OpenSSL CHANGES | |
_______________ | |
Changes between 0.9.1c and 0.9.2 | |
*) Add support for Triple DES Cipher Block Chaining with Output Feedback | |
Masking (CBCM). In the absence of test vectors, the best I have been able | |
to do is check that the decrypt undoes the encrypt, so far. Send me test | |
vectors if you have them. | |
[Ben Laurie] | |
*) Correct caclulation of key length for export ciphers (too much space was | |
allocated for null ciphers). This has not been tested! | |
[Ben Laurie] | |
*) Modifications to the mkdef.pl for Win32 DEF file creation. The usage | |
message is now correct (it understands "crypto" and "ssl" on its | |
command line). There is also now an "update" option. This will update | |
the util/ssleay.num and util/libeay.num files with any new functions. | |
If you do a: | |
perl util/mkdef.pl crypto ssl update | |
it will update them. | |
*) Overhauled the Perl interface (perl/*): | |
- ported BN stuff to OpenSSL's different BN library | |
- made the perl/ source tree CVS-aware | |
- renamed the package from SSLeay to OpenSSL (the files still contain | |
their history because I've copied them in the repository) | |
- removed obsolete files (the test scripts will be replaced | |
by better Test::Harness variants in the future) | |
[Ralf S. Engelschall] | |
*) First cut for a very conservative source tree cleanup: | |
1. merge various obsolete readme texts into doc/ssleay.txt | |
where we collect the old documents and readme texts. | |
2. remove the first part of files where I'm already sure that we no | |
longer need them because of three reasons: either they are just temporary | |
files which were left by Eric or they are preserved original files where | |
I've verified that the diff is also available in the CVS via "cvs diff | |
-rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for | |
the crypto/md/ stuff). | |
[Ralf S. Engelschall] | |
*) More extension code. Incomplete support for subject and issuer alt | |
name, issuer and authority key id. Change the i2v function parameters | |
and add an extra 'crl' parameter in the X509V3_CTX structure: guess | |
what that's for :-) Fix to ASN1 macro which messed up | |
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED. | |
[Steve Henson] | |
*) Preliminary support for ENUMERATED type. This is largely copied from the | |
INTEGER code. | |
[Steve Henson] | |
*) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy. | |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] | |
*) Make sure `make rehash' target really finds the `openssl' program. | |
[Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>] | |
*) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd | |
like to hear about it if this slows down other processors. | |
[Ben Laurie] | |
*) Add CygWin32 platform information to Configure script. | |
[Alan Batie <batie@aahz.jf.intel.com>] | |
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm' | |
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>] | |
*) New program nseq to manipulate netscape certificate sequences | |
[Steve Henson] | |
*) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a | |
few typos. | |
[Steve Henson] | |
*) Fixes to BN code. Previously the default was to define BN_RECURSION | |
but the BN code had some problems that would cause failures when | |
doing certificate verification and some other functions. | |
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)] | |
*) Add ASN1 and PEM code to support netscape certificate sequences. | |
[Steve Henson] | |
*) Add ASN1 and PEM code to support netscape certificate sequences. | |
[Steve Henson] | |
*) Add several PKIX and private extended key usage OIDs. | |
[Steve Henson] | |
*) Modify the 'ca' program to handle the new extension code. Modify | |
openssl.cnf for new extension format, add comments. | |
[Steve Henson] | |
*) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' | |
and add a sample to openssl.cnf so req -x509 now adds appropriate | |
CA extensions. | |
[Steve Henson] | |
*) Continued X509 V3 changes. Add to other makefiles, integrate with the | |
error code, add initial support to X509_print() and x509 application. | |
[Steve Henson] | |
*) Takes a deep breath and start addding X509 V3 extension support code. Add | |
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this | |
stuff is currently isolated and isn't even compiled yet. | |
[Steve Henson] | |
*) Continuing patches for GeneralizedTime. Fix up certificate and CRL | |
ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print. | |
Removed the versions check from X509 routines when loading extensions: | |
this allows certain broken certificates that don't set the version | |
properly to be processed. | |
[Steve Henson] | |
*) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another | |
Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which | |
can still be regenerated with "make depend". | |
[Ben Laurie] | |
*) Spelling mistake in C version of CAST-128. | |
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>] | |
*) Changes to the error generation code. The perl script err-code.pl | |
now reads in the old error codes and retains the old numbers, only | |
adding new ones if necessary. It also only changes the .err files if new | |
codes are added. The makefiles have been modified to only insert errors | |
when needed (to avoid needlessly modifying header files). This is done | |
by only inserting errors if the .err file is newer than the auto generated | |
C file. To rebuild all the error codes from scratch (the old behaviour) | |
either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl | |
or delete all the .err files. | |
[Steve Henson] | |
*) CAST-128 was incorrectly implemented for short keys. The C version has | |
been fixed, but is untested. The assembler versions are also fixed, but | |
new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing | |
to regenerate it if needed. | |
[Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun | |
Hagino <itojun@kame.net>] | |
*) File was opened incorrectly in randfile.c. | |
[Ulf Möller <ulf@fitug.de>] | |
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print | |
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or | |
GeneralizedTime. ASN1_TIME is the proper type used in certificates et | |
al: it's just almost always a UTCTime. Note this patch adds new error | |
codes so do a "make errors" if there are problems. | |
[Steve Henson] | |
*) Correct Linux 1 recognition in config. | |
[Ulf Möller <ulf@fitug.de>] | |
*) Remove pointless MD5 hash when using DSA keys in ca. | |
[Anonymous <nobody@replay.com>] | |
*) Generate an error if given an empty string as a cert directory. Also | |
generate an error if handed NULL (previously returned 0 to indicate an | |
error, but didn't set one). | |
[Ben Laurie, reported by Anonymous <nobody@replay.com>] | |
*) Add prototypes to SSL methods. Make SSL_write's buffer const, at last. | |
[Ben Laurie] | |
*) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct | |
parameters. This was causing a warning which killed off the Win32 compile. | |
[Steve Henson] | |
*) Remove C++ style comments from crypto/bn/bn_local.h. | |
[Neil Costigan <neil.costigan@celocom.com>] | |
*) The function OBJ_txt2nid was broken. It was supposed to return a nid | |
based on a text string, looking up short and long names and finally | |
"dot" format. The "dot" format stuff didn't work. Added new function | |
OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote | |
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the | |
OID is not part of the table. | |
[Steve Henson] | |
*) Add prototypes to X509 lookup/verify methods, fixing a bug in | |
X509_LOOKUP_by_alias(). | |
[Ben Laurie] | |
*) Sort openssl functions by name. | |
[Ben Laurie] | |
*) Get the gendsa program working (hopefully) and add it to app list. Remove | |
encryption from sample DSA keys (in case anyone is interested the password | |
was "1234"). | |
[Steve Henson] | |
*) Make _all_ *_free functions accept a NULL pointer. | |
[Frans Heymans <fheymans@isaserver.be>] | |
*) If a DH key is generated in s3_srvr.c, don't blow it by trying to use | |
NULL pointers. | |
[Anonymous <nobody@replay.com>] | |
*) s_server should send the CAfile as acceptable CAs, not its own cert. | |
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] | |
*) Don't blow it for numeric -newkey arguments to apps/req. | |
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>] | |
*) Temp key "for export" tests were wrong in s3_srvr.c. | |
[Anonymous <nobody@replay.com>] | |
*) Add prototype for temp key callback functions | |
SSL_CTX_set_tmp_{rsa,dh}_callback(). | |
[Ben Laurie] | |
*) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and | |
DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey(). | |
[Steve Henson] | |
*) X509_name_add_entry() freed the wrong thing after an error. | |
[Arne Ansper <arne@ats.cyber.ee>] | |
*) rsa_eay.c would attempt to free a NULL context. | |
[Arne Ansper <arne@ats.cyber.ee>] | |
*) BIO_s_socket() had a broken should_retry() on Windoze. | |
[Arne Ansper <arne@ats.cyber.ee>] | |
*) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH. | |
[Arne Ansper <arne@ats.cyber.ee>] | |
*) Make sure the already existing X509_STORE->depth variable is initialized | |
in X509_STORE_new(), but document the fact that this variable is still | |
unused in the certificate verification process. | |
[Ralf S. Engelschall] | |
*) Fix the various library and apps files to free up pkeys obtained from | |
X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions. | |
[Steve Henson] | |
*) Fix reference counting in X509_PUBKEY_get(). This makes | |
demos/maurice/example2.c work, amongst others, probably. | |
[Steve Henson and Ben Laurie] | |
*) First cut of a cleanup for apps/. First the `ssleay' program is now named | |
`openssl' and second, the shortcut symlinks for the `openssl <command>' | |
are no longer created. This way we have a single and consistent command | |
line interface `openssl <command>', similar to `cvs <command>'. | |
[Ralf S. Engelschall, Paul Sutton and Ben Laurie] | |
*) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey | |
BIT STRING wrapper always have zero unused bits. | |
[Steve Henson] | |
*) Add CA.pl, perl version of CA.sh, add extended key usage OID. | |
[Steve Henson] | |
*) Make the top-level INSTALL documentation easier to understand. | |
[Paul Sutton] | |
*) Makefiles updated to exit if an error occurs in a sub-directory | |
make (including if user presses ^C) [Paul Sutton] | |
*) Make Montgomery context stuff explicit in RSA data structure. | |
[Ben Laurie] | |
*) Fix build order of pem and err to allow for generated pem.h. | |
[Ben Laurie] | |
*) Fix renumbering bug in X509_NAME_delete_entry(). | |
[Ben Laurie] | |
*) Enhanced the err-ins.pl script so it makes the error library number | |
global and can add a library name. This is needed for external ASN1 and | |
other error libraries. | |
[Steve Henson] | |
*) Fixed sk_insert which never worked properly. | |
[Steve Henson] | |
*) Fix ASN1 macros so they can handle indefinite length construted | |
EXPLICIT tags. Some non standard certificates use these: they can now | |
be read in. | |
[Steve Henson] | |
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc) | |
into a single doc/ssleay.txt bundle. This way the information is still | |
preserved but no longer messes up this directory. Now it's new room for | |
the new set of documenation files. | |
[Ralf S. Engelschall] | |
*) SETs were incorrectly DER encoded. This was a major pain, because they | |
shared code with SEQUENCEs, which aren't coded the same. This means that | |
almost everything to do with SETs or SEQUENCEs has either changed name or | |
number of arguments. | |
[Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>] | |
*) Fix test data to work with the above. | |
[Ben Laurie] | |
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but | |
was already fixed by Eric for 0.9.1 it seems. | |
[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>] | |
*) Autodetect FreeBSD3. | |
[Ben Laurie] | |
*) Fix various bugs in Configure. This affects the following platforms: | |
nextstep | |
ncr-scde | |
unixware-2.0 | |
unixware-2.0-pentium | |
sco5-cc. | |
[Ben Laurie] | |
*) Eliminate generated files from CVS. Reorder tests to regenerate files | |
before they are needed. | |
[Ben Laurie] | |
*) Generate Makefile.ssl from Makefile.org (to keep CVS happy). | |
[Ben Laurie] | |
Changes between 0.9.1b and 0.9.1c | |
*) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and | |
changed SSLeay to OpenSSL in version strings. | |
[Ralf S. Engelschall] | |
*) Some fixups to the top-level documents. | |
[Paul Sutton] | |
*) Fixed the nasty bug where rsaref.h was not found under compile-time | |
because the symlink to include/ was missing. | |
[Ralf S. Engelschall] | |
*) Incorporated the popular no-RSA/DSA-only patches | |
which allow to compile a RSA-free SSLeay. | |
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall] | |
*) Fixed nasty rehash problem under `make -f Makefile.ssl links' | |
when "ssleay" is still not found. | |
[Ralf S. Engelschall] | |
*) Added more platforms to Configure: Cray T3E, HPUX 11, | |
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>] | |
*) Updated the README file. | |
[Ralf S. Engelschall] | |
*) Added various .cvsignore files in the CVS repository subdirs | |
to make a "cvs update" really silent. | |
[Ralf S. Engelschall] | |
*) Recompiled the error-definition header files and added | |
missing symbols to the Win32 linker tables. | |
[Ralf S. Engelschall] | |
*) Cleaned up the top-level documents; | |
o new files: CHANGES and LICENSE | |
o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay | |
o merged COPYRIGHT into LICENSE | |
o removed obsolete TODO file | |
o renamed MICROSOFT to INSTALL.W32 | |
[Ralf S. Engelschall] | |
*) Removed dummy files from the 0.9.1b source tree: | |
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi | |
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f | |
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f | |
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f | |
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f | |
[Ralf S. Engelschall] | |
*) Added various platform portability fixes. | |
[Mark J. Cox] | |
*) The Genesis of the OpenSSL rpject: | |
We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A. | |
Young and Tim J. Hudson created while they were working for C2Net until | |
summer 1998. | |
[The OpenSSL Project] | |
Changes between 0.9.0b and 0.9.1b | |
*) Updated a few CA certificates under certs/ | |
[Eric A. Young] | |
*) Changed some BIGNUM api stuff. | |
[Eric A. Young] | |
*) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD, | |
DGUX x86, Linux Alpha, etc. | |
[Eric A. Young] | |
*) New COMP library [crypto/comp/] for SSL Record Layer Compression: | |
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is | |
available). | |
[Eric A. Young] | |
*) Add -strparse option to asn1pars program which parses nested | |
binary structures | |
[Dr Stephen Henson <shenson@bigfoot.com>] | |
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs. | |
[Eric A. Young] | |
*) DSA fix for "ca" program. | |
[Eric A. Young] | |
*) Added "-genkey" option to "dsaparam" program. | |
[Eric A. Young] | |
*) Added RIPE MD160 (rmd160) message digest. | |
[Eric A. Young] | |
*) Added -a (all) option to "ssleay version" command. | |
[Eric A. Young] | |
*) Added PLATFORM define which is the id given to Configure. | |
[Eric A. Young] | |
*) Added MemCheck_XXXX functions to crypto/mem.c for memory checking. | |
[Eric A. Young] | |
*) Extended the ASN.1 parser routines. | |
[Eric A. Young] | |
*) Extended BIO routines to support REUSEADDR, seek, tell, etc. | |
[Eric A. Young] | |
*) Added a BN_CTX to the BN library. | |
[Eric A. Young] | |
*) Fixed the weak key values in DES library | |
[Eric A. Young] | |
*) Changed API in EVP library for cipher aliases. | |
[Eric A. Young] | |
*) Added support for RC2/64bit cipher. | |
[Eric A. Young] | |
*) Converted the lhash library to the crypto/mem.c functions. | |
[Eric A. Young] | |
*) Added more recognized ASN.1 object ids. | |
[Eric A. Young] | |
*) Added more RSA padding checks for SSL/TLS. | |
[Eric A. Young] | |
*) Added BIO proxy/filter functionality. | |
[Eric A. Young] | |
*) Added extra_certs to SSL_CTX which can be used | |
send extra CA certificates to the client in the CA cert chain sending | |
process. It can be configured with SSL_CTX_add_extra_chain_cert(). | |
[Eric A. Young] | |
*) Now Fortezza is denied in the authentication phase because | |
this is key exchange mechanism is not supported by SSLeay at all. | |
[Eric A. Young] | |
*) Additional PKCS1 checks. | |
[Eric A. Young] | |
*) Support the string "TLSv1" for all TLS v1 ciphers. | |
[Eric A. Young] | |
*) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the | |
ex_data index of the SSL context in the X509_STORE_CTX ex_data. | |
[Eric A. Young] | |
*) Fixed a few memory leaks. | |
[Eric A. Young] | |
*) Fixed various code and comment typos. | |
[Eric A. Young] | |
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0 | |
bytes sent in the client random. | |
[Edward Bishop <ebishop@spyglass.com>] | |