OpenSSL v0.9.2.b Release Notes

Release Date: 1999-05-24 // over 22 years ago
    • Bignum library bug fix. IRIX 6 passes "make test" now! This also avoids the problems with SC4.2 and unpatched SC5.

    Andy Polyakov [email protected]

    • New functions sk_num, sk_value and sk_set to replace the previous macros. These are required because of the typesafe stack would otherwise break existing code. If old code used a structure member which used to be STACK and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with sk_num or sk_value it would produce an error because the num, data members are not present in STACK_OF. Now it just produces a warning. sk_set replaces the old method of assigning a value to sk_value (e.g. sk_value(x, i) = y) which the library used in a few cases. Any code that does this will no longer work (and should use sk_set instead) but this could be regarded as a "questionable" behaviour anyway.

    Steve Henson

    • Fix most of the other PKCS#7 bugs. The "experimental" code can now correctly handle encrypted S/MIME data.

    Steve Henson

    • Change type of various DES function arguments from des_cblock (which means, in function argument declarations, pointer to char) to des_cblock * (meaning pointer to array with 8 char elements), which allows the compiler to do more typechecking; it was like that back in SSLeay, but with lots of ugly casts.

    Introduce new type const_des_cblock.

    Bodo Moeller

    • Reorganise the PKCS#7 library and get rid of some of the more obvious problems: find RecipientInfo structure that matches recipient certificate and initialise the ASN1 structures properly based on passed cipher.

    Steve Henson

    • Belatedly make the BN tests actually check the results.

    Ben Laurie

    • Fix the encoding and decoding of negative ASN1 INTEGERS and conversion to and from BNs: it was completely broken. New compilation option NEG_PUBKEY_BUG to allow for some broken certificates that encode public key elements as negative integers.

    Steve Henson

    • Reorganize and speed up MD5.

    Andy Polyakov [email protected]

    • VMS support.

    Richard Levitte [email protected]

    • New option -out to asn1parse to allow the parsed structure to be output to a file. This is most useful when combined with the -strparse option to examine the output of things like OCTET STRINGS.

    Steve Henson

    • Make SSL library a little more fool-proof by not requiring any longer that SSL_set_{accept,connect}_state be called before SSL_{accept,connect} may be used (SSL_set_..._state is omitted in many applications because usually everything appeared to work as intended anyway -- now it really works as intended).

    Bodo Moeller

    • Move openssl.cnf out of lib/.

    Ulf Möller

    • Fix various things to let OpenSSL even pass "egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline" with EGCS 1.1.2+

    Ralf S. Engelschall

    • Various fixes to the EVP and PKCS#7 code. It may now be able to handle PKCS#7 enveloped data properly.

    Sebastian Akerman [email protected], modified by Steve

    • Create a duplicate of the SSL_CTX's CERT in SSL_new instead of copying pointers. The cert_st handling is changed by this in various ways (and thus what used to be known as ctx->default_cert is now called ctx->cert, since we don't resort to s->ctx->[default_]cert any longer when s->cert does not give us what we need). ssl_cert_instantiate becomes obsolete by this change. As soon as we've got the new code right (possibly it already is?), we have solved a couple of bugs of the earlier code where s->cert was used as if it could not have been shared with other SSL structures.

    Note that using the SSL API in certain dirty ways now will result in different behaviour than observed with earlier library versions: Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx) does not influence s as it used to.

    In order to clean up things more thoroughly, inside SSL_SESSION we don't use CERT any longer, but a new structure SESS_CERT that holds per-session data (if available); currently, this is the peer's certificate chain and, for clients, the server's certificate and temporary key. CERT holds only those values that can have meaningful defaults in an SSL_CTX.

    Bodo Moeller

    • New function X509V3_EXT_i2d() to create an X509_EXTENSION structure from the internal representation. Various PKCS#7 fixes: remove some evil casts and set the enc_dig_alg field properly based on the signing key type.

    Steve Henson

    • Allow PKCS#12 password to be set from the command line or the environment. Let 'ca' get its config file name from the environment variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req' and 'x509').

    Steve Henson

    • Allow certificate policies extension to use an IA5STRING for the organization field. This is contrary to the PKIX definition but VeriSign uses it and IE5 only recognises this form. Document 'x509' extension option.

    Steve Henson

    • Add PEDANTIC compiler flag to allow compilation with gcc -pedantic, without disallowing inline assembler and the like for non-pedantic builds.

    Ben Laurie

    • Support Borland C++ builder.

    Janez Jere [email protected], modified by Ulf Möller

    • Support Mingw32.

    Ulf Möller

    • SHA-1 cleanups and performance enhancements.

    Andy Polyakov [email protected]

    • Sparc v8plus assembler for the bignum library.

    Andy Polyakov [email protected]

    • Accept any -xxx and +xxx compiler options in Configure.

    Ulf Möller

    • Update HPUX configuration.

    Anonymous

    • Add missing sk_<type>_unshift() function to safestack.h

    Ralf S. Engelschall

    • New function SSL_CTX_use_certificate_chain_file that sets the "extra_cert"s in addition to the certificate. (This makes sense only for "PEM" format files, as chains as a whole are not DER-encoded.)

    Bodo Moeller

    • Support verify_depth from the SSL API. x509_vfy.c had what can be considered an off-by-one-error: Its depth (which was not part of the external interface) was actually counting the number of certificates in a chain; now it really counts the depth.

    Bodo Moeller

    • Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used instead of X509err, which often resulted in confusing error messages since the error codes are not globally unique (e.g. an alleged error in ssl3_accept when a certificate didn't match the private key).

    • New function SSL_CTX_set_session_id_context that allows to set a default value (so that you don't need SSL_set_session_id_context for each connection using the SSL_CTX).

    Bodo Moeller

    • OAEP decoding bug fix.

    Ulf Möller

    • Support INSTALL_PREFIX for package builders, as proposed by David Harris.

    Bodo Moeller

    • New Configure options "threads" and "no-threads". For systems where the proper compiler options are known (currently Solaris and Linux), "threads" is the default.

    Bodo Moeller

    • New script util/mklink.pl as a faster substitute for util/mklink.sh.

    Bodo Moeller

    • Install various scripts to $(OPENSSLDIR)/misc, not to $(INSTALLTOP)/bin -- they shouldn't clutter directories such as /usr/local/bin.

    Bodo Moeller

    • "make linux-shared" to build shared libraries.

    Niels Poppe [email protected]

    • New Configure option no-<cipher> (rsa, idea, rc5, ...).

    Ulf Möller

    • Add the PKCS#12 API documentation to openssl.txt. Preliminary support for extension adding in x509 utility.

    Steve Henson

    • Remove NOPROTO sections and error code comments.

    Ulf Möller

    • Partial rewrite of the DEF file generator to now parse the ANSI prototypes.

    Steve Henson

    • New Configure options --prefix=DIR and --openssldir=DIR.

    Ulf Möller

    • Complete rewrite of the error code script(s). It is all now handled by one script at the top level which handles error code gathering, header rewriting and C source file generation. It should be much better than the old method: it now uses a modified version of Ulf's parser to read the ANSI prototypes in all header files (thus the old K&R definitions aren't needed for error creation any more) and do a better job of translating function codes into names. The old 'ASN1 error code embedded in a comment' is no longer necessary and it doesn't use .err files which have now been deleted. Also the error code call doesn't have to appear all on one line (which resulted in some large lines...).

    Steve Henson

    • Change #include filenames from <foo.h> to <openssl/foo.h>.

    Bodo Moeller

    • Change behaviour of ssl2_read when facing length-0 packets: Don't return 0 (which usually indicates a closed connection), but continue reading.

    Bodo Moeller

    • Fix some race conditions.

    Bodo Moeller

    • Add support for CRL distribution points extension. Add Certificate Policies and CRL distribution points documentation.

    Steve Henson

    • Move the autogenerated header file parts to crypto/opensslconf.h.

    Ulf Möller

    • Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 8 of keying material. Merlin has also confirmed interop with this fix between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.

    Merlin Hughes [email protected]

    • Fix lots of warnings.

    Richard Levitte [email protected]

    • In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if the directory spec didn't end with a LIST_SEPARATOR_CHAR.

    Richard Levitte [email protected]

    • Fix problems with sizeof(long) == 8.

    Andy Polyakov [email protected]

    • Change functions to ANSI C.

    Ulf Möller

    • Fix typos in error codes.

    Martin Kraemer [email protected], Ulf Möller

    • Remove defunct assembler files from Configure.

    Ulf Möller

    • SPARC v8 assembler BIGNUM implementation.

    Andy Polyakov [email protected]

    • Support for Certificate Policies extension: both print and set. Various additions to support the r2i method this uses.

    Steve Henson

    • A lot of constification, and fix a bug in X509_NAME_oneline() that could return a const string when you are expecting an allocated buffer.

    Ben Laurie

    • Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE types DirectoryString and DisplayText.

    Steve Henson

    • Add code to allow r2i extensions to access the configuration database, add an LHASH database driver and add several ctx helper functions.

    Steve Henson

    • Fix an evil bug in bn_expand2() which caused various BN functions to fail when they extended the size of a BIGNUM.

    Steve Henson

    • Various utility functions to handle SXNet extension. Modify mkdef.pl to support typesafe stack.

    Steve Henson

    • Fix typo in SSL_[gs]et_options().

    Nils Frostberg [email protected]

    • Delete various functions and files that belonged to the (now obsolete) old X509V3 handling code.

    Steve Henson

    • New Configure option "rsaref".

    Ulf Möller

    • Don't auto-generate pem.h.

    Bodo Moeller

    • Introduce type-safe ASN.1 SETs.

    Ben Laurie

    • Convert various additional casted stacks to type-safe STACK_OF() variants.

    Ben Laurie, Ralf S. Engelschall, Steve Henson

    • Introduce type-safe STACKs. This will almost certainly break lots of code that links with OpenSSL (well at least cause lots of warnings), but fear not: the conversion is trivial, and it eliminates loads of evil casts. A few STACKed things have been converted already. Feel free to convert more. In the fullness of time, I'll do away with the STACK type altogether.

    Ben Laurie

    • Add openssl ca -revoke <certfile> facility which revokes a certificate specified in <certfile> by updating the entry in the index.txt file. This way one no longer has to edit the index.txt file manually for revoking a certificate. The -revoke option does the gory details now.

    Massimiliano Pala [email protected], Ralf S. Engelschall

    • Fix openssl crl -noout -text combination where -noout killed the -text option at all and this way the -noout -text combination was inconsistent in openssl crl with the friends in openssl x509|rsa|dsa.

    Ralf S. Engelschall

    • Make sure a corresponding plain text error message exists for the X509_V_ERR_CERT_REVOKED/23 error number which can occur when a verify callback function determined that a certificate was revoked.

    Ralf S. Engelschall

    • Bugfix: In test/testenc, don't test openssl <cipher> for ciphers that were excluded, e.g. by -DNO_IDEA. Also, test all available ciphers including rc5, which was forgotten until now. In order to let the testing shell script know which algorithms are available, a new (up to now undocumented) command openssl list-cipher-commands is used.

    Bodo Moeller

    • Bugfix: s_client occasionally would sleep in select() when it should have checked SSL_pending() first.

    Bodo Moeller

    • New functions DSA_do_sign and DSA_do_verify to provide access to the raw DSA values prior to ASN.1 encoding.

    Ulf Möller

    • Tweaks to Configure

    Niels Poppe [email protected]

    • Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support, yet...

    Steve Henson

    • New variables $(RANLIB) and $(PERL) in the Makefiles.

    Ulf Möller

    • New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486.

    Ulf Möller

    • Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the same as SSL2_VERSION anyway.

    Bodo Moeller

    • New "-showcerts" option for s_client.

    Bodo Moeller

    • Still more PKCS#12 integration. Add pkcs12 application to openssl application. Various cleanups and fixes.

    Steve Henson

    • More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and modify error routines to work internally. Add error codes and PBE init to library startup routines.

    Steve Henson

    • Further PKCS#12 integration. Added password based encryption, PKCS#8 and packing functions to asn1 and evp. Changed function names and error codes along the way.

    Steve Henson

    • PKCS12 integration: and so it begins... First of several patches to slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12 objects to objects.h

    Steve Henson

    • Add a new 'indent' option to some X509V3 extension code. Initial ASN1 and display support for Thawte strong extranet extension.

    Steve Henson

    • Add LinuxPPC support.

    Jeff Dubrule [email protected]

    • Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to bn_div_words in alpha.s.

    Hannes Reinecke [email protected] and Ben Laurie

    • Make sure the RSA OAEP test is skipped under -DRSAref because OAEP isn't supported when OpenSSL is built with RSAref.

    Ulf Moeller [email protected]

    • Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h so they no longer are missing under -DNOPROTO.

    Soren S. Jorvang [email protected]