NEWS

---

openssl 2.2.2 (2024-09-20)

• Reduce test verbosity per CRAN request
• Update maintainer email address

openssl 2.2.1 (2024-08-16)

• Skip some legacy sha1 tests on Redhat systems to fix #125

openssl 2.2.0 (2024-05-16)

• Use new EVP_MD_fetch() api on libssl 3 to find non-default algorithms.
• Add keccak() hash function
• MacOS/Windows: update to OpenSSL 3.3.0

openssl 2.1.2 (2024-04-21)

• MacOS: avoid linking against legacy versions of openssl

openssl 2.1.1 (2023-09-25)

• Windows: update to openssl 3.1.2 + arm support

openssl 2.1.0 (2023-07-15)

• Windows and autobrew binaries have been bumped to libssl 3.1.1. (MacOS CRAN binaries use libssl from CRAN 'recipes' which is currently libssl 1.1.1)
• Added sha3() function

openssl 2.0.6 (2023-03-09)

• Add new functions pkcs7_encrypt and pkcs7_decrypt
• Fix snprintf bug in hash functions

openssl 2.0.5 (2022-12-06)

• Replace sprintf with snprintf for CRAN

openssl 2.0.4 (2022-10-17)

• Fix strict-prototype warnings for CRAN

openssl 2.0.3 (2022-09-14)

• New function write_openssh_pem to support ed25519 in libssh2/gert

openssl 2.0.2 (2022-05-24)

• Disable tests that require internet access to comply with AON policy

openssl 2.0.1 (2022-05-14)

• Fix a unit test for a changed error message in openssl 3.0.2

openssl 2.0.0 (2022-03-02)

• The default fingerprint() for keys has changed from md5 to sha256. This is a breaking change, but in line with other software phasing out md5, and needed to support systems where use of MD5 has been disabled to comply with FIPS.
• Make the test-suite pass under FIPS on RHEL 8.
• New family of ssl_ctx functions to manipulate an SSL context from inside curl https requests.
• Rd manuals have been markdownified

openssl 1.4.6 (2021-12-19)

• Update unit tests to new pki.goog test servers

openssl 1.4.5 (2021-09-02)

• Tweaks and fixes for upcoming OpenSSLv3. Once OpenSSLv3 is released we should port the deprecated functions, but for now we keep supporting OpenSSL 1.0.2.

openssl 1.4.4 (2021-04-30)

• Fix rand_bytes for large input
• Remove some legacy Windows workarounds from R 3.2
• Windows: upgrade libs to openssl 1.1.1k

openssl 1.4.3 (2020-09-18)

• Fix a harmless compiler warning for CRAN

openssl 1.4.2 (2020-06-27)

• Catch FIPS errors and add FIPS flag to openssl_config()
• Win/Mac: update binary packages to openssl 1.1.1g
• Early preparations for upcoming OpenSSL 3

openssl 1.4.1 (2019-07-18)

• write_pkcs1 now supports RSA/DSA/EC keys for legacy ssh compatibility
• as.list.cert() gains a parameter 'name_format' to control printing #72

openssl 1.4.0

• Expose ed25519 and x25519 functions for signatures and diffie hellman using curve25519. This is only supported when building against version 1.1.1 or newer of the openssl library.
• Unit tests for curve25519 (this requires sodium)

openssl 1.3.0

• read_key() now supports the new openssh private key format
• Added bcrypt KDF which is needed to read the new openssh keys

openssl 1.2.2 (2019-03-01)

• Fix double free crash with libssl 1.1.1b

openssl 1.2.1 (2019-01-17)

• Hotfix release for crash in ecdsa_write()

openssl 1.2 (2019-01-16)

• askpass() has been moved into its own package and gains native programs for MacOS and Windows.
• Added ecdsa_parse() and ecdsa_write() to support JWT signatures (jose pkg)

openssl 1.1 (2018-11-15)

• MacOS and Windows binaries now ship with libssl 1.1.1 (TLS 1.3 support)
• Windows (breaking): my_key() and my_pubkey() now interpret ~/ as windows home dir instead of documents dir, for compatibility with other software.
• my_pubkey() no longer uses USER_PUBKEY but instead USER_KEY + ".pub"
• Use the OpenSSL 1.1 API in LibreSSL 2.7
• Suppress echo in askpass if stdin is a tty

openssl 1.0.2 (2018-07-30)

• Improve system error messages in download_ssl_cert()
• Fix unit test (password error message) for libcrypto 1.1.1

openssl 1.0.1 (2018-03-03)

• Fix a unit test from http://pki.goog/ (google changed servers)

openssl 1.0 (2018-02-02)

• Add the 'name' field to read_p12() output
• Add write_pkcs1() for legacy OpenSSH keys
• Fix unit tests using http://pki.goog/ (Google changed crt files to DER)

openssl 0.9.9 (2017-11-10)

• Workaround failing test on Mavericks due to IPv6 firewall issue

openssl 0.9.8 (2017-11-03)

• Fix build on OSX Mavericks

openssl 0.9.7 (2017-09-06)

• Configure script checks SHLIB_VERSION_NUMBER to find matching lib
• Added internal stopifnot() replacement to give more helpful error mesasges
• Add live SSL unit tests from https://pki.goog
• Fix for OpenBSD/FreeBSD (#41)
• Added as.integer.bignum() method
• Update maintainer email address
• Add symbol registration call in R_init_openssl
• Reject empty digests when signing (#44)
• Use OPENSSL_free to free OpenSSL's allocations (#44)
• Cleanups for ec_keygen() (#44)
• Windows: update OpenSSL to 1.1.0f

openssl 0.9.6 (2016-12-31)

• Add read_p7b() and write_p7b() for certificate bundles
• Rename read_pkcs12 / write_pkcs12 to read_p12 / write_p12
• More unit test for rountripping certs
• Workaround for PEM files with "RSA PUBLIC KEY" instead of "PUBLIC KEY" header
• Fix example in bignum vignette for OpenSSL 1.1.0 (increase RSA key size)
• Sync bundled cacert.pem with Mozilla as of: Wed Sep 14 03:12:05 2016
• Added blake2b and blake2s hash functions (only available in libssl 1.1)
• Fix support for LibreSSL
• Windows: update libssl/libcrypto to 1.1.0c

openssl 0.9.5 (2016-10-28)

• Support for new API in OpenSSL 1.1.0
• Remove 'pseudo_rand_bytes()' (deprecated in libssl)
• Work around missing EVP_CIPH_GCM_MODE in OpenSSL 1.0.0
• Add read_pkcs12() and write_pkcs12() functions
• Add read_pem() for debugging PEM files
• Add base methods [, [[, $, names, .DollarNames for keys and certificates
• Update libssl on Windows to 1.0.2h
• Add #define _POSIX_C_SOURCE in ssl.c to ensure getaddrinfo() is available
• Add as.character.hash method for raw hashes
• Clear error buffer when raising an error

openssl 0.9.4 (2016-05-25)

• Fix ec_keygen() for old versions of OpenSSL
• Added aes_ctr() and aes_gcm() modes
• Added aes_keygen()
• Added bignum_mod_inv()
• Internal tools for JWT/JWK support (see pkg: jose)

openssl 0.9.3 (2016-05-04)

• Added ec_dh() function for ECDH
• Added --atleast-version=1.0 to pkg-config in configure script
• Switch as.list(cert) to RFC2253 format for 'subject' and 'issuer' fields

openssl 0.9.2 (2016-02-26)

• Disable EC stuff for OPENSSL_NO_EC (needed on some Solaris / Gentoo)
• Added openssl_config() function to test if libssl is built with EC support
• Make configure script bourne compatible (remove bash shebang)
• Tweak for OpenBSD in ssl.c
• Added sha224, sha384 and sha2 functions
• Export the fingerprint function

openssl 0.9.1 (2016-01-18)

• Fix for getaddrinfo() in Solaris
• Use the configurable askpass() for password prompt

openssl 0.9 (2016-01-13)

• Switched download_ssl_cert to getaddrinfo() api for ipv6 support
• Fix for example for naming conflict with new digest package

openssl 0.8 (2015-12-15)

• Configure script now checks for OpenSSL minimum version 1.0.0

openssl 0.7

• Breaking change: hash functions now use hmac 'key' instead of a 'salt'
• The my_key() and my_pubkey() functions now work as documented
• as.list(cert) add alt_names field for https certs with multiple domains
• added export_pem for certificates

openssl 0.6 (2015-11-18)

• Added --force-bottle to autobrew installer
• Use nonblocking socket in ssl to set connection timeout
• Fix UBSAN problem in ssl.c
• Fix ASAN problem in hash.c

openssl 0.5 (2015-11-15)

• Major overhaul, add encryption, signature, cert stuff
• Upgrade libssl and libcrypto on windows to 1.0.2d

openssl 0.4 (2015-05-11)

• Added base64 functions