Loading CHANGES +16 −10 Original line number Diff line number Diff line Loading @@ -28,15 +28,6 @@ X509_NAME_get_index_by_NID() since 0 is a valid index. [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>] *) Use better test patterns in bntest. [Ulf Möller] *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling the method-specific "init()" handler. Also clean up ex_data after calling the method-specific "finish()" handler. Previously, this was happening the other way round. [Geoff Thorpe] *) Avoid coredump with unsupported or invalid public keys by checking if X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when PKCS7_verify() fails with non detached data. Loading Loading @@ -69,6 +60,7 @@ *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME was empty. [Steve Henson] [This change does not apply to 0.9.7.] *) Use the cached encoding of an X509_NAME structure rather than copying it. This is apparently the reason for the libsafe "errors" Loading @@ -80,7 +72,7 @@ Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits to be set and top=0 forces the highest bit to be set; top=-1 is new and leaves the highest bit random. [Ulf Moeller] [Ulf Moeller, Bodo Moeller] *) In the NCONF_...-based implementations for CONF_... queries (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using Loading Loading @@ -109,6 +101,7 @@ macros previously used would not encode an empty SEQUENCE OF and break the signature. [Steve Henson] [This change does not apply to 0.9.7.] *) Zero the premaster secret after deriving the master secret in DH ciphersuites. Loading Loading 
@@ -161,12 +154,19 @@ *) Fix a deadlock in CRYPTO_mem_leaks(). [Bodo Moeller] *) Use better test patterns in bntest. [Ulf Möller] *) rand_win.c fix for Borland C. [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] *) Add a 'bctest' script that checks for some known 'bc' bugs so that 'make test' does not abort just because 'bc' is broken. [Bodo Moeller] *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original Loading @@ -189,6 +189,12 @@ does the actual work for ssl3_read_internal. [Bodo Moeller] *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling the method-specific "init()" handler. Also clean up ex_data after calling the method-specific "finish()" handler. Previously, this was happening the other way round. [Geoff Thorpe] *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. The previous value, 12, was not always sufficient for BN_mod_exp(). [Bodo Moeller] Loading STATUS +20 −11 Original line number Diff line number Diff line OpenSSL STATUS Last modified at ______________ $Date: 2001/03/22 09:02:38 $ ______________ $Date: 2001/03/22 10:59:16 $ DEVELOPMENT STATE o OpenSSL 0.9.6a: In development... o OpenSSL 0.9.6a: Bugfix release -- under development... Beta 1 released on March 13th, 2001 HP-UX 10.20 (hpux-parisc-cc) - PASSED [normal+engine] HP-UX 10.20 (hpux-parisc-gcc) - PASSED [normal+engine] Loading Loading 
@@ -50,14 +50,13 @@ AVAILABLE PATCHES o CA.pl patch (Damien Miller) IN PROGRESS o Steve is currently working on (in no particular order): ASN1 code redesign, butchery, replacement. OCSP EVP cipher enhancement. Proper (or at least usable) certificate chain verification. Enhanced certificate chain verification. Private key, certificate and CRL API and implementation. Developing and bugfixing PKCS#7 (S/MIME code). Various X509 issues: character sets, certificate request extensions. Loading @@ -66,19 +65,29 @@ o Richard is currently working on: UTIL (a new set of library functions to support some higher level functionality that is currently missing). Dynamic thread-lock support. Shared library support for VMS. OCSP Kerberos 5 authentication Constification NEEDS PATCH o non-blocking socket on AIX o $(PERL) in */Makefile.ssl o "Sign the certificate?" - "n" creates empty certificate file o apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file o OpenSSL_0_9_6-stable: #include <openssl/e_os.h> in exported header files is illegal since e_os.h is suitable only for library-internal use. o Whenever strncpy is used, make sure the resulting string is NULL-terminated or an error is reported OPEN ISSUES o internal_verify doesn't know about X509.v3 (basicConstraints CA flag ...) o crypto/ex_data.c is not really thread-safe and so must be used with care (e.g., extra locking where necessary, or don't call CRYPTO_get_ex_new_index once multiple threads exist). The current API is not suitable for everything that it pretends to offer. o The Makefile hierarchy and build mechanism is still not a round thing: Loading Loading
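Review bot: the annotation "[This change does not apply to 0.9.7.]" added in CHANGES under the empty-X509_NAME encoding entry (hunk @@ -69,6 +60,7 @@) and under the empty SEQUENCE OF entry (hunk @@ -109,6 +101,7 @@) gives no reason, so a reader comparing branches cannot tell whether 0.9.7 never had the defect or still needs a separate fix. Suggest extending the annotation with a short clause saying why it does not apply.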
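Review bot: the credit line changed in CHANGES hunk @@ -80,7 +72,7 @@ spells the name "Ulf Moeller", while the bntest and rand_win.c entries in hunk @@ -161,12 +154,19 @@ of the same file use "Ulf Möller". Since this line is being edited anyway, pick one spelling for the file so that a search for the contributor finds every entry.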
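Review bot: in STATUS hunk @@ -50,14 +50,13 @@, rewording "Proper (or at least usable) certificate chain verification." to "Enhanced certificate chain verification." drops the only hint in the IN PROGRESS list that the current verification has a known gap, while OPEN ISSUES in the next hunk still records "internal_verify doesn't know about X509.v3 (basicConstraints CA flag ...)". Suggest keeping the new wording but pointing at that open issue, so the work item stays tied to the missing CA-flag check.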
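Review bot: the new NEEDS PATCH item in STATUS hunk @@ -66,19 +65,29 @@ says the string must be "NULL-terminated", which should read "NUL-terminated": the requirement is a terminating '\0' byte, not a NULL pointer. The item would also be easier to act on if it stated the failure case it guards against, namely that strncpy writes no terminator when the source is at least as long as the count, and whether truncation is to be treated as the reported error.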