OpenSSL CHANGES
_______________
- Changes between 1.1.0e and 1.1.1 [xx XXX xxxx]
+ Changes between 1.1.0f and 1.1.1 [xx XXX xxxx]
+
+ *) In the UI interface, make it possible to duplicate the user data. This
+ can be used by engines that need to retain the data for a longer time
+ than just the call where this user data is passed.
+ [Richard Levitte]
+
+ *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
+ bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
+ alerts across multiple records (some of which could be empty). In practice
+ it make no sense to send an empty alert record, or to fragment one. TLSv1.3
+ prohibts this altogether and other libraries (BoringSSL, NSS) do not
+ support this at all. Supporting it adds significant complexity to the
+ record layer, and its removal is unlikely to cause inter-operability
+ issues.
+ [Matt Caswell]
+
+ *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
+ with Z. These are meant to replace LONG and ZLONG and to be size safe.
+ The use of LONG and ZLONG is discouraged and scheduled for deprecation
+ in OpenSSL 1.2.0.
+ [Richard Levitte]
+
+ *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
+ 'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
+ [Richard Levitte, Andy Polyakov]
+
+ *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
+ does for RSA, etc.
+ [Richard Levitte]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
+ success if they are asked to add an object which already exists
+ in the store. This change cascades to other functions which load
+ certificates and CRLs.
+ [Paul Dale]
+
+ *) x86_64 assembly pack: annotate code with DWARF CFI directives to
+ facilitate stack unwinding even from assembly subroutines.
+ [Andy Polyakov]
+
+ *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
+ Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
+ [Richard Levitte]
*) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
are no longer allowed.
[Emilia Käsper]
+ *) Add support for ARIA
+ [Paul Dale]
+
+ *) s_client will now send the Server Name Indication (SNI) extension by
+ default unless the new "-noservername" option is used. The server name is
+ based on the host provided to the "-connect" option unless overridden by
+ using "-servername".
+ [Matt Caswell]
+
*) Add support for SipHash
[Todd Short]
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]
+ *) The RSA "null" method, which was partially supported to avoid patent
+ issues, has been replaced to always returns NULL.
+ [Rich Salz]
+
+ Changes between 1.1.0e and 1.1.0f [25 May 2017]
+
+ *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
+ platform rather than 'mingw'.
+ [Richard Levitte]
+
+ *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
+ VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
+ which is the minimum version we support.
+ [Richard Levitte]
+
Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
*) Encrypt-Then-Mac renegotiation crash
to service a connection. This could lead to a Denial of Service through
memory exhaustion. However, the excessive message length check still takes
place, and this would cause the connection to immediately fail. Assuming
- that the application calls SSL_free() on the failed conneciton in a timely
+ that the application calls SSL_free() on the failed connection in a timely
manner then the 21Mb of allocated memory will then be immediately freed
again. Therefore the excessive memory allocation will be transitory in
nature. This then means that there is only a security impact if:
*) Add X25519 support.
Add ASN.1 and EVP_PKEY methods for X25519. This includes support
for public and private key encoding using the format documented in
- draft-ietf-curdle-pkix-02. The coresponding EVP_PKEY method supports
+ draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
key generation and key derivation.
TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
done while fixing the error code for the key-too-small case.
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
- *) CA.sh has been removmed; use CA.pl instead.
+ *) CA.sh has been removed; use CA.pl instead.
[Rich Salz]
*) Removed old DES API.
projects / openssl.git / blobdiff