X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=0e54372fe9bcda3cf3bdb1461a160add6a443c2f;hp=94e354b81b9d98bc2c091fc234de853e93ab1e40;hb=386828d02913b26918ac2883623e3f66103a120d;hpb=720235eeec6de9d0ce463d22b5a1732cdb24d436

diff --git a/CHANGES b/CHANGES
index 94e354b81b..0e54372fe9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,88 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
+     ASN1 modules to export functions returning ASN1_ITEM pointers
+     instead of the ASN1_ITEM structures themselves. This adds several
+     new macros which allow the underlying ASN1 function/structure to
+     be accessed transparently. As a result code should not use ASN1_ITEM
+     references directly (such as &X509_it) but instead use the relevant
+     macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
+     use of the new ASN1 code on platforms where exporting structures
+     is problematical (for example in shared libraries) but exporting
+     functions returning pointers to structures is not.
+     [Steve Henson]
+
+  *) Add support for overriding the generation of SSL/TLS session IDs.
+     These callbacks can be registered either in an SSL_CTX or per SSL.
+     The purpose of this is to allow applications to control, if they wish,
+     the arbitrary values chosen for use as session IDs, particularly as it
+     can be useful for session caching in multiple-server environments. A
+     command-line switch for testing this (and any client code that wishes
+     to use such a feature) has been added to "s_server".
+     [Geoff Thorpe, Lutz Jaenicke]
+
+  *) Modify mkdef.pl to recognise and parse prprocessor conditionals
+     of the form '#if defined(...) || defined(...) || ...' and
+     '#if !defined(...) && !defined(...) && ...'.  This also avoids
+     the growing number of special cases it was previously handling.
+     [Richard Levitte]
+
+  *) Don't use getenv in library functions when run as setuid/setgid.
+     New function OPENSSL_issetugid().
+     [Ulf Moeller]
+
+  *) Make all configuration macros available for application by making
+     sure they are available in opensslconf.h, by giving them names starting
+     with "OPENSSL_" to avoid conflicts with other packages and by making
+     sure e_os2.h will cover all platform-specific cases together with
+     opensslconf.h.
+     Additionally, it is now possible to define configuration/platform-
+     specific names (called "system identities").  In the C code, these
+     are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
+     macro with the name beginning with "OPENSSL_SYS_", which is determined
+     from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
+     what is available.
+     [Richard Levitte]
+
+  *) New option -set_serial to 'req' and 'x509' this allows the serial
+     number to use to be specified on the command line. Previously self
+     signed certificates were hard coded with serial number 0 and the 
+     CA options of 'x509' had to use a serial number in a file which was
+     auto incremented.
+     [Steve Henson]
+
+  *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
+     due to incorrect handling of multi-threading:
+
+     1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
+
+     2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
+
+     3. Count how many times MemCheck_off() has been called so that
+        nested use can be treated correctly.  This also avoids 
+        inband-signalling in the previous code (which relied on the
+        assumption that thread ID 0 is impossible).
+     [Bodo Moeller]
+
+  *) New options to 'ca' utility to support V2 CRL entry extensions.
+     Currently CRL reason, invalidity date and hold instruction are
+     supported. Add new CRL extensions to V3 code and some new objects.
+     [Steve Henson]
+
+  *) Add "-rand" option also to s_client and s_server.
+     [Lutz Jaenicke]
+
+  *) New function EVP_CIPHER_CTX_set_padding() this is used to
+     disable standard block padding (aka PKCS#5 padding) in the EVP
+     API, which was previously mandatory. This means that the data is
+     not padded in any way and so the total length much be a multiple
+     of the block size, otherwise an error occurs.
+     [Steve Henson]
+
+  *) Initial (incomplete) OCSP SSL support.
+     [Steve Henson]
+
   *) Fix CPU detection on Irix 6.x.
      [Kurt Hockenbury <khockenb@stevens-tech.edu> and
       "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
@@ -58,6 +140,9 @@
 
   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
      Bleichenbacher's DSA attack.
+     Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
+     to be set and top=0 forces the highest bit to be set; top=-1 is new
+     and leaves the highest bit random.
      [Ulf Moeller, Bodo Moeller]
 
   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to