git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Re-order the options in tunala and add command switches like s_server for
Commit    Author  Line  Data
f1c236f8             1  OpenSSL CHANGES
651d0aff  RE         2  _______________
                     3
c5e8580e  RL         4  Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
                     5
5755cab4  DSH        6  *) Fix to avoid calling the underlying ASN1 print routine when
                     7  an extension cannot be parsed. Correct a typo in the
                     8  OCSP_SERVICELOC extension. Tidy up print OCSP format.
                     9  [Steve Henson]
                    10
3880cd35  BM        11  *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
                    12  Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
                    13  when writing a 32767 byte record.
                    14  [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
                    15
f640ee90            16  *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
126fe085            17  obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
f640ee90  BM        18
                    19  (RSA objects have a reference count access to which is protected
                    20  by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
                    21  so they are meant to be shared between threads.)
126fe085  BM        22  [Bodo Moeller, Geoff Thorpe; original patch submitted by
                    23  "Reddie, Steven" <Steven.Reddie@ca.com>]
f640ee90            24
9c67ab2f  DSH       25  *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
                    26  entries for variables.
5755cab4            27  [Steve Henson]
9c67ab2f            28
1456d186  BM        29  *) Fix a deadlock in CRYPTO_mem_leaks().
                    30  [Bodo Moeller]
                    31
3ac82faa  BM        32  *) Add functionality to apps/openssl.c for detecting locking
                    33  problems: As the program is single-threaded, all we have
                    34  to do is register a locking callback using an array for
                    35  storing which locks are currently held by the program.
3ac82faa  BM        36  [Bodo Moeller]
                    37
                    38  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
                    39  SSL_get_ex_data_X509_STORE_idx(), which is used in
                    40  ssl_verify_cert_chain() and thus can be called at any time
                    41  during TLS/SSL handshakes so that thread-safety is essential.
                    42  Unfortunately, the ex_data design is not at all suited
                    43  for multi-threaded use, so it probably should be abolished.
                    44  [Bodo Moeller]
                    45
2a86064f  GT        46  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
                    47  [Broadcom, tweaked and integrated by Geoff Thorpe]
                    48
2c15d426  DSH       49  *) Move common extension printing code to new function
                    50  X509V3_print_extensions(). Reorganise OCSP print routines and
c08523d8            51  implement some needed OCSP ASN1 functions. Add OCSP extensions.
2c15d426  DSH       52  [Steve Henson]
                    53
de487514  DSH       54  *) New function X509_signature_print() to remove duplication in some
                    55  print routines.
                    56  [Steve Henson]
                    57
06db4253  DSH       58  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
                    59  set (this was treated exactly the same as SET OF previously). This
                    60  is used to reorder the STACK representing the structure to match the
                    61  encoding. This will be used to get round a problem where a PKCS7
                    62  structure which was signed could not be verified because the STACK
                    63  order did not reflect the encoded order.
                    64  [Steve Henson]
                    65
36f554d4  DSH       66  *) Reimplement the OCSP ASN1 module using the new code.
                    67  [Steve Henson]
                    68
2aff7727  DSH       69  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
                    70  for its ASN1 operations. The old style function pointers still exist
                    71  for now but they will eventually go away.
                    72  [Steve Henson]
                    73
9d6b1ce6            74  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
5755cab4  DSH       75  completely replaces the old ASN1 functionality with a table driven
                    76  encoder and decoder which interprets an ASN1_ITEM structure describing
                    77  the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
                    78  largely maintained. Almost all of the old asn1_mac.h macro based ASN1
                    79  has also been converted to the new form.
9d6b1ce6  DSH       80  [Steve Henson]
                    81
8dea52fa  BM        82  *) Change BN_mod_exp_recp so that negative moduli are tolerated
                    83  (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
                    84  so that BN_mod_exp_mont and BN_mod_exp_mont_word work
                    85  for negative moduli.
                    86  [Bodo Moeller]
                    87
                    88  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
                    89  of not touching the result's sign bit.
                    90  [Bodo Moeller]
                    91
80d89e6a  BM        92  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
                    93  set.
                    94  [Bodo Moeller]
                    95
f1919c3d  GT        96  *) Changed the LHASH code to use prototypes for callbacks, and created
                    97  macros to declare and implement thin (optionally static) functions
                    98  that provide type-safety and avoid function pointer casting for the
                    99  type-specific callbacks.
                   100  [Geoff Thorpe]
                   101
1946cd8b  UM       102  *) Use better test patterns in bntest.
                   103