Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
+ *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
+ [Steve Henson]
+
+ *) Use separate DRBG fields for internal and external flags. New function
+ FIPS_drbg_health_check() to perform on demand health checking. Add
+ generation tests to fips_test_suite with reduced health check interval to
+ demonstrate periodic health checking. Add "nodh" option to
+ fips_test_suite to skip very slow DH test.
+ [Steve Henson]
+
*) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
based on NID.
[Steve Henson]
by Google.
[Adam Langley <agl@google.com> and Ben Laurie]
- *) Use type ossl_ssize_t instad of ssize_t which isn't available on
- all platforms. Move ssize_t definition from e_os.h to the public
- header file e_os2.h as it now appears in public header file cms.h
- [Steve Henson]
-
*) New function OPENSSL_gmtime_diff to find the difference in days
and seconds between two tm structures. This will be used to provide
additional functionality for ASN1_TIME.
[Steve Henson]
+ *) Add -trusted_first option which attempts to find certificates in the
+ trusted store even if an untrusted chain is also supplied.
+ [Steve Henson]
+
+ *) Initial experimental support for explicitly trusted non-root CAs.
+ OpenSSL still tries to build a complete chain to a root but if an
+ intermediate CA has a trust setting included that is used. The first
+ setting is used: whether to trust or reject.
+ [Steve Henson]
+
+ *) New -verify_name option in command line utilities to set verification
+ parameters by name.
+ [Steve Henson]
+
+ *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
+ Add CMAC pkey methods.
+ [Steve Henson]
+
+ *) Experimental regnegotiation in s_server -www mode. If the client
+ browses /reneg connection is renegotiated. If /renegcert it is
+ renegotiated requesting a certificate.
+ [Steve Henson]
+
+ *) Add an "external" session cache for debugging purposes to s_server. This
+ should help trace issues which normally are only apparent in deployed
+ multi-process servers.
+ [Steve Henson]
+
+ *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
+ return value is ignored. NB. The functions RAND_add(), RAND_seed(),
+ BIO_set_cipher() and some obscure PEM functions were changed so they
+ can now return an error. The RAND changes required a change to the
+ RAND_METHOD structure.
+ [Steve Henson]
+
+ *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
+ a gcc attribute to warn if the result of a function is ignored. This
+ is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
+ whose return value is often ignored.
+ [Steve Henson]
+
+ Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
+
+ *) Use type ossl_ssize_t instad of ssize_t which isn't available on
+ all platforms. Move ssize_t definition from e_os.h to the public
+ header file e_os2.h as it now appears in public header file cms.h
+ [Steve Henson]
+
*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS.
parameters r, s.
[Steve Henson]
- *) Add -trusted_first option which attempts to find certificates in the
- trusted store even if an untrusted chain is also supplied.
- [Steve Henson]
-
- *) Initial experimental support for explicitly trusted non-root CAs.
- OpenSSL still tries to build a complete chain to a root but if an
- intermediate CA has a trust setting included that is used. The first
- setting is used: whether to trust or reject.
- [Steve Henson]
-
- *) New -verify_name option in command line utilities to set verification
- parameters by name.
- [Steve Henson]
-
- *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
- Add CMAC pkey methods.
- [Steve Henson]
-
- *) Experiemental regnegotiation in s_server -www mode. If the client
- browses /reneg connection is renegotiated. If /renegcert it is
- renegotiated requesting a certificate.
- [Steve Henson]
-
- *) Add an "external" session cache for debugging purposes to s_server. This
- should help trace issues which normally are only apparent in deployed
- multi-process servers.
- [Steve Henson]
-
- *) Experiemental password based recipient info support for CMS library:
- implementing RFC3211.
+ *) Password based recipient info support for CMS library: implementing
+ RFC3211.
[Steve Henson]
*) Split password based encryption into PBES2 and PBKDF2 functions. This
password based CMS).
[Steve Henson]
- *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
- return value is ignored. NB. The functions RAND_add(), RAND_seed(),
- BIO_set_cipher() and some obscure PEM functions were changed so they
- can now return an error. The RAND changes required a change to the
- RAND_METHOD structure.
- [Steve Henson]
-
- *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
- a gcc attribute to warn if the result of a function is ignored. This
- is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
- whose return value is often ignored.
- [Steve Henson]
-
- Changes between 1.0.0e and 1.0.1 [xx XXX xxxx]
-
*) Session-handling fixes:
- Fix handling of connections that are resuming with a session ID,
but also support Session Tickets.
Add command line options to s_client/s_server.
[Steve Henson]
- Changes between 1.0.0d and 1.0.0e [xx XXX xxxx]
+ Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
+
+ *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
+ [Bob Buckholz (Google)]
+
+ Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207)
Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
+ *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
+ [Bob Buckholz (Google)]
+
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
projects / openssl.git / blobdiff