git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
HMAC OIDs from RFC4231.
Commit        Line  Data
81a6c781         1
f1c236f8         2  OpenSSL CHANGES
651d0aff RE      3  _______________
                 4
399a6f0b DSH     5  Changes between 0.9.8b and 0.9.9 [xx XXX xxxx]
                 6
856640b5         7  *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
b8f702a0         8     Reorganize PBE internals to look up from a static table using NIDs,
6d3a1eac DSH     9     add support for HMAC PBE OID translation. Add an EVP_CIPHER ctrl:
                10     EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
                11     PRF which will be automatically used with PBES2.
856640b5 DSH    12     [Steve Henson]
                13
34b3c72e        14  *) Replace the algorithm specific calls to generate keys in "req" with the
959e8dfe DSH    15     new API.
                16     [Steve Henson]
                17
399a6f0b DSH    18  *) Update PKCS#7 enveloped data routines to use new API. This is now
                19     supported by any public key method supporting the encrypt operation. A
                20     ctrl is added to allow the public key algorithm to examine or modify
                21     the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
                22     a no op.
                23     [Steve Henson]
28e4fe34        24
03919683 DSH    25  *) Add a ctrl to asn1 method to allow a public key algorithm to express
                26     a default digest type to use. In most cases this will be SHA1 but some
                27     algorithms (such as GOST) need to specify an alternative digest. The
                28     return value indicates how strong the preference is: 1 means optional and
                29     2 is mandatory (that is it is the only supported type). Modify
                30     ASN1_item_sign() to accept a NULL digest argument to indicate it should
                31     use the default md. Update openssl utilities to use the default digest
                32     type for signing if it is not explicitly indicated.
                33     [Steve Henson]
                34
ee1d9ec0 DSH    35  *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
                36     EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
                37     signing method from the key type. This effectively removes the link
                38     between digests and public key types.
                39     [Steve Henson]
                40
d2027098 DSH    41  *) Add an OID cross reference table and utility functions. Its purpose is to
                42     translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
                43     rsaEncryption. This will allow some of the algorithm specific hackery
                44     needed to use the correct OID to be removed.
                45     [Steve Henson]
                46
492a9e24 DSH    47  *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
                48     structures for PKCS7_sign(). They are now set up by the relevant public
                49     key ASN1 method.
                50     [Steve Henson]
                51
9ca7047d DSH    52  *) Add provisional EC pkey method with support for ECDSA and ECDH.
                53     [Steve Henson]
                54
ffb1ac67 DSH    55  *) Add support for key derivation (agreement) in the API, DH method and
                56     pkeyutl.
                57     [Steve Henson]
                58
3ba0885a DSH    59  *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
                60     public and private key formats. As a side effect these add additional
                61     command line functionality not previously available: DSA signatures can be
                62     generated and verified using pkeyutl and DH key support and generation in
                63     pkey, genpkey.
                64     [Steve Henson]
                65
4700aea9 UM     66  *) BeOS support.
                67     [Oliver Tappe <zooey@hirschkaefer.de>]
                68
                69  *) New make target "install_html_docs" installs HTML renditions of the
                70     manual pages.
                71     [Oliver Tappe <zooey@hirschkaefer.de>]
                72
f5cda4cb DSH    73  *) New utility "genpkey" this is analogous to "genrsa" etc except it can
                74     generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
                75     support key and parameter generation and add initial key generation
                76     functionality for RSA.
                77     [Steve Henson]
                78
f733a5ef DSH    79  *) Add functions for main EVP_PKEY_method operations. The undocumented
                80     functions EVP_PKEY_{encrypt,decrypt} have been renamed to
                81     EVP_PKEY_{encrypt,decrypt}_old.
                82     [Steve Henson]
                83
0b6f3c66 DSH    84  *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
                85     key API, doesn't do much yet.
                86     [Steve Henson]
                87
0b33dac3 DSH    88  *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
                89     public key algorithms. New option to openssl utility:
                90     "list-public-key-algorithms" to print out info.
                91     [Steve Henson]
                92
33273721 BM     93  *) Implement the Supported Elliptic Curves Extension for
                94     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
                95     [Douglas Stebila]
                96
246e0931 DSH    97  *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
                98     EVP_CIPHER structures to avoid later problems in EVP_cleanup().
                99     [Steve Henson]
               100
3e4585c8       101  *) New utilities pkey and pkeyparam. These are similar to algorithm specific
f5cda4cb       102     utilities such as rsa, dsa, dsaparam etc except they process any key
3e4585c8       103     type.
3e84b6e1 DSH   104     [Steve Henson]
               105
35208f36 DSH   106  *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
               107     functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
               108     EVP_PKEY_print_param() to print public key data from an EVP_PKEY
               109     structure.
               110     [Steve Henson]
               111
448be743 DSH   112  *) Initial support for pluggable public key ASN1.
               113     De-spaghettify the public key ASN1 handling. Move public and private
               114     key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
               115     algorithm specific handling to a single module within the relevant
               116     algorithm directory. Add functions to allow (near) opaque processing
               117     of public and private key structures.
               118     [Steve Henson]
               119
36ca4ba6 BM    120  *) Implement the Supported Point Formats Extension for
               121     ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
               122     [Douglas Stebila]
               123
ddac1974 NL    124  *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
               125     for the psk identity [hint] and the psk callback functions to the
               126     SSL_SESSION, SSL and SSL_CTX structure.
               127
               128     New ciphersuites:
               129        PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
               130        PSK-AES256-CBC-SHA
               131
               132     New functions:
               133        SSL_CTX_use_psk_identity_hint
               134        SSL_get_psk_identity_hint
               135        SSL_get_psk_identity
               136        SSL_use_psk_identity_hint
               137
               138     [Mika Kousa and Pasi Eronen of Nokia Corporation]
               139
c7235be6 UM    140  *) Add RFC 3161 compliant time stamp request creation, response generation
               141     and response verification functionality.
               142