git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Add a FAQ entry for yet another bc failure.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.7 and 0.9.8 [xx XXX 2002]

  *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
     As these are not official, they are not included in "ALL";
     the "ECCdraft" ciphersuite group alias can be used to select them.
     [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]

  *) Add ECDH engine support.
     [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]

  *) Add ECDH in new directory crypto/ecdh/.
     TODO: more general interface (return x coordinate, not its hash)
     TODO: bug: pad x with leading zeros if necessary
     [Douglas Stebila (Sun Microsystems Laboratories)]

  *) Let BN_rand_range() abort with an error after 100 iterations
     without success (which indicates a broken PRNG).
     [Bodo Moeller]

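The loop the entry above describes, as an added example that is not OpenSSL's code: rejection sampling on 32-bit values with the same 100-iteration cap, plus a deliberately stuck generator to show the cap turning an endless loop into an error. The function names, the xorshift generator and its seed are constructed for this illustration.

```c
/* Added example, not OpenSSL code: rejection sampling in the style of
 * BN_rand_range() with the 100-iteration cap the entry describes, on
 * 32-bit values with a pluggable PRNG so a broken generator can be
 * shown to trip the cap.  All names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* PRNG callback: fills *out with nbits random bits, returns 1 on success. */
typedef int (*rng_fn)(uint32_t *out, int nbits);

/* Uniform r in [0, range): draw as many bits as range has, reject draws
 * >= range.  A working PRNG is accepted with probability >= 1/2 per draw,
 * so 100 rejections in a row is treated as a broken PRNG and an error. */
static int rand_range(uint32_t *r, uint32_t range, rng_fn rng) {
    int tries = 0, nbits = 0;
    uint32_t tmp;
    if (range == 0) return 0;
    for (tmp = range; tmp; tmp >>= 1) nbits++;
    do {
        if (!rng(&tmp, nbits)) return 0;
        if (++tries > 100) return 0;   /* too many iterations: broken PRNG */
    } while (tmp >= range);
    *r = tmp;
    return 1;
}

/* A small deterministic generator (xorshift32, constructed fixed seed);
 * it stands in for a healthy PRNG for demonstration purposes only. */
static uint32_t xs_state = 2463534242u;
static int xorshift_rng(uint32_t *out, int nbits) {
    xs_state ^= xs_state << 13;
    xs_state ^= xs_state >> 17;
    xs_state ^= xs_state << 5;
    *out = nbits >= 32 ? xs_state : (xs_state & (((uint32_t)1 << nbits) - 1));
    return 1;
}

/* A stuck generator: every draw is all-ones, so every draw is rejected. */
static int stuck_rng(uint32_t *out, int nbits) {
    *out = nbits >= 32 ? 0xFFFFFFFFu : (((uint32_t)1 << nbits) - 1);
    return 1;
}

/* Returns 1 if rand_range() produced a value in [0, range), else 0. */
static int rand_range_ok(uint32_t range, rng_fn rng) {
    uint32_t r;
    return rand_range(&r, range, rng) && r < range;
}

int main(void) {
    printf("healthy PRNG, range 1000: %s\n",
           rand_range_ok(1000, xorshift_rng) ? "ok" : "error");
    printf("stuck PRNG, range 1000:   %s\n",
           rand_range_ok(1000, stuck_rng) ? "ok" : "error");
    return 0;
}
```

The cap is cheap insurance: a generator that keeps returning values outside the range would otherwise spin forever, and the error surfaces the broken PRNG to the caller instead of hiding it.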
  *) Change BN_mod_sqrt() so that it verifies that the input value
     is really the square of the return value. (Previously,
     BN_mod_sqrt would show GIGO behaviour.)
     [Bodo Moeller]

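An added illustration of the check described above, not OpenSSL's code: a square root mod p for p = 3 (mod 4), computed on uint64_t values. Without the verification, the formula returns a well-formed but wrong value for a non-residue; with it, the caller gets an error. The prime 23 and the function names are constructed for this example.

```c
/* Added example, not OpenSSL code: a modular square root for primes
 * p == 3 (mod 4) that, like the changed BN_mod_sqrt(), checks that the
 * candidate root really squares to the input instead of returning
 * garbage for a non-residue.  Uses uint64_t instead of BIGNUM, so it is
 * limited to p < 2^32; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* (a * b) mod m; safe from overflow while m < 2^32 */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a % m) * (b % m) % m;
}

/* base^exp mod m by square-and-multiply */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Candidate root for p == 3 (mod 4): a^((p+1)/4).  The formula is only
 * valid when a is a quadratic residue; for a non-residue it still
 * returns a number, which is the "garbage in, garbage out" behaviour
 * the entry refers to. */
static uint64_t sqrt_candidate(uint64_t a, uint64_t p) {
    return powmod(a, (p + 1) / 4, p);
}

/* Verified variant: stores the root in *out and returns 1 only if
 * out^2 == a (mod p); returns 0 (an error) otherwise. */
static int mod_sqrt_checked(uint64_t *out, uint64_t a, uint64_t p) {
    uint64_t r;
    if (p < 3 || p % 4 != 3) return 0;     /* formula does not apply */
    a %= p;
    r = sqrt_candidate(a, p);
    if (mulmod(r, r, p) != a) return 0;    /* a is not a square mod p */
    *out = r;
    return 1;
}

/* Single-value convenience wrapper: the root, or p (never a valid
 * residue) when no root exists. */
static uint64_t mod_sqrt_or_p(uint64_t a, uint64_t p) {
    uint64_t r;
    return mod_sqrt_checked(&r, a, p) ? r : p;
}

int main(void) {
    /* constructed sample: p = 23; 2 is a square mod 23 (18^2 = 324 = 2
     * mod 23), 5 is not */
    printf("sqrt(2) mod 23: candidate %llu, checked %llu\n",
           (unsigned long long)sqrt_candidate(2, 23),
           (unsigned long long)mod_sqrt_or_p(2, 23));
    printf("sqrt(5) mod 23: candidate %llu (its square is %llu, not 5), "
           "checked %llu\n",
           (unsigned long long)sqrt_candidate(5, 23),
           (unsigned long long)mulmod(sqrt_candidate(5, 23),
                                      sqrt_candidate(5, 23), 23),
           (unsigned long long)mod_sqrt_or_p(5, 23));
    return 0;
}
```

The verification costs one modular squaring and protects every caller that feeds attacker-controlled values (for example a compressed point's x coordinate) into the square-root routine: an unchecked "root" would be silently accepted as a valid curve point.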
  *) Add named elliptic curves over binary fields from X9.62, SECG,
     and WAP/WTLS; add OIDs that were still missing.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Extend the EC library for elliptic curves over binary fields
     (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
     New EC_METHOD:

         EC_GF2m_simple_method

     New API functions:

         EC_GROUP_new_curve_GF2m
         EC_GROUP_set_curve_GF2m
         EC_GROUP_get_curve_GF2m
         EC_POINT_set_affine_coordinates_GF2m
         EC_POINT_get_affine_coordinates_GF2m
         EC_POINT_set_compressed_coordinates_GF2m

     Point compression for binary fields is disabled by default for
     patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
     enable it).

     As binary polynomials are represented as BIGNUMs, various members
     of the EC_GROUP and EC_POINT data structures can be shared
     between the implementations for prime fields and binary fields;
     the above ..._GF2m functions (except for EC_GROUP_new_curve_GF2m)
     are essentially identical to their ..._GFp counterparts.
     (For simplicity, the '..._GFp' prefix has been dropped from
     various internal method names.)

     An internal 'field_div' method (similar to 'field_mul' and
     'field_sqr') has been added; this is used only for binary fields.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
     through methods ('mul', 'precompute_mult').

     The generic implementations (now internally called 'ec_wNAF_mul'
     and 'ec_wNAF_precomputed_mult') remain the default if these
     methods are undefined.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New function EC_GROUP_get_degree, which is defined through
     EC_METHOD. For curves over prime fields, this returns the bit
     length of the modulus.

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) New functions EC_GROUP_dup, EC_POINT_dup.
     (These simply call ..._new and ..._copy).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

  *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
     Polynomials are represented as BIGNUMs (where the sign bit is not
     used) in the following functions [macros]:

         BN_GF2m_add
         BN_GF2m_sub             [= BN_GF2m_add]
         BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
         BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
         BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
         BN_GF2m_mod_inv
         BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
         BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
         BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
         BN_GF2m_cmp             [= BN_ucmp]

     (Note that only the 'mod' functions are actually for fields GF(2^m).
     BN_GF2m_add() is a misnomer, but this is for the sake of consistency.)

     For some functions, the irreducible polynomial defining a
     field can be given as an 'unsigned int[]' with strictly
     decreasing elements giving the indices of those bits that are set;
     i.e., p[] represents the polynomial
         f(t) = t^p[0] + t^p[1] + ... + t^p[k]
     where
         p[0] > p[1] > ... > p[k] = 0.
     This applies to the following functions:

         BN_GF2m_mod_arr
         BN_GF2m_mod_mul_arr
         BN_GF2m_mod_sqr_arr
         BN_GF2m_mod_inv_arr     [wrapper for BN_GF2m_mod_inv]
         BN_GF2m_mod_div_arr     [wrapper for BN_GF2m_mod_div]
         BN_GF2m_mod_exp_arr
         BN_GF2m_mod_sqrt_arr
         BN_GF2m_mod_solve_quad_arr
         BN_GF2m_poly2arr
         BN_GF2m_arr2poly

     Conversion can be performed by the following functions:

         BN_GF2m_poly2arr
         BN_GF2m_arr2poly

     bntest.c has additional tests for binary polynomial arithmetic.

     Two implementations for BN_GF2m_mod_div() are available.
     The default algorithm simply uses BN_GF2m_mod_inv() and
     BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
     if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
     copyright notice in crypto/bn/bn_gf2m.c before enabling it).

     [Sheueling Chang Shantz and Douglas Stebila
     (Sun Microsystems Laboratories)]

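An added example, not OpenSSL's code, of the index-array representation described above: poly2arr/arr2poly conversions, reduction modulo an irreducible polynomial given as p[], and multiplication and inversion built on that reduction, all on uint64_t rather than BIGNUM. The sample field (f(t) = t^8 + t^4 + t^3 + t + 1, i.e. p[] = {8, 4, 3, 1, 0}) and every name below are this example's own.

```c
/* Added example, not OpenSSL code: the representation the entry above
 * describes, with a binary polynomial held in a uint64_t (bit i set
 * means the coefficient of t^i is 1) and the irreducible polynomial
 * given as a strictly decreasing index array p[] ending in 0.  The
 * sample field is the degree-8 field with f(t) = t^8+t^4+t^3+t+1, and
 * all function names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TERMS 64

/* Sample irreducible polynomial in array form: p[] = {8,4,3,1,0}. */
static const unsigned int SAMPLE_POLY[] = { 8, 4, 3, 1, 0 };
#define SAMPLE_POLY_LEN 5

/* poly2arr: indices of the set bits of a, highest first.  Returns the
 * number of entries written, or 0 if max is too small. */
static size_t gf2m_poly2arr(uint64_t a, unsigned int *p, size_t max) {
    size_t n = 0;
    for (int i = 63; i >= 0; i--) {
        if (a & ((uint64_t)1 << i)) {
            if (n == max) return 0;
            p[n++] = (unsigned int)i;
        }
    }
    return n;
}

/* arr2poly: the inverse conversion. */
static uint64_t gf2m_arr2poly(const unsigned int *p, size_t n) {
    uint64_t a = 0;
    for (size_t i = 0; i < n; i++) a |= (uint64_t)1 << p[i];
    return a;
}

/* Round trip used to show the two conversions agree. */
static uint64_t gf2m_roundtrip(uint64_t a) {
    unsigned int p[MAX_TERMS];
    size_t n = gf2m_poly2arr(a, p, MAX_TERMS);
    return gf2m_arr2poly(p, n);
}

/* Reduce a modulo f(t) = t^p[0] + ... + t^p[n-1] (p[n-1] == 0).  A set
 * bit at degree d >= p[0] is cleared by adding t^(d-p[0]) * f(t), which
 * in GF(2) is an XOR of the shifted terms of f. */
static uint64_t gf2m_mod_arr(uint64_t a, const unsigned int *p, size_t n) {
    for (int d = 63; d >= (int)p[0]; d--) {
        if (a & ((uint64_t)1 << d)) {
            unsigned int shift = (unsigned int)d - p[0];
            for (size_t i = 0; i < n; i++)
                a ^= (uint64_t)1 << (p[i] + shift);
        }
    }
    return a;
}

/* Carry-less product of two polynomials of degree < 32, then reduce. */
static uint64_t gf2m_mod_mul_arr(uint64_t a, uint64_t b,
                                 const unsigned int *p, size_t n) {
    uint64_t prod = 0;
    for (int i = 0; i < 32; i++)
        if (b & ((uint64_t)1 << i)) prod ^= a << i;
    return gf2m_mod_arr(prod, p, n);
}

/* Inverse of a nonzero element via a^(2^m - 2), m = p[0]. */
static uint64_t gf2m_mod_inv_arr(uint64_t a, const unsigned int *p, size_t n) {
    uint64_t result = 1, base = a;
    uint64_t exp = ((uint64_t)1 << p[0]) - 2;
    while (exp) {
        if (exp & 1) result = gf2m_mod_mul_arr(result, base, p, n);
        base = gf2m_mod_mul_arr(base, base, p, n);
        exp >>= 1;
    }
    return result;
}

int main(void) {
    uint64_t f = gf2m_arr2poly(SAMPLE_POLY, SAMPLE_POLY_LEN);
    uint64_t prod = gf2m_mod_mul_arr(0x57, 0x83, SAMPLE_POLY, SAMPLE_POLY_LEN);
    uint64_t inv = gf2m_mod_inv_arr(0x53, SAMPLE_POLY, SAMPLE_POLY_LEN);
    printf("f(t) = 0x%llx, round trip 0x%llx\n",
           (unsigned long long)f, (unsigned long long)gf2m_roundtrip(f));
    printf("0x57 * 0x83 mod f = 0x%llx\n", (unsigned long long)prod);
    printf("0x53^-1 mod f = 0x%llx, check 0x%llx\n", (unsigned long long)inv,
           (unsigned long long)gf2m_mod_mul_arr(0x53, inv, SAMPLE_POLY,
                                                SAMPLE_POLY_LEN));
    return 0;
}
```

The strictly decreasing order of p[] is what makes the reduction loop simple: p[0] is the field degree and every other term of f lands below the bit being cancelled, so one pass from the top bit downward suffices. The reduction takes a data-dependent number of XORs, which is acceptable for an illustration but not for a constant-time implementation.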
  *) Add new error code 'ERR_R_DISABLED' that can be used when some
     functionality is disabled at compile-time.
     [Douglas Stebila <douglas.stebila@sun.com>]

  *) Change default behaviour of 'openssl asn1parse' so that more
     information is visible when viewing, e.g., a certificate:

     Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
     mode the content of non-printable OCTET STRINGs is output in a
     style similar to INTEGERs, but with '[HEX DUMP]' prepended to
     avoid the appearance of a printable string.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
     functions
         EC_GROUP_set_asn1_flag()
         EC_GROUP_get_asn1_flag()
         EC_GROUP_set_point_conversion_form()
         EC_GROUP_get_point_conversion_form()
     These control ASN1 encoding details:
     - Curves (i.e., groups) are encoded explicitly unless asn1_flag
       has been set to OPENSSL_EC_NAMED_CURVE.
     - Points are encoded in uncompressed form by default; options for
       asn1_form are as for point2oct, namely
         POINT_CONVERSION_COMPRESSED
         POINT_CONVERSION_UNCOMPRESSED
         POINT_CONVERSION_HYBRID

     Also add 'seed' and 'seed_len' members to EC_GROUP with access
     functions
         EC_GROUP_set_seed()
         EC_GROUP_get0_seed()
         EC_GROUP_get_seed_len()
     This is used only for ASN1 purposes (so far).
     [Nils Larsch <nla@trustcenter.de>]

  *) Add 'field_type' member to EC_METHOD, which holds the NID
     of the appropriate field type OID. The new function
     EC_METHOD_get_field_type() returns this value.
     [Nils Larsch <nla@trustcenter.de>]

  *) Add functions
         EC_POINT_point2bn()
         EC_POINT_bn2point()
         EC_POINT_point2hex()
         EC_POINT_hex2point()
     providing useful interfaces to EC_POINT_point2oct() and
     EC_POINT_oct2point().
     [Nils Larsch <nla@trustcenter.de>]

  *) Change internals of the EC library so that the functions
         EC_GROUP_set_generator()
         EC_GROUP_get_generator()
         EC_GROUP_get_order()
         EC_GROUP_get_cofactor()
     are implemented directly in crypto/ec/ec_lib.c and not dispatched
     to methods, which would lead to unnecessary code duplication when
     adding different types of curves.
     [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]

  *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
     arithmetic, and such that modified wNAFs are generated
     (which avoid length expansion in many cases).
     [Bodo Moeller]

  *) Add a function EC_GROUP_check_discriminant() (defined via
     EC_METHOD) that verifies that the curve discriminant is non-zero.

     Add a function EC_GROUP_check() that makes some sanity tests
     on an EC_GROUP, its generator and order. This includes
     EC_GROUP_check_discriminant().
     [Nils Larsch <nla@trustcenter.de>]

  *) Add ECDSA in new directory crypto/ecdsa/.

     Add applications 'openssl ecparam' and 'openssl ecdsa'
     (these are based on 'openssl dsaparam' and 'openssl dsa').

     ECDSA support is also included in various other files across the
     library. Most notably,
     - 'openssl req' now has a '-newkey ecdsa:file' option;
     - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
     - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
       d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
       them suitable for ECDSA where domain parameters must be
       extracted before the specific public key;
     - ECDSA engine support has been added.
     [Nils Larsch <nla@trustcenter.de>]

  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS. The curves can be obtained from the new
     function
         EC_GROUP_new_by_nid()
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
         EC_GROUP_set_nid()
         EC_GROUP_get_nid()
     [Nils Larsch <nla@trustcenter.de>, Bodo Moeller]

 Changes between 0.9.6g and 0.9.7 [XX xxx 2002]

  *) Make sure tests can be performed even if the corresponding algorithms
     have been removed entirely. This was also the last step to make
     OpenSSL compilable with DJGPP under all reasonable conditions.
     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]

  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
     to allow version independent disabling of normally unselected ciphers,
     which may be activated as a side-effect of selecting a single cipher.

     (E.g., cipher list string "RSA" enables ciphersuites that are left
     out of "ALL" because they do not provide symmetric encryption.
     "RSA:!COMPLEMENTOFALL" avoids these unsafe ciphersuites.)
     [Lutz Jaenicke, Bodo Moeller]

  *) Add appropriate support for separate platform-dependent build
     directories. The recommended way to make a platform-dependent
     build directory is the following (tested on Linux), maybe with
     some local tweaks:

         # Place yourself outside of the OpenSSL source tree. In
         # this example, the environment variable OPENSSL_SOURCE
         # is assumed to contain the absolute OpenSSL source directory.
         mkdir -p objtree/`uname -s`-`uname -r`-`uname -m`
         cd objtree/`uname -s`-`uname -r`-`uname -m`
         (cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
             mkdir -p `dirname $F`
             ln -s $OPENSSL_SOURCE/$F $F
         done

     To be absolutely sure not to disturb the source tree, a "make clean"
     is a good thing. If it isn't successful, don't worry about it,
     it probably means the source directory is very clean.
     [Richard Levitte]

  *) Make sure any ENGINE control commands make local copies of string
     pointers passed to them whenever necessary. Otherwise it is possible
     the caller may have overwritten (or deallocated) the original string
     data when a later ENGINE operation tries to use the stored values.

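An added example, not OpenSSL's code, of the defect class this entry fixes: a control-command handler that stores the string pointer it was handed, beside one that stores its own copy, with a caller that reuses its buffer afterwards. The struct, the function names and the sample path are constructed for the illustration.

```c
/* Added example, not OpenSSL code: the defect class the entry above
 * describes, on a hypothetical control-command handler that receives a
 * string argument.  The unsafe version stores the caller's pointer; the
 * fixed version stores a private copy, so a later operation never reads
 * memory the caller has since overwritten or freed.  All names here are
 * hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ctrl_state {
    char *path;   /* value of a hypothetical string-valued control command */
};

/* Portable strdup replacement: heap copy of s, or NULL on failure. */
static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* UNSAFE: keeps a pointer into memory the handler does not own. */
static void ctrl_set_path_unsafe(struct ctrl_state *st, char *p) {
    st->path = p;
}

/* FIXED: take a private copy.  Returns 1 on success, 0 on allocation
 * failure (the old value is left untouched in that case). */
static int ctrl_set_path_copy(struct ctrl_state *st, const char *p) {
    char *copy = NULL;
    if (p != NULL) {
        copy = dup_string(p);
        if (copy == NULL) return 0;
    }
    free(st->path);          /* release the previous private copy, if any */
    st->path = copy;
    return 1;
}

static void ctrl_state_free(struct ctrl_state *st) {
    free(st->path);
    st->path = NULL;
}

/* Simulate a caller that reuses its buffer after the control call, then
 * report whether the stored value still reads as what was passed in.
 * Returns 1 if the engine state survived, 0 if it changed underneath it. */
static int stored_value_survives(int use_copy) {
    static const char sample[] = "/constructed/engine/path.so"; /* sample */
    char buf[64];
    struct ctrl_state st = { NULL };
    int ok;
    strcpy(buf, sample);
    if (use_copy) {
        if (!ctrl_set_path_copy(&st, buf)) return 0;
    } else {
        ctrl_set_path_unsafe(&st, buf);
    }
    strcpy(buf, "overwritten");          /* the caller moves on */
    ok = strcmp(st.path, sample) == 0;   /* later ENGINE operation uses it */
    if (use_copy) ctrl_state_free(&st);
    return ok;
}

int main(void) {
    printf("pointer stored:  value %s\n",
           stored_value_survives(0) ? "survived" : "was clobbered");
    printf("copy stored:     value %s\n",
           stored_value_survives(1) ? "survived" : "was clobbered");
    return 0;
}
```

The simulation only overwrites the caller's buffer, which is defined behaviour and enough to show the stored value changing; in the deallocated case the entry mentions, the same stored pointer would be a use-after-free, which is why the copying handler also owns and frees its copy itself.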