X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=112a7b67071a5baaa751ad54613aa800a61f5e9c;hp=74253ca4e3b104580b97fe23a07dbbad4ad67074;hb=6d0d5431d4e3e5d8a29166be3ba9362fb988a312;hpb=8a208cba97b0d08cfc6f07bb2f0e0d1f305a0b13 diff --git a/CHANGES b/CHANGES index 74253ca4e3..112a7b6707 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,72 @@ Changes between 0.9.4 and 0.9.5 [xx XXX 2000] + *) Change names of new functions to the new get1/get0 naming + convention: After 'get1', the caller owns a reference count + and has to call ..._free; 'get0' returns a pointer to some + data structure without incrementing reference counters. + (Some of the existing 'get' functions increment a reference + counter, some don't.) + Similarly, 'set1' and 'add1' functions increase reference + counters or duplicate objects. + [Steve Henson] + + *) Allow for the possibility of temp RSA key generation failure: + the code used to assume it always worked and crashed on failure. + [Steve Henson] + + *) Fix potential buffer overrun problem in BIO_printf(). + [Ulf Möller, using public domain code by Patrick Powell; problem + pointed out by David Sacerdote ] + + *) Support EGD . New functions + RAND_egd() and RAND_status(). In the command line application, + the EGD socket can be specified like a seed file using RANDFILE + or -rand. + [Ulf Möller] + + *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. + Some CAs (e.g. Verisign) distribute certificates in this form. + [Steve Henson] + + *) Remove the SSL_ALLOW_ADH compile option and set the default cipher + list to exclude them. This means that no special compilation option + is needed to use anonymous DH: it just needs to be included in the + cipher list. + [Steve Henson] + + *) Change the EVP_MD_CTX_type macro so its meaning consistent with + EVP_MD_type. The old functionality is available in a new macro called + EVP_MD_md(). Change code that uses it and update docs. + [Steve Henson] + + *) ..._ctrl functions now have corresponding ..._callback_ctrl functions + where the 'void *' argument is replaced by a function pointer argument. + Previously 'void *' was abused to point to functions, which works on + many platforms, but is not correct. As these functions are usually + called by macros defined in OpenSSL header files, most source code + should work without changes. + [Richard Levitte] + + *) (which is created by Configure) now contains + sections with information on -D... compiler switches used for + compiling the library so that applications can see them. To enable + one of these sections, a pre-processor symbol OPENSSL_..._DEFINES + must be defined. E.g., + #define OPENSSL_ALGORITHM_DEFINES + #include + defines all pertinent NO_ symbols, such as NO_IDEA, NO_RSA, etc. + [Richard Levitte, Ulf and Bodo Möller] + + *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS + record layer. + [Bodo Moeller] + + *) Change the 'other' type in certificate aux info to a STACK_OF + X509_ALGOR. Although not an AlgorithmIdentifier as such it has + the required ASN1 format: arbitrary types determined by an OID. + [Steve Henson] + *) Add some PEM_write_X509_REQ_NEW() functions and a command line argument to 'req'. This is not because the function is newer or better than others it just uses the work 'NEW' in the certificate @@ -231,7 +297,9 @@ has a return value which indicates the quality of the random data (1 = ok, 0 = not seeded). Also an error is recorded on the thread's error queue. New function RAND_pseudo_bytes() generates output that is - guaranteed to be unique but not unpredictable. + guaranteed to be unique but not unpredictable. RAND_add is like + RAND_seed, but takes an extra argument for an entropy estimate + (RAND_seed always assumes full entropy). [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, @@ -244,7 +312,8 @@ *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs. [Bodo Moeller] - *) New function X509_CTX_rget_chain(), this returns the chain + *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain + in the 0.9.5 release), this returns the chain from an X509_CTX structure with a dup of the stack and all the X509 reference counts upped: so the stack will exist after X509_CTX_cleanup() has been called. Modify pkcs12.c @@ -330,8 +399,7 @@ To get OpenSSL to support MS SGC we have to permit a second client hello message after we have sent server done. In addition we have to - reset the MAC if we do get this second client hello and include the - data just received. + reset the MAC if we do get this second client hello. [Steve Henson] *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide @@ -581,10 +649,12 @@ it clearly returns an error if you try to read the wrong kind of key. Added a -pubkey option to the 'x509' utility to output the public key. - Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() and add - EVP_PKEY_rset_*() functions that do the same as the EVP_PKEY_assign_*() - except they up the reference count of the added key (they don't "swallow" - the supplied key). + Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*() + (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add + EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*()) + that do the same as the EVP_PKEY_assign_*() except they up the + reference count of the added key (they don't "swallow" the + supplied key). [Steve Henson] *) Fixes to crypto/x509/by_file.c the code to read in certificates and