X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=5979cd89e3752856fb289d0d00d17f5e4a8e752f;hp=5aec2ce77243371cf7813d6f7c24c359b120cf52;hb=88f19d86d9fb2d50b5a80b6cad0a6b38dfc2bf12;hpb=5d120511679ed69669e29b374a3bab1c50ff5134 diff --git a/CHANGES b/CHANGES index 5aec2ce772..5979cd89e3 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,93 @@ Changes between 1.1.1 and 3.0.0 [xx XXX xxxx] - *) Default cipher lists/suites are now avaialble via a function, the + *) Correct the extended master secret constant on EBCDIC systems. Without this + fix TLS connections between an EBCDIC system and a non-EBCDIC system that + negotiate EMS will fail. Unfortunately this also means that TLS connections + between EBCDIC systems with this fix, and EBCDIC systems without this + fix will fail if they negotiate EMS. + [Matt Caswell] + + *) Changed the library initialisation so that the config file is now loaded + by default. This was already the case for libssl. It now occurs for both + libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to + OPENSSL_init_crypto() to suppress automatic loading of a config file. + [Matt Caswell] + + *) Introduced new error raising macros, ERR_raise() and ERR_raise_data(), + where the former acts as a replacement for ERR_put_error(), and the + latter replaces the combination ERR_put_error()+ERR_add_error_data(). + ERR_raise_data() adds more flexibility by taking a format string and + an arbitrary number of arguments following it, to be processed with + BIO_snprintf(). + [Richard Levitte] + + *) Introduced a new function, OSSL_PROVIDER_available(), which can be used + to check if a named provider is loaded and available. When called, it + will also activate all fallback providers if such are still present. + [Richard Levitte] + + *) Enforce a minimum DH modulus size of 512 bits. + [Bernd Edlinger] + + *) Changed DH parameters to generate the order q subgroup instead of 2q. + Previously generated DH parameters are still accepted by DH_check + but DH_generate_key works around that by clearing bit 0 of the + private key for those. This avoids leaking bit 0 of the private key. + [Bernd Edlinger] + + *) Significantly reduce secure memory usage by the randomness pools. + [Paul Dale] + + *) {CRYPTO,OPENSSL}_mem_debug_{push,pop} are now no-ops and have been + deprecated. + [Rich Salz] + + *) A new type, EVP_KEYEXCH, has been introduced to represent key exchange + algorithms. An implementation of a key exchange algorithm can be obtained + by using the function EVP_KEYEXCH_fetch(). An EVP_KEYEXCH algorithm can be + used in a call to EVP_PKEY_derive_init_ex() which works in a similar way to + the older EVP_PKEY_derive_init() function. See the man pages for the new + functions for further details. + [Matt Caswell] + + *) The EVP_PKEY_CTX_set_dh_pad() macro has now been converted to a function. + [Matt Caswell] + + *) Removed the function names from error messages and deprecated the + xxx_F_xxx define's. + + *) Removed NextStep support and the macro OPENSSL_UNISTD + [Rich Salz] + + *) Removed DES_check_key. Also removed OPENSSL_IMPLEMENT_GLOBAL, + OPENSSL_GLOBAL_REF, OPENSSL_DECLARE_GLOBAL. + Also removed "export var as function" capability; we do not export + variables, only functions. + [Rich Salz] + + *) RC5_32_set_key has been changed to return an int type, with 0 indicating + an error and 1 indicating success. In previous versions of OpenSSL this + was a void type. If a key was set longer than the maximum possible this + would crash. + [Matt Caswell] + + *) Support SM2 signing and verification schemes with X509 certificate. + [Paul Yang] + + *) Use SHA256 as the default digest for TS query in the ts app. + [Tomas Mraz] + + *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898. + This checks that the salt length is at least 128 bits, the derived key + length is at least 112 bits, and that the iteration count is at least 1000. + For backwards compatibility these checks are disabled by default in the + default provider, but are enabled by default in the fips provider. + To enable or disable these checks use the control + EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE. + [Shane Lontis] + + *) Default cipher lists/suites are now available via a function, the #defines are deprecated. [Todd Short] @@ -30,7 +116,7 @@ *) Added command 'openssl kdf' that uses the EVP_KDF API. [Shane Lontis] - *) Added command 'openssl mac' that uses the EVP_MAC API. + *) Added command 'openssl mac' that uses the EVP_MAC API. [Shane Lontis] *) Added OPENSSL_info() to get diverse built-in OpenSSL data, such @@ -432,7 +518,7 @@ SSL_set_ciphersuites() [Matt Caswell] - *) Memory allocation failures consistenly add an error to the error + *) Memory allocation failures consistently add an error to the error stack. [Rich Salz] @@ -6970,7 +7056,7 @@ reason texts, thereby removing some of the footprint that may not be interesting if those errors aren't displayed anyway. - NOTE: it's still possible for any application or module to have it's + NOTE: it's still possible for any application or module to have its own set of error texts inserted. The routines are there, just not used by default when no-err is given. [Richard Levitte] @@ -8936,7 +9022,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of - memory from it's contents. This is done with a counter that will + memory from its contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can