X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=a3f08fa60e05135038dce3f18a12156cc178e475;hp=15b69a3f3d4a54f50fd9ab27b3cc85bb69d9db2a;hb=6f7c2cb31e6856435eb8e4a59ae18eda2fce34b2;hpb=8e28c6715579d2ca7529de7aff257fa03a28bf93 diff --git a/CHANGES b/CHANGES index 15b69a3f3d..a3f08fa60e 100644 --- a/CHANGES +++ b/CHANGES @@ -4,18 +4,68 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] + *) Change the ENGINE framework to automatically load engines + dynamically from specific directories unless they could be + found to already be built in or loaded. Move all the + current engines except for the cryptodev one to a new + directory engines/. + The engines in engines/ are built as shared libraries if + the "shared" options was given to ./Configure or ./config. + Otherwise, they are inserted in libcrypto.a. + /usr/local/ssl/engines is the default directory for dynamic + engines, but that can be overriden with the environment + variable OPENSSL_ENGINES. + [Geoff Thorpe and Richard Levitte] + + *) Add Makefile.shared, a helper makefile to build shared + libraries. Addapt Makefile.org. + [Richard Levitte] + + *) Add version info to Win32 DLLs. + [Peter 'Luna' Runestig" ] + + *) Add new 'medium level' PKCS#12 API. Certificates and keys + can be added using this API to created arbitrary PKCS#12 + files while avoiding the low level API. + + New options to PKCS12_create(), key or cert can be NULL and + will then be omitted from the output file. The encryption + algorithm NIDs can be set to -1 for no encryption, the mac + iteration count can be set to 0 to omit the mac. + + Enhance pkcs12 utility by making the -nokeys and -nocerts + options work when creating a PKCS#12 file. New option -nomac + to omit the mac, NONE can be set for an encryption algorithm. + New code is modified to use the enhanced PKCS12_create() + instead of the low level API. + [Steve Henson] + + *) Extend ASN1 encoder to support indefinite length constructed + encoding. This can output sequences tags and octet strings in + this form. Modify pk7_asn1.c to support indefinite length + encoding. This is experimental and needs additional code to + be useful, such as an ASN1 bio and some enhanced streaming + PKCS#7 code. + + Extend template encode functionality so that tagging is passed + down to the template encoder. + [Steve Henson] + + *) Let 'openssl req' fail if an argument to '-newkey' is not + recognized instead of using RSA as a default. + [Bodo Moeller] + *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt. As these are not official, they are not included in "ALL"; the "ECCdraft" ciphersuite group alias can be used to select them. [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)] -TODO: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not handle ECCdraft -cipher suites correctly. - *) Add ECDH engine support. [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)] *) Add ECDH in new directory crypto/ecdh/. +TODO: more general interface (return x coordinate, not its hash) +TODO: bug: pad x with leading zeros if necessary [Douglas Stebila (Sun Microsystems Laboratories)] *) Let BN_rand_range() abort with an error after 100 iterations @@ -233,17 +283,35 @@ cipher suites correctly. [Nils Larsch ] *) Include some named elliptic curves, and add OIDs from X9.62, - SECG, and WAP/WTLS. The curves can be obtained from the new - functions - EC_GROUP_new_by_nid() - EC_GROUP_new_by_name() + SECG, and WAP/WTLS. Each curve can be obtained from the new + function + EC_GROUP_new_by_nid(), + and the list of available named curves can be obtained with + EC_get_builtin_curves(). Also add a 'curve_name' member to EC_GROUP objects, which can be accessed via EC_GROUP_set_nid() EC_GROUP_get_nid() [Nils Larsch , Steve Henson] + + *) The "block size" for block ciphers in CFB and OFB mode should be 1. + [Steve Henson, reported by Yngve Nysaeter Pettersen ] *) Make sure tests can be performed even if the corresponding algorithms have been removed entirely. This was also the last step to make @@ -267,8 +335,8 @@ cipher suites correctly. # Place yourself outside of the OpenSSL source tree. In # this example, the environment variable OPENSSL_SOURCE # is assumed to contain the absolute OpenSSL source directory. - mkdir -p objtree/`uname -s`-`uname -r`-`uname -m` - cd objtree/`uname -s`-`uname -r`-`uname -m` + mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" + cd objtree/"`uname -s`-`uname -r`-`uname -m`" (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do mkdir -p `dirname $F` ln -s $OPENSSL_SOURCE/$F $F @@ -1908,6 +1976,31 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6g and 0.9.6h [xx XXX xxxx] + + *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c + (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). + [Bodo Moeller] + + *) Fix initialization code race conditions in + SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), + SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), + SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), + TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), + ssl2_get_cipher_by_char(), + ssl3_get_cipher_by_char(). + [Patrick McCormick , Bodo Moeller] + + *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after + the cached sessions are flushed, as the remove_cb() might use ex_data + contents. Bug found by Sam Varshavchik + (see [openssl.org #212]). + [Geoff Thorpe, Lutz Jaenicke] + + *) Fix typo in OBJ_txt2obj which incorrectly passed the content + length, instead of the encoding length to d2i_ASN1_OBJECT. + [Steve Henson] + Changes between 0.9.6f and 0.9.6g [9 Aug 2002] *) [In 0.9.6g-engine release:] @@ -1926,7 +2019,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper , Bodo Moeller] - + Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) Add various sanity checks to asn1_get_length() to reject @@ -1977,11 +2070,6 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> - *) Remote buffer overflow in SSL3 protocol - an attacker could - supply an oversized master key in Kerberos-enabled versions. - (CAN-2002-0657) - [Ben Laurie (CHATS)] - *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] @@ -2076,13 +2164,13 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k value is 0. [Richard Levitte] - *) Add the configuration target linux-s390x. - [Neale Ferguson via Richard Levitte] - *) [In 0.9.6d-engine release:] Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk via Richard Levitte] + *) Add the configuration target linux-s390x. + [Neale Ferguson via Richard Levitte] + *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag variable as an indication that a ClientHello message has been