### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Remove the RAND_DRBG API
+
+ The RAND_DRBG API did not fit well into the new provider concept as
+ implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
+ RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
+ and some of its API calls are rather low-level. This holds in particular
+ for the callback mechanism (RAND_DRBG_set_callbacks()).
+
+ Adding a compatibility layer to continue supporting the RAND_DRBG API as
+ a legacy API for a regular deprecation period turned out to come at the
+ price of complicating the new provider API unnecessarily. Since the
+ RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
+ to drop it entirely.
+
+ *Paul Dale and Matthias St. Pierre*
+
+ * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+ as well as actual hostnames.
+
+ *David Woodhouse*
+
+ * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+
+ *Viktor Dukhovni*
+
+ * Deprecated the `ENGINE` API. Engines should be replaced with providers
+ going forward.
+
+ *Paul Dale*
+
+ * Reworked the recorded ERR codes to make better space for system errors.
+ To distinguish them, the macro `ERR_SYSTEM_ERROR()` indicates if the
+ given code is a system error (true) or an OpenSSL error (false).
+
+ *Richard Levitte*
+
+ * Reworked the test perl framework to better allow parallel testing.
+
+ *Nicola Tuveri and David von Oheimb*
+
+ * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
+ AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
+
+ *Shane Lontis*
+
+ * 'Configure' has been changed to figure out the configuration target if
+ none is given on the command line. Consequently, the 'config' script is
+ now only a mere wrapper. All documentation is changed to only mention
+ 'Configure'.
+
+ *Rich Salz and Richard Levitte*
+
+ * Added a library context that applications as well as other
+ libraries can use to form a separate context within which libcrypto
+ operations are performed.
+
+ There are two ways this can be used:
+
+ - Directly, by passing a library context to functions that take
+ such an argument, such as `EVP_CIPHER_fetch` and similar algorithm
+ fetching functions.
+ - Indirectly, by creating a new library context and then assigning
+ it as the new default, with `OPENSSL_CTX_set0_default`.
+
+ All public OpenSSL functions that take an `OPENSSL_CTX` pointer,
+ apart from the functions directly related to `OPENSSL_CTX`, accept
+ NULL to indicate that the default library context should be used.
+
+ Library code that changes the default library context using
+ `OPENSSL_CTX_set0_default` should take care to restore it with a
+ second call before returning to the caller.
+
+ *Richard Levitte*
+
+ * Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+
+ *Tomas Mraz*
+
+ * Dropped interactive mode from the 'openssl' program. From now on,
+ the `openssl` command without arguments is equivalent to `openssl
+ help`.
+
+ *Richard Levitte*
+
+ * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and
+ EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq().
+ While the old function names have been retained for backward compatibility
+ they should not be used in new developments
+ because their return values are confusing: Unlike other `_cmp()` functions
+ they do not return 0 in case their arguments are equal.
+
+ *David von Oheimb*
+
+ * Deprecated EC_METHOD_get_field_type(). Applications should switch to
+ EC_GROUP_get_field_type().
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_GFp_simple_method(), EC_GFp_mont_method(),
+ EC_GF2m_simple_method(), EC_GFp_nist_method(), EC_GFp_nistp224_method()
+ EC_GFp_nistp256_method(), and EC_GFp_nistp521_method().
+ Applications should rely on the library automatically assigning a suitable
+ EC_METHOD internally upon EC_GROUP construction.
+
+ *Billy Bob Brumley*
+
+ * Deprecated EC_GROUP_new(), EC_GROUP_method_of(), and EC_POINT_method_of().
+ EC_METHOD is now an internal-only concept and a suitable EC_METHOD is
+ assigned internally without application intervention.
+ Users of EC_GROUP_new() should switch to a different suitable constructor.
+
+ *Billy Bob Brumley*
+
* Add CAdES-BES signature verification support, mostly derived
from ESSCertIDv2 TS (RFC 5816) contribution by Marek Klein.
*Paul Dale*
+ * The security strength of SHA1 and MD5 based signatures in TLS has been
+ reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
+ working at the default security level of 1 and instead requires security
+ level 0. The security level can be changed either using the cipher string
+ with @SECLEVEL, or calling SSL_CTX_set_security_level().
+
+ *Kurt Roeckx*
+
* EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH(), and
EVP_PKEY_get0_EC_KEY() can now handle EVP_PKEYs with provider side
internal keys, if they correspond to one of those built in types.
*Richard Levitte*
+ * Project text documents not yet having a proper file name extension
+ (`HACKING`, `LICENSE`, `NOTES*`, `README*`, `VERSION`) have been renamed to
+ `*.md` as far as reasonable, else `*.txt`, for better use with file managers.
+
+ *David von Oheimb*
+
* The main project documents (README, NEWS, CHANGES, INSTALL, SUPPORT)
have been converted to Markdown with the goal to produce documents
which not only look pretty when viewed online in the browser, but
*David von Oheimb*
+ * Added `util/check-format.pl`, a tool for checking adherence to the
+ OpenSSL coding style <https://www.openssl.org/policies/codingstyle.html>.
+ The checks performed are incomplete and yield some false positives.
+ Still the tool should be useful for detecting most typical glitches.
+
+ *David von Oheimb*
+
+ * BIO_do_connect and BIO_do_handshake have been extended:
+ If domain name resolution yields multiple IP addresses all of them are tried
+ after connect() failures.
+
+ *David von Oheimb*
+
* All of the low level RSA functions have been deprecated including:
RSA_new_method, RSA_size, RSA_security_bits, RSA_get0_pss_params,
*Paul Dale*
* The command line utilities genrsa and rsa have been modified to use PKEY
- APIs These commands are now in maintenance mode and no new features will
- be added to them.
+ APIs. They now write PKCS#8 keys by default. These commands are now in
+ maintenance mode and no new features will be added to them.
*Paul Dale*
*Rich Salz*
- * Introduced a new method type and API, OSSL_SERIALIZER, to
- represent generic serializers. An implementation is expected to
- be able to serialize an object associated with a given name (such
+ * Introduced a new method type and API, OSSL_ENCODER, to
+ represent generic encoders. An implementation is expected to
+ be able to encode an object associated with a given name (such
as an algorithm name for an asymmetric key) into forms given by
implementation properties.
- Serializers are primarily used from inside libcrypto, through
+ Encoders are primarily used from inside libcrypto, through
calls to functions like EVP_PKEY_print_private(),
PEM_write_bio_PrivateKey() and similar.
- Serializers are specified in such a way that they can be made to
+ Encoders are specified in such a way that they can be made to
directly handle the provider side portion of an object, if this
- provider side part comes from the same provider as the serializer
+ provider side part comes from the same provider as the encoder
itself, but can also be made to handle objects in parametrized
form (as an OSSL_PARAM array of data). This allows a provider to
- offer generic serializers as a service for any other provider.
+ offer generic encoders as a service for any other provider.
*Richard Levitte*
- SSL_CTX_load_verify_dir()
- SSL_CTX_load_verify_store()
- Also, the following functions are now deprecated:
-
- - X509_STORE_load_locations() (use X509_STORE_load_file(),
- X509_STORE_load_path() or X509_STORE_load_store() instead)
- - SSL_CTX_load_verify_locations() (use SSL_CTX_load_verify_file(),
- SSL_CTX_load_verify_dir() or SSL_CTX_load_verify_store() instead)
-
*Richard Levitte*
* Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
*Richard Levitte*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
* Added EVP_MAC, an EVP layer MAC API, to simplify adding MAC
implementations. This includes a generic EVP_PKEY to EVP_MAC bridge,
to facilitate the continued use of MACs through raw private keys in
- functionality such as EVP_DigestSign* and EVP_DigestVerify*.
+ functionality such as `EVP_DigestSign*` and `EVP_DigestVerify*`.
*Richard Levitte*
*Richard Levitte*
+ * Added the options `-crl_lastupdate` and `-crl_nextupdate` to `openssl ca`,
+ allowing the `lastUpdate` and `nextUpdate` fields in the generated CRL to
+ be set explicitly.
+
+ *Chris Novakovic*
+
* Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
improves application performance by removing data copies and providing
applications with zero-copy system calls such as sendfile and splice.
*Boris Pismenny*
+ * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that
+ option is set, openssl cleanses (zeroize) plaintext bytes from
+ internal buffers after delivering them to the application. Note,
+ the application is still responsible for cleansing other copies
+ (e.g.: data received by SSL_read(3)).
+
+ *Martin Elshuber*
+
+ * `PKCS12_parse` now maintains the order of the parsed certificates
+ when outputting them via `*ca` (rather than reversing it).
+
+ *David von Oheimb*
+
OpenSSL 1.1.1
-------------
*Matthias St. Pierre*
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
*Paul Yang*
* Add SM3 implemented according to GB/T 32905-2016
- * Jack Lloyd <jack.lloyd@ribose.com>,
- Ronald Tse <ronald.tse@ribose.com>,
- Erick Borsboom <erick.borsboom@ribose.com> *
+ *Jack Lloyd <jack.lloyd@ribose.com>,*
+ *Ronald Tse <ronald.tse@ribose.com>,*
+ *Erick Borsboom <erick.borsboom@ribose.com>*
* Add 'Maximum Fragment Length' TLS extension negotiation and support
as documented in RFC6066.
*Filipe Raimundo da Silva*
* Add SM4 implemented according to GB/T 32907-2016.
- * Jack Lloyd <jack.lloyd@ribose.com>,
- Ronald Tse <ronald.tse@ribose.com>,
- Erick Borsboom <erick.borsboom@ribose.com> *
+ *Jack Lloyd <jack.lloyd@ribose.com>,*
+ *Ronald Tse <ronald.tse@ribose.com>,*
+ *Erick Borsboom <erick.borsboom@ribose.com>*
* Reimplement -newreq-nodes and ERR_error_string_n; the
original author does not agree with the license change.
### Changes between 1.1.0k and 1.1.0l [10 Sep 2019]
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
Makefile. Instead, Configure produces a perl module in
configdata.pm which holds most of the config data (in the hash
table %config), the target data that comes from the target
- configuration in one of the `Configurations/*.conf~ files (in
+ configuration in one of the `Configurations/*.conf` files (in
%target).
*Richard Levitte*
opaque. For HMAC_CTX, the following constructors and destructors
were added:
- HMAC_CTX *HMAC_CTX_new(void);
- void HMAC_CTX_free(HMAC_CTX *ctx);
+ HMAC_CTX *HMAC_CTX_new(void);
+ void HMAC_CTX_free(HMAC_CTX *ctx);
For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
destroy such methods has been added. See EVP_MD_meth_new(3) and
EVP_CIPHER_meth_new(3) for documentation.
Additional changes:
- 1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
- HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
- EVP_MD_CTX_reset() should be called instead to reinitialise
+ 1) `EVP_MD_CTX_cleanup()`, `EVP_CIPHER_CTX_cleanup()` and
+ `HMAC_CTX_cleanup()` were removed. `HMAC_CTX_reset()` and
+ `EVP_MD_CTX_reset()` should be called instead to reinitialise
an already created structure.
2) For consistency with the majority of our object creators and
- destructors, EVP_MD_CTX_(create|destroy) were renamed to
- EVP_MD_CTX_(new|free). The old names are retained as macros
+ destructors, `EVP_MD_CTX_(create|destroy)` were renamed to
+ `EVP_MD_CTX_(new|free)`. The old names are retained as macros
for deprecated builds.
*Richard Levitte*
* State machine rewrite. The state machine code has been significantly
refactored in order to remove much duplication of code and solve issues
- with the old code (see ssl/statem/README for further details). This change
- does have some associated API changes. Notably the SSL_state() function
- has been removed and replaced by SSL_get_state which now returns an
- "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
- altogether. The previous handshake states defined in ssl.h and ssl3.h have
- also been removed.
+ with the old code (see [ssl/statem/README.md](ssl/statem/README.md) for
+ further details). This change does have some associated API changes.
+ Notably the SSL_state() function has been removed and replaced by
+ SSL_get_state which now returns an "OSSL_HANDSHAKE_STATE" instead of an int.
+ SSL_set_state() has been removed altogether. The previous handshake states
+ defined in ssl.h and ssl3.h have also been removed.
*Matt Caswell*
*Emilia Käsper*
* Fix no-stdio build.
- * David Woodhouse <David.Woodhouse@intel.com> and also
- Ivan Nestlerode <ivan.nestlerode@sonos.com> *
+ *David Woodhouse <David.Woodhouse@intel.com> and also*
+ *Ivan Nestlerode <ivan.nestlerode@sonos.com>*
* New testing framework
The testing framework has been largely rewritten and is now using
*Steve Henson*
- * Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
+ * Rename old X9.31 PRNG functions of the form `FIPS_rand*` to `FIPS_x931*`.
This shouldn't present any incompatibility problems because applications
shouldn't be using these directly and any that are will need to rethink
anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
### Changes between 1.0.2s and 1.0.2t [10 Sep 2019]
* For built-in EC curves, ensure an EC_GROUP built from the curve name is
- used even when parsing explicit parameters, when loading a serialized key
+ used even when parsing explicit parameters, when loading a encoded key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
- serialized, the output is still encoded with explicit parameters, even if
+ encoded, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
*Nicola Tuveri*
* Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an
- int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
- large values of |i| this can result in |bn_expand| not allocating any
- memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
+ large values of `i` this can result in `bn_expand` not allocating any
+ memory because `i * 4` is negative. This can leave the internal BIGNUM data
field as NULL leading to a subsequent NULL ptr deref. For very large values
- of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
In this case memory is allocated to the internal BIGNUM data field, but it
is insufficiently sized leading to heap corruption. A similar issue exists
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
* Fix memory issues in `BIO_*printf` functions
- The internal |fmtstr| function used in processing a "%s" format string in
+ The internal `fmtstr` function used in processing a "%s" format string in
the `BIO_*printf` functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings.
- Additionally the internal |doapr_outch| function can attempt to write to an
+ Additionally the internal `doapr_outch` function can attempt to write to an
OOB memory location (at an offset from the NULL pointer) in the event of a
memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
* Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an
- int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
- large values of |i| this can result in |bn_expand| not allocating any
- memory because |i * 4| is negative. This can leave the internal BIGNUM data
+ int value `i`. Later `bn_expand` is called with a value of `i * 4`. For
+ large values of `i` this can result in `bn_expand` not allocating any
+ memory because `i * 4` is negative. This can leave the internal BIGNUM data
field as NULL leading to a subsequent NULL ptr deref. For very large values
- of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
+ of `i`, the calculation `i * 4` could be a positive value smaller than `i`.
In this case memory is allocated to the internal BIGNUM data field, but it
is insufficiently sized leading to heap corruption. A similar issue exists
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
* Fix memory issues in `BIO_*printf` functions
- The internal |fmtstr| function used in processing a "%s" format string in
+ The internal `fmtstr` function used in processing a "%s" format string in
the `BIO_*printf` functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings.
- Additionally the internal |doapr_outch| function can attempt to write to an
+ Additionally the internal `doapr_outch` function can attempt to write to an
OOB memory location (at an offset from the NULL pointer) in the event of a
memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
disable just protocol X, but all protocols above X *if* there are
protocols *below* X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
- above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
- SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
+ above, it's not sufficient to pass `SSL_OP_NO_TLSv1`, one has to pass
+ `SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2`. This applies to
client side.
*Andy Polyakov*
of specific crypto interfaces. This change also introduces integrated
support for symmetric ciphers and digest implementations - so ENGINEs
can now accelerate these by providing EVP_CIPHER and EVP_MD
- implementations of their own. This is detailed in crypto/engine/README
+ implementations of their own. This is detailed in
+ [crypto/engine/README.md](crypto/engine/README.md)
as it couldn't be adequately described here. However, there are a few
API changes worth noting - some RSA, DSA, DH, and RAND functions that
were changed in the original introduction of ENGINE code have now
makes them more flexible to be built both as statically-linked ENGINEs
and self-contained shared-libraries loadable via the "dynamic" ENGINE.
Also, add stub code to each that makes building them as self-contained
- shared-libraries easier (see README.ENGINE).
+ shared-libraries easier (see [README-Engine.md](README-Engine.md)).
*Geoff Thorpe*
self-contained shared-libraries. The "dynamic" ENGINE exposes control
commands that can be used to configure what shared-library to load and
to control aspects of the way it is handled. Also, made an update to
- the README.ENGINE file that brings its information up-to-date and
+ the [README-Engine.md](README-Engine.md) file
+ that brings its information up-to-date and
provides some information and instructions on the "dynamic" ENGINE
(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
*Geoff Thorpe, Lutz Jaenicke*
* Modify mkdef.pl to recognise and parse preprocessor conditionals
- of the form '#if defined(...) || defined(...) || ...' and
- '#if !defined(...) && !defined(...) && ...'. This also avoids
+ of the form `#if defined(...) || defined(...) || ...` and
+ `#if !defined(...) && !defined(...) && ...`. This also avoids
the growing number of special cases it was previously handling.
*Richard Levitte*
*Bodo Moeller*
- * Move `BN_mod_...` functions into new file crypto/bn/bn_mod.c
- (except for exponentiation, which stays in crypto/bn/bn_exp.c,
- and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
+ * Move `BN_mod_...` functions into new file `crypto/bn/bn_mod.c`
+ (except for exponentiation, which stays in `crypto/bn/bn_exp.c`,
+ and `BN_mod_mul_reciprocal`, which stays in `crypto/bn/bn_recp.c`)
and add new functions:
BN_nnmod
These functions always generate non-negative results.
- BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
- such that |m| < r < 0, BN_nnmod will output rem + |m| instead).
+ `BN_nnmod` otherwise is `like BN_mod` (if `BN_mod` computes a remainder `r`
+ such that `|m| < r < 0`, `BN_nnmod` will output `rem + |m|` instead).
- BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
- BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
- be reduced modulo m.
+ `BN_mod_XXX_quick(r, a, [b,] m)` generates the same result as
+ `BN_mod_XXX(r, a, [b,] m, ctx)`, but requires that `a` [and `b`]
+ be reduced modulo `m`.
*Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller*
-f 0
+<!--
The following entry accidentally appeared in the CHANGES file
distributed with OpenSSL 0.9.7. The modifications described in
it do *not* apply to OpenSSL 0.9.7.
differing sizes.
*Richard Levitte*
-ndif
+-->
* In 'openssl passwd', verify passwords read from the terminal
unless the '-salt' option is used (which usually means that
* Change the handling of OID objects as follows:
- New object identifiers are inserted in objects.txt, following
- the syntax given in objects.README.
+ the syntax given in [crypto/objects/README.md](crypto/objects/README.md).
- objects.pl is used to process obj_mac.num and create a new
obj_mac.h.
- obj_dat.pl is used to create a new obj_dat.h, using the data in
*Steve Henson*
* Be less restrictive and allow also `perl util/perlpath.pl
- /path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
- because this way one can also use an interpreter named `perl5' (which is
+ /path/to/bin/perl` in addition to `perl util/perlpath.pl /path/to/bin`,
+ because this way one can also use an interpreter named `perl5` (which is
usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
- installed as `perl').
+ installed as `perl`).
*Matthias Loepfe <Matthias.Loepfe@adnovum.ch>*
*Steve Henson*
- * Make `openssl version' output lines consistent.
+ * Make `openssl version` output lines consistent.
*Ralf S. Engelschall*
*Ben Laurie*
* Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
- on the `perl Configure ...' command line. This way one can compile
+ on the `perl Configure ...` command line. This way one can compile
OpenSSL libraries with Position Independent Code (PIC) which is needed
for linking it into DSOs.
*Ralf S. Engelschall*
- * General source tree makefile cleanups: Made `making xxx in yyy...'
- display consistent in the source tree and replaced `/bin/rm' by `rm'.
- Additionally cleaned up the `make links' target: Remove unnecessary
+ * General source tree makefile cleanups: Made `making xxx in yyy...`
+ display consistent in the source tree and replaced `/bin/rm` by `rm`.
+ Additionally cleaned up the `make links` target: Remove unnecessary
semicolons, subsequent redundant removes, inline point.sh into mklink.sh
to speed processing and no longer clutter the display with confusing
stuff. Instead only the actually done links are displayed.
*Ralf S. Engelschall*
- * Make `openssl x509 -noout -modulus' functional also for DSA certificates
+ * Make `openssl x509 -noout -modulus`' functional also for DSA certificates
(in addition to RSA certificates) to match the behaviour of `openssl dsa
- -noout -modulus' as it's already the case for `openssl rsa -noout
- -modulus'. For RSA the -modulus is the real "modulus" while for DSA
+ -noout -modulus` as it's already the case for `openssl rsa -noout
+ -modulus`. For RSA the -modulus is the real "modulus" while for DSA
currently the public key is printed (a decision which was already done by
- `openssl dsa -modulus' in the past) which serves a similar purpose.
+ `openssl dsa -modulus` in the past) which serves a similar purpose.
Additionally the NO_RSA no longer completely removes the whole -modulus
option; it now only avoids using the RSA stuff. Same applies to NO_DSA
now, too.
projects / openssl.git / blobdiff