X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=da6d7699961d7263d118612cdd87208483f0c129;hp=a1217540f2f10ffbee635e753722bb4ac6c5bead;hb=d575d2924cf2ba202ccc0378ba646eec8fc8b5a0;hpb=bc420ac592df14384ba4acf7104482123e8729ba diff --git a/CHANGES b/CHANGES index a1217540f2..da6d769996 100644 --- a/CHANGES +++ b/CHANGES @@ -3,7 +3,263 @@ _______________ - Changes between 0.9.1c and 0.9.2 + Changes between 0.9.2b and 0.9.3 + + *) New script util/mklink.pl as a faster substitute for util/mklink.sh. + [Bodo Moeller] + + *) Install various scripts to $(OPENSSLDIR)/misc, not to + $(INSTALLTOP)/bin -- they shouldn't clutter directories + such as /usr/local/bin. + [Bodo Moeller] + + *) "make linux-shared" to build shared libraries. + [Niels Poppe ] + + *) New Configure option no- (rsa, idea, rc5, ...). + [Ulf Möller] + + *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for + extension adding in x509 utility. + [Steve Henson] + + *) Remove NOPROTO sections and error code comments. + [Ulf Möller] + + *) Partial rewrite of the DEF file generator to now parse the ANSI + prototypes. + [Steve Henson] + + *) New Configure options --prefix=DIR and --openssldir=DIR. + [Ulf Möller] + + *) Complete rewrite of the error code script(s). It is all now handled + by one script at the top level which handles error code gathering, + header rewriting and C source file generation. It should be much better + than the old method: it now uses a modified version of Ulf's parser to + read the ANSI prototypes in all header files (thus the old K&R definitions + aren't needed for error creation any more) and do a better job of + translating function codes into names. The old 'ASN1 error code imbedded + in a comment' is no longer necessary and it doesn't use .err files which + have now been deleted. Also the error code call doesn't have to appear all + on one line (which resulted in some large lines...). + [Steve Henson] + + *) Change #include filenames from to . + [Bodo Moeller] + + *) Change behaviour of ssl2_read when facing length-0 packets: Don't return + 0 (which usually indicates a closed connection), but continue reading. + [Bodo Moeller] + + *) Fix some race conditions. + [Bodo Moeller] + + *) Add support for CRL distribution points extension. Add Certificate + Policies and CRL distribution points documentation. + [Steve Henson] + + *) Move the autogenerated header file parts to crypto/opensslconf.h. + [Ulf Möller] + + *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of + 8 of keying material. Merlin has also confirmed interop with this fix + between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0. + [Merlin Hughes ] + + *) Fix lots of warnings. + [Richard Levitte ] + + *) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if + the directory spec didn't end with a LIST_SEPARATOR_CHAR. + [Richard Levitte ] + + *) Fix problems with sizeof(long) == 8. + [Andy Polyakov ] + + *) Change functions to ANSI C. + [Ulf Möller] + + *) Fix typos in error codes. + [Martin Kraemer , Ulf Möller] + + *) Remove defunct assembler files from Configure. + [Ulf Möller] + + *) SPARC v8 assembler BIGNUM implementation. + [Andy Polyakov ] + + *) Support for Certificate Policies extension: both print and set. + Various additions to support the r2i method this uses. + [Steve Henson] + + *) A lot of constification, and fix a bug in X509_NAME_oneline() that could + return a const string when you are expecting an allocated buffer. + [Ben Laurie] + + *) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE + types DirectoryString and DisplayText. + [Steve Henson] + + *) Add code to allow r2i extensions to access the configuration database, + add an LHASH database driver and add several ctx helper functions. + [Steve Henson] + + *) Fix an evil bug in bn_expand2() which caused various BN functions to + fail when they extended the size of a BIGNUM. + [Steve Henson] + + *) Various utility functions to handle SXNet extension. Modify mkdef.pl to + support typesafe stack. + [Steve Henson] + + *) Fix typo in SSL_[gs]et_options(). + [Nils Frostberg ] + + *) Delete various functions and files that belonged to the (now obsolete) + old X509V3 handling code. + [Steve Henson] + + *) New Configure option "rsaref". + [Ulf Möller] + + *) Don't auto-generate pem.h. + [Bodo Moeller] + + *) Introduce type-safe ASN.1 SETs. + [Ben Laurie] + + *) Introduce type-safe STACKs. This will almost certainly break lots of code + that links with OpenSSL (well at least cause lots of warnings), but fear + not: the conversion is trivial, and it eliminates loads of evil casts. A + few STACKed things have been converted already. Feel free to convert more. + In the fullness of time, I'll do away with the STACK type altogether. + [Ben Laurie] + + *) Add `openssl ca -revoke ' facility which revokes a certificate + specified in by updating the entry in the index.txt file. + This way one no longer has to edit the index.txt file manually for + revoking a certificate. The -revoke option does the gory details now. + [Massimiliano Pala , Ralf S. Engelschall] + + *) Fix `openssl crl -noout -text' combination where `-noout' killed the + `-text' option at all and this way the `-noout -text' combination was + inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'. + [Ralf S. Engelschall] + + *) Make sure a corresponding plain text error message exists for the + X509_V_ERR_CERT_REVOKED/23 error number which can occur when a + verify callback function determined that a certificate was revoked. + [Ralf S. Engelschall] + + *) Bugfix: In test/testenc, don't test "openssl " for + ciphers that were excluded, e.g. by -DNO_IDEA. Also, test + all available cipers including rc5, which was forgotten until now. + In order to let the testing shell script know which algorithms + are available, a new (up to now undocumented) command + "openssl list-cipher-commands" is used. + [Bodo Moeller] + + *) Bugfix: s_client occasionally would sleep in select() when + it should have checked SSL_pending() first. + [Bodo Moeller] + + *) New functions DSA_do_sign and DSA_do_verify to provide access to + the raw DSA values prior to ASN.1 encoding. + [Ulf Möller] + + *) Tweaks to Configure + Niels Poppe + + *) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, + yet... + [Steve Henson] + + *) New variables $(RANLIB) and $(PERL) in the Makefiles. + [Ulf Möller] + + *) New config option to avoid instructions that are illegal on the 80386. + The default code is faster, but requires at least a 486. + [Ulf Möller] + + *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and + SSL2_SERVER_VERSION (not used at all) macros, which are now the + same as SSL2_VERSION anyway. + [Bodo Moeller] + + *) New "-showcerts" option for s_client. + [Bodo Moeller] + + *) Still more PKCS#12 integration. Add pkcs12 application to openssl + application. Various cleanups and fixes. + [Steve Henson] + + *) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and + modify error routines to work internally. Add error codes and PBE init + to library startup routines. + [Steve Henson] + + *) Further PKCS#12 integration. Added password based encryption, PKCS#8 and + packing functions to asn1 and evp. Changed function names and error + codes along the way. + [Steve Henson] + + *) PKCS12 integration: and so it begins... First of several patches to + slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 + objects to objects.h + [Steve Henson] + + *) Add a new 'indent' option to some X509V3 extension code. Initial ASN1 + and display support for Thawte strong extranet extension. + [Steve Henson] + + *) Add LinuxPPC support. + [Jeff Dubrule ] + + *) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to + bn_div_words in alpha.s. + [Hannes Reinecke and Ben Laurie] + + *) Make sure the RSA OAEP test is skipped under -DRSAref because + OAEP isn't supported when OpenSSL is built with RSAref. + [Ulf Moeller ] + + *) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h + so they no longer are missing under -DNOPROTO. + [Soren S. Jorvang ] + + Changes between 0.9.1c and 0.9.2b + + *) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still + doesn't work when the session is reused. Coming soon! + [Ben Laurie] + + *) Fix a security hole, that allows sessions to be reused in the wrong + context thus bypassing client cert protection! All software that uses + client certs and session caches in multiple contexts NEEDS PATCHING to + allow session reuse! A fuller solution is in the works. + [Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)] + + *) Some more source tree cleanups (removed obsolete files + crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed + permission on "config" script to be executable) and a fix for the INSTALL + document. + [Ulf Moeller ] + + *) Remove some legacy and erroneous uses of malloc, free instead of + Malloc, Free. + [Lennart Bang , with minor changes by Steve] + + *) Make rsa_oaep_test return non-zero on error. + [Ulf Moeller ] + + *) Add support for native Solaris shared libraries. Configure + solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice + if someone would make that last step automatic. + [Matthias Loepfe ] + + *) ctx_size was not built with the right compiler during "make links". Fixed. + [Ben Laurie] *) Change the meaning of 'ALL' in the cipher list. It now means "everything except NULL ciphers". This means the default cipher list will no longer @@ -158,10 +414,11 @@ unsigned to signed types: this was killing the Win32 compile. [Steve Henson] - *) Add new certificate file to stack functions, SSL_add_cert_file_to_stack() - and SSL_add_cert_dir_to_stack(). These largely supplant - SSL_load_client_CA_file(), and can be used to add multiple certs easily to - a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). + *) Add new certificate file to stack functions, + SSL_add_dir_cert_subjects_to_stack() and + SSL_add_file_cert_subjects_to_stack(). These largely supplant + SSL_load_client_CA_file(), and can be used to add multiple certs easily + to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()). This means that Apache-SSL and similar packages don't have to mess around to add as many CAs as they want to the preferred list. [Ben Laurie]