X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=966a90021c9b6e62d777e523aaddad604c40a027;hp=f2a467bb248c59ed5ba4bd8b7bc8c6fb6817176a;hb=1cbf663a6c89dcf8f7706d30a8bae675e2e0199a;hpb=6bf79e30eaa376df1bccaa6608e55b157044335d diff --git a/CHANGES b/CHANGES index f2a467bb24..966a90021c 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,7 +2,68 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8g and 0.9.9 [xx XXX xxxx] + Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] + + *) Add support for distinct certificate and CRL paths. The CRL issuer + certificate is validated separately in this case. Only enabled if + an extended CRL support flag is set: this flag will enable additional + CRL functionality in future. + + This work was sponsored by Google. + [Steve Henson] + + *) Add support for policy mappings extension. + + This work was sponsored by Google. + [Steve Henson] + + *) Fixes to pathlength constraint, self issued certificate handling, + policy processing to align with RFC3280 and PKITS tests. + + This work was sponsored by Google. + [Steve Henson] + + *) Support for name constraints certificate extension. DN, email, DNS + and URI types are currently supported. + + This work was sponsored by Google. + [Steve Henson] + + *) To cater for systems that provide a pointer-based thread ID rather + than numeric, deprecate the current numeric thread ID mechanism and + replace it with a structure and associated callback type. This + mechanism allows a numeric "hash" to be extracted from a thread ID in + either case, and on platforms where pointers are larger than 'long', + mixing is done to help ensure the numeric 'hash' is usable even if it + can't be guaranteed unique. The default mechanism is to use "&errno" + as a pointer-based thread ID to distinguish between threads. + + Applications that want to provide their own thread IDs should now use + CRYPTO_THREADID_set_callback() to register a callback that will call + either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer(). + + Note that ERR_remove_state() is now deprecated, because it is tied + to the assumption that thread IDs are numeric. ERR_remove_state(0) + to free the current thread's error state should be replaced by + ERR_remove_thread_state(NULL). 
+ + (This new approach replaces the functions CRYPTO_set_idptr_callback(), + CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in + OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an + application was previously providing a numeric thread callback that + was inappropriate for distinguishing threads, then uniqueness might + have been obtained with &errno that happened immediately in the + intermediate development versions of OpenSSL; this is no longer the + case, the numeric thread callback will now override the automatic use + of &errno.) + [Geoff Thorpe, with help from Bodo Moeller] + + *) Initial support for different CRL issuing certificates. This covers a + simple case where the self issued certificates in the chain exist and + the real CRL issuer is higher in the existing chain. + + This work was sponsored by Google. + [Steve Henson] *) Removed effectively defunct crypto/store from the build. [Ben Laurie] 
@@ -20,63 +81,6 @@ STACK, TXT_DB, bsearch, qsort. [Ben Laurie] - *) Not all of this is true any longer. - Will have to be updated to reflect all subsequent changes to cryptlib.c. - --bodo - - - To support arbitrarily-typed thread IDs, deprecate the existing - type-specific APIs for a general purpose CRYPTO_THREADID - interface. Applications can choose the thread ID - callback type it wishes to register, as before; - - void CRYPTO_set_id_callback(unsigned long (*func)(void)); - void CRYPTO_set_idptr_callback(void *(*func)(void)); - - but retrieval, copies, and comparisons of thread IDs are via - type-independent interfaces; - - void CRYPTO_THREADID_set(CRYPTO_THREADID *id); - void CRYPTO_THREADID_cmp(const CRYPTO_THREADID *id1, - const CRYPTO_THREADID *id2); - void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dst, - const CRYPTO_THREADID *src); - - Also, for code that needs a thread ID "value" for use in - hash-tables or logging, a "hash" is available by; - - unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id); - - This hash value is likely to be the thread ID anyway, but - otherwise it will be unique if possible or as collision-free as - possible if uniqueness can't be guaranteed on the target - architecture. 
- - The following functions are deprecated; - unsigned long (*CRYPTO_get_id_callback(void))(void); - unsigned long CRYPTO_thread_id(void); - - As a consequence of the above, there are similar deprecations of - BN_BLINDING functions in favour of CRYPTO_THREADID-based - alternatives; - - #ifndef OPENSSL_NO_DEPRECATED - unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); - void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); - #endif - void BN_BLINDING_set_thread(BN_BLINDING *); - int BN_BLINDING_cmp_thread(const BN_BLINDING *, const - CRYPTO_THREADID *); - - Also, the ERR_remove_state(int pid) API has been deprecated; - - #ifndef OPENSSL_NO_DEPRECATED - void ERR_remove_state(unsigned long pid) - #endif - void ERR_remove_thread_state(CRYPTO_THREADID *tid); - - [Geoff Thorpe] - *) Initial support for Cryptographic Message Syntax (aka CMS) based on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility, support for data, signedData, compressedData, digestedData and 
@@ -359,38 +363,6 @@ list-message-digest-algorithms and list-cipher-algorithms. [Steve Henson] - *) In addition to the numerical (unsigned long) thread ID, provide - for a pointer (void *) thread ID. This helps accomodate systems - that do not provide an unsigned long thread ID. OpenSSL assumes - it is in the same thread iff both the numerical and the pointer - thread ID agree; so applications are just required to define one - of them appropriately (e.g., by using a pointer to a per-thread - memory object malloc()ed by the application for the pointer-type - thread ID). Exactly analoguous to the existing functions - - void CRYPTO_set_id_callback(unsigned long (*func)(void)); - unsigned long (*CRYPTO_get_id_callback(void))(void); - unsigned long CRYPTO_thread_id(void); - - we now have additional functions - - void CRYPTO_set_idptr_callback(void *(*func)(void)); - void *(*CRYPTO_get_idptr_callback(void))(void); - void *CRYPTO_thread_idptr(void); - - also in . The default value for - CRYPTO_thread_idptr() if the application has not provided its own - callback is &errno. - [Bodo Moeller] - - -- NOTE -- this change has been reverted and replaced with a - type-independent wrapper (ie. applications do not have to check - two type-specific thread ID representations as implied in this - change note). However, the "idptr" callback form described here - can still be registered. Please see the more recent CHANGES note - regarding CRYPTO_THREADID. [Geoff Thorpe] - -- NOTE -- - *) Change the array representation of binary polynomials: the list of degrees of non-zero coefficients is now terminated with -1. Previously it was terminated with 0, which was also part of the 
@@ -702,11 +674,22 @@ Changes between 0.9.8h and 0.9.8i [xx XXX xxxx] + *) Add support for Local Machine Keyset attribute in PKCS#12 files. + [Steve Henson] + + *) Fix BN_GF2m_mod_arr() top-bit cleanup code. + [Huang Ying] + *) Expand ENGINE to support engine supplied SSL client certificate functions. + + This work was sponsored by Logica. [Steve Henson] - *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. + *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows + keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure. + + This work was sponsored by Logica. [Steve Henson] Changes between 0.9.8g and 0.9.8h [28 May 2008]
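Review bot: In the first hunk (@@ -2,7 +2,68 @@), the CRYPTO_THREADID entry states its one behaviour change for existing applications only inside the closing parenthetical: "the numeric thread callback will now override the automatic use of &errno". An application whose numeric callback does not actually distinguish threads loses the &errno fallback described for the intermediate development versions, so this belongs in its own paragraph outside the parentheses. The clause "uniqueness might have been obtained with &errno that happened immediately in the intermediate development versions" should also be reworded so that it parses. In the same hunk, the entry for distinct certificate and CRL paths says the feature is "Only enabled if an extended CRL support flag is set" without naming the flag; name it so readers can find it in the headers.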
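Review bot: In the second hunk (@@ -20,63 +81,6 @@), the removed entry is the only place in this diff that names CRYPTO_THREADID_hash(), CRYPTO_THREADID_cmp(), CRYPTO_THREADID_cpy() and the BN_BLINDING_get_thread_id()/BN_BLINDING_set_thread_id() deprecations. The replacement entry added in the first hunk describes a numeric "hash" but names only CRYPTO_THREADID_set_callback(), CRYPTO_THREADID_set_numeric(), CRYPTO_THREADID_set_pointer() and ERR_remove_thread_state(). The removed text carried its own warning that "Not all of this is true any longer", so dropping it is reasonable, but the parts that still hold should be carried into the new entry, in particular the function that returns the hash and whether the BN_BLINDING deprecations still apply.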
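Review bot: In the last hunk (@@ -702,11 +674,22 @@), the new entry "Fix BN_GF2m_mod_arr() top-bit cleanup code." does not say what the defect caused, so a reader cannot tell from CHANGES whether results computed with 0.9.8h are affected. Add a clause describing the visible effect of the bug and the conditions under which it occurred. The rewrapped CryptoAPI ENGINE entry also reads "Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure."; it would be clearer if it said that the whole ENGINE, not just the client authentication support, is left out of the build without that option.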