projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| 81a6c781 | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE |
3 | _______________ |
| 4 | ||
| d5f686d8 | 5 | Changes between 0.9.7e and 0.9.8 [xx XXX xxxx] |
| 4d94ae00 | 6 | |
| 6951c23a RL |
7 | *) Add processing of proxy certificates (see RFC 3820). This work was |
| 8 | sponsored by KTH (The Royal Institute of Technology in Stockholm) and | |
| 9 | EGEE (Enabling Grids for E-science in Europe). | |
| 10 | [Richard Levitte] | |
| 11 | ||
| ea681ba8 AP |
12 | *) RC4 performance overhaul on modern architectures/implementations, such |
| 13 | as Intel P4, IA-64 and AMD64. | |
| 14 | [Andy Polyakov] | |
| 15 | ||
| 401ee37a DSH |
16 | *) New utility extract-section.pl. This can be used specify an alternative |
| 17 | section number in a pod file instead of having to treat each file as | |
| 18 | a separate case in Makefile. This can be done by adding two lines to the | |
| 19 | pod file: | |
| 20 | ||
| 21 | =for comment openssl_section:XXX | |
| 22 | ||
| 23 | The blank line is mandatory. | |
| 24 | ||
| 25 | [Steve Henson] | |
| 26 | ||
| 826a42a0 DSH |
27 | *) New arguments -certform, -keyform and -pass for s_client and s_server |
| 28 | to allow alternative format key and certificate files and passphrase | |
| 29 | sources. | |
| 30 | [Steve Henson] | |
| 31 | ||
| 5d7c222d DSH |
32 | *) New structure X509_VERIFY_PARAM which combines current verify parameters, |
| 33 | update associated structures and add various utility functions. | |
| 34 | ||
| 35 | Add new policy related verify parameters, include policy checking in | |
| 36 | standard verify code. Enhance 'smime' application with extra parameters | |
| 37 | to support policy checking and print out. | |
| 38 | [Steve Henson] | |
| 39 | ||
| 30fe028f GT |
40 | *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 |
| 41 | Nehemiah processors. These extensions support AES encryption in hardware | |
| 42 | as well as RNG (though RNG support is currently disabled). | |
| 43 | [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov] | |
| 44 | ||
| df11e1e9 GT |
45 | *) Deprecate BN_[get|set]_params() functions (they were ignored internally). |
| 46 | [Geoff Thorpe] | |
| 47 | ||
| ad500340 AP |
48 | *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. |
| 49 | [Andy Polyakov and a number of other people] | |
| 50 | ||
| e14f4aab AP |
51 | *) Improved PowerPC platform support. Most notably BIGNUM assembler |
| 52 | implementation contributed by IBM. | |
| 53 | [Suresh Chari, Peter Waltenberg, Andy Polyakov] | |
| 54 | ||
| bcfea9fb GT |
55 | *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public |
| 56 | exponent rather than 'unsigned long'. There is a corresponding change to | |
| 57 | the new 'rsa_keygen' element of the RSA_METHOD structure. | |
| 58 | [Jelte Jansen, Geoff Thorpe] | |
| 59 | ||
| d5f686d8 BM |
60 | *) Functionality for creating the initial serial number file is now |
| 61 | moved from CA.pl to the 'ca' utility with a new option -create_serial. | |
| 62 | ||
| 63 | (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial | |
| 64 | number file to 1, which is bound to cause problems. To avoid | |
| 65 | the problems while respecting compatibility between different 0.9.7 | |
| 66 | patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in | |
| 67 | CA.pl for serial number initialization. With the new release 0.9.8, | |
| 68 | we can fix the problem directly in the 'ca' utility.) | |
| 64674bcc DSH |
69 | [Steve Henson] |
| 70 | ||
| 3a87a9b9 GT |
71 | *) Reduced header interdepencies by declaring more opaque objects in |
| 72 | ossl_typ.h. As a consequence, including some headers (eg. engine.h) will | |
| 73 | give fewer recursive includes, which could break lazy source code - so | |
| 74 | this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always, | |
| 75 | developers should define this symbol when building and using openssl to | |
| 76 | ensure they track the recommended behaviour, interfaces, [etc], but | |
| 77 | backwards-compatible behaviour prevails when this isn't defined. | |
| 78 | [Geoff Thorpe] | |
| 79 | ||
| bf5773fa DSH |
80 | *) New function X509_POLICY_NODE_print() which prints out policy nodes. |
| 81 | [Steve Henson] | |
| 82 | ||
| 216659eb DSH |
83 | *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. |
| 84 | This will generate a random key of the appropriate length based on the | |
| 85 | cipher context. The EVP_CIPHER can provide its own random key generation | |
| 86 | routine to support keys of a specific form. This is used in the des and | |
| 87 | 3des routines to generate a key of the correct parity. Update S/MIME | |
| 88 | code to use new functions and hence generate correct parity DES keys. | |
| 89 | Add EVP_CHECK_DES_KEY #define to return an error if the key is not | |
| 90 | valid (weak or incorrect parity). | |
| 91 | [Steve Henson] | |
| 92 | ||
| e1a27eb3 DSH |
93 | *) Add a local set of CRLs that can be used by X509_verify_cert() as well |
| 94 | as looking them up. This is useful when the verified structure may contain | |
| 95 | CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs | |
| 96 | present unless the new PKCS7_NO_CRL flag is asserted. | |
| 97 | [Steve Henson] | |
| 98 | ||
| 6446e0c3 DSH |
99 | *) Extend ASN1 oid configuration module. It now additionally accepts the |
| 100 | syntax: | |
| 101 | ||
| 102 | shortName = some long name, 1.2.3.4 | |
| 103 | [Steve Henson] | |
| 104 | ||
| 5c98b2ca GT |
105 | *) Reimplemented the BN_CTX implementation. There is now no more static |
| 106 | limitation on the number of variables it can handle nor the depth of the | |
| 107 | "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack | |
| 108 | information can now expand as required, and rather than having a single | |
| 109 | static array of bignums, BN_CTX now uses a linked-list of such arrays | |
| 110 | allowing it to expand on demand whilst maintaining the usefulness of | |
| 111 | BN_CTX's "bundling". | |
| 112 | [Geoff Thorpe] | |
| 113 | ||
| 46ef873f GT |
114 | *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD |
| 115 | to allow all RSA operations to function using a single BN_CTX. | |
| 116 | [Geoff Thorpe] | |
| 117 | ||
| 4acc3e90 DSH |
118 | *) Preliminary support for certificate policy evaluation and checking. This |
| 119 | is initially intended to pass the tests outlined in "Conformance Testing | |
| 120 | of Relying Party Client Certificate Path Processing Logic" v1.07. | |
| 121 | [Steve Henson] | |
| 122 | ||
| 7f663ce4 GT |
123 | *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and |
| 124 | remained unused and not that useful. A variety of other little bignum | |
| 125 | tweaks and fixes have also been made continuing on from the audit (see | |
| 126 | below). | |
| 127 | [Geoff Thorpe] | |
| 128 | ||
| 875a644a RL |
129 | *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with |
| 130 | associated ASN1, EVP and SSL functions and old ASN1 macros. | |
| 7f663ce4 | 131 | [Richard Levitte] |
| 875a644a | 132 | |
| b6358c89 GT |
133 | *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, |
| 134 | and this should never fail. So the return value from the use of | |
| 135 | BN_set_word() (which can fail due to needless expansion) is now deprecated; | |
| 136 | if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. | |
| 137 | [Geoff Thorpe] | |
| 138 | ||
| 9e051bac GT |
139 | *) BN_CTX_get() should return zero-valued bignums, providing the same |
| 140 | initialised value as BN_new(). | |
| 141 |