Changes from version 11:
========================

NOTE: Caesarion v12 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade at your earliest opportunity and regenerate/redistribute
      keys due to the improvements listed below:

  Note on integrity and the use of HMACs: Integrity checks are necessary
to prevent chosen-ciphertext attacks. However, I have decided that these
are not necessary in Caesarion;
  For encrypted public/private keys, a chosen-ciphertext attack should not
reveal any useful information to an adversary since the decrypted keys are
then used in the relatively complicated RSA public-key cryptosystem (which
has adversary-unknown parameters).
  For non-key files, it is unlikely that an adversary would be in a position
to make the target decrypt a chosen-ciphertext and then be able to acquire
the decrypted chosen-ciphertext.

o Non-critical security fix: Upgrade to Leopard14/L14 CSPRNG/cipher,
  since two fairly serious problems were discovered in Leopard13/L13.
o New .L14 extension for encrypted files (file.L13 -> file.L14).
o Make the Cipher-Packet technique use a proper IV to ensure that the
  output sequence from L14 is never reused. The IV is hidden in the
  ciphertext, since it appears after the initial start-pad whose size
  is adversary-unknown.
o Fix a mistake in the cion_encrypt.1 manual page source.
o Add an important security recommendation to DOCS/USER-SECURITY.TXT.
o Fix a typo in the conditional compilation cpp directives in FileCrypt.h.
o Add a self-test to class Startup to assert that "ByteType" is exactly
  eight bits in size, before program execution.
o Add missing "FileUtil.h" header to cion_fencrypt.cxx and cion_fdecrypt.cxx.
o Add missing "ByteType.h" header to cion_decrypt.cxx, cion_encrypt.cxx and
  cion_keygen.cxx.
o Use a better method of assigning signature "startPad" in cion_encrypt.cxx.
o Updated documentation.

Changes from version 10:
========================

o Fix an indentation mistake in Key::WriteKey().
o Remove an incorrect statement from DOCS/INSTRUCTIONS.TXT.
o Non-critical security improvement: Use BN_clear(), memset(3) and other
  methods to clear memory containing sensitive information before exit(3).
o Non-critical security improvement: Guarantee there are no unconcealed
  messages.
o Simplify Random.h.
o Import new Leopard.h source code with memory clearing destructor.
o Due to recent changes it was possible to make more pointers const.
o Updated documentation.
o Fix a nroff-mdoc mistake in the cion_fdecrypt(1) manual page.
o Some small cleanups.

Changes from version 9:
=======================

NOTE: Caesarion v10 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade at your earliest opportunity and regenerate/redistribute
      keys due to the improvements listed below:

o Assert BN_is_prime() doesn't return -1 in cion_keygen.cxx
o Remove duplicated source code by adding FileUtil::FOpenErrCheck(),
  FileUtil::FOpenEmptyCheck() and FileUtil::FCloseErrCheck().
o Add a missing assertion in Key::ReadKey().
o Don't assign saltLen with 1 when entropy returns 0 (by using a do-while).
  This helps protect against Coppersmith's attacks.
o Make cion_fencrypt(1) and cion_fdecrypt(1) use a secure umask (minor
  security fix).
o Non-critical security improvement: Change the cipher-packet technique to
  encode and use a per-packet true-random initialization-vector. This ensures
  that initial sp-len is different for passwords which are the same (before,
  sp-len was always initially the same value for same-passwords). It also
  decimates the CSPRNG output sequence making it different even for passwords
  which are the same, increasing security (especially same-password security).
o Non-critical security improvement: Make the cipher-packet technique read/write
  an initial pseudo-random-sized random-pad, preventing an adversary from
  being able to isolate the start of the first cipher-packet (in the
  ciphertext).

Changes from version 8:
=======================

NOTE: Caesarion v9 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade at your earliest opportunity and regenerate/redistribute
      keys due to the improvements listed below:

o Update some old source code comments to the current reality.
o Add missing copyright notice to manual page sources.
o Import new Leopard.h source code and use Leoaprd13 in preference
  to Leopard12 since it has better DIEHARD BITSTREAM results and a
  "fixed" permutation algorithm. 
o Various source code name-changes and improvements to the layout/design.
o Write cion_fencrypt(1) and cion_fdecrypt(1) programs and their manual pages
  in preparation for supporting encrypted secret-public-keys.
o Clean up the Makefile.
o New Key.h file replaces ReadPublicKey.cxx and ReadPrivateKey.cxx.
o Make Caesarion read/write public-keys in binary in preparation for
  supporting encrypted secret-public-keys.
o Add support for encrypted public-keys.
o Make cion_encrypt(1) automatically enter secret-public-key mode if the
  targets public-key is encrypted.
o Non-critical security improvement: Change the cipher-packet technique so
  that start-pad-len and end-pad-len are produced directly from the CSPRNG,
  and are not encoded into the ciphertext. If they're not encoded into the
  ciphertext, there is no risk of them being compromised.
o Updated documentation and manual pages.

Changes from version 7:
=======================

NOTE: Caesarion v8 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade at your earliest opportunity and regenerate/redistribute
      keys due to the improvements listed below:

o Allow plaintext message data-size to be zero; this helps protect against
  Coppersmith's attacks and is also a non-critical security improvement.
o Make the digital signature system work in binary rather than hexadecimal.
  This should be considered a non-critical security fix.
  It also reduces the memory footprint by 0.5 megabytes.
o Non-critical security improvement: Allow zero data-size when encrypting
  the private-key.
o Create groff_mdoc manual pages and provide "maninstall" Makefile target.
o Add Cipher::DataEncrypt() reducing size of RSA_KeyGen.cxx.
o Add Cipher::DataDecrypt() reducing size of ReadPrivateKey.cxx.
o Updated documentation.

Changes from version 6:
=======================

NOTE: Caesarion v7 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade at your earliest opportunity and regenerate/redistribute
      keys due to the improvements listed below:

o Remove FileUtil::ReadUChar().
o Remove Entropy.h since the Entropy generation algorithm produced very bad
  results (it was tested with the DIEHARD test-suite). As a result of
  this change you will probably be glad to know there will be no more
  asterisks appearing on your screen.
o Replace Term.cxx with a better version.
o Replace badly written Password.cxx with a better written version.
o Replace MD5 with SHA1, since the security of MD5 is in doubt.
o Replace ARC4/5 with Leopard12.
o Continually prompt for message when accepting direct input.
o New software license.
o Updated documentation.

Changes from version 5:
=======================

NOTE: Caesarion v6 is not inter-operable with any previous version.
      If you are using a previous version of Caesarion, you are advised
      to upgrade immediately and regenerate/redistribute keys due to the
      improvements listed below:

o Bug-fix: A "bug" was discovered in the OpenSSL BN_bin2bn() function.
  The "bug" is that the BN_bin2bn() function renders the same BIGNUM value
  for the two distinct { 0, 1, 2 }, { 1, 2 } binary representations.
  This "bug" meant that it would be possible for the digital signature
  implementation to incorrectly flag a fraudulent signature if the MD5
  digest began with a byte equal to zero.
o Ensure message-size does not exceed maximum allowed limit in RSA_Decrypt.cxx.
o Read/Check "from_n" public-key before decryption starts in RSA_Decrypt.cxx.
o Read/Check "d" and "n" before encryption starts in RSA_Encrypt.cxx.
o Non-critical security improvement; alter the way the data and salt are
  encoded as follows. The first byte of the message is the salt-length.
  Upto the next 255 bytes are the salt itself. Then upto the next 255
  bytes are the actual data. This is a security improvement since previously
  an adversary knew that the data would begin at the 2nd byte in the message.
  Now an adversary is denied knowledge of where the data is in the message.
  A nice side-effect of this change is that it is has now been made possible
  to impose more stringent checks during decryption which detect an incorrect
  password or a fraudulent/corrupt ciphertext.
o Switch off the entropy generation algorithm by default (inspired by
  an OpenBSD Journal user).
o Add -e option to cion_keygen(1) and cion_encrypt(1) to activate the
  entropy generation algorithm (inspired by an OpenBSD Journal user).
o Print an asterisk when the Entropy class detects the entropy pool has
  been exhausted (reading 0 from RND_DEVICE). Thereafter, only print
  another asterisk every 1000th time exhaustion is detected (to stop spam).
o Remove FileUtil::FReadUChar() and FileUtil::FReadChar(), and use fread(3)
  in their place.
o Various source code quality improvements.
o Updated documentation.
