Changes between 0.9.7c and 0.9.8 [xx XXX xxxx]
+ *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
+ This will generate a random key of the appropriate length based on the
+ cipher context. The EVP_CIPHER can provide its own random key generation
+ routine to support keys of a specific form. This is used in the des and
+ 3des routines to generate a key of the correct parity. Update S/MIME
+ code to use new functions and hence generate correct parity DES keys.
+ Add EVP_CHECK_DES_KEY #define to return an error if the key is not
+ valid (weak or incorrect parity).
+ [Steve Henson]
+
+ *) Add a local set of CRLs that can be used by X509_verify_cert() as well
+ as looking them up. This is useful when the verified structure may contain
+ CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
+ present unless the new PKCS7_NO_CRL flag is asserted.
+ [Steve Henson]
+
+ *) Extend ASN1 oid configuration module. It now additionally accepts the
+ syntax:
+
+ shortName = some long name, 1.2.3.4
+ [Steve Henson]
+
+ *) Reimplemented the BN_CTX implementation. There is now no more static
+ limitation on the number of variables it can handle nor the depth of the
+ "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
+ information can now expand as required, and rather than having a single
+ static array of bignums, BN_CTX now uses a linked-list of such arrays
+ allowing it to expand on demand whilst maintaining the usefulness of
+ BN_CTX's "bundling".
+ [Geoff Thorpe]
+
+ *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
+ to allow all RSA operations to function using a single BN_CTX.
+ [Geoff Thorpe]
+
+ *) Preliminary support for certificate policy evaluation and checking. This
+ is initially intended to pass the tests outlined in "Conformance Testing
+ of Relying Party Client Certificate Path Processing Logic" v1.07.
+ [Steve Henson]
+
+ *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
+ remained unused and not that useful. A variety of other little bignum
+ tweaks and fixes have also been made continuing on from the audit (see
+ below).
+ [Geoff Thorpe]
+
+ *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
+ associated ASN1, EVP and SSL functions and old ASN1 macros.
+ [Richard Levitte]
+
+ *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
+ and this should never fail. So the return value from the use of
+ BN_set_word() (which can fail due to needless expansion) is now deprecated;
+ if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
+ [Geoff Thorpe]
+
+ *) BN_CTX_get() should return zero-valued bignums, providing the same
+ initialised value as BN_new().
+ [Geoff Thorpe, suggested by Ulf Möller]
+
+ *) Support for inhibitAnyPolicy certificate extension.
+ [Steve Henson]
+
*) An audit of the BIGNUM code is underway, for which debugging code is
enabled when BN_DEBUG is defined. This makes stricter enforcements on what
is considered valid when processing BIGNUMs, and causes execution to
some point, these tighter rules will become openssl's default to improve
maintainability, though the assert()s and other overheads will remain only
in debugging configurations. See bn.h for more details.
- [Geoff Thorpe]
+ [Geoff Thorpe, Nils Larsch, Ulf Möller]
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
that can only be obtained through BN_CTX_new() (which implicitly
Changes between 0.9.7c and 0.9.7d [xx XXX XXXX]
+ *) X509 verify fixes. Disable broken certificate workarounds when
+ X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
+ keyUsage extension present. Don't accept CRLs with unhandled critical
+ extensions: since verify currently doesn't process CRL extensions this
+ rejects a CRL with *any* critical extensions. Add new verify error codes
+ for these cases.
+ [Steve Henson]
+
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
projects / openssl.git / blobdiff