[thirdparty/openssl.git] / CHANGES


 OpenSSL CHANGES
 _______________

 Changes between 0.9.3a and 0.9.4

  *) Fix memory leaks in DSA_do_sign and DSA_is_prime.
     Also really enable memory leak checks in openssl.c and in some
     test programs.
     [Chad C. Mulligan, Bodo Moeller]

  *) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
     up the length of negative integers. This has now been simplified to just
     store the length when it is first determined and use it later, rather
     than trying to keep track of where data is copied and updating it to
     point to the end.
     [Steve Henson, reported by Brien Wheeler
      <bwheeler@authentica-security.com>]

  *) Add a new function PKCS7_signatureVerify. This allows the verification
     of a PKCS#7 signature but with the signing certificate passed to the
     function itself. This contrasts with PKCS7_dataVerify which assumes the
     certificate is present in the PKCS#7 structure. This isn't always the
     case: certificates can be omitted from a PKCS#7 structure and be
     distributed by "out of band" means (such as a certificate database).
     [Steve Henson]

  *) Complete the PEM_* macros with DECLARE_PEM versions to replace the
     function prototypes in pem.h, also change util/mkdef.pl to add the
     necessary function names. 
     [Steve Henson]

  *) mk1mf.pl (used by Windows builds) did not properly read the
     options set by Configure in the top level Makefile; typo fixed,
     now "no-idea" etc. works as intended.
     [Bodo Moeller]

  *) New functions CONF_load_bio() and CONF_load_fp() to allow a config
     file to be loaded from a BIO or FILE pointer. The BIO version will
     for example allow memory BIOs to contain config info.
     [Steve Henson]

  *) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
     Whoever hopes to achieve shared-library compatibility across versions
     must use this, not the compile-time macro.
     (Exercise 0.9.4: Which is the minimum library version required by
     such programs?)
     Note: All this applies only to multi-threaded programs, others don't
     need locks.
     [Bodo Moeller]

  *) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
     through a BIO pair triggered the default case, i.e.
     SSLerr(...,SSL_R_UNKNOWN_STATE).
     [Bodo Moeller]

  *) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
     can use the SSL library even if none of the specific BIOs is
     appropriate.
     [Bodo Moeller]

  *) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
     for the encoded length.
     [Jeon KyoungHo <khjeon@sds.samsung.co.kr>]

  *) Add initial documentation of the X509V3 functions.
     [Steve Henson]

  *) Add a new pair of functions PEM_write_PKCS8PrivateKey() and 
     PEM_write_bio_PKCS8PrivateKey() that are equivalent to
     PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
     secure PKCS#8 private key format with a high iteration count.
     [Steve Henson]

  *) Fix determination of Perl interpreter: A perl or perl5
     _directory_ in $PATH was also accepted as the interpreter.
     [Ralf S. Engelschall]

  *) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
     wrong with it but it was very old and did things like calling
     PEM_ASN1_read() directly and used MD5 for the hash not to mention some
     unusual formatting.
     [Steve Henson]

  *) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
     to use the new extension code.
     [Steve Henson]

  *) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
     with macros. This should make it easier to change their form, add extra
     arguments etc. Fix a few PEM prototypes which didn't have cipher as a
     constant.
     [Steve Henson]

  *) Add to configuration table a new entry that can specify an alternative
     name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
     according to Mark Crispin <MRC@Panda.COM>.
     [Bodo Moeller]

#if 0
  *) DES CBC did not update the IV. Weird.
     [Ben Laurie]
#else
     des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
     Changing the behaviour of the former might break existing programs --
     where IV updating is needed, des_ncbc_encrypt can be used.
#endif

  *) When bntest is run from "make test" it drives bc to check its
     calculations, as well as internally checking them. If an internal check
     fails, it needs to cause bc to give a non-zero result or make test carries
     on without noticing the failure. Fixed.
     [Ben Laurie]

  *) DES library cleanups.
Commit	Line	Data
651d0aff	1
f1c236f8	2	OpenSSL CHANGES
651d0aff RE	3	_______________
651d0aff RE	4
0cceb1c7 BM	5	Changes between 0.9.3a and 0.9.4
0cceb1c7 BM	6
9c729e0a BM	7	*) Fix memory leaks in DSA_do_sign and DSA_is_prime.
	8	Also really enable memory leak checks in openssl.c and in some
	9	test programs.
	10	[Chad C. Mulligan, Bodo Moeller]
	11
034292ad DSH	12	*) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
	13	up the length of negative integers. This has now been simplified to just
	14	store the length when it is first determined and use it later, rather
	15	than trying to keep track of where data is copied and updating it to
	16	point to the end.
	17	[Steve Henson, reported by Brien Wheeler
	18	<bwheeler@authentica-security.com>]
	19
170afce5 DSH	20	*) Add a new function PKCS7_signatureVerify. This allows the verification
	21	of a PKCS#7 signature but with the signing certificate passed to the
	22	function itself. This contrasts with PKCS7_dataVerify which assumes the
	23	certificate is present in the PKCS#7 structure. This isn't always the
	24	case: certificates can be omitted from a PKCS#7 structure and be
	25	distributed by "out of band" means (such as a certificate database).
	26	[Steve Henson]
	27
dbd665c2 DSH	28	) Complete the PEM_ macros with DECLARE_PEM versions to replace the
	29	function prototypes in pem.h, also change util/mkdef.pl to add the
	30	necessary function names.
	31	[Steve Henson]
	32
f76a8084 BM	33	*) mk1mf.pl (used by Windows builds) did not properly read the
	34	options set by Configure in the top level Makefile; typo fixed,
	35	now "no-idea" etc. works as intended.
	36	[Bodo Moeller]
	37
8623f693 DSH	38	*) New functions CONF_load_bio() and CONF_load_fp() to allow a config
	39	file to be loaded from a BIO or FILE pointer. The BIO version will
	40	for example allow memory BIOs to contain config info.
	41	[Steve Henson]
	42
a111306b BM	43	*) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
	44	Whoever hopes to achieve shared-library compatibility across versions
	45	must use this, not the compile-time macro.
11af1a27 BM	46	(Exercise 0.9.4: Which is the minimum library version required by
	47	such programs?)
	48	Note: All this applies only to multi-threaded programs, others don't
	49	need locks.
a111306b BM	50	[Bodo Moeller]
a111306b BM	51
95d29597 BM	52	*) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
	53	through a BIO pair triggered the default case, i.e.
	54	SSLerr(...,SSL_R_UNKNOWN_STATE).
	55	[Bodo Moeller]
	56
	57	*) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
	58	can use the SSL library even if none of the specific BIOs is
	59	appropriate.
	60	[Bodo Moeller]
	61
9bce3070 DSH	62	*) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
	63	for the encoded length.
	64	[Jeon KyoungHo <khjeon@sds.samsung.co.kr>]
	65
565d1065 DSH	66	*) Add initial documentation of the X509V3 functions.
	67	[Steve Henson]
	68
b7d135b3 DSH	69	*) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
	70	PEM_write_bio_PKCS8PrivateKey() that are equivalent to
	71	PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
	72	secure PKCS#8 private key format with a high iteration count.
	73	[Steve Henson]
	74
9d9b559e RE	75	*) Fix determination of Perl interpreter: A perl or perl5
	76	_directory_ in $PATH was also accepted as the interpreter.
	77	[Ralf S. Engelschall]
	78
5f6d0ea2 DSH	79	*) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
	80	wrong with it but it was very old and did things like calling
	81	PEM_ASN1_read() directly and used MD5 for the hash not to mention some
	82	unusual formatting.
	83	[Steve Henson]
	84
f62676b9 DSH	85	*) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
	86	to use the new extension code.
	87	[Steve Henson]
	88
	89	*) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
	90	with macros. This should make it easier to change their form, add extra
	91	arguments etc. Fix a few PEM prototypes which didn't have cipher as a
	92	constant.
	93	[Steve Henson]
	94
8151f52a BM	95	*) Add to configuration table a new entry that can specify an alternative
	96	name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
	97	according to Mark Crispin <MRC@Panda.COM>.
	98	[Bodo Moeller]
	99
c77f47ab	100	#if 0
05861c77 BL	101	*) DES CBC did not update the IV. Weird.
05861c77 BL	102	[Ben Laurie]
c77f47ab	103	#else
a7bd0396 BM	104	des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
	105	Changing the behaviour of the former might break existing programs --
	106	where IV updating is needed, des_ncbc_encrypt can be used.
c77f47ab	107	#endif
05861c77	108
233bf734 BL	109	*) When bntest is run from "make test" it drives bc to check its
	110	calculations, as well as internally checking them. If an internal check
	111	fails, it needs to cause bc to give a non-zero result or make test carries
	112	on without noticing the failure. Fixed.
	113	[Ben Laurie]
	114
908eb7b8 UM	115	*) DES library cleanups.
	116