X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=CHANGES.md;h=78e8f88c6247091a9d7f2668c0e9d56d5c48fbf8;hb=33388b44b67145af2181b1e9528c381c8ea0d1b6;hp=af42a38474f4a27c18c04bbd765145416a557d6d;hpb=44652c1637402fffa1babcbdb4c17b287396fd69;p=oweals%2Fopenssl.git diff --git a/CHANGES.md b/CHANGES.md index af42a38474..78e8f88c62 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -24,16 +24,80 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] ### + * Deprecated EC_POINT_set_Jprojective_coordinates_GFp() and + EC_POINT_get_Jprojective_coordinates_GFp(). These functions are not widely + used and applications should instead use the + L and + L functions. + + *Billy Bob Brumley* + + * Added OSSL_PARAM_BLD to the public interface. This allows OSSL_PARAM + arrays to be more easily constructed via a series of utility functions. + Create a parameter builder using OSSL_PARAM_BLD_new(), add parameters using + the various push functions and finally convert to a passable OSSL_PARAM + array using OSSL_PARAM_BLD_to_param(). + + *Paul Dale* + + * EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and + EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side + internal keys, if they correspond to one of those built in types. + + *Richard Levitte* + + * Added EVP_PKEY_set_type_by_keymgmt(), to initialise an EVP_PKEY to + contain a provider side internal key. + + *Richard Levitte* + + * ASN1_verify(), ASN1_digest() and ASN1_sign() have been deprecated. + They are old functions that we don't use, and that you could disable with + the macro NO_ASN1_OLD. This goes all the way back to OpenSSL 0.9.7. + + *Richard Levitte* + + * The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT) + have been converted to Markdown with the goal to produce documents + which not only look pretty when viewed online in the browser, but + remain well readable inside a plain text editor. + + To achieve this goal, a 'minimalistic' Markdown style has been applied + which avoids formatting elements that interfere too much with the + reading flow in the text file. For example, it + + * avoids [ATX headings][] and uses [setext headings][] instead + (which works for `

` and `

` headings only). + * avoids [inline links][] and uses [reference links][] instead. + * avoids [fenced code blocks][] and uses [indented code blocks][] instead. + + [ATX headings]: https://github.github.com/gfm/#atx-headings + [setext headings]: https://github.github.com/gfm/#setext-headings + [inline links]: https://github.github.com/gfm/#inline-link + [reference links]: https://github.github.com/gfm/#reference-link + [fenced code blocks]: https://github.github.com/gfm/#fenced-code-blocks + [indented code blocks]: https://github.github.com/gfm/#indented-code-blocks + + *Matthias St. Pierre* + + * The test suite is changed to preserve results of each test recipe. A new directory test-runs/ with subdirectories named like the test recipes are created in the build tree for this purpose. *Richard Levitte* - * The command line utilities ecparam and ec have been deprecated. Instead - use the pkeyparam, pkey and genpkey programs. + * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712). + This adds crypto/cmp/, crpyto/crmf/, and test/cmp_*. + See L as starting point. - *Paul Dale* + *David von Oheimb* + + * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/. + The legacy OCSP-focused and only partly documented API is retained. + See L etc. for details. + + *David von Oheimb* * All of the low level RSA functions have been deprecated including: @@ -89,25 +153,35 @@ OpenSSL 3.0 *Kurt Roeckx* * The command line utilities dhparam, dsa, gendsa and dsaparam have been - deprecated. Instead use the pkeyparam, pkey, genpkey and pkeyparam - programs respectively. + modified to use PKEY APIs. These commands are now in maintenance mode + and no new features will be added to them. + + *Paul Dale* + + * The command line utility rsautl has been deprecated. + Instead use the pkeyutl program. + + *Paul Dale* + + * The command line utilities genrsa and rsa have been modified to use PKEY + APIs These commands are now in maintenance mode and no new features will + be added to them. *Paul Dale* * All of the low level DH functions have been deprecated including: - DH_OpenSSL, DH_set_default_method, DH_get_default_method, DH_set_method, - DH_new_method, DH_bits, DH_size, DH_security_bits, DH_get_ex_new_index, - DH_set_ex_data, DH_get_ex_data, DH_generate_parameters_ex, - DH_check_params_ex, DH_check_ex, DH_check_pub_key_ex, - DH_check, DH_check_pub_key, DH_generate_key, DH_compute_key, - DH_compute_key_padded, DHparams_print_fp, DHparams_print, DH_get_nid, - DH_KDF_X9_42, DH_get0_engine, DH_get_length, DH_set_length, DH_meth_new, + DH_OpenSSL, DH_set_default_method, DH_get_default_method, + DH_set_method, DH_new_method, DH_bits, DH_size, DH_security_bits, + DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data, + DH_generate_parameters_ex, DH_check_params_ex, DH_check_ex, + DH_check_pub_key_ex, DH_check, DH_check_pub_key, DH_generate_key, + DH_compute_key, DH_compute_key_padded, DHparams_print_fp, + DHparams_print, DH_get_nid, DH_KDF_X9_42, DH_get0_engine, DH_meth_new, DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data, - DH_meth_set0_app_data, DH_meth_get_generate_key, - DH_meth_set_generate_key, DH_meth_get_compute_key, - DH_meth_set_compute_key, DH_meth_get_bn_mod_exp, + DH_meth_set0_app_data, DH_meth_get_generate_key, DH_meth_set_generate_key, + DH_meth_get_compute_key, DH_meth_set_compute_key, DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params and DH_meth_set_generate_params. @@ -908,7 +982,46 @@ OpenSSL 3.0 OpenSSL 1.1.1 ------------- -### Changes between 1.1.1d and 1.1.1e [xx XXX xxxx] ### +### Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] ### + + +### Changes between 1.1.1d and 1.1.1e [17 Mar 2020] ### + + * Properly detect EOF while reading in libssl. Previously if we hit an EOF + while reading in libssl then we would report an error back to the + application (SSL_ERROR_SYSCALL) but errno would be 0. We now add + an error to the stack (which means we instead return SSL_ERROR_SSL) and + therefore give a hint as to what went wrong. + + *Matt Caswell* + + * Check that ed25519 and ed448 are allowed by the security level. Previously + signature algorithms not using an MD were not being checked that they were + allowed by the security level. + + *Kurt Roeckx* + + * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername() + was not quite right. The behaviour was not consistent between resumption + and normal handshakes, and also not quite consistent with historical + behaviour. The behaviour in various scenarios has been clarified and + it has been updated to make it match historical behaviour as closely as + possible. + + *Matt Caswell* + + * *[VMS only]* The header files that the VMS compilers include automatically, + `__DECC_INCLUDE_PROLOGUE.H` and `__DECC_INCLUDE_EPILOGUE.H`, use pragmas + that the C++ compiler doesn't understand. This is a shortcoming in the + compiler, but can be worked around with `__cplusplus` guards. + + C++ applications that use OpenSSL libraries must be compiled using the + qualifier `/NAMES=(AS_IS,SHORTENED)` to be able to use all the OpenSSL + functions. Otherwise, only functions with symbols of less than 31 + characters can be used, as the linker will not be able to successfully + resolve symbols with longer names. + + *Richard Levitte* * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time.