Skip to content
CHANGES 247 KiB
Newer Older
 OpenSSL CHANGES
Bodo Möller's avatar
Bodo Möller committed
 Changes between 0.9.7 and 0.9.8  [xx XXX 2002]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecdsaparam' and 'openssl ecdsa'
     (these are variants of 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library.  Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key.
Bodo Möller's avatar
Bodo Möller committed
     [Nils Larsch <nla@trustcenter.de>]
Bodo Möller's avatar
Bodo Möller committed

  *) Add reference counting for EC_GROUP objects.
Bodo Möller's avatar
Bodo Möller committed
     [Nils Larsch <nla@trustcenter.de>]
Bodo Möller's avatar
Bodo Möller committed

  *) Include some named elliptic curves.  These can be obtained from
     the new functions
          EC_GROUP_new_by_nid()
          EC_GROUP_new_by_name()
     Also add a 'nid' field to EC_GROUP objects, which can be accessed
     via
         EC_GROUP_set_nid()
         EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
 
 Changes between 0.9.6 and 0.9.7  [xx XXX 2002]

     OpenSSL 0.9.6a/0.9.6b/0.9.6c/0.9.6d (bugfix releases, 5 Apr 2001,
     9 July 2001, 21 Dec 2001 and xx XXX 2002) and OpenSSL 0.9.7 were
     developed in parallel, based on OpenSSL 0.9.6.  
Bodo Möller's avatar
Bodo Möller committed

     Change log entries are tagged as follows:
Bodo Möller's avatar
Bodo Möller committed
         -) applies to 0.9.6a ... 0.9.6d only
         *) applies to 0.9.6a ... 0.9.6d and 0.9.7
Dr. Stephen Henson's avatar
Dr. Stephen Henson committed
  +) Config modules support in openssl utility.

     Most commands now load modules from the config file,
     though in a few (such as version) this isn't done 
     because it couldn't be used for anything.

     In the case of ca and req the config file used is
     the same as the utility itself: that is the -config
     command line option can be used to specify an
     alternative file.
     [Steve Henson]

  +) Move default behaviour from OPENSSL_config(). If appname is NULL
     use "openssl_conf" if filename is NULL use default openssl config file.
     [Steve Henson]

  +) Add an argument to OPENSSL_config() to allow the use of an alternative
     config section name. Add a new flag to tolerate a missing config file
     and move code to CONF_modules_load_file().
     [Steve Henson]

  *) Add information about CygWin 1.3 and on, and preserve proper
     configuration for the versions before that.
     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]

  *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
     check whether we deal with a copy of a session and do not delete from
     the cache in this case. Problem reported by "Izhar Shoshani Levi"
     <izhar@checkpoint.com>.
     [Lutz Jaenicke]

  *) Do not store session data into the internal session cache, if it
     is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
     flag is set). Proposed by Aslam <aslam@funk.com>.
     [Lutz Jaenicke]

  +) Support for crypto accelerator cards from Accelerated Encryption
     Processing, www.aep.ie.  (Use engine 'aep')
     The support was copied from 0.9.6c [engine] and adapted/corrected
     to work with the new engine framework.
     [AEP Inc. and Richard Levitte]

  +) Support for SureWare crypto accelerator cards from Baltimore
     Technologies.  (Use engine 'sureware')
     The support was copied from 0.9.6c [engine] and adapted
     to work with the new engine framework.
     [Richard Levitte]

  *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
     value is 0.
     [Richard Levitte]

  +) Have the CHIL engine fork-safe (as defined by nCipher) and actually
     make the newer ENGINE framework commands for the CHIL engine work.
     [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]

  +) Make it possible to produce shared libraries on ReliantUNIX.
     [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]

  *) Add the configuration target linux-s390x.
     [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]

  +) Add the configuration target debug-linux-ppro.
     Make 'openssl rsa' use the general key loading routines
     implemented in apps.c, and make those routines able to
     handle the key format FORMAT_NETSCAPE and the variant
     FORMAT_IISSGC.
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]

  +) Add -keyform to rsautl, and document -engine.
     [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]

Bodo Möller's avatar
Bodo Möller committed
  +) Change BIO_new_file (crypto/bio/bss_file.c) to use new
     BIO_R_NO_SUCH_FILE error code rather than the generic
     ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
     [Ben Laurie]

  +) Add new functions
          ERR_peek_last_error
          ERR_peek_last_error_line
          ERR_peek_last_error_line_data.
     These are similar to
          ERR_peek_error
          ERR_peek_error_line
          ERR_peek_error_line_data,
     but report on the latest error recorded rather than the first one
     still in the error queue.
     [Ben Laurie, Bodo Moeller]
        
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) default_algorithms option in ENGINE config module. This allows things
     like:
     default_algorithms = ALL
     default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
     [Steve Henson]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) Prelminary ENGINE config module.
     [Steve Henson]

  *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
     ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
     variable as an indication that a ClientHello message has been
     received.  As the flag value will be lost between multiple
     invocations of ssl3_accept when using non-blocking I/O, the
     function may not be aware that a handshake has actually taken
     place, thus preventing a new session from being added to the
     session cache.

     To avoid this problem, we now set s->new_session to 2 instead of
     using a local variable.
     [Lutz Jaenicke, Bodo Moeller]

  *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
     if the SSL_R_LENGTH_MISMATCH error is detected.
     [Geoff Thorpe, Bodo Moeller]

Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
  +) New experimental application configuration code.
     [Steve Henson]

  *) New 'shared_ldflag' column in Configure platform table.
     [Richard Levitte]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix EVP_CIPHER_mode macro.
     ["Dan S. Camper" <dan@bti.net>]

  +) Change the AES code to follow the same name structure as all other
     symmetric ciphers, and behave the same way.  Move everything to
     the directory crypto/aes, thereby obsoleting crypto/rijndael.
     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]

Ulf Möller's avatar
Ulf Möller committed
  *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
     type, we must throw them away by setting rr->length to 0.
     [D P Chang <dpc@qualys.com>]

  -) OpenSSL 0.9.6c released [21 dec 2001]

Ben Laurie's avatar
Ben Laurie committed
  +) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
     [Ben Laurie and Theo de Raadt]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
     <Dominikus.Scherkl@biodata.com>.  (The previous implementation
     worked incorrectly for those cases where  range = 10..._2  and
     3*range  is two bits longer than  range.)
     [Bodo Moeller]

  *) Only add signing time to PKCS7 structures if it is not already
     present.
Dr. Stephen Henson's avatar
 
Dr. Stephen Henson committed
     [Steve Henson]

Bodo Möller's avatar
Bodo Möller committed
  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
     OBJ_ld_ce should be OBJ_id_ce.
     Also some ip-pda OIDs in crypto/objects/objects.txt were
     incorrect (cf. RFC 3039).
Loading full blame...