git.ipfire.org Git - thirdparty/openssl.git/blame - CHANGES
Don't use inline assembler when configured for "no-asm".

 OpenSSL CHANGES
 _______________

 Changes between 0.9.3a and 0.9.4

  *) Add a new function PKCS7_signatureVerify. This allows the verification
     of a PKCS#7 signature but with the signing certificate passed to the
     function itself. This contrasts with PKCS7_dataVerify which assumes the
     certificate is present in the PKCS#7 structure. This isn't always the
     case: certificates can be omitted from a PKCS#7 structure and be
     distributed by "out of band" means (such as a certificate database).
     [Steve Henson]

  *) Complete the PEM_* macros with DECLARE_PEM versions to replace the
     function prototypes in pem.h, also change util/mkdef.pl to add the
     necessary function names.
     [Steve Henson]

  *) mk1mf.pl (used by Windows builds) did not properly read the
     options set by Configure in the top level Makefile; typo fixed,
     now "no-idea" etc. works as intended.
     [Bodo Moeller]

  *) New functions CONF_load_bio() and CONF_load_fp() to allow a config
     file to be loaded from a BIO or FILE pointer. The BIO version will
     for example allow memory BIOs to contain config info.
     [Steve Henson]

  *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
     Whoever hopes to achieve shared-library compatibility across versions
     must use this, not the compile-time macro.
     (Exercise 0.9.4: Which is the minimum library version required by
     such programs?)
     Note: All this applies only to multi-threaded programs, others don't
     need locks.
     [Bodo Moeller]

  *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
     through a BIO pair triggered the default case, i.e.
     SSLerr(...,SSL_R_UNKNOWN_STATE).
     [Bodo Moeller]

  *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
     can use the SSL library even if none of the specific BIOs is
     appropriate.
     [Bodo Moeller]

  *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
     for the encoded length.
     [Jeon KyoungHo <khjeon@sds.samsung.co.kr>]

  *) Add initial documentation of the X509V3 functions.
     [Steve Henson]

  *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
     PEM_write_bio_PKCS8PrivateKey() that are equivalent to
     PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
     secure PKCS#8 private key format with a high iteration count.
     [Steve Henson]

  *) Fix determination of Perl interpreter: A perl or perl5
     _directory_ in $PATH was also accepted as the interpreter.
     [Ralf S. Engelschall]

  *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
     wrong with it but it was very old and did things like calling
     PEM_ASN1_read() directly and used MD5 for the hash not to mention some
     unusual formatting.
     [Steve Henson]

  *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
     to use the new extension code.
     [Steve Henson]

  *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
     with macros. This should make it easier to change their form, add extra
     arguments etc. Fix a few PEM prototypes which didn't have cipher as a
     constant.
     [Steve Henson]

  *) Add to configuration table a new entry that can specify an alternative
     name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
     according to Mark Crispin <MRC@Panda.COM>.
     [Bodo Moeller]

#if 0
  *) DES CBC did not update the IV. Weird.
     [Ben Laurie]
#else
     des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
     Changing the behaviour of the former might break existing programs --
     where IV updating is needed, des_ncbc_encrypt can be used.
#endif

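The IV-update difference in the entry above matters when one message is encrypted across several calls. The following is an added example, not code from OpenSSL or from this CHANGES file: it models both behaviours with a toy 64-bit permutation in place of DES, and every name in it (`toy_encrypt`, `cbc`, `two_call_result`) as well as the key, IV and message are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLK 8
#define MATCHES_ONESHOT 1 /* two-call output equals CBC over the whole message */
#define REPEAT_VISIBLE 2  /* identical plaintext halves gave identical ciphertext */
/* Constructed sample message: two identical 16-byte halves. */
static const uint8_t MSG[] = "SAMEBLOCKSAMEBLKSAMEBLOCKSAMEBLK";
/* Toy 64-bit keyed permutation standing in for DES. NOT a real cipher. */
static void toy_encrypt(const uint8_t *in, uint8_t *out) {
    uint64_t x = 0;
    for (int i = 0; i < BLK; i++) x = (x << 8) | in[i];
    for (uint64_t r = 0; r < 4; r++) {
        x ^= 0x0123456789ABCDEFULL + r; /* constructed key */
        x *= 0x9E3779B97F4A7C15ULL;     /* odd multiplier: invertible mod 2^64 */
        x ^= x >> 29;                   /* xorshift: invertible */
    }
    for (int i = BLK - 1; i >= 0; i--) { out[i] = (uint8_t)x; x >>= 8; }
}
/* CBC over len bytes (multiple of BLK). update_iv=0 leaves the caller's IV
   untouched (the des_cbc_encrypt behaviour in the entry); update_iv=1 stores
   the last ciphertext block back into iv (the des_ncbc_encrypt behaviour). */
static void cbc(const uint8_t *in, uint8_t *out, size_t len, uint8_t *iv, int update_iv) {
    uint8_t chain[BLK], x[BLK];
    memcpy(chain, iv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        for (int i = 0; i < BLK; i++) x[i] = in[off + i] ^ chain[i];
        toy_encrypt(x, out + off);
        memcpy(chain, out + off, BLK);
    }
    if (update_iv) memcpy(iv, chain, BLK);
}
/* Encrypt MSG as two 16-byte calls sharing one IV buffer, then compare with
   one-shot CBC. Returns MATCHES_ONESHOT and/or REPEAT_VISIBLE as bit flags. */
int two_call_result(int update_iv) {
    uint8_t a[32], b[32];
    uint8_t iv[BLK] = {1, 2, 3, 4, 5, 6, 7, 8}, iv1[BLK] = {1, 2, 3, 4, 5, 6, 7, 8};
    cbc(MSG, a, 16, iv, update_iv);
    cbc(MSG + 16, a + 16, 16, iv, update_iv);
    cbc(MSG, b, 32, iv1, 0);
    return (memcmp(a, b, 32) == 0) | ((memcmp(a, a + 16, 16) == 0) << 1);
}
int main(void) {
    for (int u = 0; u <= 1; u++)
        printf("update_iv=%d flags=%d\n", u, two_call_result(u));
    return 0;
}
```

Without the IV update, the second call restarts the chain from the original IV, so the repeated half of the plaintext is visible as a repeated half of the ciphertext.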
  *) When bntest is run from "make test" it drives bc to check its
     calculations, as well as internally checking them. If an internal check
     fails, it needs to cause bc to give a non-zero result or make test carries
     on without noticing the failure. Fixed.
     [Ben Laurie]

  *) DES library cleanups.
