[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.4 and 0.9.5  [xx XXX 1999]

  *) Initial support for certificate extension requests, these are included
     in things like Xenroll certificate requests. They will later be used to
     allow PKCS#10 requests to include a list of "requested extensions" which
     can be added.
     [Steve Henson]

  *) -crlf option to s_client and s_server for sending newlines as
     CRLF (as required by many protocols).
     [Bodo Moeller]

 Changes between 0.9.3a and 0.9.4  [09 Aug 1999]
  
  *) Install libRSAglue.a when OpenSSL is built with RSAref.
     [Ralf S. Engelschall]

  *) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
     [Andrija Antonijevic <TheAntony2@bigfoot.com>]

  *) Fix -startdate and -enddate (which was missing) arguments to 'ca'
     program.
     [Steve Henson]

  *) New function DSA_dup_DH, which duplicates DSA parameters/keys as
     DH parameters/keys (q is lost during that conversion, but the resulting
     DH parameters contain its length).

     For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
     much faster than DH_generate_parameters (which creates parameters
     where p = 2*q + 1), and also the smaller q makes DH computations
     much more efficient (160-bit exponentiation instead of 1024-bit
     exponentiation); so this provides a convenient way to support DHE
     ciphersuites in SSL/TLS servers (see ssl/ssltest.c).  It is of
     utter importance to use
         SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
     or
         SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
     when such DH parameters are used, because otherwise small subgroup
     attacks may become possible!
     [Bodo Moeller]

  *) Avoid memory leak in i2d_DHparams.
     [Bodo Moeller]

  *) Allow the -k option to be used more than once in the enc program:
     this allows the same encrypted message to be read by multiple recipients.
     [Steve Henson]

  *) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
     an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
     it will always use the numerical form of the OID, even if it has a short
     or long name.
     [Steve Henson]

  *) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
     method only got called if p,q,dmp1,dmq1,iqmp components were present,
     otherwise bn_mod_exp was called. In the case of hardware keys for example
     no private key components need be present and it might store extra data
     in the RSA structure, which cannot be accessed from bn_mod_exp. By setting
     RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key
     operations.
     [Steve Henson]

  *) Added support for SPARC Linux.
     [Andy Polyakov]

  *) pem_password_cb function type incompatibly changed from
          typedef int pem_password_cb(char *buf, int size, int rwflag);
     to
          ....(char *buf, int size, int rwflag, void *userdata);
     so that applications can pass data to their callbacks:
     The PEM[_ASN1]_{read,write}... functions and macros now take an
     additional void * argument, which is just handed through whenever
     the password callback is called.
     [Damien Miller <dmiller@ilogic.com.au>, with tiny changes by Bodo Moeller]

     New function SSL_CTX_set_default_passwd_cb_userdata.

     Compatibility note: As many C implementations push function arguments
     onto the stack in reverse order, the new library version is likely to
     interoperate with programs that have been compiled with the old
     pem_password_cb definition (PEM_whatever takes some data that
     happens to be on the stack as its last argument, and the callback
     just ignores this garbage); but there is no guarantee whatsoever that
     this will work.

  *) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
     (both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
     problems not only on Windows, but also on some Unix platforms.
     To avoid problematic command lines, these definitions are now in an
     auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
     for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
     [Bodo Moeller]

  *) MIPS III/IV assembler module is reimplemented.
     [Andy Polyakov]

  *) More DES library cleanups: remove references to srand/rand and
     delete an unused file.
Commit	Line	Data
651d0aff	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
d91e201e RE	5	Changes between 0.9.4 and 0.9.5 [xx XXX 1999]
d91e201e RE	6
87c49f62 DSH	7	*) Initial support for certificate extension requests, these are included
	8	in things like Xenroll certificate requests. They will later be used to
	9	allow PKCS#10 requests to include a list of "requested extensions" which
	10	can be added.
	11	[Steve Henson]
	12
1b1a6e78 BM	13	*) -crlf option to s_client and s_server for sending newlines as
	14	CRLF (as required by many protocols).
	15	[Bodo Moeller]
	16
9a577e29	17	Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
dfbaf956	18
9a577e29	19	*) Install libRSAglue.a when OpenSSL is built with RSAref.
dfbaf956	20	[Ralf S. Engelschall]
74678cc2	21
96395158 RE	22	*) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
	23	[Andrija Antonijevic <TheAntony2@bigfoot.com>]
	24
ed7f60fb DSH	25	*) Fix -startdate and -enddate (which was missing) arguments to 'ca'
	26	program.
	27	[Steve Henson]
	28
48c843c3 BM	29	*) New function DSA_dup_DH, which duplicates DSA parameters/keys as
	30	DH parameters/keys (q is lost during that conversion, but the resulting
	31	DH parameters contain its length).
	32
	33	For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
	34	much faster than DH_generate_parameters (which creates parameters
	35	where p = 2*q + 1), and also the smaller q makes DH computations
	36	much more efficient (160-bit exponentiation instead of 1024-bit
	37	exponentiation); so this provides a convenient way to support DHE
	38	ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
	39	utter importance to use
	40	SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
	41	or
	42	SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
	43	when such DH parameters are used, because otherwise small subgroup
	44	attacks may become possible!
	45	[Bodo Moeller]
	46
	47	*) Avoid memory leak in i2d_DHparams.
	48	[Bodo Moeller]
	49
922180d7 DSH	50	*) Allow the -k option to be used more than once in the enc program:
	51	this allows the same encrypted message to be read by multiple recipients.
	52	[Steve Henson]
	53
3e3d2ea2 DSH	54	*) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
	55	an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
	56	it will always use the numerical form of the OID, even if it has a short
	57	or long name.
	58	[Steve Henson]
	59
770d19b8 DSH	60	*) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
	61	method only got called if p,q,dmp1,dmq1,iqmp components were present,
	62	otherwise bn_mod_exp was called. In the case of hardware keys for example
	63	no private key components need be present and it might store extra data
	64	in the RSA structure, which cannot be accessed from bn_mod_exp. By setting
	65	RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for private key
	66	operations.
	67	[Steve Henson]
	68
a0618e3e AP	69	*) Added support for SPARC Linux.
	70	[Andy Polyakov]
	71
74678cc2 BM	72	*) pem_password_cb function type incompatibly changed from
	73	typedef int pem_password_cb(char *buf, int size, int rwflag);
	74	to
	75	....(char buf, int size, int rwflag, void userdata);
	76	so that applications can pass data to their callbacks:
	77	The PEM[_ASN1]_{read,write}... functions and macros now take an
	78	additional void * argument, which is just handed through whenever
	79	the password callback is called.
	80	[Damien Miller <dmiller@ilogic.com.au>, with tiny changes by Bodo Moeller]
	81
	82	New function SSL_CTX_set_default_passwd_cb_userdata.
	83
	84	Compatibility note: As many C implementations push function arguments
	85	onto the stack in reverse order, the new library version is likely to
	86	interoperate with programs that have been compiled with the old
	87	pem_password_cb definition (PEM_whatever takes some data that
	88	happens to be on the stack as its last argument, and the callback
	89	just ignores this garbage); but there is no guarantee whatsoever that
	90	this will work.
0cceb1c7	91
664b9985 BM	92	*) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
	93	(both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
	94	problems not only on Windows, but also on some Unix platforms.
2e0fc875	95	To avoid problematic command lines, these definitions are now in an
57119943 BM	96	auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
57119943 BM	97	for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
664b9985 BM	98	[Bodo Moeller]
664b9985 BM	99
7363455f AP	100	*) MIPS III/IV assembler module is reimplemented.
	101	[Andy Polyakov]
	102
6434450c UM	103	*) More DES library cleanups: remove references to srand/rand and
	104	delete an unused file.
	105