| Commit | Line | Data |
|---|---|---|
| 651d0aff | 1 | |
| f1c236f8 | 2 | OpenSSL CHANGES |
| 651d0aff RE | 3 | _______________ |
| | 4 | |
| 0cceb1c7 BM | 5 | Changes between 0.9.3a and 0.9.4 |
| | 6 | |
| f7daafa4 DSH | 7 | *) The x509 application mishandled signing requests containing DSA |
| | 8 | keys when the signing key was also DSA and the parameters didn't match. |
| | 9 | |
| | 10 | It was supposed to omit the parameters when they matched the signing key: |
| | 11 | the verifying software was then supposed to automatically use the CA's |
| | 12 | parameters if they were absent from the end user certificate. |
| | 13 | |
| | 14 | Omitting parameters is no longer recommended. The test was also |
| | 15 | the wrong way round! This was probably due to unusual behaviour in |
| | 16 | EVP_cmp_parameters() which returns 1 if the parameters match. |
| | 17 | This meant that parameters were omitted when they *didn't* match and |
| | 18 | the certificate was useless. Certificates signed with 'ca' didn't have |
| | 19 | this bug. |
| | 20 | [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>] |
| | 21 | |
| 777ab7e6 BM | 22 | *) Memory leak checking had some problems. The interface is as follows: |
| | 23 | Applications can use |
| | 24 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(), |
| | 25 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop(); |
| | 26 | "off" is now the default. |
| | 27 | The library internally uses |
| | 28 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(), |
| | 29 | CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on() |
| | 30 | to disable memory-checking temporarily. |
| | 31 | |
| | 32 | Some inconsistent states that previously were possible (and were |
| | 33 | even the default) are now avoided. |
| | 34 | [Bodo Moeller] |
| | 35 | |
| e1056435 BM | 36 | *) Introduce "mode" for SSL structures (with defaults in SSL_CTX), |
| | 37 | which largely parallels "options", but is for changing API behaviour, |
| | 38 | whereas "options" are about protocol behaviour. |
| | 39 | Initial "mode" flags (still experimental) are: |
| | 40 | |
| | 41 | SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when |
| | 42 | a single record has been written. |
| | 43 | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write |
| | 44 | retries use the same buffer location. |
| | 45 | (But all of the contents must be |
| | 46 | copied!) |
| | 47 | [Bodo Moeller] |
| | 48 | |
| | 49 | *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode |
| | 50 | worked. |
| | 51 | |
| 5271ebd9 UM | 52 | *) Fix problems with no-hmac etc. |
| | 53 | |
53 |