Import OpenSSL-1.0.0e.
[dragonfly.git] / crypto / openssl / CHANGES
3 _______________
5 Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
7 *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
8 by initialising X509_STORE_CTX properly. (CVE-2011-3207)
9 [Kaspar Brand <>]
11 *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
12 for multi-threaded use of ECDH. (CVE-2011-3210)
13 [Adam Langley (Google)]
15 *) Fix x509_name_ex_d2i memory leak on bad inputs.
16 [Bodo Moeller]
18 *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
19 signature public key algorithm by using OID xref utilities instead.
20 Before this you could only use some ECC ciphersuites with SHA1 only.
21 [Steve Henson]
23 *) Add protection against ECDSA timing attacks as mentioned in the paper
24 by Billy Bob Brumley and Nicola Tuveri, see:
28 [Billy Bob Brumley and Nicola Tuveri]
30 Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
32 *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
33 [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
35 *) Fix bug in string printing code: if *any* escaping is enabled we must
36 escape the escape character (backslash) or the resulting string is
37 ambiguous.
38 [Steve Henson]
40 Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
42 *) Disable code workaround for ancient and obsolete Netscape browsers
43 and servers: an attacker can use it in a ciphersuite downgrade attack.
44 Thanks to Martin Rex for discovering this bug. CVE-2010-4180
45 [Steve Henson]
47 *) Fixed J-PAKE implementation error, originally discovered by
48 Sebastien Martini, further info and confirmation from Stefan
49 Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
50 [Ben Laurie]
52 Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
54 *) Fix extension code to avoid race conditions which can result in a buffer
55 overrun vulnerability: resumed sessions must not be modified as they can
56 be shared by multiple threads. CVE-2010-3864
57 [Steve Henson]
59 *) Fix WIN32 build system to correctly link an ENGINE directory into
60 a DLL.
61 [Steve Henson]
63 Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
65 *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
66 (CVE-2010-1633)
67 [Steve Henson, Peter-Michael Hager <>]
69 Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
71 *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
72 context. The operation can be customised via the ctrl mechanism in
73 case ENGINEs want to include additional functionality.
74 [Steve Henson]
76 *) Tolerate yet another broken PKCS#8 key format: private key value negative.
77 [Steve Henson]
79 *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
80 output hashes compatible with older versions of OpenSSL.
81 [Willy Weisz <>]
83 *) Fix compression algorithm handling: if resuming a session use the
84 compression algorithm of the resumed session instead of determining
85 it from client hello again. Don't allow server to change algorithm.
86 [Steve Henson]
88 *) Add load_crls() function to apps tidying load_certs() too. Add option
89 to verify utility to allow additional CRLs to be included.
90 [Steve Henson]
92 *) Update OCSP request code to permit adding custom headers to the request:
93 some responders need this.
94 [Steve Henson]
96 *) The function EVP_PKEY_sign() returns <=0 on error: check return code
97 correctly.
98 [Julia Lawall <>]
100 *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
101 needlessly dereferenced structures, used obsolete functions and
102 didn't handle all updated verify codes correctly.
103 [Steve Henson]
105 *) Disable MD2 in the default configuration.
106 [Steve Henson]
108 *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
109 indicate the initial BIO being pushed or popped. This makes it possible
110 to determine whether the BIO is the one explicitly called or as a result
111 of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
112 it handles reference counts correctly and doesn't zero out the I/O bio
113 when it is not being explicitly popped. WARNING: applications which
114 included workarounds for the old buggy behaviour will need to be modified
115 or they could free up already freed BIOs.
116 [Steve Henson]
118 *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
119 renaming to all platforms (within the 0.9.8 branch, this was
120 done conditionally on Netware platforms to avoid a name clash).
121 [Guenter <>]
123 *) Add ECDHE and PSK support to DTLS.
124 [Michael Tuexen <>]
126 *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
127 be used on C++.
128 [Steve Henson]
130 *) Add "missing" function EVP_MD_flags() (without this the only way to
131 retrieve a digest flags is by accessing the structure directly. Update
132 EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
133 or cipher is registered as in the "from" argument. Print out all
134 registered digests in the dgst usage message instead of manually
135 attempting to work them out.
136 [Steve Henson]
138 *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
139 this allows the use of compression and extensions. Change default cipher
140 string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
141 by default unless an application cipher string requests it.
142 [Steve Henson]
144 *) Alter match criteria in PKCS12_parse(). It used to try to use local
145 key ids to find matching certificates and keys but some PKCS#12 files
146 don't follow the (somewhat unwritten) rules and this strategy fails.
147 Now just gather all certificates together and the first private key
148 then look for the first certificate that matches the key.
149 [Steve Henson]
151 *) Support use of registered digest and cipher names for dgst and cipher
152 commands instead of having to add each one as a special case. So now
153 you can do:
155 openssl sha256 foo
157 as well as:
159 openssl dgst -sha256 foo
161 and this works for ENGINE based algorithms too.
163 [Steve Henson]
165 *) Update Gost ENGINE to support parameter files.
166 [Victor B. Wagner <>]
168 *) Support GeneralizedTime in ca utility.
169 [Oliver Martin <>, Steve Henson]
171 *) Enhance the hash format used for certificate directory links. The new
172 form uses the canonical encoding (meaning equivalent names will work
173 even if they aren't identical) and uses SHA1 instead of MD5. This form
174 is incompatible with the older format and as a result c_rehash should
175 be used to rebuild symbolic links.
176 [Steve Henson]
178 *) Make PKCS#8 the default write format for private keys, replacing the
179 traditional format. This form is standardised, more secure and doesn't
180 include an implicit MD5 dependency.
181 [Steve Henson]
183 *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
184 committed to OpenSSL should pass this lot as a minimum.
185 [Steve Henson]
187 *) Add session ticket override functionality for use by EAP-FAST.
188 [Jouni Malinen <>]
190 *) Modify HMAC functions to return a value. Since these can be implemented
191 in an ENGINE errors can occur.
192 [Steve Henson]
194 *) Type-checked OBJ_bsearch_ex.
195 [Ben Laurie]
197 *) Type-checked OBJ_bsearch. Also some constification necessitated
198 by type-checking. Still to come: TXT_DB, bsearch(?),
199 OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
201 [Ben Laurie]
203 *) New function OPENSSL_gmtime_adj() to add a specific number of days and
204 seconds to a tm structure directly, instead of going through OS
205 specific date routines. This avoids any issues with OS routines such
206 as the year 2038 bug. New *_adj() functions for ASN1 time structures
207 and X509_time_adj_ex() to cover the extended range. The existing
208 X509_time_adj() is still usable and will no longer have any date issues.
209 [Steve Henson]
211 *) Delta CRL support. New use deltas option which will attempt to locate
212 and search any appropriate delta CRLs available.
214 This work was sponsored by Google.
215 [Steve Henson]
217 *) Support for CRLs partitioned by reason code. Reorganise CRL processing
218 code and add additional score elements. Validate alternate CRL paths
219 as part of the CRL checking and indicate a new error "CRL path validation
220 error" in this case. Applications wanting additional details can use
221 the verify callback and check the new "parent" field. If this is not
222 NULL CRL path validation is taking place. Existing applications wont
223 see this because it requires extended CRL support which is off by
224 default.
226 This work was sponsored by Google.
227 [Steve Henson]
229 *) Support for freshest CRL extension.
231 This work was sponsored by Google.
232 [Steve Henson]
234 *) Initial indirect CRL support. Currently only supported in the CRLs
235 passed directly and not via lookup. Process certificate issuer
236 CRL entry extension and lookup CRL entries by bother issuer name
237 and serial number. Check and process CRL issuer entry in IDP extension.
239 This work was sponsored by Google.
240 [Steve Henson]
242 *) Add support for distinct certificate and CRL paths. The CRL issuer
243 certificate is validated separately in this case. Only enabled if
244 an extended CRL support flag is set: this flag will enable additional
245 CRL functionality in future.
247 This work was sponsored by Google.
248 [Steve Henson]
250 *) Add support for policy mappings extension.
252 This work was sponsored by Google.
253 [Steve Henson]
255 *) Fixes to pathlength constraint, self issued certificate handling,
256 policy processing to align with RFC3280 and PKITS tests.
258 This work was sponsored by Google.
259 [Steve Henson]
261 *) Support for name constraints certificate extension. DN, email, DNS
262 and URI types are currently supported.
264 This work was sponsored by Google.
265 [Steve Henson]
267 *) To cater for systems that provide a pointer-based thread ID rather
268 than numeric, deprecate the current numeric thread ID mechanism and
269 replace it with a structure and associated callback type. This
270 mechanism allows a numeric "hash" to be extracted from a thread ID in
271 either case, and on platforms where pointers are larger than 'long',
272 mixing is done to help ensure the numeric 'hash' is usable even if it
273 can't be guaranteed unique. The default mechanism is to use "&errno"
274 as a pointer-based thread ID to distinguish between threads.
276 Applications that want to provide their own thread IDs should now use
277 CRYPTO_THREADID_set_callback() to register a callback that will call
278 either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
280 Note that ERR_remove_state() is now deprecated, because it is tied
281 to the assumption that thread IDs are numeric. ERR_remove_state(0)
282 to free the current thread's error state should be replaced by
283 ERR_remove_thread_state(NULL).
285 (This new approach replaces the functions CRYPTO_set_idptr_callback(),
286 CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
287 OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
288 application was previously providing a numeric thread callback that
289 was inappropriate for distinguishing threads, then uniqueness might
290 have been obtained with &errno that happened immediately in the
291 intermediate development versions of OpenSSL; this is no longer the
292 case, the numeric thread callback will now override the automatic use
293 of &errno.)
294 [Geoff Thorpe, with help from Bodo Moeller]
296 *) Initial support for different CRL issuing certificates. This covers a
297 simple case where the self issued certificates in the chain exist and
298 the real CRL issuer is higher in the existing chain.
300 This work was sponsored by Google.
301 [Steve Henson]
303 *) Removed effectively defunct crypto/store from the build.
304 [Ben Laurie]
306 *) Revamp of STACK to provide stronger type-checking. Still to come:
307 TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
309 [Ben Laurie]
311 *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
312 RAM on SSL connections. This option can save about 34k per idle SSL.
313 [Nick Mathewson]
315 *) Revamp of LHASH to provide stronger type-checking. Still to come:
316 STACK, TXT_DB, bsearch, qsort.
317 [Ben Laurie]
319 *) Initial support for Cryptographic Message Syntax (aka CMS) based
320 on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
321 support for data, signedData, compressedData, digestedData and
322 encryptedData, envelopedData types included. Scripts to check against
323 RFC4134 examples draft and interop and consistency checks of many
324 content types and variants.
325 [Steve Henson]
327 *) Add options to enc utility to support use of zlib compression BIO.
328 [Steve Henson]
330 *) Extend mk1mf to support importing of options and assembly language
331 files from Configure script, currently only included in VC-WIN32.
332 The assembly language rules can now optionally generate the source
333 files from the associated perl scripts.
334 [Steve Henson]
336 *) Implement remaining functionality needed to support GOST ciphersuites.
337 Interop testing has been performed using CryptoPro implementations.
338 [Victor B. Wagner <>]
340 *) s390x assembler pack.
341 [Andy Polyakov]
343 *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
344 "family."
345 [Andy Polyakov]
347 *) Implement Opaque PRF Input TLS extension as specified in
348 draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
349 official specification yet and no extension type assignment by
350 IANA exists, this extension (for now) will have to be explicitly
351 enabled when building OpenSSL by providing the extension number
352 to use. For example, specify an option
354 -DTLSEXT_TYPE_opaque_prf_input=0x9527
356 to the "config" or "Configure" script to enable the extension,
357 assuming extension number 0x9527 (which is a completely arbitrary
358 and unofficial assignment based on the MD5 hash of the Internet
359 Draft). Note that by doing so, you potentially lose
360 interoperability with other TLS implementations since these might
361 be using the same extension number for other purposes.
363 SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
364 opaque PRF input value to use in the handshake. This will create
365 an interal copy of the length-'len' string at 'src', and will
366 return non-zero for success.
368 To get more control and flexibility, provide a callback function
369 by using
371 SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
372 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
374 where
376 int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
377 void *arg;
379 Callback function 'cb' will be called in handshakes, and is
380 expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
381 Argument 'arg' is for application purposes (the value as given to
382 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
383 be provided to the callback function). The callback function
384 has to return non-zero to report success: usually 1 to use opaque
385 PRF input just if possible, or 2 to enforce use of the opaque PRF
386 input. In the latter case, the library will abort the handshake
387 if opaque PRF input is not successfully negotiated.
389 Arguments 'peerinput' and 'len' given to the callback function
390 will always be NULL and 0 in the case of a client. A server will
391 see the client's opaque PRF input through these variables if
392 available (NULL and 0 otherwise). Note that if the server
393 provides an opaque PRF input, the length must be the same as the
394 length of the client's opaque PRF input.
396 Note that the callback function will only be called when creating
397 a new session (session resumption can resume whatever was
398 previously negotiated), and will not be called in SSL 2.0
399 handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
400 SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
401 for applications that need to enforce opaque PRF input.
403 [Bodo Moeller]
405 *) Update ssl code to support digests other than SHA1+MD5 for handshake
406 MAC.
408 [Victor B. Wagner <>]
410 *) Add RFC4507 support to OpenSSL. This includes the corrections in
411 RFC4507bis. The encrypted ticket format is an encrypted encoded
412 SSL_SESSION structure, that way new session features are automatically
413 supported.
415 If a client application caches session in an SSL_SESSION structure
416 support is transparent because tickets are now stored in the encoded
419 The SSL_CTX structure automatically generates keys for ticket
420 protection in servers so again support should be possible
421 with no application modification.
423 If a client or server wishes to disable RFC4507 support then the option
424 SSL_OP_NO_TICKET can be set.
426 Add a TLS extension debugging callback to allow the contents of any client
427 or server extensions to be examined.
429 This work was sponsored by Google.
430 [Steve Henson]
432 *) Final changes to avoid use of pointer pointer casts in OpenSSL.
433 OpenSSL should now compile cleanly on gcc 4.2
434 [Peter Hartley <>, Steve Henson]
436 *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
437 support including streaming MAC support: this is required for GOST
438 ciphersuite support.
439 [Victor B. Wagner <>, Steve Henson]
441 *) Add option -stream to use PKCS#7 streaming in smime utility. New
442 function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
443 to output in BER and PEM format.
444 [Steve Henson]
446 *) Experimental support for use of HMAC via EVP_PKEY interface. This
447 allows HMAC to be handled via the EVP_DigestSign*() interface. The
448 EVP_PKEY "key" in this case is the HMAC key, potentially allowing
449 ENGINE support for HMAC keys which are unextractable. New -mac and
450 -macopt options to dgst utility.
451 [Steve Henson]
453 *) New option -sigopt to dgst utility. Update dgst to use
454 EVP_Digest{Sign,Verify}*. These two changes make it possible to use
455 alternative signing paramaters such as X9.31 or PSS in the dgst
456 utility.
457 [Steve Henson]
459 *) Change ssl_cipher_apply_rule(), the internal function that does
460 the work each time a ciphersuite string requests enabling
461 ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
462 removing ("!foo+bar") a class of ciphersuites: Now it maintains
463 the order of disabled ciphersuites such that those ciphersuites
464 that most recently went from enabled to disabled not only stay
465 in order with respect to each other, but also have higher priority
466 than other disabled ciphersuites the next time ciphersuites are
467 enabled again.
469 This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
470 the same ciphersuites as with "HIGH" alone, but in a specific
471 order where the PSK ciphersuites come first (since they are the
472 most recently disabled ciphersuites when "HIGH" is parsed).
474 Also, change ssl_create_cipher_list() (using this new
475 funcionality) such that between otherwise identical
476 cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
477 the default order.
478 [Bodo Moeller]
480 *) Change ssl_create_cipher_list() so that it automatically
481 arranges the ciphersuites in reasonable order before starting
482 to process the rule string. Thus, the definition for "DEFAULT"
483 (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
484 remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
485 This makes it much easier to arrive at a reasonable default order
486 in applications for which anonymous ciphers are OK (meaning
487 that you can't actually use DEFAULT).
488 [Bodo Moeller; suggested by Victor Duchovni]
490 *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
491 processing) into multiple integers instead of setting
493 "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
494 (These masks as well as the individual bit definitions are hidden
495 away into the non-exported interface ssl/ssl_locl.h, so this
496 change to the definition of the SSL_CIPHER structure shouldn't
497 affect applications.) This give us more bits for each of these
498 categories, so there is no longer a need to coagulate AES128 and
499 AES256 into a single algorithm bit, and to coagulate Camellia128
500 and Camellia256 into a single algorithm bit, which has led to all
501 kinds of kludges.
503 Thus, among other things, the kludge introduced in 0.9.7m and
504 0.9.8e for masking out AES256 independently of AES128 or masking
505 out Camellia256 independently of AES256 is not needed here in 0.9.9.
507 With the change, we also introduce new ciphersuite aliases that
508 so far were missing: "AES128", "AES256", "CAMELLIA128", and
509 "CAMELLIA256".
510 [Bodo Moeller]
512 *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
513 Use the leftmost N bytes of the signature input if the input is
514 larger than the prime q (with N being the size in bytes of q).
515 [Nils Larsch]
517 *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
518 it yet and it is largely untested.
519 [Steve Henson]
521 *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
522 [Nils Larsch]
524 *) Initial incomplete changes to avoid need for function casts in OpenSSL
525 some compilers (gcc 4.2 and later) reject their use. Safestack is
526 reimplemented. Update ASN1 to avoid use of legacy functions.
527 [Steve Henson]
529 *) Win32/64 targets are linked with Winsock2.
530 [Andy Polyakov]
532 *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
533 to external functions. This can be used to increase CRL handling
534 efficiency especially when CRLs are very large by (for example) storing
535 the CRL revoked certificates in a database.
536 [Steve Henson]
538 *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
539 new CRLs added to a directory can be used. New command line option
540 -verify_return_error to s_client and s_server. This causes real errors
541 to be returned by the verify callback instead of carrying on no matter
542 what. This reflects the way a "real world" verify callback would behave.
543 [Steve Henson]
545 *) GOST engine, supporting several GOST algorithms and public key formats.
546 Kindly donated by Cryptocom.
547 [Cryptocom]
549 *) Partial support for Issuing Distribution Point CRL extension. CRLs
550 partitioned by DP are handled but no indirect CRL or reason partitioning
551 (yet). Complete overhaul of CRL handling: now the most suitable CRL is
552 selected via a scoring technique which handles IDP and AKID in CRLs.
553 [Steve Henson]
555 *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
556 will ultimately be used for all verify operations: this will remove the
557 X509_STORE dependency on certificate verification and allow alternative
558 lookup methods. X509_STORE based implementations of these two callbacks.
559 [Steve Henson]
561 *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
562 Modify get_crl() to find a valid (unexpired) CRL if possible.
563 [Steve Henson]
565 *) New function X509_CRL_match() to check if two CRLs are identical. Normally
566 this would be called X509_CRL_cmp() but that name is already used by
567 a function that just compares CRL issuer names. Cache several CRL
568 extensions in X509_CRL structure and cache CRLDP in X509.
569 [Steve Henson]
571 *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
572 this maps equivalent X509_NAME structures into a consistent structure.
573 Name comparison can then be performed rapidly using memcmp().
574 [Steve Henson]
576 *) Non-blocking OCSP request processing. Add -timeout option to ocsp
577 utility.
578 [Steve Henson]
580 *) Allow digests to supply their own micalg string for S/MIME type using
581 the ctrl EVP_MD_CTRL_MICALG.
582 [Steve Henson]
584 *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
585 EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
586 ctrl. It can then customise the structure before and/or after signing
587 if necessary.
588 [Steve Henson]
590 *) New function OBJ_add_sigid() to allow application defined signature OIDs
591 to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
592 to free up any added signature OIDs.
593 [Steve Henson]
595 *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
596 EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
597 digest and cipher tables. New options added to openssl utility:
598 list-message-digest-algorithms and list-cipher-algorithms.
599 [Steve Henson]
601 *) Change the array representation of binary polynomials: the list
602 of degrees of non-zero coefficients is now terminated with -1.
603 Previously it was terminated with 0, which was also part of the
604 value; thus, the array representation was not applicable to
605 polynomials where t^0 has coefficient zero. This change makes
606 the array representation useful in a more general context.
607 [Douglas Stebila]
609 *) Various modifications and fixes to SSL/TLS cipher string
610 handling. For ECC, the code now distinguishes between fixed ECDH
611 with RSA certificates on the one hand and with ECDSA certificates
612 on the other hand, since these are separate ciphersuites. The
613 unused code for Fortezza ciphersuites has been removed.
615 For consistency with EDH, ephemeral ECDH is now called "EECDH"
616 (not "ECDHE"). For consistency with the code for DH
617 certificates, use of ECDH certificates is now considered ECDH
618 authentication, not RSA or ECDSA authentication (the latter is
619 merely the CA's signing algorithm and not actively used in the
620 protocol).
622 The temporary ciphersuite alias "ECCdraft" is no longer
623 available, and ECC ciphersuites are no longer excluded from "ALL"
624 and "DEFAULT". The following aliases now exist for RFC 4492
625 ciphersuites, most of these by analogy with the DH case:
627 kECDHr - ECDH cert, signed with RSA
628 kECDHe - ECDH cert, signed with ECDSA
629 kECDH - ECDH cert (signed with either RSA or ECDSA)
630 kEECDH - ephemeral ECDH
631 ECDH - ECDH cert or ephemeral ECDH
633 aECDH - ECDH cert
634 aECDSA - ECDSA cert
635 ECDSA - ECDSA cert
637 AECDH - anonymous ECDH
638 EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
640 [Bodo Moeller]
642 *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
643 Use correct micalg parameters depending on digest(s) in signed message.
644 [Steve Henson]
646 *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
647 an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
648 [Steve Henson]
650 *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
651 an engine to register a method. Add ENGINE lookups for methods and
652 functional reference processing.
653 [Steve Henson]
655 *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
656 EVP_{Sign,Verify}* which allow an application to customise the signature
657 process.
658 [Steve Henson]
660 *) New -resign option to smime utility. This adds one or more signers
661 to an existing PKCS#7 signedData structure. Also -md option to use an
662 alternative message digest algorithm for signing.
663 [Steve Henson]
665 *) Tidy up PKCS#7 routines and add new functions to make it easier to
666 create PKCS7 structures containing multiple signers. Update smime
667 application to support multiple signers.
668 [Steve Henson]
670 *) New -macalg option to pkcs12 utility to allow setting of an alternative
671 digest MAC.
672 [Steve Henson]
674 *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
675 Reorganize PBE internals to lookup from a static table using NIDs,
676 add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
677 EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
678 PRF which will be automatically used with PBES2.
679 [Steve Henson]
681 *) Replace the algorithm specific calls to generate keys in "req" with the
682 new API.
683 [Steve Henson]
685 *) Update PKCS#7 enveloped data routines to use new API. This is now
686 supported by any public key method supporting the encrypt operation. A
687 ctrl is added to allow the public key algorithm to examine or modify
688 the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
689 a no op.
690 [Steve Henson]
692 *) Add a ctrl to asn1 method to allow a public key algorithm to express
693 a default digest type to use. In most cases this will be SHA1 but some
694 algorithms (such as GOST) need to specify an alternative digest. The
695 return value indicates how strong the prefernce is 1 means optional and
696 2 is mandatory (that is it is the only supported type). Modify
697 ASN1_item_sign() to accept a NULL digest argument to indicate it should
698 use the default md. Update openssl utilities to use the default digest
699 type for signing if it is not explicitly indicated.
700 [Steve Henson]
702 *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
703 EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
704 signing method from the key type. This effectively removes the link
705 between digests and public key types.
706 [Steve Henson]
708 *) Add an OID cross reference table and utility functions. Its purpose is to
709 translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
710 rsaEncryption. This will allow some of the algorithm specific hackery
711 needed to use the correct OID to be removed.
712 [Steve Henson]
714 *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
715 structures for PKCS7_sign(). They are now set up by the relevant public
716 key ASN1 method.
717 [Steve Henson]
719 *) Add provisional EC pkey method with support for ECDSA and ECDH.
720 [Steve Henson]
722 *) Add support for key derivation (agreement) in the API, DH method and
723 pkeyutl.
724 [Steve Henson]
726 *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
727 public and private key formats. As a side effect these add additional
728 command line functionality not previously available: DSA signatures can be
729 generated and verified using pkeyutl and DH key support and generation in
730 pkey, genpkey.
731 [Steve Henson]
733 *) BeOS support.
734 [Oliver Tappe <>]
736 *) New make target "install_html_docs" installs HTML renditions of the
737 manual pages.
738 [Oliver Tappe <>]
740 *) New utility "genpkey" this is analagous to "genrsa" etc except it can
741 generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
742 support key and parameter generation and add initial key generation
743 functionality for RSA.
744 [Steve Henson]
746 *) Add functions for main EVP_PKEY_method operations. The undocumented
747 functions EVP_PKEY_{encrypt,decrypt} have been renamed to
748 EVP_PKEY_{encrypt,decrypt}_old.
749 [Steve Henson]
751 *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
752 key API, doesn't do much yet.
753 [Steve Henson]
755 *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
756 public key algorithms. New option to openssl utility:
757 "list-public-key-algorithms" to print out info.
758 [Steve Henson]
760 *) Implement the Supported Elliptic Curves Extension for
761 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
762 [Douglas Stebila]
764 *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
765 EVP_CIPHER structures to avoid later problems in EVP_cleanup().
766 [Steve Henson]
768 *) New utilities pkey and pkeyparam. These are similar to algorithm specific
769 utilities such as rsa, dsa, dsaparam etc except they process any key
770 type.
771 [Steve Henson]
773 *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
774 functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
775 EVP_PKEY_print_param() to print public key data from an EVP_PKEY
776 structure.
777 [Steve Henson]
779 *) Initial support for pluggable public key ASN1.
780 De-spaghettify the public key ASN1 handling. Move public and private
781 key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
782 algorithm specific handling to a single module within the relevant
783 algorithm directory. Add functions to allow (near) opaque processing
784 of public and private key structures.
785 [Steve Henson]
787 *) Implement the Supported Point Formats Extension for
788 ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
789 [Douglas Stebila]
791 *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
792 for the psk identity [hint] and the psk callback functions to the
793 SSL_SESSION, SSL and SSL_CTX structure.
795 New ciphersuites:
799 New functions:
800 SSL_CTX_use_psk_identity_hint
801 SSL_get_psk_identity_hint
802 SSL_get_psk_identity
803 SSL_use_psk_identity_hint
805 [Mika Kousa and Pasi Eronen of Nokia Corporation]
807 *) Add RFC 3161 compliant time stamp request creation, response generation
808 and response verification functionality.