Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
- *) Default cipher lists/suites are now avaialble via a function, the
+ *) Introduced a new function, OSSL_PROVIDER_available(), which can be used
+ to check if a named provider is loaded and available. When called, it
+ will also activate all fallback providers if such are still present.
+ [Richard Levitte]
+
+ *) Enforce a minimum DH modulus size of 512 bits.
+ [Bernd Edlinger]
+
+ *) Changed DH parameters to generate the order q subgroup instead of 2q.
+ Previously generated DH parameters are still accepted by DH_check
+ but DH_generate_key works around that by clearing bit 0 of the
+ private key for those. This avoids leaking bit 0 of the private key.
+ [Bernd Edlinger]
+
+ *) Added a new FUNCerr() macro that takes a function name.
+ The macro SYSerr() is deprecated.
+ [Rich Salz]
+
+ *) Significantly reduce secure memory usage by the randomness pools.
+ [Paul Dale]
+
+ *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been
+ deprecated.
+ [Rich Salz]
+
+ *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange
+ algorithms. An implementation of a key exchange algorithm can be obtained
+ by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be
+ used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to
+ the older EVP_PKEY_derive_init() function. See the man pages for the new
+ functions for further details.
+ [Matt Caswell]
+
+ *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function.
+ [Matt Caswell]
+
+ *) Removed the function names from error messages and deprecated the
+ xxx_F_xxx define's.
+
+ *) Removed NextStep support and the macro OPENSSL_UNISTD
+ [Rich Salz]
+
+ *) Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL,
+ OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL.
+ Also removed "export var as function" capability; we do not export
+ variables, only functions.
+ [Rich Salz]
+
+ *) RC5_32_set_key has been changed to return an int type, with 0 indicating
+ an error and 1 indicating success. In previous versions of OpenSSL this
+ was a void type. If a key was set longer than the maximum possible this
+ would crash.
+ [Matt Caswell]
+
+ *) Support SM2 signing and verification schemes with X509 certificate.
+ [Paul Yang]
+
+ *) Use SHA256 as the default digest for TS query in the ts app.
+ [Tomas Mraz]
+
+ *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
+ This checks that the salt length is at least 128 bits, the derived key
+ length is at least 112 bits, and that the iteration count is at least 1000.
+ For backwards compatibility these checks are disabled by default in the
+ default provider, but are enabled by default in the fips provider.
+ To enable or disable these checks use the control
+ EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
+ [Shane Lontis]
+
+ *) Default cipher lists/suites are now available via a function, the
#defines are deprecated.
[Todd Short]
*) Added command 'openssl kdf' that uses the EVP_KDF API.
[Shane Lontis]
- *) Added command 'openssl mac' that uses the EVP_MAC API.
+ *) Added command 'openssl mac' that uses the EVP_MAC API.
[Shane Lontis]
*) Added OPENSSL_info() to get diverse built-in OpenSSL data, such
SSL_set_ciphersuites()
[Matt Caswell]
- *) Memory allocation failures consistenly add an error to the error
+ *) Memory allocation failures consistently add an error to the error
stack.
[Rich Salz]
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
- NOTE: it's still possible for any application or module to have it's
+ NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
- memory from it's contents. This is done with a counter that will
+ memory from its contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
projects / openssl.git / blobdiff