*) applies to 0.9.6a (/0.9.6b) and 0.9.7
+) applies to 0.9.7 only
+ +) Initial CRL based revocation checking. If the CRL checking flag(s)
+ are set then the CRL is looked up in the X509_STORE structure and
+ its validity and signature checked, then if the certificate is found
+ in the CRL the verify fails with a revoked error.
+
+ Various new CRL related callbacks added to X509_STORE_CTX structure.
+
+ Command line options added to 'verify' application to support this.
+
+ This needs some additional work, such as being able to handle multiple
+ CRLs with different times, extension based lookup (rather than just
+ by subject name) and ultimately more complete V2 CRL extension
+ handling.
+ [Steve Henson]
+
+ +) Add a general user interface API. This is designed to replace things
+ like des_read_password and friends (backward compatibility functions
+ using this new API are provided). The purpose is to remove prompting
+ functions from the DES code section as well as provide for prompting
+ through dialog boxes in a window system and the like.
+ [Richard Levitte]
+
+ *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
+ in the current directory if neither $RANDFILE nor $HOME was set.
+ RAND_file_name() in 0.9.6a returned NULL in this case. This has
+ caused some confusion to Windows users who haven't defined $HOME.
+ Thus RAND_file_name() is changed again: e_os.h can define a
+ DEFAULT_HOME, which will be used if $HOME is not set.
+ For Windows, we use "C:"; on other platforms, we still require
+ environment variables.
+
+ +) Add "ex_data" support to ENGINE so implementations can add state at a
+ per-structure level rather than having to store it globally.
+ [Geoff]
+
+ +) Make it possible for ENGINE structures to be copied when retrieved by
+ ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
+ This causes the "original" ENGINE structure to act like a template,
+ analogous to the RSA vs. RSA_METHOD type of separation. Because of this
+ operational state can be localised to each ENGINE structure, despite the
+ fact they all share the same "methods". New ENGINE structures returned in
+ this case have no functional references and the return value is the single
+ structural reference. This matches the single structural reference returned
+ by ENGINE_by_id() normally, when it is incremented on the pre-existing
+ ENGINE structure.
+ [Geoff]
+
+ +) Fix various bugs related to DSA S/MIME verification. Handle missing
+ parameters in DSA public key structures and return an error in the
+ DSA routines if parameters are absent.
+ [Steve Henson]
+
+ +) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
+ needs to match any other type at all we need to manually clear the
+ tag cache.
+ [Steve Henson]
+
+ +) Changes to the "openssl engine" utility to include;
+ - verbosity levels ('-v', '-vv', and '-vvv') that provide information
+ about an ENGINE's available control commands.
+ - executing control commands from command line arguments using the
+ '-pre' and '-post' switches. '-post' is only used if '-t' is
+ specified and the ENGINE is successfully initialised. The syntax for
+ the individual commands are colon-separated, for example;
+ openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
+ [Geoff]
+
+ +) New dynamic control command support for ENGINEs. ENGINEs can now
+ declare their own commands (numbers), names (strings), descriptions,
+ and input types for run-time discovery by calling applications. A
+ subset of these commands are implicitly classed as "executable"
+ depending on their input type, and only these can be invoked through
+ the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
+ can be based on user input, config files, etc). The distinction is
+ that "executable" commands cannot return anything other than a boolean
+ result and can only support numeric or string input, whereas some
+ discoverable commands may only be for direct use through
+ ENGINE_ctrl(), eg. supporting the exchange of binary data, function
+ pointers, or other custom uses. The "executable" commands are to
+ support parameterisations of ENGINE behaviour that can be
+ unambiguously defined by ENGINEs and used consistently across any
+ OpenSSL-based application. Commands have been added to all the
+ existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
+ control over shared-library paths without source code alterations.
+ [Geoff]
+
+ +) Changed all ENGINE implementations to dynamically allocate their
+ ENGINEs rather than declaring them statically. Apart from this being
+ necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
+ this also allows the implementations to compile without using the
+ internal engine_int.h header.
+ [Geoff]
+
+ +) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
+ 'const' value. Any code that should be able to modify a RAND_METHOD
+ should already have non-const pointers to it (ie. they should only
+ modify their own ones).
+ [Geoff]
+
+ +) Made a variety of little tweaks to the ENGINE code.
+ - "atalla" and "ubsec" string definitions were moved from header files
+ to C code. "nuron" string definitions were placed in variables
+ rather than hard-coded - allowing parameterisation of these values
+ later on via ctrl() commands.
+ - Removed unused "#if 0"'d code.
+ - Fixed engine list iteration code so it uses ENGINE_free() to release
+ structural references.
+ - Constified the RAND_METHOD element of ENGINE structures.
+ - Constified various get/set functions as appropriate and added
+ missing functions (including a catch-all ENGINE_cpy that duplicates
+ all ENGINE values onto a new ENGINE except reference counts/state).
+ - Removed NULL parameter checks in get/set functions. Setting a method
+ or function to NULL is a way of cancelling out a previously set
+ value. Passing a NULL ENGINE parameter is just plain stupid anyway
+ and doesn't justify the extra error symbols and code.
+ - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
+ flags from engine_int.h to engine.h.
+ - Changed prototypes for ENGINE handler functions (init(), finish(),
+ ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
+ [Geoff]
+
*) Move 'if (!initialized) RAND_poll()' into regions protected by
CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
- having multiple threads calling RAND_poll() concurrently.
+ having multiple threads call RAND_poll() concurrently.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
projects / openssl.git / blobdiff