X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=98b44d561c6a997bfcc3e798a10b5b6413de4852;hp=8196fd23f127be57b8bc68beb3817a1964f56896;hb=0185803cc224c8d88ca39ae07c296a4f1854e478;hpb=0b13e9f055d3f7be066dc2e89fc9f9822b12eca7 diff --git a/CHANGES b/CHANGES index 8196fd23f1..98b44d561c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,46 @@ OpenSSL CHANGES _______________ - Changes between 0.9.7 and 0.9.8 [xx XXX xxxx] + Changes between 0.9.7a and 0.9.8 [xx XXX xxxx] + + *) Make it possible to link applications using Makefile.shared. + Make that possible even when linking against static libraries! + [Richard Levitte] + + *) Various fixes to base64 BIO and non blocking I/O. On write + flushes were not handled properly if the BIO retried. On read + data was not being buffered properly and had various logic bugs. + [Steve Henson] + + *) Support for single pass processing for S/MIME signing. This now + means that S/MIME signing can be done from a pipe, in addition + cleartext signing (multipart/signed type) is effectively streaming + and the signed data does not need to be all held in memory. + + This is done with a new flag PKCS7_PARTSIGN. When this flag is set + PKCS7_sign() only initializes the PKCS7 structure and the actual signing + is done after the data is output (and digests calculated) in + SMIME_write_PKCS7(). + [Steve Henson] + + *) Add full support for -rpath/-R, both in shared libraries and + applications, at least on the platforms where it's known how + to do it. + [Richard Levitte] + + *) In crypto/ec/ec_mult.c, implement fast point multiplication with + precomputation, based on wNAF splitting: EC_GROUP_precompute_mult() + will now compute a table of multiples of the generator that + makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul() + faster (notably in the case of a single point multiplication, + scalar * generator). + [Nils Larsch, Bodo Moeller] + + *) IPv6 support for certificate extensions. The various extensions + which use the IP:a.b.c.d can now take IPv6 addresses using the + formats of RFC1884 2.2 . IPv6 addresses are now also displayed + correctly. + [Steve Henson] *) Added an ENGINE that implements RSA by performing private key exponentiations with the GMP library. The conversions to and from @@ -404,7 +443,61 @@ TODO: bug: pad x with leading zeros if necessary differing sizes. [Richard Levitte] - Changes between 0.9.7 and 0.9.7a [XX xxx 2003] + Changes between 0.9.7a and 0.9.7b [xx XXX 2003] + + *) Target "mingw" now allows native Windows code to be generated in + the Cygwin environment as well as with the MinGW compiler. + [Ulf Moeller] + + Changes between 0.9.7 and 0.9.7a [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + *) Make the no-err option work as intended. The intention with no-err + is not to have the whole error stack handling routines removed from + libcrypto, it's only intended to remove all the function name and + reason texts, thereby removing some of the footprint that may not + be interesting if those errors aren't displayed anyway. + + NOTE: it's still possible for any application or module to have it's + own set of error texts inserted. The routines are there, just not + used by default when no-err is given. + [Richard Levitte] + + *) Add support for FreeBSD on IA64. + [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454] + + *) Adjust DES_cbc_cksum() so it returns the same value as the MIT + Kerberos function mit_des_cbc_cksum(). Before this change, + the value returned by DES_cbc_cksum() was like the one from + mit_des_cbc_cksum(), except the bytes were swapped. + [Kevin Greaney and Richard Levitte] + + *) Allow an application to disable the automatic SSL chain building. + Before this a rather primitive chain build was always performed in + ssl3_output_cert_chain(): an application had no way to send the + correct chain if the automatic operation produced an incorrect result. + + Now the chain builder is disabled if either: + + 1. Extra certificates are added via SSL_CTX_add_extra_chain_cert(). + + 2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set. + + The reasoning behind this is that an application would not want the + auto chain building to take place if extra chain certificates are + present and it might also want a means of sending no additional + certificates (for example the chain has two certificates and the + root is omitted). + [Steve Henson] *) Add the possibility to build without the ENGINE framework. [Steven Reddie via Richard Levitte] @@ -2257,6 +2350,18 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of