X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=a8402846220ca68e1e1515c17c99cab698b16093;hb=164bc7dae8277221564a4f0161eb86e736541220;hp=1cea4962c92ae932a2f5ba945d4e049d15b74960;hpb=f80153e20b9db5f0e18db6a259f8bdb88ff79273;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index 1cea4962c9..a840284622 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,75 @@ Changes between 0.9.7a and 0.9.8 [xx XXX xxxx] + *) Add support for STORE in ENGINE. + [Richard Levitte] + + *) Add the STORE type. The intention is to provide a common interface + to certificate and key stores, be they simple file-based stores, or + HSM-type store, or LDAP stores, or... + NOTE: The code is currently UNTESTED and isn't really used anywhere. + [Richard Levitte] + + *) Add a generic structure called OPENSSL_ITEM. This can be used to + pass a list of arguments to any function as well as provide a way + for a function to pass data back to the caller. + [Richard Levitte] + + *) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup() + works like BUF_strdup() but can be used to duplicate a portion of + a string. The copy gets NUL-terminated. BUF_memdup() duplicates + a memory area. + [Richard Levitte] + + *) Add the function sk_find_ex() which works like sk_find(), but will + return an index to an element even if an exact match couldn't be + found. The index is guaranteed to point at the element where the + searched-for key would be inserted to preserve sorting order. + [Richard Levitte] + + *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but + takes an extra flags argument for optional functionality. Currently, + the following flags are defined: + + OBJ_BSEARCH_VALUE_ON_NOMATCH + This one gets OBJ_bsearch_ex() to return a pointer to the first + element where the comparing function returns a negative or zero + number. + + OBJ_BSEARCH_FIRST_VALUE_ON_MATCH + This one gets OBJ_bsearch_ex() to return a pointer to the first + element where the comparing function returns zero. This is useful + if there are more than one element where the comparing function + returns zero. + [Richard Levitte] + + *) Make it possible to create self-signed certificates with 'openssl ca' + in such a way that the self-signed certificate becomes part of the + CA database and uses the same mechanisms for serial number generation + as all other certificate signing. The new flag '-selfsign' enables + this functionality. Adapt CA.sh and CA.pl.in. + [Richard Levitte] + + *) Add functionality to check the public key of a certificate request + against a given private. This is useful to check that a certificate + request can be signed by that key (self-signing). + [Richard Levitte] + + *) Make it possible to have multiple active certificates with the same + subject in the CA index file. This is done only if the keyword + 'unique_subject' is set to 'no' in the main CA section (default + if 'CA_default') of the configuration file. The value is saved + with the database itself in a separate index attribute file, + named like the index file with '.attr' appended to the name. + [Richard Levitte] + + *) Generate muti valued AVAs using '+' notation in config files for + req and dirName. + [Steve Henson] + + *) Support for nameConstraints certificate extension. + [Steve Henson] + *) Support for policyConstraints certificate extension. [Steve Henson] @@ -476,12 +545,17 @@ to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. - [Ben Laurie, Steve Henson, Geoff Thorpe] + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there - is no point in blinding anyway). + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). [Bodo Moeller] yet to be integrated into this CVS branch: @@ -2392,6 +2466,31 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6i and 0.9.6j [10 Apr 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked