Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified on the `perl
Configure ...' command line. This way one can compile OpenSSL libraries with
Position Independent Code (PIC) which is needed for linking it into DSOs.
Move the SSL_CTX_xxx defines at the top of ssl.h to the location of other
SSL_CTX_xxx defines. What was the reason to move them to the top, even before
the copyright and #ifdef HEADER_SSL_H? Hmmm... when there was and still is a
good reason feel free to reverse this patch, but please document why it is
needed this way.
Add a first cut for a NEWS document similar to what other packages (mostly GNU
packages) provide. The idea is that because of the large number of CHANGES
entries, this file summarizes the major changes for a brief overview.
Cleaned up the LICENSE document: The official contact for any license
questions now is the OpenSSL core team under openssl-core@openssl.org. And
add a paragraph about the dual-license situation to make sure people recognize
that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply to the OpenSSL
toolkit.
General source tree makefile cleanups: Made `making xxx in yyy...' display
consistent in the source tree and replaced `/bin/rm' by `rm'. Additonally
cleaned up the `make links' target: Remove unnecessary semicolons, subsequent
redundant removes, inline point.sh into mklink.sh to speed processing and no
longer clutter the display with confusing stuff. Instead only the actually
done links are displayed.
Add an extra 'raw' function r2i to the extension code. Nothing uses this yet and
it is just a place holder for functionality to be added later. Its been added
now so the X509V3_EXT_METHOD structure shouldn't (hopefully) have to change
after the release.
Added the new `Includes OpenSSL Cryptography Software' button as
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
button and can be used by applications based on OpenSSL to show the
relationship to the OpenSSL project.
PS: This beast caused me three hours to create, because
of the size I had to hand-paint the 7pt fonts in Photoshop.
Fix the Win32 compile environment and add various changes so it will now compile
under Win32 (9X and NT) again. Note: some signed/unsigned changes recently
checked in were killing the Win32 compile.
Ops, the logic of the second argument has to be coupled with the != test to
work correctly for the SSL_CTX_xxx situations, too. Now "make test" passes
again fine.
Add a bunch of SSL_xxx() functions for configuring the temporary RSA and DH
private keys and/or callback functions which directly correspond to their
SSL_CTX_xxx() counterparts but work on a per-connection basis. This is needed
for applications which have to configure certificates on a per-connection
basis (e.g. Apache+mod_ssl) instead of a per-context basis (e.g.
s_server).
For the RSA certificate situation is makes no difference, but for the DSA
certificate situation this fixes the "no shared cipher" problem where the
OpenSSL cipher selection procedure failed because the temporary keys were not
overtaken from the context and the API provided no way to reconfigure them.
The new functions now let applications reconfigure the stuff and they are in
detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper function
and also to reduce code redundancy inside ssl_rsa.c.
Submitted by: Ralf S. Engelschall
Reviewed by: Ben Laurie
Move s_server -dcert and -dkey options out of the undocumented feature area
because they are useful for the DSA situation and should be recognized by the
users. Thanks to Steve for the original hint.
Fix the cipher decision scheme for export ciphers: the export bits are *not*
within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within SSL_EXP_MASK. So, the
original variable has to be used instead of the already masked variable.
Submitted by: Richard Levitte <levitte@stacken.kth.se>
Reviewed by: Ralf S. Engelschall
Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
from `int' to `unsigned int' because it's a length and initialized by
EVP_DigestFinal() which expects an `unsigned int *'.
Submitted by: Richard Levitte <levitte@stacken.kth.se>
Reviewed by: Ralf S. Engelschall
Make `openssl x509 -noout -modulus' functional also for DSA certificates (in
addition to RSA certificates) to match the behaviour of `openssl dsa -noout
-modulus' as it's already the case for `openssl rsa -noout -modulus'. For RSA
the -modulus is the real "modulus" while for DSA currently the public key is
printed (a decision which was already done by `openssl dsa -modulus' in the
past) which serves a similar purpose. Additionally the NO_RSA no longer
completely removes the whole -modulus option; it now only avoids using the RSA
stuff. Same applies to NO_DSA now, too.
Various changes to make this stuff compile under Win32 and VC++ with and
without -debug option to mk1mf.pl. Change _export to is_export (_export is
a reserved word under VC++). Add yucky function prototype function pointer
casts. Sanitise the included files in crypto/x509v3.
Add more functionality to issuer alt name and subject alt name. New options
to include email addresses from DN and copy details from issuer certificate.
Include examples in openssl.cnf, update Win32 ordinals.
Mark J. Cox [Tue, 16 Feb 1999 09:22:21 +0000 (09:22 +0000)]
Updates to the new SSL compression code
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
Fix so that the version number in the master secret, when passed
via RSA, checks that if TLS was proposed, but we roll back to SSLv3
(because the server will not accept higher), that the version number
is 0x03,0x01, not 0x03,0x00
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
Patch to Configure script. For some reason the BN_ASM part was truncated to
the first word which broke (at least) the Linux compile. Hopefully this wont
break other platforms.
Add support for raw extensions. This means that you can include the DER encoding
of an arbitrary extension: e.g. 1.3.4.5=critical,RAW:12:34:56 Using this
technique currently unsupported extensions can be generated if you know their
DER encoding. Even if the extension is supported in future the raw extension
will still work: that is the raw version can always be used even if it is a
supported extension.
Make the 'crypto' and 'ssl' options in the perl script mkdef.pl really work,
also add an 'update' option to automatically append any new functions to the
ssleay.num and libeay.num files.