[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.5a and 0.9.6  [xx XXX 2000]

  *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
     STRING types. These convert content octets to and from the
     underlying type. The actual tag and length octets are
     already assumed to have been read in and checked. These
     are needed because all other string types have virtually
     identical handling apart from the tag. By having versions
     of the ASN1 functions that just operate on content octets
     IMPLICIT tagging can be handled properly. It also allows
     the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
     and ASN1_INTEGER are identical apart from the tag.
     [Steve Henson]

  *) Change the handling of OID objects as follows:

     - New object identifiers are inserted in objects.txt, following
       the syntax given in objects.README.
     - objects.pl is used to process obj_mac.num and create a new
       obj_mac.h.
     - obj_dat.pl is used to create a new obj_dat.h, using the data in
       obj_mac.h.

     This is currently kind of a hack, and the perl code in objects.pl
     isn't very elegant, but it works as I intended.  The simplest way
     to check that it worked correctly is to look in obj_dat.h and
     check the array nid_objs and make sure the objects haven't moved
     around (this is important!).  Additions are OK, as well as
     consistent name changes. 
     [Richard Levitte]

  *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
     [Bodo Moeller]

  *) Addition of the command line parameter '-rand file' to 'openssl req'.
     The given file adds to whatever has already been seeded into the
     random pool through the RANDFILE configuration file option or
     environment variable, or the default random state file.
     [Richard Levitte]

  *) mkstack.pl now sorts each macro group into lexical order.
     Previously the output order depended on the order the files
     appeared in the directory, resulting in needless rewriting
     of safestack.h .
     [Steve Henson]

  *) Patches to make OpenSSL compile under Win32 again. Mostly
     work arounds for the VC++ problem that it treats func() as
     func(void). Also stripped out the parts of mkdef.pl that
     added extra typesafe functions: these no longer exist.
     [Steve Henson]

  *) Reorganisation of the stack code. The macros are now all 
     collected in safestack.h . Each macro is defined in terms of
     a "stack macro" of the form SKM_<name>(type, a, b). The 
     DEBUG_SAFESTACK is now handled in terms of function casts,
     this has the advantage of retaining type safety without the
     use of additional functions. If DEBUG_SAFESTACK is not defined
     then the non typesafe macros are used instead. Also modified the
     mkstack.pl script to handle the new form. Needs testing to see
     if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
     the default if no major problems. Similar behaviour for ASN1_SET_OF
     and PKCS12_STACK_OF.
     [Steve Henson]

  *) When some versions of IIS use the 'NET' form of private key the
     key derivation algorithm is different. Normally MD5(password) is
     used as a 128 bit RC4 key. In the modified case
     MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
     new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
     as the old Netscape_RSA functions except they have an additional
     'sgckey' parameter which uses the modified algorithm. Also added
     an -sgckey command line option to the rsa utility. Thanks to 
     Adrian Peck <bertie@ncipher.com> for posting details of the modified
     algorithm to openssl-dev.
     [Steve Henson]

  *) The evp_local.h macros were using 'c.##kname' which resulted in
     invalid expansion on some systems (SCO 5.0.5 for example).
     Corrected to 'c.kname'.
     [Phillip Porch <root@theporch.com>]

  *) New X509_get1_email() and X509_REQ_get1_email() functions that return
     a STACK of email addresses from a certificate or request, these look
     in the subject name and the subject alternative name extensions and 
     omit any duplicate addresses.
     [Steve Henson]

  *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
     This makes DSA verification about 2 % faster.
     [Bodo Moeller]

  *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
     (meaning that now 2^5 values will be precomputed, which is only 4 KB
     plus overhead for 1024 bit moduli).
     This makes exponentiations about 0.5 % faster for 1024 bit
     exponents (as measured by "openssl speed rsa2048").
     [Bodo Moeller]

  *) Rename memory handling macros to avoid conflicts with other
     software:
          Malloc         =>  OPENSSL_malloc
          Malloc_locked  =>  OPENSSL_malloc_locked
          Realloc        =>  OPENSSL_realloc
          Free           =>  OPENSSL_free
     [Richard Levitte]

  *) New function BN_mod_exp_mont_word for small bases (roughly 15%
     faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
     [Bodo Moeller]

  *) CygWin32 support.
     [John Jarvie <jjarvie@newsguy.com>]

  *) The type-safe stack code has been rejigged. It is now only compiled
     in when OpenSSL is configured with the DEBUG_SAFESTACK option and
     by default all type-specific stack functions are "#define"d back to
     standard stack functions. This results in more streamlined output
     but retains the type-safety checking possibilities of the original
     approach.
     [Geoff Thorpe]

  *) The STACK code has been cleaned up, and certain type declarations
     that didn't make a lot of sense have been brought in line. This has
     also involved a cleanup of sorts in safestack.h to more correctly
     map type-safe stack functions onto their plain stack counterparts.
     This work has also resulted in a variety of "const"ifications of
     lots of the code, especially "_cmp" operations which should normally
     be prototyped with "const" parameters anyway.
     [Geoff Thorpe]

  *) When generating bytes for the first time in md_rand.c, 'stir the pool'
     by seeding with STATE_SIZE dummy bytes (with zero entropy count).
     (The PRNG state consists of two parts, the large pool 'state' and 'md',
     where all of 'md' is used each time the PRNG is used, but 'state'
     is used only indexed by a cyclic counter. As entropy may not be
     well distributed from the beginning, 'md' is important as a
     chaining variable. However, the output function chains only half
     of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
     all of 'md', and seeding with STATE_SIZE dummy bytes will result
     in all of 'state' being rewritten, with the new values depending
     on virtually all of 'md'.  This overcomes the 80 bit limitation.)
     [Bodo Moeller]

  *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
     the handshake is continued after ssl_verify_cert_chain();
     otherwise, if SSL_VERIFY_NONE is set, remaining error codes
     can lead to 'unexplainable' connection aborts later.
     [Bodo Moeller; problem tracked down by Lutz Jaenicke]

  *) Major EVP API cipher revision.
     Add hooks for extra EVP features. This allows various cipher
     parameters to be set in the EVP interface. Support added for variable
     key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
     setting of RC2 and RC5 parameters.

     Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
     ciphers.

     Remove lots of duplicated code from the EVP library. For example *every*
     cipher init() function handles the 'iv' in the same way according to the
     cipher mode. They also all do nothing if the 'key' parameter is NULL and
     for CFB and OFB modes they zero ctx->num.

     New functionality allows removal of S/MIME code RC2 hack.

     Most of the routines have the same form and so can be declared in terms
     of macros.

     By shifting this to the top level EVP_CipherInit() it can be removed from
     all individual ciphers. If the cipher wants to handle IVs or keys
     differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
     flags.

     Change lots of functions like EVP_EncryptUpdate() to now return a
     value: although software versions of the algorithms cannot fail
     any installed hardware versions can.
     [Steve Henson]

  *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
     this option is set, tolerate broken clients that send the negotiated
     protocol version number instead of the requested protocol version
     number.
     [Bodo Moeller]

  *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
     i.e. non-zero for export ciphersuites, zero otherwise.
     Previous versions had this flag inverted, inconsistent with
     rsa_tmp_cb (..._TMP_RSA_CB).
     [Bodo Moeller; problem reported by Amit Chopra]

  *) Add missing DSA library text string. Work around for some IIS
     key files with invalid SEQUENCE encoding.
     [Steve Henson]

  *) Add a document (doc/standards.txt) that list all kinds of standards
     and so on that are implemented in OpenSSL.
     [Richard Levitte]

  *) Enhance c_rehash script. Old version would mishandle certificates
     with the same subject name hash and wouldn't handle CRLs at all.
     Added -fingerprint option to crl utility, to support new c_rehash
     features.
     [Steve Henson]

  *) Eliminate non-ANSI declarations in crypto.h and stack.h.
Commit	Line	Data
651d0aff	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
c90341a1 RL	5	Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
c90341a1 RL	6
a338e21b DSH	7	) New ASN1 functions, i2c_ and c2i_* for INTEGER and BIT
	8	STRING types. These convert content octets to and from the
	9	underlying type. The actual tag and length octets are
	10	already assumed to have been read in and checked. These
	11	are needed because all other string types have virtually
	12	identical handling apart from the tag. By having versions
	13	of the ASN1 functions that just operate on content octets
	14	IMPLICIT tagging can be handled properly. It also allows
	15	the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
	16	and ASN1_INTEGER are identical apart from the tag.
	17	[Steve Henson]
	18
d5870bbe RL	19	*) Change the handling of OID objects as follows:
	20
	21	- New object identifiers are inserted in objects.txt, following
	22	the syntax given in objects.README.
	23	- objects.pl is used to process obj_mac.num and create a new
	24	obj_mac.h.
	25	- obj_dat.pl is used to create a new obj_dat.h, using the data in
	26	obj_mac.h.
	27
	28	This is currently kind of a hack, and the perl code in objects.pl
	29	isn't very elegant, but it works as I intended. The simplest way
	30	to check that it worked correctly is to look in obj_dat.h and
	31	check the array nid_objs and make sure the objects haven't moved
	32	around (this is important!). Additions are OK, as well as
	33	consistent name changes.
	34	[Richard Levitte]
	35
1f4643a2 BM	36	*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
	37	[Bodo Moeller]
	38
fb0b844a	39	*) Addition of the command line parameter '-rand file' to 'openssl req'.
1023b122 RL	40	The given file adds to whatever has already been seeded into the
	41	random pool through the RANDFILE configuration file option or
	42	environment variable, or the default random state file.
fb0b844a RL	43	[Richard Levitte]
fb0b844a RL	44
4dd45354 DSH	45	*) mkstack.pl now sorts each macro group into lexical order.
	46	Previously the output order depended on the order the files
	47	appeared in the directory, resulting in needless rewriting
	48	of safestack.h .
	49	[Steve Henson]
	50
13083215 DSH	51	*) Patches to make OpenSSL compile under Win32 again. Mostly
	52	work arounds for the VC++ problem that it treats func() as
	53	func(void). Also stripped out the parts of mkdef.pl that
	54	added extra typesafe functions: these no longer exist.
	55	[Steve Henson]
	56
3aceb94b DSH	57	*) Reorganisation of the stack code. The macros are now all
	58	collected in safestack.h . Each macro is defined in terms of
	59	a "stack macro" of the form SKM_<name>(type, a, b). The
	60	DEBUG_SAFESTACK is now handled in terms of function casts,
	61	this has the advantage of retaining type safety without the
	62	use of additional functions. If DEBUG_SAFESTACK is not defined
	63	then the non typesafe macros are used instead. Also modified the
	64	mkstack.pl script to handle the new form. Needs testing to see
	65	if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
7ef82068 DSH	66	the default if no major problems. Similar behaviour for ASN1_SET_OF
7ef82068 DSH	67	and PKCS12_STACK_OF.
3aceb94b DSH	68	[Steve Henson]
3aceb94b DSH	69
d3ed8ceb DSH	70	*) When some versions of IIS use the 'NET' form of private key the
	71	key derivation algorithm is different. Normally MD5(password) is
	72	used as a 128 bit RC4 key. In the modified case
	73	MD5(MD5(password) + "SGCKEYSALT") is used insted. Added some
	74	new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
	75	as the old Netscape_RSA functions except they have an additional
	76	'sgckey' parameter which uses the modified algorithm. Also added
	77	an -sgckey command line option to the rsa utility. Thanks to
	78	Adrian Peck <bertie@ncipher.com> for posting details of the modified
	79	algorithm to openssl-dev.
	80	[Steve Henson]
	81
e366f2b8 DSH	82	*) The evp_local.h macros were using 'c.##kname' which resulted in
	83	invalid expansion on some systems (SCO 5.0.5 for example).
	84	Corrected to 'c.kname'.
	85	[Phillip Porch <root@theporch.com>]
	86
a91dedca DSH	87	*) New X509_get1_email() and X509_REQ_get1_email() functions that return
	88	a STACK of email addresses from a certificate or request, these look
	89	in the subject name and the subject alternative name extensions and
	90	omit any duplicate addresses.
	91	[Steve Henson]
	92
dc434bbc BM	93	*) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
	94	This makes DSA verification about 2 % faster.
	95	[Bodo Moeller]
	96
	97	*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
	98	(meaning that now 2^5 values will be precomputed, which is only 4 KB
	99	plus overhead for 1024 bit moduli).
	100	This makes exponentiations about 0.5 % faster for 1024 bit
	101	exponents (as measured by "openssl speed rsa2048").
	102	[Bodo Moeller]
	103
947b3b8b BM	104	*) Rename memory handling macros to avoid conflicts with other
	105	software:
	106	Malloc => OPENSSL_malloc
	107	Malloc_locked => OPENSSL_malloc_locked
	108	Realloc => OPENSSL_realloc
	109	Free => OPENSSL_free
	110	[Richard Levitte]
	111
482a9d41 BM	112	*) New function BN_mod_exp_mont_word for small bases (roughly 15%
482a9d41 BM	113	faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
6dad7bd6 BM	114	[Bodo Moeller]
6dad7bd6 BM	115
be5d92e0 UM	116	*) CygWin32 support.
	117	[John Jarvie <jjarvie@newsguy.com>]
	118
e41c8d6a GT	119	*) The type-safe stack code has been rejigged. It is now only compiled
	120	in when OpenSSL is configured with the DEBUG_SAFESTACK option and
	121	by default all type-specific stack functions are "#define"d back to
	122	standard stack functions. This results in more streamlined output
	123	but retains the type-safety checking possibilities of the original
	124	approach.
	125	[Geoff Thorpe]
	126
ccd86b68 GT	127	*) The STACK code has been cleaned up, and certain type declarations
	128	that didn't make a lot of sense have been brought in line. This has
	129	also involved a cleanup of sorts in safestack.h to more correctly
	130	map type-safe stack functions onto their plain stack counterparts.
	131	This work has also resulted in a variety of "const"ifications of
	132	lots of the code, especially "_cmp" operations which should normally
	133	be prototyped with "const" parameters anyway.
	134	[Geoff Thorpe]
	135
361ee973 BM	136	*) When generating bytes for the first time in md_rand.c, 'stir the pool'
	137	by seeding with STATE_SIZE dummy bytes (with zero entropy count).
	138	(The PRNG state consists of two parts, the large pool 'state' and 'md',
	139	where all of 'md' is used each time the PRNG is used, but 'state'
	140	is used only indexed by a cyclic counter. As entropy may not be
	141	well distributed from the beginning, 'md' is important as a
	142	chaining variable. However, the output function chains only half
	143	of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
	144	all of 'md', and seeding with STATE_SIZE dummy bytes will result
	145	in all of 'state' being rewritten, with the new values depending
	146	on virtually all of 'md'. This overcomes the 80 bit limitation.)
	147	[Bodo Moeller]
	148
49528751 DSH	149	*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
	150	the handshake is continued after ssl_verify_cert_chain();
	151	otherwise, if SSL_VERIFY_NONE is set, remaining error codes
	152	can lead to 'unexplainable' connection aborts later.
	153	[Bodo Moeller; problem tracked down by Lutz Jaenicke]
	154
	155	*) Major EVP API cipher revision.
	156	Add hooks for extra EVP features. This allows various cipher
	157	parameters to be set in the EVP interface. Support added for variable
	158	key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
	159	setting of RC2 and RC5 parameters.
	160
	161	Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
	162	ciphers.
	163
	164	Remove lots of duplicated code from the EVP library. For example every
360370d9 DSH	165	cipher init() function handles the 'iv' in the same way according to the
	166	cipher mode. They also all do nothing if the 'key' parameter is NULL and
	167	for CFB and OFB modes they zero ctx->num.
	168
49528751 DSH	169	New functionality allows removal of S/MIME code RC2 hack.
49528751 DSH	170
57ae2e24 DSH	171	Most of the routines have the same form and so can be declared in terms
	172	of macros.
	173
360370d9 DSH	174	By shifting this to the top level EVP_CipherInit() it can be removed from
	175	all individual ciphers. If the cipher wants to handle IVs or keys
	176	differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
	177	flags.
be06a934 DSH	178
	179	Change lots of functions like EVP_EncryptUpdate() to now return a
	180	value: although software versions of the algorithms cannot fail
	181	any installed hardware versions can.
7f060601 DSH	182	[Steve Henson]
7f060601 DSH	183
2c05c494 BM	184	*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
	185	this option is set, tolerate broken clients that send the negotiated
	186	protocol version number instead of the requested protocol version
	187	number.
	188	[Bodo Moeller]
	189
	190	*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
	191	i.e. non-zero for export ciphersuites, zero otherwise.
	192	Previous versions had this flag inverted, inconsistent with
	193	rsa_tmp_cb (..._TMP_RSA_CB).
	194	[Bodo Moeller; problem reported by Amit Chopra]
	195
b4b41f48 DSH	196	*) Add missing DSA library text string. Work around for some IIS
	197	key files with invalid SEQUENCE encoding.
	198	[Steve Henson]
	199
6d7cce48 RL	200	*) Add a document (doc/standards.txt) that list all kinds of standards
	201	and so on that are implemented in OpenSSL.
	202	[Richard Levitte]
	203
439df508 DSH	204	*) Enhance c_rehash script. Old version would mishandle certificates
	205	with the same subject name hash and wouldn't handle CRLs at all.
	206	Added -fingerprint option to crl utility, to support new c_rehash
	207	features.
	208	[Steve Henson]
	209
0e1c0612	210	*) Eliminate non-ANSI declarations in crypto.h and stack.h.
2c05c494	211