| 16-Mar-98 |
| - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU> |
| - Lots and lots of changes |
| |
| 29-Jan-98 |
| - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from |
| Goetz Babin-Ebell <babinebell@trustcenter.de>. |
| - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or |
| TLS1_VERSION. |
| |
| 7-Jan-98 |
| - Finally reworked the cipher string to ciphers again, so it |
| works correctly |
| - All the app_data stuff is now ex_data with funcion calls to access. |
| The index is supplied by a function and 'methods' can be setup |
| for the types that are called on XXX_new/XXX_free. This lets |
| applications get notified on creation and destruction. Some of |
| the RSA methods could be implemented this way and I may do so. |
| - Oh yes, SSL under perl5 is working at the basic level. |
| |
| 15-Dec-97 |
| - Warning - the gethostbyname cache is not fully thread safe, |
| but it should work well enough. |
| - Major internal reworking of the app_data stuff. More functions |
| but if you were accessing ->app_data directly, things will |
| stop working. |
| - The perlv5 stuff is working. Currently on message digests, |
| ciphers and the bignum library. |
| |
| 9-Dec-97 |
| - Modified re-negotiation so that server initated re-neg |
| will cause a SSL_read() to return -1 should retry. |
| The danger otherwise was that the server and the |
| client could end up both trying to read when using non-blocking |
| sockets. |
| |
| 4-Dec-97 |
| - Lots of small changes |
| - Fix for binaray mode in Windows for the FILE BIO, thanks to |
| Bob Denny <rdenny@dc3.com> |
| |
| 17-Nov-97 |
| - Quite a few internal cleanups, (removal of errno, and using macros |
| defined in e_os.h). |
| - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where |
| the automactic naming out output files was being stuffed up. |
| |
| 29-Oct-97 |
| - The Cast5 cipher has been added. MD5 and SHA-1 are now in assember |
| for x86. |
| |
| 21-Oct-97 |
| - Fixed a bug in the BIO_gethostbyname() cache. |
| |
| 15-Oct-97 |
| - cbc mode for blowfish/des/3des is now in assember. Blowfish asm |
| has also been improved. At this point in time, on the pentium, |
| md5 is %80 faster, the unoptimesed sha-1 is %79 faster, |
| des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc |
| is %62 faster. |
| |
| 12-Oct-97 |
| - MEM_BUF_grow() has been fixed so that it always sets the buf->length |
| to the value we are 'growing' to. Think of MEM_BUF_grow() as the |
| way to set the length value correctly. |
| |
| 10-Oct-97 |
| - I now hash for certificate lookup on the raw DER encoded RDN (md5). |
| This breaks things again :-(. This is efficent since I cache |
| the DER encoding of the RDN. |
| - The text DN now puts in the numeric OID instead of UNKNOWN. |
| - req can now process arbitary OIDs in the config file. |
| - I've been implementing md5 in x86 asm, much faster :-). |
| - Started sha1 in x86 asm, needs more work. |
| - Quite a few speedups in the BN stuff. RSA public operation |
| has been made faster by caching the BN_MONT_CTX structure. |
| The calulating of the Ai where A*Ai === 1 mod m was rather |
| expensive. Basically a 40-50% speedup on public operations. |
| The RSA speedup is now 15% on pentiums and %20 on pentium |
| pro. |
| |
| 30-Sep-97 |
| - After doing some profiling, I added x86 adm for bn_add_words(), |
| which just adds 2 arrays of longs together. A %10 speedup |
| for 512 and 1024 bit RSA on the pentium pro. |
| |
| 29-Sep-97 |
| - Converted the x86 bignum assembler to us the perl scripts |
| for generation. |
| |
| 23-Sep-97 |
| - If SSL_set_session() is passed a NULL session, it now clears the |
| current session-id. |
| |
| 22-Sep-97 |
| - Added a '-ss_cert file' to apps/ca.c. This will sign selfsigned |
| certificates. |
| - Bug in crypto/evp/encode.c where by decoding of 65 base64 |
| encoded lines, one line at a time (via a memory BIO) would report |
| EOF after the first line was decoded. |
| - Fix in X509_find_by_issuer_and_serial() from |
| Dr Stephen Henson <shenson@bigfoot.com> |
| |
| 19-Sep-97 |
| - NO_FP_API and NO_STDIO added. |
| - Put in sh config command. It auto runs Configure with the correct |
| parameters. |
| |
| 18-Sep-97 |
| - Fix x509.c so if a DSA cert has different parameters to its parent, |
| they are left in place. Not tested yet. |
| |
| 16-Sep-97 |
| - ssl_create_cipher_list() had some bugs, fixes from |
| Patrick Eisenacher <eisenach@stud.uni-frankfurt.de> |
| - Fixed a bug in the Base64 BIO, where it would return 1 instead |
| of -1 when end of input was encountered but should retry. |
| Basically a Base64/Memory BIO interaction problem. |
| - Added a HMAC set of functions in preporarion for TLS work. |
| |
| 15-Sep-97 |
| - Top level makefile tweak - Cameron Simpson <cs@zip.com.au> |
| - Prime generation spead up %25 (512 bit prime, pentium pro linux) |
| by using montgomery multiplication in the prime number test. |
| |
| 11-Sep-97 |
| - Ugly bug in ssl3_write_bytes(). Basically if application land |
| does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code |
| did not check the size and tried to copy the entire buffer. |
| This would tend to cause memory overwrites since SSLv3 has |
| a maximum packet size of 16k. If your program uses |
| buffers <= 16k, you would probably never see this problem. |
| - Fixed a new errors that were cause by malloc() not returning |
| 0 initialised memory.. |
| - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using |
| SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing |
| since this flags stops SSLeay being able to handle client |
| cert requests correctly. |
| |
| 08-Sep-97 |
| - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched |
| on, the SSL server routines will not use a SSL_SESSION that is |
| held in it's cache. This in intended to be used with the session-id |
| callbacks so that while the session-ids are still stored in the |
| cache, the decision to use them and how to look them up can be |
| done by the callbacks. The are the 'new', 'get' and 'remove' |
| callbacks. This can be used to determine the session-id |
| to use depending on information like which port/host the connection |
| is coming from. Since the are also SSL_SESSION_set_app_data() and |
| SSL_SESSION_get_app_data() functions, the application can hold |
| information against the session-id as well. |
| |
| 03-Sep-97 |
| - Added lookup of CRLs to the by_dir method, |
| X509_load_crl_file() also added. Basically it means you can |
| lookup CRLs via the same system used to lookup certificates. |
| - Changed things so that the X509_NAME structure can contain |
| ASN.1 BIT_STRINGS which is required for the unique |
| identifier OID. |
| - Fixed some problems with the auto flushing of the session-id |
| cache. It was not occuring on the server side. |
| |
| 02-Sep-97 |
| - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size) |
| which is the maximum number of entries allowed in the |
| session-id cache. This is enforced with a simple FIFO list. |
| The default size is 20*1024 entries which is rather large :-). |
| The Timeout code is still always operating. |
| |
| 01-Sep-97 |
| - Added an argument to all the 'generate private key/prime` |
| callbacks. It is the last parameter so this should not |
| break existing code but it is needed for C++. |
| - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64() |
| BIO. This lets the BIO read and write base64 encoded data |
| without inserting or looking for '\n' characters. The '-A' |
| flag turns this on when using apps/enc.c. |
| - RSA_NO_PADDING added to help BSAFE functionality. This is a |
| very dangerous thing to use, since RSA private key |
| operations without random padding bytes (as PKCS#1 adds) can |
| be attacked such that the private key can be revealed. |
| - ASN.1 bug and rc2-40-cbc and rc4-40 added by |
| Dr Stephen Henson <shenson@bigfoot.com> |
| |
| 31-Aug-97 (stuff added while I was away) |
| - Linux pthreads by Tim Hudson (tjh@cryptsoft.com). |
| - RSA_flags() added allowing bypass of pub/priv match check |
| in ssl/ssl_rsa.c - Tim Hudson. |
| - A few minor bugs. |
| |
| SSLeay 0.8.1 released. |
| |
| 19-Jul-97 |
| - Server side initated dynamic renegotiation is broken. I will fix |
| it when I get back from holidays. |
| |
| 15-Jul-97 |
| - Quite a few small changes. |
| - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk> |
| |
| 09-Jul-97 |
| - Added 2 new values to the SSL info callback. |
| SSL_CB_START which is passed when the SSL protocol is started |
| and SSL_CB_DONE when it has finished sucsessfully. |
| |
| 08-Jul-97 |
| - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c |
| that related to DSA public/private keys. |
| - Added all the relevent PEM and normal IO functions to support |
| reading and writing RSAPublic keys. |
| - Changed makefiles to use ${AR} instead of 'ar r' |
| |
| 07-Jul-97 |
| - Error in ERR_remove_state() that would leave a dangling reference |
| to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk> |
| - s_client now prints the X509_NAMEs passed from the server |
| when requesting a client cert. |
| - Added a ssl->type, which is one of SSL_ST_CONNECT or |
| SSL_ST_ACCEPT. I had to add it so I could tell if I was |
| a connect or an accept after the handshake had finished. |
| - SSL_get_client_CA_list(SSL *s) now returns the CA names |
| passed by the server if called by a client side SSL. |
| |
| 05-Jul-97 |
| - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index |
| 0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com). |
| |
| 04-Jul-97 |
| - Fixed some things in X509_NAME_add_entry(), thanks to |
| Matthew Donald <matthew@world.net>. |
| - I had a look at the cipher section and though that it was a |
| bit confused, so I've changed it. |
| - I was not setting up the RC4-64-MD5 cipher correctly. It is |
| a MS special that appears in exported MS Money. |
| - Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3 |
| spec. I was missing the two byte length header for the |
| ClientDiffieHellmanPublic value. This is a packet sent from |
| the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
| option will enable SSLeay server side SSLv3 accept either |
| the correct or my 080 packet format. |
| - Fixed a few typos in crypto/pem.org. |
| |
| 02-Jul-97 |
| - Alias mapping for EVP_get_(digest|cipher)byname is now |
| performed before a lookup for actual cipher. This means |
| that an alias can be used to 're-direct' a cipher or a |
| digest. |
| - ASN1_read_bio() had a bug that only showed up when using a |
| memory BIO. When EOF is reached in the memory BIO, it is |
| reported as a -1 with BIO_should_retry() set to true. |
| |
| 01-Jul-97 |
| - Fixed an error in X509_verify_cert() caused by my |
| miss-understanding how 'do { contine } while(0);' works. |
| Thanks to Emil Sit <sit@mit.edu> for educating me :-) |
| |
| 30-Jun-97 |
| - Base64 decoding error. If the last data line did not end with |
| a '=', sometimes extra data would be returned. |
| - Another 'cut and paste' bug in x509.c related to setting up the |
| STDout BIO. |
| |
| 27-Jun-97 |
| - apps/ciphers.c was not printing due to an editing error. |
| - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for |
| a library build error in util/mk1mf.pl |
| |
| 26-Jun-97 |
| - Still did not have the auto 'experimental' code removal |
| script correct. |
| - A few header tweaks for Watcom 11.0 under Win32 from |
| Rolf Lindemann <Lindemann@maz-hh.de> |
| - 0 length OCTET_STRING bug in asn1_parse |
| - A minor fix with an non-existent function in the MS .def files. |
| - A few changes to the PKCS7 stuff. |
| |
| 25-Jun-97 |
| SSLeay 0.8.0 finally it gets released. |
| |
| 24-Jun-97 |
| Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to |
| use a temporary RSA key. This is experimental and needs some more work. |
| Fixed a few Win16 build problems. |
| |
| 23-Jun-97 |
| SSLv3 bug. I was not doing the 'lookup' of the CERT structure |
| correctly. I was taking the SSL->ctx->default_cert when I should |
| have been using SSL->cert. The bug was in ssl/s3_srvr.c |
| |
| 20-Jun-97 |
| X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the |
| rest of the library. Even though I had the code required to do |
| it correctly, apps/req.c was doing the wrong thing. I have fixed |
| and tested everything. |
| |
| Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c. |
| |
| 19-Jun-97 |
| Fixed a bug in the SSLv2 server side first packet handling. When |
| using the non-blocking test BIO, the ssl->s2->first_packet flag |
| was being reset when a would-block failure occurred when reading |
| the first 5 bytes of the first packet. This caused the checking |
| logic to run at the wrong time and cause an error. |
| |
| Fixed a problem with specifying cipher. If RC4-MD5 were used, |
| only the SSLv3 version would be picked up. Now this will pick |
| up both SSLv2 and SSLv3 versions. This required changing the |
| SSL_CIPHER->mask values so that they only mask the ciphers, |
| digests, authentication, export type and key-exchange algorithms. |
| |
| I found that when a SSLv23 session is established, a reused |
| session, of type SSLv3 was attempting to write the SSLv2 |
| ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char |
| method has been modified so it will only write out cipher which |
| that method knows about. |
| |
