+ *) Add X25519 support.
+ Integrate support for X25519 into EC library. This includes support
+ for public and private key encoding using the format documented in
+ draft-josefsson-pkix-newcurves-01: specifically X25519 uses the
+ OID from that draft, encodes public keys using little endian
+ format in the ECPoint structure and private keys using
+ little endian form in the privateKey field of the ECPrivateKey
+ structure. TLS support complies with draft-ietf-tls-rfc4492bis-06
+ and uses X25519(29).
+
+ Note: the current version supports key generation, public and
+ private key encoding and ECDH key agreement using the EC API.
+ Low level point operations such as EC_POINT_add(), EC_POINT_mul()
+ are NOT supported.
+ [Steve Henson]
+
+ *) Deprecate SRP_VBASE_get_by_user.
+ SRP_VBASE_get_by_user had inconsistent memory management behaviour.
+ In order to fix an unavoidable memory leak (CVE-2016-0798),
+ SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
+ seed, even if the seed is configured.
+
+ Users should use SRP_VBASE_get1_by_user instead. Note that in
+ SRP_VBASE_get1_by_user, caller must free the returned value. Note
+ also that even though configuring the SRP seed attempts to hide
+ invalid usernames by continuing the handshake with fake
+ credentials, this behaviour is not constant time and no strong
+ guarantees are made that the handshake is indistinguishable from
+ that of a valid user.
+ [Emilia Käsper]
+
+ *) Configuration change; it's now possible to build dynamic engines
+ without having to build shared libraries and vice versa. This
+ only applies to the engines in engines/, those in crypto/engine/
+ will always be built into libcrypto (i.e. "static").
+
+ Building dynamic engines is enabled by default; to disable, use
+ the configuration option "disable-dynamic-engine".
+
+ The only requirements for building dynamic engines are the
+ presence of the DSO module and building with position independent
+ code, so they will also automatically be disabled if configuring
+ with "disable-dso" or "disable-pic".
+
+ The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
+ are also taken away from openssl/opensslconf.h, as they are
+ irrelevant.
+ [Richard Levitte]
+
+ *) Configuration change; if there is a known flag to compile
+ position independent code, it will always be applied on the
+ libcrypto and libssl object files, and never on the application
+ object files. This means other libraries that use routines from
+ libcrypto / libssl can be made into shared libraries regardless
+ of how OpenSSL was configured.
+
+ If this isn't desirable, the configuration options "disable-pic"
+ or "no-pic" can be used to disable the use of PIC. This will
+ also disable building shared libraries and dynamic engines.
+ [Richard Levitte]
+
+ *) Removed JPAKE code. It was experimental and has no wide use.
+ [Rich Salz]
+
+ *) The INSTALL_PREFIX Makefile variable has been renamed to
+ DESTDIR. That makes for less confusion on what this variable
+ is for. Also, the configuration option --install_prefix is
+ removed.
+ [Richard Levitte]
+
+ *) Heartbeat for TLS has been removed and is disabled by default
+ for DTLS; configure with enable-heartbeats. Code that uses the
+ old #define's might need to be updated.
+ [Emilia Käsper, Rich Salz]
+
+ *) Rename REF_CHECK to REF_DEBUG.
+ [Rich Salz]
+
+ *) New "unified" build system
+
+ The "unified" build system is aimed to be a common system for all
+ platforms we support. With it comes new support for VMS.
+
+ This system builds supports building in a different directory tree
+ than the source tree. It produces one Makefile (for unix family
+ or lookalikes), or one descrip.mms (for VMS).
+
+ The source of information to make the Makefile / descrip.mms is
+ small files called 'build.info', holding the necessary
+ information for each directory with source to compile, and a
+ template in Configurations, like unix-Makefile.tmpl or
+ descrip.mms.tmpl.
+
+ We rely heavily on the perl module Text::Template.
+ [Richard Levitte]
+
+ *) Added support for auto-initialisation and de-initialisation of the library.
+ OpenSSL no longer requires explicit init or deinit routines to be called,
+ except in certain circumstances. See the OPENSSL_init_crypto() and
+ OPENSSL_init_ssl() man pages for further information.
+ [Matt Caswell]
+
+ *) The arguments to the DTLSv1_listen function have changed. Specifically the
+ "peer" argument is now expected to be a BIO_ADDR object.
+
+ *) Rewrite of BIO networking library. The BIO library lacked consistent
+ support of IPv6, and adding it required some more extensive
+ modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
+ which hold all types of addresses and chains of address information.
+ It also introduces a new API, with functions like BIO_socket,
+ BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
+ The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
+ have been adapted accordingly.
+ [Richard Levitte]
+
+ *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+ the leading 0-byte.
+ [Emilia Käsper]
+
projects / openssl.git / blobdiff