OpenSSL CHANGES
_______________
- Changes between 0.9.8g and 0.9.9 [xx XXX xxxx]
+ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
- *) Revamp of LHASH to provide stronger type-checking. Still to come:
- STACK, TXT_DB, bsearch, qsort.
+ *) Removed effectively defunct crypto/store from the build.
[Ben Laurie]
- *) Not all of this is true any longer.
- Will have to be updated to reflect all subsequent changes to cryptlib.c.
- --bodo
-
-
- To support arbitrarily-typed thread IDs, deprecate the existing
- type-specific APIs for a general purpose CRYPTO_THREADID
- interface. Applications can choose the thread ID
- callback type it wishes to register, as before;
-
- void CRYPTO_set_id_callback(unsigned long (*func)(void));
- void CRYPTO_set_idptr_callback(void *(*func)(void));
-
- but retrieval, copies, and comparisons of thread IDs are via
- type-independent interfaces;
-
- void CRYPTO_THREADID_set(CRYPTO_THREADID *id);
- void CRYPTO_THREADID_cmp(const CRYPTO_THREADID *id1,
- const CRYPTO_THREADID *id2);
- void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dst,
- const CRYPTO_THREADID *src);
-
- Also, for code that needs a thread ID "value" for use in
- hash-tables or logging, a "hash" is available by;
-
- unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-
- This hash value is likely to be the thread ID anyway, but
- otherwise it will be unique if possible or as collision-free as
- possible if uniqueness can't be guaranteed on the target
- architecture.
-
- The following functions are deprecated;
- unsigned long (*CRYPTO_get_id_callback(void))(void);
- unsigned long CRYPTO_thread_id(void);
-
- As a consequence of the above, there are similar deprecations of
- BN_BLINDING functions in favour of CRYPTO_THREADID-based
- alternatives;
-
- #ifndef OPENSSL_NO_DEPRECATED
- unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
- void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
- #endif
- void BN_BLINDING_set_thread(BN_BLINDING *);
- int BN_BLINDING_cmp_thread(const BN_BLINDING *, const
- CRYPTO_THREADID *);
-
- Also, the ERR_remove_state(int pid) API has been deprecated;
+ *) Revamp of STACK to provide stronger type-checking. Still to come:
+ TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
+ ASN1_STRING, CONF_VALUE.
+ [Ben Laurie]
- #ifndef OPENSSL_NO_DEPRECATED
- void ERR_remove_state(unsigned long pid)
- #endif
- void ERR_remove_thread_state(CRYPTO_THREADID *tid);
+ *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
+ RAM on SSL connections. This option can save about 34k per idle SSL.
+ [Nick Mathewson]
- [Geoff Thorpe]
+ *) Revamp of LHASH to provide stronger type-checking. Still to come:
+ STACK, TXT_DB, bsearch, qsort.
+ [Ben Laurie]
*) Initial support for Cryptographic Message Syntax (aka CMS) based
on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
callback is &errno.
[Bodo Moeller]
- -- NOTE -- this change has been reverted and replaced with a
- type-independent wrapper (ie. applications do not have to check
- two type-specific thread ID representations as implied in this
- change note). However, the "idptr" callback form described here
- can still be registered. Please see the more recent CHANGES note
- regarding CRYPTO_THREADID. [Geoff Thorpe]
- -- NOTE --
-
*) Change the array representation of binary polynomials: the list
of degrees of non-zero coefficients is now terminated with -1.
Previously it was terminated with 0, which was also part of the
*) Change 'Configure' script to enable Camellia by default.
[NTT]
- Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
+ Changes between 0.9.8h and 0.9.8i [xx XXX xxxx]
+
+ *) Add support for Local Machine Keyset attribute in PKCS#12 files.
+ [Steve Henson]
+
+ *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
+ [Huang Ying]
+
+ *) Expand ENGINE to support engine supplied SSL client certificate functions.
+
+ This work was sponsored by Logica.
+ [Steve Henson]
+
+ *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
+ keystores. Support for SSL/TLS client authentication too.
+ Not compiled unless enable-capieng specified to Configure.
+
+ This work was sponsored by Logica.
+ [Steve Henson]
+
+ Changes between 0.9.8g and 0.9.8h [28 May 2008]
+
+ *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+ handshake which could lead to a cilent crash as found using the
+ Codenomicon TLS test suite (CVE-2008-1672)
+ [Steve Henson, Mark Cox]
+
+ *) Fix double free in TLS server name extensions which could lead to
+ a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
+ [Joe Orton]
*) Clear error queue in SSL_CTX_use_certificate_chain_file()