) Several fixes and enhancements to the OID generation code. The old code
  338:      sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
  339:      handle numbers larger than ULONG_MAX, truncated printing and had a
  340:      non standard OBJ_obj2txt() behaviour.
  341:      [Steve Henson]
  342: 
  343:   *) Add support for building of engines under engine/ as shared libraries
  344:      under VC++ build system.
  345:      [Steve Henson]
  346: 
  347:   *) Corrected the numerous bugs in the Win32 path splitter in DSO.
  348:      Hopefully, we will not see any false combination of paths any more.
  349:      [Richard Levitte]
  350: 
  351:  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
  352: 
  353:   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
  354:      (part of SSL_OP_ALL).  This option used to disable the
  355:      countermeasure against man-in-the-middle protocol-version
  356:      rollback in the SSL 2.0 server implementation, which is a bad
  357:      idea.  (CVE-2005-2969)
  358: 
  359:      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
  360:      for Information Security, National Institute of Advanced Industrial
  361:      Science and Technology [AIST], Japan)]
  362: 
  363:   *) Add two function to clear and return the verify parameter flags.
  364:      [Steve Henson]
  365: 
  366:   *) Keep cipherlists sorted in the source instead of sorting them at
  367:      runtime, thus removing the need for a lock.
  368:      [Nils Larsch]
  369: 
  370:   *) Avoid some small subgroup attacks in Diffie-Hellman.
  371:      [Nick Mathewson and Ben Laurie]
  372: 
  373:   *) Add functions for well-known primes.
  374:      [Nick Mathewson]
  375: 
  376:   *) Extended Windows CE support.
  377:      [Satoshi Nakamura and Andy Polyakov]
  378: 
  379:   *) Initialize SSL_METHOD structures at compile time instead of during
  380:      runtime, thus removing the need for a lock.
  381:      [Steve Henson]
  382: 
  383:   *) Make PKCS7_decrypt() work even if no certificate is supplied by
  384:      attempting to decrypt each encrypted key in turn. Add support to
  385:      smime utility.
  386:      [Steve Henson]
  387: 
  388:  Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
  389: 
  390:   [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
  391:   OpenSSL 0.9.8.]
  392: 
  393:   *) Add libcrypto.pc and libssl.pc for those who feel they need them.
  394:      [Richard Levitte]
  395: 
  396:   *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
  397:      key into the same file any more.
  398:      [Richard Levitte]
  399: 
  400:   *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
  401:      [Andy Polyakov]
  402: 
  403:   *) Add -utf8 command line and config file option to 'ca'.
  404:      [Stefan <stf@udoma.org]
  405: 
  406:   *) Removed the macro des_crypt(), as it seems to conflict with some
  407:      libraries.  Use DES_crypt().
  408:      [Richard Levitte]
  409: 
  410:   *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
  411:      involves renaming the source and generated shared-libs for
  412:      both. The engines will accept the corrected or legacy ids
  413:      ('ncipher' and '4758_cca' respectively) when binding. NB,
  414:      this only applies when building 'shared'.
  415:      [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
  416: 
  417:   *) Add attribute functions to EVP_PKEY structure. Modify
  418:      PKCS12_create() to recognize a CSP name attribute and
  419:      use it. Make -CSP option work again in pkcs12 utility.
  420:      [Steve Henson]
  421: 
  422:   *) Add new functionality to the bn blinding code:
  423:      - automatic re-creation of the BN_BLINDING parameters after
  424:        a fixed number of uses (currently 32)
  425:      - add new function for parameter creation
  426:      - introduce flags to control the update behaviour of the
  427:        BN_BLINDING parameters
  428:      - hide BN_BLINDING structure
  429:      Add a second BN_BLINDING slot to the RSA structure to improve
  430:      performance when a single RSA object is shared among several
  431:      threads.
  432:      [Nils Larsch]
  433: 
  434:   *) Add support for DTLS.
  435:      [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
  436: 
  437:   *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
  438:      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
  439:      [Walter Goulet]
  440: 
  441:   *) Remove buggy and incompletet DH cert support from
  442:      ssl/ssl_rsa.c and ssl/s3_both.c
  443:      [Nils Larsch]
  444: 
  445:   *) Use SHA-1 instead of MD5 as the default digest algorithm for
  446:      the apps/openssl applications.
  447:      [Nils Larsch]
  448: 
  449:   *) Compile clean with "-Wall -Wmissing-prototypes
  450:      -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
  451:      DEBUG_SAFESTACK must also be set.
  452:      [Ben Laurie]
  453: 
  454:   *) Change ./Configure so that certain algorithms can be disabled by default.
  455:      The new counterpiece to "no-xxx" is "enable-xxx".
  456: 
  457:      The patented RC5 and MDC2 algorithms will now be disabled unless
  458:      "enable-rc5" and "enable-mdc2", respectively, are specified.
  459: 
  460:      (IDEA remains enabled despite being patented.  This is because IDEA
  461:      is frequently required for interoperability, and there is no license
  462:      fee for non-commercial use.  As before, "no-idea" can be used to
  463:      avoid this algorithm.)
  464: 
  465:      [Bodo Moeller]
  466: 
  467:   *) Add processing of proxy certificates (see RFC 3820).  This work was
  468:      sponsored by KTH (The Royal Institute of Technology in Stockholm) and
  469:      EGEE (Enabling Grids for E-science in Europe).
  470:      [Richard Levitte]
  471: 
  472:   *) RC4 performance overhaul on modern architectures/implementations, such
  473:      as Intel P4, IA-64 and AMD64.
  474:      [Andy Polyakov]
  475: 
  476:   *) New utility extract-section.pl. This can be used specify an alternative
  477:      section number in a pod file instead of having to treat each file as
  478:      a separate case in Makefile. This can be done by adding two lines to the
  479:      pod file:
  480: 
  481:      =for comment openssl_section:XXX
  482: 
  483:      The blank line is mandatory.
  484: 
  485:      [Steve Henson]
  486: 
  487:   *) New arguments -certform, -keyform and -pass for s_client and s_server
  488:      to allow alternative format key and certificate files and passphrase
  489:      sources.
  490:      [Steve Henson]
  491: 
  492:   *) New structure X509_VERIFY_PARAM which combines current verify parameters,
  493:      update associated structures and add various utility functions.
  494: 
  495:      Add new policy related verify parameters, include policy checking in 
  496:      standard verify code. Enhance 'smime' application with extra parameters
  497:      to support policy checking and print out.
  498:      [Steve Henson]
  499: 
  500:   *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
  501:      Nehemiah processors. These extensions support AES encryption in hardware
  502:      as well as RNG (though RNG support is currently disabled).
  503:      [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
  504: 
  505:   *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
  506:      [Geoff Thorpe]
  507: 
  508:   *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
  509:      [Andy Polyakov and a number of other people]
  510: 
  511:   *) Improved PowerPC platform support. Most notably BIGNUM assembler
  512:      implementation contributed by IBM.
  513:      [Suresh Chari, Peter Waltenberg, Andy Polyakov]
  514: 
  515:   *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
  516:      exponent rather than 'unsigned long'. There is a corresponding change to
  517:      the new 'rsa_keygen' element of the RSA_METHOD structure.
  518:      [Jelte Jansen, Geoff Thorpe]
  519: 
  520:   *) Functionality for creating the initial serial number file is now
  521:      moved from CA.pl to the 'ca' utility with a new option -create_serial.
  522: 
  523:      (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
  524:      number file to 1, which is bound to cause problems.  To avoid
  525:      the problems while respecting compatibility between different 0.9.7
  526:      patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
  527:      CA.pl for serial number initialization.  With the new release 0.9.8,
  528:      we can fix the problem directly in the 'ca' utility.)
  529:      [Steve Henson]
  530: 
  531:   *) Reduced header interdepencies by declaring more opaque objects in
  532:      ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
  533:      give fewer recursive includes, which could break lazy source code - so
  534:      this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
  535:      developers should define this symbol when building and using openssl to
  536:      ensure they track the recommended behaviour, interfaces, [etc], but
  537:      backwards-compatible behaviour prevails when this isn't defined.
  538:      [Geoff Thorpe]
  539: 
  540:   *) New function X509_POLICY_NODE_print() which prints out policy nodes.
  541:      [Steve Henson]
  542: 
  543:   *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
  544:      This will generate a random key of the appropriate length based on the 
  545:      cipher context. The EVP_CIPHER can provide its own random key generation
  546:      routine to support keys of a specific form. This is used in the des and 
  547:      3des routines to generate a key of the correct parity. Update S/MIME
  548:      code to use new functions and hence generate correct parity DES keys.
  549:      Add EVP_CHECK_DES_KEY #define to return an error if the key is not 
  550:      valid (weak or incorrect parity).
  551:      [Steve Henson]
  552: 
  553:   *) Add a local set of CRLs that can be used by X509_verify_cert() as well
  554:      as looking them up. This is useful when the verified structure may contain
  555:      CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
  556:      present unless the new PKCS7_NO_CRL flag is asserted.
  557:      [Steve Henson]
  558: 
  559:   *) Extend ASN1 oid configuration module. It now additionally accepts the
  560:      syntax:
  561: 
  562:      shortName = some long name, 1.2.3.4
  563:      [Steve Henson]
  564: 
  565:   *) Reimplemented the BN_CTX implementation. There is now no more static
  566:      limitation on the number of variables it can handle nor the depth of the
  567:      "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
  568:      information can now expand as required, and rather than having a single
  569:      static array of bignums, BN_CTX now uses a linked-list of such arrays
  570:      allowing it to expand on demand whilst maintaining the usefulness of
  571:      BN_CTX's "bundling".
  572:      [Geoff Thorpe]
  573: 
  574:   *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
  575:      to allow all RSA operations to function using a single BN_CTX.
  576:      [Geoff Thorpe]
  577: 
  578:   *) Preliminary support for certificate policy evaluation and checking. This
  579:      is initially intended to pass the tests outlined in "Conformance Testing
  580:      of Relying Party Client Certificate Path Processing Logic" v1.07.
  581:      [Steve Henson]
  582: 
  583:   *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
  584:      remained unused and not that useful. A variety of other little bignum
  585:      tweaks and fixes have also been made continuing on from the audit (see
  586:      below).
  587:      [Geoff Thorpe]
  588: 
  589:   *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
  590:      associated ASN1, EVP and SSL functions and old ASN1 macros.
  591:      [Richard Levitte]
  592: 
  593:   *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
  594:      and this should never fail. So the return value from the use of
  595:      BN_set_word() (which can fail due to needless expansion) is now deprecated;
  596:      if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
  597:      [Geoff Thorpe]
  598: 
  599:   *) BN_CTX_get() should return zero-valued bignums, providing the same
  600:      initialised value as BN_new().
  601:      [Geoff Thorpe, suggested by Ulf M?r]
  602: 
  603:   *) Support for inhibitAnyPolicy certificate extension.
  604:      [Steve Henson]
  605: 
  606:   *) An audit of the BIGNUM code is underway, for which debugging code is
  607:      enabled when BN_DEBUG is defined. This makes stricter enforcements on what
  608:      is considered valid when processing BIGNUMs, and causes execution to
  609:      assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
  610:      further steps are taken to deliberately pollute unused data in BIGNUM
  611:      structures to try and expose faulty code further on. For now, openssl will
  612:      (in its default mode of operation) continue to tolerate the inconsistent
  613:      forms that it has tolerated in the past, but authors and packagers should
  614:      consider trying openssl and their own applications when compiled with
  615:      these debugging symbols defined. It will help highlight potential bugs in
  616:      their own code, and will improve the test coverage for OpenSSL itself. At
  617:      some point, these tighter rules will become openssl's default to improve
  618:      maintainability, though the assert()s and other overheads will remain only
  619:      in debugging configurations. See bn.h for more details.
  620:      [Geoff Thorpe, Nils Larsch, Ulf M?r]
  621: 
  622:   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
  623:      that can only be obtained through BN_CTX_new() (which implicitly
  624:      initialises it). The presence of this function only made it possible
  625:      to overwrite an existing structure (and cause memory leaks).
  626:      [Geoff Thorpe]
  627: 
  628:   *) Because of the callback-based approach for implementing LHASH as a
  629:      template type, lh_insert() adds opaque objects to hash-tables and
  630:      lh_doall() or lh_doall_arg() are typically used with a destructor callback
  631:      to clean up those corresponding objects before destroying the hash table
  632:      (and losing the object pointers). So some over-zealous constifications in
  633:      LHASH have been relaxed so that lh_insert() does not take (nor store) the
  634:      objects as "const" and the lh_doall[_arg] callback wrappers are not
  635:      prototyped to have "const" restrictions on the object pointers they are
  636:      given (and so aren't required to cast them away any more).
  637:      [Geoff Thorpe]
  638: 
  639:   *) The tmdiff.h API was so ugly and minimal that our own timing utility
  640:      (speed) prefers to use its own implementation. The two implementations
  641:      haven't been consolidated as yet (volunteers?) but the tmdiff API has had
  642:      its object type properly exposed (MS_TM) instead of casting to/from "char
  643:      *". This may still change yet if someone realises MS_TM and "ms_time_***"
  644:      aren't necessarily the greatest nomenclatures - but this is what was used
  645:      internally to the implementation so I've used that for now.
  646:      [Geoff Thorpe]
  647: 
  648:   *) Ensure that deprecated functions do not get compiled when
  649:      OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
  650:      the self-tests were still using deprecated key-generation functions so
  651:      these have been updated also.
  652:      [Geoff Thorpe]
  653: 
  654:   *) Reorganise PKCS#7 code to separate the digest location functionality
  655:      into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
  656:      New function PKCS7_set_digest() to set the digest type for PKCS#7
  657:      digestedData type. Add additional code to correctly generate the
  658:      digestedData type and add support for this type in PKCS7 initialization
  659:      functions.
  660:      [Steve Henson]
  661: 
  662:   *) New function PKCS7_set0_type_other(): this initializes a PKCS7
  663:      structure of type "other".
  664:      [Steve Henson]
  665: 
  666:   *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
  667:      sure the loop does correctly stop and that breaking ("division by zero")
  668:      modulus operations are not performed. The (pre-generated) prime
  669:      table crypto/bn/bn_prime.h was already correct, but it could not be
  670:      re-generated on some platforms because of the "division by zero"
  671:      situation in the script.
  672:      [Ralf S. Engelschall]
  673: 
  674:   *) Update support for ECC-based TLS ciphersuites according to
  675:      draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
  676:      SHA-1 now is only used for "small" curves (where the
  677:      representation of a field element takes up to 24 bytes); for
  678:      larger curves, the field element resulting from ECDH is directly
  679:      used as premaster secret.
  680:      [Douglas Stebila (Sun Microsystems Laboratories)]
  681: 
  682:   *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
  683:      curve secp160r1 to the tests.
  684:      [Douglas Stebila (Sun Microsystems Laboratories)]
  685: 
  686:   *) Add the possibility to load symbols globally with DSO.
  687:      [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
  688: 
  689:   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
  690:      control of the error stack.
  691:      [Richard Levitte]
  692: 
  693:   *) Add support for STORE in ENGINE.
  694:      [Richard Levitte]
  695: 
  696:   *) Add the STORE type.  The intention is to provide a common interface
  697:      to certificate and key stores, be they simple file-based stores, or
  698:      HSM-type store, or LDAP stores, or...
  699:      NOTE: The code is currently UNTESTED and isn't really used anywhere.
  700:      [Richard Levitte]
  701: 
  702:   *) Add a generic structure called OPENSSL_ITEM.  This can be used to
  703:      pass a list of arguments to any function as well as provide a way
  704:      for a function to pass data back to the caller.
  705:      [Richard Levitte]
  706: 
  707:   *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
  708:      works like BUF_strdup() but can be used to duplicate a portion of
  709:      a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
  710:      a memory area.
  711:      [Richard Levitte]
  712: 
  713:   *) Add the function sk_find_ex() which works like sk_find(), but will
  714:      return an index to an element even if an exact match couldn't be
  715:      found.  The index is guaranteed to point at the element where the
  716:      searched-for key would be inserted to preserve sorting order.
  717:      [Richard Levitte]
  718: 
  719:   *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
  720:      takes an extra flags argument for optional functionality.  Currently,
  721:      the following flags are defined:
  722: 
  723:         OBJ_BSEARCH_VALUE_ON_NOMATCH
  724:         This one gets OBJ_bsearch_ex() to return a pointer to the first
  725:         element where the comparing function returns a negative or zero
  726:         number.
  727: 
  728:         OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
  729:         This one gets OBJ_bsearch_ex() to return a pointer to the first
  730:         element where the comparing function returns zero.  This is useful
  731:         if there are more than one element where the comparing function
  732:         returns zero.
  733:      [Richard Levitte]
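The lookup semantics described for sk_find_ex() and OBJ_bsearch_ex() in the two entries above, worked through in a self-contained C example added here. This is illustration code, not OpenSSL's own OBJ_bsearch_ex() or sk_find_ex(): the flag values and the names bsearch_ex_index() and demo_lookup() are assumptions, and the sorted table is constructed for the demo. The search returns an index instead of a pointer so that a no-match insertion point one past the last element stays representable, and the duplicate run in the table shows the difference between a plain match and OBJ_BSEARCH_FIRST_VALUE_ON_MATCH.

```c
#include <stdio.h>
#include <stddef.h>

/* Flag values are assumed for this example; they are not OpenSSL's. */
#define BSEARCH_VALUE_ON_NOMATCH      0x01
#define BSEARCH_FIRST_VALUE_ON_MATCH  0x02

/*
 * Binary search over `num` sorted elements of `size` bytes each, using
 * cmp(key, element) with the usual <0 / 0 / >0 convention.
 * Returns an index or -1:
 *   - plain match: any index whose element compares equal to key;
 *   - BSEARCH_FIRST_VALUE_ON_MATCH: the lowest such index, i.e. duplicates
 *     are walked back to the first one;
 *   - BSEARCH_VALUE_ON_NOMATCH: on no match, the index of the first element
 *     that compares greater than key, which is where key would be inserted
 *     to preserve sorting order (this may equal num);
 *   - otherwise -1 on no match.
 */
int bsearch_ex_index(const void *key, const void *base_, int num, int size,
                     int (*cmp)(const void *, const void *), int flags)
{
    const char *base = base_;
    int l = 0, h = num, i = 0, c = 1;   /* c != 0 covers the num == 0 case */

    while (l < h) {
        i = l + (h - l) / 2;
        c = cmp(key, base + (size_t)i * size);
        if (c < 0)
            h = i;          /* element i is greater than key */
        else if (c > 0)
            l = i + 1;      /* element i is smaller than key */
        else
            break;          /* element i matches key */
    }

    if (c == 0) {
        if (flags & BSEARCH_FIRST_VALUE_ON_MATCH)
            while (i > 0 && cmp(key, base + (size_t)(i - 1) * size) == 0)
                i--;
        return i;
    }

    /* Loop invariant: elements [0, l) are smaller than key and elements
     * [h, num) are greater; with l == h that makes l the insertion point. */
    return (flags & BSEARCH_VALUE_ON_NOMATCH) ? l : -1;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Constructed sorted table containing a run of duplicate keys. */
static const int table[] = { 2, 3, 5, 5, 5, 8 };
#define TABLE_LEN ((int)(sizeof(table) / sizeof(table[0])))

/* Look `key` up in the constructed table with the given flags. */
int demo_lookup(int key, int flags)
{
    return bsearch_ex_index(&key, table, TABLE_LEN, sizeof(int), cmp_int, flags);
}

int main(void)
{
    printf("5, no flags             -> %d\n", demo_lookup(5, 0));
    printf("5, FIRST_VALUE_ON_MATCH -> %d\n",
           demo_lookup(5, BSEARCH_FIRST_VALUE_ON_MATCH));
    printf("4, no flags             -> %d\n", demo_lookup(4, 0));
    printf("4, VALUE_ON_NOMATCH     -> %d\n",
           demo_lookup(4, BSEARCH_VALUE_ON_NOMATCH));
    printf("9, VALUE_ON_NOMATCH     -> %d\n",
           demo_lookup(9, BSEARCH_VALUE_ON_NOMATCH));
    return 0;
}
```

With BSEARCH_VALUE_ON_NOMATCH set, a result equal to the element count is a legitimate "append here" position but not a valid element, so a caller must compare the returned index against the count before dereferencing; that is the check to keep in mind when using the no-match variants to insert into a sorted stack.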
  734: 
  735:   *) Make it possible to create self-signed certificates with 'openssl ca'
  736:      in such a way that the self-signed certificate becomes part of the
  737:      CA database and uses the same mechanisms for serial number generation
  738:      as all other certificate signing.  The new flag '-selfsign' enables
  739:      this functionality.  Adapt CA.sh and CA.pl.in.
  740:      [Richard Levitte]
  741: 
  742:   *) Add functionality to check the public key of a certificate request
  743:      against a given private key.  This is useful to check that a certificate
  744:      request can be signed by that key (self-signing).
  745:      [Richard Levitte]
  746: 
  747:   *) Make it possible to have multiple active certificates with the same
  748:      subject in the CA index file.  This is done only if the keyword
  749:      'unique_subject' is set to 'no' in the main CA section (default
  750:      if 'CA_default') of the configuration file.  The value is saved
  751:      with the database itself in a separate index attribute file,
  752:      named like the index file with '.attr' appended to the name.
  753:      [Richard Levitte]
  754: 
  755:   *) Generate multi-valued AVAs using '+' notation in config files for
  756:      req and dirName.
  757:      [Steve Henson]
  758: