X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES;h=aef5034c8088cc29ce9dbe9e1feac2aba16a4aee;hb=141e584998088862be4704bd48f887b2527a7486;hp=a2f1d02763e38679a546a02635076db3e3de98c0;hpb=19da1300536be2ffddd5edef039e34b09a0c8440;p=oweals%2Fopenssl.git diff --git a/CHANGES b/CHANGES index a2f1d02763..aef5034c80 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,72 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). + [Lutz Jaenicke] + + +) Add EVP test program. + [Ben Laurie] + + +) Add symmetric cipher support to ENGINE. Expect the API to change! + [Ben Laurie] + + +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() + X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), + X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). + These allow a CRL to be built without having to access X509_CRL fields + directly. Modify 'ca' application to use new functions. + [Steve Henson] + + *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() + for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" ). + [Lutz Jaenicke] + + *) Rework the configuration and shared library support for Tru64 Unix. + The configuration part makes use of modern compiler features and + still retains old compiler behavior for those that run older versions + of the OS. The shared library support part includes a variant that + uses the RPATH feature, and is available through the speciel + configuration target "alpha-cc-rpath", which will never be selected + automatically. + [Tim Mooney via Richard Levitte] + + *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() + with the same message size as in ssl3_get_certificate_request(). + Otherwise, if no ServerKeyExchange message occurs, CertificateRequest + messages might inadvertently be reject as too long. + [Petr Lampa ] + + +) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended + bug workarounds. Rollback attack detection is a security feature. + The problem will only arise on OpenSSL servers when TLSv1 is not + available (sslv3_server_method() or SSL_OP_NO_TLSv1). + Software authors not wanting to support TLSv1 will have special reasons + for their choice and can explicitly enable this option. + [Bodo Moeller, Lutz Jaenicke] + + +) Rationalise EVP so it can be extended: don't include a union of + cipher/digest structures, add init/cleanup functions. This also reduces + the number of header dependencies. + [Ben Laurie] + + +) Make DES key schedule conform to the usual scheme, as well as + correcting its structure. This means that calls to DES functions + now have to pass a pointer to a des_key_schedule instead of a + plain des_key_schedule (which was actually always a pointer + anyway). + [Ben Laurie] + + +) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). + [Andy Polyakov] + + *) Modified SSL library such that the verify_callback that has been set + specificly for an SSL object with SSL_set_verify() is actually being + used. Before the change, a verify_callback set with this function was + ignored and the verify_callback() set in the SSL_CTX at the time of + the call was used. New function X509_STORE_CTX_set_verify_cb() introduced + to allow the necessary settings. + [Lutz Jaenicke] + +) Initial reduction of linker bloat: the use of some functions, such as PEM causes large amounts of unused functions to be linked in due to poor organisation. For example pem_all.c contains every PEM function @@ -20,23 +86,12 @@ functions prevents this. [Steve Henson] - *) Initialize static variable in crypto/dsa/dsa_lib.c explicitely to - NULL, as at least on Solaris 8 this seems not to be done automatically - (in contradiction to the requirements of the C standard). - This made problems when used from OpenSSH. + *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c + explicitely to NULL, as at least on Solaris 8 this seems not always to be + done automatically (in contradiction to the requirements of the C + standard). This made problems when used from OpenSSH. [Lutz Jaenicke] - *) In crypto/dh/dh_key.c, change generate_key() (the default - implementation of DH_generate_key()) so that a new key is - generated each time DH_generate_key() is used on a DH object. - - Previously, DH_generate_key() did not change existing keys - -- but ssl/s3_srvr.c always expected it to do so (in effect, - SSL_OP_SINGLE_DH_USE was ignored in servers reusing the same SSL - object for multiple connections; however, each new SSL object - created from an SSL_CTX got its own key). - [Bodo Moeller] - *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored dh->length and always used @@ -830,6 +885,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k the clients preferred ciphersuites and rather use its own preferences. Should help to work around M$ SGC (Server Gated Cryptography) bug in Internet Explorer by ensuring unchanged hash method during stepup. + (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.) [Lutz Jaenicke] +) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael @@ -1951,7 +2007,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k default is static libraries only, and the OpenSSL programs are always statically linked for now, but there are preparations for dynamic linking in place. - This has been tested on Linux and True64. + This has been tested on Linux and Tru64. [Richard Levitte] *) Randomness polling function for Win9x, as described in: