git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Document -purpose option in usage string.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.5a and 0.9.6 [xx XXX 2000]

  *) Fix so PRNG is seeded in req if using an already existing
     DSA key.
     [Steve Henson]

  *) New options to smime application. -inform and -outform
     allow alternative formats for the S/MIME message including
     PEM and DER. The -content option allows the content to be
     specified separately. This should make things like Netscape
     form signing output easier to verify.
     [Steve Henson]

  *) Fix the ASN1 encoding of tags using the 'long form'.
     [Steve Henson]

  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
     STRING types. These convert content octets to and from the
     underlying type. The actual tag and length octets are
     already assumed to have been read in and checked. These
     are needed because all other string types have virtually
     identical handling apart from the tag. By having versions
     of the ASN1 functions that just operate on content octets,
     IMPLICIT tagging can be handled properly. It also allows
     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
     and ASN1_INTEGER are identical apart from the tag.
     [Steve Henson]

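The long-form tag encoding and the c2i_* content-octet decoders described in the two entries above, as an added Python example (not OpenSSL's code; read_tlv, c2i_integer, c2i_bit_string and decode_all are names of this example only): read_tlv() consumes the tag and length, including tag numbers of 31 and above in the base-128 long form, while the c2i_* functions see only the content octets, so an INTEGER carrying an IMPLICIT [40] tag is decoded by the same function as a universal one. The DER bytes in SAMPLE are constructed for the example.

```python
def read_tlv(data, pos=0):
    """Consume one DER tag and length at data[pos]; the caller gets only the
    content octets, as c2i_* expect. Returns (class, tag_number, content, next)."""
    first, pos = data[pos], pos + 1
    cls, tag = first & 0xC0, first & 0x1F
    if tag == 0x1F:  # long form: base-128 digits follow, high bit set = more
        tag = 0
        while True:
            b, pos = data[pos], pos + 1
            tag = (tag << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length, pos = data[pos], pos + 1
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return cls, tag, data[pos:pos + length], pos + length

def c2i_integer(content):
    """INTEGER content octets -> int (big-endian two's complement)."""
    if not content:
        raise ValueError("INTEGER needs at least one content octet")
    return int.from_bytes(content, "big", signed=True)

def c2i_bit_string(content):
    """BIT STRING content octets -> (bit count, bits as int); the first
    octet says how many low bits of the last octet are padding."""
    unused = content[0]
    if unused > 7 or (unused and len(content) == 1):
        raise ValueError("invalid unused-bits octet")
    return (len(content) - 1) * 8 - unused, int.from_bytes(content[1:], "big") >> unused

# Constructed sample: INTEGER -300, the same value IMPLICIT-tagged [40] (tag bytes 9F 28), BIT STRING '01'.
SAMPLE = bytes.fromhex("0202fed4" "9f2802fed4" "03020640")

def decode_all(data):
    """Walk SAMPLE-style data; [40] reuses c2i_integer since only the tag differs."""
    out, pos = [], 0
    while pos < len(data):
        cls, tag, content, pos = read_tlv(data, pos)
        if (cls, tag) in ((0x00, 2), (0x80, 40)):
            out.append(("INTEGER", tag, c2i_integer(content)))
        elif (cls, tag) == (0x00, 3):
            out.append(("BIT STRING", tag, c2i_bit_string(content)))
        else:
            raise ValueError(f"unexpected tag class={cls:#x} number={tag}")
    return out
```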
  *) Change the handling of OID objects as follows:

     - New object identifiers are inserted in objects.txt, following
       the syntax given in objects.README.
     - objects.pl is used to process obj_mac.num and create a new
       obj_mac.h.
     - obj_dat.pl is used to create a new obj_dat.h, using the data in
       obj_mac.h.

     This is currently kind of a hack, and the perl code in objects.pl
     isn't very elegant, but it works as I intended. The simplest way
     to check that it worked correctly is to look in obj_dat.h and
     check the array nid_objs and make sure the objects haven't moved
     around (this is important!). Additions are OK, as well as
     consistent name changes.
     [Richard Levitte]

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

  *) Addition of the command line parameter '-rand file' to 'openssl req'.
     The given file adds to whatever has already been seeded into the
     random pool through the RANDFILE configuration file option or
     environment variable, or the default random state file.
     [Richard Levitte]

  *) mkstack.pl now sorts each macro group into lexical order.
     Previously the output order depended on the order the files
     appeared in the directory, resulting in needless rewriting
     of safestack.h.
     [Steve Henson]

  *) Patches to make OpenSSL compile under Win32 again. Mostly
     workarounds for the VC++ problem that it treats func() as
     func(void). Also stripped out the parts of mkdef.pl that
     added extra typesafe functions: these no longer exist.
     [Steve Henson]

  *) Reorganisation of the stack code. The macros are now all
     collected in safestack.h. Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The
     DEBUG_SAFESTACK is now handled in terms of function casts;
     this has the advantage of retaining type safety without the
     use of additional functions. If DEBUG_SAFESTACK is not defined
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     which (if any) compilers it chokes on, and maybe make
     DEBUG_SAFESTACK the default if there are no major problems.
     Similar behaviour for ASN1_SET_OF and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
     key derivation algorithm is different. Normally MD5(password) is
     used as a 128 bit RC4 key. In the modified case
     MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some
     new functions i2d_RSA_NET(), d2i_RSA_NET() etc., which are the same
     as the old Netscape_RSA functions except they have an additional
     'sgckey' parameter which uses the modified algorithm. Also added
     an -sgckey command line option to the rsa utility. Thanks to
     Adrian Peck <bertie@ncipher.com> for posting details of the modified
     algorithm to openssl-dev.
     [Steve Henson]

  *) The evp_local.h macros were using 'c.##kname' which resulted in
     invalid expansion on some systems (SCO 5.0.5 for example).
     Corrected to 'c.kname'.
     [Phillip Porch <root@theporch.com>]

  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
     a STACK of email addresses from a certificate or request; these look
     in the subject name and the subject alternative name extensions and
     omit any duplicate addresses.
     [Steve Henson]

  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
     This makes DSA verification about 2 % faster.
     [Bodo Moeller]

  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
     (meaning that now 2^5 values will be precomputed, which is only 4 KB
     plus overhead for 1024 bit moduli).
     This makes exponentiations about 0.5 % faster for 1024 bit
     exponents (as measured by "openssl speed rsa2048").
     [Bodo Moeller]

  *) Rename memory handling macros to avoid conflicts with other
     software:
       Malloc         => OPENSSL_malloc
       Malloc_locked  => OPENSSL_malloc_locked
       Realloc        => OPENSSL_realloc
       Free           => OPENSSL_free
     [Richard Levitte]

  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
     [Bodo Moeller]

  *) CygWin32 support.
     [John Jarvie <jjarvie@newsguy.com>]

  *) The type-safe stack code has been rejigged. It is now only compiled
     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
     by default all type-specific stack functions are "#define"d back to
     standard stack functions. This results in more streamlined output
     but retains the type-safety checking possibilities of the original
     approach.
     [Geoff Thorpe]

  *) The STACK code has been cleaned up, and certain type declarations
     that didn't make a lot of sense have been brought in line. This has
     also involved a cleanup of sorts in safestack.h to more correctly
     map type-safe stack functions onto their plain stack counterparts.
     This work has also resulted in a variety of "const"ifications of
     lots of the code, especially "_cmp" operations which should normally
     be prototyped with "const" parameters anyway.
     [Geoff Thorpe]

  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
     (The PRNG state consists of two parts, the large pool 'state' and 'md',
     where all of 'md' is used each time the PRNG is used, but 'state'
     is used only indexed by a cyclic counter. As entropy may not be
     well distributed from the beginning, 'md' is important as a
     chaining variable. However, the output function chains only half
     of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
     all of 'md', and seeding with STATE_SIZE dummy bytes will result
     in all of 'state' being rewritten, with the new values depending
     on virtually all of 'md'. This overcomes the 80 bit limitation.)
     [Bodo Moeller]

  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
     the handshake is continued after ssl_verify_cert_chain();
     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
     can lead to 'unexplainable' connection aborts later.
     [Bodo Moeller; problem tracked down by Lutz Jaenicke]

  *) Major EVP API cipher revision.
     Add hooks for extra EVP features. This allows various cipher
     parameters to be set in the EVP interface. Support added for variable
     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
     setting of RC2 and RC5 parameters.

     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
     ciphers.

     Remove lots of duplicated code from the EVP library. For example *every*
     cipher init() function handles the 'iv' in the same way according to the
     cipher mode. They also all do nothing if the 'key' parameter is NULL and
     for CFB and OFB modes they zero ctx->num.

     New functionality allows removal of S/MIME code RC2 hack.

     Most of the routines have the same form and so can be declared in terms
     of macros.

     By shifting this to the top level EVP_CipherInit() it can be removed from
     all individual ciphers. If the cipher wants to handle IVs or keys
     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
     flags.

     Change lots of functions like EVP_EncryptUpdate() to now return a
     value: although software versions of the algorithms cannot fail
     any installed hardware versions can.
     [Steve Henson]

  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
     this option is set, tolerate broken clients that send the negotiated
     protocol version number instead of the requested protocol version
     number.
     [Bodo Moeller]

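The version check that SSL_OP_TLS_ROLLBACK_BUG relaxes, as an added Python model of the server-side logic (not OpenSSL's code; build_premaster, check_premaster_version and scenarios are names of this example only): the first two bytes of the RSA premaster secret must repeat the version the client offered in its ClientHello, which is how a handshake downgraded in transit is detected, and with the option set a premaster that carries the negotiated version is accepted as well. The handshakes in scenarios() are constructed for the example.

```python
import os

# Wire encoding of protocol versions as (major, minor) byte pairs.
SSL3 = (3, 0)
TLS1 = (3, 1)

def build_premaster(version, random46=None):
    """Client side: 48-byte premaster secret = 2 version bytes + 46 random bytes.
    A correct client puts the version it sent in ClientHello here."""
    random46 = os.urandom(46) if random46 is None else random46
    if len(random46) != 46:
        raise ValueError("premaster secret needs exactly 46 random bytes")
    return bytes(version) + random46

def check_premaster_version(premaster, client_hello_version, negotiated_version,
                            tolerate_rollback_bug=False):
    """Server side: the check ssl3_get_client_key_exchange performs after
    RSA-decrypting the premaster secret. Returns True if it is accepted."""
    if len(premaster) != 48:
        return False
    pm_version = (premaster[0], premaster[1])
    if pm_version == tuple(client_hello_version):
        return True  # normal case: matches what the ClientHello offered
    # SSL_OP_TLS_ROLLBACK_BUG: also accept the *negotiated* version, which is
    # what buggy clients write when the server chose a lower version.
    return tolerate_rollback_bug and pm_version == tuple(negotiated_version)

def scenarios():
    """Constructed handshakes: the server negotiated SSL 3.0 after a TLS 1.0 ClientHello."""
    fixed = bytes(46)  # deterministic filler in place of client randomness
    return {
        # conforming client: premaster carries the offered version
        "correct_client": check_premaster_version(build_premaster(TLS1, fixed), TLS1, SSL3),
        # buggy client writes the negotiated version: rejected by default ...
        "buggy_client_strict": check_premaster_version(build_premaster(SSL3, fixed), TLS1, SSL3),
        # ... and accepted once the option is set
        "buggy_client_tolerated": check_premaster_version(build_premaster(SSL3, fixed), TLS1, SSL3, True),
        # ClientHello downgraded in transit to SSL 3.0: the honest client still
        # writes 3.1, so the mismatch is caught even with the option set
        "downgraded_hello": check_premaster_version(build_premaster(TLS1, fixed), SSL3, SSL3, True),
    }
```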
  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
     i.e. non-zero for export ciphersuites, zero otherwise.
     Previous versions had this flag inverted, inconsistent with
     rsa_tmp_cb (..._TMP_RSA_CB).
     [Bodo Moeller; problem reported by Amit Chopra]

  *) Add missing DSA library text string. Workaround for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

  *) Add a document (doc/standards.txt) that lists all kinds of standards
     and so on that are implemented in OpenSSL.
     [Richard Levitte]

  *) Enhance c_rehash script. Old version would mishandle certificates
     with the same subject name hash and wouldn't handle CRLs at all.
     Added -fingerprint option to crl utility, to support new c_rehash
     features.
     [Steve Henson]

  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
