X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=8172ffc63328278e76337a473a56b050fd6675cf;hp=4ff8e00b4475ef9b576c61f4c8d99ca823c676ff;hb=67fec850e1ccbbe921648b7f0b7ebeb4f1c084f6;hpb=979689aa5cfa100ccbc1f25064e9398be4b7b05c

diff --git a/CHANGES b/CHANGES
index 4ff8e00b44..8172ffc633 100644
--- a/CHANGES
+++ b/CHANGES
@@ -12,20 +12,75 @@
          *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7
          +) applies to 0.9.7 only
 
-  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
-     never resets s->method to s->ctx->method when called from within
-     one of the SSL handshake functions.
-     [Bodo Moeller; problem pointed out by Niko Baric]
+  *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
+     type, we must throw them away by setting rr->length to 0.
+     [D P Chang <dpc@qualys.com>]
 
-  +) Test for certificates which contain unsupported critical extensions.
-     If such a certificate is found during a verify operation it is 
-     rejected by default: this behaviour can be overridden by either
-     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
-     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
-     X509_supported_extension() has also been added which returns 1 if a
-     particular extension is supported.
+  -) OpenSSL 0.9.6c released [21 dec 2001]
+
+  +) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
+     [Ben Laurie and Theo de Raadt]
+
+  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
+     <Dominikus.Scherkl@biodata.com>.  (The previous implementation
+     worked incorrectly for those cases where  range = 10..._2  and
+     3*range  is two bits longer than  range.)
+     [Bodo Moeller]
+
+  *) Only add signing time to PKCS7 structures if it is not already
+     present.
      [Steve Henson]
 
+  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
+     OBJ_ld_ce should be OBJ_id_ce.
+     Also some ip-pda OIDs in crypto/objects/objects.txt were
+     incorrect (cf. RFC 3039).
+     [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
+
+  +) Add option to output public keys in req command.
+     [Massimiliano Pala madwolf@openca.org]
+
+  *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
+     returns early because it has nothing to do.
+     [Andy Schneider <andy.schneider@bjss.co.uk>]
+
+  *) [In 0.9.6c-engine and 0.9.7 release:]
+     Fix mutex callback return values in crypto/engine/hw_ncipher.c.
+     [Andy Schneider <andy.schneider@bjss.co.uk>]
+
+  -) [In 0.9.6c-engine release:]
+     Add support for Cryptographic Appliance's keyserver technology.
+     (Use engine 'keyclient')
+     [Cryptographic Appliances and Geoff Thorpe]
+
+  *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
+     is called via tools/c89.sh because arguments have to be
+     rearranged (all '-L' options must appear before the first object
+     modules).
+     [Richard Shapiro <rshapiro@abinitio.com>]
+
+  +) Use wNAFs in EC_POINTs_mul() for improved efficiency
+     (up to about 10% better than before for P-192 and P-224).
+     [Bodo Moeller]
+
+  -) [In 0.9.6c-engine release:]
+     Add support for Broadcom crypto accelerator cards, backported
+     from 0.9.7.
+     [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
+
+  -) [In 0.9.6c-engine release:]
+     Add support for SureWare crypto accelerator cards from 
+     Baltimore Technologies.  (Use engine 'sureware')
+     [Baltimore Technologies and Mark Cox]
+
+  -) [In 0.9.6c-engine release:]
+     Add support for crypto accelerator cards from Accelerated
+     Encryption Processing, www.aep.ie.  (Use engine 'aep')
+     [AEP Inc. and Mark Cox]
+
+  *) Add a configuration entry for gcc on UnixWare.
+     [Gary Benson <gbenson@redhat.com>]
+
   +) New functions/macros
 
           SSL_CTX_set_msg_callback(ctx, cb)
@@ -51,10 +106,87 @@
 
      'openssl s_client' and 'openssl s_server' have new '-msg' options
      to enable a callback that displays all protocol messages.
+     [Bodo Moeller]
 
-     TODO: SSL 2.0, doc/ssl/, doc/apps/
+  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
+     messages are stored in a single piece (fixed-length part and
+     variable-length part combined) and fix various bugs found on the way.
      [Bodo Moeller]
 
+  +) Change the shared library support so shared libraries are built as
+     soon as the corresponding static library is finished, and thereby get
+     openssl and the test programs linked against the shared library.
+     This still only happens when the keyword "shard" has been given to
+     the configuration scripts.
+
+     NOTE: shared library support is still an experimental thing, and
+     backward binary compatibility is still not guaranteed.
+     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
+
+  +) Add support for Subject Information Access extension.
+     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
+
+  +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
+     additional bytes when new memory had to be allocated, not just
+     when reusing an existing buffer.
+     [Bodo Moeller]
+
+  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
+     instead.  BIO_gethostbyname() does not know what timeouts are
+     appropriate, so entries would stay in cache even when they have
+     become invalid.
+     [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
+
+  +) New command line and configuration option 'utf8' for the req command.
+     This allows field values to be specified as UTF8 strings.
+     [Steve Henson]
+
+  +) Add -multi and -mr options to "openssl speed" - giving multiple parallel
+     runs for the former and machine-readable output for the latter.
+     [Ben Laurie]
+
+  +) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
+     of the e-mail address in the DN (i.e., it will go into a certificate
+     extension only).  The new configuration file option 'email_in_dn = no'
+     has the same effect.
+     [Massimiliano Pala madwolf@openca.org]
+
+  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
+     faced with a pathologically small ClientHello fragment that does
+     not contain client_version: Instead of aborting with an error,
+     simply choose the highest available protocol version (i.e.,
+     TLS 1.0 unless it is disabled).  In practice, ClientHello
+     messages are never sent like this, but this change gives us
+     strictly correct behaviour at least for TLS.
+     [Bodo Moeller]
+
+  +) Change all functions with names starting with des_ to be starting
+     with DES_ instead.  This because there are increasing clashes with
+     libdes and other des libraries that are currently used by other
+     projects.  The old libdes interface is provided, as well as crypt(),
+     if openssl/des_old.h is included.  Note that crypt() is no longer
+     declared in openssl/des.h.
+
+     NOTE: This is a major break of an old API into a new one.  Software
+     authors are encouraged to switch to the DES_ style functions.  Some
+     time in the future, des_old.h and the libdes compatibility functions
+     will be completely removed.
+     [Richard Levitte]
+
+  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
+     never resets s->method to s->ctx->method when called from within
+     one of the SSL handshake functions.
+     [Bodo Moeller; problem pointed out by Niko Baric]
+
+  +) Test for certificates which contain unsupported critical extensions.
+     If such a certificate is found during a verify operation it is 
+     rejected by default: this behaviour can be overridden by either
+     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
+     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
+     X509_supported_extension() has also been added which returns 1 if a
+     particular extension is supported.
+     [Steve Henson]
+
   *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
      (sent using the client's version number) if client_version is
      smaller than the protocol version in use.  Also change
@@ -173,8 +305,12 @@
      "Douglas E. Engert" <deengert@anl.gov>.
      [Lutz Jaenicke]
 
-  +) Add support for shared libraries for Unixware-7 and support including
-     shared libraries for OpenUNIX-8 (Boyd Lynn Gerber <gerberb@zenez.com>).
+  +) Add support for shared libraries for Unixware-7
+     (Boyd Lynn Gerber <gerberb@zenez.com>).
+     [Lutz Jaenicke]
+
+  *) Add OpenUNIX-8 support including shared libraries
+     (Boyd Lynn Gerber <gerberb@zenez.com>).
      [Lutz Jaenicke]
 
   *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
@@ -211,7 +347,7 @@
   *) BN_sqr() bug fix.
      [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
 
-  *) Make it possible to unload ranges of ERR strings with a new
+  +) Make it possible to unload ranges of ERR strings with a new
      "ERR_unload_strings" function.
      [Geoff Thorpe]
 
@@ -341,7 +477,7 @@
      anyway).
      [Ben Laurie]
 
-  +) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
+  *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
      [Andy Polyakov]
 
   *) Modified SSL library such that the verify_callback that has been set
@@ -445,6 +581,16 @@
      parameters (and 'speed' generating keys each time).
      [Geoff Thorpe]
 
+  *) Add support for shared libraries under Irix.
+     [Albert Chin-A-Young <china@thewrittenword.com>]
+
+  *) Add configuration option to build on Linux on both big-endian and
+     little-endian MIPS.
+     [Ralf Baechle <ralf@uni-koblenz.de>]
+
+  *) Add the possibility to create shared libraries on HP-UX.
+     [Richard Levitte]
+
   -) OpenSSL 0.9.6b released [9 July 2001]
 
   *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
@@ -858,9 +1004,12 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      don't write to the wrong index in ERR_set_error_data.
      [Bodo Moeller]
 
-  +) Function EC_POINTs_mul for simultaneous scalar multiplication
-     of an arbitrary number of elliptic curve points, optionally
-     including the generator defined for the EC_GROUP.
+  +) Function EC_POINTs_mul for multiple scalar multiplication
+     of an arbitrary number of elliptic curve points
+          \sum scalars[i]*points[i],
+     optionally including the generator defined for the EC_GROUP:
+          scalar*generator +  \sum scalars[i]*points[i].
+
      EC_POINT_mul is a simple wrapper function for the typical case
      that the point list has just one item (besides the optional
      generator).
@@ -1821,17 +1970,10 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      identity, and test if they are actually available.
      [Richard Levitte]
 
-  +) Add support for shared libraries under Irix.
-     [Albert Chin-A-Young <china@thewrittenword.com>]
-
   +) Improve RPM specification file by forcing symbolic linking and making
      sure the installed documentation is also owned by root.root.
      [Damien Miller <djm@mindrot.org>]
 
-  +) Add configuration option to build on Linux on both big-endian and
-     little-endian MIPS.
-     [Ralf Baechle <ralf@uni-koblenz.de>]
-
   +) Give the OpenSSL applications more possibilities to make use of
      keys (public as well as private) handled by engines.
      [Richard Levitte]
@@ -1858,9 +2000,6 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   +) Support threads on FreeBSD-elf in Configure.
      [Richard Levitte]
 
-  +) Add the possibility to create shared libraries on HP-UX
-     [Richard Levitte]
-
   +) Fix for SHA1 assembly problem with MASM: it produces
      warnings about corrupt line number information when assembling
      with debugging information. This is caused by the overlapping