[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

  *) Addition of the command line parameter '-rand file' to 'openssl req'.
     The given file adds to whatever has already been seeded into the
     random pool through the RANDFILE configuration file option or
     environment variable, or the default random state file.
     [Richard Levitte]

  *) mkstack.pl now sorts each macro group into lexical order.
     Previously the output order depended on the order the files
     appeared in the directory, resulting in needless rewriting
     of safestack.h .
     [Steve Henson]

  *) Patches to make OpenSSL compile under Win32 again. Mostly
     work arounds for the VC++ problem that it treats func() as
     func(void). Also stripped out the parts of mkdef.pl that
     added extra typesafe functions: these no longer exist.
     [Steve Henson]

  *) Reorganisation of the stack code. The macros are now all 
     collected in safestack.h . Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The 
     DEBUG_SAFESTACK is now handled in terms of function casts,
     this has the advantage of retaining type safety without the
     use of additional functions. If DEBUG_SAFESTACK is not defined
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
     the default if no major problems. Similar behaviour for ASN1_SET_OF
     and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
     key derivation algorithm is different. Normally MD5(password) is
     used as a 128 bit RC4 key. In the modified case
     MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
     new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
     as the old Netscape_RSA functions except they have an additional
     'sgckey' parameter which uses the modified algorithm. Also added
     an -sgckey command line option to the rsa utility. Thanks to 
     Adrian Peck <bertie@ncipher.com> for posting details of the modified
     algorithm to openssl-dev.
     [Steve Henson]

  *) The evp_local.h macros were using 'c.##kname' which resulted in
     invalid expansion on some systems (SCO 5.0.5 for example).
     Corrected to 'c.kname'.
     [Phillip Porch <root@theporch.com>]

  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
     a STACK of email addresses from a certificate or request, these look
     in the subject name and the subject alternative name extensions and 
     omit any duplicate addresses.
     [Steve Henson]

  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
     This makes DSA verification about 2 % faster.
     [Bodo Moeller]

  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
     (meaning that now 2^5 values will be precomputed, which is only 4 KB
     plus overhead for 1024 bit moduli).
     This makes exponentiations about 0.5 % faster for 1024 bit
     exponents (as measured by "openssl speed rsa2048").
     [Bodo Moeller]

  *) Rename memory handling macros to avoid conflicts with other
     software:
          Malloc         =>  OPENSSL_malloc
          Malloc_locked  =>  OPENSSL_malloc_locked
          Realloc        =>  OPENSSL_realloc
          Free           =>  OPENSSL_free
     [Richard Levitte]

  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
     [Bodo Moeller]

  *) CygWin32 support.
     [John Jarvie <jjarvie@newsguy.com>]

  *) The type-safe stack code has been rejigged. It is now only compiled
     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
     by default all type-specific stack functions are "#define"d back to
     standard stack functions. This results in more streamlined output
     but retains the type-safety checking possibilities of the original
     approach.
     [Geoff Thorpe]

  *) The STACK code has been cleaned up, and certain type declarations
     that didn't make a lot of sense have been brought in line. This has
     also involved a cleanup of sorts in safestack.h to more correctly
     map type-safe stack functions onto their plain stack counterparts.
     This work has also resulted in a variety of "const"ifications of
     lots of the code, especially "_cmp" operations which should normally
     be prototyped with "const" parameters anyway.
     [Geoff Thorpe]

  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
     (The PRNG state consists of two parts, the large pool 'state' and 'md',
     where all of 'md' is used each time the PRNG is used, but 'state'
     is used only indexed by a cyclic counter. As entropy may not be
     well distributed from the beginning, 'md' is important as a
     chaining variable. However, the output function chains only half
     of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
     all of 'md', and seeding with STATE_SIZE dummy bytes will result
     in all of 'state' being rewritten, with the new values depending
     on virtually all of 'md'.  This overcomes the 80 bit limitation.)
     [Bodo Moeller]

  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
     the handshake is continued after ssl_verify_cert_chain();
     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
     can lead to 'unexplainable' connection aborts later.
     [Bodo Moeller; problem tracked down by Lutz Jaenicke]

  *) Major EVP API cipher revision.
     Add hooks for extra EVP features. This allows various cipher
     parameters to be set in the EVP interface. Support added for variable
     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
     setting of RC2 and RC5 parameters.

     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
     ciphers.

     Remove lots of duplicated code from the EVP library. For example *every*
     cipher init() function handles the 'iv' in the same way according to the
     cipher mode. They also all do nothing if the 'key' parameter is NULL and
     for CFB and OFB modes they zero ctx->num.

     New functionality allows removal of S/MIME code RC2 hack.

     Most of the routines have the same form and so can be declared in terms
     of macros.

     By shifting this to the top level EVP_CipherInit() it can be removed from
     all individual ciphers. If the cipher wants to handle IVs or keys
     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
     flags.

     Change lots of functions like EVP_EncryptUpdate() to now return a
     value: although software versions of the algorithms cannot fail
     any installed hardware versions can.
     [Steve Henson]

  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
     this option is set, tolerate broken clients that send the negotiated
     protocol version number instead of the requested protocol version
     number.
     [Bodo Moeller]

  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
     i.e. non-zero for export ciphersuites, zero otherwise.
     Previous versions had this flag inverted, inconsistent with
     rsa_tmp_cb (..._TMP_RSA_CB).
     [Bodo Moeller; problem reported by Amit Chopra]

  *) Add missing DSA library text string. Work around for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

  *) Add a document (doc/standards.txt) that list all kinds of standards
     and so on that are implemented in OpenSSL.
     [Richard Levitte]

  *) Enhance c_rehash script. Old version would mishandle certificates
     with the same subject name hash and wouldn't handle CRLs at all.
     Added -fingerprint option to crl utility, to support new c_rehash
     features.
     [Steve Henson]

  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
Commit	Line	Data
651d0aff	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
c90341a1 RL	5	Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
c90341a1 RL	6
1f4643a2 BM	7	*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
	8	[Bodo Moeller]
	9
fb0b844a	10	*) Addition of the command line parameter '-rand file' to 'openssl req'.
1023b122 RL	11	The given file adds to whatever has already been seeded into the
	12	random pool through the RANDFILE configuration file option or
	13	environment variable, or the default random state file.
fb0b844a RL	14	[Richard Levitte]
fb0b844a RL	15
4dd45354 DSH	16	*) mkstack.pl now sorts each macro group into lexical order.
	17	Previously the output order depended on the order the files
	18	appeared in the directory, resulting in needless rewriting
	19	of safestack.h .
	20	[Steve Henson]
	21
13083215 DSH	22	*) Patches to make OpenSSL compile under Win32 again. Mostly
	23	work arounds for the VC++ problem that it treats func() as
	24	func(void). Also stripped out the parts of mkdef.pl that
	25	added extra typesafe functions: these no longer exist.
	26	[Steve Henson]
	27
3aceb94b DSH	28	*) Reorganisation of the stack code. The macros are now all
	29	collected in safestack.h . Each macro is defined in terms of
	30	a "stack macro" of the form SKM_<name>(type, a, b). The
	31	DEBUG_SAFESTACK is now handled in terms of function casts,
	32	this has the advantage of retaining type safety without the
	33	use of additional functions. If DEBUG_SAFESTACK is not defined
	34	then the non typesafe macros are used instead. Also modified the
	35	mkstack.pl script to handle the new form. Needs testing to see
	36	if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
7ef82068 DSH	37	the default if no major problems. Similar behaviour for ASN1_SET_OF
7ef82068 DSH	38	and PKCS12_STACK_OF.
3aceb94b DSH	39	[Steve Henson]
3aceb94b DSH	40
d3ed8ceb DSH	41	*) When some versions of IIS use the 'NET' form of private key the
	42	key derivation algorithm is different. Normally MD5(password) is
	43	used as a 128 bit RC4 key. In the modified case
	44	MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some
	45	new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
	46	as the old Netscape_RSA functions except they have an additional
	47	'sgckey' parameter which uses the modified algorithm. Also added
	48	an -sgckey command line option to the rsa utility. Thanks to
	49	Adrian Peck <bertie@ncipher.com> for posting details of the modified
	50	algorithm to openssl-dev.
	51	[Steve Henson]
	52
e366f2b8 DSH	53	*) The evp_local.h macros were using 'c.##kname' which resulted in
	54	invalid expansion on some systems (SCO 5.0.5 for example).
	55	Corrected to 'c.kname'.
	56	[Phillip Porch <root@theporch.com>]
	57
a91dedca DSH	58	*) New X509_get1_email() and X509_REQ_get1_email() functions that return
	59	a STACK of email addresses from a certificate or request, these look
	60	in the subject name and the subject alternative name extensions and
	61	omit any duplicate addresses.
	62	[Steve Henson]
	63
dc434bbc BM	64	*) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
	65	This makes DSA verification about 2 % faster.
	66	[Bodo Moeller]
	67
	68	*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
	69	(meaning that now 2^5 values will be precomputed, which is only 4 KB
	70	plus overhead for 1024 bit moduli).
	71	This makes exponentiations about 0.5 % faster for 1024 bit
	72	exponents (as measured by "openssl speed rsa2048").
	73	[Bodo Moeller]
	74
947b3b8b BM	75	*) Rename memory handling macros to avoid conflicts with other
	76	software:
	77	Malloc => OPENSSL_malloc
	78	Malloc_locked => OPENSSL_malloc_locked
	79	Realloc => OPENSSL_realloc
	80	Free => OPENSSL_free
	81	[Richard Levitte]
	82
482a9d41 BM	83	*) New function BN_mod_exp_mont_word for small bases (roughly 15%
482a9d41 BM	84	faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
6dad7bd6 BM	85	[Bodo Moeller]
6dad7bd6 BM	86
be5d92e0 UM	87	*) CygWin32 support.
	88	[John Jarvie <jjarvie@newsguy.com>]
	89
e41c8d6a GT	90	*) The type-safe stack code has been rejigged. It is now only compiled
	91	in when OpenSSL is configured with the DEBUG_SAFESTACK option and
	92	by default all type-specific stack functions are "#define"d back to
	93	standard stack functions. This results in more streamlined output
	94	but retains the type-safety checking possibilities of the original
	95	approach.
	96	[Geoff Thorpe]
	97
ccd86b68 GT	98	*) The STACK code has been cleaned up, and certain type declarations
	99	that didn't make a lot of sense have been brought in line. This has
	100	also involved a cleanup of sorts in safestack.h to more correctly
	101	map type-safe stack functions onto their plain stack counterparts.
	102	This work has also resulted in a variety of "const"ifications of
	103	lots of the code, especially "_cmp" operations which should normally
	104	be prototyped with "const" parameters anyway.
	105	[Geoff Thorpe]
	106
361ee973 BM	107	*) When generating bytes for the first time in md_rand.c, 'stir the pool'
	108	by seeding with STATE_SIZE dummy bytes (with zero entropy count).
	109	(The PRNG state consists of two parts, the large pool 'state' and 'md',
	110	where all of 'md' is used each time the PRNG is used, but 'state'
	111	is used only indexed by a cyclic counter. As entropy may not be
	112	well distributed from the beginning, 'md' is important as a
	113	chaining variable. However, the output function chains only half
	114	of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
	115	all of 'md', and seeding with STATE_SIZE dummy bytes will result
	116	in all of 'state' being rewritten, with the new values depending
	117	on virtually all of 'md'. This overcomes the 80 bit limitation.)
	118	[Bodo Moeller]
	119
49528751 DSH	120	*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
	121	the handshake is continued after ssl_verify_cert_chain();
	122	otherwise, if SSL_VERIFY_NONE is set, remaining error codes
	123	can lead to 'unexplainable' connection aborts later.
	124	[Bodo Moeller; problem tracked down by Lutz Jaenicke]
	125
	126	*) Major EVP API cipher revision.
	127	Add hooks for extra EVP features. This allows various cipher
	128	parameters to be set in the EVP interface. Support added for variable
	129	key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
	130	setting of RC2 and RC5 parameters.
	131
	132	Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
	133	ciphers.
	134
	135	Remove lots of duplicated code from the EVP library. For example every
360370d9 DSH	136	cipher init() function handles the 'iv' in the same way according to the
	137	cipher mode. They also all do nothing if the 'key' parameter is NULL and
	138	for CFB and OFB modes they zero ctx->num.
	139
49528751 DSH	140	New functionality allows removal of S/MIME code RC2 hack.
49528751 DSH	141
57ae2e24 DSH	142	Most of the routines have the same form and so can be declared in terms
	143	of macros.
	144
360370d9 DSH	145	By shifting this to the top level EVP_CipherInit() it can be removed from
	146	all individual ciphers. If the cipher wants to handle IVs or keys
	147	differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
	148	flags.
be06a934 DSH	149
	150	Change lots of functions like EVP_EncryptUpdate() to now return a
	151	value: although software versions of the algorithms cannot fail
	152	any installed hardware versions can.
7f060601 DSH	153	[Steve Henson]
7f060601 DSH	154
2c05c494 BM	155	*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
	156	this option is set, tolerate broken clients that send the negotiated
	157	protocol version number instead of the requested protocol version
	158	number.
	159	[Bodo Moeller]
	160
	161	*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
	162	i.e. non-zero for export ciphersuites, zero otherwise.
	163	Previous versions had this flag inverted, inconsistent with
	164	rsa_tmp_cb (..._TMP_RSA_CB).
	165	[Bodo Moeller; problem reported by Amit Chopra]
	166
b4b41f48 DSH	167	*) Add missing DSA library text string. Work around for some IIS
	168	key files with invalid SEQUENCE encoding.
	169	[Steve Henson]
	170
6d7cce48 RL	171	*) Add a document (doc/standards.txt) that list all kinds of standards
	172	and so on that are implemented in OpenSSL.
	173	[Richard Levitte]
	174
439df508 DSH	175	*) Enhance c_rehash script. Old version would mishandle certificates
	176	with the same subject name hash and wouldn't handle CRLs at all.
	177	Added -fingerprint option to crl utility, to support new c_rehash
	178	features.
	179	[Steve Henson]
	180
0e1c0612	181	*) Eliminate non-ANSI declarations in crypto.h and stack.h.
2c05c494	182