Commit 3ddc06f0 authored by Bodo Möller

In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

Submitted by: Bob Buckholz <bbuckholz@google.com>
parent cdfe0fdd
+57 −49
@@ -184,16 +184,59 @@
     by Google.
     [Adam Langley <agl@google.com> and Ben Laurie]

  *) Use type ossl_ssize_t instad of ssize_t which isn't available on
     all platforms. Move ssize_t definition from e_os.h to the public
     header file e_os2.h as it now appears in public header file cms.h
     [Steve Henson]

  *) New function OPENSSL_gmtime_diff to find the difference in days
     and seconds between two tm structures. This will be used to provide
     additional functionality for ASN1_TIME.
     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) Initial experimental support for explicitly trusted non-root CAs. 
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust or reject.
     [Steve Henson]

  *) New -verify_name option in command line utilities to set verification
     parameters by name.
     [Steve Henson]

  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
     Add CMAC pkey methods.
     [Steve Henson]

  *) Experiemental regnegotiation in s_server -www mode. If the client 
     browses /reneg connection is renegotiated. If /renegcert it is
     renegotiated requesting a certificate.
     [Steve Henson]

  *) Add an "external" session cache for debugging purposes to s_server. This
     should help trace issues which normally are only apparent in deployed
     multi-process servers.
     [Steve Henson]

  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
     BIO_set_cipher() and some obscure PEM functions were changed so they
     can now return an error. The RAND changes required a change to the
     RAND_METHOD structure.
     [Steve Henson]

  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
     a gcc attribute to warn if the result of a function is ignored. This
     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
     whose return value is often ignored. 
     [Steve Henson]
  
 Changes between 1.0.0f and 1.0.1  [xx XXX xxxx]

  *) Use type ossl_ssize_t instad of ssize_t which isn't available on
     all platforms. Move ssize_t definition from e_os.h to the public
     header file e_os2.h as it now appears in public header file cms.h
     [Steve Henson]

  *) New -sigopt option to the ca, req and x509 utilities. Additional
     signature parameters can be passed using this option and in
     particular PSS. 
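Review bot: The commit message covers only the ssl3_clear fix, yet this hunk also carries a run of unrelated CHANGES entries (-trusted_first, explicitly trusted non-root CAs, -verify_name, CMAC, s_server renegotiation, the external session cache, the DEBUG_UNUSED audit and __owur) placed above a "Changes between 1.0.0f and 1.0.1" header, and the same entries show up again in the later hunks at -228 and -266. Please split the changelog reshuffle into its own commit, or at least mention it in the message, so the ssl3_clear fix stays easy to find and to backport.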
@@ -228,34 +271,6 @@
     parameters r, s.
     [Steve Henson]

  *) Add -trusted_first option which attempts to find certificates in the
     trusted store even if an untrusted chain is also supplied.
     [Steve Henson]

  *) Initial experimental support for explicitly trusted non-root CAs. 
     OpenSSL still tries to build a complete chain to a root but if an
     intermediate CA has a trust setting included that is used. The first
     setting is used: whether to trust or reject.
     [Steve Henson]

  *) New -verify_name option in command line utilities to set verification
     parameters by name.
     [Steve Henson]

  *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
     Add CMAC pkey methods.
     [Steve Henson]

  *) Experiemental regnegotiation in s_server -www mode. If the client 
     browses /reneg connection is renegotiated. If /renegcert it is
     renegotiated requesting a certificate.
     [Steve Henson]

  *) Add an "external" session cache for debugging purposes to s_server. This
     should help trace issues which normally are only apparent in deployed
     multi-process servers.
     [Steve Henson]

  *) Password based recipient info support for CMS library: implementing
     RFC3211.
     [Steve Henson]
@@ -266,21 +281,6 @@
     password based CMS).
     [Steve Henson]

  *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
     return value is ignored. NB. The functions RAND_add(), RAND_seed(),
     BIO_set_cipher() and some obscure PEM functions were changed so they
     can now return an error. The RAND changes required a change to the
     RAND_METHOD structure.
     [Steve Henson]

  *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
     a gcc attribute to warn if the result of a function is ignored. This
     is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
     whose return value is often ignored. 
     [Steve Henson]
  
 Changes between 1.0.0e and 1.0.1  [xx XXX xxxx]

  *) Session-handling fixes:
     - Fix handling of connections that are resuming with a session ID,
       but also support Session Tickets.
@@ -452,7 +452,12 @@
       Add command line options to s_client/s_server.
     [Steve Henson]

 Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
 Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]

  *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
     [Bob Buckholz (Google)]

 Changes between 1.0.0d and 1.0.0e [6 Sep 2011]

  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
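Review bot: The entry under "Changes between 1.0.0e and 1.0.0f" restates the code change ("preserve s3->init_extra along with s3->rbuf") without saying what goes wrong when the field is not preserved. A reader deciding whether to pick up this release cannot judge the impact from that wording; add a clause naming the failure a caller would see after ssl3_clear. The same applies to the identical entry added under "Changes between 0.9.8r and 0.9.8s".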
@@ -1359,6 +1364,9 @@
  
 Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]

  *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
     [Bob Buckholz (Google)]

  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH.
     [Adam Langley (Google)]
+3 −0
@@ -3000,6 +3000,7 @@ void ssl3_clear(SSL *s)
	{
	unsigned char *rp,*wp;
	size_t rlen, wlen;
	int init_extra;

#ifdef TLSEXT_TYPE_opaque_prf_input
	if (s->s3->client_opaque_prf_input != NULL)
@@ -3038,6 +3039,7 @@ void ssl3_clear(SSL *s)
	wp = s->s3->wbuf.buf;
	rlen = s->s3->rbuf.len;
 	wlen = s->s3->wbuf.len;
	init_extra = s->s3->init_extra;
	if (s->s3->handshake_buffer) {
		BIO_free(s->s3->handshake_buffer);
		s->s3->handshake_buffer = NULL;
@@ -3050,6 +3052,7 @@ void ssl3_clear(SSL *s)
	s->s3->wbuf.buf = wp;
	s->s3->rbuf.len = rlen;
 	s->s3->wbuf.len = wlen;
	s->s3->init_extra = init_extra;

	ssl_free_wbio_buffer(s);
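Review bot: The restore of s->s3->init_extra next to s->s3->rbuf.len has no comment explaining why this field has to survive the clear together with the read buffer. The save/restore list here is maintained by hand, so a short comment at the restore stating how init_extra relates to the preserved rbuf would tell the next editor that the two must stay consistent and that any further field tied to the kept buffers belongs in the same list.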