git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Generate primes, too.

 OpenSSL CHANGES
 _______________

 Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]

  *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
     [Steve Henson]

  *) Remove the ancient ASN1_METHOD code. This was only ever used in one
     place for the (very old) "NETSCAPE" format certificates which are now
     handled using new ASN1 code equivalents.
     [Steve Henson]

  *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
     pointer and make the SSL_METHOD parameter in SSL_CTX_new,
     SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
     [Nils Larsch]

  *) Modify CRL distribution points extension code to print out previously
     unsupported fields. Enhance extension setting code to allow setting of
     all fields.
     [Steve Henson]

  *) Add print and set support for Issuing Distribution Point CRL extension.
     [Steve Henson]

 Changes between 0.9.8 and 0.9.8a  [XX xxx XXXX]

  *) Avoid some small subgroup attacks in Diffie-Hellman.
     [Nick Mathewson and Ben Laurie]

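The entry above names the small-subgroup risk but not the check a receiver runs against it. The following is an added example written for this page, not OpenSSL's own code: it validates a peer's Diffie-Hellman public value for a safe prime p = 2q + 1 using plain C with 64-bit toy arithmetic, whereas OpenSSL performs the same test on BIGNUMs. The toy parameters p = 23 and q = 11, the function names mod_pow, element_order and dh_pub_value_ok, and the sample peer values are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy safe-prime group constructed for this example: p = 2q + 1. Real DH
   groups are thousands of bits wide, but the validation logic is the same. */
#define TOY_P 23u
#define TOY_Q 11u

/* base^exp mod mod on 64-bit values; the 128-bit product (a gcc/clang
   extension) keeps every intermediate multiplication exact. */
static uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1)
            result = (uint64_t)(((unsigned __int128)result * base) % mod);
        base = (uint64_t)(((unsigned __int128)base * base) % mod);
        exp >>= 1;
    }
    return result;
}

/* Multiplicative order of y modulo p by brute force (only sensible for the
   toy group). Returns 0 for y == 0 mod p, which has no order. */
static uint64_t element_order(uint64_t p, uint64_t y)
{
    uint64_t acc = y % p, k = 1;
    if (acc == 0)
        return 0;
    while (acc != 1) {
        acc = (uint64_t)(((unsigned __int128)acc * y) % p);
        k++;
    }
    return k;
}

/* Public-value validation for a safe prime p = 2q + 1:
   - 2 <= y <= p - 2 rejects 0, 1 and p - 1 (orders 0, 1 and 2), and
   - y^q mod p == 1 confirms y lies in the prime-order-q subgroup, so the
     shared secret cannot be steered into a tiny subgroup by the peer. */
static bool dh_pub_value_ok(uint64_t p, uint64_t q, uint64_t y)
{
    if (y < 2 || y > p - 2)
        return false;
    return mod_pow(y, q, p) == 1;
}

int main(void)
{
    /* Constructed sample peer values: 2 generates the order-11 subgroup,
       22 = p - 1 has order 2, 5 generates the full order-22 group and so
       also fails the y^q == 1 test, and 1 is caught by the range check. */
    const uint64_t samples[] = {2, 22, 5, 1};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t y = samples[i];
        printf("y = %2llu: order %2llu -> %s\n",
               (unsigned long long)y,
               (unsigned long long)element_order(TOY_P, y),
               dh_pub_value_ok(TOY_P, TOY_Q, y) ? "accepted" : "rejected");
    }
    return 0;
}
```

For a safe prime the y^q test is cheap relative to the key agreement itself (one extra exponentiation), and it is the check that makes the order-2 element p - 1 and full-group generators unusable as peer values.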
  *) Add functions for well-known primes.
     [Nick Mathewson]

  *) Extended Windows CE support.
     [Satoshi Nakamura and Andy Polyakov]

  *) Initialize SSL_METHOD structures at compile time instead of during
     runtime, thus removing the need for a lock.
     [Steve Henson]

  *) Make PKCS7_decrypt() work even if no certificate is supplied by
     attempting to decrypt each encrypted key in turn. Add support to
     smime utility.
     [Steve Henson]

 Changes between 0.9.7h and 0.9.8  [05 Jul 2005]

  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
     [Richard Levitte]

  *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
     key into the same file any more.
     [Richard Levitte]

  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
     [Andy Polyakov]

  *) Add -utf8 command line and config file option to 'ca'.
     [Stefan <stf@udoma.org>]

  *) Removed the macro des_crypt(), as it seems to conflict with some
     libraries. Use DES_crypt().
     [Richard Levitte]

  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
     involves renaming the source and generated shared-libs for
     both. The engines will accept the corrected or legacy ids
     ('ncipher' and '4758_cca' respectively) when binding. NB,
     this only applies when building 'shared'.
     [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]

  *) Add attribute functions to EVP_PKEY structure. Modify
     PKCS12_create() to recognize a CSP name attribute and
     use it. Make -CSP option work again in pkcs12 utility.
     [Steve Henson]

  *) Add new functionality to the bn blinding code:
     - automatic re-creation of the BN_BLINDING parameters after
       a fixed number of uses (currently 32)
     - add new function for parameter creation
     - introduce flags to control the update behaviour of the
       BN_BLINDING parameters
     - hide BN_BLINDING structure
     Add a second BN_BLINDING slot to the RSA structure to improve
     performance when a single RSA object is shared among several
     threads.
     [Nils Larsch]

  *) Add support for DTLS.
     [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]

  *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
     to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file().
     [Walter Goulet]

  *) Remove buggy and incomplete DH cert support from
     ssl/ssl_rsa.c and ssl/s3_both.c.
     [Nils Larsch]

  *) Use SHA-1 instead of MD5 as the default digest algorithm for
     the apps/openssl applications.
     [Nils Larsch]

  *) Compile clean with "-Wall -Wmissing-prototypes
     -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
     DEBUG_SAFESTACK must also be set.
     [Ben Laurie]

  *) Change ./Configure so that certain algorithms can be disabled by default.
     The new counterpart to "no-xxx" is "enable-xxx".

     The patented RC5 and MDC2 algorithms will now be disabled unless
     "enable-rc5" and "enable-mdc2", respectively, are specified.

     (IDEA remains enabled despite being patented. This is because IDEA
     is frequently required for interoperability, and there is no license
     fee for non-commercial use. As before, "no-idea" can be used to
     avoid this algorithm.)

     [Bodo Moeller]

  *) Add processing of proxy certificates (see RFC 3820). This work was
     sponsored by KTH (The Royal Institute of Technology in Stockholm) and
     EGEE (Enabling Grids for E-science in Europe).
     [Richard Levitte]

  *) RC4 performance overhaul on modern architectures/implementations, such
     as Intel P4, IA-64 and AMD64.
     [Andy Polyakov]

  *) New utility extract-section.pl. This can be used to specify an alternative
     section number in a pod file instead of having to treat each file as
     a separate case in Makefile. This can be done by adding two lines to the
     pod file:

     =for comment openssl_section:XXX

     The blank line is mandatory.

     [Steve Henson]

  *) New arguments -certform, -keyform and -pass for s_client and s_server
     to allow alternative format key and certificate files and passphrase
     sources.
     [Steve Henson]

  *) New structure X509_VERIFY_PARAM which combines current verify parameters,
     update associated structures and add various utility functions.

     Add new policy related verify parameters, include policy checking in
     standard verify code. Enhance 'smime' application with extra parameters
     to support policy checking and print out.
     [Steve Henson]

  *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
     Nehemiah processors. These extensions support AES encryption in hardware
     as well as RNG (though RNG support is currently disabled).
     [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]

  *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
     [Geoff Thorpe]

  *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
     [Andy Polyakov and a number of other people]

  *) Improved PowerPC platform support. Most notably BIGNUM assembler
     implementation contributed by IBM.
     [Suresh Chari, Peter Waltenberg, Andy Polyakov]

  *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
     exponent rather than 'unsigned long'. There is a corresponding change to
     the new 'rsa_keygen' element of the RSA_METHOD structure.
     [Jelte Jansen, Geoff Thorpe]

  *) Functionality for creating the initial serial number file is now
     moved from CA.pl to the 'ca' utility with a new option -create_serial.

     (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
     number file to 1, which is bound to cause problems. To avoid
     the problems while respecting compatibility between different 0.9.7
     patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
     CA.pl for serial number initialization. With the new release 0.9.8,
     we can fix the problem directly in the 'ca' utility.)
     [Steve Henson]

  *) Reduced header interdependencies by declaring more opaque objects in
     ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
     give fewer recursive includes, which could break lazy source code - so
     this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
     developers should define this symbol when building and using openssl to
     ensure they track the recommended behaviour, interfaces, [etc], but
     backwards-compatible behaviour prevails when this isn't defined.
     [Geoff Thorpe]

  *) New function X509_POLICY_NODE_print() which prints out policy nodes.
     [Steve Henson]

  *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
     This will generate a random key of the appropriate length based on the
     cipher context. The EVP_CIPHER can provide its own random key generation
     routine to support keys of a specific form. This is used in the des and
     3des routines to generate a key of the correct parity. Update S/MIME
     code to use new functions and hence generate correct parity DES keys.
     Add EVP_CHECK_DES_KEY #define to return an error if the key is not
     valid (weak or incorrect parity).
     [Steve Henson]

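The EVP_CIPHER_CTX_rand_key entry above says a DES key must have correct parity and that EVP_CHECK_DES_KEY rejects keys that are weak or have bad parity. The following is an added example, not OpenSSL's code: it implements the parity rule, a weak-key check and a "random bytes to usable key" routine in plain C with no OpenSSL dependency, mirroring what a cipher-specific rand_key routine has to do. The names parity_fixed_byte, des_set_odd_parity, des_check_key and des_key_from_random, the return-code convention (0 / -1 / -2) and the sample byte pool are constructed for this example; only the four weak keys are listed, not the twelve semi-weak ones.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_KEY_LEN 8

/* 1 if the byte has an odd number of set bits, else 0. */
static int odd_parity(uint8_t b)
{
    int bits = 0;
    for (; b; b >>= 1)
        bits += b & 1;
    return bits & 1;
}

/* Return b with its low (parity) bit adjusted so the byte has odd parity.
   The seven high bits, the ones DES actually uses, are left untouched. */
static uint8_t parity_fixed_byte(uint8_t b)
{
    uint8_t key_bits = b & 0xFE;
    return key_bits | (odd_parity(key_bits) ? 0 : 1);
}

static void des_set_odd_parity(uint8_t key[DES_KEY_LEN])
{
    for (int i = 0; i < DES_KEY_LEN; i++)
        key[i] = parity_fixed_byte(key[i]);
}

static bool des_parity_ok(const uint8_t key[DES_KEY_LEN])
{
    for (int i = 0; i < DES_KEY_LEN; i++)
        if (!odd_parity(key[i]))
            return false;
    return true;
}

/* The four DES weak keys (each produces a self-inverse cipher); the twelve
   semi-weak keys are omitted here for brevity. */
static const uint8_t des_weak_keys[4][DES_KEY_LEN] = {
    {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
    {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
    {0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
    {0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
};

static bool des_is_weak_key(const uint8_t key[DES_KEY_LEN])
{
    for (int i = 0; i < 4; i++)
        if (memcmp(key, des_weak_keys[i], DES_KEY_LEN) == 0)
            return true;
    return false;
}

/* Key check in the spirit of EVP_CHECK_DES_KEY. Return codes are this
   example's own convention: 0 = usable, -1 = bad parity, -2 = weak key. */
static int des_check_key(const uint8_t key[DES_KEY_LEN])
{
    if (!des_parity_ok(key))
        return -1;
    if (des_is_weak_key(key))
        return -2;
    return 0;
}

/* Turn raw random bytes into a usable DES key: fix parity, reject weak keys
   and move on to the next 8 bytes. Returns the pool offset of the accepted
   key (copied to out) or -1 if the pool is exhausted. */
static int des_key_from_random(const uint8_t *pool, size_t pool_len,
                               uint8_t out[DES_KEY_LEN])
{
    for (size_t off = 0; off + DES_KEY_LEN <= pool_len; off += DES_KEY_LEN) {
        memcpy(out, pool + off, DES_KEY_LEN);
        des_set_odd_parity(out);
        if (des_check_key(out) == 0)
            return (int)off;
    }
    return -1;
}

/* Constructed sample bytes standing in for RNG output: the first 8 bytes turn
   into the weak key 01 01 .. 01 once parity is fixed and must be skipped. */
static const uint8_t sample_random_pool[16] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
};

static int demo_key_offset(void)
{
    uint8_t key[DES_KEY_LEN];
    return des_key_from_random(sample_random_pool, sizeof sample_random_pool, key);
}

int main(void)
{
    uint8_t key[DES_KEY_LEN];
    int off = des_key_from_random(sample_random_pool, sizeof sample_random_pool, key);
    printf("accepted key at pool offset %d:", off);
    for (int i = 0; i < DES_KEY_LEN; i++)
        printf(" %02X", key[i]);
    printf(" (check = %d)\n", des_check_key(key));
    return 0;
}
```

Because the parity bit carries no key material, fixing it costs nothing in entropy; the weak-key rejection matters because an all-zero (or otherwise degenerate) RNG output silently becomes a weak key after parity fixing, which is exactly the case the sample pool exercises. OpenSSL's own DES_set_odd_parity() and DES_is_weak_key() are the library routines this example stands in for.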
  *) Add a local set of CRLs that can be used by X509_verify_cert() as well
     as looking them up. This is useful when the verified structure may contain
     CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
     present unless the new PKCS7_NO_CRL flag is asserted.
     [Steve Henson]

  *) Extend ASN1 oid configuration module. It now additionally accepts the
     syntax:

     shortName = some long name, 1.2.3.4
     [Steve Henson]

  *) Reimplemented the BN_CTX implementation. There is now no more static
     limitation on the number of variables it can handle nor the depth of the
     "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
     information can now expand as required, and rather than having a single
     static array of bignums, BN_CTX now uses a linked-list of such arrays
     allowing it to expand on demand whilst maintaining the usefulness of
     BN_CTX's "bundling".
     [Geoff Thorpe]

  *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
     to allow all RSA operations to function using a single BN_CTX.
     [Geoff Thorpe]

  *) Preliminary support for certificate policy evaluation and checking. This
     is initially intended to pass the tests outlined in "Conformance Testing
     of Relying Party Client Certificate Path Processing Logic" v1.07.
     [Steve Henson]

  *) bn_dup_expand() has been deprecated; it was introduced in 0.9.7 and
     remained unused and not that useful. A variety of other little bignum
     tweaks and fixes have also been made continuing on from the audit (see
     below).
     [Geoff Thorpe]

  *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
     associated ASN1, EVP and SSL functions and old ASN1 macros.
     [Richard Levitte]

  *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
     and this should never fail. So the return value from the use of
     BN_set_word() (which can fail due to needless expansion) is now deprecated;
     if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
     [Geoff Thorpe]

  *) BN_CTX_get() should return zero-valued bignums, providing the same
     initialised value as BN_new().
