Changes between 0.9.8i and 0.9.9 [xx XXX xxxx]
+ *) Delta CRL support. New use deltas option which will attempt to locate
+ and search any appropriate delta CRLs available.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Support for CRLs partitioned by reason code. Reorganise CRL processing
+ code and add additional score elements. Validate alternate CRL paths
+ as part of the CRL checking and indicate a new error "CRL path validation
+ error" in this case. Applications wanting additional details can use
+ the verify callback and check the new "parent" field. If this is not
+ NULL CRL path validation is taking place. Existing applications wont
+ see this because it requires extended CRL support which is off by
+ default.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Support for freshest CRL extension.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Initial indirect CRL support. Currently only supported in the CRLs
+ passed directly and not via lookup. Process certificate issuer
+ CRL entry extension and lookup CRL entries by bother issuer name
+ and serial number. Check and process CRL issuer entry in IDP extension.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Add support for distinct certificate and CRL paths. The CRL issuer
+ certificate is validated separately in this case. Only enabled if
+ an extended CRL support flag is set: this flag will enable additional
+ CRL functionality in future.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Add support for policy mappings extension.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Fixes to pathlength constraint, self issued certificate handling,
+ policy processing to align with RFC3280 and PKITS tests.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) Support for name constraints certificate extension. DN, email, DNS
+ and URI types are currently supported.
+
+ This work was sponsored by Google.
+ [Steve Henson]
+
+ *) To cater for systems that provide a pointer-based thread ID rather
+ than numeric, deprecate the current numeric thread ID mechanism and
+ replace it with a structure and associated callback type. This
+ mechanism allows a numeric "hash" to be extracted from a thread ID in
+ either case, and on platforms where pointers are larger than 'long',
+ mixing is done to help ensure the numeric 'hash' is usable even if it
+ can't be guaranteed unique. The default mechanism is to use "&errno"
+ as a pointer-based thread ID to distinguish between threads.
+
+ Applications that want to provide their own thread IDs should now use
+ CRYPTO_THREADID_set_callback() to register a callback that will call
+ either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
+
+ Note that ERR_remove_state() is now deprecated, because it is tied
+ to the assumption that thread IDs are numeric. ERR_remove_state(0)
+ to free the current thread's error state should be replaced by
+ ERR_remove_thread_state(NULL).
+
+ (This new approach replaces the functions CRYPTO_set_idptr_callback(),
+ CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
+ OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
+ application was previously providing a numeric thread callback that
+ was inappropriate for distinguishing threads, then uniqueness might
+ have been obtained with &errno that happened immediately in the
+ intermediate development versions of OpenSSL; this is no longer the
+ case, the numeric thread callback will now override the automatic use
+ of &errno.)
+ [Geoff Thorpe, with help from Bodo Moeller]
+
*) Initial support for different CRL issuing certificates. This covers a
simple case where the self issued certificates in the chain exist and
the real CRL issuer is higher in the existing chain.
+
+ This work was sponsored by Google.
[Steve Henson]
*) Removed effectively defunct crypto/store from the build.
list-message-digest-algorithms and list-cipher-algorithms.
[Steve Henson]
- *) In addition to the numerical (unsigned long) thread ID, provide
- for a pointer (void *) thread ID. This helps accomodate systems
- that do not provide an unsigned long thread ID. OpenSSL assumes
- it is in the same thread iff both the numerical and the pointer
- thread ID agree; so applications are just required to define one
- of them appropriately (e.g., by using a pointer to a per-thread
- memory object malloc()ed by the application for the pointer-type
- thread ID). Exactly analoguous to the existing functions
-
- void CRYPTO_set_id_callback(unsigned long (*func)(void));
- unsigned long (*CRYPTO_get_id_callback(void))(void);
- unsigned long CRYPTO_thread_id(void);
-
- we now have additional functions
-
- void CRYPTO_set_idptr_callback(void *(*func)(void));
- void *(*CRYPTO_get_idptr_callback(void))(void);
- void *CRYPTO_thread_idptr(void);
-
- also in <openssl/crypto.h>. The default value for
- CRYPTO_thread_idptr() if the application has not provided its own
- callback is &errno.
- [Bodo Moeller]
-
*) Change the array representation of binary polynomials: the list
of degrees of non-zero coefficients is now terminated with -1.
Previously it was terminated with 0, which was also part of the
Changes between 0.9.8h and 0.9.8i [xx XXX xxxx]
+ *) Various precautionary measures:
+
+ - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
+
+ - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
+ (NB: This would require knowledge of the secret session ticket key
+ to exploit, in which case you'd be SOL either way.)
+
+ - Change bn_nist.c so that it will properly handle input BIGNUMs
+ outside the expected range.
+
+ - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
+ builds.
+
+ [Neel Mehta, Bodo Moeller]
+
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
[Steve Henson]