X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=CHANGES;h=cb4ec5b3e82866e7865f030648f2552dcaf3701a;hp=09b277ecd013833e24fba5fd936297cdbf5d0600;hb=3604a4d3d17620b1c1610e337cbe705cf8f67b0c;hpb=0f583f69f3b3975a67fbc4d7851e4a91fd56d5a6

diff --git a/CHANGES b/CHANGES
index 09b277ecd0..cb4ec5b3e8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,69 @@
 
  Changes between 0.9.4 and 0.9.5  [xx XXX 1999]
 
+  *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
+     for the first serial number and places 2 in the serial number file. This
+     avoids problems when the root CA is created with serial number zero and
+     the first user certificate has the same issuer name and serial number
+     as the root CA.
+     [Steve Henson]
+
+  *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
+     the new code. Add documentation for this stuff.
+     [Steve Henson]
+
+  *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
+     X509_*() to X509at_*() on the grounds that they don't handle X509
+     structures and behave in an analagous way to the X509v3 functions:
+     they shouldn't be called directly but wrapper functions should be used
+     instead.
+
+     So we also now have some wrapper functions that call the X509at functions
+     when passed certificate requests. (TO DO: similar things can be done with
+     PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
+     things. Some of these need some d2i or i2d and print functionality
+     because they handle more complex structures.)
+     [Steve Henson]
+
+  *) Add missing #ifndefs that caused missing symbols when building libssl
+     as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
+     NO_RSA in ssl/s2*.c. 
+     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
+
+  *) Precautions against using the PRNG uninitialized: RAND_bytes() now
+     has a return value which indicates the quality of the random data
+     (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
+     error queue. New function RAND_pseudo_bytes() generates output that is
+     guaranteed to be unique but not unpredictable.
+     [Ulf Möller]
+
+  *) Do more iterations of Rabin-Miller probable prime test (specifically,
+     3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
+     instead of only 2 for all lengths; see BN_prime_checks definition
+     in crypto/bn/bn.h for the complete table).  This guarantees a
+     false-positive rate of at most 2^-80 (actually less because we are
+     additionally doing trial division) for random input.
+     [Bodo Moeller]
+
+  *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
+     [Bodo Moeller]
+
+  *) New function X509_CTX_rget_chain(), this returns the chain
+     from an X509_CTX structure with a dup of the stack and all
+     the X509 reference counts upped: so the stack will exist
+     after X509_CTX_cleanup() has been called. Modify pkcs12.c
+     to use this.
+
+     Also make SSL_SESSION_print() print out the verify return
+     code.
+     [Steve Henson]
+
+  *) Add manpage for the pkcs12 command. Also change the default
+     behaviour so MAC iteration counts are used unless the new
+     -nomaciter option is used. This improves file security and
+     only older versions of MSIE (4.0 for example) need it.
+     [Steve Henson]
+
   *) Honor the no-xxx Configure options when creating .DEF files.
      [Ulf Möller]
 
@@ -152,11 +215,13 @@
   *) Rebuild of the memory allocation routines used by OpenSSL code and
      possibly others as well.  The purpose is to make an interface that
      provide hooks so anyone can build a separate set of allocation and
-     deallocation routines to be used by OpenSSL, for example if memory
-     pool implementations, or something else.  The same is provided for
-     memory debugging code.  OpenSSL already comes with code that finds
-     memory leaks, but this gives people a chance to debug other memory
-     problems.
+     deallocation routines to be used by OpenSSL, for example memory
+     pool implementations, or something else, which was previously hard
+     since Malloc(), Realloc() and Free() were defined as macros having
+     the values malloc, realloc and free, respectively (except for Win32
+     compilations).  The same is provided for memory debugging code.
+     OpenSSL already comes with functionality to find memory leaks, but
+     this gives people a chance to debug other memory problems.
 
      With these changes, a new set of functions and macros have appeared:
 
@@ -168,8 +233,14 @@
 
      The memory debug functions are NULL by default, unless the library
      is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
-     wants to debug memory anyway, CRYPTO_malloc_debug_init() or
-     CRYPTO_set_mem_debug_functions() must be used.
+     wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
+     gives the standard debugging functions that come with OpenSSL) or
+     CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
+     provided by the library user) must be used.  When the standard
+     debugging functions are used, CRYPTO_dbg_set_options can be used to
+     request additional information:
+     CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
+     the CRYPTO_MDEBUG_xxx macro when compiling the library.   
 
      Also, things like CRYPTO_set_mem_functions will always give the
      expected result (the new set of functions is used for allocation
@@ -184,7 +255,7 @@
        CRYPTO_dbg_free()
 
      All macros of value have retained their old syntax.
-     [Richard Levitte]
+     [Richard Levitte and Bodo Moeller]
 
   *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
      ordering of SMIMECapabilities wasn't in "strength order" and there
@@ -396,8 +467,11 @@
 
   *) Add the possibility to add extra information to the memory leak
      detecting output, to form tracebacks, showing from where each
-     allocation was originated.  Also updated sid code to be multi-
-     thread-safe.
+     allocation was originated: CRYPTO_push_info("constant string") adds
+     the string plus current file name and line number to a per-thread
+     stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
+     is like calling CYRPTO_pop_info() until the stack is empty.
+     Also updated memory leak detection code to be multi-thread-safe.
      [Richard Levitte]
 
   *) Add options -text and -noout to pkcs7 utility and delete the
@@ -433,11 +507,11 @@
      for all purposes.
      [Steve Henson]
 
-  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).  The
-     problem was that one of the replacement routines had not been working since
-     SSLeay releases.  For now the offending routine has been replaced with
-     non-optimised assembler.  Even so, this now gives around 95% performance
-     improvement for 1024 bit RSA signs.
+  *) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
+     The problem was that one of the replacement routines had not been working
+     since SSLeay releases.  For now the offending routine has been replaced
+     with non-optimised assembler.  Even so, this now gives around 95%
+     performance improvement for 1024 bit RSA signs.
      [Mark Cox]
 
   *) Hack to fix PKCS#7 decryption when used with some unorthodox RC2