generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

ispell

Browse Source
This commit is contained in:
Ulf Möller 2001-09-07 06:39:38 +00:00
parent 3b80e3aa9e
commit e3fefbfd56
2 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
CHANGES
View File

@ -5,7 +5,7 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2001] Changes between 0.9.6 and 0.9.7 [xx XXX 2001]
OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001) OpenSSL 0.9.6a/0.9.6b (bugfix releases, 5 Apr 2001 and 9 July 2001)
and OpenSSL 0.9.7 were developped in parallel, based on OpenSSL 0.9.6. and OpenSSL 0.9.7 were developed in parallel, based on OpenSSL 0.9.6.
Change log entries are tagged as follows: Change log entries are tagged as follows:
-) applies to 0.9.6a/0.9.6b/0.9.6c only -) applies to 0.9.6a/0.9.6b/0.9.6c only
@ -20,7 +20,7 @@
'wristwatch attack' using huge encoding parameters (cf. 'wristwatch attack' using huge encoding parameters (cf.
James H. Manger's CRYPTO 2001 paper). Note that the James H. Manger's CRYPTO 2001 paper). Note that the
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
encoding paramters and hence was not vulnerable. encoding parameters and hence was not vulnerable.
[Bodo Moeller] [Bodo Moeller]
+) Add a "destroy" handler to ENGINEs that allows structural cleanup to +) Add a "destroy" handler to ENGINEs that allows structural cleanup to
@ -60,14 +60,14 @@
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>] [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
requivalent based on BN_pseudo_rand() instead of BN_rand(). equivalent based on BN_pseudo_rand() instead of BN_rand().
[Bodo Moeller] [Bodo Moeller]
+) Add a copy() function to EVP_MD. +) Add a copy() function to EVP_MD.
[Ben Laurie] [Ben Laurie]
+) Make EVP_MD routines take a context pointer instead of just the +) Make EVP_MD routines take a context pointer instead of just the
md_data voud pointer. md_data void pointer.
[Ben Laurie] [Ben Laurie]
+) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates +) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
@ -149,7 +149,7 @@
The configuration part makes use of modern compiler features and The configuration part makes use of modern compiler features and
still retains old compiler behavior for those that run older versions still retains old compiler behavior for those that run older versions
of the OS. The shared library support part includes a variant that of the OS. The shared library support part includes a variant that
uses the RPATH feature, and is available through the speciel uses the RPATH feature, and is available through the special
configuration target "alpha-cc-rpath", which will never be selected configuration target "alpha-cc-rpath", which will never be selected
automatically. automatically.
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte] [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
@ -200,7 +200,7 @@
[Steve Henson] [Steve Henson]
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
explicitely to NULL, as at least on Solaris 8 this seems not always to be explicitly to NULL, as at least on Solaris 8 this seems not always to be
done automatically (in contradiction to the requirements of the C done automatically (in contradiction to the requirements of the C
standard). This made problems when used from OpenSSH. standard). This made problems when used from OpenSSH.
[Lutz Jaenicke] [Lutz Jaenicke]
@ -355,7 +355,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Bodo Moeller] [Bodo Moeller]
+) Enhance the general user interface with mechanisms for inner control +) Enhance the general user interface with mechanisms for inner control
and with pssibilities to have yes/no kind of prompts. and with possibilities to have yes/no kind of prompts.
[Richard Levitte] [Richard Levitte]
+) Change all calls to low level digest routines in the library and +) Change all calls to low level digest routines in the library and
@ -368,14 +368,14 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Change the key loaders to take a UI_METHOD instead of a callback Change the key loaders to take a UI_METHOD instead of a callback
function pointer. NOTE: this breaks binary compatibility with earlier function pointer. NOTE: this breaks binary compatibility with earlier
versions of OpenSSL [engine]. versions of OpenSSL [engine].
Addapt the nCipher code for these new conditions and add a card insertion Adapt the nCipher code for these new conditions and add a card insertion
callback. callback.
[Richard Levitte] [Richard Levitte]
+) Enhance the general user interface with mechanisms to better support +) Enhance the general user interface with mechanisms to better support
dialog box interfaces, application-defined prompts, the possibility dialog box interfaces, application-defined prompts, the possibility
to use defaults (for example default passwords from somewhere else) to use defaults (for example default passwords from somewhere else)
and interrupts/cancelations. and interrupts/cancellations.
[Richard Levitte] [Richard Levitte]
*) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
@ -395,7 +395,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Ulf Möller, Bodo Möller] [Ulf Möller, Bodo Möller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
when fixing the server behaviour for backwards-compatible 'client when fixing the server behaviour for backwards-compatible 'client
hello' messages. (Note that the attack is impractical against hello' messages. (Note that the attack is impractical against
SSL 3.0 and TLS 1.0 anyway because length and version checking SSL 3.0 and TLS 1.0 anyway because length and version checking
@ -416,7 +416,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Bodo Moeller] [Bodo Moeller]
+) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
tidy up some unecessarily weird code in 'sk_new()'). tidy up some unnecessarily weird code in 'sk_new()').
[Geoff, reported by Diego Tartara <dtartara@novamens.com>] [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
+) Change the key loading routines for ENGINEs to use the same kind +) Change the key loading routines for ENGINEs to use the same kind
@ -446,7 +446,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
const ASN1_ITEM *it = &ASN1_INTEGER_it; const ASN1_ITEM *it = &ASN1_INTEGER_it;
wont compile. This is used by the any applications that need to wont compile. This is used by the any applications that need to
delcare their own ASN1 modules. This was fixed by adding the option declare their own ASN1 modules. This was fixed by adding the option
EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
needed for static libraries under Win32. needed for static libraries under Win32.
[Steve Henson] [Steve Henson]
@ -584,7 +584,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
missing functions (including a catch-all ENGINE_cpy that duplicates missing functions (including a catch-all ENGINE_cpy that duplicates
all ENGINE values onto a new ENGINE except reference counts/state). all ENGINE values onto a new ENGINE except reference counts/state).
- Removed NULL parameter checks in get/set functions. Setting a method - Removed NULL parameter checks in get/set functions. Setting a method
or function to NULL is a way of cancelling out a previously set or function to NULL is a way of canceling out a previously set
value. Passing a NULL ENGINE parameter is just plain stupid anyway value. Passing a NULL ENGINE parameter is just plain stupid anyway
and doesn't justify the extra error symbols and code. and doesn't justify the extra error symbols and code.
- Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
@ -602,12 +602,12 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
combination of a flag and a thread ID variable. combination of a flag and a thread ID variable.
Otherwise while one thread is in ssleay_rand_bytes (which sets the Otherwise while one thread is in ssleay_rand_bytes (which sets the
flag), *other* threads can enter ssleay_add_bytes without obeying flag), *other* threads can enter ssleay_add_bytes without obeying
the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
that they do not hold after the first thread unsets add_do_not_lock). that they do not hold after the first thread unsets add_do_not_lock).
[Bodo Moeller] [Bodo Moeller]
+) Implement binary inversion algorithm for BN_mod_inverse in addition +) Implement binary inversion algorithm for BN_mod_inverse in addition
to the algorithm using long divison. The binary algorithm can be to the algorithm using long division. The binary algorithm can be
used only if the modulus is odd. On 32-bit systems, it is faster used only if the modulus is odd. On 32-bit systems, it is faster
only for relatively small moduli (roughly 20-30% for 128-bit moduli, only for relatively small moduli (roughly 20-30% for 128-bit moduli,
roughly 5-15% for 256-bit moduli), so we use it only for moduli roughly 5-15% for 256-bit moduli), so we use it only for moduli
@ -820,10 +820,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
#define bar OPENSSL_GLOBAL_REF(bar) #define bar OPENSSL_GLOBAL_REF(bar)
The #defines are very important, and therefore so is including the The #defines are very important, and therefore so is including the
header file everywere where the defined globals are used. header file everywhere where the defined globals are used.
The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
of ASN.1 items, but that structure is a bt different. of ASN.1 items, but that structure is a bit different.
The largest change is in util/mkdef.pl which has been enhanced with The largest change is in util/mkdef.pl which has been enhanced with
better and easier to understand logic to choose which symbols should better and easier to understand logic to choose which symbols should
@ -852,7 +852,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
responses. OCSP responses are prepared in real time and may only responses. OCSP responses are prepared in real time and may only
be a few seconds old. Simply checking that the current time lies be a few seconds old. Simply checking that the current time lies
between thisUpdate and nextUpdate max reject otherwise valid responses between thisUpdate and nextUpdate max reject otherwise valid responses
caused by either OCSP responder or client clock innacuracy. Instead caused by either OCSP responder or client clock inaccuracy. Instead
we allow thisUpdate and nextUpdate to fall within a certain period of we allow thisUpdate and nextUpdate to fall within a certain period of
the current time. The age of the response can also optionally be the current time. The age of the response can also optionally be
checked. Two new options -validity_period and -status_age added to checked. Two new options -validity_period and -status_age added to
@ -860,7 +860,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Steve Henson] [Steve Henson]
+) If signature or public key algorithm is unrecognized print out its +) If signature or public key algorithm is unrecognized print out its
OID rather that just UNKOWN. OID rather that just UNKNOWN.
[Steve Henson] [Steve Henson]
*) Avoid coredump with unsupported or invalid public keys by checking if *) Avoid coredump with unsupported or invalid public keys by checking if
@ -895,7 +895,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
to use such a feature) has been added to "s_server". to use such a feature) has been added to "s_server".
[Geoff Thorpe, Lutz Jaenicke] [Geoff Thorpe, Lutz Jaenicke]
+) Modify mkdef.pl to recognise and parse prprocessor conditionals +) Modify mkdef.pl to recognise and parse preprocessor conditionals
of the form '#if defined(...) || defined(...) || ...' and of the form '#if defined(...) || defined(...) || ...' and
'#if !defined(...) && !defined(...) && ...'. This also avoids '#if !defined(...) && !defined(...) && ...'. This also avoids
the growing number of special cases it was previously handling. the growing number of special cases it was previously handling.
@ -1049,7 +1049,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
extract information from a certificate request. OCSP_response_create() extract information from a certificate request. OCSP_response_create()
creates a response and optionally adds a basic response structure. creates a response and optionally adds a basic response structure.
OCSP_basic_add1_status() adds a complete single response to a basic OCSP_basic_add1_status() adds a complete single response to a basic
reponse and returns the OCSP_SINGLERESP structure just added (to allow response and returns the OCSP_SINGLERESP structure just added (to allow
extensions to be included for example). OCSP_basic_add1_cert() adds a extensions to be included for example). OCSP_basic_add1_cert() adds a
certificate to a basic response and OCSP_basic_sign() signs a basic certificate to a basic response and OCSP_basic_sign() signs a basic
response with various flags. New helper functions ASN1_TIME_check() response with various flags. New helper functions ASN1_TIME_check()
@ -1059,7 +1059,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
+) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}() +) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
structure from a certificate. X509_pubkey_digest() digests tha public_key structure from a certificate. X509_pubkey_digest() digests the public_key
contents: this is used in various key identifiers. contents: this is used in various key identifiers.
[Steve Henson] [Steve Henson]
@ -1079,7 +1079,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
+) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates +) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
passed by the function are trusted implicitly. If any of them signed the passed by the function are trusted implicitly. If any of them signed the
reponse then it is assumed to be valid and is not verified. response then it is assumed to be valid and is not verified.
[Steve Henson] [Steve Henson]
-) Make the CRL encoding routines work with empty SEQUENCE OF. The -) Make the CRL encoding routines work with empty SEQUENCE OF. The

6
FAQ
View File

@ -153,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL. their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitely that useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that "This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder GPL software developed by others, you may want to ask the copyright holder
@ -304,7 +304,7 @@ there is little point presenting a certificate which the server will
reject. reject.
The solution is to add the relevant CA certificate to your servers "trusted The solution is to add the relevant CA certificate to your servers "trusted
CA list". How you do this depends on the server sofware in uses. You can CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool: print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit openssl s_client -connect www.some.host:443 -prexit
@ -558,7 +558,7 @@ SSL_write() will try to continue any pending handshake.
* Why doesn't my server application receive a client certificate? * Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate, Due to the TLS protocol definition, a client will only send a certificate,
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates. SSL_CTX_set_verify() function to enable the use of client certificates.