16-Mar-98
    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
    - Lots and lots of changes

29-Jan-98
    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
      Goetz Babin-Ebell <babinebell@trustcenter.de>.
    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
      TLS1_VERSION.

7-Jan-98
    - Finally reworked the cipher string to ciphers again, so it
      works correctly.
    - All the app_data stuff is now ex_data with function calls to access.
      The index is supplied by a function and 'methods' can be set up
      for the types that are called on XXX_new/XXX_free. This lets
      applications get notified on creation and destruction. Some of
      the RSA methods could be implemented this way and I may do so.
    - Oh yes, SSL under perl5 is working at the basic level.

15-Dec-97
    - Warning - the gethostbyname cache is not fully thread safe,
      but it should work well enough.
    - Major internal reworking of the app_data stuff. More functions
      but if you were accessing ->app_data directly, things will
      stop working.
    - The perlv5 stuff is working. Currently on message digests,
      ciphers and the bignum library.

9-Dec-97
    - Modified re-negotiation so that server initiated re-neg
      will cause a SSL_read() to return -1 (should retry).
      The danger otherwise was that the server and the
      client could end up both trying to read when using non-blocking
      sockets.

4-Dec-97
    - Lots of small changes
    - Fix for binary mode in Windows for the FILE BIO, thanks to
      Bob Denny <rdenny@dc3.com>

17-Nov-97
    - Quite a few internal cleanups (removal of errno, and using macros
      defined in e_os.h).
    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
      the automatic naming of output files was being stuffed up.

29-Oct-97
    - The Cast5 cipher has been added. MD5 and SHA-1 are now in assembler
      for x86.

21-Oct-97
    - Fixed a bug in the BIO_gethostbyname() cache.

15-Oct-97
    - cbc mode for blowfish/des/3des is now in assembler. Blowfish asm
      has also been improved. At this point in time, on the pentium,
      md5 is 80% faster, the unoptimised sha-1 is 79% faster,
      des-cbc is 28% faster, des-ede3-cbc is 9% faster and blowfish-cbc
      is 62% faster.

12-Oct-97
    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
      to the value we are 'growing' to. Think of MEM_BUF_grow() as the
      way to set the length value correctly.

10-Oct-97
    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
      This breaks things again :-(. This is efficient since I cache
      the DER encoding of the RDN.
    - The text DN now puts in the numeric OID instead of UNKNOWN.
    - req can now process arbitrary OIDs in the config file.
    - I've been implementing md5 in x86 asm, much faster :-).
    - Started sha1 in x86 asm, needs more work.
    - Quite a few speedups in the BN stuff. RSA public operation
      has been made faster by caching the BN_MONT_CTX structure.
      The calculating of the Ai where A*Ai === 1 mod m was rather
      expensive. Basically a 40-50% speedup on public operations.
      The RSA speedup is now 15% on pentiums and 20% on pentium
      pro.

30-Sep-97
    - After doing some profiling, I added x86 asm for bn_add_words(),
      which just adds 2 arrays of longs together. A 10% speedup
      for 512 and 1024 bit RSA on the pentium pro.

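Added example, not SSLeay's own code: a portable C version of what the bn_add_words() entry above describes, adding two arrays of machine words and propagating the carry. SSLeay did this in x86 assembler so the carry flag is free; in plain C the carry has to be recovered by comparing the wrapped sum against an operand, which is the part worth seeing. The names bn_word, bn_add_words_portable and bn_add_full are hypothetical, and the inputs in the self-test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint64_t bn_word;   /* hypothetical word type: one "long" of the bignum */

/* r[i] = a[i] + b[i] + carry-in for i in [0, n), little-endian word order.
 * Returns the carry out of the top word. Wrap-around is detected by
 * comparison: an unsigned sum that came out smaller than an operand overflowed. */
bn_word bn_add_words_portable(bn_word *r, const bn_word *a,
                              const bn_word *b, size_t n) {
    bn_word carry = 0;
    for (size_t i = 0; i < n; i++) {
        bn_word t = a[i] + b[i];
        bn_word c1 = (t < a[i]);       /* a + b wrapped past 2^64 */
        t += carry;
        bn_word c2 = (t < carry);      /* adding the carry-in wrapped (only possible when c1 == 0) */
        r[i] = t;
        carry = c1 | c2;
    }
    return carry;
}

/* Add two n-word numbers into an (n+1)-word result so the final carry is kept. */
void bn_add_full(bn_word *r, const bn_word *a, const bn_word *b, size_t n) {
    r[n] = bn_add_words_portable(r, a, b, n);
}

/* Self-check on constructed inputs; returns 1 when every case comes out right. */
int bn_add_words_selftest(void) {
    bn_word r[3];

    /* (2^128 - 1) + 1 == 2^128: both words wrap and the final carry is 1 */
    const bn_word a[2] = {UINT64_MAX, UINT64_MAX};
    const bn_word b[2] = {1, 0};
    bn_add_full(r, a, b, 2);
    if (r[0] != 0 || r[1] != 0 || r[2] != 1) return 0;

    /* carry out of word 0 propagates into word 1 without a further wrap */
    const bn_word c[2] = {UINT64_MAX, UINT64_MAX - 1};
    const bn_word d[2] = {1, 0};
    bn_add_full(r, c, d, 2);
    if (r[0] != 0 || r[1] != UINT64_MAX || r[2] != 0) return 0;

    /* plain case, no carries at all */
    const bn_word e[2] = {5, 7};
    const bn_word f[2] = {11, 13};
    bn_add_full(r, e, f, 2);
    return r[0] == 16 && r[1] == 20 && r[2] == 0;
}

int main(void) {
    printf("bn_add_words self-test: %s\n", bn_add_words_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The two comparisons cannot both be true at once: if a[i] + b[i] wrapped, the wrapped value is at most 2^64 - 2, so adding a carry of 1 cannot wrap again, which is why a plain OR is enough.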
29-Sep-97
    - Converted the x86 bignum assembler to use the perl scripts
      for generation.

23-Sep-97
    - If SSL_set_session() is passed a NULL session, it now clears the
      current session-id.

22-Sep-97
    - Added a '-ss_cert file' to apps/ca.c. This will sign self-signed
      certificates.
    - Bug in crypto/evp/encode.c whereby decoding of 65 base64
      encoded lines, one line at a time (via a memory BIO) would report
      EOF after the first line was decoded.
    - Fix in X509_find_by_issuer_and_serial() from
      Dr Stephen Henson <shenson@bigfoot.com>

19-Sep-97
    - NO_FP_API and NO_STDIO added.
    - Put in sh config command. It auto runs Configure with the correct
      parameters.

18-Sep-97
    - Fix x509.c so if a DSA cert has different parameters to its parent,
      they are left in place. Not tested yet.

16-Sep-97
    - ssl_create_cipher_list() had some bugs, fixes from
      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
    - Fixed a bug in the Base64 BIO, where it would return 1 instead
      of -1 when end of input was encountered but should retry.
      Basically a Base64/Memory BIO interaction problem.
    - Added a HMAC set of functions in preparation for TLS work.

15-Sep-97
    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
    - Prime generation sped up 25% (512 bit prime, pentium pro linux)
      by using montgomery multiplication in the prime number test.

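Added example, not SSLeay's own code, for two entries: the cached BN_MONT_CTX structure of 10-Oct-97 (the expensive part is the inverse that satisfies N*Ni == 1 modulo the word radix, which depends only on the modulus and so can be computed once) and the Montgomery multiplication inside the prime number test of 15-Sep-97. It goes beyond the text by showing the whole pattern on a single-word modulus: a context struct built once, Montgomery reduction without any division by the modulus, exponentiation that reuses the context, and a Fermat probable-prime check that shares one context across several bases. R is 2^32 and the modulus is limited to 31 bits so every intermediate fits in 64-bit arithmetic; the names mont_ctx, mont_redc, mont_modexp, naive_modexp and mont_fermat_probable_prime are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Everything that depends only on the modulus n: compute once, reuse per operation. */
typedef struct {
    uint32_t n;      /* odd modulus, n < 2^31 so t + m*n in mont_redc() fits in 64 bits */
    uint32_t n_inv;  /* -n^{-1} mod 2^32: the "Ni" that is worth caching */
    uint32_t r2;     /* R^2 mod n with R = 2^32; converts values into Montgomery form */
} mont_ctx;

/* Inverse of an odd n modulo 2^32 by Newton iteration: x = x*(2 - n*x)
 * doubles the number of correct low-order bits each round. n itself is
 * correct to 3 bits because n*n == 1 (mod 8) for every odd n. */
static uint32_t inv_mod_2_32(uint32_t n) {
    uint32_t x = n;
    for (int i = 0; i < 4; i++) x *= 2u - n * x;   /* 3 -> 6 -> 12 -> 24 -> 48 bits */
    return x;
}

/* Returns 1 on success, 0 if n is unusable (even, too small or too large). */
int mont_ctx_init(mont_ctx *ctx, uint32_t n) {
    if (n < 3 || (n & 1u) == 0 || n >= 0x80000000u) return 0;
    ctx->n = n;
    ctx->n_inv = 0u - inv_mod_2_32(n);
    uint64_t r = (1ULL << 32) % n;                 /* R mod n */
    ctx->r2 = (uint32_t)((r * r) % n);             /* R^2 mod n */
    return 1;
}

/* REDC: for t < n*R return t * R^{-1} mod n. m is chosen so that t + m*n is
 * a multiple of R; the division by R is then a plain shift. */
static uint32_t mont_redc(const mont_ctx *ctx, uint64_t t) {
    uint32_t m = (uint32_t)t * ctx->n_inv;                 /* mod 2^32 */
    uint64_t u = (t + (uint64_t)m * ctx->n) >> 32;
    return (uint32_t)(u >= ctx->n ? u - ctx->n : u);
}

/* base^exp mod n with the cached context: one conversion in, one out,
 * and only Montgomery multiplications in between. */
uint32_t mont_modexp(const mont_ctx *ctx, uint32_t base, uint32_t exp) {
    uint32_t result = mont_redc(ctx, ctx->r2);                          /* 1 in Montgomery form, i.e. R mod n */
    uint32_t b = mont_redc(ctx, (uint64_t)(base % ctx->n) * ctx->r2);  /* base * R mod n */
    while (exp) {
        if (exp & 1u) result = mont_redc(ctx, (uint64_t)result * b);
        b = mont_redc(ctx, (uint64_t)b * b);
        exp >>= 1;
    }
    return mont_redc(ctx, result);                                      /* back to normal form */
}

/* Plain square-and-multiply with a modulo per step; used only to cross-check. */
uint32_t naive_modexp(uint32_t base, uint32_t exp, uint32_t n) {
    uint64_t result = 1, b = base % n;
    while (exp) {
        if (exp & 1u) result = (result * b) % n;
        b = (b * b) % n;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Fermat probable-prime check: a^(n-1) == 1 mod n for a few bases, all
 * sharing one context. Real prime generation uses Miller-Rabin; Fermat is
 * enough to show where the Montgomery context earns its keep. */
int mont_fermat_probable_prime(uint32_t n) {
    static const uint32_t bases[] = {2, 3, 5, 7};
    mont_ctx ctx;
    if (n == 2 || n == 3 || n == 5 || n == 7) return 1;
    if (!mont_ctx_init(&ctx, n)) return 0;       /* even or tiny n: not a prime we handle */
    for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++)
        if (mont_modexp(&ctx, bases[i], n - 1) != 1) return 0;
    return 1;
}

int main(void) {
    mont_ctx ctx;
    mont_ctx_init(&ctx, 1000000007u);
    printf("2^10 mod 1000000007 = %u\n", mont_modexp(&ctx, 2, 10));
    printf("1000000007 probable prime: %d, 91 probable prime: %d\n",
           mont_fermat_probable_prime(1000000007u), mont_fermat_probable_prime(91));
    return 0;
}
```

The bound n < 2^31 is what keeps t + m*n below 2^64 inside mont_redc(): both terms are below 2^63. A multi-word version keeps the same structure but applies the reduction one word at a time.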
11-Sep-97
    - Ugly bug in ssl3_write_bytes(). Basically if application land
      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
      did not check the size and tried to copy the entire buffer.
      This would tend to cause memory overwrites since SSLv3 has
      a maximum packet size of 16k. If your program uses
      buffers <= 16k, you would probably never see this problem.
    - Fixed a few errors that were caused by malloc() not returning
      0 initialised memory.
    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
      since this flag stops SSLeay being able to handle client
      cert requests correctly.

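Added example, not SSLeay's own code, for the ssl3_write_bytes() entry above: a write path that fragments an application buffer of any size into records of at most 16k, with the length check at the record layer that the entry says was missing. The record layer here is a stand-in (a fixed-size buffer plus counters) rather than the real one, so the example can show both the overrun that an unchecked memcpy() would have caused and the fragmenting writer that avoids it. The names record_sink, sink_send_record, ssl3_write_fragmented, fragment_demo and oversized_record_rejected are hypothetical, and the 40000-byte buffer in main() is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SSL3_RT_MAX_PLAIN_LENGTH 16384   /* the 16k SSLv3 record limit from the entry */

/* Stand-in for the record layer: one fixed-size record buffer plus counters. */
typedef struct {
    unsigned char record[SSL3_RT_MAX_PLAIN_LENGTH];
    size_t records_sent;
    size_t bytes_sent;
    size_t largest_record;
} record_sink;

/* Emit exactly one record. The length check is the one the entry describes
 * as missing: without it, memcpy() writes past the end of record[]. */
int sink_send_record(record_sink *s, const unsigned char *p, size_t len) {
    if (len == 0 || len > sizeof s->record) return -1;
    memcpy(s->record, p, len);
    s->records_sent++;
    s->bytes_sent += len;
    if (len > s->largest_record) s->largest_record = len;
    return (int)len;
}

/* What SSL_write() must do with an arbitrarily large buffer: split it into
 * records of at most SSL3_RT_MAX_PLAIN_LENGTH bytes. Returns bytes written,
 * or -1 if the record layer refused a record. */
long ssl3_write_fragmented(record_sink *s, const unsigned char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        size_t chunk = len - done;
        if (chunk > SSL3_RT_MAX_PLAIN_LENGTH) chunk = SSL3_RT_MAX_PLAIN_LENGTH;
        int n = sink_send_record(s, buf + done, chunk);
        if (n < 0) return -1;
        done += (size_t)n;
    }
    return (long)done;
}

/* Drive the writer with a constructed buffer of len bytes and report how it
 * was split. Returns the bytes written (or -1) and fills the two counters. */
long fragment_demo(size_t len, size_t *records_out, size_t *largest_out) {
    record_sink *s = calloc(1, sizeof *s);
    unsigned char *buf = malloc(len ? len : 1);
    if (!s || !buf) { free(s); free(buf); return -1; }
    memset(buf, 'A', len);
    long n = ssl3_write_fragmented(s, buf, len);
    *records_out = s->records_sent;
    *largest_out = s->largest_record;
    free(buf);
    free(s);
    return n;
}

/* The failure mode itself: one record of 16k + 1 bytes is refused, not copied. */
int oversized_record_rejected(void) {
    static unsigned char big[SSL3_RT_MAX_PLAIN_LENGTH + 1];
    record_sink s;
    memset(&s, 0, sizeof s);
    return sink_send_record(&s, big, sizeof big) == -1;
}

int main(void) {
    size_t records = 0, largest = 0;
    long n = fragment_demo(40000, &records, &largest);
    printf("wrote %ld bytes in %zu records, largest %zu\n", n, records, largest);
    return 0;
}
```

A 40000-byte write comes out as three records (16384, 16384 and 7232 bytes); the checks belong at both levels, because a caller that bypasses the fragmenting writer must still be stopped at the record layer.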
08-Sep-97
    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched
      on, the SSL server routines will not use a SSL_SESSION that is
      held in its cache. This is intended to be used with the session-id
      callbacks so that while the session-ids are still stored in the
      cache, the decision to use them and how to look them up can be
      done by the callbacks. These are the 'new', 'get' and 'remove'
      callbacks. This can be used to determine the session-id
      to use depending on information like which port/host the connection
      is coming from. Since there are also SSL_SESSION_set_app_data() and
      SSL_SESSION_get_app_data() functions, the application can hold
      information against the session-id as well.

03-Sep-97
    - Added lookup of CRLs to the by_dir method,
      X509_load_crl_file() also added. Basically it means you can
      lookup CRLs via the same system used to lookup certificates.
    - Changed things so that the X509_NAME structure can contain
      ASN.1 BIT_STRINGS which is required for the unique
      identifier OID.
    - Fixed some problems with the auto flushing of the session-id
      cache. It was not occurring on the server side.

02-Sep-97
    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
      which is the maximum number of entries allowed in the
      session-id cache. This is enforced with a simple FIFO list.
      The default size is 20*1024 entries which is rather large :-).
      The Timeout code is still always operating.

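Added example, not SSLeay's own code, for the two session-cache entries (08-Sep-97 and 02-Sep-97): a session-id store with a maximum entry count enforced by FIFO eviction, a timeout that keeps operating independently of the size limit, and a "no internal lookup" switch that bypasses the store and lets an application 'get' callback decide on resumption. The structure and function names (sess_cache, sess_cache_add, sess_cache_lookup, demo_get_cb) are hypothetical, the callback stands in for an application keying resumption on connection details such as port or host, and the ids in the self-test are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SESS_ID_LEN 32      /* session-ids are at most 32 bytes */
#define SESS_CACHE_CAP 64   /* compile-time ceiling for the example; the entry's default is 20*1024 */

typedef struct { unsigned char id[SESS_ID_LEN]; uint32_t created; } sess_entry;

typedef struct sess_cache sess_cache;
/* The application's 'get' callback: return 1 if the session may be resumed. */
typedef int (*sess_get_cb)(sess_cache *c, const unsigned char *id, uint32_t now);

struct sess_cache {
    sess_entry ring[SESS_CACHE_CAP];
    size_t head;             /* index of the oldest live entry */
    size_t count;
    size_t max_entries;      /* the SSL_CTX_sess_cache_size() limit */
    uint32_t timeout;        /* seconds a session stays valid */
    int no_internal_lookup;  /* SSL_SESS_CACHE_NO_INTERNAL_LOOKUP analogue */
    sess_get_cb get_cb;
};

void sess_cache_init(sess_cache *c, size_t max_entries, uint32_t timeout) {
    memset(c, 0, sizeof *c);
    c->max_entries = max_entries > SESS_CACHE_CAP ? SESS_CACHE_CAP : max_entries;
    c->timeout = timeout;
}

/* Store a session. When the cache is full the oldest entry is overwritten:
 * a plain FIFO, no LRU bookkeeping. */
void sess_cache_add(sess_cache *c, const unsigned char *id, uint32_t now) {
    size_t slot;
    if (c->max_entries == 0) return;
    if (c->count == c->max_entries) {
        slot = c->head;                               /* evict the oldest */
        c->head = (c->head + 1) % c->max_entries;
    } else {
        slot = (c->head + c->count) % c->max_entries;
        c->count++;
    }
    memcpy(c->ring[slot].id, id, SESS_ID_LEN);
    c->ring[slot].created = now;
}

/* Returns 1 if the session may be resumed. Expired entries are never handed
 * out, whatever the size limit. With no_internal_lookup set the store is
 * bypassed and only the callback decides. */
int sess_cache_lookup(sess_cache *c, const unsigned char *id, uint32_t now) {
    if (c->no_internal_lookup)
        return c->get_cb ? c->get_cb(c, id, now) : 0;
    for (size_t i = 0; i < c->count; i++) {
        const sess_entry *e = &c->ring[(c->head + i) % c->max_entries];
        if (memcmp(e->id, id, SESS_ID_LEN) == 0)
            return now >= e->created && now - e->created < c->timeout;
    }
    return 0;
}

/* Constructed callback: stands in for an application that allows resumption
 * only for connections it recognises (here by a tag byte in the id). */
static int demo_get_cb(sess_cache *c, const unsigned char *id, uint32_t now) {
    (void)c; (void)now;
    return id[0] == 'X';
}

static void make_id(unsigned char *id, unsigned char tag) { memset(id, tag, SESS_ID_LEN); }

/* Walks through FIFO eviction, expiry and the external-lookup mode; returns 1 on success. */
int sess_cache_selftest(void) {
    sess_cache c;
    unsigned char a[SESS_ID_LEN], b[SESS_ID_LEN], x[SESS_ID_LEN];
    make_id(a, 'A'); make_id(b, 'B'); make_id(x, 'X');
    sess_cache_init(&c, 2, 100);
    sess_cache_add(&c, a, 0);
    sess_cache_add(&c, b, 10);
    sess_cache_add(&c, x, 20);                         /* third entry in a 2-entry cache: A is evicted */
    if (sess_cache_lookup(&c, a, 20) != 0) return 0;
    if (sess_cache_lookup(&c, b, 20) != 1) return 0;
    if (sess_cache_lookup(&c, b, 110) != 0) return 0;  /* 100 s old: expired */
    c.no_internal_lookup = 1;
    c.get_cb = demo_get_cb;
    if (sess_cache_lookup(&c, b, 20) != 0) return 0;   /* still cached, but the application says no */
    return sess_cache_lookup(&c, x, 20) == 1;
}

int main(void) {
    printf("session cache self-test: %s\n", sess_cache_selftest() ? "ok" : "FAILED");
    return 0;
}
```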
01-Sep-97
    - Added an argument to all the 'generate private key/prime'
      callbacks. It is the last parameter so this should not
      break existing code but it is needed for C++.
    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
      BIO. This lets the BIO read and write base64 encoded data
      without inserting or looking for '\n' characters. The '-A'
      flag turns this on when using apps/enc.c.
    - RSA_NO_PADDING added to help BSAFE functionality. This is a
      very dangerous thing to use, since RSA private key
      operations without random padding bytes (as PKCS#1 adds) can
      be attacked such that the private key can be revealed.
    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
      Dr Stephen Henson <shenson@bigfoot.com>

31-Aug-97 (stuff added while I was away)
    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
    - RSA_flags() added allowing bypass of pub/priv match check
      in ssl/ssl_rsa.c - Tim Hudson.
    - A few minor bugs.

SSLeay 0.8.1 released.

19-Jul-97
    - Server side initiated dynamic renegotiation is broken. I will fix
      it when I get back from holidays.

15-Jul-97
    - Quite a few small changes.
    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>

09-Jul-97
    - Added 2 new values to the SSL info callback.
      SSL_CB_START which is passed when the SSL protocol is started
      and SSL_CB_DONE when it has finished successfully.

08-Jul-97
    - Fixed a few bugs in apps/req.c and crypto/asn1/x_pkey.c
      that related to DSA public/private keys.
    - Added all the relevant PEM and normal IO functions to support
      reading and writing RSAPublic keys.
    - Changed makefiles to use ${AR} instead of 'ar r'

07-Jul-97
    - Error in ERR_remove_state() that would leave a dangling reference
      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
    - s_client now prints the X509_NAMEs passed from the server
      when requesting a client cert.
    - Added a ssl->type, which is one of SSL_ST_CONNECT or
      SSL_ST_ACCEPT. I had to add it so I could tell if I was
      a connect or an accept after the handshake had finished.
    - SSL_get_client_CA_list(SSL *s) now returns the CA names
      passed by the server if called by a client side SSL.

05-Jul-97
    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
      0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com).

04-Jul-97
    - Fixed some things in X509_NAME_add_entry(), thanks to
      Matthew Donald <matthew@world.net>.
    - I had a look at the cipher section and thought that it was a
      bit confused, so I've changed it.
    - I was not setting up the RC4-64-MD5 cipher correctly. It is
      a MS special that appears in exported MS Money.
    - Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3
      spec. I was missing the two byte length header for the
      ClientDiffieHellmanPublic value. This is a packet sent from
      the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
      option will enable the SSLeay server side SSLv3 to accept either
      the correct or my 080 packet format.
    - Fixed a few typos in crypto/pem.org.

02-Jul-97
    - Alias mapping for EVP_get_(digest|cipher)byname is now
      performed before a lookup for the actual cipher. This means
      that an alias can be used to 're-direct' a cipher or a
      digest.
    - ASN1_read_bio() had a bug that only showed up when using a
      memory BIO. When EOF is reached in the memory BIO, it is
      reported as a -1 with BIO_should_retry() set to true.

01-Jul-97
    - Fixed an error in X509_verify_cert() caused by my
      misunderstanding how 'do { continue } while(0);' works.
      Thanks to Emil Sit <sit@mit.edu> for educating me :-)

30-Jun-97
    - Base64 decoding error. If the last data line did not end with
      a '=', sometimes extra data would be returned.
    - Another 'cut and paste' bug in x509.c related to setting up the
      STDout BIO.

27-Jun-97
    - apps/ciphers.c was not printing due to an editing error.
    - Alex Kiernan <alex@hisoft.co.uk> sent in a nice fix for
      a library build error in util/mk1mf.pl

26-Jun-97
    - Still did not have the auto 'experimental' code removal
      script correct.
    - A few header tweaks for Watcom 11.0 under Win32 from
      Rolf Lindemann <Lindemann@maz-hh.de>
    - 0 length OCTET_STRING bug in asn1_parse
    - A minor fix with a non-existent function in the MS .def files.
    - A few changes to the PKCS7 stuff.

25-Jun-97
SSLeay 0.8.0 finally gets released.

24-Jun-97
Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
use a temporary RSA key. This is experimental and needs some more work.
Fixed a few Win16 build problems.

23-Jun-97
SSLv3 bug. I was not doing the 'lookup' of the CERT structure
correctly. I was taking the SSL->ctx->default_cert when I should
have been using SSL->cert. The bug was in ssl/s3_srvr.c

20-Jun-97
X509_ATTRIBUTES were being encoded wrongly by apps/req.c and the
rest of the library. Even though I had the code required to do
it correctly, apps/req.c was doing the wrong thing. I have fixed
and tested everything.

Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.

19-Jun-97
Fixed a bug in the SSLv2 server side first packet handling. When
using the non-blocking test BIO, the ssl->s2->first_packet flag
was being reset when a would-block failure occurred when reading
the first 5 bytes of the first packet. This caused the checking
logic to run at the wrong time and cause an error.

Fixed a problem with specifying ciphers. If RC4-MD5 were used,
only the SSLv3 version would be picked up. Now this will pick
up both SSLv2 and SSLv3 versions. This required changing the
SSL_CIPHER->mask values so that they only mask the ciphers,
digests, authentication, export type and key-exchange algorithms.

I found that when a SSLv23 session is established, a reused
session, of type SSLv3 was attempting to write the SSLv2
ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char
method has been modified so it will only write out ciphers which
that method knows about.