Skip to content
CHANGES 50 KiB
Newer Older
 OpenSSL CHANGES
Ben Laurie's avatar
Ben Laurie committed
 Changes between 0.9.3 and 0.9.3a  [29 May 1999]
Bodo Möller's avatar
Bodo Möller committed
  *) New configuration variant "sco5-gcc".

Bodo Möller's avatar
Bodo Möller committed
  *) Updated some demos.
Bodo Möller's avatar
Bodo Möller committed
     [Sean O Riordain, Wade Scholine]
Bodo Möller's avatar
Bodo Möller committed

Bodo Möller's avatar
Bodo Möller committed
  *) Add missing BIO_free at exit of pkcs12 application.
     [Wu Zhigang]

  *) Fix memory leak in conf.c.
     [Steve Henson]

  *) Updates for Win32 to assembler version of MD5.
     [Steve Henson]

  *) Set #! path to perl in apps/der_chop to where we found it
     instead of using a fixed path.
     [Bodo Moeller]

  *) SHA library changes for irix64-mips4-cc.
     [Andy Polyakov]

  *) Improvements for VMS support.
     [Richard Levitte]

Bodo Möller's avatar
Bodo Möller committed
 Changes between 0.9.2b and 0.9.3  [24 May 1999]
Ulf Möller's avatar
Ulf Möller committed

  *) Bignum library bug fix. IRIX 6 passes "make test" now!
     This also avoids the problems with SC4.2 and unpatched SC5.  
     [Andy Polyakov <appro@fy.chalmers.se>]

  *) New functions sk_num, sk_value and sk_set to replace the previous macros.
     These are required because of the typesafe stack would otherwise break 
     existing code. If old code used a structure member which used to be STACK
     and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
     sk_num or sk_value it would produce an error because the num, data members
     are not present in STACK_OF. Now it just produces a warning. sk_set
     replaces the old method of assigning a value to sk_value
     (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
     that does this will no longer work (and should use sk_set instead) but
     this could be regarded as a "questionable" behaviour anyway.
     [Steve Henson]

  *) Fix most of the other PKCS#7 bugs. The "experimental" code can now
     correctly handle encrypted S/MIME data.
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) Change type of various DES function arguments from des_cblock
Bodo Möller's avatar
Bodo Möller committed
     (which means, in function argument declarations, pointer to char)
Bodo Möller's avatar
Bodo Möller committed
     to des_cblock * (meaning pointer to array with 8 char elements),
     which allows the compiler to do more typechecking; it was like
     that back in SSLeay, but with lots of ugly casts.

     Introduce new type const_des_cblock.
     [Bodo Moeller]

  *) Reorganise the PKCS#7 library and get rid of some of the more obvious
     problems: find RecipientInfo structure that matches recipient certificate
     and initialise the ASN1 structures properly based on passed cipher.
     [Steve Henson]

  *) Belatedly make the BN tests actually check the results.
     [Ben Laurie]

  *) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
     to and from BNs: it was completely broken. New compilation option
     NEG_PUBKEY_BUG to allow for some broken certificates that encode public
     key elements as negative integers.
     [Steve Henson]

  *) Reorganize and speed up MD5.
     [Andy Polyakov <appro@fy.chalmers.se>]

Ulf Möller's avatar
Ulf Möller committed
  *) VMS support.
     [Richard Levitte <richard@levitte.org>]
  *) New option -out to asn1parse to allow the parsed structure to be
     output to a file. This is most useful when combined with the -strparse
     option to examine the output of things like OCTET STRINGS.
     [Steve Henson]

  *) Make SSL library a little more fool-proof by not requiring any longer
     that SSL_set_{accept,connect}_state be called before
     SSL_{accept,connect} may be used (SSL_set_..._state is omitted
     in many applications because usually everything *appeared* to work as
     intended anyway -- now it really works as intended).
     [Bodo Moeller]

  *) Move openssl.cnf out of lib/.
     [Ulf Möller]

  *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
     -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
     -Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+ 
     [Ralf S. Engelschall]

  *) Various fixes to the EVP and PKCS#7 code. It may now be able to
     handle PKCS#7 enveloped data properly.
     [Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]

  *) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
     copying pointers.  The cert_st handling is changed by this in
     various ways (and thus what used to be known as ctx->default_cert
     is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
     any longer when s->cert does not give us what we need).
     ssl_cert_instantiate becomes obsolete by this change.
     As soon as we've got the new code right (possibly it already is?),
     we have solved a couple of bugs of the earlier code where s->cert
     was used as if it could not have been shared with other SSL structures.

     Note that using the SSL API in certain dirty ways now will result
     in different behaviour than observed with earlier library versions:
     Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
     does not influence s as it used to.
     
     In order to clean up things more thoroughly, inside SSL_SESSION
     we don't use CERT any longer, but a new structure SESS_CERT
     that holds per-session data (if available); currently, this is
     the peer's certificate chain and, for clients, the server's certificate
     and temporary key.  CERT holds only those values that can have
     meaningful defaults in an SSL_CTX.
  *) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
     from the internal representation. Various PKCS#7 fixes: remove some
     evil casts and set the enc_dig_alg field properly based on the signing
     key type.
     [Steve Henson]

  *) Allow PKCS#12 password to be set from the command line or the
     environment. Let 'ca' get its config file name from the environment
     variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
     and 'x509').
     [Steve Henson]

  *) Allow certificate policies extension to use an IA5STRING for the
     organization field. This is contrary to the PKIX definition but
     VeriSign uses it and IE5 only recognises this form. Document 'x509'
     extension option.
     [Steve Henson]

Ben Laurie's avatar
Ben Laurie committed
  *) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
     without disallowing inline assembler and the like for non-pedantic builds.
     [Ben Laurie]

  *) Support Borland C++ builder.
     [Janez Jere <jj@void.si>, modified by Ulf Möller]

  *) Support Mingw32.
     [Ulf Möller]

  *) SHA-1 cleanups and performance enhancements.
     [Andy Polyakov <appro@fy.chalmers.se>]

Ulf Möller's avatar
Ulf Möller committed
  *) Sparc v8plus assembler for the bignum library.
     [Andy Polyakov <appro@fy.chalmers.se>]
  *) Accept any -xxx and +xxx compiler options in Configure.
     [Ulf Möller]

  *) Update HPUX configuration.
     [Anonymous]
  
  *) Add missing sk_<type>_unshift() function to safestack.h
     [Ralf S. Engelschall]

  *) New function SSL_CTX_use_certificate_chain_file that sets the
     "extra_cert"s in addition to the certificate.  (This makes sense
     only for "PEM" format files, as chains as a whole are not
     DER-encoded.)
     [Bodo Moeller]

  *) Support verify_depth from the SSL API.
     x509_vfy.c had what can be considered an off-by-one-error:
     Its depth (which was not part of the external interface)
     was actually counting the number of certificates in a chain;
     now it really counts the depth.
     [Bodo Moeller]

  *) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
     instead of X509err, which often resulted in confusing error
     messages since the error codes are not globally unique
     (e.g. an alleged error in ssl3_accept when a certificate
     didn't match the private key).

  *) New function SSL_CTX_set_session_id_context that allows to set a default
     value (so that you don't need SSL_set_session_id_context for each
     connection using the SSL_CTX).
Ulf Möller's avatar
Ulf Möller committed
  *) OAEP decoding bug fix.
     [Ulf Möller]

  *) Support INSTALL_PREFIX for package builders, as proposed by
Loading full blame...