git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Fix a bug in x509.c that omitted DSA parameters when they didn't match the
Commit Line Data
651d0aff 1
f1c236f8 2 OpenSSL CHANGES
651d0aff RE 3 _______________
4
0cceb1c7 BM 5 Changes between 0.9.3a and 0.9.4
6
f7daafa4 DSH 7 *) The x509 application mishandled signing requests containing DSA
8 keys when the signing key was also DSA and the parameters didn't match.
9
10 It was supposed to omit the parameters when they matched the signing key:
11 the verifying software was then supposed to automatically use the CA's
12 parameters if they were absent from the end user certificate.
13
14 Omitting parameters is no longer recommended. The test was also
15 the wrong way round! This was probably due to unusual behaviour in
16 EVP_cmp_parameters() which returns 1 if the parameters match.
17 This meant that parameters were omitted when they *didn't* match and
18 the certificate was useless. Certificates signed with 'ca' didn't have
19 this bug.
20 [Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
21
777ab7e6 BM 22 *) Memory leak checking had some problems. The interface is as follows:
23 Applications can use
24 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
25 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
26 "off" is now the default.
27 The library internally uses
28 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
29 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
30 to disable memory-checking temporarily.
31
32 Some inconsistent states that previously were possible (and were
33 even the default) are now avoided.
34 [Bodo Moeller]
35
e1056435 BM 36 *) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
37 which largely parallels "options", but is for changing API behaviour,
38 whereas "options" are about protocol behaviour.
39 Initial "mode" flags (still experimental) are:
40
41 SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when
42 a single record has been written.
43 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
44 retries use the same buffer location.
45 (But all of the contents must be
46 copied!)
47 [Bodo Moeller]
48
49 *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode
50 worked.
51
5271ebd9 UM 52 *) Fix problems with no-hmac etc.
53