X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=19d5c346ae42154edcc732ece25ddf6c49b59b69;hp=512b802f71c460e7af6cc9d5ba7cfc31ce2bf9f3;hb=76f8a1f51d3a92ce2ebd9bb8aa6f945fb9d1fafc;hpb=254ef80db19a6f6610ef07535efd699cef7aa855 diff --git a/CHANGES b/CHANGES index 512b802f71..19d5c346ae 100644 --- a/CHANGES +++ b/CHANGES @@ -11,13 +11,20 @@ EC_GROUP_set_point_conversion_form() EC_GROUP_get_point_conversion_form() These control ASN1 encoding details: - - Curve are encoded explicitly unless asn1_flag has been set to - OPENSSL_EC_NAMED_CURVE. - - Points are encoded in compressed form by default; options for + - Curves (i.e., groups) are encoded explicitly unless asn1_flag + has been set to OPENSSL_EC_NAMED_CURVE. + - Points are encoded in uncompressed form by default; options for asn1_for are as for point2oct, namely POINT_CONVERSION_COMPRESSED POINT_CONVERSION_UNCOMPRESSED POINT_CONVERSION_HYBRID + + Also add 'seed' and 'seed_len' members to EC_GROUP with access + functions + EC_GROUP_set_seed() + EC_GROUP_get0_seed() + EC_GROUP_get_seed_len() + This is used only for ASN1 purposes (so far). [Nils Larsch ] *) Add 'field_type' member to EC_METHOD, which holds the NID @@ -85,6 +92,12 @@ Changes between 0.9.6d and 0.9.7 [XX xxx 2002] + *) Make sure any ENGINE control commands make local copies of string + pointers passed to them whenever necessary. Otherwise it is possible + the caller may have overwritten (or deallocated) the original string + data when a later ENGINE operation tries to use the stored values. + [Götz Babin-Ebell ] + *) Improve diagnostics in file reading and command-line digests. [Ben Laurie aided and abetted by Solar Designer ] @@ -113,6 +126,8 @@ form for "surname", serialNumber has no short form. Use "mail" as the short name for "rfc822Mailbox" according to RFC2798; therefore remove "mail" short name for "internet 7". + The OID for unique identifiers in X509 certificates is + x500UniqueIdentifier, not uniqueIdentifier. Some more OID additions. (Michael Bell ) [Lutz Jaenicke] @@ -419,6 +434,10 @@ By default, clients may request session resumption even during renegotiation (if session ID contexts permit); with this option, session resumption is possible only in the first handshake. + + SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes + more bits available for options that should not be part of + SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION). [Bodo Moeller] *) Add some demos for certificate and certificate request creation. @@ -539,8 +558,8 @@ [Bodo Moeller, Lutz Jaenicke] *) Rationalise EVP so it can be extended: don't include a union of - cipher/digest structures, add init/cleanup functions. This also reduces - the number of header dependencies. + cipher/digest structures, add init/cleanup functions for EVP_MD_CTX + (similar to those existing for EVP_CIPHER_CTX). Usage example: EVP_MD_CTX md; @@ -1706,6 +1725,19 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Fix EVP_dsa_sha macro. [Nils Larsch] + *) New option + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure + that was added in OpenSSL 0.9.6d. + + As the countermeasure turned out to be incompatible with some + broken SSL implementations, the new option is part of SSL_OP_ALL. + SSL_OP_ALL is usually employed when compatibility with weird SSL + implementations is desired (e.g. '-bugs' option to 's_client' and + 's_server'), so the new option is automatically set in many + applications. + [Bodo Moeller] + Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not