X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=b26145ce44ee2ab703836681b750d87115bd3b1f;hp=8b033f42bf6671e4b3bbab4e0e5b6a2042e90f91;hb=b96eb06f7907da2fef89c0c7b89ce4dedc593ecc;hpb=bb7cd4e3ebb9c1114b7fb6f6d0e4c280ef984889 diff --git a/CHANGES b/CHANGES index 8b033f42bf..b26145ce44 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,134 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 1999] + *) Add a password callback function PEM_cb() which either prompts for + a password if usr_data is NULL or otherwise assumes it is a null + terminate password. Allow passwords to be passed on command line + environment or config files in a few more utilities. + [Steve Henson] + + *) Add a bunch of DER and PEM functions to handle PKCS#8 format private + keys. Add some short names for PKCS#8 PBE algorithms and allow them + to be specified on the command line for the pkcs8 and pkcs12 utilities. + Update documentation. + [Steve Henson] + + *) Support for ASN1 "NULL" type. This could be handled before by using + ASN1_TYPE but there wasn't any function that would try to read a NULL + and produce an error if it couldn't. For compatibility we also have + ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and + don't allocate anything because they don't need to. + [Steve Henson] + + *) Initial support for MacOS is now provided. Examine INSTALL.MacOS + for details. + [Andy Polyakov, Roy Woods ] + + *) Rebuild of the memory allocation routines used by OpenSSL code and + possibly others as well. The purpose is to make an interface that + provide hooks so anyone can build a separate set of allocation and + deallocation routines to be used by OpenSSL, for example if memory + pool implementations, or something else. The same is provided for + memory debugging code. OpenSSL already comes with code that finds + memory leaks, but this gives people a chance to debug other memory + problems. + + With these changes, a new set of functions and macros have appeared: + + CRYPTO_set_mem_debug_functions() [F] + CRYPTO_get_mem_debug_functions() [F] + CRYPTO_dbg_set_options() [F] + CRYPTO_dbg_get_options() [F] + CRYPTO_melloc_debug_init() [M] + + The memory debug functions are NULL by default, unless the library + is compiled with CRYPTO_MDEBUG or friends is defined. If someone + wants to debug memory anyway, CRYPTO_malloc_debug_init() or + CRYPTO_set_mem_debug_functions() must be used. + + Also, things like CRYPTO_set_mem_functions will always give the + expected result (the new set of functions is used for allocation + and deallocation) at all times, regardless of platform and compiler + options. + + To finish it up, some functions that were never use in any other + way than through macros have a new API and new semantic: + + CRYPTO_dbg_malloc() + CRYPTO_dbg_realloc() + CRYPTO_dbg_free() + + All macros of value have retained their old syntax. + [Richard Levitte] + + *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the + ordering of SMIMECapabilities wasn't in "strength order" and there + was a missing NULL in the AlgorithmIdentifier for the SHA1 signature + algorithm. + [Steve Henson] + + *) Some ASN1 types with illegal zero length encoding (INTEGER, + ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines. + [Frans Heymans , modified by Steve Henson] + + *) Merge in my S/MIME library for OpenSSL. This provides a simple + S/MIME API on top of the PKCS#7 code, a MIME parser (with enough + functionality to handle multipart/signed properly) and a utility + called 'smime' to call all this stuff. This is based on code I + originally wrote for Celo who have kindly allowed it to be + included in OpenSSL. + [Steve Henson] + + *) Add variants des_set_key_checked and des_set_key_unchecked of + des_set_key (aka des_key_sched). Global variable des_check_key + decides which of these is called by des_set_key; this way + des_check_key behaves as it always did, but applications and + the library itself, which was buggy for des_check_key == 1, + have a cleaner way to pick the version they need. + [Bodo Moeller] + + *) New function PKCS12_newpass() which changes the password of a + PKCS12 structure. + [Steve Henson] + + *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and + dynamic mix. In both cases the ids can be used as an index into the + table. Also modified the X509_TRUST_add() and X509_PURPOSE_add() + functions so they accept a list of the field values and the + application doesn't need to directly manipulate the X509_TRUST + structure. + [Steve Henson] + + *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't + need initialising. + [Steve Henson] + + *) Modify the way the V3 extension code looks up extensions. This now + works in a similar way to the object code: we have some "standard" + extensions in a static table which is searched with OBJ_bsearch() + and the application can add dynamic ones if needed. The file + crypto/x509v3/ext_dat.h now has the info: this file needs to be + updated whenever a new extension is added to the core code and kept + in ext_nid order. There is a simple program 'tabtest.c' which checks + this. New extensions are not added too often so this file can readily + be maintained manually. + + There are two big advantages in doing things this way. The extensions + can be looked up immediately and no longer need to be "added" using + X509V3_add_standard_extensions(): this function now does nothing. + [Side note: I get *lots* of email saying the extension code doesn't + work because people forget to call this function] + Also no dynamic allocation is done unless new extensions are added: + so if we don't add custom extensions there is no need to call + X509V3_EXT_cleanup(). + [Steve Henson] + + *) Modify enc utility's salting as follows: make salting the default. Add a + magic header, so unsalted files fail gracefully instead of just decrypting + to garbage. This is because not salting is a big security hole, so people + should be discouraged from doing it. + [Ben Laurie] + *) Fixes and enhancements to the 'x509' utility. It allowed a message digest to be passed on the command line but it only used this parameter when signing a certificate. Modified so all relevant @@ -49,7 +177,7 @@ public keys in a format compatible with certificate SubjectPublicKeyInfo structures. Unfortunately there were already functions called *_PublicKey_* which used various odd formats so - these are retained for compatability: however the DSA variants were + these are retained for compatibility: however the DSA variants were never in a public release so they have been deleted. Changed dsa/rsa utilities to handle the new format: note no releases ever handled public keys so we should be OK. @@ -60,7 +188,7 @@ require various evil hacks to allow partial transparent handling and even then it doesn't work with DER formats. Given the option anything other than PKCS#8 should be dumped: but the other formats have to - stay in the name of compatability. + stay in the name of compatibility. With public keys and the benefit of hindsight one standard format is used which works with EVP_PKEY, RSA or DSA structures: though @@ -172,7 +300,7 @@ functions. An X509_AUX function such as PEM_read_X509_AUX() can still read in a certificate file in the usual way but it will also read in any additional "auxiliary information". By - doing things this way a fair degree of compatability can be + doing things this way a fair degree of compatibility can be retained: existing certificates can have this information added using the new 'x509' options. @@ -235,7 +363,7 @@ Use the random seed file in some applications that previously did not: ca, - dsaparam -genkey (which also ignored its `-rand' option), + dsaparam -genkey (which also ignored its '-rand' option), s_client, s_server, x509 (when signing). @@ -244,9 +372,9 @@ for RSA signatures we could do without one. gendh and gendsa (unlike genrsa) used to read only the first byte - of each file listed in the `-rand' option. The function as previously + of each file listed in the '-rand' option. The function as previously found in genrsa is now in app_rand.c and is used by all programs - that support `-rand'. + that support '-rand'. [Bodo Moeller] *) In RAND_write_file, use mode 0600 for creating files;