X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=25b0b6b303a0109eb6cdf6fa9deba93ea512a184;hb=cc1717eaa4501ce66b3b06aeec976c3010fd02ad;hp=4c3f5beb15746008efd6e2346e1a458d2ed3d1ef;hpb=e14f4aab0a0940d46045562bad9b0ce0f32ecb21;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index 4c3f5beb15..25b0b6b303 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,81 @@ OpenSSL CHANGES _______________ - Changes between 0.9.7e and 0.9.8 [xx XXX xxxx] + Changes between 0.9.7g and 0.9.8 [xx XXX xxxx] + + *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1) + to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file() + [Walter Goulet] + + *) Remove buggy and incompletet DH cert support from + ssl/ssl_rsa.c and ssl/s3_both.c + [Nils Larsch] + + *) Use SHA-1 instead of MD5 as the default digest algorithm for + the apps/openssl applications. + [Nils Larsch] + + *) Compile clean with "-Wall -Wmissing-prototypes + -Wstrict-prototypes -Wmissing-declarations -Werror". Currently + DEBUG_SAFESTACK must also be set. + [Ben Laurie] + + *) Change ./Configure so that certain algorithms can be disabled by default. + The new counterpiece to "no-xxx" is "enable-xxx". + + The patented RC5 and MDC2 algorithms will now be disabled unless + "enable-rc5" and "enable-mdc2", respectively, are specified. + + (IDEA remains enabled despite being patented. This is because IDEA + is frequently required for interoperability, and there is no license + fee for non-commercial use. As before, "no-idea" can be used to + avoid this algorithm.) + + [Bodo Moeller] + + *) Add processing of proxy certificates (see RFC 3820). This work was + sponsored by KTH (The Royal Institute of Technology in Stockholm) and + EGEE (Enabling Grids for E-science in Europe). + [Richard Levitte] + + *) RC4 performance overhaul on modern architectures/implementations, such + as Intel P4, IA-64 and AMD64. + [Andy Polyakov] + + *) New utility extract-section.pl. This can be used specify an alternative + section number in a pod file instead of having to treat each file as + a separate case in Makefile. This can be done by adding two lines to the + pod file: + + =for comment openssl_section:XXX + + The blank line is mandatory. + + [Steve Henson] + + *) New arguments -certform, -keyform and -pass for s_client and s_server + to allow alternative format key and certificate files and passphrase + sources. + [Steve Henson] + + *) New structure X509_VERIFY_PARAM which combines current verify parameters, + update associated structures and add various utility functions. + + Add new policy related verify parameters, include policy checking in + standard verify code. Enhance 'smime' application with extra parameters + to support policy checking and print out. + [Steve Henson] + + *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3 + Nehemiah processors. These extensions support AES encryption in hardware + as well as RNG (though RNG support is currently disabled). + [Michal Ludvig , with help from Andy Polyakov] + + *) Deprecate BN_[get|set]_params() functions (they were ignored internally). + [Geoff Thorpe] + + *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented. + [Andy Polyakov and a number of other people] *) Improved PowerPC platform support. Most notably BIGNUM assembler implementation contributed by IBM. @@ -388,14 +462,13 @@ Makefile.shared, for Cygwin's sake. [Richard Levitte] - *) Extend the BIGNUM API by creating new macros that behave like - functions - - void BN_set_sign(BIGNUM *a, int neg); - int BN_get_sign(const BIGNUM *a); + *) Extend the BIGNUM API by creating a function + void BN_set_negative(BIGNUM *a, int neg); + and a macro that behave like + int BN_is_negative(const BIGNUM *a); - and avoid the need to access 'a->neg' directly in applications. - [Nils Larsch ] + to avoid the need to access 'a->neg' directly in applications. + [Nils Larsch] *) Implement fast modular reduction for pseudo-Mersenne primes used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c). @@ -704,7 +777,109 @@ differing sizes. [Richard Levitte] - Changes between 0.9.7d and 0.9.7e [XX xxx XXXX] + Changes between 0.9.7g and 0.9.7h [XX xxx XXXX] + + *) Include the fixed error library code in the C error file definitions + instead of fixing them up at runtime. This keeps the error code + structures constant. + [Steve Henson] + + Changes between 0.9.7f and 0.9.7g [11 Apr 2005] + + *) Fixes for newer kerberos headers. NB: the casts are needed because + the 'length' field is signed on one version and unsigned on another + with no (?) obvious way to tell the difference, without these VC++ + complains. Also the "definition" of FAR (blank) is no longer included + nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up + some needed definitions. + [Steve Henson] + + *) Undo Cygwin change. + [Ulf Möller] + + *) Added support for proxy certificates according to RFC 3820. + Because they may be a security thread to unaware applications, + they must be explicitely allowed in run-time. See + docs/HOWTO/proxy_certificates.txt for further information. + [Richard Levitte] + + Changes between 0.9.7e and 0.9.7f [22 Mar 2005] + + *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating + server and client random values. Previously + (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in + less random data when sizeof(time_t) > 4 (some 64 bit platforms). + + This change has negligible security impact because: + + 1. Server and client random values still have 24 bytes of pseudo random + data. + + 2. Server and client random values are sent in the clear in the initial + handshake. + + 3. The master secret is derived using the premaster secret (48 bytes in + size for static RSA ciphersuites) as well as client server and random + values. + + The OpenSSL team would like to thank the UK NISCC for bringing this issue + to our attention. + + [Stephen Henson, reported by UK NISCC] + + *) Use Windows randomness collection on Cygwin. + [Ulf Möller] + + *) Fix hang in EGD/PRNGD query when communication socket is closed + prematurely by EGD/PRNGD. + [Darren Tucker via Lutz Jänicke, resolves #1014] + + *) Prompt for pass phrases when appropriate for PKCS12 input format. + [Steve Henson] + + *) Back-port of selected performance improvements from development + branch, as well as improved support for PowerPC platforms. + [Andy Polyakov] + + *) Add lots of checks for memory allocation failure, error codes to indicate + failure and freeing up memory if a failure occurs. + [Nauticus Networks SSL Team , Steve Henson] + + *) Add new -passin argument to dgst. + [Steve Henson] + + *) Perform some character comparisons of different types in X509_NAME_cmp: + this is needed for some certificates that reencode DNs into UTF8Strings + (in violation of RFC3280) and can't or wont issue name rollover + certificates. + [Steve Henson] + + *) Make an explicit check during certificate validation to see that + the CA setting in each certificate on the chain is correct. As a + side effect always do the following basic checks on extensions, + not just when there's an associated purpose to the check: + + - if there is an unhandled critical extension (unless the user + has chosen to ignore this fault) + - if the path length has been exceeded (if one is set at all) + - that certain extensions fit the associated purpose (if one has + been given) + [Richard Levitte] + + Changes between 0.9.7d and 0.9.7e [25 Oct 2004] + + *) Avoid a race condition when CRLs are checked in a multi threaded + environment. This would happen due to the reordering of the revoked + entries during signature checking and serial number lookup. Now the + encoding is cached and the serial number sort performed under a lock. + Add new STACK function sk_is_sorted(). + [Steve Henson] + + *) Add Delta CRL to the extension code. + [Steve Henson] + + *) Various fixes to s3_pkt.c so alerts are sent properly. + [David Holmes ] *) Reduce the chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities.