More doc cleanup

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index fe16b0b434348967ebf1ccd8b510fa2275dacf49..e182b6072fe22fb4b68165eb3c8a2a66806939e9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,70 @@
  OpenSSL CHANGES
  _______________
 
  OpenSSL CHANGES
  _______________
 

- Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2h and 1.1.0  [xx XXX 2016]
+
+  *) The method for finding the storage location for the Windows RAND seed file
+     has changed. First we check %RANDFILE%. If that is not set then we check
+     the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
+     all else fails we fall back to C:\.
+     [Matt Caswell]
+
+  *) The EVP_EncryptUpdate() function has had its return type changed from void
+     to int. A return of 0 indicates and error while a return of 1 indicates
+     success.
+     [Matt Caswell]
+
+  *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+     DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+     off the constant time implementation for RSA, DSA and DH have been made
+     no-ops and deprecated.
+     [Matt Caswell]
+
+  *) Windows RAND implementation was simplified to only get entropy by
+     calling CryptGenRandom(). Various other RAND-related tickets
+     were also closed.
+     [Joseph Wylie Yandle, Rich Salz]
+
+  *) The stack and lhash API's were renamed to start with OPENSSL_SK_
+     and OPENSSL_LH_, respectively.  The old names are available
+     with API compatibility.  They new names are now completely documented.
+     [Rich Salz]
+
+  *) Unify TYPE_up_ref(obj) methods signature.
+     SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
+     X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
+     int (instead of void) like all others TYPE_up_ref() methods.
+     So now these methods also check the return value of CRYPTO_atomic_add(),
+     and the validity of object reference counter.
+     [fdasilvayy@gmail.com]
+
+  *) With Windows Visual Studio builds, the .pdb files are installed
+     alongside the installed libraries and executables.  For a static
+     library installation, ossl_static.pdb is the associate compiler
+     generated .pdb file to be used when linking programs.
+     [Richard Levitte]
+
+  *) Remove openssl.spec.  Packaging files belong with the packagers.
+     [Richard Levitte]
+
+  *) Automatic Darwin/OSX configuration has had a refresh, it will now
+     recognise x86_64 architectures automatically.  You can still decide
+     to build for a different bitness with the environment variable
+     KERNEL_BITS (can be 32 or 64), for example:
+
+         KERNEL_BITS=32 ./config
+
+     [Richard Levitte]
+
+  *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+     256 bit AES and HMAC with SHA256.
+     [Steve Henson]
+
+  *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
+     [Andy Polyakov]
+
+  *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
+     [Rich Salz]

 
   *) To enable users to have their own config files and build file templates,
      Configure looks in the directory indicated by the environment variable
 
   *) To enable users to have their own config files and build file templates,
      Configure looks in the directory indicated by the environment variable


@@ -1021,7 +1084,7 @@
      amounts of input data then a length check can overflow resulting in a heap
      corruption.
 
      amounts of input data then a length check can overflow resulting in a heap
      corruption.
 

-     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+     Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by

      the PEM_write_bio* family of functions. These are mainly used within the
      OpenSSL command line applications, so any application which processes data
      from an untrusted source and outputs it as a PEM file should be considered
      the PEM_write_bio* family of functions. These are mainly used within the
      OpenSSL command line applications, so any application which processes data
      from an untrusted source and outputs it as a PEM file should be considered


@@ -1058,7 +1121,7 @@
   *) Prevent ASN.1 BIO excessive memory allocation
 
      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
   *) Prevent ASN.1 BIO excessive memory allocation
 
      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()

-     a short invalid encoding can casuse allocation of large amounts of memory
+     a short invalid encoding can cause allocation of large amounts of memory

      potentially consuming excessive resources or exhausting memory.
 
      Any application parsing untrusted data through d2i BIO functions is
      potentially consuming excessive resources or exhausting memory.
 
      Any application parsing untrusted data through d2i BIO functions is


@@ -1330,7 +1393,7 @@
 
   *) Alternate chains certificate forgery
 
 
   *) Alternate chains certificate forgery
 

-     During certificate verfification, OpenSSL will attempt to find an
+     During certificate verification, OpenSSL will attempt to find an

      alternative certificate chain if the first attempt to build such a chain
      fails. An error in the implementation of this logic can mean that an
      attacker could cause certain checks on untrusted certificates to be
      alternative certificate chain if the first attempt to build such a chain
      fails. An error in the implementation of this logic can mean that an
      attacker could cause certain checks on untrusted certificates to be


@@ -1588,7 +1651,7 @@
 
   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
      ARMv5 through ARMv8, as opposite to "locking" it to single one.
 
   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
      ARMv5 through ARMv8, as opposite to "locking" it to single one.

-     So far those who have to target multiple plaforms would compromise
+     So far those who have to target multiple platforms would compromise

      and argue that binary targeting say ARMv5 would still execute on
      ARMv8. "Universal" build resolves this compromise by providing
      near-optimal performance even on newer platforms.
      and argue that binary targeting say ARMv5 would still execute on
      ARMv8. "Universal" build resolves this compromise by providing
      near-optimal performance even on newer platforms.


@@ -1648,7 +1711,7 @@
      [Steve Henson]
 
   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
      [Steve Henson]
 
   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():

-     this fixes a limiation in previous versions of OpenSSL.
+     this fixes a limitation in previous versions of OpenSSL.

      [Steve Henson]
 
   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
      [Steve Henson]
 
   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,


@@ -1757,7 +1820,7 @@
 
   *) Add support for certificate stores in CERT structure. This makes it
      possible to have different stores per SSL structure or one store in
 
   *) Add support for certificate stores in CERT structure. This makes it
      possible to have different stores per SSL structure or one store in

-     the parent SSL_CTX. Include distint stores for certificate chain
+     the parent SSL_CTX. Include distinct stores for certificate chain

      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
      to build and store a certificate chain in CERT structure: returing
      an error if the chain cannot be built: this will allow applications
      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
      to build and store a certificate chain in CERT structure: returing
      an error if the chain cannot be built: this will allow applications


@@ -1820,7 +1883,7 @@
      [Steve Henson]
 
   *) Integrate hostname, email address and IP address checking with certificate
      [Steve Henson]
 
   *) Integrate hostname, email address and IP address checking with certificate

-     verification. New verify options supporting checking in opensl utility.
+     verification. New verify options supporting checking in openssl utility.

      [Steve Henson]
 
   *) Fixes and wildcard matching support to hostname and email checking
      [Steve Henson]
 
   *) Fixes and wildcard matching support to hostname and email checking