OpenSSL CHANGES
_______________
- Changes between 1.1.0e and 1.1.1 [xx XXX xxxx]
+ This is a high-level summary of the most important changes.
+ For a full list of changes, see the git commit log; for example,
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
+ Changes between 1.1.0f and 1.1.1 [xx XXX xxxx]
+
+ *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
+ without clearing the errors.
+ [Richard Levitte]
+
+ *) Add "atfork" functions. If building on a system that without
+ pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
+ requirements. The RAND facility now uses/requires this.
+ [Rich Salz]
+
+ *) Add SHA3.
+ [Andy Polyakov]
+
+ *) The UI API becomes a permanent and integral part of libcrypto, i.e.
+ not possible to disable entirely. However, it's still possible to
+ disable the console reading UI method, UI_OpenSSL() (use UI_null()
+ as a fallback).
+
+ To disable, configure with 'no-ui-console'. 'no-ui' is still
+ possible to use as an alias. Check at compile time with the
+ macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
+ possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
+ [Richard Levitte]
+
+ *) Add a STORE module, which implements a uniform and URI based reader of
+ stores that can contain keys, certificates, CRLs and numerous other
+ objects. The main API is loosely based on a few stdio functions,
+ and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
+ OSSL_STORE_error and OSSL_STORE_close.
+ The implementation uses backends called "loaders" to implement arbitrary
+ URI schemes. There is one built in "loader" for the 'file' scheme.
+ [Richard Levitte]
+
+ *) Add devcrypto engine. This has been implemented against cryptodev-linux,
+ then adjusted to work on FreeBSD 8.4 as well.
+ Enable by configuring with 'enable-devcryptoeng'. This is done by default
+ on BSD implementations, as cryptodev.h is assumed to exist on all of them.
+ [Richard Levitte]
+
+ *) Module names can prefixed with OSSL_ or OPENSSL_. This affects
+ util/mkerr.pl, which is adapted to allow those prefixes, leading to
+ error code calls like this:
+
+ OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
+
+ With this change, we claim the namespaces OSSL and OPENSSL in a manner
+ that can be encoded in C. For the foreseeable future, this will only
+ affect new modules.
+ [Richard Levitte and Tim Hudson]
+
+ *) Removed BSD cryptodev engine.
+ [Rich Salz]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) In the UI interface, make it possible to duplicate the user data. This
+ can be used by engines that need to retain the data for a longer time
+ than just the call where this user data is passed.
+ [Richard Levitte]
+
+ *) Ignore the '-named_curve auto' value for compatibility of applications
+ with OpenSSL 1.0.2.
+ [Tomas Mraz <tmraz@fedoraproject.org>]
+
+ *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
+ bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
+ alerts across multiple records (some of which could be empty). In practice
+ it make no sense to send an empty alert record, or to fragment one. TLSv1.3
+ prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ support this at all. Supporting it adds significant complexity to the
+ record layer, and its removal is unlikely to cause inter-operability
+ issues.
+ [Matt Caswell]
+
+ *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
+ with Z. These are meant to replace LONG and ZLONG and to be size safe.
+ The use of LONG and ZLONG is discouraged and scheduled for deprecation
+ in OpenSSL 1.2.0.
+ [Richard Levitte]
+
+ *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
+ 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
+ [Richard Levitte, Andy Polyakov]
*) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
does for RSA, etc.
platform rather than 'mingw'.
[Richard Levitte]
+ *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
+ success if they are asked to add an object which already exists
+ in the store. This change cascades to other functions which load
+ certificates and CRLs.
+ [Paul Dale]
+
*) x86_64 assembly pack: annotate code with DWARF CFI directives to
facilitate stack unwinding even from assembly subroutines.
[Andy Polyakov]
*) Add support for ARIA
[Paul Dale]
+ *) s_client will now send the Server Name Indication (SNI) extension by
+ default unless the new "-noservername" option is used. The server name is
+ based on the host provided to the "-connect" option unless overridden by
+ using "-servername".
+ [Matt Caswell]
+
*) Add support for SipHash
[Todd Short]
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]
+ *) The RSA "null" method, which was partially supported to avoid patent
+ issues, has been replaced to always returns NULL.
+ [Rich Salz]
+
+ Changes between 1.1.0e and 1.1.0f [25 May 2017]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
*) Encrypt-Then-Mac renegotiation crash
projects / openssl.git / blobdiff