OpenSSL CHANGES
_______________
- Changes between 1.0.2g and 1.1.0 [xx XXX xxxx]
+ Changes between 1.0.2h and 1.1.0 [xx XXX xxxx]
+
+ *) The method for finding the storage location for the Windows RAND seed file
+ has changed. First we check %RANDFILE%. If that is not set then we check
+ the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
+ all else fails we fall back to C:\.
+ [Matt Caswell]
+
+ *) The EVP_EncryptUpdate() function has had its return type changed from void
+ to int. A return of 0 indicates and error while a return of 1 indicates
+ success.
+ [Matt Caswell]
+
+ *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
+ DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
+ off the constant time implementation for RSA, DSA and DH have been made
+ no-ops and deprecated.
+ [Matt Caswell]
+
+ *) Windows RAND implementation was simplified to only get entropy by
+ calling CryptGenRandom(). Various other RAND-related tickets
+ were also closed.
+ [Joseph Wylie Yandle, Rich Salz]
+
+ *) The stack and lhash API's were renamed to start with OPENSSL_SK_
+ and OPENSSL_LH_, respectively. The old names are available
+ with API compatibility. They new names are now completely documented.
+ [Rich Salz]
+
+ *) Unify TYPE_up_ref(obj) methods signature.
+ SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
+ X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
+ int (instead of void) like all others TYPE_up_ref() methods.
+ So now these methods also check the return value of CRYPTO_atomic_add(),
+ and the validity of object reference counter.
+ [fdasilvayy@gmail.com]
+
+ *) With Windows Visual Studio builds, the .pdb files are installed
+ alongside the installed libraries and executables. For a static
+ library installation, ossl_static.pdb is the associate compiler
+ generated .pdb file to be used when linking programs.
+ [Richard Levitte]
+
+ *) Remove openssl.spec. Packaging files belong with the packagers.
+ [Richard Levitte]
+
+ *) Automatic Darwin/OSX configuration has had a refresh, it will now
+ recognise x86_64 architectures automatically. You can still decide
+ to build for a different bitness with the environment variable
+ KERNEL_BITS (can be 32 or 64), for example:
+
+ KERNEL_BITS=32 ./config
+
+ [Richard Levitte]
+
+ *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
+ 256 bit AES and HMAC with SHA256.
+ [Steve Henson]
+
+ *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
+ [Andy Polyakov]
+
+ *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
+ [Rich Salz]
*) To enable users to have their own config files and build file templates,
Configure looks in the directory indicated by the environment variable
amounts of input data then a length check can overflow resulting in a heap
corruption.
- Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
the PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes data
from an untrusted source and outputs it as a PEM file should be considered
*) Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
- a short invalid encoding can casuse allocation of large amounts of memory
+ a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
Any application parsing untrusted data through d2i BIO functions is
*) Alternate chains certificate forgery
- During certificate verfification, OpenSSL will attempt to find an
+ During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
ARMv5 through ARMv8, as opposite to "locking" it to single one.
- So far those who have to target multiple plaforms would compromise
+ So far those who have to target multiple platforms would compromise
and argue that binary targeting say ARMv5 would still execute on
ARMv8. "Universal" build resolves this compromise by providing
near-optimal performance even on newer platforms.
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
- this fixes a limiation in previous versions of OpenSSL.
+ this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
*) Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
- the parent SSL_CTX. Include distint stores for certificate chain
+ the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
- verification. New verify options supporting checking in opensl utility.
+ verification. New verify options supporting checking in openssl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking