Commit | Line | Data |
---|---|---|
1 | ||
2 | OpenSSL CHANGES | |
3 | _______________ | |
4 | ||
5 | Changes between 0.9.4 and 0.9.5 [xx XXX 1999] | |
6 | ||
7 | *) Add various utility functions to handle SPKACs, these were previously | |
8 | handled by poking round in the structure internals. Added new function | |
9 | NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to | |
10 | print, verify and generate SPKACs. Based on an original idea from | |
11 | Massimiliano Pala <madwolf@comune.modena.it> but extensively modified. | |
12 | [Steve Henson] | |
13 | ||
14 | *) RIPEMD160 is operational on all platforms and is back in 'make test'. | |
15 | [Andy Polyakov] | |
16 | ||
17 | *) Allow the config file extension section to be overwritten on the | |
18 | command line. Based on an original idea from Massimiliano Pala | |
19 | <madwolf@comune.modena.it>. The new option is called -extensions | |
20 | and can be applied to ca, req and x509. Also -reqexts to override | |
21 | the request extensions in req and -crlexts to override the crl extensions | |
22 | in ca. | |
23 | [Steve Henson] | |
24 | ||
25 | *) Add new feature to the SPKAC handling in ca. Now you can include | |
26 | the same field multiple times by preceding it by "XXXX." for example: | |
27 | 1.OU="Unit name 1" | |
28 | 2.OU="Unit name 2" | |
29 | this is the same syntax as used in the req config file. | |
30 | [Steve Henson] | |
31 | ||
32 | *) Allow certificate extensions to be added to certificate requests. These | |
33 | are specified in a 'req_extensions' option of the req section of the | |
34 | config file. They can be printed out with the -text option to req but | |
35 | are otherwise ignored at present. | |
36 | [Steve Henson] | |
37 | ||
38 | *) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first data | |
39 | read consists of only the final block it would not be decrypted because | |
40 | EVP_CipherUpdate() would correctly report zero bytes had been decrypted. | |
41 | A misplaced 'break' also meant the decrypted final block might not be | |
42 | copied until the next read. | |
43 | [Steve Henson] | |
44 | ||
45 | *) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added | |
46 | a few extra parameters to the DH structure: these will be useful if | |
47 | for example we want the value of 'q' or implement X9.42 DH. | |
48 | [Steve Henson] | |
49 | ||
50 | *) Initial support for DSA_METHOD. This is based on the RSA_METHOD and | |
51 | provides hooks that allow the default DSA functions or functions on a | |
52 | "per key" basis to be replaced. This allows hardware acceleration and | |
53 | hardware key storage to be handled without major modification to the | |
54 | library. Also added low level modexp hooks and CRYPTO_EX structure and | |
55 | associated functions. | |
56 | [Steve Henson] | |
57 | ||
58 | *) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO | |
59 | as "read only": it can't be written to and the buffer it points to will | |
60 | not be freed. Reading from a read only BIO is much more efficient than | |
61 | a normal memory BIO. This was added because there are several times when | |
62 | an area of memory needs to be read from a BIO. The previous method was | |
63 | to create a memory BIO and write the data to it, this results in two | |
64 | copies of the data and an O(n^2) reading algorithm. There is a new | |
65 | function BIO_new_mem_buf() which creates a read only memory BIO from | |
66 | an area of memory. Also modified the PKCS#7 routines to use read only | |
67 | memory BIOs. | |
68 | [Steve Henson] | |
69 | ||
70 | *) Bugfix: ssl23_get_client_hello did not work properly when called in | |
71 | state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of | |
72 | a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read, | |
73 | but a retry condition occurred while trying to read the rest. | |
74 | [Bodo Moeller] | |
75 | ||
76 | *) The PKCS7_ENC_CONTENT_new() function was setting the content type as | |
77 | NID_pkcs7_encrypted by default: this was wrong since this should almost | |
78 | always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle | |
79 | the encrypted data type: this is a more sensible place to put it and it | |
80 | allows the PKCS#12 code to be tidied up that duplicated this | |
81 | functionality. | |
82 | [Steve Henson] | |
83 | ||
84 | *) Changed obj_dat.pl script so it takes its input and output files on | |
85 | the command line. This should avoid shell escape redirection problems | |
86 | under Win32. | |
87 | [Steve Henson] | |
88 | ||
89 | *) Initial support for certificate extension requests, these are included | |
90 | in things like Xenroll certificate requests. Included functions to allow | |
91 | extensions to be obtained and added. | |
92 | [Steve Henson] | |
93 | ||
94 | *) -crlf option to s_client and s_server for sending newlines as | |
95 | CRLF (as required by many protocols). | |
96 | [Bodo Moeller] | |
97 | ||
98 | Changes between 0.9.3a and 0.9.4 [09 Aug 1999] | |
99 | ||
100 | *) Install libRSAglue.a when OpenSSL is built with RSAref. | |
101 | [Ralf S. Engelschall] | |
102 | ||
103 | *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency. | |
104 | [Andrija Antonijevic <TheAntony2@bigfoot.com>] | |
105 | ||
106 | *) Fix -startdate and -enddate (which was missing) arguments to 'ca' | |
107 | program. | |
108 | [Steve Henson] | |
109 | ||
110 | *) New function DSA_dup_DH, which duplicates DSA parameters/keys as | |
111 | DH parameters/keys (q is lost during that conversion, but the resulting | |
112 | DH parameters contain its length). | |
113 | ||
114 | For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is | |
115 | much faster than DH_generate_parameters (which creates parameters | |
116 | where p = 2*q + 1), and also the smaller q makes DH computations | |
117 | much more efficient (160-bit exponentiation instead of 1024-bit | |
118 | exponentiation); so this provides a convenient way to support DHE | |
119 | ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of | |
120 | utter importance to use | |
121 | SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); | |
122 | or | |
123 | SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); | |
124 | when such DH parameters are used, because otherwise small subgroup | |
125 | attacks may become possible! | |
126 | [Bodo Moeller] | |
127 | ||
128 | *) Avoid memory leak in i2d_DHparams. | |
129 | [Bodo Moeller] | |
130 | ||
131 | *) Allow the -k option to be used more than once in the enc program: | |
132 | this allows the same encrypted message to be read by multiple recipients. | |
133 | [Steve Henson] | |
134 | ||
135 | *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts | |
136 | an ASN1_OBJECT to a text string. If the "no_name" parameter is set then | |
137 | it will always use the numerical form of the OID, even if it has a short | |
138 | or long name. | |
139 | [Steve Henson] | |
140 | ||
141 | *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp | |
142 | method only got called if p,q,dmp1,dmq1,iqmp components were present, | |
143 | otherwise bn_mod_exp was called. In the case of hardware keys for example | |
144 | no private key components need be present and it might store extra data | |
145 | in the RSA structure, which cannot be accessed from bn_mod_exp. By setting | |
146 | RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key | |
147 | operations. | |
148 | [Steve Henson] | |
149 | ||
150 | *) Added support for SPARC Linux. | |
151 | [Andy Polyakov] | |
152 | ||
153 | *) pem_password_cb function type incompatibly changed from | |
154 | typedef int pem_password_cb(char *buf, int size, int rwflag); | |
155 | to | |
156 | ....(char *buf, int size, int rwflag, void *userdata); | |
157 | so that applications can pass data to their callbacks: | |
158 | The PEM[_ASN1]_{read,write}... functions and macros now take an | |
159 | additional void * argument, which is just handed through whenever | |
160 | the password callback is called. | |
161 | [Damien Miller <dmiller@ilogic.com.au>, with tiny changes by Bodo Moeller] | |
162 | ||
163 | New function SSL_CTX_set_default_passwd_cb_userdata. | |
164 | ||
165 | Compatibility note: As many C implementations push function arguments | |
166 | onto the stack in reverse order, the new library version is likely to | |
167 | interoperate with programs that have been compiled with the old | |
168 | pem_password_cb definition (PEM_whatever takes some data that | |
169 | happens to be on the stack as its last argument, and the callback | |
170 | just ignores this garbage); but there is no guarantee whatsoever that | |
171 | this will work. | |
172 | ||
173 | *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=... | |
174 | (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused | |
175 | problems not only on Windows, but also on some Unix platforms. | |
176 | To avoid problematic command lines, these definitions are now in an | |
177 | auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl | |
178 | for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds). | |
179 | [Bodo Moeller] | |
180 | ||
181 | *) MIPS III/IV assembler module is reimplemented. | |
182 | [Andy Polyakov] | |
183 | ||
184 | *) More DES library cleanups: remove references to srand/rand and | |
185 | delete an unused file. | |
186 |