]>
Commit | Line | Data |
---|---|---|
651d0aff | 1 | |
f1c236f8 | 2 | OpenSSL CHANGES |
651d0aff RE |
3 | _______________ |
4 | ||
c90341a1 RL |
5 | Changes between 0.9.5a and 0.9.6 [xx XXX 2000] |
6 | ||
affadbef BM |
7 | *) For consistency with other BIO_puts implementations, call |
8 | buffer_write(b, ...) directly in buffer_puts instead of calling | |
9 | BIO_write(b, ...). | |
10 | [Peter.Sylvester@EdelWeb.fr] | |
11 | ||
bbb8de09 BM |
12 | *) Fix BN_mul_word for the case where the word is 0. (We have to use |
13 | BN_zero, we may not return a BIGNUM with an array consisting of | |
14 | words set to zero.) | |
15 | [Bodo Moeller] | |
16 | ||
17 | *) Avoid calling abort() from within the library when problems are | |
18 | detected, except if preprocessor symbols have been defined | |
19 | (such as REF_CHECK, BN_DEBUG etc.). | |
20 | [Bodo Moeller] | |
21 | ||
bd08a2bd DSH |
22 | *) New openssl application 'rsautl'. This utility can be |
23 | used for low level RSA operations. DER public key | |
24 | BIO/fp routines also added. | |
25 | [Steve Henson] | |
26 | ||
a545c6f6 BM |
27 | *) New Configure entry and patches for compiling on QNX 4. |
28 | [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>] | |
29 | ||
7049ef5f BL |
30 | *) A demo state-machine implementation was sponsored by |
31 | Nuron (http://www.nuron.com/) and is now available in | |
32 | demos/state_machine. | |
33 | [Ben Laurie] | |
34 | ||
7df1c720 DSH |
35 | *) New options added to the 'dgst' utility for signature |
36 | generation and verification. | |
37 | [Steve Henson] | |
38 | ||
d096b524 DSH |
39 | *) Unrecognized PKCS#7 content types are now handled via a |
40 | catch all ASN1_TYPE structure. This allows unsupported | |
41 | types to be stored as a "blob" and an application can | |
42 | encode and decode it manually. | |
43 | [Steve Henson] | |
44 | ||
7df1c720 | 45 | *) Fix various signed/unsigned issues to make a_strex.c |
469938cb DSH |
46 | compile under VC++. |
47 | [Oscar Jacobsson <oscar.jacobsson@celocom.com>] | |
48 | ||
49 | *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct | |
50 | length if passed a buffer. ASN1_INTEGER_to_BN failed | |
51 | if passed a NULL BN and its argument was negative. | |
52 | [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>] | |
53 | ||
eaa28181 DSH |
54 | *) Modification to PKCS#7 encoding routines to output definite |
55 | length encoding. Since currently the whole structures are in | |
56 | memory there's not real point in using indefinite length | |
57 | constructed encoding. However if OpenSSL is compiled with | |
58 | the flag PKCS7_INDEFINITE_ENCODING the old form is used. | |
59 | [Steve Henson] | |
60 | ||
e6629837 RL |
61 | *) Added BIO_vprintf() and BIO_vsnprintf(). |
62 | [Richard Levitte] | |
63 | ||
6fd5a047 RL |
64 | *) Added more prefixes to parse for in the the strings written |
65 | through a logging bio, to cover all the levels that are available | |
66 | through syslog. The prefixes are now: | |
67 | ||
68 | PANIC, EMERG, EMR => LOG_EMERG | |
69 | ALERT, ALR => LOG_ALERT | |
70 | CRIT, CRI => LOG_CRIT | |
71 | ERROR, ERR => LOG_ERR | |
72 | WARNING, WARN, WAR => LOG_WARNING | |
73 | NOTICE, NOTE, NOT => LOG_NOTICE | |
74 | INFO, INF => LOG_INFO | |
75 | DEBUG, DBG => LOG_DEBUG | |
76 | ||
77 | and as before, if none of those prefixes are present at the | |
78 | beginning of the string, LOG_ERR is chosen. | |
79 | ||
80 | On Win32, the LOG_* levels are mapped according to this: | |
81 | ||
82 | LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE | |
83 | LOG_WARNING => EVENTLOG_WARNING_TYPE | |
84 | LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE | |
85 | ||
86 | [Richard Levitte] | |
87 | ||
368f8554 RL |
88 | *) Made it possible to reconfigure with just the configuration |
89 | argument "reconf" or "reconfigure". The command line arguments | |
90 | are stored in Makefile.ssl in the variable CONFIGURE_ARGS, | |
91 | and are retrieved from there when reconfiguring. | |
92 | [Richard Levitte] | |
93 | ||
3009458e | 94 | *) MD4 implemented. |
bb531a0a | 95 | [Assar Westerlund <assar@sics.se>, Richard Levitte] |
3009458e | 96 | |
88364bc2 RL |
97 | *) Add the arguments -CAfile and -CApath to the pkcs12 utility. |
98 | [Richard Levitte] | |
99 | ||
d4fbe318 DSH |
100 | *) The obj_dat.pl script was messing up the sorting of object |
101 | names. The reason was that it compared the quoted version | |
102 | of strings as a result "OCSP" > "OCSP Signing" because | |
103 | " > SPACE. Changed script to store unquoted versions of | |
104 | names and add quotes on output. It was also omitting some | |
105 | names from the lookup table if they were given a default | |
106 | value (that is if SN is missing it is given the same | |
107 | value as LN and vice versa), these are now added on the | |
108 | grounds that if an object has a name we should be able to | |
109 | look it up. Finally added warning output when duplicate | |
110 | short or long names are found. | |
111 | [Steve Henson] | |
112 | ||
2d978cbd | 113 | *) Changes needed for Tandem NSK. |
d4fbe318 | 114 | [Scott Uroff scott@xypro.com] |
2d978cbd | 115 | |
aa826d88 BM |
116 | *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in |
117 | RSA_padding_check_SSLv23(), special padding was never detected | |
118 | and thus the SSL 3.0/TLS 1.0 countermeasure against protocol | |
119 | version rollback attacks was not effective. | |
120 | ||
37569e64 BM |
121 | In s23_clnt.c, don't use special rollback-attack detection padding |
122 | (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the | |
123 | client; similarly, in s23_srvr.c, don't do the rollback check if | |
124 | SSL 2.0 is the only protocol enabled in the server. | |
125 | [Bodo Moeller] | |
126 | ||
ca1e465f RL |
127 | *) Make it possible to get hexdumps of unprintable data with 'openssl |
128 | asn1parse'. By implication, the functions ASN1_parse_dump() and | |
129 | BIO_dump_indent() are added. | |
130 | [Richard Levitte] | |
131 | ||
a657546f DSH |
132 | *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() |
133 | these print out strings and name structures based on various | |
134 | flags including RFC2253 support and proper handling of | |
135 | multibyte characters. Added options to the 'x509' utility | |
136 | to allow the various flags to be set. | |
137 | [Steve Henson] | |
138 | ||
284ef5f3 DSH |
139 | *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. |
140 | Also change the functions X509_cmp_current_time() and | |
141 | X509_gmtime_adj() work with an ASN1_TIME structure, | |
142 | this will enable certificates using GeneralizedTime in validity | |
143 | dates to be checked. | |
144 | [Steve Henson] | |
145 | ||
146 | *) Make the NEG_PUBKEY_BUG code (which tolerates invalid | |
147 | negative public key encodings) on by default, | |
148 | NO_NEG_PUBKEY_BUG can be set to disable it. | |
149 | [Steve Henson] | |
150 | ||
151 | *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT | |
152 | content octets. An i2c_ASN1_OBJECT is unnecessary because | |
153 | the encoding can be trivially obtained from the structure. | |
154 | [Steve Henson] | |
155 | ||
fa729135 BM |
156 | *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), |
157 | not read locks (CRYPTO_r_[un]lock). | |
158 | [Bodo Moeller] | |
159 | ||
b436a982 RL |
160 | *) A first attempt at creating official support for shared |
161 | libraries through configuration. I've kept it so the | |
162 | default is static libraries only, and the OpenSSL programs | |
163 | are always statically linked for now, but there are | |
164 | preparations for dynamic linking in place. | |
165 | This has been tested on Linux and True64. | |
166 | [Richard Levitte] | |
167 | ||
c0722725 UM |
168 | *) Randomness polling function for Win9x, as described in: |
169 | Peter Gutmann, Software Generation of Practically Strong | |
170 | Random Numbers. | |
171 |