Commit | Line | Data |
---|---|---|
f1c236f8 | 1 | OpenSSL CHANGES |
651d0aff RE |
2 | _______________ |
3 | ||
c5e8580e RL |
4 | Changes between 0.9.6 and 0.9.7 [xx XXX 2000] |
5 | ||
0b33bc65 DSH |
6 | *) Move OCSP client related routines to ocsp_cl.c. These |
7 | provide utility functions which an application needing | |
8 | to issue a request to an OCSP responder and analyse the | |
9 | response will typically need: as opposed to those which an | |
10 | OCSP responder itself would need which will be added later. | |
11 | ||
12 | OCSP_request_sign() signs an OCSP request with an API similar | |
13 | to PKCS7_sign(). OCSP_response_status() returns status of OCSP | |
14 | response. OCSP_response_get1_basic() extracts basic response | |
15 | from response. OCSP_resp_find_status(): finds and extracts status | |
16 | information from an OCSP_CERTID structure (which will be created | |
17 | when the request structure is built). These are built from lower | |
18 | level functions which work on OCSP_SINGLERESP structures but | |
19 | won't normally be used unless the application wishes to examine | |
20 | extensions in the OCSP response for example. | |
21 | ||
22 | Replace nonce routines with a pair of functions. | |
23 | OCSP_request_add1_nonce() adds a nonce value and optionally | |
24 | generates a random value. OCSP_check_nonce() checks the | |
25 | validity of the nonce in an OCSP response. | |
26 | [Steve Henson] | |
27 | ||
28 | *) Change function OCSP_request_add() to OCSP_request_add0_id(). | |
8e961835 DSH |
29 | This doesn't copy the supplied OCSP_CERTID and avoids the |
30 | need to free up the newly created id. Change return type | |
31 | to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure. | |
32 | This can then be used to add extensions to the request. | |
33 | Deleted OCSP_request_new(), since most of its functionality | |
34 | is now in OCSP_REQUEST_new() (and the case insensitive name | |
35 | clash) apart from the ability to set the request name which | |
36 | will be added elsewhere. | |
37 | [Steve Henson] | |
38 | ||
bf0d176e DSH |
39 | *) Update OCSP API. Remove obsolete extensions argument from |
40 | various functions. Extensions are now handled using the new | |
41 | OCSP extension code. New simple OCSP HTTP function which | |
42 | can be used to send requests and parse the response. | |
43 | [Steve Henson] | |
44 | ||
ec5add87 DSH |
45 | *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new |
46 | ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN | |
47 | uses the special reorder version of SET OF to sort the attributes | |
48 | and reorder them to match the encoded order. This resolves a long | |
49 | standing problem: a verify on a PKCS7 structure just after signing | |
50 | it used to fail because the attribute order did not match the | |
51 | encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes: | |
52 | it uses the received order. This is necessary to tolerate some broken | |
53 | software that does not order SET OF. This is handled by encoding | |
54 | as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class) | |
55 | to produce the required SET OF. | |
56 | [Steve Henson] | |
57 | ||
a6574c21 RL |
58 | *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and |
59 | OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header | |
60 | files to get correct declarations of the ASN.1 item variables. | |
61 | [Richard Levitte] | |
62 | ||
ecbe0781 DSH |
63 | *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many |
64 | PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs: | |
65 | asn1_check_tlen() would sometimes attempt to use 'ctx' when it was | |
66 | NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i(). | |
67 | New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant | |
68 | ASN1_ITEM and no wrapper functions. | |
69 | [Steve Henson] | |
70 | ||
4e1209eb DSH |
71 | *) New functions ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These |
72 | replace the old function pointer based I/O routines. Change most of | |
73 | the *_d2i_bio() and *_d2i_fp() functions to use these. | |
74 | [Steve Henson] | |
75 | ||
3f07fe09 RL |
76 | *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor |
77 | lines, recognise more "algorithms" that can be deselected, and make | |
78 | it complain about algorithm deselection that isn't recognised. | |
79 | [Richard Levitte] | |
80 | ||
78d3b819 | 81 | *) New ASN1 functions to handle dup, sign, verify, digest, pack and |
73e92de5 DSH |
82 | unpack operations in terms of ASN1_ITEM. Modify existing wrappers |
83 | to use new functions. Add NO_ASN1_OLD which can be set to remove | |
84 | some old style ASN1 functions: this can be used to determine if old | |
85 | code will still work when these eventually go away. | |
09ab755c DSH |
86 | [Steve Henson] |
87 | ||
ec558b65 DSH |
88 | *) New extension functions for OCSP structures, these follow the |
89 | same conventions as certificates and CRLs. | |
90 | [Steve Henson] | |
91 | ||
57d2f217 DSH |
92 | *) New function X509V3_add1_i2d(). This automatically encodes and |
93 | adds an extension. Its behaviour can be customised with various | |
94 | flags to append, replace or delete. Various wrappers added for | |
95 | certificates and CRLs. | |
96 | [Steve Henson] | |
97 | ||
5755cab4 DSH |
98 | *) Fix to avoid calling the underlying ASN1 print routine when |
99 | an extension cannot be parsed. Correct a typo in the | |
100 | OCSP_SERVICELOC extension. Tidy up print OCSP format. | |
101 | [Steve Henson] | |
102 | ||
3880cd35 BM |
103 | *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). |
104 | Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits | |
105 | when writing a 32767 byte record. | |
106 | [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] | |
107 | ||
f640ee90 | 108 | *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), |
126fe085 | 109 | obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. |
f640ee90 BM |
110 | |
111 | (RSA objects have a reference count access to which is protected | |
112 | by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], | |
113 | so they are meant to be shared between threads.) | |
126fe085 BM |
114 | [Bodo Moeller, Geoff Thorpe; original patch submitted by |
115 | "Reddie, Steven" <Steven.Reddie@ca.com>] | |
f640ee90 | 116 | |
9c67ab2f DSH |
117 | *) Make mkdef.pl parse some of the ASN1 macros and add appropriate |
118 | entries for variables. | |
5755cab4 | 119 | [Steve Henson] |
9c67ab2f | 120 | |
1456d186 BM |
121 | *) Fix a deadlock in CRYPTO_mem_leaks(). |
122 | [Bodo Moeller] | |
123 | ||
3ac82faa BM |
124 | *) Add functionality to apps/openssl.c for detecting locking |
125 | problems: As the program is single-threaded, all we have | |
126 | to do is register a locking callback using an array for | |
127 | storing which locks are currently held by the program. | |
3ac82faa BM |
128 | [Bodo Moeller] |
129 | ||
130 | *) Use a lock around the call to CRYPTO_get_ex_new_index() in | |
131 | SSL_get_ex_data_X509_STORE_idx(), which is used in | |
132 | ssl_verify_cert_chain() and thus can be called at any time | |
133 | during TLS/SSL handshakes so that thread-safety is essential. | |
134 | Unfortunately, the ex_data design is not at all suited | |
135 | for multi-threaded use, so it probably should be abolished. | |
136 | [Bodo Moeller] | |
137 | ||
2a86064f GT |
138 | *) Added Broadcom "ubsec" ENGINE to OpenSSL. |
139 | [Broadcom, tweaked and integrated by Geoff Thorpe] | |
140 | ||
2c15d426 DSH |
141 | *) Move common extension printing code to new function |
142 | X509V3_print_extensions(). Reorganise OCSP print routines and | |
c08523d8 | 143 | implement some needed OCSP ASN1 functions. Add OCSP extensions. |
2c15d426 DSH |
144 | [Steve Henson] |
145 | ||
de487514 DSH |
146 | *) New function X509_signature_print() to remove duplication in some |
147 | print routines. | |
148 | [Steve Henson] | |
149 | ||
06db4253 DSH |
150 | *) Add a special meaning when SET OF and SEQUENCE OF flags are both |
151 | set (this was treated exactly the same as SET OF previously). This | |
152 | is used to reorder the STACK representing the structure to match the | |
153 | encoding. This will be used to get round a problem where a PKCS7 | |
154 | structure which was signed could not be verified because the STACK | |
155 | order did not reflect the encoded order. | |
156 | [Steve Henson] | |
157 | ||
36f554d4 DSH |
158 | *) Reimplement the OCSP ASN1 module using the new code. |
159 | [Steve Henson] | |
160 | ||
2aff7727 DSH |
161 | *) Update the X509V3 code to permit the use of an ASN1_ITEM structure |
162 | for its ASN1 operations. The old style function pointers still exist | |
163 | for now but they will eventually go away. | |
164 | [Steve Henson] | |
165 | ||
9d6b1ce6 | 166 | *) Merge in replacement ASN1 code from the ASN1 branch. This almost |
5755cab4 DSH |
167 | completely replaces the old ASN1 functionality with a table driven |
168 | encoder and decoder which interprets an ASN1_ITEM structure describing | |
169 | the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is | |
170 | largely maintained. Almost all of the old asn1_mac.h macro based ASN1 | |
171 | has also been converted to the new form. | |
9d6b1ce6 DSH |
172 | [Steve Henson] |
173 | ||
8dea52fa BM |
174 | *) Change BN_mod_exp_recp so that negative moduli are tolerated |
175 | (the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set | |
176 | so that BN_mod_exp_mont and BN_mod_exp_mont_word work | |
177 | for negative moduli. | |
178 | [Bodo Moeller] | |
179 | ||
180 | *) Fix BN_uadd and BN_usub: Always return non-negative results instead | |
181 | of not touching the result's sign bit. | |
182 | [Bodo Moeller] | |
183 | ||
80d89e6a BM |
184 | *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be |
185 | set. | |
186 | [Bodo Moeller] | |
187 | ||
f1919c3d GT |
188 | *) Changed the LHASH code to use prototypes for callbacks, and created |
189 | macros to declare and implement thin (optionally static) functions | |
190 | that provide type-safety and avoid function pointer casting for the | |
191 | type-specific callbacks. | |
192 | [Geoff Thorpe] | |
193 | ||
1946cd8b UM |
194 | *) Use better test patterns in bntest. |
195 |