« Changelog History


OpenSSL v0.9.7.h Release Notes

Release Date: 2005-07-05 // almost 19 years ago

  • 🚀 [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after OpenSSL 0.9.8.]

    • Add libcrypto.pc and libssl.pc for those who feel they need them.

    Richard Levitte

    • Change CA.sh and CA.pl so they don't bundle the CSR and the private key into the same file any more.

    Richard Levitte

    • Add initial support for Win64, both IA64 and AMD64/x64 flavors.

    Andy Polyakov

    • Add -utf8 command line and config file option to 'ca'.

    Stefan <[email protected]

    • Removed the macro des_crypt(), as it seems to conflict with some libraries. Use DES_crypt().

    Richard Levitte

    • Correct naming of the 'chil' and '4758cca' ENGINEs. This involves renaming the source and generated shared-libs for both. The engines will accept the corrected or legacy ids ('ncipher' and '4758_cca' respectively) when binding. NB, this only applies when building 'shared'.

    Corinna Vinschen [email protected] and Geoff Thorpe

    • Add attribute functions to EVP_PKEY structure. Modify PKCS12_create() to recognize a CSP name attribute and use it. Make -CSP option work again in pkcs12 utility.

    Steve Henson

    • Add new functionality to the bn blinding code:
      • automatic re-creation of the BN_BLINDING parameters after a fixed number of uses (currently 32)
      • add new function for parameter creation
      • introduce flags to control the update behaviour of the BN_BLINDING parameters
      • hide BN_BLINDING structure Add a second BN_BLINDING slot to the RSA structure to improve performance when a single RSA object is shared among several threads.

    Nils Larsch

    • Add support for DTLS.

    Nagendra Modadugu [email protected] and Ben Laurie

    • Add support for DER encoded private keys (SSL_FILETYPE_ASN1) to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()

    Walter Goulet

    • Remove buggy and incomplete DH cert support from ssl/ssl_rsa.c and ssl/s3_both.c

    Nils Larsch

    • Use SHA-1 instead of MD5 as the default digest algorithm for the apps/openssl applications.

    Nils Larsch

    • Compile clean with "-Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -Werror". Currently DEBUG_SAFESTACK must also be set.

    Ben Laurie

    • Change ./Configure so that certain algorithms can be disabled by default. The new counterpiece to "no-xxx" is "enable-xxx".

    The patented RC5 and MDC2 algorithms will now be disabled unless "enable-rc5" and "enable-mdc2", respectively, are specified.

    (IDEA remains enabled despite being patented. This is because IDEA is frequently required for interoperability, and there is no license fee for non-commercial use. As before, "no-idea" can be used to avoid this algorithm.)

    Bodo Moeller

    • Add processing of proxy certificates (see RFC 3820). This work was sponsored by KTH (The Royal Institute of Technology in Stockholm) and EGEE (Enabling Grids for E-science in Europe).

    Richard Levitte

    • RC4 performance overhaul on modern architectures/implementations, such as Intel P4, IA-64 and AMD64.

    Andy Polyakov

    • New utility extract-section.pl. This can be used specify an alternative section number in a pod file instead of having to treat each file as a separate case in Makefile. This can be done by adding two lines to the pod file:

    =for comment openssl_section:XXX

    The blank line is mandatory.

    Steve Henson

    • New arguments -certform, -keyform and -pass for s_client and s_server to allow alternative format key and certificate files and passphrase sources.

    Steve Henson

    • New structure X509_VERIFY_PARAM which combines current verify parameters, update associated structures and add various utility functions.

    Add new policy related verify parameters, include policy checking in standard verify code. Enhance 'smime' application with extra parameters to support policy checking and print out.

    Steve Henson

    • Add a new engine to support VIA PadLock ACE extensions in the VIA C3 Nehemiah processors. These extensions support AES encryption in hardware as well as RNG (though RNG support is currently disabled).

    Michal Ludvig [email protected], with help from Andy Polyakov

    • Deprecate BN_[get|set]_params() functions (they were ignored internally).

    Geoff Thorpe

    • New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.

    Andy Polyakov and a number of other people

    • Improved PowerPC platform support. Most notably BIGNUM assembler implementation contributed by IBM.

    Suresh Chari, Peter Waltenberg, Andy Polyakov

    • The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public exponent rather than 'unsigned long'. There is a corresponding change to the new 'rsa_keygen' element of the RSA_METHOD structure.

    Jelte Jansen, Geoff Thorpe

    • Functionality for creating the initial serial number file is now moved from CA.pl to the 'ca' utility with a new option -create_serial.

    (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial number file to 1, which is bound to cause problems. To avoid the problems while respecting compatibility between different 0.9.7 patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in CA.pl for serial number initialization. With the new release 0.9.8, we can fix the problem directly in the 'ca' utility.)

    Steve Henson

    • Reduced header interdependencies by declaring more opaque objects in ossl_typ.h. As a consequence, including some headers (eg. engine.h) will give fewer recursive includes, which could break lazy source code - so this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, developers should define this symbol when building and using openssl to ensure they track the recommended behaviour, interfaces, [etc], but backwards-compatible behaviour prevails when this isn't defined.

    Geoff Thorpe

    • New function X509_POLICY_NODE_print() which prints out policy nodes.

    Steve Henson

    • Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. This will generate a random key of the appropriate length based on the cipher context. The EVP_CIPHER can provide its own random key generation routine to support keys of a specific form. This is used in the des and 3des routines to generate a key of the correct parity. Update S/MIME code to use new functions and hence generate correct parity DES keys. Add EVP_CHECK_DES_KEY #define to return an error if the key is not valid (weak or incorrect parity).

    Steve Henson

    • Add a local set of CRLs that can be used by X509_verify_cert() as well as looking them up. This is useful when the verified structure may contain CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs present unless the new PKCS7_NO_CRL flag is asserted.

    Steve Henson

    • Extend ASN1 oid configuration module. It now additionally accepts the syntax:

    shortName = some long name, 1.2.3.4

    Steve Henson

    • Reimplemented the BN_CTX implementation. There is now no more static limitation on the number of variables it can handle nor the depth of the "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack information can now expand as required, and rather than having a single static array of bignums, BN_CTX now uses a linked-list of such arrays allowing it to expand on demand whilst maintaining the usefulness of BN_CTX's "bundling".

    Geoff Thorpe

    • Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD to allow all RSA operations to function using a single BN_CTX.

    Geoff Thorpe

    • Preliminary support for certificate policy evaluation and checking. This is initially intended to pass the tests outlined in "Conformance Testing of Relying Party Client Certificate Path Processing Logic" v1.07.

    Steve Henson

    • bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and remained unused and not that useful. A variety of other little bignum tweaks and fixes have also been made continuing on from the audit (see below).

    Geoff Thorpe

    • Constify all or almost all d2i, c2i, s2i and r2i functions, along with associated ASN1, EVP and SSL functions and old ASN1 macros.

    Richard Levitte

    • BN_zero() only needs to set 'top' and 'neg' to zero for correct results, and this should never fail. So the return value from the use of BN_set_word() (which can fail due to needless expansion) is now deprecated; if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.

    Geoff Thorpe

    • BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new().

    Geoff Thorpe, suggested by Ulf Möller

    • Support for inhibitAnyPolicy certificate extension.

    Steve Henson

    • An audit of the BIGNUM code is underway, for which debugging code is enabled when BN_DEBUG is defined. This makes stricter enforcements on what is considered valid when processing BIGNUMs, and causes execution to assert() when a problem is discovered. If BN_DEBUG_RAND is defined, further steps are taken to deliberately pollute unused data in BIGNUM structures to try and expose faulty code further on. For now, openssl will (in its default mode of operation) continue to tolerate the inconsistent forms that it has tolerated in the past, but authors and packagers should consider trying openssl and their own applications when compiled with these debugging symbols defined. It will help highlight potential bugs in their own code, and will improve the test coverage for OpenSSL itself. At some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details.

    Geoff Thorpe, Nils Larsch, Ulf Möller

    • BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly initialises it). The presence of this function only made it possible to overwrite an existing structure (and cause memory leaks).

    Geoff Thorpe

    • Because of the callback-based approach for implementing LHASH as a template type, lh_insert() adds opaque objects to hash-tables and lh_doall() or lh_doall_arg() are typically used with a destructor callback to clean up those corresponding objects before destroying the hash table (and losing the object pointers). So some over-zealous constifications in LHASH have been relaxed so that lh_insert() does not take (nor store) the objects as "const" and the lh_doall[_arg] callback wrappers are not prototyped to have "const" restrictions on the object pointers they are given (and so aren't required to cast them away any more).

    Geoff Thorpe

    • The tmdiff.h API was so ugly and minimal that our own timing utility (speed) prefers to use its own implementation. The two implementations haven't been consolidated as yet (volunteers?) but the tmdiff API has had its object type properly exposed (MS_TM) instead of casting to/from "char ". This may still change yet if someone realises MS_TM and "ms_time_**" aren't necessarily the greatest nomenclatures - but this is what was used internally to the implementation so I've used that for now.

    Geoff Thorpe

    • Ensure that deprecated functions do not get compiled when OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of the self-tests were still using deprecated key-generation functions so these have been updated also.

    Geoff Thorpe

    • Reorganise PKCS#7 code to separate the digest location functionality into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest(). New function PKCS7_set_digest() to set the digest type for PKCS#7 digestedData type. Add additional code to correctly generate the digestedData type and add support for this type in PKCS7 initialization functions.

    Steve Henson

    • New function PKCS7_set0_type_other() this initializes a PKCS7 structure of type "other".

    Steve Henson

    • Fix prime generation loop in crypto/bn/bn_prime.pl by making sure the loop does correctly stop and breaking ("division by zero") modulus operations are not performed. The (pre-generated) prime table crypto/bn/bn_prime.h was already correct, but it could not be re-generated on some platforms because of the "division by zero" situation in the script.

    Ralf S. Engelschall

    • Update support for ECC-based TLS ciphersuites according to draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with SHA-1 now is only used for "small" curves (where the representation of a field element takes up to 24 bytes); for larger curves, the field element resulting from ECDH is directly used as premaster secret.

    Douglas Stebila (Sun Microsystems Laboratories)

    • Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2 curve secp160r1 to the tests.

    Douglas Stebila (Sun Microsystems Laboratories)

    • Add the possibility to load symbols globally with DSO.

    Götz Babin-Ebell [email protected] via Richard Levitte

    • Add the functions ERR_set_mark() and ERR_pop_to_mark() for better control of the error stack.

    Richard Levitte

    • Add support for STORE in ENGINE.

    Richard Levitte

    • Add the STORE type. The intention is to provide a common interface to certificate and key stores, be they simple file-based stores, or HSM-type store, or LDAP stores, or... NOTE: The code is currently UNTESTED and isn't really used anywhere.

    Richard Levitte

    • Add a generic structure called OPENSSL_ITEM. This can be used to pass a list of arguments to any function as well as provide a way for a function to pass data back to the caller.

    Richard Levitte

    • Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() works like BUF_strdup() but can be used to duplicate a portion of a string. The copy gets NUL-terminated. BUF_memdup() duplicates a memory area.

    Richard Levitte

    • Add the function sk_find_ex() which works like sk_find(), but will return an index to an element even if an exact match couldn't be found. The index is guaranteed to point at the element where the searched-for key would be inserted to preserve sorting order.

    Richard Levitte

    • Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but takes an extra flags argument for optional functionality. Currently, the following flags are defined:

      OBJ_BSEARCH_VALUE_ON_NOMATCH This one gets OBJ_bsearch_ex() to return a pointer to the first element where the comparing function returns a negative or zero number.

      OBJ_BSEARCH_FIRST_VALUE_ON_MATCH This one gets OBJ_bsearch_ex() to return a pointer to the first element where the comparing function returns zero. This is useful if there are more than one element where the comparing function returns zero.

    Richard Levitte

    • Make it possible to create self-signed certificates with 'openssl ca' in such a way that the self-signed certificate becomes part of the CA database and uses the same mechanisms for serial number generation as all other certificate signing. The new flag '-selfsign' enables this functionality. Adapt CA.sh and CA.pl.in.

    Richard Levitte

    • Add functionality to check the public key of a certificate request against a given private. This is useful to check that a certificate request can be signed by that key (self-signing).

    Richard Levitte

    • Make it possible to have multiple active certificates with the same subject in the CA index file. This is done only if the keyword 'unique_subject' is set to 'no' in the main CA section (default if 'CA_default') of the configuration file. The value is saved with the database itself in a separate index attribute file, named like the index file with '.attr' appended to the name.

    Richard Levitte

    • Generate multi-valued AVAs using '+' notation in config files for req and dirName.

    Steve Henson

    • Support for nameConstraints certificate extension.

    Steve Henson

    • Support for policyConstraints certificate extension.

    Steve Henson

    • Support for policyMappings certificate extension.

    Steve Henson

    • Make sure the default DSA_METHOD implementation only uses its dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL, and change its own handlers to be NULL so as to remove unnecessary indirection. This lets alternative implementations fallback to the default implementation more easily.

    Geoff Thorpe

    • Support for directoryName in GeneralName related extensions in config files.

    Steve Henson

    • Make it possible to link applications using Makefile.shared. Make that possible even when linking against static libraries!

    Richard Levitte

    • Support for single pass processing for S/MIME signing. This now means that S/MIME signing can be done from a pipe, in addition cleartext signing (multipart/signed type) is effectively streaming and the signed data does not need to be all held in memory.

    This is done with a new flag PKCS7_STREAM. When this flag is set PKCS7_sign() only initializes the PKCS7 structure and the actual signing is done after the data is output (and digests calculated) in SMIME_write_PKCS7().

    Steve Henson

    • Add full support for -rpath/-R, both in shared libraries and applications, at least on the platforms where it's known how to do it.

    Richard Levitte

    • In crypto/ec/ec_mult.c, implement fast point multiplication with precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() will now compute a table of multiples of the generator that makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() faster (notably in the case of a single point multiplication, scalar * generator).

    Nils Larsch, Bodo Moeller

    • IPv6 support for certificate extensions. The various extensions which use the IP:a.b.c.d can now take IPv6 addresses using the formats of RFC1884 2.2 . IPv6 addresses are now also displayed correctly.

    Steve Henson

    • Added an ENGINE that implements RSA by performing private key exponentiations with the GMP library. The conversions to and from GMP's mpz_t format aren't optimised nor are any montgomery forms cached, and on x86 it appears OpenSSL's own performance has caught up. However there are likely to be other architectures where GMP could provide a boost. This ENGINE is not built in by default, but it can be specified at Configure time and should be accompanied by the necessary linker additions, eg; ./config -DOPENSSL_USE_GMP -lgmp

    Geoff Thorpe

    • "openssl engine" will not display ENGINE/DSO load failure errors when testing availability of engines with "-t" - the old behaviour is produced by increasing the feature's verbosity with "-tt".

    Geoff Thorpe

    • ECDSA routines: under certain error conditions uninitialized BN objects could be freed. Solution: make sure initialization is performed early enough. (Reported and fix supplied by Nils Larsch [email protected] via PR#459)

    Lutz Jaenicke

    • Key-generation can now be implemented in RSA_METHOD, DSA_METHOD and DH_METHOD (eg. by ENGINE implementations) to override the normal software implementations. For DSA and DH, parameter generation can also be overridden by providing the appropriate method callbacks.

    Geoff Thorpe

    • Change the "progress" mechanism used in key-generation and primality testing to functions that take a new BN_GENCB pointer in place of callback/argument pairs. The new API functions have "_ex" postfixes and the older functions are reimplemented as wrappers for the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide declarations of the old functions to help (graceful) attempts to migrate to the new functions. Also, the new key-generation API functions operate on a caller-supplied key-structure and return success/failure rather than returning a key or NULL - this is to help make "keygen" another member function of RSA_METHOD etc.

    Example for using the new callback interface:

           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
       void *my_arg = ...;
       BN_GENCB my_cb;

       BN_GENCB_set(&my_cb, my_callback, my_arg);

       return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
       /* For the meaning of a, b in calls to my_callback(), see the
        * documentation of the function that calls the callback.
        * cb will point to my_cb; my_arg can be retrieved as cb->arg.
        * my_callback should return 1 if it wants BN_is_prime_ex()
        * to continue, or 0 to stop.
        */

    Geoff Thorpe

    • Change the ZLIB compression method to be stateful, and make it available to TLS with the number defined in draft-ietf-tls-compression-04.txt.

    Richard Levitte

    • Add the ASN.1 structures and functions for CertificatePair, which is defined as follows (according to X.509_4thEditionDraftV6.pdf):

         CertificatePair ::= SEQUENCE {
      forward         [0]     Certificate OPTIONAL,
      reverse         [1]     Certificate OPTIONAL,
      -- at least one of the pair shall be present -- }

    Also implement the PEM functions to read and write certificate pairs, and defined the PEM tag as "CERTIFICATE PAIR".

    This needed to be defined, mostly for the sake of the LDAP attribute crossCertificatePair, but may prove useful elsewhere as well.

    Richard Levitte

    • Make it possible to inhibit symlinking of shared libraries in Makefile.shared, for Cygwin's sake.

    Richard Levitte

    • Extend the BIGNUM API by creating a function void BN_set_negative(BIGNUM *a, int neg); and a macro that behave like int BN_is_negative(const BIGNUM *a);

    to avoid the need to access 'a->neg' directly in applications.

    Nils Larsch

    • Implement fast modular reduction for pseudo-Mersenne primes used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). EC_GROUP_new_curve_GFp() will now automatically use this if applicable.

    Nils Larsch [email protected]

    • Add new lock type (CRYPTO_LOCK_BN).

    Bodo Moeller

    • Change the ENGINE framework to automatically load engines dynamically from specific directories unless they could be found to already be built in or loaded. Move all the current engines except for the cryptodev one to a new directory engines/. The engines in engines/ are built as shared libraries if the "shared" options was given to ./Configure or ./config. Otherwise, they are inserted in libcrypto.a. /usr/local/ssl/engines is the default directory for dynamic engines, but that can be overridden at configure time through the usual use of --prefix and/or --openssldir, and at run time with the environment variable OPENSSL_ENGINES.

    Geoff Thorpe and Richard Levitte

    • Add Makefile.shared, a helper makefile to build shared libraries. Adapt Makefile.org.

    Richard Levitte

    • Add version info to Win32 DLLs.

    Peter 'Luna' Runestig" [email protected]

    • Add new 'medium level' PKCS#12 API. Certificates and keys can be added using this API to created arbitrary PKCS#12 files while avoiding the low level API.

    New options to PKCS12_create(), key or cert can be NULL and will then be omitted from the output file. The encryption algorithm NIDs can be set to -1 for no encryption, the mac iteration count can be set to 0 to omit the mac.

    Enhance pkcs12 utility by making the -nokeys and -nocerts options work when creating a PKCS#12 file. New option -nomac to omit the mac, NONE can be set for an encryption algorithm. New code is modified to use the enhanced PKCS12_create() instead of the low level API.

    Steve Henson

    • Extend ASN1 encoder to support indefinite length constructed encoding. This can output sequences tags and octet strings in this form. Modify pk7_asn1.c to support indefinite length encoding. This is experimental and needs additional code to be useful, such as an ASN1 bio and some enhanced streaming PKCS#7 code.

    Extend template encode functionality so that tagging is passed down to the template encoder.

    Steve Henson

    • Let 'openssl req' fail if an argument to '-newkey' is not recognized instead of using RSA as a default.

    Bodo Moeller

    • Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. As these are not official, they are not included in "ALL"; the "ECCdraft" ciphersuite group alias can be used to select them.

    Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)

    • Add ECDH engine support.

    Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)

    • Add ECDH in new directory crypto/ecdh/.

    Douglas Stebila (Sun Microsystems Laboratories)

    • Let BN_rand_range() abort with an error after 100 iterations without success (which indicates a broken PRNG).

    Bodo Moeller

    • Change BN_mod_sqrt() so that it verifies that the input value is really the square of the return value. (Previously, BN_mod_sqrt would show GIGO behaviour.)

    Bodo Moeller

    • Add named elliptic curves over binary fields from X9.62, SECG, and WAP/WTLS; add OIDs that were still missing.

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • Extend the EC library for elliptic curves over binary fields (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/). New EC_METHOD:

         EC_GF2m_simple_method

    New API functions:

           EC_GROUP_new_curve_GF2m
       EC_GROUP_set_curve_GF2m
       EC_GROUP_get_curve_GF2m
       EC_POINT_set_affine_coordinates_GF2m
       EC_POINT_get_affine_coordinates_GF2m
       EC_POINT_set_compressed_coordinates_GF2m

    Point compression for binary fields is disabled by default for patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to enable it).

    As binary polynomials are represented as BIGNUMs, various members of the EC_GROUP and EC_POINT data structures can be shared between the implementations for prime fields and binary fields; the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m) are essentially identical to their ..._GFp counterparts. (For simplicity, the '..._GFp' prefix has been dropped from various internal method names.)

    An internal 'field_div' method (similar to 'field_mul' and 'field_sqr') has been added; this is used only for binary fields.

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult() through methods ('mul', 'precompute_mult').

    The generic implementations (now internally called 'ec_wNAF_mul' and 'ec_wNAF_precomputed_mult') remain the default if these methods are undefined.

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • New function EC_GROUP_get_degree, which is defined through EC_METHOD. For curves over prime fields, this returns the bit length of the modulus.

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • New functions EC_GROUP_dup, EC_POINT_dup. (These simply call ..._new and ..._copy).

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c. Polynomials are represented as BIGNUMs (where the sign bit is not used) in the following functions [macros]:

         BN_GF2m_add
   BN_GF2m_sub             [= BN_GF2m_add]
   BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
   BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
   BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
   BN_GF2m_mod_inv
   BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
   BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
   BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
   BN_GF2m_cmp             [= BN_ucmp]

    (Note that only the 'mod' functions are actually for fields GF(2m). BN_GF2m_add() is misnomer, but this is for the sake of consistency.)

    For some functions, an the irreducible polynomial defining a field can be given as an 'unsigned int[]' with strictly decreasing elements giving the indices of those bits that are set; i.e., p[] represents the polynomial f(t) = tp[0] + tp[1] + ... + tp[k] where p[0] > p[1] > ... > p[k] = 0. This applies to the following functions:

           BN_GF2m_mod_arr
       BN_GF2m_mod_mul_arr
       BN_GF2m_mod_sqr_arr
       BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
       BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
       BN_GF2m_mod_exp_arr
       BN_GF2m_mod_sqrt_arr
       BN_GF2m_mod_solve_quad_arr
       BN_GF2m_poly2arr
       BN_GF2m_arr2poly

    Conversion can be performed by the following functions:

           BN_GF2m_poly2arr
       BN_GF2m_arr2poly

    bntest.c has additional tests for binary polynomial arithmetic.

    Two implementations for BN_GF2m_mod_div() are available. The default algorithm simply uses BN_GF2m_mod_inv() and BN_GF2m_mod_mul(). The alternative algorithm is compiled in only if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the copyright notice in crypto/bn/bn_gf2m.c before enabling it).

    Sheueling Chang Shantz and Douglas Stebila (Sun Microsystems Laboratories)

    • Add new error code 'ERR_R_DISABLED' that can be used when some functionality is disabled at compile-time.

    Douglas Stebila [email protected]

    • Change default behaviour of 'openssl asn1parse' so that more information is visible when viewing, e.g., a certificate:

    Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump' mode the content of non-printable OCTET STRINGs is output in a style similar to INTEGERs, but with '[HEX DUMP]' prepended to avoid the appearance of a printable string.

    Nils Larsch [email protected]

    • Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access functions EC_GROUP_set_asn1_flag() EC_GROUP_get_asn1_flag() EC_GROUP_set_point_conversion_form() EC_GROUP_get_point_conversion_form() These control ASN1 encoding details:
      • Curves (i.e., groups) are encoded explicitly unless asn1_flag has been set to OPENSSL_EC_NAMED_CURVE.
      • Points are encoded in uncompressed form by default; options for asn1_for are as for point2oct, namely POINT_CONVERSION_COMPRESSED POINT_CONVERSION_UNCOMPRESSED POINT_CONVERSION_HYBRID

    Also add 'seed' and 'seed_len' members to EC_GROUP with access functions EC_GROUP_set_seed() EC_GROUP_get0_seed() EC_GROUP_get_seed_len() This is used only for ASN1 purposes (so far).

    Nils Larsch [email protected]

    • Add 'field_type' member to EC_METHOD, which holds the NID of the appropriate field type OID. The new function EC_METHOD_get_field_type() returns this value.

    Nils Larsch [email protected]

    • Add functions EC_POINT_point2bn() EC_POINT_bn2point() EC_POINT_point2hex() EC_POINT_hex2point() providing useful interfaces to EC_POINT_point2oct() and EC_POINT_oct2point().

    Nils Larsch [email protected]

    • Change internals of the EC library so that the functions EC_GROUP_set_generator() EC_GROUP_get_generator() EC_GROUP_get_order() EC_GROUP_get_cofactor() are implemented directly in crypto/ec/ec_lib.c and not dispatched to methods, which would lead to unnecessary code duplication when adding different types of curves.

    Nils Larsch [email protected] with input by Bodo Moeller

    • Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM arithmetic, and such that modified wNAFs are generated (which avoid length expansion in many cases).

    Bodo Moeller

    • Add a function EC_GROUP_check_discriminant() (defined via EC_METHOD) that verifies that the curve discriminant is non-zero.

    Add a function EC_GROUP_check() that makes some sanity tests on a EC_GROUP, its generator and order. This includes EC_GROUP_check_discriminant().

    Nils Larsch [email protected]

    • Add ECDSA in new directory crypto/ecdsa/.

    Add applications 'openssl ecparam' and 'openssl ecdsa' (these are based on 'openssl dsaparam' and 'openssl dsa').

    ECDSA support is also included in various other files across the library. Most notably,

    • 'openssl req' now has a '-newkey ecdsa:file' option;
    • EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
    • X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make them suitable for ECDSA where domain parameters must be extracted before the specific public key;
    • ECDSA engine support has been added.

    Nils Larsch [email protected]

    • Include some named elliptic curves, and add OIDs from X9.62, SECG, and WAP/WTLS. Each curve can be obtained from the new function EC_GROUP_new_by_curve_name(), and the list of available named curves can be obtained with EC_get_builtin_curves(). Also add a 'curve_name' member to EC_GROUP objects, which can be accessed via EC_GROUP_set_curve_name() EC_GROUP_get_curve_name()

    Nils Larsch <[email protected], Bodo Moeller

    • Remove a few calls to bn_wexpand() in BN_sqr() (the one in there was actually never needed) and in BN_mul(). The removal in BN_mul() required a small change in bn_mul_part_recursive() and the addition of the functions bn_cmp_part_words(), bn_sub_part_words() and bn_add_part_words(), which do the same thing as bn_cmp_words(), bn_sub_words() and bn_add_words() except they take arrays with differing sizes.

    Richard Levitte