X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=243223d371c6730dfe777eeab0fc5c525320e13c;hp=94605d7ffdd45be314ff773f8234f2d52ed28f0a;hb=83978bd37a843941cbc3a10c61b675def99ba0c2;hpb=f1558bb4243d83781793ed758367bd71d0983a35 diff --git a/CHANGES b/CHANGES index 94605d7ffd..243223d371 100644 --- a/CHANGES +++ b/CHANGES @@ -12,14 +12,23 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only - +) Test for certificates which contain unsupported critical extensions. - If such a certificate is found during a verify operation it is - rejected by default: this behaviour can be overridden by either - handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or - by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function - X509_supported_extension() has also been added which returns 1 if a - particular extension is supported. - [Steve Henson] + -) [In 0.9.6c-engine release:] + Add support for Broadcom crypto accelerator cards, backported + from 0.9.7. + [Broadcom, Nalin Dahyabhai , Mark Cox] + + -) [In 0.9.6c-engine release:] + Add support for SureWare crypto accelerator cards from + Baltimore Technologies. (Use engine 'sureware') + [Baltimore Technologies and Mark Cox] + + -) [In 0.9.6c-engine release:] + Add support for crypto accelerator cards from Accelerated + Encryption Processing, www.aep.ie. (Use engine 'aep') + [AEP Inc. and Mark Cox] + + *) Add a configuration entry for gcc on UnixWare. + [Gary Benson ] +) New functions/macros @@ -46,10 +55,87 @@ 'openssl s_client' and 'openssl s_server' have new '-msg' options to enable a callback that displays all protocol messages. + [Bodo Moeller] - TODO: SSL 2.0, doc/ssl/, doc/apps/ + *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake + messages are stored in a single piece (fixed-length part and + variable-length part combined) and fix various bugs found on the way. [Bodo Moeller] + +) Change the shared library support so shared libraries are built as + soon as the corresponding static library is finished, and thereby get + openssl and the test programs linked against the shared library. + This still only happens when the keyword "shard" has been given to + the configuration scripts. + + NOTE: shared library support is still an experimental thing, and + backward binary compatibility is still not guaranteed. + ["Maciej W. Rozycki" and Richard Levitte] + + +) Add support for Subject Information Access extension. + [Peter Sylvester ] + + +) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero + additional bytes when new memory had to be allocated, not just + when reusing an existing buffer. + [Bodo Moeller] + + *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() + instead. BIO_gethostbyname() does not know what timeouts are + appropriate, so entries would stay in cache even when they have + become invalid. + [Bodo Moeller; problem pointed out by Rich Salz + + +) New command line and configuration option 'utf8' for the req command. + This allows field values to be specified as UTF8 strings. + [Steve Henson] + + +) Add -multi and -mr options to "openssl speed" - giving multiple parallel + runs for the former and machine-readable output for the latter. + [Ben Laurie] + + +) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion + of the e-mail address in the DN (i.e., it will go into a certificate + extension only). The new configuration file option 'email_in_dn = no' + has the same effect. + [Massimiliano Pala madwolf@openca.org] + + *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when + faced with a pathologically small ClientHello fragment that does + not contain client_version: Instead of aborting with an error, + simply choose the highest available protocol version (i.e., + TLS 1.0 unless it is disabled). In practice, ClientHello + messages are never sent like this, but this change gives us + strictly correct behaviour at least for TLS. + [Bodo Moeller] + + +) Change all functions with names starting with des_ to be starting + with DES_ instead. This because there are increasing clashes with + libdes and other des libraries that are currently used by other + projects. The old libdes interface is provided, as well as crypt(), + if openssl/des_old.h is included. Note that crypt() is no longer + declared in openssl/des.h. + + NOTE: This is a major break of an old API into a new one. Software + authors are encouraged to switch to the DES_ style functions. Some + time in the future, des_old.h and the libdes compatibility functions + will be completely removed. + [Richard Levitte] + + *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() + never resets s->method to s->ctx->method when called from within + one of the SSL handshake functions. + [Bodo Moeller; problem pointed out by Niko Baric] + + +) Test for certificates which contain unsupported critical extensions. + If such a certificate is found during a verify operation it is + rejected by default: this behaviour can be overridden by either + handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or + by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function + X509_supported_extension() has also been added which returns 1 if a + particular extension is supported. + [Steve Henson] + *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert (sent using the client's version number) if client_version is smaller than the protocol version in use. Also change @@ -63,13 +149,16 @@ [Steve Henson] +) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain - compatibility with existing code. In particular the 'ctx' parameter is - not assumed to be valid before the call to EVP_DigestInit() and it is tidied - up after a call to EVP_DigestFinal(). A new function EVP_DigestFinal_ex() - but does not free up the ctx. Also change function EVP_MD_CTX_copy() to - assume the destination is uninitialized: EVP_MD_CTX_copy_ex() do assumes - the destiation is valid. Also modify all the OpenSSL digest calls to call - EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). + compatibility with existing code. In particular the 'ctx' parameter does + not have to be to be initialized before the call to EVP_DigestInit() and + it is tidied up after a call to EVP_DigestFinal(). New function + EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function + EVP_MD_CTX_copy() changed to not require the destination to be + initialized valid and new function EVP_MD_CTX_copy_ex() added which + requires the destination to be valid. + + Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(), + EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex(). [Steve Henson] +) Change ssl3_get_message (ssl/s3_both.c) and the functions using it @@ -165,10 +254,13 @@ "Douglas E. Engert" . [Lutz Jaenicke] - +) Add support for shared libraries for Unixware-7 and support including + ?) Add support for shared libraries for Unixware-7 and support including shared libraries for OpenUNIX-8 (Boyd Lynn Gerber ). [Lutz Jaenicke] + -) OpenUNIX-8 support (Boyd Lynn Gerber ) + [Lutz Jaenicke] + *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid 'wristwatch attack' using huge encoding parameters (cf. James H. Manger's CRYPTO 2001 paper). Note that the @@ -333,7 +425,7 @@ anyway). [Ben Laurie] - +) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). + *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). [Andy Polyakov] *) Modified SSL library such that the verify_callback that has been set