Skip to content
CHANGES 119 KiB
Newer Older
 OpenSSL CHANGES
Ulf Möller's avatar
Ulf Möller committed
 Changes between 0.9.5 and 0.9.5a  [XX XXX 2000]
Bodo Möller's avatar
Bodo Möller committed
  *) Add compatibility options to the purpose and trust code. The
     purpose X509_PURPOSE_ANY is "any purpose" which automatically
     accepts a certificate or CA, this was the previous behaviour,
     with all the associated security issues.

     X509_TRUST_COMPAT is the old trust behaviour: only and
     automatically trust self signed roots in certificate store. A
     new trust setting X509_TRUST_DEFAULT is used to specify that
     a purpose has no associated trust setting and it should instead
     use the value in the default purpose.
     [Steve Henson]

  *) Fix the PKCS#8 DSA private key code so it decodes keys again
     and fix a memory leak.
     [Steve Henson]

  *) In util/mkerr.pl (which implements 'make errors'), preserve
     reason strings from the previous version of the .c file, as
     the default to have only downcase letters (and digits) in
     automatically generated reasons codes is not always appropriate.
     [Bodo Moeller]

  *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
     using strerror.  Previously, ERR_reason_error_string() returned
     library names as reason strings for SYSerr; but SYSerr is a special
     case where small numbers are errno values, not library numbers.
     [Bodo Moeller]

  *) Add '-dsaparam' option to 'openssl dhparam' application.  This
     converts DSA parameters into DH parameters. (When creating parameters,
     DSA_generate_parameters is used.)
     [Bodo Moeller]

  *) Include 'length' (recommended exponent length) in C code generated
     by 'openssl dhparam -C'.
     [Bodo Moeller]

  *) The second argument to set_label in perlasm was already being used
     so couldn't be used as a "file scope" flag. Moved to third argument
     which was free.
     [Steve Henson]

  *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
     instead of RAND_bytes for encryption IVs and salts.
     [Bodo Moeller]

  *) Include RAND_status() into RAND_METHOD instead of implementing
     it only for md_rand.c  Otherwise replacing the PRNG by calling
     RAND_set_rand_method would be impossible.
     [Bodo Moeller]

  *) Don't let DSA_generate_key() enter an infinite loop if the random
     number generation fails.
     [Bodo Moeller]

  *) New 'rand' application for creating pseudo-random output.
     [Bodo Moeller]

  *) Added configuration support for Linux/IA64
     [Rolf Haberrecker <rolf@suse.de>]

  *) Assembler module support for Mingw32.
     [Ulf Möller]

  *) Shared library support for HPUX (in shlib/).
     [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]

  *) Shared library support for Solaris gcc.
     [Lutz Behnke <behnke@trustcenter.de>]
Richard Levitte's avatar
Richard Levitte committed
 Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
Ulf Möller's avatar
Ulf Möller committed

  *) PKCS7_encrypt() was adding text MIME headers twice because they
     were added manually and by SMIME_crlf_copy().
     [Steve Henson]

  *) In bntest.c don't call BN_rand with zero bits argument.
     [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]

Ulf Möller's avatar
Ulf Möller committed
  *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
     case was implemented. This caused BN_div_recp() to fail occasionally.
Ulf Möller's avatar
Ulf Möller committed
     [Ulf Möller]

  *) Add an optional second argument to the set_label() in the perl
     assembly language builder. If this argument exists and is set
     to 1 it signals that the assembler should use a symbol whose 
     scope is the entire file, not just the current function. This
     is needed with MASM which uses the format label:: for this scope.
     [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]

  *) Change the ASN1 types so they are typedefs by default. Before
     almost all types were #define'd to ASN1_STRING which was causing
     STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
     for example.
     [Steve Henson]

  *) Change names of new functions to the new get1/get0 naming
     convention: After 'get1', the caller owns a reference count
     and has to call ..._free; 'get0' returns a pointer to some
     data structure without incrementing reference counters.
     (Some of the existing 'get' functions increment a reference
     counter, some don't.)
     Similarly, 'set1' and 'add1' functions increase reference
     counters or duplicate objects.
  *) Allow for the possibility of temp RSA key generation failure:
     the code used to assume it always worked and crashed on failure.
     [Steve Henson]

Ulf Möller's avatar
Ulf Möller committed
  *) Fix potential buffer overrun problem in BIO_printf().
     [Ulf Möller, using public domain code by Patrick Powell; problem
      pointed out by David Sacerdote <das33@cornell.edu>]

Ulf Möller's avatar
Ulf Möller committed
  *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
     RAND_egd() and RAND_status().  In the command line application,
     the EGD socket can be specified like a seed file using RANDFILE
     or -rand.
     [Ulf Möller]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
     Some CAs (e.g. Verisign) distribute certificates in this form.
     [Steve Henson]

  *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
     list to exclude them. This means that no special compilation option
     is needed to use anonymous DH: it just needs to be included in the
     cipher list.
     [Steve Henson]

  *) Change the EVP_MD_CTX_type macro so its meaning consistent with
     EVP_MD_type. The old functionality is available in a new macro called
     EVP_MD_md(). Change code that uses it and update docs.
     [Steve Henson]

  *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
     where the 'void *' argument is replaced by a function pointer argument.
     Previously 'void *' was abused to point to functions, which works on
     many platforms, but is not correct.  As these functions are usually
     called by macros defined in OpenSSL header files, most source code
     should work without changes.
Ulf Möller's avatar
Ulf Möller committed
     [Richard Levitte]

  *) <openssl/opensslconf.h> (which is created by Configure) now contains
     sections with information on -D... compiler switches used for
     compiling the library so that applications can see them.  To enable
     one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
     must be defined.  E.g.,
        #define OPENSSL_ALGORITHM_DEFINES
        #include <openssl/opensslconf.h>
     defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
Ulf Möller's avatar
Ulf Möller committed
     [Richard Levitte, Ulf and Bodo Möller]
  *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
     record layer.
     [Bodo Moeller]

  *) Change the 'other' type in certificate aux info to a STACK_OF
     X509_ALGOR. Although not an AlgorithmIdentifier as such it has
     the required ASN1 format: arbitrary types determined by an OID.
     [Steve Henson]

  *) Add some PEM_write_X509_REQ_NEW() functions and a command line
     argument to 'req'. This is not because the function is newer or
     better than others it just uses the work 'NEW' in the certificate
     request header lines. Some software needs this.
     [Steve Henson]

  *) Reorganise password command line arguments: now passwords can be
     obtained from various sources. Delete the PEM_cb function and make
     it the default behaviour: i.e. if the callback is NULL and the
     usrdata argument is not NULL interpret it as a null terminated pass
     phrase. If usrdata and the callback are NULL then the pass phrase
     is prompted for as usual.
     [Steve Henson]

  *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
     the support is automatically enabled. The resulting binaries will
     autodetect the card and use it if present.
     [Ben Laurie and Compaq Inc.]

  *) Work around for Netscape hang bug. This sends certificate request
     and server done in one record. Since this is perfectly legal in the
     SSL/TLS protocol it isn't a "bug" option and is on by default. See
     the bugs/SSLv3 entry for more info.
     [Steve Henson]

  *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
     [Andy Polyakov]

  *) Add -rand argument to smime and pkcs12 applications and read/write
     of seed file.
     [Steve Henson]

Loading full blame...