[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

  *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
     RSA_padding_check_SSLv23(), special padding was never detected
     and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
     version rollback attacks was not effective.

     In s23_clnt.c, don't use special rollback-attack detection padding
     (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
     client; similarly, in s23_srvr.c, don't do the rollback check if
     SSL 2.0 is the only protocol enabled in the server.
     [Bodo Moeller]

  *) Make it possible to get hexdumps of unprintable data with 'openssl
     asn1parse'.  By implication, the functions ASN1_parse_dump() and
     BIO_dump_indent() are added.
     [Richard Levitte]

  *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
     these print out strings and name structures based on various
     flags including RFC2253 support and proper handling of
     multibyte characters. Added options to the 'x509' utility 
     to allow the various flags to be set.
     [Steve Henson]

  *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
     Also change the functions X509_cmp_current_time() and
     X509_gmtime_adj() work with an ASN1_TIME structure,
     this will enable certificates using GeneralizedTime in validity
     dates to be checked.
     [Steve Henson]

  *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
     negative public key encodings) on by default,
     NO_NEG_PUBKEY_BUG can be set to disable it.
     [Steve Henson]

  *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
     content octets. An i2c_ASN1_OBJECT is unnecessary because
     the encoding can be trivially obtained from the structure.
     [Steve Henson]

  *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
     not read locks (CRYPTO_r_[un]lock).
     [Bodo Moeller]

  *) A first attempt at creating official support for shared
     libraries through configuration.  I've kept it so the
     default is static libraries only, and the OpenSSL programs
     are always statically linked for now, but there are
     preparations for dynamic linking in place.
     This has been tested on Linux and True64.
     [Richard Levitte]

  *) Randomness polling function for Win9x, as described in:
     Peter Gutmann, Software Generation of Practically Strong
     Random Numbers.
Commit	Line	Data
651d0aff	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
c90341a1 RL	5	Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
c90341a1 RL	6
aa826d88 BM	7	*) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
	8	RSA_padding_check_SSLv23(), special padding was never detected
	9	and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
	10	version rollback attacks was not effective.
	11
37569e64 BM	12	In s23_clnt.c, don't use special rollback-attack detection padding
	13	(RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
	14	client; similarly, in s23_srvr.c, don't do the rollback check if
	15	SSL 2.0 is the only protocol enabled in the server.
	16	[Bodo Moeller]
	17
ca1e465f RL	18	*) Make it possible to get hexdumps of unprintable data with 'openssl
	19	asn1parse'. By implication, the functions ASN1_parse_dump() and
	20	BIO_dump_indent() are added.
	21	[Richard Levitte]
	22
a657546f DSH	23	*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
	24	these print out strings and name structures based on various
	25	flags including RFC2253 support and proper handling of
	26	multibyte characters. Added options to the 'x509' utility
	27	to allow the various flags to be set.
	28	[Steve Henson]
	29
284ef5f3 DSH	30	*) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
	31	Also change the functions X509_cmp_current_time() and
	32	X509_gmtime_adj() work with an ASN1_TIME structure,
	33	this will enable certificates using GeneralizedTime in validity
	34	dates to be checked.
	35	[Steve Henson]
	36
	37	*) Make the NEG_PUBKEY_BUG code (which tolerates invalid
	38	negative public key encodings) on by default,
	39	NO_NEG_PUBKEY_BUG can be set to disable it.
	40	[Steve Henson]
	41
	42	*) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
	43	content octets. An i2c_ASN1_OBJECT is unnecessary because
	44	the encoding can be trivially obtained from the structure.
	45	[Steve Henson]
	46
fa729135 BM	47	*) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
	48	not read locks (CRYPTO_r_[un]lock).
	49	[Bodo Moeller]
	50
b436a982 RL	51	*) A first attempt at creating official support for shared
	52	libraries through configuration. I've kept it so the
	53	default is static libraries only, and the OpenSSL programs
	54	are always statically linked for now, but there are
	55	preparations for dynamic linking in place.
	56	This has been tested on Linux and True64.
	57	[Richard Levitte]
	58
c0722725 UM	59	*) Randomness polling function for Win9x, as described in:
	60	Peter Gutmann, Software Generation of Practically Strong
	61	Random Numbers.
	62