Home | History | Annotate | Line # | Download | only in dist
      1 
      2  OpenSSL CHANGES
      3  _______________
      4 
      5  Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
      6 
      7   *) Missing CRL sanity check
      8 
      9      A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
     10      but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
     11      CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
     12 
     13      This issue only affects the OpenSSL 1.0.2i
     14      (CVE-2016-7052)
     15      [Matt Caswell]
     16 
     17  Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
     18 
     19   *) OCSP Status Request extension unbounded memory growth
     20 
     21      A malicious client can send an excessively large OCSP Status Request
     22      extension. If that client continually requests renegotiation, sending a
     23      large OCSP Status Request extension each time, then there will be unbounded
     24      memory growth on the server. This will eventually lead to a Denial Of
     25      Service attack through memory exhaustion. Servers with a default
     26      configuration are vulnerable even if they do not support OCSP. Builds using
     27      the "no-ocsp" build time option are not affected.
     28 
     29      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     30      (CVE-2016-6304)
     31      [Matt Caswell]
     32 
     33   *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
     34      HIGH to MEDIUM.
     35 
     36      This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
     37      Leurent (INRIA)
     38      (CVE-2016-2183)
     39      [Rich Salz]
     40 
     41   *) OOB write in MDC2_Update()
     42 
     43      An overflow can occur in MDC2_Update() either if called directly or
     44      through the EVP_DigestUpdate() function using MDC2. If an attacker
     45      is able to supply very large amounts of input data after a previous
     46      call to EVP_EncryptUpdate() with a partial block then a length check
     47      can overflow resulting in a heap corruption.
     48 
     49      The amount of data needed is comparable to SIZE_MAX which is impractical
     50      on most platforms.
     51 
     52      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     53      (CVE-2016-6303)
     54      [Stephen Henson]
     55 
     56   *) Malformed SHA512 ticket DoS
     57 
     58      If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
     59      DoS attack where a malformed ticket will result in an OOB read which will
     60      ultimately crash.
     61 
     62      The use of SHA512 in TLS session tickets is comparatively rare as it requires
     63      a custom server callback and ticket lookup mechanism.
     64 
     65      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     66      (CVE-2016-6302)
     67      [Stephen Henson]
     68 
     69   *) OOB write in BN_bn2dec()
     70 
     71      The function BN_bn2dec() does not check the return value of BN_div_word().
     72      This can cause an OOB write if an application uses this function with an
     73      overly large BIGNUM. This could be a problem if an overly large certificate
     74      or CRL is printed out from an untrusted source. TLS is not affected because
     75      record limits will reject an oversized certificate before it is parsed.
     76 
     77      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     78      (CVE-2016-2182)
     79      [Stephen Henson]
     80 
     81   *) OOB read in TS_OBJ_print_bio()
     82 
     83      The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
     84      the total length the OID text representation would use and not the amount
     85      of data written. This will result in OOB reads when large OIDs are
     86      presented.
     87 
     88      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     89      (CVE-2016-2180)
     90      [Stephen Henson]
     91 
     92   *) Pointer arithmetic undefined behaviour
     93 
     94      Avoid some undefined pointer arithmetic
     95 
     96      A common idiom in the codebase is to check limits in the following manner:
     97      "p + len > limit"
     98 
     99      Where "p" points to some malloc'd data of SIZE bytes and
    100      limit == p + SIZE
    101 
    102      "len" here could be from some externally supplied data (e.g. from a TLS
    103      message).
    104 
    105      The rules of C pointer arithmetic are such that "p + len" is only well
    106      defined where len <= SIZE. Therefore the above idiom is actually
    107      undefined behaviour.
    108 
    109      For example this could cause problems if some malloc implementation
    110      provides an address for "p" such that "p + len" actually overflows for
    111      values of len that are too big and therefore p + len < limit.
    112 
    113      This issue was reported to OpenSSL by Guido Vranken
    114      (CVE-2016-2177)
    115      [Matt Caswell]
    116 
    117   *) Constant time flag not preserved in DSA signing
    118 
    119      Operations in the DSA signing algorithm should run in constant time in
    120      order to avoid side channel attacks. A flaw in the OpenSSL DSA
    121      implementation means that a non-constant time codepath is followed for
    122      certain operations. This has been demonstrated through a cache-timing
    123      attack to be sufficient for an attacker to recover the private DSA key.
    124 
    125      This issue was reported by Csar Pereida (Aalto University), Billy Brumley
    126      (Tampere University of Technology), and Yuval Yarom (The University of
    127      Adelaide and NICTA).
    128      (CVE-2016-2178)
    129      [Csar Pereida]
    130 
    131   *) DTLS buffered message DoS
    132 
    133      In a DTLS connection where handshake messages are delivered out-of-order
    134      those messages that OpenSSL is not yet ready to process will be buffered
    135      for later use. Under certain circumstances, a flaw in the logic means that
    136      those messages do not get removed from the buffer even though the handshake
    137      has been completed. An attacker could force up to approx. 15 messages to
    138      remain in the buffer when they are no longer required. These messages will
    139      be cleared when the DTLS connection is closed. The default maximum size for
    140      a message is 100k. Therefore the attacker could force an additional 1500k
    141      to be consumed per connection. By opening many simulataneous connections an
    142      attacker could cause a DoS attack through memory exhaustion.
    143 
    144      This issue was reported to OpenSSL by Quan Luo.
    145      (CVE-2016-2179)
    146      [Matt Caswell]
    147 
    148   *) DTLS replay protection DoS
    149 
    150      A flaw in the DTLS replay attack protection mechanism means that records
    151      that arrive for future epochs update the replay protection "window" before
    152      the MAC for the record has been validated. This could be exploited by an
    153      attacker by sending a record for the next epoch (which does not have to
    154      decrypt or have a valid MAC), with a very large sequence number. This means
    155      that all subsequent legitimate packets are dropped causing a denial of
    156      service for a specific DTLS connection.
    157 
    158      This issue was reported to OpenSSL by the OCAP audit team.
    159      (CVE-2016-2181)
    160      [Matt Caswell]
    161 
    162   *) Certificate message OOB reads
    163 
    164      In OpenSSL 1.0.2 and earlier some missing message length checks can result
    165      in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
    166      theoretical DoS risk but this has not been observed in practice on common
    167      platforms.
    168 
    169      The messages affected are client certificate, client certificate request
    170      and server certificate. As a result the attack can only be performed
    171      against a client or a server which enables client authentication.
    172 
    173      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
    174      (CVE-2016-6306)
    175      [Stephen Henson]
    176 
    177  Changes between 1.0.2g and 1.0.2h [3 May 2016]
    178 
    179   *) Prevent padding oracle in AES-NI CBC MAC check
    180 
    181      A MITM attacker can use a padding oracle attack to decrypt traffic
    182      when the connection uses an AES CBC cipher and the server support
    183      AES-NI.
    184 
    185      This issue was introduced as part of the fix for Lucky 13 padding
    186      attack (CVE-2013-0169). The padding check was rewritten to be in
    187      constant time by making sure that always the same bytes are read and
    188      compared against either the MAC or padding bytes. But it no longer
    189      checked that there was enough data to have both the MAC and padding
    190      bytes.
    191 
    192      This issue was reported by Juraj Somorovsky using TLS-Attacker.
    193      (CVE-2016-2107)
    194      [Kurt Roeckx]
    195 
    196   *) Fix EVP_EncodeUpdate overflow
    197 
    198      An overflow can occur in the EVP_EncodeUpdate() function which is used for
    199      Base64 encoding of binary data. If an attacker is able to supply very large
    200      amounts of input data then a length check can overflow resulting in a heap
    201      corruption.
    202 
    203      Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
    204      the PEM_write_bio* family of functions. These are mainly used within the
    205      OpenSSL command line applications, so any application which processes data
    206      from an untrusted source and outputs it as a PEM file should be considered
    207      vulnerable to this issue. User applications that call these APIs directly
    208      with large amounts of untrusted data may also be vulnerable.
    209 
    210      This issue was reported by Guido Vranken.
    211      (CVE-2016-2105)
    212      [Matt Caswell]
    213 
    214   *) Fix EVP_EncryptUpdate overflow
    215 
    216      An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
    217      is able to supply very large amounts of input data after a previous call to
    218      EVP_EncryptUpdate() with a partial block then a length check can overflow
    219      resulting in a heap corruption. Following an analysis of all OpenSSL
    220      internal usage of the EVP_EncryptUpdate() function all usage is one of two
    221      forms. The first form is where the EVP_EncryptUpdate() call is known to be
    222      the first called function after an EVP_EncryptInit(), and therefore that
    223      specific call must be safe. The second form is where the length passed to
    224      EVP_EncryptUpdate() can be seen from the code to be some small value and
    225      therefore there is no possibility of an overflow. Since all instances are
    226      one of these two forms, it is believed that there can be no overflows in
    227      internal code due to this problem. It should be noted that
    228      EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
    229      Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
    230      of these calls have also been analysed too and it is believed there are no
    231      instances in internal usage where an overflow could occur.
    232 
    233      This issue was reported by Guido Vranken.
    234      (CVE-2016-2106)
    235      [Matt Caswell]
    236 
    237   *) Prevent ASN.1 BIO excessive memory allocation
    238 
    239      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
    240      a short invalid encoding can casuse allocation of large amounts of memory
    241      potentially consuming excessive resources or exhausting memory.
    242 
    243      Any application parsing untrusted data through d2i BIO functions is
    244      affected. The memory based functions such as d2i_X509() are *not* affected.
    245      Since the memory based functions are used by the TLS library, TLS
    246      applications are not affected.
    247 
    248      This issue was reported by Brian Carpenter.
    249      (CVE-2016-2109)
    250      [Stephen Henson]
    251 
    252   *) EBCDIC overread
    253 
    254      ASN1 Strings that are over 1024 bytes can cause an overread in applications
    255      using the X509_NAME_oneline() function on EBCDIC systems. This could result
    256      in arbitrary stack data being returned in the buffer.
    257 
    258      This issue was reported by Guido Vranken.
    259      (CVE-2016-2176)
    260      [Matt Caswell]
    261 
    262   *) Modify behavior of ALPN to invoke callback after SNI/servername
    263      callback, such that updates to the SSL_CTX affect ALPN.
    264      [Todd Short]
    265 
    266   *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
    267      default.
    268      [Kurt Roeckx]
    269 
    270   *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
    271      methods are enabled and ssl2 is disabled the methods return NULL.
    272      [Kurt Roeckx]
    273 
    274  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
    275 
    276   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
    277     Builds that are not configured with "enable-weak-ssl-ciphers" will not
    278     provide any "EXPORT" or "LOW" strength ciphers.
    279     [Viktor Dukhovni]
    280 
    281   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    282     is by default disabled at build-time.  Builds that are not configured with
    283     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    284     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    285     will need to explicitly call either of:
    286 
    287         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    288     or
    289         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
    290 
    291     as appropriate.  Even if either of those is used, or the application
    292     explicitly uses the version-specific SSLv2_method() or its client and
    293     server variants, SSLv2 ciphers vulnerable to exhaustive search key
    294     recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    295     ciphers, and SSLv2 56-bit DES are no longer available.
    296     (CVE-2016-0800)
    297     [Viktor Dukhovni]
    298 
    299   *) Fix a double-free in DSA code
    300 
    301      A double free bug was discovered when OpenSSL parses malformed DSA private
    302      keys and could lead to a DoS attack or memory corruption for applications
    303      that receive DSA private keys from untrusted sources.  This scenario is
    304      considered rare.
    305 
    306      This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
    307      libFuzzer.
    308      (CVE-2016-0705)
    309      [Stephen Henson]
    310 
    311   *) Disable SRP fake user seed to address a server memory leak.
    312 
    313      Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
    314 
    315      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
    316      In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
    317      was changed to ignore the "fake user" SRP seed, even if the seed
    318      is configured.
    319 
    320      Users should use SRP_VBASE_get1_by_user instead. Note that in
    321      SRP_VBASE_get1_by_user, caller must free the returned value. Note
    322      also that even though configuring the SRP seed attempts to hide
    323      invalid usernames by continuing the handshake with fake
    324      credentials, this behaviour is not constant time and no strong
    325      guarantees are made that the handshake is indistinguishable from
    326      that of a valid user.
    327      (CVE-2016-0798)
    328      [Emilia Ksper]
    329 
    330   *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    331 
    332      In the BN_hex2bn function the number of hex digits is calculated using an
    333      int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
    334      large values of |i| this can result in |bn_expand| not allocating any
    335      memory because |i * 4| is negative. This can leave the internal BIGNUM data
    336      field as NULL leading to a subsequent NULL ptr deref. For very large values
    337      of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
    338      In this case memory is allocated to the internal BIGNUM data field, but it
    339      is insufficiently sized leading to heap corruption. A similar issue exists
    340      in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
    341      is ever called by user applications with very large untrusted hex/dec data.
    342      This is anticipated to be a rare occurrence.
    343 
    344      All OpenSSL internal usage of these functions use data that is not expected
    345      to be untrusted, e.g. config file data or application command line
    346      arguments. If user developed applications generate config file data based
    347      on untrusted data then it is possible that this could also lead to security
    348      consequences. This is also anticipated to be rare.
    349 
    350      This issue was reported to OpenSSL by Guido Vranken.
    351      (CVE-2016-0797)
    352      [Matt Caswell]
    353 
    354   *) Fix memory issues in BIO_*printf functions
    355 
    356      The internal |fmtstr| function used in processing a "%s" format string in
    357      the BIO_*printf functions could overflow while calculating the length of a
    358      string and cause an OOB read when printing very long strings.
    359 
    360      Additionally the internal |doapr_outch| function can attempt to write to an
    361      OOB memory location (at an offset from the NULL pointer) in the event of a
    362      memory allocation failure. In 1.0.2 and below this could be caused where
    363      the size of a buffer to be allocated is greater than INT_MAX. E.g. this
    364      could be in processing a very long "%s" format string. Memory leaks can
    365      also occur.
    366 
    367      The first issue may mask the second issue dependent on compiler behaviour.
    368      These problems could enable attacks where large amounts of untrusted data
    369      is passed to the BIO_*printf functions. If applications use these functions
    370      in this way then they could be vulnerable. OpenSSL itself uses these
    371      functions when printing out human-readable dumps of ASN.1 data. Therefore
    372      applications that print this data could be vulnerable if the data is from
    373      untrusted sources. OpenSSL command line applications could also be
    374      vulnerable where they print out ASN.1 data, or if untrusted data is passed
    375      as command line arguments.
    376 
    377      Libssl is not considered directly vulnerable. Additionally certificates etc
    378      received via remote connections via libssl are also unlikely to be able to
    379      trigger these issues because of message size limits enforced within libssl.
    380 
    381      This issue was reported to OpenSSL Guido Vranken.
    382      (CVE-2016-0799)
    383      [Matt Caswell]
    384 
    385   *) Side channel attack on modular exponentiation
    386 
    387      A side-channel attack was found which makes use of cache-bank conflicts on
    388      the Intel Sandy-Bridge microarchitecture which could lead to the recovery
    389      of RSA keys.  The ability to exploit this issue is limited as it relies on
    390      an attacker who has control of code in a thread running on the same
    391      hyper-threaded core as the victim thread which is performing decryptions.
    392 
    393      This issue was reported to OpenSSL by Yuval Yarom, The University of
    394      Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
    395      Nadia Heninger, University of Pennsylvania with more information at
    396      http://cachebleed.info.
    397      (CVE-2016-0702)
    398      [Andy Polyakov]
    399 
    400   *) Change the req app to generate a 2048-bit RSA/DSA key by default,
    401      if no keysize is specified with default_bits. This fixes an
    402      omission in an earlier change that changed all RSA/DSA key generation
    403      apps to use 2048 bits by default.
    404      [Emilia Ksper]
    405 
    406  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
    407 
    408   *) DH small subgroups
    409 
    410      Historically OpenSSL only ever generated DH parameters based on "safe"
    411      primes. More recently (in version 1.0.2) support was provided for
    412      generating X9.42 style parameter files such as those required for RFC 5114
    413      support. The primes used in such files may not be "safe". Where an
    414      application is using DH configured with parameters based on primes that are
    415      not "safe" then an attacker could use this fact to find a peer's private
    416      DH exponent. This attack requires that the attacker complete multiple
    417      handshakes in which the peer uses the same private DH exponent. For example
    418      this could be used to discover a TLS server's private DH exponent if it's
    419      reusing the private DH exponent or it's using a static DH ciphersuite.
    420 
    421      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
    422      TLS. It is not on by default. If the option is not set then the server
    423      reuses the same private DH exponent for the life of the server process and
    424      would be vulnerable to this attack. It is believed that many popular
    425      applications do set this option and would therefore not be at risk.
    426 
    427      The fix for this issue adds an additional check where a "q" parameter is
    428      available (as is the case in X9.42 based parameters). This detects the
    429      only known attack, and is the only possible defense for static DH
    430      ciphersuites. This could have some performance impact.
    431 
    432      Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
    433      default and cannot be disabled. This could have some performance impact.
    434 
    435      This issue was reported to OpenSSL by Antonio Sanso (Adobe).
    436      (CVE-2016-0701)
    437      [Matt Caswell]
    438 
    439   *) SSLv2 doesn't block disabled ciphers
    440 
    441      A malicious client can negotiate SSLv2 ciphers that have been disabled on
    442      the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
    443      been disabled, provided that the SSLv2 protocol was not also disabled via
    444      SSL_OP_NO_SSLv2.
    445 
    446      This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
    447      and Sebastian Schinzel.
    448      (CVE-2015-3197)
    449      [Viktor Dukhovni]
    450 
    451   *) Reject DH handshakes with parameters shorter than 1024 bits.
    452      [Kurt Roeckx]
    453 
    454  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
    455 
    456   *) BN_mod_exp may produce incorrect results on x86_64
    457 
    458      There is a carry propagating bug in the x86_64 Montgomery squaring
    459      procedure. No EC algorithms are affected. Analysis suggests that attacks
    460      against RSA and DSA as a result of this defect would be very difficult to
    461      perform and are not believed likely. Attacks against DH are considered just
    462      feasible (although very difficult) because most of the work necessary to
    463      deduce information about a private key may be performed offline. The amount
    464      of resources required for such an attack would be very significant and
    465      likely only accessible to a limited number of attackers. An attacker would
    466      additionally need online access to an unpatched system using the target
    467      private key in a scenario with persistent DH parameters and a private
    468      key that is shared between multiple clients. For example this can occur by
    469      default in OpenSSL DHE based SSL/TLS ciphersuites.
    470 
    471      This issue was reported to OpenSSL by Hanno Bck.
    472      (CVE-2015-3193)
    473      [Andy Polyakov]
    474 
    475   *) Certificate verify crash with missing PSS parameter
    476 
    477      The signature verification routines will crash with a NULL pointer
    478      dereference if presented with an ASN.1 signature using the RSA PSS
    479      algorithm and absent mask generation function parameter. Since these
    480      routines are used to verify certificate signature algorithms this can be
    481      used to crash any certificate verification operation and exploited in a
    482      DoS attack. Any application which performs certificate verification is
    483      vulnerable including OpenSSL clients and servers which enable client
    484      authentication.
    485 
    486      This issue was reported to OpenSSL by Loc Jonas Etienne (Qnective AG).
    487      (CVE-2015-3194)
    488      [Stephen Henson]
    489 
    490   *) X509_ATTRIBUTE memory leak
    491 
    492      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
    493      memory. This structure is used by the PKCS#7 and CMS routines so any
    494      application which reads PKCS#7 or CMS data from untrusted sources is
    495      affected. SSL/TLS is not affected.
    496 
    497      This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
    498      libFuzzer.
    499      (CVE-2015-3195)
    500      [Stephen Henson]
    501 
    502   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
    503      This changes the decoding behaviour for some invalid messages,
    504      though the change is mostly in the more lenient direction, and
    505      legacy behaviour is preserved as much as possible.
    506      [Emilia Ksper]
    507 
    508   *) In DSA_generate_parameters_ex, if the provided seed is too short,
    509      use a random seed, as already documented.
    510      [Rich Salz and Ismo Puustinen <ismo.puustinen (a] intel.com>]
    511 
    512  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
    513 
    514   *) Alternate chains certificate forgery
    515 
    516      During certificate verfification, OpenSSL will attempt to find an
    517      alternative certificate chain if the first attempt to build such a chain
    518      fails. An error in the implementation of this logic can mean that an
    519      attacker could cause certain checks on untrusted certificates to be
    520      bypassed, such as the CA flag, enabling them to use a valid leaf
    521      certificate to act as a CA and "issue" an invalid certificate.
    522 
    523      This issue was reported to OpenSSL by Adam Langley/David Benjamin
    524      (Google/BoringSSL).
    525      (CVE-2015-1793)
    526      [Matt Caswell]
    527 
    528   *) Race condition handling PSK identify hint
    529 
    530      If PSK identity hints are received by a multi-threaded client then
    531      the values are wrongly updated in the parent SSL_CTX structure. This can
    532      result in a race condition potentially leading to a double free of the
    533      identify hint data.
    534      (CVE-2015-3196)
    535      [Stephen Henson]
    536 
    537  Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
    538 
    539   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
    540      incompatibility in the handling of HMAC. The previous ABI has now been
    541      restored.
    542 
    543  Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
    544 
    545   *) Malformed ECParameters causes infinite loop
    546 
    547      When processing an ECParameters structure OpenSSL enters an infinite loop
    548      if the curve specified is over a specially malformed binary polynomial
    549      field.
    550 
    551      This can be used to perform denial of service against any
    552      system which processes public keys, certificate requests or
    553      certificates.  This includes TLS clients and TLS servers with
    554      client authentication enabled.
    555 
    556      This issue was reported to OpenSSL by Joseph Barr-Pixton.
    557      (CVE-2015-1788)
    558      [Andy Polyakov]
    559 
    560   *) Exploitable out-of-bounds read in X509_cmp_time
    561 
    562      X509_cmp_time does not properly check the length of the ASN1_TIME
    563      string and can read a few bytes out of bounds. In addition,
    564      X509_cmp_time accepts an arbitrary number of fractional seconds in the
    565      time string.
    566 
    567      An attacker can use this to craft malformed certificates and CRLs of
    568      various sizes and potentially cause a segmentation fault, resulting in
    569      a DoS on applications that verify certificates or CRLs. TLS clients
    570      that verify CRLs are affected. TLS clients and servers with client
    571      authentication enabled may be affected if they use custom verification
    572      callbacks.
    573 
    574      This issue was reported to OpenSSL by Robert Swiecki (Google), and
    575      independently by Hanno Bck.
    576      (CVE-2015-1789)
    577      [Emilia Ksper]
    578 
    579   *) PKCS7 crash with missing EnvelopedContent
    580 
    581      The PKCS#7 parsing code does not handle missing inner EncryptedContent
    582      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
    583      with missing content and trigger a NULL pointer dereference on parsing.
    584 
    585      Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
    586      structures from untrusted sources are affected. OpenSSL clients and
    587      servers are not affected.
    588 
    589      This issue was reported to OpenSSL by Michal Zalewski (Google).
    590      (CVE-2015-1790)
    591      [Emilia Ksper]
    592 
    593   *) CMS verify infinite loop with unknown hash function
    594 
    595      When verifying a signedData message the CMS code can enter an infinite loop
    596      if presented with an unknown hash function OID. This can be used to perform
    597      denial of service against any system which verifies signedData messages using
    598      the CMS code.
    599      This issue was reported to OpenSSL by Johannes Bauer.
    600      (CVE-2015-1792)
    601      [Stephen Henson]
    602 
    603   *) Race condition handling NewSessionTicket
    604 
    605      If a NewSessionTicket is received by a multi-threaded client when attempting to
    606      reuse a previous ticket then a race condition can occur potentially leading to
    607      a double free of the ticket data.
    608      (CVE-2015-1791)
    609      [Matt Caswell]
    610 
    611   *) Removed support for the two export grade static DH ciphersuites
    612      EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
    613      were newly added (along with a number of other static DH ciphersuites) to
    614      1.0.2. However the two export ones have *never* worked since they were
    615      introduced. It seems strange in any case to be adding new export
    616      ciphersuites, and given "logjam" it also does not seem correct to fix them.
    617      [Matt Caswell]
    618 
    619   *) Only support 256-bit or stronger elliptic curves with the
    620      'ecdh_auto' setting (server) or by default (client). Of supported
    621      curves, prefer P-256 (both).
    622      [Emilia Kasper]
    623 
    624   *) Reject DH handshakes with parameters shorter than 768 bits.
    625      [Kurt Roeckx and Emilia Kasper]
    626 
    627  Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
    628 
    629   *) ClientHello sigalgs DoS fix
    630 
    631      If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
    632      invalid signature algorithms extension a NULL pointer dereference will
    633      occur. This can be exploited in a DoS attack against the server.
    634 
    635      This issue was was reported to OpenSSL by David Ramos of Stanford
    636      University.
    637      (CVE-2015-0291)
    638      [Stephen Henson and Matt Caswell]
    639 
    640   *) Multiblock corrupted pointer fix
    641 
    642      OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
    643      feature only applies on 64 bit x86 architecture platforms that support AES
    644      NI instructions. A defect in the implementation of "multiblock" can cause
    645      OpenSSL's internal write buffer to become incorrectly set to NULL when
    646      using non-blocking IO. Typically, when the user application is using a
    647      socket BIO for writing, this will only result in a failed connection.
    648      However if some other BIO is used then it is likely that a segmentation
    649      fault will be triggered, thus enabling a potential DoS attack.
    650 
    651      This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
    652      (CVE-2015-0290)
    653      [Matt Caswell]
    654 
    655   *) Segmentation fault in DTLSv1_listen fix
    656 
    657      The DTLSv1_listen function is intended to be stateless and processes the
    658      initial ClientHello from many peers. It is common for user code to loop
    659      over the call to DTLSv1_listen until a valid ClientHello is received with
    660      an associated cookie. A defect in the implementation of DTLSv1_listen means
    661      that state is preserved in the SSL object from one invocation to the next
    662      that can lead to a segmentation fault. Errors processing the initial
    663      ClientHello can trigger this scenario. An example of such an error could be
    664      that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
    665      server.
    666 
    667      This issue was reported to OpenSSL by Per Allansson.
    668      (CVE-2015-0207)
    669      [Matt Caswell]
    670 
    671   *) Segmentation fault in ASN1_TYPE_cmp fix
    672 
    673      The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
    674      made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
    675      certificate signature algorithm consistency this can be used to crash any
    676      certificate verification operation and exploited in a DoS attack. Any
    677      application which performs certificate verification is vulnerable including
    678      OpenSSL clients and servers which enable client authentication.
    679      (CVE-2015-0286)
    680      [Stephen Henson]
    681 
    682   *) Segmentation fault for invalid PSS parameters fix
    683 
    684      The signature verification routines will crash with a NULL pointer
    685      dereference if presented with an ASN.1 signature using the RSA PSS
    686      algorithm and invalid parameters. Since these routines are used to verify
    687      certificate signature algorithms this can be used to crash any
    688      certificate verification operation and exploited in a DoS attack. Any
    689      application which performs certificate verification is vulnerable including
    690      OpenSSL clients and servers which enable client authentication.
    691 
    692      This issue was was reported to OpenSSL by Brian Carpenter.
    693      (CVE-2015-0208)
    694      [Stephen Henson]
    695 
    696   *) ASN.1 structure reuse memory corruption fix
    697 
    698      Reusing a structure in ASN.1 parsing may allow an attacker to cause
    699      memory corruption via an invalid write. Such reuse is and has been
    700      strongly discouraged and is believed to be rare.
    701 
    702      Applications that parse structures containing CHOICE or ANY DEFINED BY
    703      components may be affected. Certificate parsing (d2i_X509 and related
    704      functions) are however not affected. OpenSSL clients and servers are
    705      not affected.
    706      (CVE-2015-0287)
    707      [Stephen Henson]
    708 
    709   *) PKCS7 NULL pointer dereferences fix
    710 
    711      The PKCS#7 parsing code does not handle missing outer ContentInfo
    712      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
    713      missing content and trigger a NULL pointer dereference on parsing.
    714 
    715      Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
    716      otherwise parse PKCS#7 structures from untrusted sources are
    717      affected. OpenSSL clients and servers are not affected.
    718 
    719      This issue was reported to OpenSSL by Michal Zalewski (Google).
    720      (CVE-2015-0289)
    721      [Emilia Ksper]
    722 
    723   *) DoS via reachable assert in SSLv2 servers fix
    724 
    725      A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
    726      servers that both support SSLv2 and enable export cipher suites by sending
    727      a specially crafted SSLv2 CLIENT-MASTER-KEY message.
    728 
    729      This issue was discovered by Sean Burford (Google) and Emilia Ksper
    730      (OpenSSL development team).
    731      (CVE-2015-0293)
    732      [Emilia Ksper]
    733 
    734   *) Empty CKE with client auth and DHE fix
    735 
    736      If client auth is used then a server can seg fault in the event of a DHE
    737      ciphersuite being selected and a zero length ClientKeyExchange message
    738      being sent by the client. This could be exploited in a DoS attack.
    739      (CVE-2015-1787)
    740      [Matt Caswell]
    741 
    742   *) Handshake with unseeded PRNG fix
    743 
    744      Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
    745      with an unseeded PRNG. The conditions are:
    746      - The client is on a platform where the PRNG has not been seeded
    747      automatically, and the user has not seeded manually
    748      - A protocol specific client method version has been used (i.e. not
    749      SSL_client_methodv23)
    750      - A ciphersuite is used that does not require additional random data from
    751      the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
    752 
    753      If the handshake succeeds then the client random that has been used will
    754      have been generated from a PRNG with insufficient entropy and therefore the
    755      output may be predictable.
    756 
    757      For example using the following command with an unseeded openssl will
    758      succeed on an unpatched platform:
    759 
    760      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
    761      (CVE-2015-0285)
    762      [Matt Caswell]
    763 
    764   *) Use After Free following d2i_ECPrivatekey error fix
    765 
    766      A malformed EC private key file consumed via the d2i_ECPrivateKey function
    767      could cause a use after free condition. This, in turn, could cause a double
    768      free in several private key parsing functions (such as d2i_PrivateKey
    769      or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
    770      for applications that receive EC private keys from untrusted
    771      sources. This scenario is considered rare.
    772 
    773      This issue was discovered by the BoringSSL project and fixed in their
    774      commit 517073cd4b.
    775      (CVE-2015-0209)
    776      [Matt Caswell]
    777 
    778   *) X509_to_X509_REQ NULL pointer deref fix
    779 
    780      The function X509_to_X509_REQ will crash with a NULL pointer dereference if
    781      the certificate key is invalid. This function is rarely used in practice.
    782 
    783      This issue was discovered by Brian Carpenter.
    784      (CVE-2015-0288)
    785      [Stephen Henson]
    786 
    787   *) Removed the export ciphers from the DEFAULT ciphers
    788      [Kurt Roeckx]
    789 
    790  Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
    791 
    792   *) Change RSA and DH/DSA key generation apps to generate 2048-bit
    793      keys by default.
    794      [Kurt Roeckx]
    795 
    796   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
    797      ARMv5 through ARMv8, as opposite to "locking" it to single one.
    798      So far those who have to target multiple plaforms would compromise
    799      and argue that binary targeting say ARMv5 would still execute on
    800      ARMv8. "Universal" build resolves this compromise by providing
    801      near-optimal performance even on newer platforms.
    802      [Andy Polyakov]
    803 
    804   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
    805      (other platforms pending).
    806      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
    807 
    808   *) Add support for the SignedCertificateTimestampList certificate and
    809      OCSP response extensions from RFC6962.
    810      [Rob Stradling]
    811 
    812   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
    813      for corner cases. (Certain input points at infinity could lead to
    814      bogus results, with non-infinity inputs mapped to infinity too.)
    815      [Bodo Moeller]
    816 
    817   *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
    818      This covers AES, SHA256/512 and GHASH. "Initial" means that most
    819      common cases are optimized and there still is room for further
    820      improvements. Vector Permutation AES for Altivec is also added.
    821      [Andy Polyakov]
    822 
    823   *) Add support for little-endian ppc64 Linux target.
    824      [Marcelo Cerri (IBM)]
    825 
    826   *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
    827      SHA1, SHA256 and GHASH. "Initial" means that most common cases
    828      are optimized and there still is room for further improvements.
    829      Both 32- and 64-bit modes are supported.
    830      [Andy Polyakov, Ard Biesheuvel (Linaro)]
    831 
    832   *) Improved ARMv7 NEON support.
    833      [Andy Polyakov]
    834 
    835   *) Support for SPARC Architecture 2011 crypto extensions, first
    836      implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
    837      SHA256/512, MD5, GHASH and modular exponentiation.
    838      [Andy Polyakov, David Miller]
    839 
    840   *) Accelerated modular exponentiation for Intel processors, a.k.a.
    841      RSAZ.
    842      [Shay Gueron & Vlad Krasnov (Intel Corp)]
    843 
    844   *) Support for new and upcoming Intel processors, including AVX2,
    845      BMI and SHA ISA extensions. This includes additional "stitched"
    846      implementations, AESNI-SHA256 and GCM, and multi-buffer support
    847      for TLS encrypt.
    848 
    849      This work was sponsored by Intel Corp.
    850      [Andy Polyakov]
    851 
    852   *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
    853      supports both DTLS 1.2 and 1.0 and should use whatever version the peer
    854      supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
    855      [Steve Henson]
    856 
    857   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
    858      this fixes a limiation in previous versions of OpenSSL.
    859      [Steve Henson]
    860 
    861   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
    862      MGF1 digest and OAEP label.
    863      [Steve Henson]
    864 
    865   *) Add EVP support for key wrapping algorithms, to avoid problems with
    866      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
    867      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
    868      algorithms and include tests cases.
    869      [Steve Henson]
    870 
    871   *) Add functions to allocate and set the fields of an ECDSA_METHOD
    872      structure.
    873      [Douglas E. Engert, Steve Henson]
    874 
    875   *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
    876      difference in days and seconds between two tm or ASN1_TIME structures.
    877      [Steve Henson]
    878 
    879   *) Add -rev test option to s_server to just reverse order of characters
    880      received by client and send back to server. Also prints an abbreviated
    881      summary of the connection parameters.
    882      [Steve Henson]
    883 
    884   *) New option -brief for s_client and s_server to print out a brief summary
    885      of connection parameters.
    886      [Steve Henson]
    887 
    888   *) Add callbacks for arbitrary TLS extensions.
    889      [Trevor Perrin <trevp (a] trevp.net> and Ben Laurie]
    890 
    891   *) New option -crl_download in several openssl utilities to download CRLs
    892      from CRLDP extension in certificates.
    893      [Steve Henson]
    894 
    895   *) New options -CRL and -CRLform for s_client and s_server for CRLs.
    896      [Steve Henson]
    897 
    898   *) New function X509_CRL_diff to generate a delta CRL from the difference
    899      of two full CRLs. Add support to "crl" utility.
    900      [Steve Henson]
    901 
    902   *) New functions to set lookup_crls function and to retrieve
    903      X509_STORE from X509_STORE_CTX.
    904      [Steve Henson]
    905 
    906   *) Print out deprecated issuer and subject unique ID fields in
    907      certificates.
    908      [Steve Henson]
    909 
    910   *) Extend OCSP I/O functions so they can be used for simple general purpose
    911      HTTP as well as OCSP. New wrapper function which can be used to download
    912      CRLs using the OCSP API.
    913      [Steve Henson]
    914 
    915   *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
    916      [Steve Henson]
    917 
    918   *) SSL_CONF* functions. These provide a common framework for application
    919      configuration using configuration files or command lines.
    920      [Steve Henson]
    921 
    922   *) SSL/TLS tracing code. This parses out SSL/TLS records using the
    923      message callback and prints the results. Needs compile time option
    924      "enable-ssl-trace". New options to s_client and s_server to enable
    925      tracing.
    926      [Steve Henson]
    927 
    928   *) New ctrl and macro to retrieve supported points extensions.
    929      Print out extension in s_server and s_client.
    930      [Steve Henson]
    931 
    932   *) New functions to retrieve certificate signature and signature
    933      OID NID.
    934      [Steve Henson]
    935 
    936   *) Add functions to retrieve and manipulate the raw cipherlist sent by a
    937      client to OpenSSL.
    938      [Steve Henson]
    939 
    940   *) New Suite B modes for TLS code. These use and enforce the requirements
    941      of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
    942      only use Suite B curves. The Suite B modes can be set by using the
    943      strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
    944      [Steve Henson]
    945 
    946   *) New chain verification flags for Suite B levels of security. Check
    947      algorithms are acceptable when flags are set in X509_verify_cert.
    948      [Steve Henson]
    949 
    950   *) Make tls1_check_chain return a set of flags indicating checks passed
    951      by a certificate chain. Add additional tests to handle client
    952      certificates: checks for matching certificate type and issuer name
    953      comparison.
    954      [Steve Henson]
    955 
    956   *) If an attempt is made to use a signature algorithm not in the peer
    957      preference list abort the handshake. If client has no suitable
    958      signature algorithms in response to a certificate request do not
    959      use the certificate.
    960      [Steve Henson]
    961 
    962   *) If server EC tmp key is not in client preference list abort handshake.
    963      [Steve Henson]
    964 
    965   *) Add support for certificate stores in CERT structure. This makes it
    966      possible to have different stores per SSL structure or one store in
    967      the parent SSL_CTX. Include distint stores for certificate chain
    968      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
    969      to build and store a certificate chain in CERT structure: returing
    970      an error if the chain cannot be built: this will allow applications
    971      to test if a chain is correctly configured.
    972 
    973      Note: if the CERT based stores are not set then the parent SSL_CTX
    974      store is used to retain compatibility with existing behaviour.
    975 
    976      [Steve Henson]
    977 
    978   *) New function ssl_set_client_disabled to set a ciphersuite disabled
    979      mask based on the current session, check mask when sending client
    980      hello and checking the requested ciphersuite.
    981      [Steve Henson]
    982 
    983   *) New ctrls to retrieve and set certificate types in a certificate
    984      request message. Print out received values in s_client. If certificate
    985      types is not set with custom values set sensible values based on
    986      supported signature algorithms.
    987      [Steve Henson]
    988 
    989   *) Support for distinct client and server supported signature algorithms.
    990      [Steve Henson]
    991 
    992   *) Add certificate callback. If set this is called whenever a certificate
    993      is required by client or server. An application can decide which
    994      certificate chain to present based on arbitrary criteria: for example
    995      supported signature algorithms. Add very simple example to s_server.
    996      This fixes many of the problems and restrictions of the existing client
    997      certificate callback: for example you can now clear an existing
    998      certificate and specify the whole chain.
    999      [Steve Henson]
   1000 
   1001   *) Add new "valid_flags" field to CERT_PKEY structure which determines what
   1002      the certificate can be used for (if anything). Set valid_flags field 
   1003      in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
   1004      to have similar checks in it.
   1005 
   1006      Add new "cert_flags" field to CERT structure and include a "strict mode".
   1007      This enforces some TLS certificate requirements (such as only permitting
   1008      certificate signature algorithms contained in the supported algorithms
   1009      extension) which some implementations ignore: this option should be used
   1010      with caution as it could cause interoperability issues.
   1011      [Steve Henson]
   1012 
   1013   *) Update and tidy signature algorithm extension processing. Work out
   1014      shared signature algorithms based on preferences and peer algorithms
   1015      and print them out in s_client and s_server. Abort handshake if no
   1016      shared signature algorithms.
   1017      [Steve Henson]
   1018 
   1019   *) Add new functions to allow customised supported signature algorithms
   1020      for SSL and SSL_CTX structures. Add options to s_client and s_server
   1021      to support them.
   1022      [Steve Henson]
   1023 
   1024   *) New function SSL_certs_clear() to delete all references to certificates
   1025      from an SSL structure. Before this once a certificate had been added
   1026      it couldn't be removed.
   1027      [Steve Henson]
   1028 
   1029   *) Integrate hostname, email address and IP address checking with certificate
   1030      verification. New verify options supporting checking in opensl utility.
   1031      [Steve Henson]
   1032 
   1033   *) Fixes and wildcard matching support to hostname and email checking
   1034      functions. Add manual page.
   1035      [Florian Weimer (Red Hat Product Security Team)]
   1036 
   1037   *) New functions to check a hostname email or IP address against a
   1038      certificate. Add options x509 utility to print results of checks against
   1039      a certificate.
   1040      [Steve Henson]
   1041 
   1042   *) Fix OCSP checking.
   1043      [Rob Stradling <rob.stradling (a] comodo.com> and Ben Laurie]
   1044 
   1045   *) Initial experimental support for explicitly trusted non-root CAs. 
   1046      OpenSSL still tries to build a complete chain to a root but if an
   1047      intermediate CA has a trust setting included that is used. The first
   1048      setting is used: whether to trust (e.g., -addtrust option to the x509
   1049      utility) or reject.
   1050      [Steve Henson]
   1051 
   1052   *) Add -trusted_first option which attempts to find certificates in the
   1053      trusted store even if an untrusted chain is also supplied.
   1054      [Steve Henson]
   1055 
   1056   *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
   1057      platform support for Linux and Android.
   1058      [Andy Polyakov]
   1059 
   1060   *) Support for linux-x32, ILP32 environment in x86_64 framework.
   1061      [Andy Polyakov]
   1062 
   1063   *) Experimental multi-implementation support for FIPS capable OpenSSL.
   1064      When in FIPS mode the approved implementations are used as normal,
   1065      when not in FIPS mode the internal unapproved versions are used instead.
   1066      This means that the FIPS capable OpenSSL isn't forced to use the
   1067      (often lower perfomance) FIPS implementations outside FIPS mode.
   1068      [Steve Henson]
   1069 
   1070   *) Transparently support X9.42 DH parameters when calling
   1071      PEM_read_bio_DHparameters. This means existing applications can handle
   1072      the new parameter format automatically.
   1073      [Steve Henson]
   1074 
   1075   *) Initial experimental support for X9.42 DH parameter format: mainly
   1076      to support use of 'q' parameter for RFC5114 parameters.
   1077      [Steve Henson]
   1078 
   1079   *) Add DH parameters from RFC5114 including test data to dhtest.
   1080      [Steve Henson]
   1081 
   1082   *) Support for automatic EC temporary key parameter selection. If enabled
   1083      the most preferred EC parameters are automatically used instead of
   1084      hardcoded fixed parameters. Now a server just has to call:
   1085      SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
   1086      support ECDH and use the most appropriate parameters.
   1087      [Steve Henson]
   1088 
   1089   *) Enhance and tidy EC curve and point format TLS extension code. Use
   1090      static structures instead of allocation if default values are used.
   1091      New ctrls to set curves we wish to support and to retrieve shared curves.
   1092      Print out shared curves in s_server. New options to s_server and s_client
   1093      to set list of supported curves.
   1094      [Steve Henson]
   1095 
   1096   *) New ctrls to retrieve supported signature algorithms and 
   1097      supported curve values as an array of NIDs. Extend openssl utility
   1098      to print out received values.
   1099      [Steve Henson]
   1100 
   1101   *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
   1102      between NIDs and the more common NIST names such as "P-256". Enhance
   1103      ecparam utility and ECC method to recognise the NIST names for curves.
   1104      [Steve Henson]
   1105 
   1106   *) Enhance SSL/TLS certificate chain handling to support different
   1107      chains for each certificate instead of one chain in the parent SSL_CTX.
   1108      [Steve Henson]
   1109 
   1110   *) Support for fixed DH ciphersuite client authentication: where both
   1111      server and client use DH certificates with common parameters.
   1112      [Steve Henson]
   1113 
   1114   *) Support for fixed DH ciphersuites: those requiring DH server
   1115      certificates.
   1116      [Steve Henson]
   1117 
   1118   *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
   1119      the certificate.
   1120      Note: Related 1.0.2-beta specific macros X509_get_cert_info,
   1121      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
   1122      X509_CINF_get_signature were reverted post internal team review.
   1123 
   1124  Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
   1125 
   1126   *) Build fixes for the Windows and OpenVMS platforms
   1127      [Matt Caswell and Richard Levitte]
   1128 
   1129  Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
   1130 
   1131   *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
   1132      message can cause a segmentation fault in OpenSSL due to a NULL pointer
   1133      dereference. This could lead to a Denial Of Service attack. Thanks to
   1134      Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
   1135      (CVE-2014-3571)
   1136      [Steve Henson]
   1137 
   1138   *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
   1139      dtls1_buffer_record function under certain conditions. In particular this
   1140      could occur if an attacker sent repeated DTLS records with the same
   1141      sequence number but for the next epoch. The memory leak could be exploited
   1142      by an attacker in a Denial of Service attack through memory exhaustion.
   1143      Thanks to Chris Mueller for reporting this issue.
   1144      (CVE-2015-0206)
   1145      [Matt Caswell]
   1146 
   1147   *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   1148      built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
   1149      method would be set to NULL which could later result in a NULL pointer
   1150      dereference. Thanks to Frank Schmirler for reporting this issue.
   1151      (CVE-2014-3569)
   1152      [Kurt Roeckx]
   1153 
   1154   *) Abort handshake if server key exchange message is omitted for ephemeral
   1155      ECDH ciphersuites.
   1156 
   1157      Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   1158      reporting this issue.
   1159      (CVE-2014-3572)
   1160      [Steve Henson]
   1161 
   1162   *) Remove non-export ephemeral RSA code on client and server. This code
   1163      violated the TLS standard by allowing the use of temporary RSA keys in
   1164      non-export ciphersuites and could be used by a server to effectively
   1165      downgrade the RSA key length used to a value smaller than the server
   1166      certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
   1167      INRIA or reporting this issue.
   1168      (CVE-2015-0204)
   1169      [Steve Henson]
   1170 
   1171   *) Fixed issue where DH client certificates are accepted without verification.
   1172      An OpenSSL server will accept a DH certificate for client authentication
   1173      without the certificate verify message. This effectively allows a client to
   1174      authenticate without the use of a private key. This only affects servers
   1175      which trust a client certificate authority which issues certificates
   1176      containing DH keys: these are extremely rare and hardly ever encountered.
   1177      Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
   1178      this issue.
   1179      (CVE-2015-0205)
   1180      [Steve Henson]
   1181 
   1182   *) Ensure that the session ID context of an SSL is updated when its
   1183      SSL_CTX is updated via SSL_set_SSL_CTX.
   1184 
   1185      The session ID context is typically set from the parent SSL_CTX,
   1186      and can vary with the CTX.
   1187      [Adam Langley]
   1188 
   1189   *) Fix various certificate fingerprint issues.
   1190 
   1191      By using non-DER or invalid encodings outside the signed portion of a
   1192      certificate the fingerprint can be changed without breaking the signature.
   1193      Although no details of the signed portion of the certificate can be changed
   1194      this can cause problems with some applications: e.g. those using the
   1195      certificate fingerprint for blacklists.
   1196 
   1197      1. Reject signatures with non zero unused bits.
   1198 
   1199      If the BIT STRING containing the signature has non zero unused bits reject
   1200      the signature. All current signature algorithms require zero unused bits.
   1201 
   1202      2. Check certificate algorithm consistency.
   1203 
   1204      Check the AlgorithmIdentifier inside TBS matches the one in the
   1205      certificate signature. NB: this will result in signature failure
   1206      errors for some broken certificates.
   1207 
   1208      Thanks to Konrad Kraszewski from Google for reporting this issue.
   1209 
   1210      3. Check DSA/ECDSA signatures use DER.
   1211 
   1212      Reencode DSA/ECDSA signatures and compare with the original received
   1213      signature. Return an error if there is a mismatch.
   1214 
   1215      This will reject various cases including garbage after signature
   1216      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
   1217      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
   1218      (negative or with leading zeroes).
   1219 
   1220      Further analysis was conducted and fixes were developed by Stephen Henson
   1221      of the OpenSSL core team.
   1222 
   1223      (CVE-2014-8275)
   1224      [Steve Henson]
   1225 
   1226    *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   1227       results on some platforms, including x86_64. This bug occurs at random
   1228       with a very low probability, and is not known to be exploitable in any
   1229       way, though its exact impact is difficult to determine. Thanks to Pieter
   1230       Wuille (Blockstream) who reported this issue and also suggested an initial
   1231       fix. Further analysis was conducted by the OpenSSL development team and
   1232       Adam Langley of Google. The final fix was developed by Andy Polyakov of
   1233       the OpenSSL core team.
   1234       (CVE-2014-3570)
   1235       [Andy Polyakov]
   1236 
   1237    *) Do not resume sessions on the server if the negotiated protocol
   1238       version does not match the session's version. Resuming with a different
   1239       version, while not strictly forbidden by the RFC, is of questionable
   1240       sanity and breaks all known clients.
   1241       [David Benjamin, Emilia Ksper]
   1242 
   1243    *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
   1244       early CCS messages during renegotiation. (Note that because
   1245       renegotiation is encrypted, this early CCS was not exploitable.)
   1246       [Emilia Ksper]
   1247 
   1248    *) Tighten client-side session ticket handling during renegotiation:
   1249       ensure that the client only accepts a session ticket if the server sends
   1250       the extension anew in the ServerHello. Previously, a TLS client would
   1251       reuse the old extension state and thus accept a session ticket if one was
   1252       announced in the initial ServerHello.
   1253 
   1254       Similarly, ensure that the client requires a session ticket if one
   1255       was advertised in the ServerHello. Previously, a TLS client would
   1256       ignore a missing NewSessionTicket message.
   1257       [Emilia Ksper]
   1258 
   1259  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
   1260 
   1261   *) SRTP Memory Leak.
   1262 
   1263      A flaw in the DTLS SRTP extension parsing code allows an attacker, who
   1264      sends a carefully crafted handshake message, to cause OpenSSL to fail
   1265      to free up to 64k of memory causing a memory leak. This could be
   1266      exploited in a Denial Of Service attack. This issue affects OpenSSL
   1267      1.0.1 server implementations for both SSL/TLS and DTLS regardless of
   1268      whether SRTP is used or configured. Implementations of OpenSSL that
   1269      have been compiled with OPENSSL_NO_SRTP defined are not affected.
   1270 
   1271      The fix was developed by the OpenSSL team.
   1272      (CVE-2014-3513)
   1273      [OpenSSL team]
   1274 
   1275   *) Session Ticket Memory Leak.
   1276 
   1277      When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   1278      integrity of that ticket is first verified. In the event of a session
   1279      ticket integrity check failing, OpenSSL will fail to free memory
   1280      causing a memory leak. By sending a large number of invalid session
   1281      tickets an attacker could exploit this issue in a Denial Of Service
   1282      attack.
   1283      (CVE-2014-3567)
   1284      [Steve Henson]
   1285 
   1286   *) Build option no-ssl3 is incomplete.
   1287 
   1288      When OpenSSL is configured with "no-ssl3" as a build option, servers
   1289      could accept and complete a SSL 3.0 handshake, and clients could be
   1290      configured to send them.
   1291      (CVE-2014-3568)
   1292      [Akamai and the OpenSSL team]
   1293 
   1294   *) Add support for TLS_FALLBACK_SCSV.
   1295      Client applications doing fallback retries should call
   1296      SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   1297      (CVE-2014-3566)
   1298      [Adam Langley, Bodo Moeller]
   1299 
   1300   *) Add additional DigestInfo checks.
   1301  
   1302      Reencode DigestInto in DER and check against the original when
   1303      verifying RSA signature: this will reject any improperly encoded
   1304      DigestInfo structures.
   1305 
   1306      Note: this is a precautionary measure and no attacks are currently known.
   1307 
   1308      [Steve Henson]
   1309 
   1310  Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
   1311 
   1312   *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
   1313      SRP code can be overrun an internal buffer. Add sanity check that
   1314      g, A, B < N to SRP code.
   1315 
   1316      Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
   1317      Group for discovering this issue.
   1318      (CVE-2014-3512)
   1319      [Steve Henson]
   1320 
   1321   *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
   1322      TLS 1.0 instead of higher protocol versions when the ClientHello message
   1323      is badly fragmented. This allows a man-in-the-middle attacker to force a
   1324      downgrade to TLS 1.0 even if both the server and the client support a
   1325      higher protocol version, by modifying the client's TLS records.
   1326 
   1327      Thanks to David Benjamin and Adam Langley (Google) for discovering and
   1328      researching this issue.
   1329      (CVE-2014-3511)
   1330      [David Benjamin]
   1331 
   1332   *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   1333      to a denial of service attack. A malicious server can crash the client
   1334      with a null pointer dereference (read) by specifying an anonymous (EC)DH
   1335      ciphersuite and sending carefully crafted handshake messages.
   1336 
   1337      Thanks to Felix Grbert (Google) for discovering and researching this
   1338      issue.
   1339      (CVE-2014-3510)
   1340      [Emilia Ksper]
   1341 
   1342   *) By sending carefully crafted DTLS packets an attacker could cause openssl
   1343      to leak memory. This can be exploited through a Denial of Service attack.
   1344      Thanks to Adam Langley for discovering and researching this issue.
   1345      (CVE-2014-3507)
   1346      [Adam Langley]
   1347 
   1348   *) An attacker can force openssl to consume large amounts of memory whilst
   1349      processing DTLS handshake messages. This can be exploited through a
   1350      Denial of Service attack.
   1351      Thanks to Adam Langley for discovering and researching this issue.
   1352      (CVE-2014-3506)
   1353      [Adam Langley]
   1354 
   1355   *) An attacker can force an error condition which causes openssl to crash
   1356      whilst processing DTLS packets due to memory being freed twice. This
   1357      can be exploited through a Denial of Service attack.
   1358      Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   1359      this issue.
   1360      (CVE-2014-3505)
   1361      [Adam Langley]
   1362 
   1363   *) If a multithreaded client connects to a malicious server using a resumed
   1364      session and the server sends an ec point format extension it could write
   1365      up to 255 bytes to freed memory.
   1366 
   1367      Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   1368      issue.
   1369      (CVE-2014-3509)
   1370      [Gabor Tyukasz]
   1371 
   1372   *) A malicious server can crash an OpenSSL client with a null pointer
   1373      dereference (read) by specifying an SRP ciphersuite even though it was not
   1374      properly negotiated with the client. This can be exploited through a
   1375      Denial of Service attack.
   1376 
   1377      Thanks to Joonas Kuorilehto and Riku Hietamki (Codenomicon) for
   1378      discovering and researching this issue.
   1379      (CVE-2014-5139)
   1380      [Steve Henson]
   1381 
   1382   *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
   1383      X509_name_oneline, X509_name_print_ex et al. to leak some information
   1384      from the stack. Applications may be affected if they echo pretty printing
   1385      output to the attacker.
   1386 
   1387      Thanks to Ivan Fratric (Google) for discovering this issue.
   1388      (CVE-2014-3508)
   1389      [Emilia Ksper, and Steve Henson]
   1390 
   1391   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   1392      for corner cases. (Certain input points at infinity could lead to
   1393      bogus results, with non-infinity inputs mapped to infinity too.)
   1394      [Bodo Moeller]
   1395 
   1396  Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
   1397 
   1398   *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   1399      handshake can force the use of weak keying material in OpenSSL
   1400      SSL/TLS clients and servers.
   1401 
   1402      Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   1403      researching this issue. (CVE-2014-0224)
   1404      [KIKUCHI Masashi, Steve Henson]
   1405 
   1406   *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   1407      OpenSSL DTLS client the code can be made to recurse eventually crashing
   1408      in a DoS attack.
   1409 
   1410      Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   1411      (CVE-2014-0221)
   1412      [Imre Rad, Steve Henson]
   1413 
   1414   *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   1415      be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   1416      client or server. This is potentially exploitable to run arbitrary
   1417      code on a vulnerable client or server.
   1418 
   1419      Thanks to Jri Aedla for reporting this issue. (CVE-2014-0195)
   1420      [Jri Aedla, Steve Henson]
   1421 
   1422   *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
   1423      are subject to a denial of service attack.
   1424 
   1425      Thanks to Felix Grbert and Ivan Fratric at Google for discovering
   1426      this issue. (CVE-2014-3470)
   1427      [Felix Grbert, Ivan Fratric, Steve Henson]
   1428 
   1429   *) Harmonize version and its documentation. -f flag is used to display
   1430      compilation flags.
   1431      [mancha <mancha1 (a] zoho.com>]
   1432 
   1433   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
   1434      in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
   1435      [mancha <mancha1 (a] zoho.com>]
   1436 
   1437   *) Fix some double frees. These are not thought to be exploitable.
   1438      [mancha <mancha1 (a] zoho.com>]
   1439 
   1440  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
   1441 
   1442   *) A missing bounds check in the handling of the TLS heartbeat extension
   1443      can be used to reveal up to 64k of memory to a connected client or
   1444      server.
   1445 
   1446      Thanks for Neel Mehta of Google Security for discovering this bug and to
   1447      Adam Langley <agl (a] chromium.org> and Bodo Moeller <bmoeller (a] acm.org> for
   1448      preparing the fix (CVE-2014-0160)
   1449      [Adam Langley, Bodo Moeller]
   1450 
   1451   *) Fix for the attack described in the paper "Recovering OpenSSL
   1452      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   1453      by Yuval Yarom and Naomi Benger. Details can be obtained from:
   1454      http://eprint.iacr.org/2014/140
   1455 
   1456      Thanks to Yuval Yarom and Naomi Benger for discovering this
   1457      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
   1458      [Yuval Yarom and Naomi Benger]
   1459 
   1460   *) TLS pad extension: draft-agl-tls-padding-03
   1461 
   1462      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
   1463      TLS client Hello record length value would otherwise be > 255 and
   1464      less that 512 pad with a dummy extension containing zeroes so it
   1465      is at least 512 bytes long.
   1466 
   1467      [Adam Langley, Steve Henson]
   1468 
   1469  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
   1470 
   1471   *) Fix for TLS record tampering bug. A carefully crafted invalid 
   1472      handshake could crash OpenSSL with a NULL pointer exception.
   1473      Thanks to Anton Johansson for reporting this issues.
   1474      (CVE-2013-4353)
   1475 
   1476   *) Keep original DTLS digest and encryption contexts in retransmission
   1477      structures so we can use the previous session parameters if they need
   1478      to be resent. (CVE-2013-6450)
   1479      [Steve Henson]
   1480 
   1481   *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   1482      avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   1483      Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
   1484      several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
   1485      is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   1486      10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
   1487      [Rob Stradling, Adam Langley]
   1488 
   1489  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
   1490 
   1491   *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
   1492      supporting platforms or when small records were transferred.
   1493      [Andy Polyakov, Steve Henson]
   1494 
   1495  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
   1496 
   1497   *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
   1498 
   1499      This addresses the flaw in CBC record processing discovered by 
   1500      Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   1501      at: http://www.isg.rhul.ac.uk/tls/     
   1502 
   1503      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   1504      Security Group at Royal Holloway, University of London
   1505      (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   1506      Emilia Ksper for the initial patch.
   1507      (CVE-2013-0169)
   1508      [Emilia Ksper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
   1509 
   1510   *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
   1511      ciphersuites which can be exploited in a denial of service attack.
   1512      Thanks go to and to Adam Langley <agl (a] chromium.org> for discovering
   1513      and detecting this bug and to Wolfgang Ettlinger
   1514      <wolfgang.ettlinger (a] gmail.com> for independently discovering this issue.
   1515      (CVE-2012-2686)
   1516      [Adam Langley]
   1517 
   1518   *) Return an error when checking OCSP signatures when key is NULL.
   1519      This fixes a DoS attack. (CVE-2013-0166)
   1520      [Steve Henson]
   1521 
   1522   *) Make openssl verify return errors.
   1523      [Chris Palmer <palmer (a] google.com> and Ben Laurie]
   1524 
   1525   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
   1526      the right response is stapled. Also change SSL_get_certificate()
   1527      so it returns the certificate actually sent.
   1528      See http://rt.openssl.org/Ticket/Display.html?id=2836.
   1529      [Rob Stradling <rob.stradling (a] comodo.com>]
   1530 
   1531   *) Fix possible deadlock when decoding public keys.
   1532      [Steve Henson]
   1533 
   1534   *) Don't use TLS 1.0 record version number in initial client hello
   1535      if renegotiating.
   1536      [Steve Henson]
   1537 
   1538  Changes between 1.0.1b and 1.0.1c [10 May 2012]
   1539 
   1540   *) Sanity check record length before skipping explicit IV in TLS
   1541      1.2, 1.1 and DTLS to fix DoS attack.
   1542 
   1543      Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   1544      fuzzing as a service testing platform.
   1545      (CVE-2012-2333)
   1546      [Steve Henson]
   1547 
   1548   *) Initialise tkeylen properly when encrypting CMS messages.
   1549      Thanks to Solar Designer of Openwall for reporting this issue.
   1550      [Steve Henson]
   1551 
   1552   *) In FIPS mode don't try to use composite ciphers as they are not
   1553      approved.
   1554      [Steve Henson]
   1555 
   1556  Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
   1557 
   1558   *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
   1559      1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
   1560      mean any application compiled against OpenSSL 1.0.0 headers setting
   1561      SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
   1562      TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
   1563      0x10000000L Any application which was previously compiled against
   1564      OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
   1565      will need to be recompiled as a result. Letting be results in
   1566      inability to disable specifically TLS 1.1 and in client context,
   1567      in unlike event, limit maximum offered version to TLS 1.0 [see below].
   1568      [Steve Henson]
   1569 
   1570   *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
   1571      disable just protocol X, but all protocols above X *if* there are
   1572      protocols *below* X still enabled. In more practical terms it means
   1573      that if application wants to disable TLS1.0 in favor of TLS1.1 and
   1574      above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
   1575      SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
   1576      client side.
   1577      [Andy Polyakov]
   1578 
   1579  Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
   1580 
   1581   *) Check for potentially exploitable overflows in asn1_d2i_read_bio
   1582      BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   1583      in CRYPTO_realloc_clean.
   1584 
   1585      Thanks to Tavis Ormandy, Google Security Team, for discovering this
   1586      issue and to Adam Langley <agl (a] chromium.org> for fixing it.
   1587      (CVE-2012-2110)
   1588      [Adam Langley (Google), Tavis Ormandy, Google Security Team]
   1589 
   1590   *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
   1591      [Adam Langley]
   1592 
   1593   *) Workarounds for some broken servers that "hang" if a client hello
   1594      record length exceeds 255 bytes.
   1595 
   1596      1. Do not use record version number > TLS 1.0 in initial client
   1597         hello: some (but not all) hanging servers will now work.
   1598      2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
   1599 	the number of ciphers sent in the client hello. This should be
   1600         set to an even number, such as 50, for example by passing:
   1601         -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
   1602         Most broken servers should now work.
   1603      3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
   1604 	TLS 1.2 client support entirely.
   1605      [Steve Henson]
   1606 
   1607   *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
   1608      [Andy Polyakov]
   1609 
   1610  Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
   1611 
   1612   *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
   1613      STRING form instead of a DigestInfo.
   1614      [Steve Henson]
   1615 
   1616   *) The format used for MDC2 RSA signatures is inconsistent between EVP
   1617      and the RSA_sign/RSA_verify functions. This was made more apparent when
   1618      OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
   1619      those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect 
   1620      the correct format in RSA_verify so both forms transparently work.
   1621      [Steve Henson]
   1622 
   1623   *) Some servers which support TLS 1.0 can choke if we initially indicate
   1624      support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
   1625      encrypted premaster secret. As a workaround use the maximum pemitted
   1626      client version in client hello, this should keep such servers happy
   1627      and still work with previous versions of OpenSSL.
   1628      [Steve Henson]
   1629 
   1630   *) Add support for TLS/DTLS heartbeats.
   1631      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1632 
   1633   *) Add support for SCTP.
   1634      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1635 
   1636   *) Improved PRNG seeding for VOS.
   1637      [Paul Green <Paul.Green (a] stratus.com>]
   1638 
   1639   *) Extensive assembler packs updates, most notably:
   1640 
   1641 	- x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
   1642 	- x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
   1643 	- x86_64:       bit-sliced AES implementation;
   1644 	- ARM:          NEON support, contemporary platforms optimizations;
   1645 	- s390x:        z196 support;
   1646 	- *:            GHASH and GF(2^m) multiplication implementations;
   1647 
   1648      [Andy Polyakov]
   1649 
   1650   *) Make TLS-SRP code conformant with RFC 5054 API cleanup
   1651      (removal of unnecessary code)
   1652      [Peter Sylvester <peter.sylvester (a] edelweb.fr>]
   1653 
   1654   *) Add TLS key material exporter from RFC 5705.
   1655      [Eric Rescorla]
   1656 
   1657   *) Add DTLS-SRTP negotiation from RFC 5764.
   1658      [Eric Rescorla]
   1659 
   1660   *) Add Next Protocol Negotiation,
   1661      http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
   1662      disabled with a no-npn flag to config or Configure. Code donated
   1663      by Google.
   1664      [Adam Langley <agl (a] google.com> and Ben Laurie]
   1665 
   1666   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
   1667      NIST-P256, NIST-P521, with constant-time single point multiplication on
   1668      typical inputs. Compiler support for the nonstandard type __uint128_t is
   1669      required to use this (present in gcc 4.4 and later, for 64-bit builds).
   1670      Code made available under Apache License version 2.0.
   1671 
   1672      Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
   1673      line to include this in your build of OpenSSL, and run "make depend" (or
   1674      "make update"). This enables the following EC_METHODs:
   1675 
   1676          EC_GFp_nistp224_method()
   1677          EC_GFp_nistp256_method()
   1678          EC_GFp_nistp521_method()
   1679 
   1680      EC_GROUP_new_by_curve_name() will automatically use these (while
   1681      EC_GROUP_new_curve_GFp() currently prefers the more flexible
   1682      implementations).
   1683      [Emilia Ksper, Adam Langley, Bodo Moeller (Google)]
   1684 
   1685   *) Use type ossl_ssize_t instad of ssize_t which isn't available on
   1686      all platforms. Move ssize_t definition from e_os.h to the public
   1687      header file e_os2.h as it now appears in public header file cms.h
   1688      [Steve Henson]
   1689 
   1690   *) New -sigopt option to the ca, req and x509 utilities. Additional
   1691      signature parameters can be passed using this option and in
   1692      particular PSS. 
   1693      [Steve Henson]
   1694 
   1695   *) Add RSA PSS signing function. This will generate and set the
   1696      appropriate AlgorithmIdentifiers for PSS based on those in the
   1697      corresponding EVP_MD_CTX structure. No application support yet.
   1698      [Steve Henson]
   1699 
   1700   *) Support for companion algorithm specific ASN1 signing routines.
   1701      New function ASN1_item_sign_ctx() signs a pre-initialised
   1702      EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
   1703      the appropriate parameters.
   1704      [Steve Henson]
   1705 
   1706   *) Add new algorithm specific ASN1 verification initialisation function
   1707      to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
   1708      handling will be the same no matter what EVP_PKEY_METHOD is used.
   1709      Add a PSS handler to support verification of PSS signatures: checked
   1710      against a number of sample certificates.
   1711      [Steve Henson]
   1712 
   1713   *) Add signature printing for PSS. Add PSS OIDs.
   1714      [Steve Henson, Martin Kaiser <lists (a] kaiser.cx>]
   1715 
   1716   *) Add algorithm specific signature printing. An individual ASN1 method
   1717      can now print out signatures instead of the standard hex dump. 
   1718 
   1719      More complex signatures (e.g. PSS) can print out more meaningful
   1720      information. Include DSA version that prints out the signature
   1721      parameters r, s.
   1722      [Steve Henson]
   1723 
   1724   *) Password based recipient info support for CMS library: implementing
   1725      RFC3211.
   1726      [Steve Henson]
   1727 
   1728   *) Split password based encryption into PBES2 and PBKDF2 functions. This
   1729      neatly separates the code into cipher and PBE sections and is required
   1730      for some algorithms that split PBES2 into separate pieces (such as
   1731      password based CMS).
   1732      [Steve Henson]
   1733 
   1734   *) Session-handling fixes:
   1735      - Fix handling of connections that are resuming with a session ID,
   1736        but also support Session Tickets.
   1737      - Fix a bug that suppressed issuing of a new ticket if the client
   1738        presented a ticket with an expired session.
   1739      - Try to set the ticket lifetime hint to something reasonable.
   1740      - Make tickets shorter by excluding irrelevant information.
   1741      - On the client side, don't ignore renewed tickets.
   1742      [Adam Langley, Bodo Moeller (Google)]
   1743 
   1744   *) Fix PSK session representation.
   1745      [Bodo Moeller]
   1746 
   1747   *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
   1748 
   1749      This work was sponsored by Intel.
   1750      [Andy Polyakov]
   1751 
   1752   *) Add GCM support to TLS library. Some custom code is needed to split
   1753      the IV between the fixed (from PRF) and explicit (from TLS record)
   1754      portions. This adds all GCM ciphersuites supported by RFC5288 and 
   1755      RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
   1756      add a special AESGCM string for GCM only.
   1757      [Steve Henson]
   1758 
   1759   *) Expand range of ctrls for AES GCM. Permit setting invocation
   1760      field on decrypt and retrieval of invocation field only on encrypt.
   1761      [Steve Henson]
   1762 
   1763   *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
   1764      As required by RFC5289 these ciphersuites cannot be used if for
   1765      versions of TLS earlier than 1.2.
   1766      [Steve Henson]
   1767 
   1768   *) For FIPS capable OpenSSL interpret a NULL default public key method
   1769      as unset and return the appopriate default but do *not* set the default.
   1770      This means we can return the appopriate method in applications that
   1771      swicth between FIPS and non-FIPS modes.
   1772      [Steve Henson]
   1773 
   1774   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
   1775      ENGINE is used then we cannot handle that in the FIPS module so we
   1776      keep original code iff non-FIPS operations are allowed.
   1777      [Steve Henson]
   1778 
   1779   *) Add -attime option to openssl utilities.
   1780      [Peter Eckersley <pde (a] eff.org>, Ben Laurie and Steve Henson]
   1781 
   1782   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
   1783      [Steve Henson]
   1784 
   1785   *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
   1786      FIPS EC methods unconditionally for now.
   1787      [Steve Henson]
   1788 
   1789   *) New build option no-ec2m to disable characteristic 2 code.
   1790      [Steve Henson]
   1791 
   1792   *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
   1793      all cases can be covered as some introduce binary incompatibilities.
   1794      [Steve Henson]
   1795 
   1796   *) Redirect RSA operations to FIPS module including keygen,
   1797      encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
   1798      [Steve Henson]
   1799 
   1800   *) Add similar low level API blocking to ciphers.
   1801      [Steve Henson]
   1802 
   1803   *) Low level digest APIs are not approved in FIPS mode: any attempt
   1804      to use these will cause a fatal error. Applications that *really* want
   1805      to use them can use the private_* version instead.
   1806      [Steve Henson]
   1807 
   1808   *) Redirect cipher operations to FIPS module for FIPS builds. 
   1809      [Steve Henson]
   1810 
   1811   *) Redirect digest operations to FIPS module for FIPS builds. 
   1812      [Steve Henson]
   1813 
   1814   *) Update build system to add "fips" flag which will link in fipscanister.o
   1815      for static and shared library builds embedding a signature if needed.
   1816      [Steve Henson]
   1817 
   1818   *) Output TLS supported curves in preference order instead of numerical
   1819      order. This is currently hardcoded for the highest order curves first.
   1820      This should be configurable so applications can judge speed vs strength.
   1821      [Steve Henson]
   1822 
   1823   *) Add TLS v1.2 server support for client authentication. 
   1824      [Steve Henson]
   1825 
   1826   *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
   1827      and enable MD5.
   1828      [Steve Henson]
   1829 
   1830   *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
   1831      FIPS modules versions.
   1832      [Steve Henson]
   1833 
   1834   *) Add TLS v1.2 client side support for client authentication. Keep cache
   1835      of handshake records longer as we don't know the hash algorithm to use
   1836      until after the certificate request message is received.
   1837      [Steve Henson]
   1838 
   1839   *) Initial TLS v1.2 client support. Add a default signature algorithms
   1840      extension including all the algorithms we support. Parse new signature
   1841      format in client key exchange. Relax some ECC signing restrictions for
   1842      TLS v1.2 as indicated in RFC5246.
   1843      [Steve Henson]
   1844 
   1845   *) Add server support for TLS v1.2 signature algorithms extension. Switch
   1846      to new signature format when needed using client digest preference.
   1847      All server ciphersuites should now work correctly in TLS v1.2. No client
   1848      support yet and no support for client certificates.
   1849      [Steve Henson]
   1850 
   1851   *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
   1852      to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
   1853      ciphersuites. At present only RSA key exchange ciphersuites work with
   1854      TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
   1855      SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
   1856      and version checking.
   1857      [Steve Henson]
   1858 
   1859   *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
   1860      with this defined it will not be affected by any changes to ssl internal
   1861      structures. Add several utility functions to allow openssl application
   1862      to work with OPENSSL_NO_SSL_INTERN defined.
   1863      [Steve Henson]
   1864 
   1865   *) Add SRP support.
   1866      [Tom Wu <tjw (a] cs.stanford.edu> and Ben Laurie]
   1867 
   1868   *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
   1869      [Steve Henson]
   1870 
   1871   *) Permit abbreviated handshakes when renegotiating using the function
   1872      SSL_renegotiate_abbreviated().
   1873      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1874 
   1875   *) Add call to ENGINE_register_all_complete() to
   1876      ENGINE_load_builtin_engines(), so some implementations get used
   1877      automatically instead of needing explicit application support.
   1878      [Steve Henson]
   1879 
   1880   *) Add support for TLS key exporter as described in RFC5705.
   1881      [Robin Seggelmann <seggelmann (a] fh-muenster.de>, Steve Henson]
   1882 
   1883   *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
   1884      a few changes are required:
   1885 
   1886        Add SSL_OP_NO_TLSv1_1 flag.
   1887        Add TLSv1_1 methods.
   1888        Update version checking logic to handle version 1.1.
   1889        Add explicit IV handling (ported from DTLS code).
   1890        Add command line options to s_client/s_server.
   1891      [Steve Henson]
   1892 
   1893  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
   1894 
   1895   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
   1896      in CMS and PKCS7 code. When RSA decryption fails use a random key for
   1897      content decryption and always return the same error. Note: this attack
   1898      needs on average 2^20 messages so it only affects automated senders. The
   1899      old behaviour can be reenabled in the CMS code by setting the
   1900      CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
   1901      an MMA defence is not necessary.
   1902      Thanks to Ivan Nestlerode <inestlerode (a] us.ibm.com> for discovering
   1903      this issue. (CVE-2012-0884)
   1904      [Steve Henson]
   1905 
   1906   *) Fix CVE-2011-4619: make sure we really are receiving a 
   1907      client hello before rejecting multiple SGC restarts. Thanks to
   1908      Ivan Nestlerode <inestlerode (a] us.ibm.com> for discovering this bug.
   1909      [Steve Henson]
   1910 
   1911  Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
   1912 
   1913   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
   1914      Thanks to Antonio Martin, Enterprise Secure Access Research and
   1915      Development, Cisco Systems, Inc. for discovering this bug and
   1916      preparing a fix. (CVE-2012-0050)
   1917      [Antonio Martin]
   1918 
   1919  Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
   1920 
   1921   *) Nadhem Alfardan and Kenny Paterson have discovered an extension
   1922      of the Vaudenay padding oracle attack on CBC mode encryption
   1923      which enables an efficient plaintext recovery attack against
   1924      the OpenSSL implementation of DTLS. Their attack exploits timing
   1925      differences arising during decryption processing. A research
   1926      paper describing this attack can be found at:
   1927                   http://www.isg.rhul.ac.uk/~kp/dtls.pdf
   1928      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   1929      Security Group at Royal Holloway, University of London
   1930      (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
   1931      <seggelmann (a] fh-muenster.de> and Michael Tuexen <tuexen (a] fh-muenster.de>
   1932      for preparing the fix. (CVE-2011-4108)
   1933      [Robin Seggelmann, Michael Tuexen]
   1934 
   1935   *) Clear bytes used for block padding of SSL 3.0 records.
   1936      (CVE-2011-4576)
   1937      [Adam Langley (Google)]
   1938 
   1939   *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
   1940      Kadianakis <desnacked (a] gmail.com> for discovering this issue and
   1941      Adam Langley for preparing the fix. (CVE-2011-4619)
   1942      [Adam Langley (Google)]
   1943 
   1944   *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
   1945      [Andrey Kulikov <amdeich (a] gmail.com>]
   1946 
   1947   *) Prevent malformed RFC3779 data triggering an assertion failure.
   1948      Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
   1949      and Rob Austein <sra (a] hactrn.net> for fixing it. (CVE-2011-4577)
   1950      [Rob Austein <sra (a] hactrn.net>]
   1951 
   1952   *) Improved PRNG seeding for VOS.
   1953      [Paul Green <Paul.Green (a] stratus.com>]
   1954 
   1955   *) Fix ssl_ciph.c set-up race.
   1956      [Adam Langley (Google)]
   1957 
   1958   *) Fix spurious failures in ecdsatest.c.
   1959      [Emilia Ksper (Google)]
   1960 
   1961   *) Fix the BIO_f_buffer() implementation (which was mixing different
   1962      interpretations of the '..._len' fields).
   1963      [Adam Langley (Google)]
   1964 
   1965   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
   1966      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
   1967      threads won't reuse the same blinding coefficients.
   1968 
   1969      This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
   1970      lock to call BN_BLINDING_invert_ex, and avoids one use of
   1971      BN_BLINDING_update for each BN_BLINDING structure (previously,
   1972      the last update always remained unused).
   1973      [Emilia Ksper (Google)]
   1974 
   1975   *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
   1976      [Bob Buckholz (Google)]
   1977 
   1978  Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
   1979 
   1980   *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
   1981      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
   1982      [Kaspar Brand <ossl (a] velox.ch>]
   1983 
   1984   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
   1985      for multi-threaded use of ECDH. (CVE-2011-3210)
   1986      [Adam Langley (Google)]
   1987 
   1988   *) Fix x509_name_ex_d2i memory leak on bad inputs.
   1989      [Bodo Moeller]
   1990 
   1991   *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
   1992      signature public key algorithm by using OID xref utilities instead.
   1993      Before this you could only use some ECC ciphersuites with SHA1 only.
   1994      [Steve Henson]
   1995 
   1996   *) Add protection against ECDSA timing attacks as mentioned in the paper
   1997      by Billy Bob Brumley and Nicola Tuveri, see:
   1998 
   1999 	http://eprint.iacr.org/2011/232.pdf
   2000 
   2001      [Billy Bob Brumley and Nicola Tuveri]
   2002 
   2003  Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
   2004 
   2005   *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
   2006      [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
   2007 
   2008   *) Fix bug in string printing code: if *any* escaping is enabled we must
   2009      escape the escape character (backslash) or the resulting string is
   2010      ambiguous.
   2011      [Steve Henson]
   2012 
   2013  Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
   2014 
   2015   *) Disable code workaround for ancient and obsolete Netscape browsers
   2016      and servers: an attacker can use it in a ciphersuite downgrade attack.
   2017      Thanks to Martin Rex for discovering this bug. CVE-2010-4180
   2018      [Steve Henson]
   2019 
   2020   *) Fixed J-PAKE implementation error, originally discovered by
   2021      Sebastien Martini, further info and confirmation from Stefan
   2022      Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
   2023      [Ben Laurie]
   2024 
   2025  Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
   2026 
   2027   *) Fix extension code to avoid race conditions which can result in a buffer
   2028      overrun vulnerability: resumed sessions must not be modified as they can
   2029      be shared by multiple threads. CVE-2010-3864
   2030      [Steve Henson]
   2031 
   2032   *) Fix WIN32 build system to correctly link an ENGINE directory into
   2033      a DLL. 
   2034      [Steve Henson]
   2035 
   2036  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
   2037 
   2038   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
   2039      (CVE-2010-1633)
   2040      [Steve Henson, Peter-Michael Hager <hager (a] dortmund.net>]
   2041 
   2042  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
   2043 
   2044   *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
   2045      context. The operation can be customised via the ctrl mechanism in
   2046      case ENGINEs want to include additional functionality.
   2047      [Steve Henson]
   2048 
   2049   *) Tolerate yet another broken PKCS#8 key format: private key value negative.
   2050      [Steve Henson]
   2051 
   2052   *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
   2053      output hashes compatible with older versions of OpenSSL.
   2054      [Willy Weisz <weisz (a] vcpc.univie.ac.at>]
   2055 
   2056   *) Fix compression algorithm handling: if resuming a session use the
   2057      compression algorithm of the resumed session instead of determining
   2058      it from client hello again. Don't allow server to change algorithm.
   2059      [Steve Henson]
   2060 
   2061   *) Add load_crls() function to apps tidying load_certs() too. Add option
   2062      to verify utility to allow additional CRLs to be included.
   2063      [Steve Henson]
   2064 
   2065   *) Update OCSP request code to permit adding custom headers to the request:
   2066      some responders need this.
   2067      [Steve Henson]
   2068 
   2069   *) The function EVP_PKEY_sign() returns <=0 on error: check return code
   2070      correctly.
   2071      [Julia Lawall <julia (a] diku.dk>]
   2072 
   2073   *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
   2074      needlessly dereferenced structures, used obsolete functions and
   2075      didn't handle all updated verify codes correctly.
   2076      [Steve Henson]
   2077 
   2078   *) Disable MD2 in the default configuration.
   2079      [Steve Henson]
   2080 
   2081   *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
   2082      indicate the initial BIO being pushed or popped. This makes it possible
   2083      to determine whether the BIO is the one explicitly called or as a result
   2084      of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
   2085      it handles reference counts correctly and doesn't zero out the I/O bio
   2086      when it is not being explicitly popped. WARNING: applications which
   2087      included workarounds for the old buggy behaviour will need to be modified
   2088      or they could free up already freed BIOs.
   2089      [Steve Henson]
   2090 
   2091   *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
   2092      renaming to all platforms (within the 0.9.8 branch, this was
   2093      done conditionally on Netware platforms to avoid a name clash).
   2094      [Guenter <lists (a] gknw.net>]
   2095 
   2096   *) Add ECDHE and PSK support to DTLS.
   2097      [Michael Tuexen <tuexen (a] fh-muenster.de>]
   2098 
   2099   *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
   2100      be used on C++.
   2101      [Steve Henson]
   2102 
   2103   *) Add "missing" function EVP_MD_flags() (without this the only way to
   2104      retrieve a digest flags is by accessing the structure directly. Update
   2105      EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
   2106      or cipher is registered as in the "from" argument. Print out all
   2107      registered digests in the dgst usage message instead of manually 
   2108      attempting to work them out.
   2109      [Steve Henson]
   2110 
   2111   *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
   2112      this allows the use of compression and extensions. Change default cipher
   2113      string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
   2114      by default unless an application cipher string requests it.
   2115      [Steve Henson]
   2116 
   2117   *) Alter match criteria in PKCS12_parse(). It used to try to use local
   2118      key ids to find matching certificates and keys but some PKCS#12 files
   2119      don't follow the (somewhat unwritten) rules and this strategy fails.
   2120      Now just gather all certificates together and the first private key
   2121      then look for the first certificate that matches the key.
   2122      [Steve Henson]
   2123 
   2124   *) Support use of registered digest and cipher names for dgst and cipher
   2125      commands instead of having to add each one as a special case. So now
   2126      you can do:
   2127 
   2128         openssl sha256 foo
   2129 
   2130      as well as:
   2131 
   2132         openssl dgst -sha256 foo
   2133 
   2134      and this works for ENGINE based algorithms too.
   2135 
   2136      [Steve Henson]
   2137 
   2138   *) Update Gost ENGINE to support parameter files.
   2139      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2140 
   2141   *) Support GeneralizedTime in ca utility. 
   2142      [Oliver Martin <oliver (a] volatilevoid.net>, Steve Henson]
   2143 
   2144   *) Enhance the hash format used for certificate directory links. The new
   2145      form uses the canonical encoding (meaning equivalent names will work
   2146      even if they aren't identical) and uses SHA1 instead of MD5. This form
   2147      is incompatible with the older format and as a result c_rehash should
   2148      be used to rebuild symbolic links.
   2149      [Steve Henson]
   2150 
   2151   *) Make PKCS#8 the default write format for private keys, replacing the
   2152      traditional format. This form is standardised, more secure and doesn't
   2153      include an implicit MD5 dependency.
   2154      [Steve Henson]
   2155 
   2156   *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
   2157      committed to OpenSSL should pass this lot as a minimum.
   2158      [Steve Henson]
   2159 
   2160   *) Add session ticket override functionality for use by EAP-FAST.
   2161      [Jouni Malinen <j (a] w1.fi>]
   2162 
   2163   *) Modify HMAC functions to return a value. Since these can be implemented
   2164      in an ENGINE errors can occur.
   2165      [Steve Henson]
   2166 
   2167   *) Type-checked OBJ_bsearch_ex.
   2168      [Ben Laurie]
   2169 
   2170   *) Type-checked OBJ_bsearch. Also some constification necessitated
   2171      by type-checking.  Still to come: TXT_DB, bsearch(?),
   2172      OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
   2173      CONF_VALUE.
   2174      [Ben Laurie]
   2175 
   2176   *) New function OPENSSL_gmtime_adj() to add a specific number of days and
   2177      seconds to a tm structure directly, instead of going through OS
   2178      specific date routines. This avoids any issues with OS routines such
   2179      as the year 2038 bug. New *_adj() functions for ASN1 time structures
   2180      and X509_time_adj_ex() to cover the extended range. The existing
   2181      X509_time_adj() is still usable and will no longer have any date issues.
   2182      [Steve Henson]
   2183 
   2184   *) Delta CRL support. New use deltas option which will attempt to locate
   2185      and search any appropriate delta CRLs available.
   2186 
   2187      This work was sponsored by Google.
   2188      [Steve Henson]
   2189 
   2190   *) Support for CRLs partitioned by reason code. Reorganise CRL processing
   2191      code and add additional score elements. Validate alternate CRL paths
   2192      as part of the CRL checking and indicate a new error "CRL path validation
   2193      error" in this case. Applications wanting additional details can use
   2194      the verify callback and check the new "parent" field. If this is not
   2195      NULL CRL path validation is taking place. Existing applications wont
   2196      see this because it requires extended CRL support which is off by
   2197      default.
   2198 
   2199      This work was sponsored by Google.
   2200      [Steve Henson]
   2201 
   2202   *) Support for freshest CRL extension.
   2203 
   2204      This work was sponsored by Google.
   2205      [Steve Henson]
   2206 
   2207   *) Initial indirect CRL support. Currently only supported in the CRLs
   2208      passed directly and not via lookup. Process certificate issuer
   2209      CRL entry extension and lookup CRL entries by bother issuer name
   2210      and serial number. Check and process CRL issuer entry in IDP extension.
   2211 
   2212      This work was sponsored by Google.
   2213      [Steve Henson]
   2214 
   2215   *) Add support for distinct certificate and CRL paths. The CRL issuer
   2216      certificate is validated separately in this case. Only enabled if
   2217      an extended CRL support flag is set: this flag will enable additional
   2218      CRL functionality in future.
   2219 
   2220      This work was sponsored by Google.
   2221      [Steve Henson]
   2222 
   2223   *) Add support for policy mappings extension.
   2224 
   2225      This work was sponsored by Google.
   2226      [Steve Henson]
   2227 
   2228   *) Fixes to pathlength constraint, self issued certificate handling,
   2229      policy processing to align with RFC3280 and PKITS tests.
   2230 
   2231      This work was sponsored by Google.
   2232      [Steve Henson]
   2233 
   2234   *) Support for name constraints certificate extension. DN, email, DNS
   2235      and URI types are currently supported.
   2236 
   2237      This work was sponsored by Google.
   2238      [Steve Henson]
   2239 
   2240   *) To cater for systems that provide a pointer-based thread ID rather
   2241      than numeric, deprecate the current numeric thread ID mechanism and
   2242      replace it with a structure and associated callback type. This
   2243      mechanism allows a numeric "hash" to be extracted from a thread ID in
   2244      either case, and on platforms where pointers are larger than 'long',
   2245      mixing is done to help ensure the numeric 'hash' is usable even if it
   2246      can't be guaranteed unique. The default mechanism is to use "&errno"
   2247      as a pointer-based thread ID to distinguish between threads.
   2248 
   2249      Applications that want to provide their own thread IDs should now use
   2250      CRYPTO_THREADID_set_callback() to register a callback that will call
   2251      either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
   2252 
   2253      Note that ERR_remove_state() is now deprecated, because it is tied
   2254      to the assumption that thread IDs are numeric.  ERR_remove_state(0)
   2255      to free the current thread's error state should be replaced by
   2256      ERR_remove_thread_state(NULL).
   2257 
   2258      (This new approach replaces the functions CRYPTO_set_idptr_callback(),
   2259      CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
   2260      OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
   2261      application was previously providing a numeric thread callback that
   2262      was inappropriate for distinguishing threads, then uniqueness might
   2263      have been obtained with &errno that happened immediately in the
   2264      intermediate development versions of OpenSSL; this is no longer the
   2265      case, the numeric thread callback will now override the automatic use
   2266      of &errno.)
   2267      [Geoff Thorpe, with help from Bodo Moeller]
   2268 
   2269   *) Initial support for different CRL issuing certificates. This covers a
   2270      simple case where the self issued certificates in the chain exist and
   2271      the real CRL issuer is higher in the existing chain.
   2272 
   2273      This work was sponsored by Google.
   2274      [Steve Henson]
   2275 
   2276   *) Removed effectively defunct crypto/store from the build.
   2277      [Ben Laurie]
   2278 
   2279   *) Revamp of STACK to provide stronger type-checking. Still to come:
   2280      TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
   2281      ASN1_STRING, CONF_VALUE.
   2282      [Ben Laurie]
   2283 
   2284   *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
   2285      RAM on SSL connections.  This option can save about 34k per idle SSL.
   2286      [Nick Mathewson]
   2287 
   2288   *) Revamp of LHASH to provide stronger type-checking. Still to come:
   2289      STACK, TXT_DB, bsearch, qsort.
   2290      [Ben Laurie]
   2291 
   2292   *) Initial support for Cryptographic Message Syntax (aka CMS) based
   2293      on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
   2294      support for data, signedData, compressedData, digestedData and
   2295      encryptedData, envelopedData types included. Scripts to check against
   2296      RFC4134 examples draft and interop and consistency checks of many
   2297      content types and variants.
   2298      [Steve Henson]
   2299 
   2300   *) Add options to enc utility to support use of zlib compression BIO.
   2301      [Steve Henson]
   2302 
   2303   *) Extend mk1mf to support importing of options and assembly language
   2304      files from Configure script, currently only included in VC-WIN32.
   2305      The assembly language rules can now optionally generate the source
   2306      files from the associated perl scripts.
   2307      [Steve Henson]
   2308 
   2309   *) Implement remaining functionality needed to support GOST ciphersuites.
   2310      Interop testing has been performed using CryptoPro implementations.
   2311      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2312 
   2313   *) s390x assembler pack.
   2314      [Andy Polyakov]
   2315 
   2316   *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
   2317      "family."
   2318      [Andy Polyakov]
   2319 
   2320   *) Implement Opaque PRF Input TLS extension as specified in
   2321      draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
   2322      official specification yet and no extension type assignment by
   2323      IANA exists, this extension (for now) will have to be explicitly
   2324      enabled when building OpenSSL by providing the extension number
   2325      to use.  For example, specify an option
   2326 
   2327          -DTLSEXT_TYPE_opaque_prf_input=0x9527
   2328 
   2329      to the "config" or "Configure" script to enable the extension,
   2330      assuming extension number 0x9527 (which is a completely arbitrary
   2331      and unofficial assignment based on the MD5 hash of the Internet
   2332      Draft).  Note that by doing so, you potentially lose
   2333      interoperability with other TLS implementations since these might
   2334      be using the same extension number for other purposes.
   2335 
   2336      SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
   2337      opaque PRF input value to use in the handshake.  This will create
   2338      an interal copy of the length-'len' string at 'src', and will
   2339      return non-zero for success.
   2340 
   2341      To get more control and flexibility, provide a callback function
   2342      by using
   2343 
   2344           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
   2345           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
   2346 
   2347      where
   2348 
   2349           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
   2350           void *arg;
   2351 
   2352      Callback function 'cb' will be called in handshakes, and is
   2353      expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
   2354      Argument 'arg' is for application purposes (the value as given to
   2355      SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
   2356      be provided to the callback function).  The callback function
   2357      has to return non-zero to report success: usually 1 to use opaque
   2358      PRF input just if possible, or 2 to enforce use of the opaque PRF
   2359      input.  In the latter case, the library will abort the handshake
   2360      if opaque PRF input is not successfully negotiated.
   2361 
   2362      Arguments 'peerinput' and 'len' given to the callback function
   2363      will always be NULL and 0 in the case of a client.  A server will
   2364      see the client's opaque PRF input through these variables if
   2365      available (NULL and 0 otherwise).  Note that if the server
   2366      provides an opaque PRF input, the length must be the same as the
   2367      length of the client's opaque PRF input.
   2368 
   2369      Note that the callback function will only be called when creating
   2370      a new session (session resumption can resume whatever was
   2371      previously negotiated), and will not be called in SSL 2.0
   2372      handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
   2373      SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
   2374      for applications that need to enforce opaque PRF input.
   2375 
   2376      [Bodo Moeller]
   2377 
   2378   *) Update ssl code to support digests other than SHA1+MD5 for handshake
   2379      MAC. 
   2380 
   2381      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2382 
   2383   *) Add RFC4507 support to OpenSSL. This includes the corrections in
   2384      RFC4507bis. The encrypted ticket format is an encrypted encoded
   2385      SSL_SESSION structure, that way new session features are automatically
   2386      supported.
   2387 
   2388      If a client application caches session in an SSL_SESSION structure
   2389      support is transparent because tickets are now stored in the encoded
   2390      SSL_SESSION.
   2391      
   2392      The SSL_CTX structure automatically generates keys for ticket
   2393      protection in servers so again support should be possible
   2394      with no application modification.
   2395 
   2396      If a client or server wishes to disable RFC4507 support then the option
   2397      SSL_OP_NO_TICKET can be set.
   2398 
   2399      Add a TLS extension debugging callback to allow the contents of any client
   2400      or server extensions to be examined.
   2401 
   2402      This work was sponsored by Google.
   2403      [Steve Henson]
   2404 
   2405   *) Final changes to avoid use of pointer pointer casts in OpenSSL.
   2406      OpenSSL should now compile cleanly on gcc 4.2
   2407      [Peter Hartley <pdh (a] utter.chaos.org.uk>, Steve Henson]
   2408 
   2409   *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
   2410      support including streaming MAC support: this is required for GOST
   2411      ciphersuite support.
   2412      [Victor B. Wagner <vitus (a] cryptocom.ru>, Steve Henson]
   2413 
   2414   *) Add option -stream to use PKCS#7 streaming in smime utility. New
   2415      function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
   2416      to output in BER and PEM format.
   2417      [Steve Henson]
   2418 
   2419   *) Experimental support for use of HMAC via EVP_PKEY interface. This
   2420      allows HMAC to be handled via the EVP_DigestSign*() interface. The
   2421      EVP_PKEY "key" in this case is the HMAC key, potentially allowing
   2422      ENGINE support for HMAC keys which are unextractable. New -mac and
   2423      -macopt options to dgst utility.
   2424      [Steve Henson]
   2425 
   2426   *) New option -sigopt to dgst utility. Update dgst to use
   2427      EVP_Digest{Sign,Verify}*. These two changes make it possible to use
   2428      alternative signing paramaters such as X9.31 or PSS in the dgst 
   2429      utility.
   2430      [Steve Henson]
   2431 
   2432   *) Change ssl_cipher_apply_rule(), the internal function that does
   2433      the work each time a ciphersuite string requests enabling
   2434      ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
   2435      removing ("!foo+bar") a class of ciphersuites: Now it maintains
   2436      the order of disabled ciphersuites such that those ciphersuites
   2437      that most recently went from enabled to disabled not only stay
   2438      in order with respect to each other, but also have higher priority
   2439      than other disabled ciphersuites the next time ciphersuites are
   2440      enabled again.
   2441 
   2442      This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
   2443      the same ciphersuites as with "HIGH" alone, but in a specific
   2444      order where the PSK ciphersuites come first (since they are the
   2445      most recently disabled ciphersuites when "HIGH" is parsed).
   2446 
   2447      Also, change ssl_create_cipher_list() (using this new
   2448      funcionality) such that between otherwise identical
   2449      cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
   2450      the default order.
   2451      [Bodo Moeller]
   2452 
   2453   *) Change ssl_create_cipher_list() so that it automatically
   2454      arranges the ciphersuites in reasonable order before starting
   2455      to process the rule string.  Thus, the definition for "DEFAULT"
   2456      (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
   2457      remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
   2458      This makes it much easier to arrive at a reasonable default order
   2459      in applications for which anonymous ciphers are OK (meaning
   2460      that you can't actually use DEFAULT).
   2461      [Bodo Moeller; suggested by Victor Duchovni]
   2462 
   2463   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
   2464      processing) into multiple integers instead of setting
   2465      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
   2466      "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
   2467      (These masks as well as the individual bit definitions are hidden
   2468      away into the non-exported interface ssl/ssl_locl.h, so this
   2469      change to the definition of the SSL_CIPHER structure shouldn't
   2470      affect applications.)  This give us more bits for each of these
   2471      categories, so there is no longer a need to coagulate AES128 and
   2472      AES256 into a single algorithm bit, and to coagulate Camellia128
   2473      and Camellia256 into a single algorithm bit, which has led to all
   2474      kinds of kludges.
   2475 
   2476      Thus, among other things, the kludge introduced in 0.9.7m and
   2477      0.9.8e for masking out AES256 independently of AES128 or masking
   2478      out Camellia256 independently of AES256 is not needed here in 0.9.9.
   2479 
   2480      With the change, we also introduce new ciphersuite aliases that
   2481      so far were missing: "AES128", "AES256", "CAMELLIA128", and
   2482      "CAMELLIA256".
   2483      [Bodo Moeller]
   2484 
   2485   *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
   2486      Use the leftmost N bytes of the signature input if the input is
   2487      larger than the prime q (with N being the size in bytes of q).
   2488      [Nils Larsch]
   2489 
   2490   *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
   2491      it yet and it is largely untested.
   2492      [Steve Henson]
   2493 
   2494   *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
   2495      [Nils Larsch]
   2496 
   2497   *) Initial incomplete changes to avoid need for function casts in OpenSSL
   2498      some compilers (gcc 4.2 and later) reject their use. Safestack is
   2499      reimplemented.  Update ASN1 to avoid use of legacy functions. 
   2500      [Steve Henson]
   2501 
   2502   *) Win32/64 targets are linked with Winsock2.
   2503      [Andy Polyakov]
   2504 
   2505   *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
   2506      to external functions. This can be used to increase CRL handling 
   2507      efficiency especially when CRLs are very large by (for example) storing
   2508      the CRL revoked certificates in a database.
   2509      [Steve Henson]
   2510 
   2511   *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
   2512      new CRLs added to a directory can be used. New command line option
   2513      -verify_return_error to s_client and s_server. This causes real errors
   2514      to be returned by the verify callback instead of carrying on no matter
   2515      what. This reflects the way a "real world" verify callback would behave.
   2516      [Steve Henson]
   2517 
   2518   *) GOST engine, supporting several GOST algorithms and public key formats.
   2519      Kindly donated by Cryptocom.
   2520      [Cryptocom]
   2521 
   2522   *) Partial support for Issuing Distribution Point CRL extension. CRLs
   2523      partitioned by DP are handled but no indirect CRL or reason partitioning
   2524      (yet). Complete overhaul of CRL handling: now the most suitable CRL is
   2525      selected via a scoring technique which handles IDP and AKID in CRLs.
   2526      [Steve Henson]
   2527 
   2528   *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
   2529      will ultimately be used for all verify operations: this will remove the
   2530      X509_STORE dependency on certificate verification and allow alternative
   2531      lookup methods.  X509_STORE based implementations of these two callbacks.
   2532      [Steve Henson]
   2533 
   2534   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
   2535      Modify get_crl() to find a valid (unexpired) CRL if possible.
   2536      [Steve Henson]
   2537 
   2538   *) New function X509_CRL_match() to check if two CRLs are identical. Normally
   2539      this would be called X509_CRL_cmp() but that name is already used by
   2540      a function that just compares CRL issuer names. Cache several CRL 
   2541      extensions in X509_CRL structure and cache CRLDP in X509.
   2542      [Steve Henson]
   2543 
   2544   *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
   2545      this maps equivalent X509_NAME structures into a consistent structure.
   2546      Name comparison can then be performed rapidly using memcmp().
   2547      [Steve Henson]
   2548 
   2549   *) Non-blocking OCSP request processing. Add -timeout option to ocsp 
   2550      utility.
   2551      [Steve Henson]
   2552 
   2553   *) Allow digests to supply their own micalg string for S/MIME type using
   2554      the ctrl EVP_MD_CTRL_MICALG.
   2555      [Steve Henson]
   2556 
   2557   *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
   2558      EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
   2559      ctrl. It can then customise the structure before and/or after signing
   2560      if necessary.
   2561      [Steve Henson]
   2562 
   2563   *) New function OBJ_add_sigid() to allow application defined signature OIDs
   2564      to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
   2565      to free up any added signature OIDs.
   2566      [Steve Henson]
   2567 
   2568   *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
   2569      EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
   2570      digest and cipher tables. New options added to openssl utility:
   2571      list-message-digest-algorithms and list-cipher-algorithms.
   2572      [Steve Henson]
   2573 
   2574   *) Change the array representation of binary polynomials: the list
   2575      of degrees of non-zero coefficients is now terminated with -1.
   2576      Previously it was terminated with 0, which was also part of the
   2577      value; thus, the array representation was not applicable to
   2578      polynomials where t^0 has coefficient zero.  This change makes
   2579      the array representation useful in a more general context.
   2580      [Douglas Stebila]
   2581 
   2582   *) Various modifications and fixes to SSL/TLS cipher string
   2583      handling.  For ECC, the code now distinguishes between fixed ECDH
   2584      with RSA certificates on the one hand and with ECDSA certificates
   2585      on the other hand, since these are separate ciphersuites.  The
   2586      unused code for Fortezza ciphersuites has been removed.
   2587 
   2588      For consistency with EDH, ephemeral ECDH is now called "EECDH"
   2589      (not "ECDHE").  For consistency with the code for DH
   2590      certificates, use of ECDH certificates is now considered ECDH
   2591      authentication, not RSA or ECDSA authentication (the latter is
   2592      merely the CA's signing algorithm and not actively used in the
   2593      protocol).
   2594 
   2595      The temporary ciphersuite alias "ECCdraft" is no longer
   2596      available, and ECC ciphersuites are no longer excluded from "ALL"
   2597      and "DEFAULT".  The following aliases now exist for RFC 4492
   2598      ciphersuites, most of these by analogy with the DH case:
   2599 
   2600          kECDHr   - ECDH cert, signed with RSA
   2601          kECDHe   - ECDH cert, signed with ECDSA
   2602          kECDH    - ECDH cert (signed with either RSA or ECDSA)
   2603          kEECDH   - ephemeral ECDH
   2604          ECDH     - ECDH cert or ephemeral ECDH
   2605 
   2606          aECDH    - ECDH cert
   2607          aECDSA   - ECDSA cert
   2608          ECDSA    - ECDSA cert
   2609 
   2610          AECDH    - anonymous ECDH
   2611          EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
   2612 
   2613      [Bodo Moeller]
   2614 
   2615   *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
   2616      Use correct micalg parameters depending on digest(s) in signed message.
   2617      [Steve Henson]
   2618 
   2619   *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
   2620      an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
   2621      [Steve Henson]
   2622 
   2623   *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
   2624      an engine to register a method. Add ENGINE lookups for methods and
   2625      functional reference processing.
   2626      [Steve Henson]
   2627 
   2628   *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
   2629      EVP_{Sign,Verify}* which allow an application to customise the signature
   2630      process.
   2631      [Steve Henson]
   2632 
   2633   *) New -resign option to smime utility. This adds one or more signers
   2634      to an existing PKCS#7 signedData structure. Also -md option to use an
   2635      alternative message digest algorithm for signing.
   2636      [Steve Henson]
   2637 
   2638   *) Tidy up PKCS#7 routines and add new functions to make it easier to
   2639      create PKCS7 structures containing multiple signers. Update smime
   2640      application to support multiple signers.
   2641      [Steve Henson]
   2642 
   2643   *) New -macalg option to pkcs12 utility to allow setting of an alternative
   2644      digest MAC.
   2645      [Steve Henson]
   2646 
   2647   *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
   2648      Reorganize PBE internals to lookup from a static table using NIDs,
   2649      add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
   2650      EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
   2651      PRF which will be automatically used with PBES2.
   2652      [Steve Henson]
   2653 
   2654   *) Replace the algorithm specific calls to generate keys in "req" with the
   2655      new API.
   2656      [Steve Henson]
   2657 
   2658   *) Update PKCS#7 enveloped data routines to use new API. This is now
   2659      supported by any public key method supporting the encrypt operation. A
   2660      ctrl is added to allow the public key algorithm to examine or modify
   2661      the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
   2662      a no op.
   2663      [Steve Henson]
   2664 
   2665   *) Add a ctrl to asn1 method to allow a public key algorithm to express
   2666      a default digest type to use. In most cases this will be SHA1 but some
   2667      algorithms (such as GOST) need to specify an alternative digest. The
   2668      return value indicates how strong the prefernce is 1 means optional and
   2669      2 is mandatory (that is it is the only supported type). Modify
   2670      ASN1_item_sign() to accept a NULL digest argument to indicate it should
   2671      use the default md. Update openssl utilities to use the default digest
   2672      type for signing if it is not explicitly indicated.
   2673      [Steve Henson]
   2674 
   2675   *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
   2676      EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
   2677      signing method from the key type. This effectively removes the link
   2678      between digests and public key types.
   2679      [Steve Henson]
   2680 
   2681   *) Add an OID cross reference table and utility functions. Its purpose is to
   2682      translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
   2683      rsaEncryption. This will allow some of the algorithm specific hackery
   2684      needed to use the correct OID to be removed. 
   2685      [Steve Henson]
   2686 
   2687   *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
   2688      structures for PKCS7_sign(). They are now set up by the relevant public
   2689      key ASN1 method.
   2690      [Steve Henson]
   2691 
   2692   *) Add provisional EC pkey method with support for ECDSA and ECDH.
   2693      [Steve Henson]
   2694 
   2695   *) Add support for key derivation (agreement) in the API, DH method and
   2696      pkeyutl.
   2697      [Steve Henson]
   2698 
   2699   *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
   2700      public and private key formats. As a side effect these add additional 
   2701      command line functionality not previously available: DSA signatures can be
   2702      generated and verified using pkeyutl and DH key support and generation in
   2703      pkey, genpkey.
   2704      [Steve Henson]
   2705 
   2706   *) BeOS support.
   2707      [Oliver Tappe <zooey (a] hirschkaefer.de>]
   2708 
   2709   *) New make target "install_html_docs" installs HTML renditions of the
   2710      manual pages.
   2711      [Oliver Tappe <zooey (a] hirschkaefer.de>]
   2712 
   2713   *) New utility "genpkey" this is analagous to "genrsa" etc except it can
   2714      generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
   2715      support key and parameter generation and add initial key generation
   2716      functionality for RSA.
   2717      [Steve Henson]
   2718 
   2719   *) Add functions for main EVP_PKEY_method operations. The undocumented
   2720      functions EVP_PKEY_{encrypt,decrypt} have been renamed to
   2721      EVP_PKEY_{encrypt,decrypt}_old. 
   2722      [Steve Henson]
   2723 
   2724   *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
   2725      key API, doesn't do much yet.
   2726      [Steve Henson]
   2727 
   2728   *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
   2729      public key algorithms. New option to openssl utility:
   2730      "list-public-key-algorithms" to print out info.
   2731      [Steve Henson]
   2732 
   2733   *) Implement the Supported Elliptic Curves Extension for
   2734      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
   2735      [Douglas Stebila]
   2736 
   2737   *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
   2738      EVP_CIPHER structures to avoid later problems in EVP_cleanup().
   2739      [Steve Henson]
   2740 
   2741   *) New utilities pkey and pkeyparam. These are similar to algorithm specific
   2742      utilities such as rsa, dsa, dsaparam etc except they process any key
   2743      type.
   2744      [Steve Henson]
   2745 
   2746   *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 
   2747      functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
   2748      EVP_PKEY_print_param() to print public key data from an EVP_PKEY
   2749      structure.
   2750      [Steve Henson]
   2751 
   2752   *) Initial support for pluggable public key ASN1.
   2753      De-spaghettify the public key ASN1 handling. Move public and private
   2754      key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
   2755      algorithm specific handling to a single module within the relevant
   2756      algorithm directory. Add functions to allow (near) opaque processing
   2757      of public and private key structures.
   2758      [Steve Henson]
   2759 
   2760   *) Implement the Supported Point Formats Extension for
   2761      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
   2762      [Douglas Stebila]
   2763 
   2764   *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
   2765      for the psk identity [hint] and the psk callback functions to the
   2766      SSL_SESSION, SSL and SSL_CTX structure.
   2767      
   2768      New ciphersuites:
   2769          PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
   2770          PSK-AES256-CBC-SHA
   2771  
   2772      New functions:
   2773          SSL_CTX_use_psk_identity_hint
   2774          SSL_get_psk_identity_hint
   2775          SSL_get_psk_identity
   2776          SSL_use_psk_identity_hint
   2777 
   2778      [Mika Kousa and Pasi Eronen of Nokia Corporation]
   2779 
   2780   *) Add RFC 3161 compliant time stamp request creation, response generation
   2781      and response verification functionality.
   2782      [Zoltn Glzik <zglozik (a] opentsa.org>, The OpenTSA Project]
   2783 
   2784   *) Add initial support for TLS extensions, specifically for the server_name
   2785      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
   2786      have new members for a host name.  The SSL data structure has an
   2787      additional member SSL_CTX *initial_ctx so that new sessions can be
   2788      stored in that context to allow for session resumption, even after the
   2789      SSL has been switched to a new SSL_CTX in reaction to a client's
   2790      server_name extension.
   2791 
   2792      New functions (subject to change):
   2793 
   2794          SSL_get_servername()
   2795          SSL_get_servername_type()
   2796          SSL_set_SSL_CTX()
   2797 
   2798      New CTRL codes and macros (subject to change):
   2799 
   2800          SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
   2801                                  - SSL_CTX_set_tlsext_servername_callback()
   2802          SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
   2803                                       - SSL_CTX_set_tlsext_servername_arg()
   2804          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
   2805 
   2806      openssl s_client has a new '-servername ...' option.
   2807 
   2808      openssl s_server has new options '-servername_host ...', '-cert2 ...',
   2809      '-key2 ...', '-servername_fatal' (subject to change).  This allows
   2810      testing the HostName extension for a specific single host name ('-cert'
   2811      and '-key' remain fallbacks for handshakes without HostName
   2812      negotiation).  If the unrecogninzed_name alert has to be sent, this by
   2813      default is a warning; it becomes fatal with the '-servername_fatal'
   2814      option.
   2815 
   2816      [Peter Sylvester,  Remy Allais, Christophe Renou]
   2817 
   2818   *) Whirlpool hash implementation is added.
   2819      [Andy Polyakov]
   2820 
   2821   *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
   2822      bn(64,32). Because of instruction set limitations it doesn't have
   2823      any negative impact on performance. This was done mostly in order
   2824      to make it possible to share assembler modules, such as bn_mul_mont
   2825      implementations, between 32- and 64-bit builds without hassle.
   2826      [Andy Polyakov]
   2827 
   2828   *) Move code previously exiled into file crypto/ec/ec2_smpt.c
   2829      to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
   2830      macro.
   2831      [Bodo Moeller]
   2832 
   2833   *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
   2834      dedicated Montgomery multiplication procedure, is introduced.
   2835      BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
   2836      "64-bit" performance on certain 32-bit targets.
   2837      [Andy Polyakov]
   2838 
   2839   *) New option SSL_OP_NO_COMP to disable use of compression selectively
   2840      in SSL structures. New SSL ctrl to set maximum send fragment size. 
   2841      Save memory by seeting the I/O buffer sizes dynamically instead of
   2842      using the maximum available value.
   2843      [Steve Henson]
   2844 
   2845   *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
   2846      in addition to the text details.
   2847      [Bodo Moeller]
   2848 
   2849   *) Very, very preliminary EXPERIMENTAL support for printing of general
   2850      ASN1 structures. This currently produces rather ugly output and doesn't
   2851      handle several customised structures at all.
   2852      [Steve Henson]
   2853 
   2854   *) Integrated support for PVK file format and some related formats such
   2855      as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
   2856      these in the 'rsa' and 'dsa' utilities.
   2857      [Steve Henson]
   2858 
   2859   *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
   2860      [Steve Henson]
   2861 
   2862   *) Remove the ancient ASN1_METHOD code. This was only ever used in one
   2863      place for the (very old) "NETSCAPE" format certificates which are now
   2864      handled using new ASN1 code equivalents.
   2865      [Steve Henson]
   2866 
   2867   *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
   2868      pointer and make the SSL_METHOD parameter in SSL_CTX_new,
   2869      SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
   2870      [Nils Larsch]
   2871 
   2872   *) Modify CRL distribution points extension code to print out previously
   2873      unsupported fields. Enhance extension setting code to allow setting of
   2874      all fields.
   2875      [Steve Henson]
   2876 
   2877   *) Add print and set support for Issuing Distribution Point CRL extension.
   2878      [Steve Henson]
   2879 
   2880   *) Change 'Configure' script to enable Camellia by default.
   2881      [NTT]
   2882 
   2883  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
   2884 
   2885   *) When rejecting SSL/TLS records due to an incorrect version number, never
   2886      update s->server with a new major version number.  As of
   2887      - OpenSSL 0.9.8m if 'short' is a 16-bit type,
   2888      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
   2889      the previous behavior could result in a read attempt at NULL when
   2890      receiving specific incorrect SSL/TLS records once record payload
   2891      protection is active.  (CVE-2010-0740)
   2892      [Bodo Moeller, Adam Langley <agl (a] chromium.org>]
   2893 
   2894   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
   2895      could be crashed if the relevant tables were not present (e.g. chrooted).
   2896      [Tomas Hoger <thoger (a] redhat.com>]
   2897 
   2898  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
   2899 
   2900   *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
   2901      [Martin Olsson, Neel Mehta]
   2902 
   2903   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
   2904      accommodate for stack sorting, always a write lock!).
   2905      [Bodo Moeller]
   2906 
   2907   *) On some versions of WIN32 Heap32Next is very slow. This can cause
   2908      excessive delays in the RAND_poll(): over a minute. As a workaround
   2909      include a time check in the inner Heap32Next loop too.
   2910      [Steve Henson]
   2911 
   2912   *) The code that handled flushing of data in SSL/TLS originally used the
   2913      BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
   2914      the problem outlined in PR#1949. The fix suggested there however can
   2915      trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
   2916      of Apache). So instead simplify the code to flush unconditionally.
   2917      This should be fine since flushing with no data to flush is a no op.
   2918      [Steve Henson]
   2919 
   2920   *) Handle TLS versions 2.0 and later properly and correctly use the
   2921      highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
   2922      off ancient servers have a habit of sticking around for a while...
   2923      [Steve Henson]
   2924 
   2925   *) Modify compression code so it frees up structures without using the
   2926      ex_data callbacks. This works around a problem where some applications
   2927      call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
   2928      restarting) then use compression (e.g. SSL with compression) later.
   2929      This results in significant per-connection memory leaks and
   2930      has caused some security issues including CVE-2008-1678 and
   2931      CVE-2009-4355.
   2932      [Steve Henson]
   2933 
   2934   *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
   2935      change when encrypting or decrypting.
   2936      [Bodo Moeller]
   2937 
   2938   *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
   2939      connect and renegotiate with servers which do not support RI.
   2940      Until RI is more widely deployed this option is enabled by default.
   2941      [Steve Henson]
   2942 
   2943   *) Add "missing" ssl ctrls to clear options and mode.
   2944      [Steve Henson]
   2945 
   2946   *) If client attempts to renegotiate and doesn't support RI respond with
   2947      a no_renegotiation alert as required by RFC5746.  Some renegotiating
   2948      TLS clients will continue a connection gracefully when they receive
   2949      the alert. Unfortunately OpenSSL mishandled this alert and would hang
   2950      waiting for a server hello which it will never receive. Now we treat a
   2951      received no_renegotiation alert as a fatal error. This is because
   2952      applications requesting a renegotiation might well expect it to succeed
   2953      and would have no code in place to handle the server denying it so the
   2954      only safe thing to do is to terminate the connection.
   2955      [Steve Henson]
   2956 
   2957   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
   2958      peer supports secure renegotiation and 0 otherwise. Print out peer
   2959      renegotiation support in s_client/s_server.
   2960      [Steve Henson]
   2961 
   2962   *) Replace the highly broken and deprecated SPKAC certification method with
   2963      the updated NID creation version. This should correctly handle UTF8.
   2964      [Steve Henson]
   2965 
   2966   *) Implement RFC5746. Re-enable renegotiation but require the extension
   2967      as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
   2968      turns out to be a bad idea. It has been replaced by
   2969      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
   2970      SSL_CTX_set_options(). This is really not recommended unless you
   2971      know what you are doing.
   2972      [Eric Rescorla <ekr (a] networkresonance.com>, Ben Laurie, Steve Henson]
   2973 
   2974   *) Fixes to stateless session resumption handling. Use initial_ctx when
   2975      issuing and attempting to decrypt tickets in case it has changed during
   2976      servername handling. Use a non-zero length session ID when attempting
   2977      stateless session resumption: this makes it possible to determine if
   2978      a resumption has occurred immediately after receiving server hello
   2979      (several places in OpenSSL subtly assume this) instead of later in
   2980      the handshake.
   2981      [Steve Henson]
   2982 
   2983   *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
   2984      CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
   2985      fixes for a few places where the return code is not checked
   2986      correctly.
   2987      [Julia Lawall <julia (a] diku.dk>]
   2988 
   2989   *) Add --strict-warnings option to Configure script to include devteam
   2990      warnings in other configurations.
   2991      [Steve Henson]
   2992 
   2993   *) Add support for --libdir option and LIBDIR variable in makefiles. This
   2994      makes it possible to install openssl libraries in locations which
   2995      have names other than "lib", for example "/usr/lib64" which some
   2996      systems need.
   2997      [Steve Henson, based on patch from Jeremy Utley]
   2998 
   2999   *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
   3000      X690 8.9.12 and can produce some misleading textual output of OIDs.
   3001      [Steve Henson, reported by Dan Kaminsky]
   3002 
   3003   *) Delete MD2 from algorithm tables. This follows the recommendation in
   3004      several standards that it is not used in new applications due to
   3005      several cryptographic weaknesses. For binary compatibility reasons
   3006      the MD2 API is still compiled in by default.
   3007      [Steve Henson]
   3008 
   3009   *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
   3010      and restored.
   3011      [Steve Henson]
   3012 
   3013   *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
   3014      OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
   3015      clash.
   3016      [Guenter <lists (a] gknw.net>]
   3017 
   3018   *) Fix the server certificate chain building code to use X509_verify_cert(),
   3019      it used to have an ad-hoc builder which was unable to cope with anything
   3020      other than a simple chain.
   3021      [David Woodhouse <dwmw2 (a] infradead.org>, Steve Henson]
   3022 
   3023   *) Don't check self signed certificate signatures in X509_verify_cert()
   3024      by default (a flag can override this): it just wastes time without
   3025      adding any security. As a useful side effect self signed root CAs
   3026      with non-FIPS digests are now usable in FIPS mode.
   3027      [Steve Henson]
   3028 
   3029   *) In dtls1_process_out_of_seq_message() the check if the current message
   3030      is already buffered was missing. For every new message was memory
   3031      allocated, allowing an attacker to perform an denial of service attack
   3032      with sending out of seq handshake messages until there is no memory
   3033      left. Additionally every future messege was buffered, even if the
   3034      sequence number made no sense and would be part of another handshake.
   3035      So only messages with sequence numbers less than 10 in advance will be
   3036      buffered.  (CVE-2009-1378)
   3037      [Robin Seggelmann, discovered by Daniel Mentz] 	
   3038 
   3039   *) Records are buffered if they arrive with a future epoch to be
   3040      processed after finishing the corresponding handshake. There is
   3041      currently no limitation to this buffer allowing an attacker to perform
   3042      a DOS attack with sending records with future epochs until there is no
   3043      memory left. This patch adds the pqueue_size() function to detemine
   3044      the size of a buffer and limits the record buffer to 100 entries.
   3045      (CVE-2009-1377)
   3046      [Robin Seggelmann, discovered by Daniel Mentz] 	
   3047 
   3048   *) Keep a copy of frag->msg_header.frag_len so it can be used after the
   3049      parent structure is freed.  (CVE-2009-1379)
   3050      [Daniel Mentz] 	
   3051 
   3052   *) Handle non-blocking I/O properly in SSL_shutdown() call.
   3053      [Darryl Miles <darryl-mailinglists (a] netbauds.net>]
   3054 
   3055   *) Add 2.5.4.* OIDs
   3056      [Ilya O. <vrghost (a] gmail.com>]
   3057 
   3058  Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
   3059 
   3060   *) Disable renegotiation completely - this fixes a severe security
   3061      problem (CVE-2009-3555) at the cost of breaking all
   3062      renegotiation. Renegotiation can be re-enabled by setting
   3063      SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
   3064      run-time. This is really not recommended unless you know what
   3065      you're doing.
   3066      [Ben Laurie]
   3067 
   3068  Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
   3069 
   3070   *) Don't set val to NULL when freeing up structures, it is freed up by
   3071      underlying code. If sizeof(void *) > sizeof(long) this can result in
   3072      zeroing past the valid field. (CVE-2009-0789)
   3073      [Paolo Ganci <Paolo.Ganci (a] AdNovum.CH>]
   3074 
   3075   *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
   3076      checked correctly. This would allow some invalid signed attributes to
   3077      appear to verify correctly. (CVE-2009-0591)
   3078      [Ivan Nestlerode <inestlerode (a] us.ibm.com>]
   3079 
   3080   *) Reject UniversalString and BMPString types with invalid lengths. This
   3081      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
   3082      a legal length. (CVE-2009-0590)
   3083      [Steve Henson]
   3084 
   3085   *) Set S/MIME signing as the default purpose rather than setting it 
   3086      unconditionally. This allows applications to override it at the store
   3087      level.
   3088      [Steve Henson]
   3089 
   3090   *) Permit restricted recursion of ASN1 strings. This is needed in practice
   3091      to handle some structures.
   3092      [Steve Henson]
   3093 
   3094   *) Improve efficiency of mem_gets: don't search whole buffer each time
   3095      for a '\n'
   3096      [Jeremy Shapiro <jnshapir (a] us.ibm.com>]
   3097 
   3098   *) New -hex option for openssl rand.
   3099      [Matthieu Herrb]
   3100 
   3101   *) Print out UTF8String and NumericString when parsing ASN1.
   3102      [Steve Henson]
   3103 
   3104   *) Support NumericString type for name components.
   3105      [Steve Henson]
   3106 
   3107   *) Allow CC in the environment to override the automatically chosen
   3108      compiler. Note that nothing is done to ensure flags work with the
   3109      chosen compiler.
   3110      [Ben Laurie]
   3111 
   3112  Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
   3113 
   3114   *) Properly check EVP_VerifyFinal() and similar return values
   3115      (CVE-2008-5077).
   3116      [Ben Laurie, Bodo Moeller, Google Security Team]
   3117 
   3118   *) Enable TLS extensions by default.
   3119      [Ben Laurie]
   3120 
   3121   *) Allow the CHIL engine to be loaded, whether the application is
   3122      multithreaded or not. (This does not release the developer from the
   3123      obligation to set up the dynamic locking callbacks.)
   3124      [Sander Temme <sander (a] temme.net>]
   3125 
   3126   *) Use correct exit code if there is an error in dgst command.
   3127      [Steve Henson; problem pointed out by Roland Dirlewanger]
   3128 
   3129   *) Tweak Configure so that you need to say "experimental-jpake" to enable
   3130      JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
   3131      [Bodo Moeller]
   3132 
   3133   *) Add experimental JPAKE support, including demo authentication in
   3134      s_client and s_server.
   3135      [Ben Laurie]
   3136 
   3137   *) Set the comparison function in v3_addr_canonize().
   3138      [Rob Austein <sra (a] hactrn.net>]
   3139 
   3140   *) Add support for XMPP STARTTLS in s_client.
   3141      [Philip Paeps <philip (a] freebsd.org>]
   3142 
   3143   *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
   3144      to ensure that even with this option, only ciphersuites in the
   3145      server's preference list will be accepted.  (Note that the option
   3146      applies only when resuming a session, so the earlier behavior was
   3147      just about the algorithm choice for symmetric cryptography.)
   3148      [Bodo Moeller]
   3149 
   3150  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
   3151 
   3152   *) Fix NULL pointer dereference if a DTLS server received
   3153      ChangeCipherSpec as first record (CVE-2009-1386).
   3154      [PR #1679]
   3155 
   3156   *) Fix a state transitition in s3_srvr.c and d1_srvr.c
   3157      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
   3158      [Nagendra Modadugu]
   3159 
   3160   *) The fix in 0.9.8c that supposedly got rid of unsafe
   3161      double-checked locking was incomplete for RSA blinding,
   3162      addressing just one layer of what turns out to have been
   3163      doubly unsafe triple-checked locking.
   3164 
   3165      So now fix this for real by retiring the MONT_HELPER macro
   3166      in crypto/rsa/rsa_eay.c.
   3167 
   3168      [Bodo Moeller; problem pointed out by Marius Schilder]
   3169 
   3170   *) Various precautionary measures:
   3171 
   3172      - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
   3173 
   3174      - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
   3175        (NB: This would require knowledge of the secret session ticket key
   3176        to exploit, in which case you'd be SOL either way.)
   3177 
   3178      - Change bn_nist.c so that it will properly handle input BIGNUMs
   3179        outside the expected range.
   3180 
   3181      - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
   3182        builds.
   3183 
   3184      [Neel Mehta, Bodo Moeller]
   3185 
   3186   *) Allow engines to be "soft loaded" - i.e. optionally don't die if
   3187      the load fails. Useful for distros.
   3188      [Ben Laurie and the FreeBSD team]
   3189 
   3190   *) Add support for Local Machine Keyset attribute in PKCS#12 files.
   3191      [Steve Henson]
   3192 
   3193   *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
   3194      [Huang Ying]
   3195 
   3196   *) Expand ENGINE to support engine supplied SSL client certificate functions.
   3197 
   3198      This work was sponsored by Logica.
   3199      [Steve Henson]
   3200 
   3201   *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
   3202      keystores. Support for SSL/TLS client authentication too.
   3203      Not compiled unless enable-capieng specified to Configure.
   3204 
   3205      This work was sponsored by Logica.
   3206      [Steve Henson]
   3207 
   3208   *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
   3209      ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
   3210      attribute creation routines such as certifcate requests and PKCS#12
   3211      files.
   3212      [Steve Henson]
   3213 
   3214  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
   3215 
   3216   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
   3217      handshake which could lead to a cilent crash as found using the
   3218      Codenomicon TLS test suite (CVE-2008-1672) 
   3219      [Steve Henson, Mark Cox]
   3220 
   3221   *) Fix double free in TLS server name extensions which could lead to
   3222      a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 
   3223      [Joe Orton]
   3224 
   3225   *) Clear error queue in SSL_CTX_use_certificate_chain_file()
   3226 
   3227      Clear the error queue to ensure that error entries left from
   3228      older function calls do not interfere with the correct operation.
   3229      [Lutz Jaenicke, Erik de Castro Lopo]
   3230 
   3231   *) Remove root CA certificates of commercial CAs:
   3232 
   3233      The OpenSSL project does not recommend any specific CA and does not
   3234      have any policy with respect to including or excluding any CA.
   3235      Therefore it does not make any sense to ship an arbitrary selection
   3236      of root CA certificates with the OpenSSL software.
   3237      [Lutz Jaenicke]
   3238 
   3239   *) RSA OAEP patches to fix two separate invalid memory reads.
   3240      The first one involves inputs when 'lzero' is greater than
   3241      'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
   3242      before the beginning of from). The second one involves inputs where
   3243      the 'db' section contains nothing but zeroes (there is a one-byte
   3244      invalid read after the end of 'db').
   3245      [Ivan Nestlerode <inestlerode (a] us.ibm.com>]
   3246 
   3247   *) Partial backport from 0.9.9-dev:
   3248 
   3249      Introduce bn_mul_mont (dedicated Montgomery multiplication
   3250      procedure) as a candidate for BIGNUM assembler implementation.
   3251      While 0.9.9-dev uses assembler for various architectures, only
   3252      x86_64 is available by default here in the 0.9.8 branch, and
   3253      32-bit x86 is available through a compile-time setting.
   3254 
   3255      To try the 32-bit x86 assembler implementation, use Configure
   3256      option "enable-montasm" (which exists only for this backport).
   3257 
   3258      As "enable-montasm" for 32-bit x86 disclaims code stability
   3259      anyway, in this constellation we activate additional code
   3260      backported from 0.9.9-dev for further performance improvements,
   3261      namely BN_from_montgomery_word.  (To enable this otherwise,
   3262      e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
   3263 
   3264      [Andy Polyakov (backport partially by Bodo Moeller)]
   3265 
   3266   *) Add TLS session ticket callback. This allows an application to set
   3267      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
   3268      values. This is useful for key rollover for example where several key
   3269      sets may exist with different names.
   3270      [Steve Henson]
   3271 
   3272   *) Reverse ENGINE-internal logic for caching default ENGINE handles.
   3273      This was broken until now in 0.9.8 releases, such that the only way
   3274      a registered ENGINE could be used (assuming it initialises
   3275      successfully on the host) was to explicitly set it as the default
   3276      for the relevant algorithms. This is in contradiction with 0.9.7
   3277      behaviour and the documentation. With this fix, when an ENGINE is
   3278      registered into a given algorithm's table of implementations, the
   3279      'uptodate' flag is reset so that auto-discovery will be used next
   3280      time a new context for that algorithm attempts to select an
   3281      implementation.
   3282      [Ian Lister (tweaked by Geoff Thorpe)]
   3283 
   3284   *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
   3285      implemention in the following ways:
   3286 
   3287      Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
   3288      hard coded.
   3289 
   3290      Lack of BER streaming support means one pass streaming processing is
   3291      only supported if data is detached: setting the streaming flag is
   3292      ignored for embedded content.
   3293 
   3294      CMS support is disabled by default and must be explicitly enabled
   3295      with the enable-cms configuration option.
   3296      [Steve Henson]
   3297 
   3298   *) Update the GMP engine glue to do direct copies between BIGNUM and
   3299      mpz_t when openssl and GMP use the same limb size. Otherwise the
   3300      existing "conversion via a text string export" trick is still used.
   3301      [Paul Sheer <paulsheer (a] gmail.com>]
   3302 
   3303   *) Zlib compression BIO. This is a filter BIO which compressed and
   3304      uncompresses any data passed through it.
   3305      [Steve Henson]
   3306 
   3307   *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
   3308      RFC3394 compatible AES key wrapping.
   3309      [Steve Henson]
   3310 
   3311   *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
   3312      sets string data without copying. X509_ALGOR_set0() and
   3313      X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
   3314      data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
   3315      from an X509_ATTRIBUTE structure optionally checking it occurs only
   3316      once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
   3317      data.
   3318      [Steve Henson]
   3319 
   3320   *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
   3321      to get the expected BN_FLG_CONSTTIME behavior.
   3322      [Bodo Moeller (Google)]
   3323   
   3324   *) Netware support:
   3325 
   3326      - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
   3327      - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
   3328      - added some more tests to do_tests.pl
   3329      - fixed RunningProcess usage so that it works with newer LIBC NDKs too
   3330      - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
   3331      - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
   3332        netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
   3333      - various changes to netware.pl to enable gcc-cross builds on Win32
   3334        platform
   3335      - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
   3336      - various changes to fix missing prototype warnings
   3337      - fixed x86nasm.pl to create correct asm files for NASM COFF output
   3338      - added AES, WHIRLPOOL and CPUID assembler code to build files
   3339      - added missing AES assembler make rules to mk1mf.pl
   3340      - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
   3341      [Guenter Knauf <eflash (a] gmx.net>]
   3342 
   3343   *) Implement certificate status request TLS extension defined in RFC3546.
   3344      A client can set the appropriate parameters and receive the encoded
   3345      OCSP response via a callback. A server can query the supplied parameters
   3346      and set the encoded OCSP response in the callback. Add simplified examples
   3347      to s_client and s_server.
   3348      [Steve Henson]
   3349 
   3350  Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
   3351 
   3352   *) Fix various bugs:
   3353      + Binary incompatibility of ssl_ctx_st structure
   3354      + DTLS interoperation with non-compliant servers
   3355      + Don't call get_session_cb() without proposed session
   3356      + Fix ia64 assembler code
   3357      [Andy Polyakov, Steve Henson]
   3358 
   3359  Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
   3360 
   3361   *) DTLS Handshake overhaul. There were longstanding issues with
   3362      OpenSSL DTLS implementation, which were making it impossible for
   3363      RFC 4347 compliant client to communicate with OpenSSL server.
   3364      Unfortunately just fixing these incompatibilities would "cut off"
   3365      pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
   3366      server keeps tolerating non RFC compliant syntax. The opposite is
   3367      not true, 0.9.8f client can not communicate with earlier server.
   3368      This update even addresses CVE-2007-4995.
   3369      [Andy Polyakov]
   3370 
   3371   *) Changes to avoid need for function casts in OpenSSL: some compilers
   3372      (gcc 4.2 and later) reject their use.
   3373      [Kurt Roeckx <kurt (a] roeckx.be>, Peter Hartley <pdh (a] utter.chaos.org.uk>,
   3374       Steve Henson]
   3375   
   3376   *) Add RFC4507 support to OpenSSL. This includes the corrections in
   3377      RFC4507bis. The encrypted ticket format is an encrypted encoded
   3378      SSL_SESSION structure, that way new session features are automatically
   3379      supported.
   3380 
   3381      If a client application caches session in an SSL_SESSION structure
   3382      support is transparent because tickets are now stored in the encoded
   3383      SSL_SESSION.
   3384      
   3385      The SSL_CTX structure automatically generates keys for ticket
   3386      protection in servers so again support should be possible
   3387      with no application modification.
   3388 
   3389      If a client or server wishes to disable RFC4507 support then the option
   3390      SSL_OP_NO_TICKET can be set.
   3391 
   3392      Add a TLS extension debugging callback to allow the contents of any client
   3393      or server extensions to be examined.
   3394 
   3395      This work was sponsored by Google.
   3396      [Steve Henson]
   3397 
   3398   *) Add initial support for TLS extensions, specifically for the server_name
   3399      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
   3400      have new members for a host name.  The SSL data structure has an
   3401      additional member SSL_CTX *initial_ctx so that new sessions can be
   3402      stored in that context to allow for session resumption, even after the
   3403      SSL has been switched to a new SSL_CTX in reaction to a client's
   3404      server_name extension.
   3405 
   3406      New functions (subject to change):
   3407 
   3408          SSL_get_servername()
   3409          SSL_get_servername_type()
   3410          SSL_set_SSL_CTX()
   3411 
   3412      New CTRL codes and macros (subject to change):
   3413 
   3414          SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
   3415                                  - SSL_CTX_set_tlsext_servername_callback()
   3416          SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
   3417                                       - SSL_CTX_set_tlsext_servername_arg()
   3418          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
   3419 
   3420      openssl s_client has a new '-servername ...' option.
   3421 
   3422      openssl s_server has new options '-servername_host ...', '-cert2 ...',
   3423      '-key2 ...', '-servername_fatal' (subject to change).  This allows
   3424      testing the HostName extension for a specific single host name ('-cert'
   3425      and '-key' remain fallbacks for handshakes without HostName
   3426      negotiation).  If the unrecogninzed_name alert has to be sent, this by
   3427      default is a warning; it becomes fatal with the '-servername_fatal'
   3428      option.
   3429 
   3430      [Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson]
   3431 
   3432   *) Add AES and SSE2 assembly language support to VC++ build.
   3433      [Steve Henson]
   3434 
   3435   *) Mitigate attack on final subtraction in Montgomery reduction.
   3436      [Andy Polyakov]
   3437 
   3438   *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
   3439      (which previously caused an internal error).
   3440      [Bodo Moeller]
   3441 
   3442   *) Squeeze another 10% out of IGE mode when in != out.
   3443      [Ben Laurie]
   3444 
   3445   *) AES IGE mode speedup.
   3446      [Dean Gaudet (Google)]
   3447 
   3448   *) Add the Korean symmetric 128-bit cipher SEED (see
   3449      http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
   3450      add SEED ciphersuites from RFC 4162:
   3451 
   3452         TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
   3453         TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
   3454         TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
   3455         TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
   3456 
   3457      To minimize changes between patchlevels in the OpenSSL 0.9.8
   3458      series, SEED remains excluded from compilation unless OpenSSL
   3459      is configured with 'enable-seed'.
   3460      [KISA, Bodo Moeller]
   3461 
   3462   *) Mitigate branch prediction attacks, which can be practical if a
   3463      single processor is shared, allowing a spy process to extract
   3464      information.  For detailed background information, see
   3465      http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
   3466      J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
   3467      and Necessary Software Countermeasures").  The core of the change
   3468      are new versions BN_div_no_branch() and
   3469      BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
   3470      respectively, which are slower, but avoid the security-relevant
   3471      conditional branches.  These are automatically called by BN_div()
   3472      and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
   3473      of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
   3474      remove a conditional branch.
   3475 
   3476      BN_FLG_CONSTTIME is the new name for the previous
   3477      BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
   3478      modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
   3479      in the exponent causes BN_mod_exp_mont() to use the alternative
   3480      implementation in BN_mod_exp_mont_consttime().)  The old name
   3481      remains as a deprecated alias.
   3482 
   3483      Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
   3484      RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
   3485      constant-time implementations for more than just exponentiation.
   3486      Here too the old name is kept as a deprecated alias.
   3487 
   3488      BN_BLINDING_new() will now use BN_dup() for the modulus so that
   3489      the BN_BLINDING structure gets an independent copy of the
   3490      modulus.  This means that the previous "BIGNUM *m" argument to
   3491      BN_BLINDING_new() and to BN_BLINDING_create_param() now
   3492      essentially becomes "const BIGNUM *m", although we can't actually
   3493      change this in the header file before 0.9.9.  It allows
   3494      RSA_setup_blinding() to use BN_with_flags() on the modulus to
   3495      enable BN_FLG_CONSTTIME.
   3496 
   3497      [Matthew D Wood (Intel Corp)]
   3498 
   3499   *) In the SSL/TLS server implementation, be strict about session ID
   3500      context matching (which matters if an application uses a single
   3501      external cache for different purposes).  Previously,
   3502      out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
   3503      set.  This did ensure strict client verification, but meant that,
   3504      with applications using a single external cache for quite
   3505      different requirements, clients could circumvent ciphersuite
   3506      restrictions for a given session ID context by starting a session
   3507      in a different context.
   3508      [Bodo Moeller]
   3509 
   3510   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   3511      a ciphersuite string such as "DEFAULT:RSA" cannot enable
   3512      authentication-only ciphersuites.
   3513      [Bodo Moeller]
   3514 
   3515   *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
   3516      not complete and could lead to a possible single byte overflow
   3517      (CVE-2007-5135) [Ben Laurie]
   3518 
   3519  Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
   3520 
   3521   *) Since AES128 and AES256 (and similarly Camellia128 and
   3522      Camellia256) share a single mask bit in the logic of
   3523      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   3524      kludge to work properly if AES128 is available and AES256 isn't
   3525      (or if Camellia128 is available and Camellia256 isn't).
   3526      [Victor Duchovni]
   3527 
   3528   *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
   3529      (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
   3530      When a point or a seed is encoded in a BIT STRING, we need to
   3531      prevent the removal of trailing zero bits to get the proper DER
   3532      encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
   3533      of a NamedBitList, for which trailing 0 bits need to be removed.)
   3534      [Bodo Moeller]
   3535 
   3536   *) Have SSL/TLS server implementation tolerate "mismatched" record
   3537      protocol version while receiving ClientHello even if the
   3538      ClientHello is fragmented.  (The server can't insist on the
   3539      particular protocol version it has chosen before the ServerHello
   3540      message has informed the client about his choice.)
   3541      [Bodo Moeller]
   3542 
   3543   *) Add RFC 3779 support.
   3544      [Rob Austein for ARIN, Ben Laurie]
   3545 
   3546   *) Load error codes if they are not already present instead of using a
   3547      static variable. This allows them to be cleanly unloaded and reloaded.
   3548      Improve header file function name parsing.
   3549      [Steve Henson]
   3550 
   3551   *) extend SMTP and IMAP protocol emulation in s_client to use EHLO
   3552      or CAPABILITY handshake as required by RFCs.
   3553      [Goetz Babin-Ebell]
   3554 
   3555  Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
   3556 
   3557   *) Introduce limits to prevent malicious keys being able to
   3558      cause a denial of service.  (CVE-2006-2940)
   3559      [Steve Henson, Bodo Moeller]
   3560 
   3561   *) Fix ASN.1 parsing of certain invalid structures that can result
   3562      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
   3563 
   3564   *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
   3565      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
   3566 
   3567   *) Fix SSL client code which could crash if connecting to a
   3568      malicious SSLv2 server.  (CVE-2006-4343)
   3569      [Tavis Ormandy and Will Drewry, Google Security Team]
   3570 
   3571   *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
   3572      match only those.  Before that, "AES256-SHA" would be interpreted
   3573      as a pattern and match "AES128-SHA" too (since AES128-SHA got
   3574      the same strength classification in 0.9.7h) as we currently only
   3575      have a single AES bit in the ciphersuite description bitmap.
   3576      That change, however, also applied to ciphersuite strings such as
   3577      "RC4-MD5" that intentionally matched multiple ciphersuites --
   3578      namely, SSL 2.0 ciphersuites in addition to the more common ones
   3579      from SSL 3.0/TLS 1.0.
   3580 
   3581      So we change the selection algorithm again: Naming an explicit
   3582      ciphersuite selects this one ciphersuite, and any other similar
   3583      ciphersuite (same bitmap) from *other* protocol versions.
   3584      Thus, "RC4-MD5" again will properly select both the SSL 2.0
   3585      ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
   3586 
   3587      Since SSL 2.0 does not have any ciphersuites for which the
   3588      128/256 bit distinction would be relevant, this works for now.
   3589      The proper fix will be to use different bits for AES128 and
   3590      AES256, which would have avoided the problems from the beginning;
   3591      however, bits are scarce, so we can only do this in a new release
   3592      (not just a patchlevel) when we can change the SSL_CIPHER
   3593      definition to split the single 'unsigned long mask' bitmap into
   3594      multiple values to extend the available space.
   3595 
   3596      [Bodo Moeller]
   3597 
   3598  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
   3599 
   3600   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   3601      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
   3602 
   3603   *) Add AES IGE and biIGE modes.
   3604      [Ben Laurie]
   3605 
   3606   *) Change the Unix randomness entropy gathering to use poll() when
   3607      possible instead of select(), since the latter has some
   3608      undesirable limitations.
   3609      [Darryl Miles via Richard Levitte and Bodo Moeller]
   3610 
   3611   *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
   3612      treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
   3613      cannot be implicitly activated as part of, e.g., the "AES" alias.
   3614      However, please upgrade to OpenSSL 0.9.9[-dev] for
   3615      non-experimental use of the ECC ciphersuites to get TLS extension
   3616      support, which is required for curve and point format negotiation
   3617      to avoid potential handshake problems.
   3618      [Bodo Moeller]
   3619 
   3620   *) Disable rogue ciphersuites:
   3621 
   3622       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   3623       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   3624       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
   3625 
   3626      The latter two were purportedly from
   3627      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   3628      appear there.
   3629 
   3630      Also deactivate the remaining ciphersuites from
   3631      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
   3632      unofficial, and the ID has long expired.
   3633      [Bodo Moeller]
   3634 
   3635   *) Fix RSA blinding Heisenbug (problems sometimes occured on
   3636      dual-core machines) and other potential thread-safety issues.
   3637      [Bodo Moeller]
   3638 
   3639   *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
   3640      versions), which is now available for royalty-free use
   3641      (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
   3642      Also, add Camellia TLS ciphersuites from RFC 4132.
   3643 
   3644      To minimize changes between patchlevels in the OpenSSL 0.9.8
   3645      series, Camellia remains excluded from compilation unless OpenSSL
   3646      is configured with 'enable-camellia'.
   3647      [NTT]
   3648 
   3649   *) Disable the padding bug check when compression is in use. The padding
   3650      bug check assumes the first packet is of even length, this is not
   3651      necessarily true if compresssion is enabled and can result in false
   3652      positives causing handshake failure. The actual bug test is ancient
   3653      code so it is hoped that implementations will either have fixed it by
   3654      now or any which still have the bug do not support compression.
   3655      [Steve Henson]
   3656 
   3657  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
   3658 
   3659   *) When applying a cipher rule check to see if string match is an explicit
   3660      cipher suite and only match that one cipher suite if it is.
   3661      [Steve Henson]
   3662 
   3663   *) Link in manifests for VC++ if needed.
   3664      [Austin Ziegler <halostatue (a] gmail.com>]
   3665 
   3666   *) Update support for ECC-based TLS ciphersuites according to
   3667      draft-ietf-tls-ecc-12.txt with proposed changes (but without
   3668      TLS extensions, which are supported starting with the 0.9.9
   3669      branch, not in the OpenSSL 0.9.8 branch).
   3670      [Douglas Stebila]
   3671 
   3672   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
   3673      opaque EVP_CIPHER_CTX handling.
   3674      [Steve Henson]
   3675 
   3676   *) Fixes and enhancements to zlib compression code. We now only use
   3677      "zlib1.dll" and use the default __cdecl calling convention on Win32
   3678      to conform with the standards mentioned here:
   3679            http://www.zlib.net/DLL_FAQ.txt
   3680      Static zlib linking now works on Windows and the new --with-zlib-include
   3681      --with-zlib-lib options to Configure can be used to supply the location
   3682      of the headers and library. Gracefully handle case where zlib library
   3683      can't be loaded.
   3684      [Steve Henson]
   3685 
   3686   *) Several fixes and enhancements to the OID generation code. The old code
   3687      sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
   3688      handle numbers larger than ULONG_MAX, truncated printing and had a
   3689      non standard OBJ_obj2txt() behaviour.
   3690      [Steve Henson]
   3691 
   3692   *) Add support for building of engines under engine/ as shared libraries
   3693      under VC++ build system.
   3694      [Steve Henson]
   3695 
   3696   *) Corrected the numerous bugs in the Win32 path splitter in DSO.
   3697      Hopefully, we will not see any false combination of paths any more.
   3698      [Richard Levitte]
   3699 
   3700  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
   3701 
   3702   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   3703      (part of SSL_OP_ALL).  This option used to disable the
   3704      countermeasure against man-in-the-middle protocol-version
   3705      rollback in the SSL 2.0 server implementation, which is a bad
   3706      idea.  (CVE-2005-2969)
   3707 
   3708      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   3709      for Information Security, National Institute of Advanced Industrial
   3710      Science and Technology [AIST], Japan)]
   3711 
   3712   *) Add two function to clear and return the verify parameter flags.
   3713      [Steve Henson]
   3714 
   3715   *) Keep cipherlists sorted in the source instead of sorting them at
   3716      runtime, thus removing the need for a lock.
   3717      [Nils Larsch]
   3718 
   3719   *) Avoid some small subgroup attacks in Diffie-Hellman.
   3720      [Nick Mathewson and Ben Laurie]
   3721 
   3722   *) Add functions for well-known primes.
   3723      [Nick Mathewson]
   3724 
   3725   *) Extended Windows CE support.
   3726      [Satoshi Nakamura and Andy Polyakov]
   3727 
   3728   *) Initialize SSL_METHOD structures at compile time instead of during
   3729      runtime, thus removing the need for a lock.
   3730      [Steve Henson]
   3731 
   3732   *) Make PKCS7_decrypt() work even if no certificate is supplied by
   3733      attempting to decrypt each encrypted key in turn. Add support to
   3734      smime utility.
   3735      [Steve Henson]
   3736 
   3737  Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
   3738 
   3739   [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
   3740   OpenSSL 0.9.8.]
   3741 
   3742   *) Add libcrypto.pc and libssl.pc for those who feel they need them.
   3743      [Richard Levitte]
   3744 
   3745   *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
   3746      key into the same file any more.
   3747      [Richard Levitte]
   3748 
   3749   *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
   3750      [Andy Polyakov]
   3751 
   3752   *) Add -utf8 command line and config file option to 'ca'.
   3753      [Stefan <stf (a] udoma.org]
   3754 
   3755   *) Removed the macro des_crypt(), as it seems to conflict with some
   3756      libraries.  Use DES_crypt().
   3757      [Richard Levitte]
   3758 
   3759   *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
   3760      involves renaming the source and generated shared-libs for
   3761      both. The engines will accept the corrected or legacy ids
   3762      ('ncipher' and '4758_cca' respectively) when binding. NB,
   3763      this only applies when building 'shared'.
   3764      [Corinna Vinschen <vinschen (a] redhat.com> and Geoff Thorpe]
   3765 
   3766   *) Add attribute functions to EVP_PKEY structure. Modify
   3767      PKCS12_create() to recognize a CSP name attribute and
   3768      use it. Make -CSP option work again in pkcs12 utility.
   3769      [Steve Henson]
   3770 
   3771   *) Add new functionality to the bn blinding code:
   3772      - automatic re-creation of the BN_BLINDING parameters after
   3773        a fixed number of uses (currently 32)
   3774      - add new function for parameter creation
   3775      - introduce flags to control the update behaviour of the
   3776        BN_BLINDING parameters
   3777      - hide BN_BLINDING structure
   3778      Add a second BN_BLINDING slot to the RSA structure to improve
   3779      performance when a single RSA object is shared among several
   3780      threads.
   3781      [Nils Larsch]
   3782 
   3783   *) Add support for DTLS.
   3784      [Nagendra Modadugu <nagendra (a] cs.stanford.edu> and Ben Laurie]
   3785 
   3786   *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
   3787      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
   3788      [Walter Goulet]
   3789 
   3790   *) Remove buggy and incompletet DH cert support from
   3791      ssl/ssl_rsa.c and ssl/s3_both.c
   3792      [Nils Larsch]
   3793 
   3794   *) Use SHA-1 instead of MD5 as the default digest algorithm for
   3795      the apps/openssl applications.
   3796      [Nils Larsch]
   3797 
   3798   *) Compile clean with "-Wall -Wmissing-prototypes
   3799      -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
   3800      DEBUG_SAFESTACK must also be set.
   3801      [Ben Laurie]
   3802 
   3803   *) Change ./Configure so that certain algorithms can be disabled by default.
   3804      The new counterpiece to "no-xxx" is "enable-xxx".
   3805 
   3806      The patented RC5 and MDC2 algorithms will now be disabled unless
   3807      "enable-rc5" and "enable-mdc2", respectively, are specified.
   3808 
   3809      (IDEA remains enabled despite being patented.  This is because IDEA
   3810      is frequently required for interoperability, and there is no license
   3811      fee for non-commercial use.  As before, "no-idea" can be used to
   3812      avoid this algorithm.)
   3813 
   3814      [Bodo Moeller]
   3815 
   3816   *) Add processing of proxy certificates (see RFC 3820).  This work was
   3817      sponsored by KTH (The Royal Institute of Technology in Stockholm) and
   3818      EGEE (Enabling Grids for E-science in Europe).
   3819      [Richard Levitte]
   3820 
   3821   *) RC4 performance overhaul on modern architectures/implementations, such
   3822      as Intel P4, IA-64 and AMD64.
   3823      [Andy Polyakov]
   3824 
   3825   *) New utility extract-section.pl. This can be used specify an alternative
   3826      section number in a pod file instead of having to treat each file as
   3827      a separate case in Makefile. This can be done by adding two lines to the
   3828      pod file:
   3829 
   3830      =for comment openssl_section:XXX
   3831 
   3832      The blank line is mandatory.
   3833 
   3834      [Steve Henson]
   3835 
   3836   *) New arguments -certform, -keyform and -pass for s_client and s_server
   3837      to allow alternative format key and certificate files and passphrase
   3838      sources.
   3839      [Steve Henson]
   3840 
   3841   *) New structure X509_VERIFY_PARAM which combines current verify parameters,
   3842      update associated structures and add various utility functions.
   3843 
   3844      Add new policy related verify parameters, include policy checking in 
   3845      standard verify code. Enhance 'smime' application with extra parameters
   3846      to support policy checking and print out.
   3847      [Steve Henson]
   3848 
   3849   *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
   3850      Nehemiah processors. These extensions support AES encryption in hardware
   3851      as well as RNG (though RNG support is currently disabled).
   3852      [Michal Ludvig <michal (a] logix.cz>, with help from Andy Polyakov]
   3853 
   3854   *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
   3855      [Geoff Thorpe]
   3856 
   3857   *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
   3858      [Andy Polyakov and a number of other people]
   3859 
   3860   *) Improved PowerPC platform support. Most notably BIGNUM assembler
   3861      implementation contributed by IBM.
   3862      [Suresh Chari, Peter Waltenberg, Andy Polyakov]
   3863 
   3864   *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
   3865      exponent rather than 'unsigned long'. There is a corresponding change to
   3866      the new 'rsa_keygen' element of the RSA_METHOD structure.
   3867      [Jelte Jansen, Geoff Thorpe]
   3868 
   3869   *) Functionality for creating the initial serial number file is now
   3870      moved from CA.pl to the 'ca' utility with a new option -create_serial.
   3871 
   3872      (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
   3873      number file to 1, which is bound to cause problems.  To avoid
   3874      the problems while respecting compatibility between different 0.9.7
   3875      patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
   3876      CA.pl for serial number initialization.  With the new release 0.9.8,
   3877      we can fix the problem directly in the 'ca' utility.)
   3878      [Steve Henson]
   3879 
   3880   *) Reduced header interdepencies by declaring more opaque objects in
   3881      ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
   3882      give fewer recursive includes, which could break lazy source code - so
   3883      this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
   3884      developers should define this symbol when building and using openssl to
   3885      ensure they track the recommended behaviour, interfaces, [etc], but
   3886      backwards-compatible behaviour prevails when this isn't defined.
   3887      [Geoff Thorpe]
   3888 
   3889   *) New function X509_POLICY_NODE_print() which prints out policy nodes.
   3890      [Steve Henson]
   3891 
   3892   *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
   3893      This will generate a random key of the appropriate length based on the 
   3894      cipher context. The EVP_CIPHER can provide its own random key generation
   3895      routine to support keys of a specific form. This is used in the des and 
   3896      3des routines to generate a key of the correct parity. Update S/MIME
   3897      code to use new functions and hence generate correct parity DES keys.
   3898      Add EVP_CHECK_DES_KEY #define to return an error if the key is not 
   3899      valid (weak or incorrect parity).
   3900      [Steve Henson]
   3901 
   3902   *) Add a local set of CRLs that can be used by X509_verify_cert() as well
   3903      as looking them up. This is useful when the verified structure may contain
   3904      CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
   3905      present unless the new PKCS7_NO_CRL flag is asserted.
   3906      [Steve Henson]
   3907 
   3908   *) Extend ASN1 oid configuration module. It now additionally accepts the
   3909      syntax:
   3910 
   3911      shortName = some long name, 1.2.3.4
   3912      [Steve Henson]
   3913 
   3914   *) Reimplemented the BN_CTX implementation. There is now no more static
   3915      limitation on the number of variables it can handle nor the depth of the
   3916      "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
   3917      information can now expand as required, and rather than having a single
   3918      static array of bignums, BN_CTX now uses a linked-list of such arrays
   3919      allowing it to expand on demand whilst maintaining the usefulness of
   3920      BN_CTX's "bundling".
   3921      [Geoff Thorpe]
   3922 
   3923   *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
   3924      to allow all RSA operations to function using a single BN_CTX.
   3925      [Geoff Thorpe]
   3926 
   3927   *) Preliminary support for certificate policy evaluation and checking. This
   3928      is initially intended to pass the tests outlined in "Conformance Testing
   3929      of Relying Party Client Certificate Path Processing Logic" v1.07.
   3930      [Steve Henson]
   3931 
   3932   *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
   3933      remained unused and not that useful. A variety of other little bignum
   3934      tweaks and fixes have also been made continuing on from the audit (see
   3935      below).
   3936      [Geoff Thorpe]
   3937 
   3938   *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
   3939      associated ASN1, EVP and SSL functions and old ASN1 macros.
   3940      [Richard Levitte]
   3941 
   3942   *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
   3943      and this should never fail. So the return value from the use of
   3944      BN_set_word() (which can fail due to needless expansion) is now deprecated;
   3945      if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
   3946      [Geoff Thorpe]
   3947 
   3948   *) BN_CTX_get() should return zero-valued bignums, providing the same
   3949      initialised value as BN_new().
   3950      [Geoff Thorpe, suggested by Ulf Mller]
   3951 
   3952   *) Support for inhibitAnyPolicy certificate extension.
   3953      [Steve Henson]
   3954 
   3955   *) An audit of the BIGNUM code is underway, for which debugging code is
   3956      enabled when BN_DEBUG is defined. This makes stricter enforcements on what
   3957      is considered valid when processing BIGNUMs, and causes execution to
   3958      assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
   3959      further steps are taken to deliberately pollute unused data in BIGNUM
   3960      structures to try and expose faulty code further on. For now, openssl will
   3961      (in its default mode of operation) continue to tolerate the inconsistent
   3962      forms that it has tolerated in the past, but authors and packagers should
   3963      consider trying openssl and their own applications when compiled with
   3964      these debugging symbols defined. It will help highlight potential bugs in
   3965      their own code, and will improve the test coverage for OpenSSL itself. At
   3966      some point, these tighter rules will become openssl's default to improve
   3967      maintainability, though the assert()s and other overheads will remain only
   3968      in debugging configurations. See bn.h for more details.
   3969      [Geoff Thorpe, Nils Larsch, Ulf Mller]
   3970 
   3971   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
   3972      that can only be obtained through BN_CTX_new() (which implicitly
   3973      initialises it). The presence of this function only made it possible
   3974      to overwrite an existing structure (and cause memory leaks).
   3975      [Geoff Thorpe]
   3976 
   3977   *) Because of the callback-based approach for implementing LHASH as a
   3978      template type, lh_insert() adds opaque objects to hash-tables and
   3979      lh_doall() or lh_doall_arg() are typically used with a destructor callback
   3980      to clean up those corresponding objects before destroying the hash table
   3981      (and losing the object pointers). So some over-zealous constifications in
   3982      LHASH have been relaxed so that lh_insert() does not take (nor store) the
   3983      objects as "const" and the lh_doall[_arg] callback wrappers are not
   3984      prototyped to have "const" restrictions on the object pointers they are
   3985      given (and so aren't required to cast them away any more).
   3986      [Geoff Thorpe]
   3987 
   3988   *) The tmdiff.h API was so ugly and minimal that our own timing utility
   3989      (speed) prefers to use its own implementation. The two implementations
   3990      haven't been consolidated as yet (volunteers?) but the tmdiff API has had
   3991      its object type properly exposed (MS_TM) instead of casting to/from "char
   3992      *". This may still change yet if someone realises MS_TM and "ms_time_***"
   3993      aren't necessarily the greatest nomenclatures - but this is what was used
   3994      internally to the implementation so I've used that for now.
   3995      [Geoff Thorpe]
   3996 
   3997   *) Ensure that deprecated functions do not get compiled when
   3998      OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
   3999      the self-tests were still using deprecated key-generation functions so
   4000      these have been updated also.
   4001      [Geoff Thorpe]
   4002 
   4003   *) Reorganise PKCS#7 code to separate the digest location functionality
   4004      into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest().
   4005      New function PKCS7_set_digest() to set the digest type for PKCS#7
   4006      digestedData type. Add additional code to correctly generate the
   4007      digestedData type and add support for this type in PKCS7 initialization
   4008      functions.
   4009      [Steve Henson]
   4010 
   4011   *) New function PKCS7_set0_type_other() this initializes a PKCS7 
   4012      structure of type "other".
   4013      [Steve Henson]
   4014 
   4015   *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
   4016      sure the loop does correctly stop and breaking ("division by zero")
   4017      modulus operations are not performed. The (pre-generated) prime
   4018      table crypto/bn/bn_prime.h was already correct, but it could not be
   4019      re-generated on some platforms because of the "division by zero"
   4020      situation in the script.
   4021      [Ralf S. Engelschall]
   4022 
   4023   *) Update support for ECC-based TLS ciphersuites according to
   4024      draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
   4025      SHA-1 now is only used for "small" curves (where the
   4026      representation of a field element takes up to 24 bytes); for
   4027      larger curves, the field element resulting from ECDH is directly
   4028      used as premaster secret.
   4029      [Douglas Stebila (Sun Microsystems Laboratories)]
   4030 
   4031   *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
   4032      curve secp160r1 to the tests.
   4033      [Douglas Stebila (Sun Microsystems Laboratories)]
   4034 
   4035   *) Add the possibility to load symbols globally with DSO.
   4036      [Gtz Babin-Ebell <babin-ebell (a] trustcenter.de> via Richard Levitte]
   4037 
   4038   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
   4039      control of the error stack.
   4040      [Richard Levitte]
   4041 
   4042   *) Add support for STORE in ENGINE.
   4043      [Richard Levitte]
   4044 
   4045   *) Add the STORE type.  The intention is to provide a common interface
   4046      to certificate and key stores, be they simple file-based stores, or
   4047      HSM-type store, or LDAP stores, or...
   4048      NOTE: The code is currently UNTESTED and isn't really used anywhere.
   4049      [Richard Levitte]
   4050 
   4051   *) Add a generic structure called OPENSSL_ITEM.  This can be used to
   4052      pass a list of arguments to any function as well as provide a way
   4053      for a function to pass data back to the caller.
   4054      [Richard Levitte]
   4055 
   4056   *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
   4057      works like BUF_strdup() but can be used to duplicate a portion of
   4058      a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
   4059      a memory area.
   4060      [Richard Levitte]
   4061 
   4062   *) Add the function sk_find_ex() which works like sk_find(), but will
   4063      return an index to an element even if an exact match couldn't be
   4064      found.  The index is guaranteed to point at the element where the
   4065      searched-for key would be inserted to preserve sorting order.
   4066      [Richard Levitte]
   4067 
   4068   *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
   4069      takes an extra flags argument for optional functionality.  Currently,
   4070      the following flags are defined:
   4071 
   4072 	OBJ_BSEARCH_VALUE_ON_NOMATCH
   4073 	This one gets OBJ_bsearch_ex() to return a pointer to the first
   4074 	element where the comparing function returns a negative or zero
   4075 	number.
   4076 
   4077 	OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
   4078 	This one gets OBJ_bsearch_ex() to return a pointer to the first
   4079 	element where the comparing function returns zero.  This is useful
   4080 	if there are more than one element where the comparing function
   4081 	returns zero.
   4082      [Richard Levitte]
   4083 
   4084   *) Make it possible to create self-signed certificates with 'openssl ca'
   4085      in such a way that the self-signed certificate becomes part of the
   4086      CA database and uses the same mechanisms for serial number generation
   4087      as all other certificate signing.  The new flag '-selfsign' enables
   4088      this functionality.  Adapt CA.sh and CA.pl.in.
   4089      [Richard Levitte]
   4090 
   4091   *) Add functionality to check the public key of a certificate request
   4092      against a given private.  This is useful to check that a certificate
   4093      request can be signed by that key (self-signing).
   4094      [Richard Levitte]
   4095 
   4096   *) Make it possible to have multiple active certificates with the same
   4097      subject in the CA index file.  This is done only if the keyword
   4098      'unique_subject' is set to 'no' in the main CA section (default
   4099      if 'CA_default') of the configuration file.  The value is saved
   4100      with the database itself in a separate index attribute file,
   4101      named like the index file with '.attr' appended to the name.
   4102      [Richard Levitte]
   4103 
   4104   *) Generate muti valued AVAs using '+' notation in config files for
   4105      req and dirName.
   4106      [Steve Henson]
   4107 
   4108   *) Support for nameConstraints certificate extension.
   4109      [Steve Henson]
   4110 
   4111   *) Support for policyConstraints certificate extension.
   4112      [Steve Henson]
   4113 
   4114   *) Support for policyMappings certificate extension.
   4115      [Steve Henson]
   4116 
   4117   *) Make sure the default DSA_METHOD implementation only uses its
   4118      dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
   4119      and change its own handlers to be NULL so as to remove unnecessary
   4120      indirection. This lets alternative implementations fallback to the
   4121      default implementation more easily.
   4122      [Geoff Thorpe]
   4123 
   4124   *) Support for directoryName in GeneralName related extensions
   4125      in config files.
   4126      [Steve Henson]
   4127 
   4128   *) Make it possible to link applications using Makefile.shared.
   4129      Make that possible even when linking against static libraries!
   4130      [Richard Levitte]
   4131 
   4132   *) Support for single pass processing for S/MIME signing. This now
   4133      means that S/MIME signing can be done from a pipe, in addition
   4134      cleartext signing (multipart/signed type) is effectively streaming
   4135      and the signed data does not need to be all held in memory.
   4136 
   4137      This is done with a new flag PKCS7_STREAM. When this flag is set
   4138      PKCS7_sign() only initializes the PKCS7 structure and the actual signing
   4139      is done after the data is output (and digests calculated) in
   4140      SMIME_write_PKCS7().
   4141      [Steve Henson]
   4142 
   4143   *) Add full support for -rpath/-R, both in shared libraries and
   4144      applications, at least on the platforms where it's known how
   4145      to do it.
   4146      [Richard Levitte]
   4147 
   4148   *) In crypto/ec/ec_mult.c, implement fast point multiplication with
   4149      precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
   4150      will now compute a table of multiples of the generator that
   4151      makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
   4152      faster (notably in the case of a single point multiplication,
   4153      scalar * generator).
   4154      [Nils Larsch, Bodo Moeller]
   4155 
   4156   *) IPv6 support for certificate extensions. The various extensions
   4157      which use the IP:a.b.c.d can now take IPv6 addresses using the
   4158      formats of RFC1884 2.2 . IPv6 addresses are now also displayed
   4159      correctly.
   4160      [Steve Henson]
   4161 
   4162   *) Added an ENGINE that implements RSA by performing private key
   4163      exponentiations with the GMP library. The conversions to and from
   4164      GMP's mpz_t format aren't optimised nor are any montgomery forms
   4165      cached, and on x86 it appears OpenSSL's own performance has caught up.
   4166      However there are likely to be other architectures where GMP could
   4167      provide a boost. This ENGINE is not built in by default, but it can be
   4168      specified at Configure time and should be accompanied by the necessary
   4169      linker additions, eg;
   4170          ./config -DOPENSSL_USE_GMP -lgmp
   4171      [Geoff Thorpe]
   4172 
   4173   *) "openssl engine" will not display ENGINE/DSO load failure errors when
   4174      testing availability of engines with "-t" - the old behaviour is
   4175      produced by increasing the feature's verbosity with "-tt".
   4176      [Geoff Thorpe]
   4177 
   4178   *) ECDSA routines: under certain error conditions uninitialized BN objects
   4179      could be freed. Solution: make sure initialization is performed early
   4180      enough. (Reported and fix supplied by Nils Larsch <nla (a] trustcenter.de>
   4181      via PR#459)
   4182      [Lutz Jaenicke]
   4183 
   4184   *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
   4185      and DH_METHOD (eg. by ENGINE implementations) to override the normal
   4186      software implementations. For DSA and DH, parameter generation can
   4187      also be overriden by providing the appropriate method callbacks.
   4188      [Geoff Thorpe]
   4189 
   4190   *) Change the "progress" mechanism used in key-generation and
   4191      primality testing to functions that take a new BN_GENCB pointer in
   4192      place of callback/argument pairs. The new API functions have "_ex"
   4193      postfixes and the older functions are reimplemented as wrappers for
   4194      the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
   4195      declarations of the old functions to help (graceful) attempts to
   4196      migrate to the new functions. Also, the new key-generation API
   4197      functions operate on a caller-supplied key-structure and return
   4198      success/failure rather than returning a key or NULL - this is to
   4199      help make "keygen" another member function of RSA_METHOD etc.
   4200 
   4201      Example for using the new callback interface:
   4202 
   4203           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
   4204           void *my_arg = ...;
   4205           BN_GENCB my_cb;
   4206 
   4207           BN_GENCB_set(&my_cb, my_callback, my_arg);
   4208 
   4209           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
   4210           /* For the meaning of a, b in calls to my_callback(), see the
   4211            * documentation of the function that calls the callback.
   4212            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
   4213            * my_callback should return 1 if it wants BN_is_prime_ex()
   4214            * to continue, or 0 to stop.
   4215            */
   4216 
   4217      [Geoff Thorpe]
   4218 
   4219   *) Change the ZLIB compression method to be stateful, and make it
   4220      available to TLS with the number defined in 
   4221      draft-ietf-tls-compression-04.txt.
   4222      [Richard Levitte]
   4223 
   4224   *) Add the ASN.1 structures and functions for CertificatePair, which
   4225      is defined as follows (according to X.509_4thEditionDraftV6.pdf):
   4226 
   4227      CertificatePair ::= SEQUENCE {
   4228         forward		[0]	Certificate OPTIONAL,
   4229         reverse		[1]	Certificate OPTIONAL,
   4230         -- at least one of the pair shall be present -- }
   4231 
   4232      Also implement the PEM functions to read and write certificate
   4233      pairs, and defined the PEM tag as "CERTIFICATE PAIR".
   4234 
   4235      This needed to be defined, mostly for the sake of the LDAP
   4236      attribute crossCertificatePair, but may prove useful elsewhere as
   4237      well.
   4238      [Richard Levitte]
   4239 
   4240   *) Make it possible to inhibit symlinking of shared libraries in
   4241      Makefile.shared, for Cygwin's sake.
   4242      [Richard Levitte]
   4243 
   4244   *) Extend the BIGNUM API by creating a function 
   4245           void BN_set_negative(BIGNUM *a, int neg);
   4246      and a macro that behave like
   4247           int  BN_is_negative(const BIGNUM *a);
   4248 
   4249      to avoid the need to access 'a->neg' directly in applications.
   4250      [Nils Larsch]
   4251 
   4252   *) Implement fast modular reduction for pseudo-Mersenne primes
   4253      used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
   4254      EC_GROUP_new_curve_GFp() will now automatically use this
   4255      if applicable.
   4256      [Nils Larsch <nla (a] trustcenter.de>]
   4257 
   4258   *) Add new lock type (CRYPTO_LOCK_BN).
   4259      [Bodo Moeller]
   4260 
   4261   *) Change the ENGINE framework to automatically load engines
   4262      dynamically from specific directories unless they could be
   4263      found to already be built in or loaded.  Move all the
   4264      current engines except for the cryptodev one to a new
   4265      directory engines/.
   4266      The engines in engines/ are built as shared libraries if
   4267      the "shared" options was given to ./Configure or ./config.
   4268      Otherwise, they are inserted in libcrypto.a.
   4269      /usr/local/ssl/engines is the default directory for dynamic
   4270      engines, but that can be overriden at configure time through
   4271      the usual use of --prefix and/or --openssldir, and at run
   4272      time with the environment variable OPENSSL_ENGINES.
   4273      [Geoff Thorpe and Richard Levitte]
   4274 
   4275   *) Add Makefile.shared, a helper makefile to build shared
   4276      libraries.  Addapt Makefile.org.
   4277      [Richard Levitte]
   4278 
   4279   *) Add version info to Win32 DLLs.
   4280      [Peter 'Luna' Runestig" <peter (a] runestig.com>]
   4281 
   4282   *) Add new 'medium level' PKCS#12 API. Certificates and keys
   4283      can be added using this API to created arbitrary PKCS#12
   4284      files while avoiding the low level API.
   4285 
   4286      New options to PKCS12_create(), key or cert can be NULL and
   4287      will then be omitted from the output file. The encryption
   4288      algorithm NIDs can be set to -1 for no encryption, the mac
   4289      iteration count can be set to 0 to omit the mac.
   4290 
   4291      Enhance pkcs12 utility by making the -nokeys and -nocerts
   4292      options work when creating a PKCS#12 file. New option -nomac
   4293      to omit the mac, NONE can be set for an encryption algorithm.
   4294      New code is modified to use the enhanced PKCS12_create()
   4295      instead of the low level API.
   4296      [Steve Henson]
   4297 
   4298   *) Extend ASN1 encoder to support indefinite length constructed
   4299      encoding. This can output sequences tags and octet strings in
   4300      this form. Modify pk7_asn1.c to support indefinite length
   4301      encoding. This is experimental and needs additional code to
   4302      be useful, such as an ASN1 bio and some enhanced streaming
   4303      PKCS#7 code.
   4304 
   4305      Extend template encode functionality so that tagging is passed
   4306      down to the template encoder.
   4307      [Steve Henson]
   4308 
   4309   *) Let 'openssl req' fail if an argument to '-newkey' is not
   4310      recognized instead of using RSA as a default.
   4311      [Bodo Moeller]
   4312 
   4313   *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
   4314      As these are not official, they are not included in "ALL";
   4315      the "ECCdraft" ciphersuite group alias can be used to select them.
   4316      [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
   4317 
   4318   *) Add ECDH engine support.
   4319      [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
   4320 
   4321   *) Add ECDH in new directory crypto/ecdh/.
   4322      [Douglas Stebila (Sun Microsystems Laboratories)]
   4323 
   4324   *) Let BN_rand_range() abort with an error after 100 iterations
   4325      without success (which indicates a broken PRNG).
   4326      [Bodo Moeller]
   4327 
   4328   *) Change BN_mod_sqrt() so that it verifies that the input value
   4329      is really the square of the return value.  (Previously,
   4330      BN_mod_sqrt would show GIGO behaviour.)
   4331      [Bodo Moeller]
   4332 
   4333   *) Add named elliptic curves over binary fields from X9.62, SECG,
   4334      and WAP/WTLS; add OIDs that were still missing.
   4335 
   4336      [Sheueling Chang Shantz and Douglas Stebila
   4337      (Sun Microsystems Laboratories)]
   4338 
   4339   *) Extend the EC library for elliptic curves over binary fields
   4340      (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
   4341      New EC_METHOD:
   4342 
   4343           EC_GF2m_simple_method
   4344 
   4345      New API functions:
   4346 
   4347           EC_GROUP_new_curve_GF2m
   4348           EC_GROUP_set_curve_GF2m
   4349           EC_GROUP_get_curve_GF2m
   4350           EC_POINT_set_affine_coordinates_GF2m
   4351           EC_POINT_get_affine_coordinates_GF2m
   4352           EC_POINT_set_compressed_coordinates_GF2m
   4353 
   4354      Point compression for binary fields is disabled by default for
   4355      patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
   4356      enable it).
   4357 
   4358      As binary polynomials are represented as BIGNUMs, various members
   4359      of the EC_GROUP and EC_POINT data structures can be shared
   4360      between the implementations for prime fields and binary fields;
   4361      the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
   4362      are essentially identical to their ..._GFp counterparts.
   4363      (For simplicity, the '..._GFp' prefix has been dropped from
   4364      various internal method names.)
   4365 
   4366      An internal 'field_div' method (similar to 'field_mul' and
   4367      'field_sqr') has been added; this is used only for binary fields.
   4368 
   4369      [Sheueling Chang Shantz and Douglas Stebila
   4370      (Sun Microsystems Laboratories)]
   4371 
   4372   *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
   4373      through methods ('mul', 'precompute_mult').
   4374 
   4375      The generic implementations (now internally called 'ec_wNAF_mul'
   4376      and 'ec_wNAF_precomputed_mult') remain the default if these
   4377      methods are undefined.
   4378 
   4379      [Sheueling Chang Shantz and Douglas Stebila
   4380      (Sun Microsystems Laboratories)]
   4381 
   4382   *) New function EC_GROUP_get_degree, which is defined through
   4383      EC_METHOD.  For curves over prime fields, this returns the bit
   4384      length of the modulus.
   4385 
   4386      [Sheueling Chang Shantz and Douglas Stebila
   4387      (Sun Microsystems Laboratories)]
   4388 
   4389   *) New functions EC_GROUP_dup, EC_POINT_dup.
   4390      (These simply call ..._new  and ..._copy).
   4391 
   4392      [Sheueling Chang Shantz and Douglas Stebila
   4393      (Sun Microsystems Laboratories)]
   4394 
   4395   *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
   4396      Polynomials are represented as BIGNUMs (where the sign bit is not
   4397      used) in the following functions [macros]:  
   4398 
   4399           BN_GF2m_add
   4400           BN_GF2m_sub             [= BN_GF2m_add]
   4401           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
   4402           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
   4403           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
   4404           BN_GF2m_mod_inv
   4405           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
   4406           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
   4407           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
   4408           BN_GF2m_cmp             [= BN_ucmp]
   4409 
   4410      (Note that only the 'mod' functions are actually for fields GF(2^m).
   4411      BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
   4412 
   4413      For some functions, an the irreducible polynomial defining a
   4414      field can be given as an 'unsigned int[]' with strictly
   4415      decreasing elements giving the indices of those bits that are set;
   4416      i.e., p[] represents the polynomial
   4417           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
   4418      where
   4419           p[0] > p[1] > ... > p[k] = 0.
   4420      This applies to the following functions:
   4421 
   4422           BN_GF2m_mod_arr
   4423           BN_GF2m_mod_mul_arr
   4424           BN_GF2m_mod_sqr_arr
   4425           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
   4426           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
   4427           BN_GF2m_mod_exp_arr
   4428           BN_GF2m_mod_sqrt_arr
   4429           BN_GF2m_mod_solve_quad_arr
   4430           BN_GF2m_poly2arr
   4431           BN_GF2m_arr2poly
   4432 
   4433      Conversion can be performed by the following functions:
   4434 
   4435           BN_GF2m_poly2arr
   4436           BN_GF2m_arr2poly
   4437 
   4438      bntest.c has additional tests for binary polynomial arithmetic.
   4439 
   4440      Two implementations for BN_GF2m_mod_div() are available.
   4441      The default algorithm simply uses BN_GF2m_mod_inv() and
   4442      BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
   4443      if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
   4444      copyright notice in crypto/bn/bn_gf2m.c before enabling it).
   4445 
   4446      [Sheueling Chang Shantz and Douglas Stebila
   4447      (Sun Microsystems Laboratories)]
   4448 
   4449   *) Add new error code 'ERR_R_DISABLED' that can be used when some
   4450      functionality is disabled at compile-time.
   4451      [Douglas Stebila <douglas.stebila (a] sun.com>]
   4452 
   4453   *) Change default behaviour of 'openssl asn1parse' so that more
   4454      information is visible when viewing, e.g., a certificate:
   4455 
   4456      Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
   4457      mode the content of non-printable OCTET STRINGs is output in a
   4458      style similar to INTEGERs, but with '[HEX DUMP]' prepended to
   4459      avoid the appearance of a printable string.
   4460      [Nils Larsch <nla (a] trustcenter.de>]
   4461 
   4462   *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
   4463      functions
   4464           EC_GROUP_set_asn1_flag()
   4465           EC_GROUP_get_asn1_flag()
   4466           EC_GROUP_set_point_conversion_form()
   4467           EC_GROUP_get_point_conversion_form()
   4468      These control ASN1 encoding details:
   4469      - Curves (i.e., groups) are encoded explicitly unless asn1_flag
   4470        has been set to OPENSSL_EC_NAMED_CURVE.
   4471      - Points are encoded in uncompressed form by default; options for
   4472        asn1_for are as for point2oct, namely
   4473           POINT_CONVERSION_COMPRESSED
   4474           POINT_CONVERSION_UNCOMPRESSED
   4475           POINT_CONVERSION_HYBRID
   4476 
   4477      Also add 'seed' and 'seed_len' members to EC_GROUP with access
   4478      functions
   4479           EC_GROUP_set_seed()
   4480           EC_GROUP_get0_seed()
   4481           EC_GROUP_get_seed_len()
   4482      This is used only for ASN1 purposes (so far).
   4483      [Nils Larsch <nla (a] trustcenter.de>]
   4484 
   4485   *) Add 'field_type' member to EC_METHOD, which holds the NID
   4486      of the appropriate field type OID.  The new function
   4487      EC_METHOD_get_field_type() returns this value.
   4488      [Nils Larsch <nla (a] trustcenter.de>]
   4489 
   4490   *) Add functions 
   4491           EC_POINT_point2bn()
   4492           EC_POINT_bn2point()
   4493           EC_POINT_point2hex()
   4494           EC_POINT_hex2point()
   4495      providing useful interfaces to EC_POINT_point2oct() and
   4496      EC_POINT_oct2point().
   4497      [Nils Larsch <nla (a] trustcenter.de>]
   4498 
   4499   *) Change internals of the EC library so that the functions
   4500           EC_GROUP_set_generator()
   4501           EC_GROUP_get_generator()
   4502           EC_GROUP_get_order()
   4503           EC_GROUP_get_cofactor()
   4504      are implemented directly in crypto/ec/ec_lib.c and not dispatched
   4505      to methods, which would lead to unnecessary code duplication when
   4506      adding different types of curves.
   4507      [Nils Larsch <nla (a] trustcenter.de> with input by Bodo Moeller]
   4508 
   4509   *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
   4510      arithmetic, and such that modified wNAFs are generated
   4511      (which avoid length expansion in many cases).
   4512      [Bodo Moeller]
   4513 
   4514   *) Add a function EC_GROUP_check_discriminant() (defined via
   4515      EC_METHOD) that verifies that the curve discriminant is non-zero.
   4516 
   4517      Add a function EC_GROUP_check() that makes some sanity tests
   4518      on a EC_GROUP, its generator and order.  This includes
   4519      EC_GROUP_check_discriminant().
   4520      [Nils Larsch <nla (a] trustcenter.de>]
   4521 
   4522   *) Add ECDSA in new directory crypto/ecdsa/.
   4523 
   4524      Add applications 'openssl ecparam' and 'openssl ecdsa'
   4525      (these are based on 'openssl dsaparam' and 'openssl dsa').
   4526 
   4527      ECDSA support is also included in various other files across the
   4528      library.  Most notably,
   4529      - 'openssl req' now has a '-newkey ecdsa:file' option;
   4530      - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
   4531      - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
   4532        d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
   4533        them suitable for ECDSA where domain parameters must be
   4534        extracted before the specific public key;
   4535      - ECDSA engine support has been added.
   4536      [Nils Larsch <nla (a] trustcenter.de>]
   4537 
   4538   *) Include some named elliptic curves, and add OIDs from X9.62,
   4539      SECG, and WAP/WTLS.  Each curve can be obtained from the new
   4540      function
   4541           EC_GROUP_new_by_curve_name(),
   4542      and the list of available named curves can be obtained with
   4543           EC_get_builtin_curves().
   4544      Also add a 'curve_name' member to EC_GROUP objects, which can be
   4545      accessed via
   4546          EC_GROUP_set_curve_name()
   4547          EC_GROUP_get_curve_name()
   4548      [Nils Larsch <larsch (a] trustcenter.de, Bodo Moeller]
   4549  
   4550   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   4551      was actually never needed) and in BN_mul().  The removal in BN_mul()
   4552      required a small change in bn_mul_part_recursive() and the addition
   4553      of the functions bn_cmp_part_words(), bn_sub_part_words() and
   4554      bn_add_part_words(), which do the same thing as bn_cmp_words(),
   4555      bn_sub_words() and bn_add_words() except they take arrays with
   4556      differing sizes.
   4557      [Richard Levitte]
   4558 
   4559  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
   4560 
   4561   *) Cleanse PEM buffers before freeing them since they may contain 
   4562      sensitive data.
   4563      [Benjamin Bennett <ben (a] psc.edu>]
   4564 
   4565   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   4566      a ciphersuite string such as "DEFAULT:RSA" cannot enable
   4567      authentication-only ciphersuites.
   4568      [Bodo Moeller]
   4569 
   4570   *) Since AES128 and AES256 share a single mask bit in the logic of
   4571      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   4572      kludge to work properly if AES128 is available and AES256 isn't.
   4573      [Victor Duchovni]
   4574 
   4575   *) Expand security boundary to match 1.1.1 module.
   4576      [Steve Henson]
   4577 
   4578   *) Remove redundant features: hash file source, editing of test vectors
   4579      modify fipsld to use external fips_premain.c signature.
   4580      [Steve Henson]
   4581 
   4582   *) New perl script mkfipsscr.pl to create shell scripts or batch files to
   4583      run algorithm test programs.
   4584      [Steve Henson]
   4585 
   4586   *) Make algorithm test programs more tolerant of whitespace.
   4587      [Steve Henson]
   4588 
   4589   *) Have SSL/TLS server implementation tolerate "mismatched" record
   4590      protocol version while receiving ClientHello even if the
   4591      ClientHello is fragmented.  (The server can't insist on the
   4592      particular protocol version it has chosen before the ServerHello
   4593      message has informed the client about his choice.)
   4594      [Bodo Moeller]
   4595 
   4596   *) Load error codes if they are not already present instead of using a
   4597      static variable. This allows them to be cleanly unloaded and reloaded.
   4598      [Steve Henson]
   4599 
   4600  Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
   4601 
   4602   *) Introduce limits to prevent malicious keys being able to
   4603      cause a denial of service.  (CVE-2006-2940)
   4604      [Steve Henson, Bodo Moeller]
   4605 
   4606   *) Fix ASN.1 parsing of certain invalid structures that can result
   4607      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
   4608 
   4609   *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
   4610      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
   4611 
   4612   *) Fix SSL client code which could crash if connecting to a
   4613      malicious SSLv2 server.  (CVE-2006-4343)
   4614      [Tavis Ormandy and Will Drewry, Google Security Team]
   4615 
   4616   *) Change ciphersuite string processing so that an explicit
   4617      ciphersuite selects this one ciphersuite (so that "AES256-SHA"
   4618      will no longer include "AES128-SHA"), and any other similar
   4619      ciphersuite (same bitmap) from *other* protocol versions (so that
   4620      "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
   4621      SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
   4622      changes from 0.9.8b and 0.9.8d.
   4623      [Bodo Moeller]
   4624 
   4625  Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
   4626 
   4627   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   4628      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
   4629 
   4630   *) Change the Unix randomness entropy gathering to use poll() when
   4631      possible instead of select(), since the latter has some
   4632      undesirable limitations.
   4633      [Darryl Miles via Richard Levitte and Bodo Moeller]
   4634 
   4635   *) Disable rogue ciphersuites:
   4636 
   4637       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   4638       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   4639       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
   4640 
   4641      The latter two were purportedly from
   4642      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   4643      appear there.
   4644 
   4645      Also deactive the remaining ciphersuites from
   4646      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
   4647      unofficial, and the ID has long expired.
   4648      [Bodo Moeller]
   4649 
   4650   *) Fix RSA blinding Heisenbug (problems sometimes occured on
   4651      dual-core machines) and other potential thread-safety issues.
   4652      [Bodo Moeller]
   4653 
   4654  Changes between 0.9.7i and 0.9.7j  [04 May 2006]
   4655 
   4656   *) Adapt fipsld and the build system to link against the validated FIPS
   4657      module in FIPS mode.
   4658      [Steve Henson]
   4659 
   4660   *) Fixes for VC++ 2005 build under Windows.
   4661      [Steve Henson]
   4662 
   4663   *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 
   4664      from a Windows bash shell such as MSYS. It is autodetected from the
   4665      "config" script when run from a VC++ environment. Modify standard VC++
   4666      build to use fipscanister.o from the GNU make build. 
   4667      [Steve Henson]
   4668 
   4669  Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
   4670 
   4671   *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
   4672      The value now differs depending on if you build for FIPS or not.
   4673      BEWARE!  A program linked with a shared FIPSed libcrypto can't be
   4674      safely run with a non-FIPSed libcrypto, as it may crash because of
   4675      the difference induced by this change.
   4676      [Andy Polyakov]
   4677 
   4678  Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
   4679 
   4680   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   4681      (part of SSL_OP_ALL).  This option used to disable the
   4682      countermeasure against man-in-the-middle protocol-version
   4683      rollback in the SSL 2.0 server implementation, which is a bad
   4684      idea.  (CVE-2005-2969)
   4685 
   4686      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   4687      for Information Security, National Institute of Advanced Industrial
   4688      Science and Technology [AIST], Japan)]
   4689 
   4690   *) Minimal support for X9.31 signatures and PSS padding modes. This is
   4691      mainly for FIPS compliance and not fully integrated at this stage.
   4692      [Steve Henson]
   4693 
   4694   *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
   4695      the exponentiation using a fixed-length exponent.  (Otherwise,
   4696      the information leaked through timing could expose the secret key
   4697      after many signatures; cf. Bleichenbacher's attack on DSA with
   4698      biased k.)
   4699      [Bodo Moeller]
   4700 
   4701   *) Make a new fixed-window mod_exp implementation the default for
   4702      RSA, DSA, and DH private-key operations so that the sequence of
   4703      squares and multiplies and the memory access pattern are
   4704      independent of the particular secret key.  This will mitigate
   4705      cache-timing and potential related attacks.
   4706 
   4707      BN_mod_exp_mont_consttime() is the new exponentiation implementation,
   4708      and this is automatically used by BN_mod_exp_mont() if the new flag
   4709      BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
   4710      will use this BN flag for private exponents unless the flag
   4711      RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
   4712      DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
   4713 
   4714      [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
   4715 
   4716   *) Change the client implementation for SSLv23_method() and
   4717      SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
   4718      Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
   4719      (Previously, the SSL 2.0 backwards compatible Client Hello
   4720      message format would be used even with SSL_OP_NO_SSLv2.)
   4721      [Bodo Moeller]
   4722 
   4723   *) Add support for smime-type MIME parameter in S/MIME messages which some
   4724      clients need.
   4725      [Steve Henson]
   4726 
   4727   *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
   4728      a threadsafe manner. Modify rsa code to use new function and add calls
   4729      to dsa and dh code (which had race conditions before).
   4730      [Steve Henson]
   4731 
   4732   *) Include the fixed error library code in the C error file definitions
   4733      instead of fixing them up at runtime. This keeps the error code
   4734      structures constant.
   4735      [Steve Henson]
   4736 
   4737  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
   4738 
   4739   [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
   4740   OpenSSL 0.9.8.]
   4741 
   4742   *) Fixes for newer kerberos headers. NB: the casts are needed because
   4743      the 'length' field is signed on one version and unsigned on another
   4744      with no (?) obvious way to tell the difference, without these VC++
   4745      complains. Also the "definition" of FAR (blank) is no longer included
   4746      nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
   4747      some needed definitions.
   4748      [Steve Henson]
   4749 
   4750   *) Undo Cygwin change.
   4751      [Ulf Mller]
   4752 
   4753   *) Added support for proxy certificates according to RFC 3820.
   4754      Because they may be a security thread to unaware applications,
   4755      they must be explicitely allowed in run-time.  See
   4756      docs/HOWTO/proxy_certificates.txt for further information.
   4757      [Richard Levitte]
   4758 
   4759  Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
   4760 
   4761   *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
   4762      server and client random values. Previously
   4763      (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
   4764      less random data when sizeof(time_t) > 4 (some 64 bit platforms).
   4765 
   4766      This change has negligible security impact because:
   4767 
   4768      1. Server and client random values still have 24 bytes of pseudo random
   4769         data.
   4770 
   4771      2. Server and client random values are sent in the clear in the initial
   4772         handshake.
   4773 
   4774      3. The master secret is derived using the premaster secret (48 bytes in
   4775         size for static RSA ciphersuites) as well as client server and random
   4776         values.
   4777 
   4778      The OpenSSL team would like to thank the UK NISCC for bringing this issue
   4779      to our attention. 
   4780 
   4781      [Stephen Henson, reported by UK NISCC]
   4782 
   4783   *) Use Windows randomness collection on Cygwin.
   4784      [Ulf Mller]
   4785 
   4786   *) Fix hang in EGD/PRNGD query when communication socket is closed
   4787      prematurely by EGD/PRNGD.
   4788      [Darren Tucker <dtucker (a] zip.com.au> via Lutz Jnicke, resolves #1014]
   4789 
   4790   *) Prompt for pass phrases when appropriate for PKCS12 input format.
   4791      [Steve Henson]
   4792 
   4793   *) Back-port of selected performance improvements from development
   4794      branch, as well as improved support for PowerPC platforms.
   4795      [Andy Polyakov]
   4796 
   4797   *) Add lots of checks for memory allocation failure, error codes to indicate
   4798      failure and freeing up memory if a failure occurs.
   4799      [Nauticus Networks SSL Team <openssl (a] nauticusnet.com>, Steve Henson]
   4800 
   4801   *) Add new -passin argument to dgst.
   4802      [Steve Henson]
   4803 
   4804   *) Perform some character comparisons of different types in X509_NAME_cmp:
   4805      this is needed for some certificates that reencode DNs into UTF8Strings
   4806      (in violation of RFC3280) and can't or wont issue name rollover
   4807      certificates.
   4808      [Steve Henson]
   4809 
   4810   *) Make an explicit check during certificate validation to see that
   4811      the CA setting in each certificate on the chain is correct.  As a
   4812      side effect always do the following basic checks on extensions,
   4813      not just when there's an associated purpose to the check:
   4814 
   4815       - if there is an unhandled critical extension (unless the user
   4816         has chosen to ignore this fault)
   4817       - if the path length has been exceeded (if one is set at all)
   4818       - that certain extensions fit the associated purpose (if one has
   4819         been given)
   4820      [Richard Levitte]
   4821 
   4822  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
   4823 
   4824   *) Avoid a race condition when CRLs are checked in a multi threaded 
   4825      environment. This would happen due to the reordering of the revoked
   4826      entries during signature checking and serial number lookup. Now the
   4827      encoding is cached and the serial number sort performed under a lock.
   4828      Add new STACK function sk_is_sorted().
   4829      [Steve Henson]
   4830 
   4831   *) Add Delta CRL to the extension code.
   4832      [Steve Henson]
   4833 
   4834   *) Various fixes to s3_pkt.c so alerts are sent properly.
   4835      [David Holmes <d.holmes (a] f5.com>]
   4836 
   4837   *) Reduce the chances of duplicate issuer name and serial numbers (in
   4838      violation of RFC3280) using the OpenSSL certificate creation utilities.
   4839      This is done by creating a random 64 bit value for the initial serial
   4840      number when a serial number file is created or when a self signed
   4841      certificate is created using 'openssl req -x509'. The initial serial
   4842      number file is created using 'openssl x509 -next_serial' in CA.pl
   4843      rather than being initialized to 1.
   4844      [Steve Henson]
   4845 
   4846  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
   4847 
   4848   *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
   4849      by using the Codenomicon TLS Test Tool (CVE-2004-0079)                    
   4850      [Joe Orton, Steve Henson]   
   4851 
   4852   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
   4853      (CVE-2004-0112)
   4854      [Joe Orton, Steve Henson]   
   4855 
   4856   *) Make it possible to have multiple active certificates with the same
   4857      subject in the CA index file.  This is done only if the keyword
   4858      'unique_subject' is set to 'no' in the main CA section (default
   4859      if 'CA_default') of the configuration file.  The value is saved
   4860      with the database itself in a separate index attribute file,
   4861      named like the index file with '.attr' appended to the name.
   4862      [Richard Levitte]
   4863 
   4864   *) X509 verify fixes. Disable broken certificate workarounds when 
   4865      X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
   4866      keyUsage extension present. Don't accept CRLs with unhandled critical
   4867      extensions: since verify currently doesn't process CRL extensions this
   4868      rejects a CRL with *any* critical extensions. Add new verify error codes
   4869      for these cases.
   4870      [Steve Henson]
   4871 
   4872   *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
   4873      A clarification of RFC2560 will require the use of OCTET STRINGs and 
   4874      some implementations cannot handle the current raw format. Since OpenSSL
   4875      copies and compares OCSP nonces as opaque blobs without any attempt at
   4876      parsing them this should not create any compatibility issues.
   4877      [Steve Henson]
   4878 
   4879   *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
   4880      calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
   4881      this HMAC (and other) operations are several times slower than OpenSSL
   4882      < 0.9.7.
   4883      [Steve Henson]
   4884 
   4885   *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
   4886      [Peter Sylvester <Peter.Sylvester (a] EdelWeb.fr>]
   4887 
   4888   *) Use the correct content when signing type "other".
   4889      [Steve Henson]
   4890 
   4891  Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
   4892 
   4893   *) Fix various bugs revealed by running the NISCC test suite:
   4894 
   4895      Stop out of bounds reads in the ASN1 code when presented with
   4896      invalid tags (CVE-2003-0543 and CVE-2003-0544).
   4897      
   4898      Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
   4899 
   4900      If verify callback ignores invalid public key errors don't try to check
   4901      certificate signature with the NULL public key.
   4902 
   4903      [Steve Henson]
   4904 
   4905   *) New -ignore_err option in ocsp application to stop the server
   4906      exiting on the first error in a request.
   4907      [Steve Henson]
   4908 
   4909   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   4910      if the server requested one: as stated in TLS 1.0 and SSL 3.0
   4911      specifications.
   4912      [Steve Henson]
   4913 
   4914   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   4915      extra data after the compression methods not only for TLS 1.0
   4916      but also for SSL 3.0 (as required by the specification).
   4917      [Bodo Moeller; problem pointed out by Matthias Loepfe]
   4918 
   4919   *) Change X509_certificate_type() to mark the key as exported/exportable
   4920      when it's 512 *bits* long, not 512 bytes.
   4921      [Richard Levitte]
   4922 
   4923   *) Change AES_cbc_encrypt() so it outputs exact multiple of
   4924      blocks during encryption.
   4925      [Richard Levitte]
   4926 
   4927   *) Various fixes to base64 BIO and non blocking I/O. On write 
   4928      flushes were not handled properly if the BIO retried. On read
   4929      data was not being buffered properly and had various logic bugs.
   4930      This also affects blocking I/O when the data being decoded is a
   4931      certain size.
   4932      [Steve Henson]
   4933 
   4934   *) Various S/MIME bugfixes and compatibility changes:
   4935      output correct application/pkcs7 MIME type if
   4936      PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
   4937      Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
   4938      of files as .eml work). Correctly handle very long lines in MIME
   4939      parser.
   4940      [Steve Henson]
   4941 
   4942  Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
   4943 
   4944   *) Countermeasure against the Klima-Pokorny-Rosa extension of
   4945      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
   4946      a protocol version number mismatch like a decryption error
   4947      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
   4948      [Bodo Moeller]
   4949 
   4950   *) Turn on RSA blinding by default in the default implementation
   4951      to avoid a timing attack. Applications that don't want it can call
   4952      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   4953      They would be ill-advised to do so in most cases.
   4954      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
   4955 
   4956   *) Change RSA blinding code so that it works when the PRNG is not
   4957      seeded (in this case, the secret RSA exponent is abused as
   4958      an unpredictable seed -- if it is not unpredictable, there
   4959      is no point in blinding anyway).  Make RSA blinding thread-safe
   4960      by remembering the creator's thread ID in rsa->blinding and
   4961      having all other threads use local one-time blinding factors
   4962      (this requires more computation than sharing rsa->blinding, but
   4963      avoids excessive locking; and if an RSA object is not shared
   4964      between threads, blinding will still be very fast).
   4965      [Bodo Moeller]
   4966 
   4967   *) Fixed a typo bug that would cause ENGINE_set_default() to set an
   4968      ENGINE as defaults for all supported algorithms irrespective of
   4969      the 'flags' parameter. 'flags' is now honoured, so applications
   4970      should make sure they are passing it correctly.
   4971      [Geoff Thorpe]
   4972 
   4973   *) Target "mingw" now allows native Windows code to be generated in
   4974      the Cygwin environment as well as with the MinGW compiler.
   4975      [Ulf Moeller] 
   4976 
   4977  Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
   4978 
   4979   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   4980      via timing by performing a MAC computation even if incorrrect
   4981      block cipher padding has been found.  This is a countermeasure
   4982      against active attacks where the attacker has to distinguish
   4983      between bad padding and a MAC verification error. (CVE-2003-0078)
   4984 
   4985      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   4986      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   4987      Martin Vuagnoux (EPFL, Ilion)]
   4988 
   4989   *) Make the no-err option work as intended.  The intention with no-err
   4990      is not to have the whole error stack handling routines removed from
   4991      libcrypto, it's only intended to remove all the function name and
   4992      reason texts, thereby removing some of the footprint that may not
   4993      be interesting if those errors aren't displayed anyway.
   4994 
   4995      NOTE: it's still possible for any application or module to have it's
   4996      own set of error texts inserted.  The routines are there, just not
   4997      used by default when no-err is given.
   4998      [Richard Levitte]
   4999 
   5000   *) Add support for FreeBSD on IA64.
   5001      [dirk.meyer (a] dinoex.sub.org via Richard Levitte, resolves #454]
   5002 
   5003   *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
   5004      Kerberos function mit_des_cbc_cksum().  Before this change,
   5005      the value returned by DES_cbc_cksum() was like the one from
   5006      mit_des_cbc_cksum(), except the bytes were swapped.
   5007      [Kevin Greaney <Kevin.Greaney (a] hp.com> and Richard Levitte]
   5008 
   5009   *) Allow an application to disable the automatic SSL chain building.
   5010      Before this a rather primitive chain build was always performed in
   5011      ssl3_output_cert_chain(): an application had no way to send the 
   5012      correct chain if the automatic operation produced an incorrect result.
   5013 
   5014      Now the chain builder is disabled if either:
   5015 
   5016      1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
   5017 
   5018      2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
   5019 
   5020      The reasoning behind this is that an application would not want the
   5021      auto chain building to take place if extra chain certificates are
   5022      present and it might also want a means of sending no additional
   5023      certificates (for example the chain has two certificates and the
   5024      root is omitted).
   5025      [Steve Henson]
   5026 
   5027   *) Add the possibility to build without the ENGINE framework.
   5028      [Steven Reddie <smr (a] essemer.com.au> via Richard Levitte]
   5029 
   5030   *) Under Win32 gmtime() can return NULL: check return value in
   5031      OPENSSL_gmtime(). Add error code for case where gmtime() fails.
   5032      [Steve Henson]
   5033 
   5034   *) DSA routines: under certain error conditions uninitialized BN objects
   5035      could be freed. Solution: make sure initialization is performed early
   5036      enough. (Reported and fix supplied by Ivan D Nestlerode <nestler (a] MIT.EDU>,
   5037      Nils Larsch <nla (a] trustcenter.de> via PR#459)
   5038      [Lutz Jaenicke]
   5039 
   5040   *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
   5041      checked on reconnect on the client side, therefore session resumption
   5042      could still fail with a "ssl session id is different" error. This
   5043      behaviour is masked when SSL_OP_ALL is used due to
   5044      SSL_OP_MICROSOFT_SESS_ID_BUG being set.
   5045      Behaviour observed by Crispin Flowerday <crispin (a] flowerday.cx> as
   5046      followup to PR #377.
   5047      [Lutz Jaenicke]
   5048 
   5049   *) IA-32 assembler support enhancements: unified ELF targets, support
   5050      for SCO/Caldera platforms, fix for Cygwin shared build.
   5051      [Andy Polyakov]
   5052 
   5053   *) Add support for FreeBSD on sparc64.  As a consequence, support for
   5054      FreeBSD on non-x86 processors is separate from x86 processors on
   5055      the config script, much like the NetBSD support.
   5056      [Richard Levitte & Kris Kennaway <kris (a] obsecurity.org>]
   5057 
   5058  Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
   5059 
   5060   [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
   5061   OpenSSL 0.9.7.]
   5062 
   5063   *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
   5064      code (06) was taken as the first octet of the session ID and the last
   5065      octet was ignored consequently. As a result SSLv2 client side session
   5066      caching could not have worked due to the session ID mismatch between
   5067      client and server.
   5068      Behaviour observed by Crispin Flowerday <crispin (a] flowerday.cx> as
   5069      PR #377.
   5070      [Lutz Jaenicke]
   5071 
   5072   *) Change the declaration of needed Kerberos libraries to use EX_LIBS
   5073      instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
   5074      removed entirely.
   5075      [Richard Levitte]
   5076 
   5077   *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
   5078      seems that in spite of existing for more than a year, many application
   5079      author have done nothing to provide the necessary callbacks, which
   5080      means that this particular engine will not work properly anywhere.
   5081      This is a very unfortunate situation which forces us, in the name
   5082      of usability, to give the hw_ncipher.c a static lock, which is part
   5083      of libcrypto.
   5084      NOTE: This is for the 0.9.7 series ONLY.  This hack will never
   5085      appear in 0.9.8 or later.  We EXPECT application authors to have
   5086      dealt properly with this when 0.9.8 is released (unless we actually
   5087      make such changes in the libcrypto locking code that changes will
   5088      have to be made anyway).
   5089      [Richard Levitte]
   5090 
   5091   *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
   5092      octets have been read, EOF or an error occurs. Without this change
   5093      some truncated ASN1 structures will not produce an error.
   5094      [Steve Henson]
   5095 
   5096   *) Disable Heimdal support, since it hasn't been fully implemented.
   5097      Still give the possibility to force the use of Heimdal, but with
   5098      warnings and a request that patches get sent to openssl-dev.
   5099      [Richard Levitte]
   5100 
   5101   *) Add the VC-CE target, introduce the WINCE sysname, and add
   5102      INSTALL.WCE and appropriate conditionals to make it build.
   5103      [Steven Reddie <smr (a] essemer.com.au> via Richard Levitte]
   5104 
   5105   *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
   5106      cygssl-x.y.z.dll, where x, y and z are the major, minor and
   5107      edit numbers of the version.
   5108      [Corinna Vinschen <vinschen (a] redhat.com> and Richard Levitte]
   5109 
   5110   *) Introduce safe string copy and catenation functions
   5111      (BUF_strlcpy() and BUF_strlcat()).
   5112      [Ben Laurie (CHATS) and Richard Levitte]
   5113 
   5114   *) Avoid using fixed-size buffers for one-line DNs.
   5115      [Ben Laurie (CHATS)]
   5116 
   5117   *) Add BUF_MEM_grow_clean() to avoid information leakage when
   5118      resizing buffers containing secrets, and use where appropriate.
   5119      [Ben Laurie (CHATS)]
   5120 
   5121   *) Avoid using fixed size buffers for configuration file location.
   5122      [Ben Laurie (CHATS)]
   5123 
   5124   *) Avoid filename truncation for various CA files.
   5125      [Ben Laurie (CHATS)]
   5126 
   5127   *) Use sizeof in preference to magic numbers.
   5128      [Ben Laurie (CHATS)]
   5129 
   5130   *) Avoid filename truncation in cert requests.
   5131      [Ben Laurie (CHATS)]
   5132 
   5133   *) Add assertions to check for (supposedly impossible) buffer
   5134      overflows.
   5135      [Ben Laurie (CHATS)]
   5136 
   5137   *) Don't cache truncated DNS entries in the local cache (this could
   5138      potentially lead to a spoofing attack).
   5139      [Ben Laurie (CHATS)]
   5140 
   5141   *) Fix various buffers to be large enough for hex/decimal
   5142      representations in a platform independent manner.
   5143      [Ben Laurie (CHATS)]
   5144 
   5145   *) Add CRYPTO_realloc_clean() to avoid information leakage when
   5146      resizing buffers containing secrets, and use where appropriate.
   5147      [Ben Laurie (CHATS)]
   5148 
   5149   *) Add BIO_indent() to avoid much slightly worrying code to do
   5150      indents.
   5151      [Ben Laurie (CHATS)]
   5152 
   5153   *) Convert sprintf()/BIO_puts() to BIO_printf().
   5154      [Ben Laurie (CHATS)]
   5155 
   5156   *) buffer_gets() could terminate with the buffer only half
   5157      full. Fixed.
   5158      [Ben Laurie (CHATS)]
   5159 
   5160   *) Add assertions to prevent user-supplied crypto functions from
   5161      overflowing internal buffers by having large block sizes, etc.
   5162      [Ben Laurie (CHATS)]
   5163 
   5164   *) New OPENSSL_assert() macro (similar to assert(), but enabled
   5165      unconditionally).
   5166      [Ben Laurie (CHATS)]
   5167 
   5168   *) Eliminate unused copy of key in RC4.
   5169      [Ben Laurie (CHATS)]
   5170 
   5171   *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
   5172      [Ben Laurie (CHATS)]
   5173 
   5174   *) Fix off-by-one error in EGD path.
   5175      [Ben Laurie (CHATS)]
   5176 
   5177   *) If RANDFILE path is too long, ignore instead of truncating.
   5178      [Ben Laurie (CHATS)]
   5179 
   5180   *) Eliminate unused and incorrectly sized X.509 structure
   5181      CBCParameter.
   5182      [Ben Laurie (CHATS)]
   5183 
   5184   *) Eliminate unused and dangerous function knumber().
   5185      [Ben Laurie (CHATS)]
   5186 
   5187   *) Eliminate unused and dangerous structure, KSSL_ERR.
   5188      [Ben Laurie (CHATS)]
   5189 
   5190   *) Protect against overlong session ID context length in an encoded
   5191      session object. Since these are local, this does not appear to be
   5192      exploitable.
   5193      [Ben Laurie (CHATS)]
   5194 
   5195   *) Change from security patch (see 0.9.6e below) that did not affect
   5196      the 0.9.6 release series:
   5197 
   5198      Remote buffer overflow in SSL3 protocol - an attacker could
   5199      supply an oversized master key in Kerberos-enabled versions.
   5200      (CVE-2002-0657)
   5201      [Ben Laurie (CHATS)]
   5202 
   5203   *) Change the SSL kerb5 codes to match RFC 2712.
   5204      [Richard Levitte]
   5205 
   5206   *) Make -nameopt work fully for req and add -reqopt switch.
   5207      [Michael Bell <michael.bell (a] rz.hu-berlin.de>, Steve Henson]
   5208 
   5209   *) The "block size" for block ciphers in CFB and OFB mode should be 1.
   5210      [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve (a] opera.com>]
   5211 
   5212   *) Make sure tests can be performed even if the corresponding algorithms
   5213      have been removed entirely.  This was also the last step to make
   5214      OpenSSL compilable with DJGPP under all reasonable conditions.
   5215      [Richard Levitte, Doug Kaufman <dkaufman (a] rahul.net>]
   5216 
   5217   *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
   5218      to allow version independent disabling of normally unselected ciphers,
   5219      which may be activated as a side-effect of selecting a single cipher.
   5220 
   5221      (E.g., cipher list string "RSA" enables ciphersuites that are left
   5222      out of "ALL" because they do not provide symmetric encryption.
   5223      "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
   5224      [Lutz Jaenicke, Bodo Moeller]
   5225 
   5226   *) Add appropriate support for separate platform-dependent build
   5227      directories.  The recommended way to make a platform-dependent
   5228      build directory is the following (tested on Linux), maybe with
   5229      some local tweaks:
   5230 
   5231 	# Place yourself outside of the OpenSSL source tree.  In
   5232 	# this example, the environment variable OPENSSL_SOURCE
   5233 	# is assumed to contain the absolute OpenSSL source directory.
   5234 	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
   5235 	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
   5236 	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
   5237 		mkdir -p `dirname $F`
   5238 		ln -s $OPENSSL_SOURCE/$F $F
   5239 	done
   5240 
   5241      To be absolutely sure not to disturb the source tree, a "make clean"
   5242      is a good thing.  If it isn't successfull, don't worry about it,
   5243      it probably means the source directory is very clean.
   5244      [Richard Levitte]
   5245 
   5246   *) Make sure any ENGINE control commands make local copies of string
   5247      pointers passed to them whenever necessary. Otherwise it is possible
   5248      the caller may have overwritten (or deallocated) the original string
   5249      data when a later ENGINE operation tries to use the stored values.
   5250      [Gtz Babin-Ebell <babinebell (a] trustcenter.de>]
   5251 
   5252   *) Improve diagnostics in file reading and command-line digests.
   5253      [Ben Laurie aided and abetted by Solar Designer <solar (a] openwall.com>]
   5254 
   5255   *) Add AES modes CFB and OFB to the object database.  Correct an
   5256      error in AES-CFB decryption.
   5257      [Richard Levitte]
   5258 
   5259   *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 
   5260      allows existing EVP_CIPHER_CTX structures to be reused after
   5261      calling EVP_*Final(). This behaviour is used by encryption
   5262      BIOs and some applications. This has the side effect that
   5263      applications must explicitly clean up cipher contexts with
   5264      EVP_CIPHER_CTX_cleanup() or they will leak memory.
   5265      [Steve Henson]
   5266 
   5267   *) Check the values of dna and dnb in bn_mul_recursive before calling
   5268      bn_mul_comba (a non zero value means the a or b arrays do not contain
   5269      n2 elements) and fallback to bn_mul_normal if either is not zero.
   5270      [Steve Henson]
   5271 
   5272   *) Fix escaping of non-ASCII characters when using the -subj option
   5273      of the "openssl req" command line tool. (Robert Joop <joop (a] fokus.gmd.de>)
   5274      [Lutz Jaenicke]
   5275 
   5276   *) Make object definitions compliant to LDAP (RFC2256): SN is the short
   5277      form for "surname", serialNumber has no short form.
   5278      Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
   5279      therefore remove "mail" short name for "internet 7".
   5280      The OID for unique identifiers in X509 certificates is
   5281      x500UniqueIdentifier, not uniqueIdentifier.
   5282      Some more OID additions. (Michael Bell <michael.bell (a] rz.hu-berlin.de>)
   5283      [Lutz Jaenicke]
   5284 
   5285   *) Add an "init" command to the ENGINE config module and auto initialize
   5286      ENGINEs. Without any "init" command the ENGINE will be initialized 
   5287      after all ctrl commands have been executed on it. If init=1 the 
   5288      ENGINE is initailized at that point (ctrls before that point are run
   5289      on the uninitialized ENGINE and after on the initialized one). If
   5290      init=0 then the ENGINE will not be iniatialized at all.
   5291      [Steve Henson]
   5292 
   5293   *) Fix the 'app_verify_callback' interface so that the user-defined
   5294      argument is actually passed to the callback: In the
   5295      SSL_CTX_set_cert_verify_callback() prototype, the callback
   5296      declaration has been changed from
   5297           int (*cb)()
   5298      into
   5299           int (*cb)(X509_STORE_CTX *,void *);
   5300      in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
   5301           i=s->ctx->app_verify_callback(&ctx)
   5302      has been changed into
   5303           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
   5304 
   5305      To update applications using SSL_CTX_set_cert_verify_callback(),
   5306      a dummy argument can be added to their callback functions.
   5307      [D. K. Smetters <smetters (a] parc.xerox.com>]
   5308 
   5309   *) Added the '4758cca' ENGINE to support IBM 4758 cards.
   5310      [Maurice Gittens <maurice (a] gittens.nl>, touchups by Geoff Thorpe]
   5311 
   5312   *) Add and OPENSSL_LOAD_CONF define which will cause
   5313      OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
   5314      This allows older applications to transparently support certain
   5315      OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
   5316      Two new functions OPENSSL_add_all_algorithms_noconf() which will never
   5317      load the config file and OPENSSL_add_all_algorithms_conf() which will
   5318      always load it have also been added.
   5319      [Steve Henson]
   5320 
   5321   *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
   5322      Adjust NIDs and EVP layer.
   5323      [Stephen Sprunk <stephen (a] sprunk.org> and Richard Levitte]
   5324 
   5325   *) Config modules support in openssl utility.
   5326 
   5327      Most commands now load modules from the config file,
   5328      though in a few (such as version) this isn't done 
   5329      because it couldn't be used for anything.
   5330 
   5331      In the case of ca and req the config file used is
   5332      the same as the utility itself: that is the -config
   5333      command line option can be used to specify an
   5334      alternative file.
   5335      [Steve Henson]
   5336 
   5337   *) Move default behaviour from OPENSSL_config(). If appname is NULL
   5338      use "openssl_conf" if filename is NULL use default openssl config file.
   5339      [Steve Henson]
   5340 
   5341   *) Add an argument to OPENSSL_config() to allow the use of an alternative
   5342      config section name. Add a new flag to tolerate a missing config file
   5343      and move code to CONF_modules_load_file().
   5344      [Steve Henson]
   5345 
   5346   *) Support for crypto accelerator cards from Accelerated Encryption
   5347      Processing, www.aep.ie.  (Use engine 'aep')
   5348      The support was copied from 0.9.6c [engine] and adapted/corrected
   5349      to work with the new engine framework.
   5350      [AEP Inc. and Richard Levitte]
   5351 
   5352   *) Support for SureWare crypto accelerator cards from Baltimore
   5353      Technologies.  (Use engine 'sureware')
   5354      The support was copied from 0.9.6c [engine] and adapted
   5355      to work with the new engine framework.
   5356      [Richard Levitte]
   5357 
   5358   *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
   5359      make the newer ENGINE framework commands for the CHIL engine work.
   5360      [Toomas Kiisk <vix (a] cyber.ee> and Richard Levitte]
   5361 
   5362   *) Make it possible to produce shared libraries on ReliantUNIX.
   5363      [Robert Dahlem <Robert.Dahlem (a] ffm2.siemens.de> via Richard Levitte]
   5364 
   5365   *) Add the configuration target debug-linux-ppro.
   5366      Make 'openssl rsa' use the general key loading routines
   5367      implemented in apps.c, and make those routines able to
   5368      handle the key format FORMAT_NETSCAPE and the variant
   5369      FORMAT_IISSGC.
   5370      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   5371 
   5372  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
   5373      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   5374 
   5375   *) Add -keyform to rsautl, and document -engine.
   5376      [Richard Levitte, inspired by Toomas Kiisk <vix (a] cyber.ee>]
   5377 
   5378   *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
   5379      BIO_R_NO_SUCH_FILE error code rather than the generic
   5380      ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
   5381      [Ben Laurie]
   5382 
   5383   *) Add new functions
   5384           ERR_peek_last_error
   5385           ERR_peek_last_error_line
   5386           ERR_peek_last_error_line_data.
   5387      These are similar to
   5388           ERR_peek_error
   5389           ERR_peek_error_line
   5390           ERR_peek_error_line_data,
   5391      but report on the latest error recorded rather than the first one
   5392      still in the error queue.
   5393      [Ben Laurie, Bodo Moeller]
   5394         
   5395   *) default_algorithms option in ENGINE config module. This allows things
   5396      like:
   5397      default_algorithms = ALL
   5398      default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
   5399      [Steve Henson]
   5400 
   5401   *) Prelminary ENGINE config module.
   5402      [Steve Henson]
   5403 
   5404   *) New experimental application configuration code.
   5405      [Steve Henson]
   5406 
   5407   *) Change the AES code to follow the same name structure as all other
   5408      symmetric ciphers, and behave the same way.  Move everything to
   5409      the directory crypto/aes, thereby obsoleting crypto/rijndael.
   5410      [Stephen Sprunk <stephen (a] sprunk.org> and Richard Levitte]
   5411 
   5412   *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
   5413      [Ben Laurie and Theo de Raadt]
   5414 
   5415   *) Add option to output public keys in req command.
   5416      [Massimiliano Pala madwolf (a] openca.org]
   5417 
   5418   *) Use wNAFs in EC_POINTs_mul() for improved efficiency
   5419      (up to about 10% better than before for P-192 and P-224).
   5420      [Bodo Moeller]
   5421 
   5422   *) New functions/macros
   5423 
   5424           SSL_CTX_set_msg_callback(ctx, cb)
   5425           SSL_CTX_set_msg_callback_arg(ctx, arg)
   5426           SSL_set_msg_callback(ssl, cb)
   5427           SSL_set_msg_callback_arg(ssl, arg)
   5428 
   5429      to request calling a callback function
   5430 
   5431           void cb(int write_p, int version, int content_type,
   5432                   const void *buf, size_t len, SSL *ssl, void *arg)
   5433 
   5434      whenever a protocol message has been completely received
   5435      (write_p == 0) or sent (write_p == 1).  Here 'version' is the
   5436      protocol version  according to which the SSL library interprets
   5437      the current protocol message (SSL2_VERSION, SSL3_VERSION, or
   5438      TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
   5439      the content type as defined in the SSL 3.0/TLS 1.0 protocol
   5440      specification (change_cipher_spec(20), alert(21), handshake(22)).
   5441      'buf' and 'len' point to the actual message, 'ssl' to the
   5442      SSL object, and 'arg' is the application-defined value set by
   5443      SSL[_CTX]_set_msg_callback_arg().
   5444 
   5445      'openssl s_client' and 'openssl s_server' have new '-msg' options
   5446      to enable a callback that displays all protocol messages.
   5447      [Bodo Moeller]
   5448 
   5449   *) Change the shared library support so shared libraries are built as
   5450      soon as the corresponding static library is finished, and thereby get
   5451      openssl and the test programs linked against the shared library.
   5452      This still only happens when the keyword "shard" has been given to
   5453      the configuration scripts.
   5454 
   5455      NOTE: shared library support is still an experimental thing, and
   5456      backward binary compatibility is still not guaranteed.
   5457      ["Maciej W. Rozycki" <macro (a] ds2.pg.gda.pl> and Richard Levitte]
   5458 
   5459   *) Add support for Subject Information Access extension.
   5460      [Peter Sylvester <Peter.Sylvester (a] EdelWeb.fr>]
   5461 
   5462   *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
   5463      additional bytes when new memory had to be allocated, not just
   5464      when reusing an existing buffer.
   5465      [Bodo Moeller]
   5466 
   5467   *) New command line and configuration option 'utf8' for the req command.
   5468      This allows field values to be specified as UTF8 strings.
   5469      [Steve Henson]
   5470 
   5471   *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
   5472      runs for the former and machine-readable output for the latter.
   5473      [Ben Laurie]
   5474 
   5475   *) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
   5476      of the e-mail address in the DN (i.e., it will go into a certificate
   5477      extension only).  The new configuration file option 'email_in_dn = no'
   5478      has the same effect.
   5479      [Massimiliano Pala madwolf (a] openca.org]
   5480 
   5481   *) Change all functions with names starting with des_ to be starting
   5482      with DES_ instead.  Add wrappers that are compatible with libdes,
   5483      but are named _ossl_old_des_*.  Finally, add macros that map the
   5484      des_* symbols to the corresponding _ossl_old_des_* if libdes
   5485      compatibility is desired.  If OpenSSL 0.9.6c compatibility is
   5486      desired, the des_* symbols will be mapped to DES_*, with one
   5487      exception.
   5488 
   5489      Since we provide two compatibility mappings, the user needs to
   5490      define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
   5491      compatibility is desired.  The default (i.e., when that macro
   5492      isn't defined) is OpenSSL 0.9.6c compatibility.
   5493 
   5494      There are also macros that enable and disable the support of old
   5495      des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
   5496      and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
   5497      are defined, the default will apply: to support the old des routines.
   5498 
   5499      In either case, one must include openssl/des.h to get the correct
   5500      definitions.  Do not try to just include openssl/des_old.h, that
   5501      won't work.
   5502 
   5503      NOTE: This is a major break of an old API into a new one.  Software
   5504      authors are encouraged to switch to the DES_ style functions.  Some
   5505      time in the future, des_old.h and the libdes compatibility functions
   5506      will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
   5507      default), and then completely removed.
   5508      [Richard Levitte]
   5509 
   5510   *) Test for certificates which contain unsupported critical extensions.
   5511      If such a certificate is found during a verify operation it is 
   5512      rejected by default: this behaviour can be overridden by either
   5513      handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
   5514      by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
   5515      X509_supported_extension() has also been added which returns 1 if a
   5516      particular extension is supported.
   5517      [Steve Henson]
   5518 
   5519   *) Modify the behaviour of EVP cipher functions in similar way to digests
   5520      to retain compatibility with existing code.
   5521      [Steve Henson]
   5522 
   5523   *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
   5524      compatibility with existing code. In particular the 'ctx' parameter does
   5525      not have to be to be initialized before the call to EVP_DigestInit() and
   5526      it is tidied up after a call to EVP_DigestFinal(). New function
   5527      EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
   5528      EVP_MD_CTX_copy() changed to not require the destination to be
   5529      initialized valid and new function EVP_MD_CTX_copy_ex() added which
   5530      requires the destination to be valid.
   5531 
   5532      Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
   5533      EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
   5534      [Steve Henson]
   5535 
   5536   *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
   5537      so that complete 'Handshake' protocol structures are kept in memory
   5538      instead of overwriting 'msg_type' and 'length' with 'body' data.
   5539      [Bodo Moeller]
   5540 
   5541   *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
   5542      [Massimo Santin via Richard Levitte]
   5543 
   5544   *) Major restructuring to the underlying ENGINE code. This includes
   5545      reduction of linker bloat, separation of pure "ENGINE" manipulation
   5546      (initialisation, etc) from functionality dealing with implementations
   5547      of specific crypto iterfaces. This change also introduces integrated
   5548      support for symmetric ciphers and digest implementations - so ENGINEs
   5549      can now accelerate these by providing EVP_CIPHER and EVP_MD
   5550      implementations of their own. This is detailed in crypto/engine/README
   5551      as it couldn't be adequately described here. However, there are a few
   5552      API changes worth noting - some RSA, DSA, DH, and RAND functions that
   5553      were changed in the original introduction of ENGINE code have now
   5554      reverted back - the hooking from this code to ENGINE is now a good
   5555      deal more passive and at run-time, operations deal directly with
   5556      RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
   5557      dereferencing through an ENGINE pointer any more. Also, the ENGINE
   5558      functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
   5559      they were not being used by the framework as there is no concept of a
   5560      BIGNUM_METHOD and they could not be generalised to the new
   5561      'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
   5562      ENGINE_cpy() has been removed as it cannot be consistently defined in
   5563      the new code.
   5564      [Geoff Thorpe]
   5565 
   5566   *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
   5567      [Steve Henson]
   5568 
   5569   *) Change mkdef.pl to sort symbols that get the same entry number,
   5570      and make sure the automatically generated functions ERR_load_*
   5571      become part of libeay.num as well.
   5572      [Richard Levitte]
   5573 
   5574   *) New function SSL_renegotiate_pending().  This returns true once
   5575      renegotiation has been requested (either SSL_renegotiate() call
   5576      or HelloRequest/ClientHello receveived from the peer) and becomes
   5577      false once a handshake has been completed.
   5578      (For servers, SSL_renegotiate() followed by SSL_do_handshake()
   5579      sends a HelloRequest, but does not ensure that a handshake takes
   5580      place.  SSL_renegotiate_pending() is useful for checking if the
   5581      client has followed the request.)
   5582      [Bodo Moeller]
   5583 
   5584   *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
   5585      By default, clients may request session resumption even during
   5586      renegotiation (if session ID contexts permit); with this option,
   5587      session resumption is possible only in the first handshake.
   5588 
   5589      SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
   5590      more bits available for options that should not be part of
   5591      SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
   5592      [Bodo Moeller]
   5593 
   5594   *) Add some demos for certificate and certificate request creation.
   5595      [Steve Henson]
   5596 
   5597   *) Make maximum certificate chain size accepted from the peer application
   5598      settable (SSL*_get/set_max_cert_list()), as proposed by
   5599      "Douglas E. Engert" <deengert (a] anl.gov>.
   5600      [Lutz Jaenicke]
   5601 
   5602   *) Add support for shared libraries for Unixware-7
   5603      (Boyd Lynn Gerber <gerberb (a] zenez.com>).
   5604      [Lutz Jaenicke]
   5605 
   5606   *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
   5607      be done prior to destruction. Use this to unload error strings from
   5608      ENGINEs that load their own error strings. NB: This adds two new API
   5609      functions to "get" and "set" this destroy handler in an ENGINE.
   5610      [Geoff Thorpe]
   5611 
   5612   *) Alter all existing ENGINE implementations (except "openssl" and
   5613      "openbsd") to dynamically instantiate their own error strings. This
   5614      makes them more flexible to be built both as statically-linked ENGINEs
   5615      and self-contained shared-libraries loadable via the "dynamic" ENGINE.
   5616      Also, add stub code to each that makes building them as self-contained
   5617      shared-libraries easier (see README.ENGINE).
   5618      [Geoff Thorpe]
   5619 
   5620   *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
   5621      implementations into applications that are completely implemented in
   5622      self-contained shared-libraries. The "dynamic" ENGINE exposes control
   5623      commands that can be used to configure what shared-library to load and
   5624      to control aspects of the way it is handled. Also, made an update to
   5625      the README.ENGINE file that brings its information up-to-date and
   5626      provides some information and instructions on the "dynamic" ENGINE
   5627      (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
   5628      [Geoff Thorpe]
   5629 
   5630   *) Make it possible to unload ranges of ERR strings with a new
   5631      "ERR_unload_strings" function.
   5632      [Geoff Thorpe]
   5633 
   5634   *) Add a copy() function to EVP_MD.
   5635      [Ben Laurie]
   5636 
   5637   *) Make EVP_MD routines take a context pointer instead of just the
   5638      md_data void pointer.
   5639      [Ben Laurie]
   5640 
   5641   *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
   5642      that the digest can only process a single chunk of data
   5643      (typically because it is provided by a piece of
   5644      hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
   5645      is only going to provide a single chunk of data, and hence the
   5646      framework needn't accumulate the data for oneshot drivers.
   5647      [Ben Laurie]
   5648 
   5649   *) As with "ERR", make it possible to replace the underlying "ex_data"
   5650      functions. This change also alters the storage and management of global
   5651      ex_data state - it's now all inside ex_data.c and all "class" code (eg.
   5652      RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
   5653      index counters. The API functions that use this state have been changed
   5654      to take a "class_index" rather than pointers to the class's local STACK
   5655      and counter, and there is now an API function to dynamically create new
   5656      classes. This centralisation allows us to (a) plug a lot of the
   5657      thread-safety problems that existed, and (b) makes it possible to clean
   5658      up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
   5659      such data would previously have always leaked in application code and
   5660      workarounds were in place to make the memory debugging turn a blind eye
   5661      to it. Application code that doesn't use this new function will still
   5662      leak as before, but their memory debugging output will announce it now
   5663      rather than letting it slide.
   5664 
   5665      Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
   5666      induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
   5667      has a return value to indicate success or failure.
   5668      [Geoff Thorpe]
   5669 
   5670   *) Make it possible to replace the underlying "ERR" functions such that the
   5671      global state (2 LHASH tables and 2 locks) is only used by the "default"
   5672      implementation. This change also adds two functions to "get" and "set"
   5673      the implementation prior to it being automatically set the first time
   5674      any other ERR function takes place. Ie. an application can call "get",
   5675      pass the return value to a module it has just loaded, and that module
   5676      can call its own "set" function using that value. This means the
   5677      module's "ERR" operations will use (and modify) the error state in the
   5678      application and not in its own statically linked copy of OpenSSL code.
   5679      [Geoff Thorpe]
   5680 
   5681   *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
   5682      reference counts. This performs normal REF_PRINT/REF_CHECK macros on
   5683      the operation, and provides a more encapsulated way for external code
   5684      (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
   5685      to use these functions rather than manually incrementing the counts.
   5686 
   5687      Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
   5688      [Geoff Thorpe]
   5689 
   5690   *) Add EVP test program.
   5691      [Ben Laurie]
   5692 
   5693   *) Add symmetric cipher support to ENGINE. Expect the API to change!
   5694      [Ben Laurie]
   5695 
   5696   *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
   5697      X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
   5698      X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
   5699      These allow a CRL to be built without having to access X509_CRL fields
   5700      directly. Modify 'ca' application to use new functions.
   5701      [Steve Henson]
   5702 
   5703   *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
   5704      bug workarounds. Rollback attack detection is a security feature.
   5705      The problem will only arise on OpenSSL servers when TLSv1 is not
   5706      available (sslv3_server_method() or SSL_OP_NO_TLSv1).
   5707      Software authors not wanting to support TLSv1 will have special reasons
   5708      for their choice and can explicitly enable this option.
   5709      [Bodo Moeller, Lutz Jaenicke]
   5710 
   5711   *) Rationalise EVP so it can be extended: don't include a union of
   5712      cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
   5713      (similar to those existing for EVP_CIPHER_CTX).
   5714      Usage example:
   5715 
   5716          EVP_MD_CTX md;
   5717 
   5718          EVP_MD_CTX_init(&md);             /* new function call */
   5719          EVP_DigestInit(&md, EVP_sha1());
   5720          EVP_DigestUpdate(&md, in, len);
   5721          EVP_DigestFinal(&md, out, NULL);
   5722          EVP_MD_CTX_cleanup(&md);          /* new function call */
   5723 
   5724      [Ben Laurie]
   5725 
   5726   *) Make DES key schedule conform to the usual scheme, as well as
   5727      correcting its structure. This means that calls to DES functions
   5728      now have to pass a pointer to a des_key_schedule instead of a
   5729      plain des_key_schedule (which was actually always a pointer
   5730      anyway): E.g.,
   5731 
   5732          des_key_schedule ks;
   5733 
   5734 	 des_set_key_checked(..., &ks);
   5735 	 des_ncbc_encrypt(..., &ks, ...);
   5736 
   5737      (Note that a later change renames 'des_...' into 'DES_...'.)
   5738      [Ben Laurie]
   5739 
   5740   *) Initial reduction of linker bloat: the use of some functions, such as
   5741      PEM causes large amounts of unused functions to be linked in due to
   5742      poor organisation. For example pem_all.c contains every PEM function
   5743      which has a knock on effect of linking in large amounts of (unused)
   5744      ASN1 code. Grouping together similar functions and splitting unrelated
   5745      functions prevents this.
   5746      [Steve Henson]
   5747 
   5748   *) Cleanup of EVP macros.
   5749      [Ben Laurie]
   5750 
   5751   *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
   5752      correct _ecb suffix.
   5753      [Ben Laurie]
   5754 
   5755   *) Add initial OCSP responder support to ocsp application. The
   5756      revocation information is handled using the text based index
   5757      use by the ca application. The responder can either handle
   5758      requests generated internally, supplied in files (for example
   5759      via a CGI script) or using an internal minimal server.
   5760      [Steve Henson]
   5761 
   5762   *) Add configuration choices to get zlib compression for TLS.
   5763      [Richard Levitte]
   5764 
   5765   *) Changes to Kerberos SSL for RFC 2712 compliance:
   5766      1.  Implemented real KerberosWrapper, instead of just using
   5767          KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw (a] sxw.org.uk>]
   5768      2.  Implemented optional authenticator field of KerberosWrapper.
   5769 
   5770      Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
   5771      and authenticator structs; see crypto/krb5/.
   5772 
   5773      Generalized Kerberos calls to support multiple Kerberos libraries.
   5774      [Vern Staats <staatsvr (a] asc.hpc.mil>,
   5775       Jeffrey Altman <jaltman (a] columbia.edu>
   5776       via Richard Levitte]
   5777 
   5778   *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
   5779      already does with RSA. testdsa.h now has 'priv_key/pub_key'
   5780      values for each of the key sizes rather than having just
   5781      parameters (and 'speed' generating keys each time).
   5782      [Geoff Thorpe]
   5783 
   5784   *) Speed up EVP routines.
   5785      Before:
   5786 encrypt
   5787 type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
   5788 des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
   5789 des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
   5790 des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
   5791 decrypt
   5792 des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
   5793 des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
   5794 des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
   5795      After:
   5796 encrypt
   5797 des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
   5798 decrypt
   5799 des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   5800      [Ben Laurie]
   5801 
   5802   *) Added the OS2-EMX target.
   5803      ["Brian Havard" <brianh (a] kheldar.apana.org.au> and Richard Levitte]
   5804 
   5805   *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
   5806      to support NCONF routines in extension code. New function CONF_set_nconf()
   5807      to allow functions which take an NCONF to also handle the old LHASH
   5808      structure: this means that the old CONF compatible routines can be
   5809      retained (in particular wrt extensions) without having to duplicate the
   5810      code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
   5811      [Steve Henson]
   5812 
   5813   *) Enhance the general user interface with mechanisms for inner control
   5814      and with possibilities to have yes/no kind of prompts.
   5815      [Richard Levitte]
   5816 
   5817   *) Change all calls to low level digest routines in the library and
   5818      applications to use EVP. Add missing calls to HMAC_cleanup() and
   5819      don't assume HMAC_CTX can be copied using memcpy().
   5820      [Verdon Walker <VWalker (a] novell.com>, Steve Henson]
   5821 
   5822   *) Add the possibility to control engines through control names but with
   5823      arbitrary arguments instead of just a string.
   5824      Change the key loaders to take a UI_METHOD instead of a callback
   5825      function pointer.  NOTE: this breaks binary compatibility with earlier
   5826      versions of OpenSSL [engine].
   5827      Adapt the nCipher code for these new conditions and add a card insertion
   5828      callback.
   5829      [Richard Levitte]
   5830 
   5831   *) Enhance the general user interface with mechanisms to better support
   5832      dialog box interfaces, application-defined prompts, the possibility
   5833      to use defaults (for example default passwords from somewhere else)
   5834      and interrupts/cancellations.
   5835      [Richard Levitte]
   5836 
   5837   *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
   5838      attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
   5839      [Steve Henson]
   5840 
   5841   *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
   5842      tidy up some unnecessarily weird code in 'sk_new()').
   5843      [Geoff, reported by Diego Tartara <dtartara (a] novamens.com>]
   5844 
   5845   *) Change the key loading routines for ENGINEs to use the same kind
   5846      callback (pem_password_cb) as all other routines that need this
   5847      kind of callback.
   5848      [Richard Levitte]
   5849 
   5850   *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
   5851      256 bit (=32 byte) keys. Of course seeding with more entropy bytes
   5852      than this minimum value is recommended.
   5853      [Lutz Jaenicke]
   5854 
   5855   *) New random seeder for OpenVMS, using the system process statistics
   5856      that are easily reachable.
   5857      [Richard Levitte]
   5858 
   5859   *) Windows apparently can't transparently handle global
   5860      variables defined in DLLs. Initialisations such as:
   5861 
   5862         const ASN1_ITEM *it = &ASN1_INTEGER_it;
   5863 
   5864      wont compile. This is used by the any applications that need to
   5865      declare their own ASN1 modules. This was fixed by adding the option
   5866      EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
   5867      needed for static libraries under Win32.
   5868      [Steve Henson]
   5869 
   5870   *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
   5871      setting of purpose and trust fields. New X509_STORE trust and
   5872      purpose functions and tidy up setting in other SSL functions.
   5873      [Steve Henson]
   5874 
   5875   *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
   5876      structure. These are inherited by X509_STORE_CTX when it is 
   5877      initialised. This allows various defaults to be set in the
   5878      X509_STORE structure (such as flags for CRL checking and custom
   5879      purpose or trust settings) for functions which only use X509_STORE_CTX
   5880      internally such as S/MIME.
   5881 
   5882      Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
   5883      trust settings if they are not set in X509_STORE. This allows X509_STORE
   5884      purposes and trust (in S/MIME for example) to override any set by default.
   5885 
   5886      Add command line options for CRL checking to smime, s_client and s_server
   5887      applications.
   5888      [Steve Henson]
   5889 
   5890   *) Initial CRL based revocation checking. If the CRL checking flag(s)
   5891      are set then the CRL is looked up in the X509_STORE structure and
   5892      its validity and signature checked, then if the certificate is found
   5893      in the CRL the verify fails with a revoked error.
   5894 
   5895      Various new CRL related callbacks added to X509_STORE_CTX structure.
   5896 
   5897      Command line options added to 'verify' application to support this.
   5898 
   5899      This needs some additional work, such as being able to handle multiple
   5900      CRLs with different times, extension based lookup (rather than just
   5901      by subject name) and ultimately more complete V2 CRL extension
   5902      handling.
   5903      [Steve Henson]
   5904 
   5905   *) Add a general user interface API (crypto/ui/).  This is designed
   5906      to replace things like des_read_password and friends (backward
   5907      compatibility functions using this new API are provided).
   5908      The purpose is to remove prompting functions from the DES code
   5909      section as well as provide for prompting through dialog boxes in
   5910      a window system and the like.
   5911      [Richard Levitte]
   5912 
   5913   *) Add "ex_data" support to ENGINE so implementations can add state at a
   5914      per-structure level rather than having to store it globally.
   5915      [Geoff]
   5916 
   5917   *) Make it possible for ENGINE structures to be copied when retrieved by
   5918      ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
   5919      This causes the "original" ENGINE structure to act like a template,
   5920      analogous to the RSA vs. RSA_METHOD type of separation. Because of this
   5921      operational state can be localised to each ENGINE structure, despite the
   5922      fact they all share the same "methods". New ENGINE structures returned in
   5923      this case have no functional references and the return value is the single
   5924      structural reference. This matches the single structural reference returned
   5925      by ENGINE_by_id() normally, when it is incremented on the pre-existing
   5926      ENGINE structure.
   5927      [Geoff]
   5928 
   5929   *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
   5930      needs to match any other type at all we need to manually clear the
   5931      tag cache.
   5932      [Steve Henson]
   5933 
   5934   *) Changes to the "openssl engine" utility to include;
   5935      - verbosity levels ('-v', '-vv', and '-vvv') that provide information
   5936        about an ENGINE's available control commands.
   5937      - executing control commands from command line arguments using the
   5938        '-pre' and '-post' switches. '-post' is only used if '-t' is
   5939        specified and the ENGINE is successfully initialised. The syntax for
   5940        the individual commands are colon-separated, for example;
   5941 	 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
   5942      [Geoff]
   5943 
   5944   *) New dynamic control command support for ENGINEs. ENGINEs can now
   5945      declare their own commands (numbers), names (strings), descriptions,
   5946      and input types for run-time discovery by calling applications. A
   5947      subset of these commands are implicitly classed as "executable"
   5948      depending on their input type, and only these can be invoked through
   5949      the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
   5950      can be based on user input, config files, etc). The distinction is
   5951      that "executable" commands cannot return anything other than a boolean
   5952      result and can only support numeric or string input, whereas some
   5953      discoverable commands may only be for direct use through
   5954      ENGINE_ctrl(), eg. supporting the exchange of binary data, function
   5955      pointers, or other custom uses. The "executable" commands are to
   5956      support parameterisations of ENGINE behaviour that can be
   5957      unambiguously defined by ENGINEs and used consistently across any
   5958      OpenSSL-based application. Commands have been added to all the
   5959      existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
   5960      control over shared-library paths without source code alterations.
   5961      [Geoff]
   5962 
   5963   *) Changed all ENGINE implementations to dynamically allocate their
   5964      ENGINEs rather than declaring them statically. Apart from this being
   5965      necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
   5966      this also allows the implementations to compile without using the
   5967      internal engine_int.h header.
   5968      [Geoff]
   5969 
   5970   *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
   5971      'const' value. Any code that should be able to modify a RAND_METHOD
   5972      should already have non-const pointers to it (ie. they should only
   5973      modify their own ones).
   5974      [Geoff]
   5975 
   5976   *) Made a variety of little tweaks to the ENGINE code.
   5977      - "atalla" and "ubsec" string definitions were moved from header files
   5978        to C code. "nuron" string definitions were placed in variables
   5979        rather than hard-coded - allowing parameterisation of these values
   5980        later on via ctrl() commands.
   5981      - Removed unused "#if 0"'d code.
   5982      - Fixed engine list iteration code so it uses ENGINE_free() to release
   5983        structural references.
   5984      - Constified the RAND_METHOD element of ENGINE structures.
   5985      - Constified various get/set functions as appropriate and added
   5986        missing functions (including a catch-all ENGINE_cpy that duplicates
   5987        all ENGINE values onto a new ENGINE except reference counts/state).
   5988      - Removed NULL parameter checks in get/set functions. Setting a method
   5989        or function to NULL is a way of cancelling out a previously set
   5990        value.  Passing a NULL ENGINE parameter is just plain stupid anyway
   5991        and doesn't justify the extra error symbols and code.
   5992      - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
   5993        flags from engine_int.h to engine.h.
   5994      - Changed prototypes for ENGINE handler functions (init(), finish(),
   5995        ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
   5996      [Geoff]
   5997 
   5998   *) Implement binary inversion algorithm for BN_mod_inverse in addition
   5999      to the algorithm using long division.  The binary algorithm can be
   6000      used only if the modulus is odd.  On 32-bit systems, it is faster
   6001      only for relatively small moduli (roughly 20-30% for 128-bit moduli,
   6002      roughly 5-15% for 256-bit moduli), so we use it only for moduli
   6003      up to 450 bits.  In 64-bit environments, the binary algorithm
   6004      appears to be advantageous for much longer moduli; here we use it
   6005      for moduli up to 2048 bits.
   6006      [Bodo Moeller]
   6007 
   6008   *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
   6009      could not support the combine flag in choice fields.
   6010      [Steve Henson]
   6011 
   6012   *) Add a 'copy_extensions' option to the 'ca' utility. This copies
   6013      extensions from a certificate request to the certificate.
   6014      [Steve Henson]
   6015 
   6016   *) Allow multiple 'certopt' and 'nameopt' options to be separated
   6017      by commas. Add 'namopt' and 'certopt' options to the 'ca' config
   6018      file: this allows the display of the certificate about to be
   6019      signed to be customised, to allow certain fields to be included
   6020      or excluded and extension details. The old system didn't display
   6021      multicharacter strings properly, omitted fields not in the policy
   6022      and couldn't display additional details such as extensions.
   6023      [Steve Henson]
   6024 
   6025   *) Function EC_POINTs_mul for multiple scalar multiplication
   6026      of an arbitrary number of elliptic curve points
   6027           \sum scalars[i]*points[i],
   6028      optionally including the generator defined for the EC_GROUP:
   6029           scalar*generator +  \sum scalars[i]*points[i].
   6030 
   6031      EC_POINT_mul is a simple wrapper function for the typical case
   6032      that the point list has just one item (besides the optional
   6033      generator).
   6034      [Bodo Moeller]
   6035 
   6036   *) First EC_METHODs for curves over GF(p):
   6037 
   6038      EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
   6039      operations and provides various method functions that can also
   6040      operate with faster implementations of modular arithmetic.     
   6041 
   6042      EC_GFp_mont_method() reuses most functions that are part of
   6043      EC_GFp_simple_method, but uses Montgomery arithmetic.
   6044 
   6045      [Bodo Moeller; point addition and point doubling
   6046      implementation directly derived from source code provided by
   6047      Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>]
   6048 
   6049   *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
   6050      crypto/ec/ec_lib.c):
   6051 
   6052      Curves are EC_GROUP objects (with an optional group generator)
   6053      based on EC_METHODs that are built into the library.
   6054 
   6055      Points are EC_POINT objects based on EC_GROUP objects.
   6056 
   6057      Most of the framework would be able to handle curves over arbitrary
   6058      finite fields, but as there are no obvious types for fields other
   6059      than GF(p), some functions are limited to that for now.
   6060      [Bodo Moeller]
   6061 
   6062   *) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
   6063      that the file contains a complete HTTP response.
   6064      [Richard Levitte]
   6065 
   6066   *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
   6067      change the def and num file printf format specifier from "%-40sXXX"
   6068      to "%-39s XXX". The latter will always guarantee a space after the
   6069      field while the former will cause them to run together if the field
   6070      is 40 of more characters long.
   6071      [Steve Henson]
   6072 
   6073   *) Constify the cipher and digest 'method' functions and structures
   6074      and modify related functions to take constant EVP_MD and EVP_CIPHER
   6075      pointers.
   6076      [Steve Henson]
   6077 
   6078   *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
   6079      in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
   6080      [Bodo Moeller]
   6081 
   6082   *) Modify EVP_Digest*() routines so they now return values. Although the
   6083      internal software routines can never fail additional hardware versions
   6084      might.
   6085      [Steve Henson]
   6086 
   6087   *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
   6088 
   6089      Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
   6090      (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
   6091 
   6092      ASN1 error codes
   6093           ERR_R_NESTED_ASN1_ERROR
   6094           ...
   6095           ERR_R_MISSING_ASN1_EOS
   6096      were 4 .. 9, conflicting with
   6097           ERR_LIB_RSA (= ERR_R_RSA_LIB)
   6098           ...
   6099           ERR_LIB_PEM (= ERR_R_PEM_LIB).
   6100      They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
   6101 
   6102      Add new error code 'ERR_R_INTERNAL_ERROR'.
   6103      [Bodo Moeller]
   6104 
   6105   *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
   6106      suffices.
   6107      [Bodo Moeller]
   6108 
   6109   *) New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
   6110      sets the subject name for a new request or supersedes the
   6111      subject name in a given request. Formats that can be parsed are
   6112           'CN=Some Name, OU=myOU, C=IT'
   6113      and
   6114           'CN=Some Name/OU=myOU/C=IT'.
   6115 
   6116      Add options '-batch' and '-verbose' to 'openssl req'.
   6117      [Massimiliano Pala <madwolf (a] hackmasters.net>]
   6118 
   6119   *) Introduce the possibility to access global variables through
   6120      functions on platform were that's the best way to handle exporting
   6121      global variables in shared libraries.  To enable this functionality,
   6122      one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
   6123      "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
   6124      is normally done by Configure or something similar).
   6125 
   6126      To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
   6127      in the source file (foo.c) like this:
   6128 
   6129 	OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
   6130 	OPENSSL_IMPLEMENT_GLOBAL(double,bar);
   6131 
   6132      To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
   6133      and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
   6134 
   6135 	OPENSSL_DECLARE_GLOBAL(int,foo);
   6136 	#define foo OPENSSL_GLOBAL_REF(foo)
   6137 	OPENSSL_DECLARE_GLOBAL(double,bar);
   6138 	#define bar OPENSSL_GLOBAL_REF(bar)
   6139 
   6140      The #defines are very important, and therefore so is including the
   6141      header file everywhere where the defined globals are used.
   6142 
   6143      The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
   6144      of ASN.1 items, but that structure is a bit different.
   6145 
   6146      The largest change is in util/mkdef.pl which has been enhanced with
   6147      better and easier to understand logic to choose which symbols should
   6148      go into the Windows .def files as well as a number of fixes and code
   6149      cleanup (among others, algorithm keywords are now sorted
   6150      lexicographically to avoid constant rewrites).
   6151      [Richard Levitte]
   6152 
   6153   *) In BN_div() keep a copy of the sign of 'num' before writing the
   6154      result to 'rm' because if rm==num the value will be overwritten
   6155      and produce the wrong result if 'num' is negative: this caused
   6156      problems with BN_mod() and BN_nnmod().
   6157      [Steve Henson]
   6158 
   6159   *) Function OCSP_request_verify(). This checks the signature on an
   6160      OCSP request and verifies the signer certificate. The signer
   6161      certificate is just checked for a generic purpose and OCSP request
   6162      trust settings.
   6163      [Steve Henson]
   6164 
   6165   *) Add OCSP_check_validity() function to check the validity of OCSP
   6166      responses. OCSP responses are prepared in real time and may only
   6167      be a few seconds old. Simply checking that the current time lies
   6168      between thisUpdate and nextUpdate max reject otherwise valid responses
   6169      caused by either OCSP responder or client clock inaccuracy. Instead
   6170      we allow thisUpdate and nextUpdate to fall within a certain period of
   6171      the current time. The age of the response can also optionally be
   6172      checked. Two new options -validity_period and -status_age added to
   6173      ocsp utility.
   6174      [Steve Henson]
   6175 
   6176   *) If signature or public key algorithm is unrecognized print out its
   6177      OID rather that just UNKNOWN.
   6178      [Steve Henson]
   6179 
   6180   *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
   6181      OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
   6182      ID to be generated from the issuer certificate alone which can then be
   6183      passed to OCSP_id_issuer_cmp().
   6184      [Steve Henson]
   6185 
   6186   *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
   6187      ASN1 modules to export functions returning ASN1_ITEM pointers
   6188      instead of the ASN1_ITEM structures themselves. This adds several
   6189      new macros which allow the underlying ASN1 function/structure to
   6190      be accessed transparently. As a result code should not use ASN1_ITEM
   6191      references directly (such as &X509_it) but instead use the relevant
   6192      macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
   6193      use of the new ASN1 code on platforms where exporting structures
   6194      is problematical (for example in shared libraries) but exporting
   6195      functions returning pointers to structures is not.
   6196      [Steve Henson]
   6197 
   6198   *) Add support for overriding the generation of SSL/TLS session IDs.
   6199      These callbacks can be registered either in an SSL_CTX or per SSL.
   6200      The purpose of this is to allow applications to control, if they wish,
   6201      the arbitrary values chosen for use as session IDs, particularly as it
   6202      can be useful for session caching in multiple-server environments. A
   6203      command-line switch for testing this (and any client code that wishes
   6204      to use such a feature) has been added to "s_server".
   6205      [Geoff Thorpe, Lutz Jaenicke]
   6206 
   6207   *) Modify mkdef.pl to recognise and parse preprocessor conditionals
   6208      of the form '#if defined(...) || defined(...) || ...' and
   6209      '#if !defined(...) && !defined(...) && ...'.  This also avoids
   6210      the growing number of special cases it was previously handling.
   6211      [Richard Levitte]
   6212 
   6213   *) Make all configuration macros available for application by making
   6214      sure they are available in opensslconf.h, by giving them names starting
   6215      with "OPENSSL_" to avoid conflicts with other packages and by making
   6216      sure e_os2.h will cover all platform-specific cases together with
   6217      opensslconf.h.
   6218      Additionally, it is now possible to define configuration/platform-
   6219      specific names (called "system identities").  In the C code, these
   6220      are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
   6221      macro with the name beginning with "OPENSSL_SYS_", which is determined
   6222      from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
   6223      what is available.
   6224      [Richard Levitte]
   6225 
   6226   *) New option -set_serial to 'req' and 'x509' this allows the serial
   6227      number to use to be specified on the command line. Previously self
   6228      signed certificates were hard coded with serial number 0 and the 
   6229      CA options of 'x509' had to use a serial number in a file which was
   6230      auto incremented.
   6231      [Steve Henson]
   6232 
   6233   *) New options to 'ca' utility to support V2 CRL entry extensions.
   6234      Currently CRL reason, invalidity date and hold instruction are
   6235      supported. Add new CRL extensions to V3 code and some new objects.
   6236      [Steve Henson]
   6237 
   6238   *) New function EVP_CIPHER_CTX_set_padding() this is used to
   6239      disable standard block padding (aka PKCS#5 padding) in the EVP
   6240      API, which was previously mandatory. This means that the data is
   6241      not padded in any way and so the total length much be a multiple
   6242      of the block size, otherwise an error occurs.
   6243      [Steve Henson]
   6244 
   6245   *) Initial (incomplete) OCSP SSL support.
   6246      [Steve Henson]
   6247 
   6248   *) New function OCSP_parse_url(). This splits up a URL into its host,
   6249      port and path components: primarily to parse OCSP URLs. New -url
   6250      option to ocsp utility.
   6251      [Steve Henson]
   6252 
   6253   *) New nonce behavior. The return value of OCSP_check_nonce() now 
   6254      reflects the various checks performed. Applications can decide
   6255      whether to tolerate certain situations such as an absent nonce
   6256      in a response when one was present in a request: the ocsp application
   6257      just prints out a warning. New function OCSP_add1_basic_nonce()
   6258      this is to allow responders to include a nonce in a response even if
   6259      the request is nonce-less.
   6260      [Steve Henson]
   6261 
   6262   *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
   6263      skipped when using openssl x509 multiple times on a single input file,
   6264      e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
   6265      [Bodo Moeller]
   6266 
   6267   *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
   6268      set string type: to handle setting ASN1_TIME structures. Fix ca
   6269      utility to correctly initialize revocation date of CRLs.
   6270      [Steve Henson]
   6271 
   6272   *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
   6273      the clients preferred ciphersuites and rather use its own preferences.
   6274      Should help to work around M$ SGC (Server Gated Cryptography) bug in
   6275      Internet Explorer by ensuring unchanged hash method during stepup.
   6276      (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
   6277      [Lutz Jaenicke]
   6278 
   6279   *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
   6280      to aes and add a new 'exist' option to print out symbols that don't
   6281      appear to exist.
   6282      [Steve Henson]
   6283 
   6284   *) Additional options to ocsp utility to allow flags to be set and
   6285      additional certificates supplied.
   6286      [Steve Henson]
   6287 
   6288   *) Add the option -VAfile to 'openssl ocsp', so the user can give the
   6289      OCSP client a number of certificate to only verify the response
   6290      signature against.
   6291      [Richard Levitte]
   6292 
   6293   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
   6294      handle the new API. Currently only ECB, CBC modes supported. Add new
   6295      AES OIDs.
   6296 
   6297      Add TLS AES ciphersuites as described in RFC3268, "Advanced
   6298      Encryption Standard (AES) Ciphersuites for Transport Layer
   6299      Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
   6300      not enabled by default and were not part of the "ALL" ciphersuite
   6301      alias because they were not yet official; they could be
   6302      explicitly requested by specifying the "AESdraft" ciphersuite
   6303      group alias.  In the final release of OpenSSL 0.9.7, the group
   6304      alias is called "AES" and is part of "ALL".)
   6305      [Ben Laurie, Steve  Henson, Bodo Moeller]
   6306 
   6307   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
   6308      request to response.
   6309      [Steve Henson]
   6310 
   6311   *) Functions for OCSP responders. OCSP_request_onereq_count(),
   6312      OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
   6313      extract information from a certificate request. OCSP_response_create()
   6314      creates a response and optionally adds a basic response structure.
   6315      OCSP_basic_add1_status() adds a complete single response to a basic
   6316      response and returns the OCSP_SINGLERESP structure just added (to allow
   6317      extensions to be included for example). OCSP_basic_add1_cert() adds a
   6318      certificate to a basic response and OCSP_basic_sign() signs a basic
   6319      response with various flags. New helper functions ASN1_TIME_check()
   6320      (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
   6321      (converts ASN1_TIME to GeneralizedTime).
   6322      [Steve Henson]
   6323 
   6324   *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
   6325      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
   6326      structure from a certificate. X509_pubkey_digest() digests the public_key
   6327      contents: this is used in various key identifiers. 
   6328      [Steve Henson]
   6329 
   6330   *) Make sk_sort() tolerate a NULL argument.
   6331      [Steve Henson reported by Massimiliano Pala <madwolf (a] comune.modena.it>]
   6332 
   6333   *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
   6334      passed by the function are trusted implicitly. If any of them signed the
   6335      response then it is assumed to be valid and is not verified.
   6336      [Steve Henson]
   6337 
   6338   *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
   6339      to data. This was previously part of the PKCS7 ASN1 code. This
   6340      was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
   6341      [Steve Henson, reported by Kenneth R. Robinette
   6342 				<support (a] securenetterm.com>]
   6343 
   6344   *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
   6345      routines: without these tracing memory leaks is very painful.
   6346      Fix leaks in PKCS12 and PKCS7 routines.
   6347      [Steve Henson]
   6348 
   6349   *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
   6350      Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
   6351      effectively meant GeneralizedTime would never be used. Now it
   6352      is initialised to -1 but X509_time_adj() now has to check the value
   6353      and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
   6354      V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
   6355      [Steve Henson, reported by Kenneth R. Robinette
   6356 				<support (a] securenetterm.com>]
   6357 
   6358   *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
   6359      result in a zero length in the ASN1_INTEGER structure which was
   6360      not consistent with the structure when d2i_ASN1_INTEGER() was used
   6361      and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
   6362      to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
   6363      where it did not print out a minus for negative ASN1_INTEGER.
   6364      [Steve Henson]
   6365 
   6366   *) Add summary printout to ocsp utility. The various functions which
   6367      convert status values to strings have been renamed to:
   6368      OCSP_response_status_str(), OCSP_cert_status_str() and
   6369      OCSP_crl_reason_str() and are no longer static. New options
   6370      to verify nonce values and to disable verification. OCSP response
   6371      printout format cleaned up.
   6372      [Steve Henson]
   6373 
   6374   *) Add additional OCSP certificate checks. These are those specified
   6375      in RFC2560. This consists of two separate checks: the CA of the
   6376      certificate being checked must either be the OCSP signer certificate
   6377      or the issuer of the OCSP signer certificate. In the latter case the
   6378      OCSP signer certificate must contain the OCSP signing extended key
   6379      usage. This check is performed by attempting to match the OCSP
   6380      signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
   6381      in the OCSP_CERTID structures of the response.
   6382      [Steve Henson]
   6383 
   6384   *) Initial OCSP certificate verification added to OCSP_basic_verify()
   6385      and related routines. This uses the standard OpenSSL certificate
   6386      verify routines to perform initial checks (just CA validity) and
   6387      to obtain the certificate chain. Then additional checks will be
   6388      performed on the chain. Currently the root CA is checked to see
   6389      if it is explicitly trusted for OCSP signing. This is used to set
   6390      a root CA as a global signing root: that is any certificate that
   6391      chains to that CA is an acceptable OCSP signing certificate.
   6392      [Steve Henson]
   6393 
   6394   *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
   6395      extensions from a separate configuration file.
   6396      As when reading extensions from the main configuration file,
   6397      the '-extensions ...' option may be used for specifying the
   6398      section to use.
   6399      [Massimiliano Pala <madwolf (a] comune.modena.it>]
   6400 
   6401   *) New OCSP utility. Allows OCSP requests to be generated or
   6402      read. The request can be sent to a responder and the output
   6403      parsed, outputed or printed in text form. Not complete yet:
   6404      still needs to check the OCSP response validity.
   6405      [Steve Henson]
   6406 
   6407   *) New subcommands for 'openssl ca':
   6408      'openssl ca -status <serial>' prints the status of the cert with
   6409      the given serial number (according to the index file).
   6410      'openssl ca -updatedb' updates the expiry status of certificates
   6411      in the index file.
   6412      [Massimiliano Pala <madwolf (a] comune.modena.it>]
   6413 
   6414   *) New '-newreq-nodes' command option to CA.pl.  This is like
   6415      '-newreq', but calls 'openssl req' with the '-nodes' option
   6416      so that the resulting key is not encrypted.
   6417      [Damien Miller <djm (a] mindrot.org>]
   6418 
   6419   *) New configuration for the GNU Hurd.
   6420      [Jonathan Bartlett <johnnyb (a] wolfram.com> via Richard Levitte]
   6421 
   6422   *) Initial code to implement OCSP basic response verify. This
   6423      is currently incomplete. Currently just finds the signer's
   6424      certificate and verifies the signature on the response.
   6425      [Steve Henson]
   6426 
   6427   *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
   6428      value of OPENSSLDIR.  This is available via the new '-d' option
   6429      to 'openssl version', and is also included in 'openssl version -a'.
   6430      [Bodo Moeller]
   6431 
   6432   *) Allowing defining memory allocation callbacks that will be given
   6433      file name and line number information in additional arguments
   6434      (a const char* and an int).  The basic functionality remains, as
   6435      well as the original possibility to just replace malloc(),
   6436      realloc() and free() by functions that do not know about these
   6437      additional arguments.  To register and find out the current
   6438      settings for extended allocation functions, the following
   6439      functions are provided:
   6440 
   6441 	CRYPTO_set_mem_ex_functions
   6442 	CRYPTO_set_locked_mem_ex_functions
   6443 	CRYPTO_get_mem_ex_functions
   6444 	CRYPTO_get_locked_mem_ex_functions
   6445 
   6446      These work the same way as CRYPTO_set_mem_functions and friends.
   6447      CRYPTO_get_[locked_]mem_functions now writes 0 where such an
   6448      extended allocation function is enabled.
   6449      Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
   6450      a conventional allocation function is enabled.
   6451      [Richard Levitte, Bodo Moeller]
   6452 
   6453   *) Finish off removing the remaining LHASH function pointer casts.
   6454      There should no longer be any prototype-casting required when using
   6455      the LHASH abstraction, and any casts that remain are "bugs". See
   6456      the callback types and macros at the head of lhash.h for details
   6457      (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
   6458      [Geoff Thorpe]
   6459 
   6460   *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
   6461      If /dev/[u]random devices are not available or do not return enough
   6462      entropy, EGD style sockets (served by EGD or PRNGD) will automatically
   6463      be queried.
   6464      The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
   6465      /etc/entropy will be queried once each in this sequence, quering stops
   6466      when enough entropy was collected without querying more sockets.
   6467      [Lutz Jaenicke]
   6468 
   6469   *) Change the Unix RAND_poll() variant to be able to poll several
   6470      random devices, as specified by DEVRANDOM, until a sufficient amount
   6471      of data has been collected.   We spend at most 10 ms on each file
   6472      (select timeout) and read in non-blocking mode.  DEVRANDOM now
   6473      defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
   6474      (previously it was just the string "/dev/urandom"), so on typical
   6475      platforms the 10 ms delay will never occur.
   6476      Also separate out the Unix variant to its own file, rand_unix.c.
   6477      For VMS, there's a currently-empty rand_vms.c.
   6478      [Richard Levitte]
   6479 
   6480   *) Move OCSP client related routines to ocsp_cl.c. These
   6481      provide utility functions which an application needing
   6482      to issue a request to an OCSP responder and analyse the
   6483      response will typically need: as opposed to those which an
   6484      OCSP responder itself would need which will be added later.
   6485 
   6486      OCSP_request_sign() signs an OCSP request with an API similar
   6487      to PKCS7_sign(). OCSP_response_status() returns status of OCSP
   6488      response. OCSP_response_get1_basic() extracts basic response
   6489      from response. OCSP_resp_find_status(): finds and extracts status
   6490      information from an OCSP_CERTID structure (which will be created
   6491      when the request structure is built). These are built from lower
   6492      level functions which work on OCSP_SINGLERESP structures but
   6493      wont normally be used unless the application wishes to examine
   6494      extensions in the OCSP response for example.
   6495 
   6496      Replace nonce routines with a pair of functions.
   6497      OCSP_request_add1_nonce() adds a nonce value and optionally
   6498      generates a random value. OCSP_check_nonce() checks the
   6499      validity of the nonce in an OCSP response.
   6500      [Steve Henson]
   6501 
   6502   *) Change function OCSP_request_add() to OCSP_request_add0_id().
   6503      This doesn't copy the supplied OCSP_CERTID and avoids the
   6504      need to free up the newly created id. Change return type
   6505      to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
   6506      This can then be used to add extensions to the request.
   6507      Deleted OCSP_request_new(), since most of its functionality
   6508      is now in OCSP_REQUEST_new() (and the case insensitive name
   6509      clash) apart from the ability to set the request name which
   6510      will be added elsewhere.
   6511      [Steve Henson]
   6512 
   6513   *) Update OCSP API. Remove obsolete extensions argument from
   6514      various functions. Extensions are now handled using the new
   6515      OCSP extension code. New simple OCSP HTTP function which 
   6516      can be used to send requests and parse the response.
   6517      [Steve Henson]
   6518 
   6519   *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
   6520      ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
   6521      uses the special reorder version of SET OF to sort the attributes
   6522      and reorder them to match the encoded order. This resolves a long
   6523      standing problem: a verify on a PKCS7 structure just after signing
   6524      it used to fail because the attribute order did not match the
   6525      encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
   6526      it uses the received order. This is necessary to tolerate some broken
   6527      software that does not order SET OF. This is handled by encoding
   6528      as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
   6529      to produce the required SET OF.
   6530      [Steve Henson]
   6531 
   6532   *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
   6533      OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
   6534      files to get correct declarations of the ASN.1 item variables.
   6535      [Richard Levitte]
   6536 
   6537   *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
   6538      PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
   6539      asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
   6540      NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
   6541      New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
   6542      ASN1_ITEM and no wrapper functions.
   6543      [Steve Henson]
   6544 
   6545   *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
   6546      replace the old function pointer based I/O routines. Change most of
   6547      the *_d2i_bio() and *_d2i_fp() functions to use these.
   6548      [Steve Henson]
   6549 
   6550   *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
   6551      lines, recognice more "algorithms" that can be deselected, and make
   6552      it complain about algorithm deselection that isn't recognised.
   6553      [Richard Levitte]
   6554 
   6555   *) New ASN1 functions to handle dup, sign, verify, digest, pack and
   6556      unpack operations in terms of ASN1_ITEM. Modify existing wrappers
   6557      to use new functions. Add NO_ASN1_OLD which can be set to remove
   6558      some old style ASN1 functions: this can be used to determine if old
   6559      code will still work when these eventually go away.
   6560      [Steve Henson]
   6561 
   6562   *) New extension functions for OCSP structures, these follow the
   6563      same conventions as certificates and CRLs.
   6564      [Steve Henson]
   6565 
   6566   *) New function X509V3_add1_i2d(). This automatically encodes and
   6567      adds an extension. Its behaviour can be customised with various
   6568      flags to append, replace or delete. Various wrappers added for
   6569      certifcates and CRLs.
   6570      [Steve Henson]
   6571 
   6572   *) Fix to avoid calling the underlying ASN1 print routine when
   6573      an extension cannot be parsed. Correct a typo in the
   6574      OCSP_SERVICELOC extension. Tidy up print OCSP format.
   6575      [Steve Henson]
   6576 
   6577   *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
   6578      entries for variables.
   6579      [Steve Henson]
   6580 
   6581   *) Add functionality to apps/openssl.c for detecting locking
   6582      problems: As the program is single-threaded, all we have
   6583      to do is register a locking callback using an array for
   6584      storing which locks are currently held by the program.
   6585      [Bodo Moeller]
   6586 
   6587   *) Use a lock around the call to CRYPTO_get_ex_new_index() in
   6588      SSL_get_ex_data_X509_STORE_idx(), which is used in
   6589      ssl_verify_cert_chain() and thus can be called at any time
   6590      during TLS/SSL handshakes so that thread-safety is essential.
   6591      Unfortunately, the ex_data design is not at all suited
   6592      for multi-threaded use, so it probably should be abolished.
   6593      [Bodo Moeller]
   6594 
   6595   *) Added Broadcom "ubsec" ENGINE to OpenSSL.
   6596      [Broadcom, tweaked and integrated by Geoff Thorpe]
   6597 
   6598   *) Move common extension printing code to new function
   6599      X509V3_print_extensions(). Reorganise OCSP print routines and
   6600      implement some needed OCSP ASN1 functions. Add OCSP extensions.
   6601      [Steve Henson]
   6602 
   6603   *) New function X509_signature_print() to remove duplication in some
   6604      print routines.
   6605      [Steve Henson]
   6606 
   6607   *) Add a special meaning when SET OF and SEQUENCE OF flags are both
   6608      set (this was treated exactly the same as SET OF previously). This
   6609      is used to reorder the STACK representing the structure to match the
   6610      encoding. This will be used to get round a problem where a PKCS7
   6611      structure which was signed could not be verified because the STACK
   6612      order did not reflect the encoded order.
   6613      [Steve Henson]
   6614 
   6615   *) Reimplement the OCSP ASN1 module using the new code.
   6616      [Steve Henson]
   6617 
   6618   *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
   6619      for its ASN1 operations. The old style function pointers still exist
   6620      for now but they will eventually go away.
   6621      [Steve Henson]
   6622 
   6623   *) Merge in replacement ASN1 code from the ASN1 branch. This almost
   6624      completely replaces the old ASN1 functionality with a table driven
   6625      encoder and decoder which interprets an ASN1_ITEM structure describing
   6626      the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
   6627      largely maintained. Almost all of the old asn1_mac.h macro based ASN1
   6628      has also been converted to the new form.
   6629      [Steve Henson]
   6630 
   6631   *) Change BN_mod_exp_recp so that negative moduli are tolerated
   6632      (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
   6633      so that BN_mod_exp_mont and BN_mod_exp_mont_word work
   6634      for negative moduli.
   6635      [Bodo Moeller]
   6636 
   6637   *) Fix BN_uadd and BN_usub: Always return non-negative results instead
   6638      of not touching the result's sign bit.
   6639      [Bodo Moeller]
   6640 
   6641   *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
   6642      set.
   6643      [Bodo Moeller]
   6644 
   6645   *) Changed the LHASH code to use prototypes for callbacks, and created
   6646      macros to declare and implement thin (optionally static) functions
   6647      that provide type-safety and avoid function pointer casting for the
   6648      type-specific callbacks.
   6649      [Geoff Thorpe]
   6650 
   6651   *) Added Kerberos Cipher Suites to be used with TLS, as written in
   6652      RFC 2712.
   6653      [Veers Staats <staatsvr (a] asc.hpc.mil>,
   6654       Jeffrey Altman <jaltman (a] columbia.edu>, via Richard Levitte]
   6655 
   6656   *) Reformat the FAQ so the different questions and answers can be divided
   6657      in sections depending on the subject.
   6658      [Richard Levitte]
   6659 
   6660   *) Have the zlib compression code load ZLIB.DLL dynamically under
   6661      Windows.
   6662      [Richard Levitte]
   6663 
   6664   *) New function BN_mod_sqrt for computing square roots modulo a prime
   6665      (using the probabilistic Tonelli-Shanks algorithm unless
   6666      p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
   6667      be handled deterministically).
   6668      [Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>, Bodo Moeller]
   6669 
   6670   *) Make BN_mod_inverse faster by explicitly handling small quotients
   6671      in the Euclid loop. (Speed gain about 20% for small moduli [256 or
   6672      512 bits], about 30% for larger ones [1024 or 2048 bits].)
   6673      [Bodo Moeller]
   6674 
   6675   *) New function BN_kronecker.
   6676      [Bodo Moeller]
   6677 
   6678   *) Fix BN_gcd so that it works on negative inputs; the result is
   6679      positive unless both parameters are zero.
   6680      Previously something reasonably close to an infinite loop was
   6681      possible because numbers could be growing instead of shrinking
   6682      in the implementation of Euclid's algorithm.
   6683      [Bodo Moeller]
   6684 
   6685   *) Fix BN_is_word() and BN_is_one() macros to take into account the
   6686      sign of the number in question.
   6687 
   6688      Fix BN_is_word(a,w) to work correctly for w == 0.
   6689 
   6690      The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
   6691      because its test if the absolute value of 'a' equals 'w'.
   6692      Note that BN_abs_is_word does *not* handle w == 0 reliably;
   6693      it exists mostly for use in the implementations of BN_is_zero(),
   6694      BN_is_one(), and BN_is_word().
   6695      [Bodo Moeller]
   6696 
   6697   *) New function BN_swap.
   6698      [Bodo Moeller]
   6699 
   6700   *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
   6701      the exponentiation functions are more likely to produce reasonable
   6702      results on negative inputs.
   6703      [Bodo Moeller]
   6704 
   6705   *) Change BN_mod_mul so that the result is always non-negative.
   6706      Previously, it could be negative if one of the factors was negative;
   6707      I don't think anyone really wanted that behaviour.
   6708      [Bodo Moeller]
   6709 
   6710   *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
   6711      (except for exponentiation, which stays in crypto/bn/bn_exp.c,
   6712      and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
   6713      and add new functions:
   6714 
   6715           BN_nnmod
   6716           BN_mod_sqr
   6717           BN_mod_add
   6718           BN_mod_add_quick
   6719           BN_mod_sub
   6720           BN_mod_sub_quick
   6721           BN_mod_lshift1
   6722           BN_mod_lshift1_quick
   6723           BN_mod_lshift
   6724           BN_mod_lshift_quick
   6725 
   6726      These functions always generate non-negative results.
   6727 
   6728      BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
   6729      such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
   6730 
   6731      BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
   6732      BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
   6733      be reduced modulo  m.
   6734      [Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>, Bodo Moeller]
   6735 
   6736 #if 0
   6737      The following entry accidentily appeared in the CHANGES file
   6738      distributed with OpenSSL 0.9.7.  The modifications described in
   6739      it do *not* apply to OpenSSL 0.9.7.
   6740 
   6741   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   6742      was actually never needed) and in BN_mul().  The removal in BN_mul()
   6743      required a small change in bn_mul_part_recursive() and the addition
   6744      of the functions bn_cmp_part_words(), bn_sub_part_words() and
   6745      bn_add_part_words(), which do the same thing as bn_cmp_words(),
   6746      bn_sub_words() and bn_add_words() except they take arrays with
   6747      differing sizes.
   6748      [Richard Levitte]
   6749 #endif
   6750 
   6751   *) In 'openssl passwd', verify passwords read from the terminal
   6752      unless the '-salt' option is used (which usually means that
   6753      verification would just waste user's time since the resulting
   6754      hash is going to be compared with some given password hash)
   6755      or the new '-noverify' option is used.
   6756 
   6757      This is an incompatible change, but it does not affect
   6758      non-interactive use of 'openssl passwd' (passwords on the command
   6759      line, '-stdin' option, '-in ...' option) and thus should not
   6760      cause any problems.
   6761      [Bodo Moeller]
   6762 
   6763   *) Remove all references to RSAref, since there's no more need for it.
   6764      [Richard Levitte]
   6765 
   6766   *) Make DSO load along a path given through an environment variable
   6767      (SHLIB_PATH) with shl_load().
   6768      [Richard Levitte]
   6769 
   6770   *) Constify the ENGINE code as a result of BIGNUM constification.
   6771      Also constify the RSA code and most things related to it.  In a
   6772      few places, most notable in the depth of the ASN.1 code, ugly
   6773      casts back to non-const were required (to be solved at a later
   6774      time)
   6775      [Richard Levitte]
   6776 
   6777   *) Make it so the openssl application has all engines loaded by default.
   6778      [Richard Levitte]
   6779 
   6780   *) Constify the BIGNUM routines a little more.
   6781      [Richard Levitte]
   6782 
   6783   *) Add the following functions:
   6784 
   6785 	ENGINE_load_cswift()
   6786 	ENGINE_load_chil()
   6787 	ENGINE_load_atalla()
   6788 	ENGINE_load_nuron()
   6789 	ENGINE_load_builtin_engines()
   6790 
   6791      That way, an application can itself choose if external engines that
   6792      are built-in in OpenSSL shall ever be used or not.  The benefit is
   6793      that applications won't have to be linked with libdl or other dso
   6794      libraries unless it's really needed.
   6795 
   6796      Changed 'openssl engine' to load all engines on demand.
   6797      Changed the engine header files to avoid the duplication of some
   6798      declarations (they differed!).
   6799      [Richard Levitte]
   6800 
   6801   *) 'openssl engine' can now list capabilities.
   6802      [Richard Levitte]
   6803 
   6804   *) Better error reporting in 'openssl engine'.
   6805      [Richard Levitte]
   6806 
   6807   *) Never call load_dh_param(NULL) in s_server.
   6808      [Bodo Moeller]
   6809 
   6810   *) Add engine application.  It can currently list engines by name and
   6811      identity, and test if they are actually available.
   6812      [Richard Levitte]
   6813 
   6814   *) Improve RPM specification file by forcing symbolic linking and making
   6815      sure the installed documentation is also owned by root.root.
   6816      [Damien Miller <djm (a] mindrot.org>]
   6817 
   6818   *) Give the OpenSSL applications more possibilities to make use of
   6819      keys (public as well as private) handled by engines.
   6820      [Richard Levitte]
   6821 
   6822   *) Add OCSP code that comes from CertCo.
   6823      [Richard Levitte]
   6824 
   6825   *) Add VMS support for the Rijndael code.
   6826      [Richard Levitte]
   6827 
   6828   *) Added untested support for Nuron crypto accelerator.
   6829      [Ben Laurie]
   6830 
   6831   *) Add support for external cryptographic devices.  This code was
   6832      previously distributed separately as the "engine" branch.
   6833      [Geoff Thorpe, Richard Levitte]
   6834 
   6835   *) Rework the filename-translation in the DSO code. It is now possible to
   6836      have far greater control over how a "name" is turned into a filename
   6837      depending on the operating environment and any oddities about the
   6838      different shared library filenames on each system.
   6839      [Geoff Thorpe]
   6840 
   6841   *) Support threads on FreeBSD-elf in Configure.
   6842      [Richard Levitte]
   6843 
   6844   *) Fix for SHA1 assembly problem with MASM: it produces
   6845      warnings about corrupt line number information when assembling
   6846      with debugging information. This is caused by the overlapping
   6847      of two sections.
   6848      [Bernd Matthes <mainbug (a] celocom.de>, Steve Henson]
   6849 
   6850   *) NCONF changes.
   6851      NCONF_get_number() has no error checking at all.  As a replacement,
   6852      NCONF_get_number_e() is defined (_e for "error checking") and is
   6853      promoted strongly.  The old NCONF_get_number is kept around for
   6854      binary backward compatibility.
   6855      Make it possible for methods to load from something other than a BIO,
   6856      by providing a function pointer that is given a name instead of a BIO.
   6857      For example, this could be used to load configuration data from an
   6858      LDAP server.
   6859      [Richard Levitte]
   6860 
   6861   *) Fix for non blocking accept BIOs. Added new I/O special reason
   6862      BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
   6863      with non blocking I/O was not possible because no retry code was
   6864      implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
   6865      this case.
   6866      [Steve Henson]
   6867 
   6868   *) Added the beginnings of Rijndael support.
   6869      [Ben Laurie]
   6870 
   6871   *) Fix for bug in DirectoryString mask setting. Add support for
   6872      X509_NAME_print_ex() in 'req' and X509_print_ex() function
   6873      to allow certificate printing to more controllable, additional
   6874      'certopt' option to 'x509' to allow new printing options to be
   6875      set.
   6876      [Steve Henson]
   6877 
   6878   *) Clean old EAY MD5 hack from e_os.h.
   6879      [Richard Levitte]
   6880 
   6881  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
   6882 
   6883   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
   6884      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
   6885      [Joe Orton, Steve Henson]
   6886 
   6887  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
   6888 
   6889   *) Fix additional bug revealed by the NISCC test suite:
   6890 
   6891      Stop bug triggering large recursion when presented with
   6892      certain ASN.1 tags (CVE-2003-0851)
   6893      [Steve Henson]
   6894 
   6895  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
   6896 
   6897   *) Fix various bugs revealed by running the NISCC test suite:
   6898 
   6899      Stop out of bounds reads in the ASN1 code when presented with
   6900      invalid tags (CVE-2003-0543 and CVE-2003-0544).
   6901      
   6902      If verify callback ignores invalid public key errors don't try to check
   6903      certificate signature with the NULL public key.
   6904 
   6905      [Steve Henson]
   6906 
   6907   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   6908      if the server requested one: as stated in TLS 1.0 and SSL 3.0
   6909      specifications.
   6910      [Steve Henson]
   6911 
   6912   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   6913      extra data after the compression methods not only for TLS 1.0
   6914      but also for SSL 3.0 (as required by the specification).
   6915      [Bodo Moeller; problem pointed out by Matthias Loepfe]
   6916 
   6917   *) Change X509_certificate_type() to mark the key as exported/exportable
   6918      when it's 512 *bits* long, not 512 bytes.
   6919      [Richard Levitte]
   6920 
   6921  Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
   6922 
   6923   *) Countermeasure against the Klima-Pokorny-Rosa extension of
   6924      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
   6925      a protocol version number mismatch like a decryption error
   6926      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
   6927      [Bodo Moeller]
   6928 
   6929   *) Turn on RSA blinding by default in the default implementation
   6930      to avoid a timing attack. Applications that don't want it can call
   6931      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   6932      They would be ill-advised to do so in most cases.
   6933      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
   6934 
   6935   *) Change RSA blinding code so that it works when the PRNG is not
   6936      seeded (in this case, the secret RSA exponent is abused as
   6937      an unpredictable seed -- if it is not unpredictable, there
   6938      is no point in blinding anyway).  Make RSA blinding thread-safe
   6939      by remembering the creator's thread ID in rsa->blinding and
   6940      having all other threads use local one-time blinding factors
   6941      (this requires more computation than sharing rsa->blinding, but
   6942      avoids excessive locking; and if an RSA object is not shared
   6943      between threads, blinding will still be very fast).
   6944      [Bodo Moeller]
   6945 
   6946  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
   6947 
   6948   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   6949      via timing by performing a MAC computation even if incorrrect
   6950      block cipher padding has been found.  This is a countermeasure
   6951      against active attacks where the attacker has to distinguish
   6952      between bad padding and a MAC verification error. (CVE-2003-0078)
   6953 
   6954      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   6955      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   6956      Martin Vuagnoux (EPFL, Ilion)]
   6957 
   6958  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
   6959 
   6960   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
   6961      memory from it's contents.  This is done with a counter that will
   6962      place alternating values in each byte.  This can be used to solve
   6963      two issues: 1) the removal of calls to memset() by highly optimizing
   6964      compilers, and 2) cleansing with other values than 0, since those can
   6965      be read through on certain media, for example a swap space on disk.
   6966      [Geoff Thorpe]
   6967 
   6968   *) Bugfix: client side session caching did not work with external caching,
   6969      because the session->cipher setting was not restored when reloading
   6970      from the external cache. This problem was masked, when
   6971      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
   6972      (Found by Steve Haslam <steve (a] araqnid.ddts.net>.)
   6973      [Lutz Jaenicke]
   6974 
   6975   *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
   6976      length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
   6977      [Zeev Lieber <zeev-l (a] yahoo.com>]
   6978 
   6979   *) Undo an undocumented change introduced in 0.9.6e which caused
   6980      repeated calls to OpenSSL_add_all_ciphers() and 
   6981      OpenSSL_add_all_digests() to be ignored, even after calling
   6982      EVP_cleanup().
   6983      [Richard Levitte]
   6984 
   6985   *) Change the default configuration reader to deal with last line not
   6986      being properly terminated.
   6987      [Richard Levitte]
   6988 
   6989   *) Change X509_NAME_cmp() so it applies the special rules on handling
   6990      DN values that are of type PrintableString, as well as RDNs of type
   6991      emailAddress where the value has the type ia5String.
   6992      [stefank (a] valicert.com via Richard Levitte]
   6993 
   6994   *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   6995      the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   6996      doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   6997      the bitwise-OR of the two for use by the majority of applications
   6998      wanting this behaviour, and update the docs. The documented
   6999      behaviour and actual behaviour were inconsistent and had been
   7000      changing anyway, so this is more a bug-fix than a behavioural
   7001      change.
   7002      [Geoff Thorpe, diagnosed by Nadav Har'El]
   7003 
   7004   *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
   7005      (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
   7006      [Bodo Moeller]
   7007 
   7008   *) Fix initialization code race conditions in
   7009         SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
   7010         SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
   7011         SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
   7012         TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
   7013         ssl2_get_cipher_by_char(),
   7014         ssl3_get_cipher_by_char().
   7015      [Patrick McCormick <patrick (a] tellme.com>, Bodo Moeller]
   7016 
   7017   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
   7018      the cached sessions are flushed, as the remove_cb() might use ex_data
   7019      contents. Bug found by Sam Varshavchik <mrsam (a] courier-mta.com>
   7020      (see [openssl.org #212]).
   7021      [Geoff Thorpe, Lutz Jaenicke]
   7022 
   7023   *) Fix typo in OBJ_txt2obj which incorrectly passed the content
   7024      length, instead of the encoding length to d2i_ASN1_OBJECT.
   7025      [Steve Henson]
   7026 
   7027  Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
   7028 
   7029   *) [In 0.9.6g-engine release:]
   7030      Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
   7031      [Lynn Gazis <lgazis (a] rainbow.com>]
   7032 
   7033  Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
   7034 
   7035   *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
   7036      and get fix the header length calculation.
   7037      [Florian Weimer <Weimer (a] CERT.Uni-Stuttgart.DE>,
   7038 	Alon Kantor <alonk (a] checkpoint.com> (and others),
   7039 	Steve Henson]
   7040 
   7041   *) Use proper error handling instead of 'assertions' in buffer
   7042      overflow checks added in 0.9.6e.  This prevents DoS (the
   7043      assertions could call abort()).
   7044      [Arne Ansper <arne (a] ats.cyber.ee>, Bodo Moeller]
   7045 
   7046  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
   7047 
   7048   *) Add various sanity checks to asn1_get_length() to reject
   7049      the ASN1 length bytes if they exceed sizeof(long), will appear
   7050      negative or the content length exceeds the length of the
   7051      supplied buffer.
   7052      [Steve Henson, Adi Stav <stav (a] mercury.co.il>, James Yonan <jim (a] ntlp.com>]
   7053 
   7054   *) Fix cipher selection routines: ciphers without encryption had no flags
   7055      for the cipher strength set and where therefore not handled correctly
   7056      by the selection routines (PR #130).
   7057      [Lutz Jaenicke]
   7058 
   7059   *) Fix EVP_dsa_sha macro.
   7060      [Nils Larsch]
   7061 
   7062   *) New option
   7063           SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
   7064      for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
   7065      that was added in OpenSSL 0.9.6d.
   7066 
   7067      As the countermeasure turned out to be incompatible with some
   7068      broken SSL implementations, the new option is part of SSL_OP_ALL.
   7069      SSL_OP_ALL is usually employed when compatibility with weird SSL
   7070      implementations is desired (e.g. '-bugs' option to 's_client' and
   7071      's_server'), so the new option is automatically set in many
   7072      applications.
   7073      [Bodo Moeller]
   7074 
   7075   *) Changes in security patch:
   7076 
   7077      Changes marked "(CHATS)" were sponsored by the Defense Advanced
   7078      Research Projects Agency (DARPA) and Air Force Research Laboratory,
   7079      Air Force Materiel Command, USAF, under agreement number
   7080      F30602-01-2-0537.
   7081 
   7082   *) Add various sanity checks to asn1_get_length() to reject
   7083      the ASN1 length bytes if they exceed sizeof(long), will appear
   7084      negative or the content length exceeds the length of the
   7085      supplied buffer. (CVE-2002-0659)
   7086      [Steve Henson, Adi Stav <stav (a] mercury.co.il>, James Yonan <jim (a] ntlp.com>]
   7087 
   7088   *) Assertions for various potential buffer overflows, not known to
   7089      happen in practice.
   7090      [Ben Laurie (CHATS)]
   7091 
   7092   *) Various temporary buffers to hold ASCII versions of integers were
   7093      too small for 64 bit platforms. (CVE-2002-0655)
   7094      [Matthew Byng-Maddick <mbm (a] aldigital.co.uk> and Ben Laurie (CHATS)>
   7095 
   7096   *) Remote buffer overflow in SSL3 protocol - an attacker could
   7097      supply an oversized session ID to a client. (CVE-2002-0656)
   7098      [Ben Laurie (CHATS)]
   7099 
   7100   *) Remote buffer overflow in SSL2 protocol - an attacker could
   7101      supply an oversized client master key. (CVE-2002-0656)
   7102      [Ben Laurie (CHATS)]
   7103 
   7104  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
   7105 
   7106   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
   7107      encoded as NULL) with id-dsa-with-sha1.
   7108      [Nils Larsch <nla (a] trustcenter.de>; problem pointed out by Bodo Moeller]
   7109 
   7110   *) Check various X509_...() return values in apps/req.c.
   7111      [Nils Larsch <nla (a] trustcenter.de>]
   7112 
   7113   *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
   7114      an end-of-file condition would erronously be flagged, when the CRLF
   7115      was just at the end of a processed block. The bug was discovered when
   7116      processing data through a buffering memory BIO handing the data to a
   7117      BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
   7118      <ptsekov (a] syntrex.com> and Nedelcho Stanev.
   7119      [Lutz Jaenicke]
   7120 
   7121   *) Implement a countermeasure against a vulnerability recently found
   7122      in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
   7123      before application data chunks to avoid the use of known IVs
   7124      with data potentially chosen by the attacker.
   7125      [Bodo Moeller]
   7126 
   7127   *) Fix length checks in ssl3_get_client_hello().
   7128      [Bodo Moeller]
   7129 
   7130   *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
   7131      to prevent ssl3_read_internal() from incorrectly assuming that
   7132      ssl3_read_bytes() found application data while handshake
   7133      processing was enabled when in fact s->s3->in_read_app_data was
   7134      merely automatically cleared during the initial handshake.
   7135      [Bodo Moeller; problem pointed out by Arne Ansper <arne (a] ats.cyber.ee>]
   7136 
   7137   *) Fix object definitions for Private and Enterprise: they were not
   7138      recognized in their shortname (=lowercase) representation. Extend
   7139      obj_dat.pl to issue an error when using undefined keywords instead
   7140      of silently ignoring the problem (Svenning Sorensen
   7141      <sss (a] sss.dnsalias.net>).
   7142      [Lutz Jaenicke]
   7143 
   7144   *) Fix DH_generate_parameters() so that it works for 'non-standard'
   7145      generators, i.e. generators other than 2 and 5.  (Previously, the
   7146      code did not properly initialise the 'add' and 'rem' values to
   7147      BN_generate_prime().)
   7148 
   7149      In the new general case, we do not insist that 'generator' is
   7150      actually a primitive root: This requirement is rather pointless;
   7151      a generator of the order-q subgroup is just as good, if not
   7152      better.
   7153      [Bodo Moeller]
   7154  
   7155   *) Map new X509 verification errors to alerts. Discovered and submitted by
   7156      Tom Wu <tom (a] arcot.com>.
   7157      [Lutz Jaenicke]
   7158 
   7159   *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
   7160      returning non-zero before the data has been completely received
   7161      when using non-blocking I/O.
   7162      [Bodo Moeller; problem pointed out by John Hughes]
   7163 
   7164   *) Some of the ciphers missed the strength entry (SSL_LOW etc).
   7165      [Ben Laurie, Lutz Jaenicke]
   7166 
   7167   *) Fix bug in SSL_clear(): bad sessions were not removed (found by
   7168      Yoram Zahavi <YoramZ (a] gilian.com>).
   7169      [Lutz Jaenicke]
   7170 
   7171   *) Add information about CygWin 1.3 and on, and preserve proper
   7172      configuration for the versions before that.
   7173      [Corinna Vinschen <vinschen (a] redhat.com> and Richard Levitte]
   7174 
   7175   *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
   7176      check whether we deal with a copy of a session and do not delete from
   7177      the cache in this case. Problem reported by "Izhar Shoshani Levi"
   7178      <izhar (a] checkpoint.com>.
   7179      [Lutz Jaenicke]
   7180 
   7181   *) Do not store session data into the internal session cache, if it
   7182      is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
   7183      flag is set). Proposed by Aslam <aslam (a] funk.com>.
   7184      [Lutz Jaenicke]
   7185 
   7186   *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
   7187      value is 0.
   7188      [Richard Levitte]
   7189 
   7190   *) [In 0.9.6d-engine release:]
   7191      Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
   7192      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   7193 
   7194   *) Add the configuration target linux-s390x.
   7195      [Neale Ferguson <Neale.Ferguson (a] SoftwareAG-USA.com> via Richard Levitte]
   7196 
   7197   *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
   7198      ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
   7199      variable as an indication that a ClientHello message has been
   7200      received.  As the flag value will be lost between multiple
   7201      invocations of ssl3_accept when using non-blocking I/O, the
   7202      function may not be aware that a handshake has actually taken
   7203      place, thus preventing a new session from being added to the
   7204      session cache.
   7205 
   7206      To avoid this problem, we now set s->new_session to 2 instead of
   7207      using a local variable.
   7208      [Lutz Jaenicke, Bodo Moeller]
   7209 
   7210   *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
   7211      if the SSL_R_LENGTH_MISMATCH error is detected.
   7212      [Geoff Thorpe, Bodo Moeller]
   7213 
   7214   *) New 'shared_ldflag' column in Configure platform table.
   7215      [Richard Levitte]
   7216 
   7217   *) Fix EVP_CIPHER_mode macro.
   7218      ["Dan S. Camper" <dan (a] bti.net>]
   7219 
   7220   *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
   7221      type, we must throw them away by setting rr->length to 0.
   7222      [D P Chang <dpc (a] qualys.com>]
   7223 
   7224  Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
   7225 
   7226   *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
   7227      <Dominikus.Scherkl (a] biodata.com>.  (The previous implementation
   7228      worked incorrectly for those cases where  range = 10..._2  and
   7229      3*range  is two bits longer than  range.)
   7230      [Bodo Moeller]
   7231 
   7232   *) Only add signing time to PKCS7 structures if it is not already
   7233      present.
   7234      [Steve Henson]
   7235 
   7236   *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
   7237      OBJ_ld_ce should be OBJ_id_ce.
   7238      Also some ip-pda OIDs in crypto/objects/objects.txt were
   7239      incorrect (cf. RFC 3039).
   7240      [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
   7241 
   7242   *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
   7243      returns early because it has nothing to do.
   7244      [Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7245 
   7246   *) [In 0.9.6c-engine release:]
   7247      Fix mutex callback return values in crypto/engine/hw_ncipher.c.
   7248      [Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7249 
   7250   *) [In 0.9.6c-engine release:]
   7251      Add support for Cryptographic Appliance's keyserver technology.
   7252      (Use engine 'keyclient')
   7253      [Cryptographic Appliances and Geoff Thorpe]
   7254 
   7255   *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
   7256      is called via tools/c89.sh because arguments have to be
   7257      rearranged (all '-L' options must appear before the first object
   7258      modules).
   7259      [Richard Shapiro <rshapiro (a] abinitio.com>]
   7260 
   7261   *) [In 0.9.6c-engine release:]
   7262      Add support for Broadcom crypto accelerator cards, backported
   7263      from 0.9.7.
   7264      [Broadcom, Nalin Dahyabhai <nalin (a] redhat.com>, Mark Cox]
   7265 
   7266   *) [In 0.9.6c-engine release:]
   7267      Add support for SureWare crypto accelerator cards from 
   7268      Baltimore Technologies.  (Use engine 'sureware')
   7269      [Baltimore Technologies and Mark Cox]
   7270 
   7271   *) [In 0.9.6c-engine release:]
   7272      Add support for crypto accelerator cards from Accelerated
   7273      Encryption Processing, www.aep.ie.  (Use engine 'aep')
   7274      [AEP Inc. and Mark Cox]
   7275 
   7276   *) Add a configuration entry for gcc on UnixWare.
   7277      [Gary Benson <gbenson (a] redhat.com>]
   7278 
   7279   *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
   7280      messages are stored in a single piece (fixed-length part and
   7281      variable-length part combined) and fix various bugs found on the way.
   7282      [Bodo Moeller]
   7283 
   7284   *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
   7285      instead.  BIO_gethostbyname() does not know what timeouts are
   7286      appropriate, so entries would stay in cache even when they have
   7287      become invalid.
   7288      [Bodo Moeller; problem pointed out by Rich Salz <rsalz (a] zolera.com>
   7289 
   7290   *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
   7291      faced with a pathologically small ClientHello fragment that does
   7292      not contain client_version: Instead of aborting with an error,
   7293      simply choose the highest available protocol version (i.e.,
   7294      TLS 1.0 unless it is disabled).  In practice, ClientHello
   7295      messages are never sent like this, but this change gives us
   7296      strictly correct behaviour at least for TLS.
   7297      [Bodo Moeller]
   7298 
   7299   *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
   7300      never resets s->method to s->ctx->method when called from within
   7301      one of the SSL handshake functions.
   7302      [Bodo Moeller; problem pointed out by Niko Baric]
   7303 
   7304   *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
   7305      (sent using the client's version number) if client_version is
   7306      smaller than the protocol version in use.  Also change
   7307      ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
   7308      the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
   7309      the client will at least see that alert.
   7310      [Bodo Moeller]
   7311 
   7312   *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
   7313      correctly.
   7314      [Bodo Moeller]
   7315 
   7316   *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
   7317      client receives HelloRequest while in a handshake.
   7318      [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7319 
   7320   *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
   7321      should end in 'break', not 'goto end' which circuments various
   7322      cleanups done in state SSL_ST_OK.   But session related stuff
   7323      must be disabled for SSL_ST_OK in the case that we just sent a
   7324      HelloRequest.
   7325 
   7326      Also avoid some overhead by not calling ssl_init_wbio_buffer()
   7327      before just sending a HelloRequest.
   7328      [Bodo Moeller, Eric Rescorla <ekr (a] rtfm.com>]
   7329 
   7330   *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
   7331      reveal whether illegal block cipher padding was found or a MAC
   7332      verification error occured.  (Neither SSLerr() codes nor alerts
   7333      are directly visible to potential attackers, but the information
   7334      may leak via logfiles.)
   7335 
   7336      Similar changes are not required for the SSL 2.0 implementation
   7337      because the number of padding bytes is sent in clear for SSL 2.0,
   7338      and the extra bytes are just ignored.  However ssl/s2_pkt.c
   7339      failed to verify that the purported number of padding bytes is in
   7340      the legal range.
   7341      [Bodo Moeller]
   7342 
   7343   *) Add OpenUNIX-8 support including shared libraries
   7344      (Boyd Lynn Gerber <gerberb (a] zenez.com>).
   7345      [Lutz Jaenicke]
   7346 
   7347   *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
   7348      'wristwatch attack' using huge encoding parameters (cf.
   7349      James H. Manger's CRYPTO 2001 paper).  Note that the
   7350      RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
   7351      encoding parameters and hence was not vulnerable.
   7352      [Bodo Moeller]
   7353 
   7354   *) BN_sqr() bug fix.
   7355      [Ulf Mller, reported by Jim Ellis <jim.ellis (a] cavium.com>]
   7356 
   7357   *) Rabin-Miller test analyses assume uniformly distributed witnesses,
   7358      so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
   7359      followed by modular reduction.
   7360      [Bodo Moeller; pointed out by Adam Young <AYoung1 (a] NCSUS.JNJ.COM>]
   7361 
   7362   *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
   7363      equivalent based on BN_pseudo_rand() instead of BN_rand().
   7364      [Bodo Moeller]
   7365 
   7366   *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
   7367      This function was broken, as the check for a new client hello message
   7368      to handle SGC did not allow these large messages.
   7369      (Tracked down by "Douglas E. Engert" <deengert (a] anl.gov>.)
   7370      [Lutz Jaenicke]
   7371 
   7372   *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
   7373      [Lutz Jaenicke]
   7374 
   7375   *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
   7376      for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton (a] netopia.com>).
   7377      [Lutz Jaenicke]
   7378 
   7379   *) Rework the configuration and shared library support for Tru64 Unix.
   7380      The configuration part makes use of modern compiler features and
   7381      still retains old compiler behavior for those that run older versions
   7382      of the OS.  The shared library support part includes a variant that
   7383      uses the RPATH feature, and is available through the special
   7384      configuration target "alpha-cc-rpath", which will never be selected
   7385      automatically.
   7386      [Tim Mooney <mooney (a] dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
   7387 
   7388   *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
   7389      with the same message size as in ssl3_get_certificate_request().
   7390      Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
   7391      messages might inadvertently be reject as too long.
   7392      [Petr Lampa <lampa (a] fee.vutbr.cz>]
   7393 
   7394   *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
   7395      [Andy Polyakov]
   7396 
   7397   *) Modified SSL library such that the verify_callback that has been set
   7398      specificly for an SSL object with SSL_set_verify() is actually being
   7399      used. Before the change, a verify_callback set with this function was
   7400      ignored and the verify_callback() set in the SSL_CTX at the time of
   7401      the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
   7402      to allow the necessary settings.
   7403      [Lutz Jaenicke]
   7404 
   7405   *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
   7406      explicitly to NULL, as at least on Solaris 8 this seems not always to be
   7407      done automatically (in contradiction to the requirements of the C
   7408      standard). This made problems when used from OpenSSH.
   7409      [Lutz Jaenicke]
   7410 
   7411   *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
   7412      dh->length and always used
   7413 
   7414           BN_rand_range(priv_key, dh->p).
   7415 
   7416      BN_rand_range() is not necessary for Diffie-Hellman, and this
   7417      specific range makes Diffie-Hellman unnecessarily inefficient if
   7418      dh->length (recommended exponent length) is much smaller than the
   7419      length of dh->p.  We could use BN_rand_range() if the order of
   7420      the subgroup was stored in the DH structure, but we only have
   7421      dh->length.
   7422 
   7423      So switch back to
   7424 
   7425           BN_rand(priv_key, l, ...)
   7426 
   7427      where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
   7428      otherwise.
   7429      [Bodo Moeller]
   7430 
   7431   *) In
   7432 
   7433           RSA_eay_public_encrypt
   7434           RSA_eay_private_decrypt
   7435           RSA_eay_private_encrypt (signing)
   7436           RSA_eay_public_decrypt (signature verification)
   7437 
   7438      (default implementations for RSA_public_encrypt,
   7439      RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
   7440      always reject numbers >= n.
   7441      [Bodo Moeller]
   7442 
   7443   *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
   7444      to synchronize access to 'locking_thread'.  This is necessary on
   7445      systems where access to 'locking_thread' (an 'unsigned long'
   7446      variable) is not atomic.
   7447      [Bodo Moeller]
   7448 
   7449   *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
   7450      *before* setting the 'crypto_lock_rand' flag.  The previous code had
   7451      a race condition if 0 is a valid thread ID.
   7452      [Travis Vitek <vitek (a] roguewave.com>]
   7453 
   7454   *) Add support for shared libraries under Irix.
   7455      [Albert Chin-A-Young <china (a] thewrittenword.com>]
   7456 
   7457   *) Add configuration option to build on Linux on both big-endian and
   7458      little-endian MIPS.
   7459      [Ralf Baechle <ralf (a] uni-koblenz.de>]
   7460 
   7461   *) Add the possibility to create shared libraries on HP-UX.
   7462      [Richard Levitte]
   7463 
   7464  Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
   7465 
   7466   *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
   7467      to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
   7468      Markku-Juhani O. Saarinen <markku-juhani.saarinen (a] nokia.com>:
   7469      PRNG state recovery was possible based on the output of
   7470      one PRNG request appropriately sized to gain knowledge on
   7471      'md' followed by enough consecutive 1-byte PRNG requests
   7472      to traverse all of 'state'.
   7473 
   7474      1. When updating 'md_local' (the current thread's copy of 'md')
   7475         during PRNG output generation, hash all of the previous
   7476         'md_local' value, not just the half used for PRNG output.
   7477 
   7478      2. Make the number of bytes from 'state' included into the hash
   7479         independent from the number of PRNG bytes requested.
   7480 
   7481      The first measure alone would be sufficient to avoid
   7482      Markku-Juhani's attack.  (Actually it had never occurred
   7483      to me that the half of 'md_local' used for chaining was the
   7484      half from which PRNG output bytes were taken -- I had always
   7485      assumed that the secret half would be used.)  The second
   7486      measure makes sure that additional data from 'state' is never
   7487      mixed into 'md_local' in small portions; this heuristically
   7488      further strengthens the PRNG.
   7489      [Bodo Moeller]
   7490 
   7491   *) Fix crypto/bn/asm/mips3.s.
   7492      [Andy Polyakov]
   7493 
   7494   *) When only the key is given to "enc", the IV is undefined. Print out
   7495      an error message in this case.
   7496      [Lutz Jaenicke]
   7497 
   7498   *) Handle special case when X509_NAME is empty in X509 printing routines.
   7499      [Steve Henson]
   7500 
   7501   *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
   7502      positive and less than q.
   7503      [Bodo Moeller]
   7504 
   7505   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
   7506      used: it isn't thread safe and the add_lock_callback should handle
   7507      that itself.
   7508      [Paul Rose <Paul.Rose (a] bridge.com>]
   7509 
   7510   *) Verify that incoming data obeys the block size in
   7511      ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
   7512      [Bodo Moeller]
   7513 
   7514   *) Fix OAEP check.
   7515      [Ulf Mller, Bodo Mller]
   7516 
   7517   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
   7518      RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
   7519      when fixing the server behaviour for backwards-compatible 'client
   7520      hello' messages.  (Note that the attack is impractical against
   7521      SSL 3.0 and TLS 1.0 anyway because length and version checking
   7522      means that the probability of guessing a valid ciphertext is
   7523      around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
   7524      paper.)
   7525 
   7526      Before 0.9.5, the countermeasure (hide the error by generating a
   7527      random 'decryption result') did not work properly because
   7528      ERR_clear_error() was missing, meaning that SSL_get_error() would
   7529      detect the supposedly ignored error.
   7530 
   7531      Both problems are now fixed.
   7532      [Bodo Moeller]
   7533 
   7534   *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
   7535      (previously it was 1024).
   7536      [Bodo Moeller]
   7537 
   7538   *) Fix for compatibility mode trust settings: ignore trust settings
   7539      unless some valid trust or reject settings are present.
   7540      [Steve Henson]
   7541 
   7542   *) Fix for blowfish EVP: its a variable length cipher.
   7543      [Steve Henson]
   7544 
   7545   *) Fix various bugs related to DSA S/MIME verification. Handle missing
   7546      parameters in DSA public key structures and return an error in the
   7547      DSA routines if parameters are absent.
   7548      [Steve Henson]
   7549 
   7550   *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
   7551      in the current directory if neither $RANDFILE nor $HOME was set.
   7552      RAND_file_name() in 0.9.6a returned NULL in this case.  This has
   7553      caused some confusion to Windows users who haven't defined $HOME.
   7554      Thus RAND_file_name() is changed again: e_os.h can define a
   7555      DEFAULT_HOME, which will be used if $HOME is not set.
   7556      For Windows, we use "C:"; on other platforms, we still require
   7557      environment variables.
   7558 
   7559   *) Move 'if (!initialized) RAND_poll()' into regions protected by
   7560      CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
   7561      having multiple threads call RAND_poll() concurrently.
   7562      [Bodo Moeller]
   7563 
   7564   *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
   7565      combination of a flag and a thread ID variable.
   7566      Otherwise while one thread is in ssleay_rand_bytes (which sets the
   7567      flag), *other* threads can enter ssleay_add_bytes without obeying
   7568      the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
   7569      that they do not hold after the first thread unsets add_do_not_lock).
   7570      [Bodo Moeller]
   7571 
   7572   *) Change bctest again: '-x' expressions are not available in all
   7573      versions of 'test'.
   7574      [Bodo Moeller]
   7575 
   7576  Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
   7577 
   7578   *) Fix a couple of memory leaks in PKCS7_dataDecode()
   7579      [Steve Henson, reported by Heyun Zheng <hzheng (a] atdsprint.com>]
   7580 
   7581   *) Change Configure and Makefiles to provide EXE_EXT, which will contain
   7582      the default extension for executables, if any.  Also, make the perl
   7583      scripts that use symlink() to test if it really exists and use "cp"
   7584      if it doesn't.  All this made OpenSSL compilable and installable in
   7585      CygWin.
   7586      [Richard Levitte]
   7587 
   7588   *) Fix for asn1_GetSequence() for indefinite length constructed data.
   7589      If SEQUENCE is length is indefinite just set c->slen to the total
   7590      amount of data available.
   7591      [Steve Henson, reported by shige (a] FreeBSD.org]
   7592      [This change does not apply to 0.9.7.]
   7593 
   7594   *) Change bctest to avoid here-documents inside command substitution
   7595      (workaround for FreeBSD /bin/sh bug).
   7596      For compatibility with Ultrix, avoid shell functions (introduced
   7597      in the bctest version that searches along $PATH).
   7598      [Bodo Moeller]
   7599 
   7600   *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
   7601      with des_encrypt() defined on some operating systems, like Solaris
   7602      and UnixWare.
   7603      [Richard Levitte]
   7604 
   7605   *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
   7606      On the Importance of Eliminating Errors in Cryptographic
   7607      Computations, J. Cryptology 14 (2001) 2, 101-119,
   7608      http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
   7609      [Ulf Moeller]
   7610   
   7611   *) MIPS assembler BIGNUM division bug fix. 
   7612      [Andy Polyakov]
   7613 
   7614   *) Disabled incorrect Alpha assembler code.
   7615      [Richard Levitte]
   7616 
   7617   *) Fix PKCS#7 decode routines so they correctly update the length
   7618      after reading an EOC for the EXPLICIT tag.
   7619      [Steve Henson]
   7620      [This change does not apply to 0.9.7.]
   7621 
   7622   *) Fix bug in PKCS#12 key generation routines. This was triggered
   7623      if a 3DES key was generated with a 0 initial byte. Include
   7624      PKCS12_BROKEN_KEYGEN compilation option to retain the old
   7625      (but broken) behaviour.
   7626      [Steve Henson]
   7627 
   7628   *) Enhance bctest to search for a working bc along $PATH and print
   7629      it when found.
   7630      [Tim Rice <tim (a] multitalents.net> via Richard Levitte]
   7631 
   7632   *) Fix memory leaks in err.c: free err_data string if necessary;
   7633      don't write to the wrong index in ERR_set_error_data.
   7634      [Bodo Moeller]
   7635 
   7636   *) Implement ssl23_peek (analogous to ssl23_read), which previously
   7637      did not exist.
   7638      [Bodo Moeller]
   7639 
   7640   *) Replace rdtsc with _emit statements for VC++ version 5.
   7641      [Jeremy Cooper <jeremy (a] baymoo.org>]
   7642 
   7643   *) Make it possible to reuse SSLv2 sessions.
   7644      [Richard Levitte]
   7645 
   7646   *) In copy_email() check for >= 0 as a return value for
   7647      X509_NAME_get_index_by_NID() since 0 is a valid index.
   7648      [Steve Henson reported by Massimiliano Pala <madwolf (a] opensca.org>]
   7649 
   7650   *) Avoid coredump with unsupported or invalid public keys by checking if
   7651      X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
   7652      PKCS7_verify() fails with non detached data.
   7653      [Steve Henson]
   7654 
   7655   *) Don't use getenv in library functions when run as setuid/setgid.
   7656      New function OPENSSL_issetugid().
   7657      [Ulf Moeller]
   7658 
   7659   *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
   7660      due to incorrect handling of multi-threading:
   7661 
   7662      1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
   7663 
   7664      2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
   7665 
   7666      3. Count how many times MemCheck_off() has been called so that
   7667         nested use can be treated correctly.  This also avoids 
   7668         inband-signalling in the previous code (which relied on the
   7669         assumption that thread ID 0 is impossible).
   7670      [Bodo Moeller]
   7671 
   7672   *) Add "-rand" option also to s_client and s_server.
   7673      [Lutz Jaenicke]
   7674 
   7675   *) Fix CPU detection on Irix 6.x.
   7676      [Kurt Hockenbury <khockenb (a] stevens-tech.edu> and
   7677       "Bruce W. Forsberg" <bruce.forsberg (a] baesystems.com>]
   7678 
   7679   *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
   7680      was empty.
   7681      [Steve Henson]
   7682      [This change does not apply to 0.9.7.]
   7683 
   7684   *) Use the cached encoding of an X509_NAME structure rather than
   7685      copying it. This is apparently the reason for the libsafe "errors"
   7686      but the code is actually correct.
   7687      [Steve Henson]
   7688 
   7689   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
   7690      Bleichenbacher's DSA attack.
   7691      Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
   7692      to be set and top=0 forces the highest bit to be set; top=-1 is new
   7693      and leaves the highest bit random.
   7694      [Ulf Moeller, Bodo Moeller]
   7695 
   7696   *) In the NCONF_...-based implementations for CONF_... queries
   7697      (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
   7698      a temporary CONF structure with the data component set to NULL
   7699      (which gives segmentation faults in lh_retrieve).
   7700      Instead, use NULL for the CONF pointer in CONF_get_string and
   7701      CONF_get_number (which may use environment variables) and directly
   7702      return NULL from CONF_get_section.
   7703      [Bodo Moeller]
   7704 
   7705   *) Fix potential buffer overrun for EBCDIC.
   7706      [Ulf Moeller]
   7707 
   7708   *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
   7709      keyUsage if basicConstraints absent for a CA.
   7710      [Steve Henson]
   7711 
   7712   *) Make SMIME_write_PKCS7() write mail header values with a format that
   7713      is more generally accepted (no spaces before the semicolon), since
   7714      some programs can't parse those values properly otherwise.  Also make
   7715      sure BIO's that break lines after each write do not create invalid
   7716      headers.
   7717      [Richard Levitte]
   7718 
   7719   *) Make the CRL encoding routines work with empty SEQUENCE OF. The
   7720      macros previously used would not encode an empty SEQUENCE OF
   7721      and break the signature.
   7722      [Steve Henson]
   7723      [This change does not apply to 0.9.7.]
   7724 
   7725   *) Zero the premaster secret after deriving the master secret in
   7726      DH ciphersuites.
   7727      [Steve Henson]
   7728 
   7729   *) Add some EVP_add_digest_alias registrations (as found in
   7730      OpenSSL_add_all_digests()) to SSL_library_init()
   7731      aka OpenSSL_add_ssl_algorithms().  This provides improved
   7732      compatibility with peers using X.509 certificates
   7733      with unconventional AlgorithmIdentifier OIDs.
   7734      [Bodo Moeller]
   7735 
   7736   *) Fix for Irix with NO_ASM.
   7737      ["Bruce W. Forsberg" <bruce.forsberg (a] baesystems.com>]
   7738 
   7739   *) ./config script fixes.
   7740      [Ulf Moeller, Richard Levitte]
   7741 
   7742   *) Fix 'openssl passwd -1'.
   7743      [Bodo Moeller]
   7744 
   7745   *) Change PKCS12_key_gen_asc() so it can cope with non null
   7746      terminated strings whose length is passed in the passlen
   7747      parameter, for example from PEM callbacks. This was done
   7748      by adding an extra length parameter to asc2uni().
   7749      [Steve Henson, reported by <oddissey (a] samsung.co.kr>]
   7750 
   7751   *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
   7752      call failed, free the DSA structure.
   7753      [Bodo Moeller]
   7754 
   7755   *) Fix to uni2asc() to cope with zero length Unicode strings.
   7756      These are present in some PKCS#12 files.
   7757      [Steve Henson]
   7758 
   7759   *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
   7760      Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
   7761      when writing a 32767 byte record.
   7762      [Bodo Moeller; problem reported by Eric Day <eday (a] concentric.net>]
   7763 
   7764   *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
   7765      obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
   7766 
   7767      (RSA objects have a reference count access to which is protected
   7768      by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
   7769      so they are meant to be shared between threads.)
   7770      [Bodo Moeller, Geoff Thorpe; original patch submitted by
   7771      "Reddie, Steven" <Steven.Reddie (a] ca.com>]
   7772 
   7773   *) Fix a deadlock in CRYPTO_mem_leaks().
   7774      [Bodo Moeller]
   7775 
   7776   *) Use better test patterns in bntest.
   7777      [Ulf Mller]
   7778 
   7779   *) rand_win.c fix for Borland C.
   7780      [Ulf Mller]
   7781  
   7782   *) BN_rshift bugfix for n == 0.
   7783      [Bodo Moeller]
   7784 
   7785   *) Add a 'bctest' script that checks for some known 'bc' bugs
   7786      so that 'make test' does not abort just because 'bc' is broken.
   7787      [Bodo Moeller]
   7788 
   7789   *) Store verify_result within SSL_SESSION also for client side to
   7790      avoid potential security hole. (Re-used sessions on the client side
   7791      always resulted in verify_result==X509_V_OK, not using the original
   7792      result of the server certificate verification.)
   7793      [Lutz Jaenicke]
   7794 
   7795   *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
   7796      SSL3_RT_APPLICATION_DATA, return 0.
   7797      Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
   7798      [Bodo Moeller]
   7799 
   7800   *) Fix SSL_peek:
   7801      Both ssl2_peek and ssl3_peek, which were totally broken in earlier
   7802      releases, have been re-implemented by renaming the previous
   7803      implementations of ssl2_read and ssl3_read to ssl2_read_internal
   7804      and ssl3_read_internal, respectively, and adding 'peek' parameters
   7805      to them.  The new ssl[23]_{read,peek} functions are calls to
   7806      ssl[23]_read_internal with the 'peek' flag set appropriately.
   7807      A 'peek' parameter has also been added to ssl3_read_bytes, which
   7808      does the actual work for ssl3_read_internal.
   7809      [Bodo Moeller]
   7810 
   7811   *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
   7812      the method-specific "init()" handler. Also clean up ex_data after
   7813      calling the method-specific "finish()" handler. Previously, this was
   7814      happening the other way round.
   7815      [Geoff Thorpe]
   7816 
   7817   *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
   7818      The previous value, 12, was not always sufficient for BN_mod_exp().
   7819      [Bodo Moeller]
   7820 
   7821   *) Make sure that shared libraries get the internal name engine with
   7822      the full version number and not just 0.  This should mark the
   7823      shared libraries as not backward compatible.  Of course, this should
   7824      be changed again when we can guarantee backward binary compatibility.
   7825      [Richard Levitte]
   7826 
   7827   *) Fix typo in get_cert_by_subject() in by_dir.c
   7828      [Jean-Marc Desperrier <jean-marc.desperrier (a] certplus.com>]
   7829 
   7830   *) Rework the system to generate shared libraries:
   7831 
   7832      - Make note of the expected extension for the shared libraries and
   7833        if there is a need for symbolic links from for example libcrypto.so.0
   7834        to libcrypto.so.0.9.7.  There is extended info in Configure for
   7835        that.
   7836 
   7837      - Make as few rebuilds of the shared libraries as possible.
   7838 
   7839      - Still avoid linking the OpenSSL programs with the shared libraries.
   7840 
   7841      - When installing, install the shared libraries separately from the
   7842        static ones.
   7843      [Richard Levitte]
   7844 
   7845   *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
   7846 
   7847      Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
   7848      and not in SSL_clear because the latter is also used by the
   7849      accept/connect functions; previously, the settings made by
   7850      SSL_set_read_ahead would be lost during the handshake.
   7851      [Bodo Moeller; problems reported by Anders Gertz <gertz (a] epact.se>]     
   7852 
   7853   *) Correct util/mkdef.pl to be selective about disabled algorithms.
   7854      Previously, it would create entries for disableed algorithms no
   7855      matter what.
   7856      [Richard Levitte]
   7857 
   7858   *) Added several new manual pages for SSL_* function.
   7859      [Lutz Jaenicke]
   7860 
   7861  Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
   7862 
   7863   *) In ssl23_get_client_hello, generate an error message when faced
   7864      with an initial SSL 3.0/TLS record that is too small to contain the
   7865      first two bytes of the ClientHello message, i.e. client_version.
   7866      (Note that this is a pathologic case that probably has never happened
   7867      in real life.)  The previous approach was to use the version number
   7868      from the record header as a substitute; but our protocol choice
   7869      should not depend on that one because it is not authenticated
   7870      by the Finished messages.
   7871      [Bodo Moeller]
   7872 
   7873   *) More robust randomness gathering functions for Windows.
   7874      [Jeffrey Altman <jaltman (a] columbia.edu>]
   7875 
   7876   *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
   7877      not set then we don't setup the error code for issuer check errors
   7878      to avoid possibly overwriting other errors which the callback does
   7879      handle. If an application does set the flag then we assume it knows
   7880      what it is doing and can handle the new informational codes
   7881      appropriately.
   7882      [Steve Henson]
   7883 
   7884   *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
   7885      a general "ANY" type, as such it should be able to decode anything
   7886      including tagged types. However it didn't check the class so it would
   7887      wrongly interpret tagged types in the same way as their universal
   7888      counterpart and unknown types were just rejected. Changed so that the
   7889      tagged and unknown types are handled in the same way as a SEQUENCE:
   7890      that is the encoding is stored intact. There is also a new type
   7891      "V_ASN1_OTHER" which is used when the class is not universal, in this
   7892      case we have no idea what the actual type is so we just lump them all
   7893      together.
   7894      [Steve Henson]
   7895 
   7896   *) On VMS, stdout may very well lead to a file that is written to
   7897      in a record-oriented fashion.  That means that every write() will
   7898      write a separate record, which will be read separately by the
   7899      programs trying to read from it.  This can be very confusing.
   7900 
   7901      The solution is to put a BIO filter in the way that will buffer
   7902      text until a linefeed is reached, and then write everything a
   7903      line at a time, so every record written will be an actual line,
   7904      not chunks of lines and not (usually doesn't happen, but I've
   7905      seen it once) several lines in one record.  BIO_f_linebuffer() is
   7906      the answer.
   7907 
   7908      Currently, it's a VMS-only method, because that's where it has
   7909      been tested well enough.
   7910      [Richard Levitte]
   7911 
   7912   *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
   7913      it can return incorrect results.
   7914      (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
   7915      but it was in 0.9.6-beta[12].)
   7916      [Bodo Moeller]
   7917 
   7918   *) Disable the check for content being present when verifying detached
   7919      signatures in pk7_smime.c. Some versions of Netscape (wrongly)
   7920      include zero length content when signing messages.
   7921      [Steve Henson]
   7922 
   7923   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
   7924      BIO_ctrl (for BIO pairs).
   7925      [Bodo Mller]
   7926 
   7927   *) Add DSO method for VMS.
   7928      [Richard Levitte]
   7929 
   7930   *) Bug fix: Montgomery multiplication could produce results with the
   7931      wrong sign.
   7932      [Ulf Mller]
   7933 
   7934   *) Add RPM specification openssl.spec and modify it to build three
   7935      packages.  The default package contains applications, application
   7936      documentation and run-time libraries.  The devel package contains
   7937      include files, static libraries and function documentation.  The
   7938      doc package contains the contents of the doc directory.  The original
   7939      openssl.spec was provided by Damien Miller <djm (a] mindrot.org>.
   7940      [Richard Levitte]
   7941      
   7942   *) Add a large number of documentation files for many SSL routines.
   7943      [Lutz Jaenicke <Lutz.Jaenicke (a] aet.TU-Cottbus.DE>]
   7944 
   7945   *) Add a configuration entry for Sony News 4.
   7946      [NAKAJI Hiroyuki <nakaji (a] tutrp.tut.ac.jp>]
   7947 
   7948   *) Don't set the two most significant bits to one when generating a
   7949      random number < q in the DSA library.
   7950      [Ulf Mller]
   7951 
   7952   *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
   7953      behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
   7954      the underlying transport is blocking) if a handshake took place.
   7955      (The default behaviour is needed by applications such as s_client
   7956      and s_server that use select() to determine when to use SSL_read;
   7957      but for applications that know in advance when to expect data, it
   7958      just makes things more complicated.)
   7959      [Bodo Moeller]
   7960 
   7961   *) Add RAND_egd_bytes(), which gives control over the number of bytes read
   7962      from EGD.
   7963      [Ben Laurie]
   7964 
   7965   *) Add a few more EBCDIC conditionals that make `req' and `x509'
   7966      work better on such systems.
   7967      [Martin Kraemer <Martin.Kraemer (a] MchP.Siemens.De>]
   7968 
   7969   *) Add two demo programs for PKCS12_parse() and PKCS12_create().
   7970      Update PKCS12_parse() so it copies the friendlyName and the
   7971      keyid to the certificates aux info.
   7972      [Steve Henson]
   7973 
   7974   *) Fix bug in PKCS7_verify() which caused an infinite loop
   7975      if there was more than one signature.
   7976      [Sven Uszpelkat <su (a] celocom.de>]
   7977 
   7978   *) Major change in util/mkdef.pl to include extra information
   7979      about each symbol, as well as presentig variables as well
   7980      as functions.  This change means that there's n more need
   7981      to rebuild the .num files when some algorithms are excluded.
   7982      [Richard Levitte]
   7983 
   7984   *) Allow the verify time to be set by an application,
   7985      rather than always using the current time.
   7986      [Steve Henson]
   7987   
   7988   *) Phase 2 verify code reorganisation. The certificate
   7989      verify code now looks up an issuer certificate by a
   7990      number of criteria: subject name, authority key id
   7991      and key usage. It also verifies self signed certificates
   7992      by the same criteria. The main comparison function is
   7993      X509_check_issued() which performs these checks.
   7994  
   7995      Lot of changes were necessary in order to support this
   7996      without completely rewriting the lookup code.
   7997  
   7998      Authority and subject key identifier are now cached.
   7999  
   8000      The LHASH 'certs' is X509_STORE has now been replaced
   8001      by a STACK_OF(X509_OBJECT). This is mainly because an
   8002      LHASH can't store or retrieve multiple objects with
   8003      the same hash value.
   8004 
   8005      As a result various functions (which were all internal
   8006      use only) have changed to handle the new X509_STORE
   8007      structure. This will break anything that messed round
   8008      with X509_STORE internally.
   8009  
   8010      The functions X509_STORE_add_cert() now checks for an
   8011      exact match, rather than just subject name.
   8012  
   8013      The X509_STORE API doesn't directly support the retrieval
   8014      of multiple certificates matching a given criteria, however
   8015      this can be worked round by performing a lookup first
   8016      (which will fill the cache with candidate certificates)
   8017      and then examining the cache for matches. This is probably
   8018      the best we can do without throwing out X509_LOOKUP
   8019      entirely (maybe later...).
   8020  
   8021      The X509_VERIFY_CTX structure has been enhanced considerably.
   8022  
   8023      All certificate lookup operations now go via a get_issuer()
   8024      callback. Although this currently uses an X509_STORE it
   8025      can be replaced by custom lookups. This is a simple way
   8026      to bypass the X509_STORE hackery necessary to make this
   8027      work and makes it possible to use more efficient techniques
   8028      in future. A very simple version which uses a simple
   8029      STACK for its trusted certificate store is also provided
   8030      using X509_STORE_CTX_trusted_stack().
   8031  
   8032      The verify_cb() and verify() callbacks now have equivalents
   8033      in the X509_STORE_CTX structure.
   8034  
   8035      X509_STORE_CTX also has a 'flags' field which can be used
   8036      to customise the verify behaviour.
   8037      [Steve Henson]
   8038  
   8039   *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
   8040      excludes S/MIME capabilities.
   8041      [Steve Henson]
   8042 
   8043   *) When a certificate request is read in keep a copy of the
   8044      original encoding of the signed data and use it when outputing
   8045      again. Signatures then use the original encoding rather than
   8046      a decoded, encoded version which may cause problems if the
   8047      request is improperly encoded.
   8048      [Steve Henson]
   8049 
   8050   *) For consistency with other BIO_puts implementations, call
   8051      buffer_write(b, ...) directly in buffer_puts instead of calling
   8052      BIO_write(b, ...).
   8053 
   8054      In BIO_puts, increment b->num_write as in BIO_write.
   8055      [Peter.Sylvester (a] EdelWeb.fr]
   8056 
   8057   *) Fix BN_mul_word for the case where the word is 0. (We have to use
   8058      BN_zero, we may not return a BIGNUM with an array consisting of
   8059      words set to zero.)
   8060      [Bodo Moeller]
   8061 
   8062   *) Avoid calling abort() from within the library when problems are
   8063      detected, except if preprocessor symbols have been defined
   8064      (such as REF_CHECK, BN_DEBUG etc.).
   8065      [Bodo Moeller]
   8066 
   8067   *) New openssl application 'rsautl'. This utility can be
   8068      used for low level RSA operations. DER public key
   8069      BIO/fp routines also added.
   8070      [Steve Henson]
   8071 
   8072   *) New Configure entry and patches for compiling on QNX 4.
   8073      [Andreas Schneider <andreas (a] ds3.etech.fh-hamburg.de>]
   8074 
   8075   *) A demo state-machine implementation was sponsored by
   8076      Nuron (http://www.nuron.com/) and is now available in
   8077      demos/state_machine.
   8078      [Ben Laurie]
   8079 
   8080   *) New options added to the 'dgst' utility for signature
   8081      generation and verification.
   8082      [Steve Henson]
   8083 
   8084   *) Unrecognized PKCS#7 content types are now handled via a
   8085      catch all ASN1_TYPE structure. This allows unsupported
   8086      types to be stored as a "blob" and an application can
   8087      encode and decode it manually.
   8088      [Steve Henson]
   8089 
   8090   *) Fix various signed/unsigned issues to make a_strex.c
   8091      compile under VC++.
   8092      [Oscar Jacobsson <oscar.jacobsson (a] celocom.com>]
   8093 
   8094   *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
   8095      length if passed a buffer. ASN1_INTEGER_to_BN failed
   8096      if passed a NULL BN and its argument was negative.
   8097      [Steve Henson, pointed out by Sven Heiberg <sven (a] tartu.cyber.ee>]
   8098 
   8099   *) Modification to PKCS#7 encoding routines to output definite
   8100      length encoding. Since currently the whole structures are in
   8101      memory there's not real point in using indefinite length 
   8102      constructed encoding. However if OpenSSL is compiled with
   8103      the flag PKCS7_INDEFINITE_ENCODING the old form is used.
   8104      [Steve Henson]
   8105 
   8106   *) Added BIO_vprintf() and BIO_vsnprintf().
   8107      [Richard Levitte]
   8108 
   8109   *) Added more prefixes to parse for in the the strings written
   8110      through a logging bio, to cover all the levels that are available
   8111      through syslog.  The prefixes are now:
   8112 
   8113 	PANIC, EMERG, EMR	=>	LOG_EMERG
   8114 	ALERT, ALR		=>	LOG_ALERT
   8115 	CRIT, CRI		=>	LOG_CRIT
   8116 	ERROR, ERR		=>	LOG_ERR
   8117 	WARNING, WARN, WAR	=>	LOG_WARNING
   8118 	NOTICE, NOTE, NOT	=>	LOG_NOTICE
   8119 	INFO, INF		=>	LOG_INFO
   8120 	DEBUG, DBG		=>	LOG_DEBUG
   8121 
   8122      and as before, if none of those prefixes are present at the
   8123      beginning of the string, LOG_ERR is chosen.
   8124 
   8125      On Win32, the LOG_* levels are mapped according to this:
   8126 
   8127 	LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR	=> EVENTLOG_ERROR_TYPE
   8128 	LOG_WARNING				=> EVENTLOG_WARNING_TYPE
   8129 	LOG_NOTICE, LOG_INFO, LOG_DEBUG		=> EVENTLOG_INFORMATION_TYPE
   8130 
   8131      [Richard Levitte]
   8132 
   8133   *) Made it possible to reconfigure with just the configuration
   8134      argument "reconf" or "reconfigure".  The command line arguments
   8135      are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
   8136      and are retrieved from there when reconfiguring.
   8137      [Richard Levitte]
   8138 
   8139   *) MD4 implemented.
   8140      [Assar Westerlund <assar (a] sics.se>, Richard Levitte]
   8141 
   8142   *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
   8143      [Richard Levitte]
   8144 
   8145   *) The obj_dat.pl script was messing up the sorting of object
   8146      names. The reason was that it compared the quoted version
   8147      of strings as a result "OCSP" > "OCSP Signing" because
   8148      " > SPACE. Changed script to store unquoted versions of
   8149      names and add quotes on output. It was also omitting some
   8150      names from the lookup table if they were given a default
   8151      value (that is if SN is missing it is given the same
   8152      value as LN and vice versa), these are now added on the
   8153      grounds that if an object has a name we should be able to
   8154      look it up. Finally added warning output when duplicate
   8155      short or long names are found.
   8156      [Steve Henson]
   8157 
   8158   *) Changes needed for Tandem NSK.
   8159      [Scott Uroff <scott (a] xypro.com>]
   8160 
   8161   *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
   8162      RSA_padding_check_SSLv23(), special padding was never detected
   8163      and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
   8164      version rollback attacks was not effective.
   8165 
   8166      In s23_clnt.c, don't use special rollback-attack detection padding
   8167      (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
   8168      client; similarly, in s23_srvr.c, don't do the rollback check if
   8169      SSL 2.0 is the only protocol enabled in the server.
   8170      [Bodo Moeller]
   8171 
   8172   *) Make it possible to get hexdumps of unprintable data with 'openssl
   8173      asn1parse'.  By implication, the functions ASN1_parse_dump() and
   8174      BIO_dump_indent() are added.
   8175      [Richard Levitte]
   8176 
   8177   *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
   8178      these print out strings and name structures based on various
   8179      flags including RFC2253 support and proper handling of
   8180      multibyte characters. Added options to the 'x509' utility 
   8181      to allow the various flags to be set.
   8182      [Steve Henson]
   8183 
   8184   *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
   8185      Also change the functions X509_cmp_current_time() and
   8186      X509_gmtime_adj() work with an ASN1_TIME structure,
   8187      this will enable certificates using GeneralizedTime in validity
   8188      dates to be checked.
   8189      [Steve Henson]
   8190 
   8191   *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
   8192      negative public key encodings) on by default,
   8193      NO_NEG_PUBKEY_BUG can be set to disable it.
   8194      [Steve Henson]
   8195 
   8196   *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
   8197      content octets. An i2c_ASN1_OBJECT is unnecessary because
   8198      the encoding can be trivially obtained from the structure.
   8199      [Steve Henson]
   8200 
   8201   *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
   8202      not read locks (CRYPTO_r_[un]lock).
   8203      [Bodo Moeller]
   8204 
   8205   *) A first attempt at creating official support for shared
   8206      libraries through configuration.  I've kept it so the
   8207      default is static libraries only, and the OpenSSL programs
   8208      are always statically linked for now, but there are
   8209      preparations for dynamic linking in place.
   8210      This has been tested on Linux and Tru64.
   8211      [Richard Levitte]
   8212 
   8213   *) Randomness polling function for Win9x, as described in:
   8214      Peter Gutmann, Software Generation of Practically Strong
   8215      Random Numbers.
   8216      [Ulf Mller]
   8217 
   8218   *) Fix so PRNG is seeded in req if using an already existing
   8219      DSA key.
   8220      [Steve Henson]
   8221 
   8222   *) New options to smime application. -inform and -outform
   8223      allow alternative formats for the S/MIME message including
   8224      PEM and DER. The -content option allows the content to be
   8225      specified separately. This should allow things like Netscape
   8226      form signing output easier to verify.
   8227      [Steve Henson]
   8228 
   8229   *) Fix the ASN1 encoding of tags using the 'long form'.
   8230      [Steve Henson]
   8231 
   8232   *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
   8233      STRING types. These convert content octets to and from the
   8234      underlying type. The actual tag and length octets are
   8235      already assumed to have been read in and checked. These
   8236      are needed because all other string types have virtually
   8237      identical handling apart from the tag. By having versions
   8238      of the ASN1 functions that just operate on content octets
   8239      IMPLICIT tagging can be handled properly. It also allows
   8240      the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
   8241      and ASN1_INTEGER are identical apart from the tag.
   8242      [Steve Henson]
   8243 
   8244   *) Change the handling of OID objects as follows:
   8245 
   8246      - New object identifiers are inserted in objects.txt, following
   8247        the syntax given in objects.README.
   8248      - objects.pl is used to process obj_mac.num and create a new
   8249        obj_mac.h.
   8250      - obj_dat.pl is used to create a new obj_dat.h, using the data in
   8251        obj_mac.h.
   8252 
   8253      This is currently kind of a hack, and the perl code in objects.pl
   8254      isn't very elegant, but it works as I intended.  The simplest way
   8255      to check that it worked correctly is to look in obj_dat.h and
   8256      check the array nid_objs and make sure the objects haven't moved
   8257      around (this is important!).  Additions are OK, as well as
   8258      consistent name changes. 
   8259      [Richard Levitte]
   8260 
   8261   *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
   8262      [Bodo Moeller]
   8263 
   8264   *) Addition of the command line parameter '-rand file' to 'openssl req'.
   8265      The given file adds to whatever has already been seeded into the
   8266      random pool through the RANDFILE configuration file option or
   8267      environment variable, or the default random state file.
   8268      [Richard Levitte]
   8269 
   8270   *) mkstack.pl now sorts each macro group into lexical order.
   8271      Previously the output order depended on the order the files
   8272      appeared in the directory, resulting in needless rewriting
   8273      of safestack.h .
   8274      [Steve Henson]
   8275 
   8276   *) Patches to make OpenSSL compile under Win32 again. Mostly
   8277      work arounds for the VC++ problem that it treats func() as
   8278      func(void). Also stripped out the parts of mkdef.pl that
   8279      added extra typesafe functions: these no longer exist.
   8280      [Steve Henson]
   8281 
   8282   *) Reorganisation of the stack code. The macros are now all 
   8283      collected in safestack.h . Each macro is defined in terms of
   8284      a "stack macro" of the form SKM_<name>(type, a, b). The 
   8285      DEBUG_SAFESTACK is now handled in terms of function casts,
   8286      this has the advantage of retaining type safety without the
   8287      use of additional functions. If DEBUG_SAFESTACK is not defined
   8288      then the non typesafe macros are used instead. Also modified the
   8289      mkstack.pl script to handle the new form. Needs testing to see
   8290      if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
   8291      the default if no major problems. Similar behaviour for ASN1_SET_OF
   8292      and PKCS12_STACK_OF.
   8293      [Steve Henson]
   8294 
   8295   *) When some versions of IIS use the 'NET' form of private key the
   8296      key derivation algorithm is different. Normally MD5(password) is
   8297      used as a 128 bit RC4 key. In the modified case
   8298      MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
   8299      new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
   8300      as the old Netscape_RSA functions except they have an additional
   8301      'sgckey' parameter which uses the modified algorithm. Also added
   8302      an -sgckey command line option to the rsa utility. Thanks to 
   8303      Adrian Peck <bertie (a] ncipher.com> for posting details of the modified
   8304      algorithm to openssl-dev.
   8305      [Steve Henson]
   8306 
   8307   *) The evp_local.h macros were using 'c.##kname' which resulted in
   8308      invalid expansion on some systems (SCO 5.0.5 for example).
   8309      Corrected to 'c.kname'.
   8310      [Phillip Porch <root (a] theporch.com>]
   8311 
   8312   *) New X509_get1_email() and X509_REQ_get1_email() functions that return
   8313      a STACK of email addresses from a certificate or request, these look
   8314      in the subject name and the subject alternative name extensions and 
   8315      omit any duplicate addresses.
   8316      [Steve Henson]
   8317 
   8318   *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
   8319      This makes DSA verification about 2 % faster.
   8320      [Bodo Moeller]
   8321 
   8322   *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
   8323      (meaning that now 2^5 values will be precomputed, which is only 4 KB
   8324      plus overhead for 1024 bit moduli).
   8325      This makes exponentiations about 0.5 % faster for 1024 bit
   8326      exponents (as measured by "openssl speed rsa2048").
   8327      [Bodo Moeller]
   8328 
   8329   *) Rename memory handling macros to avoid conflicts with other
   8330      software:
   8331           Malloc         =>  OPENSSL_malloc
   8332           Malloc_locked  =>  OPENSSL_malloc_locked
   8333           Realloc        =>  OPENSSL_realloc
   8334           Free           =>  OPENSSL_free
   8335      [Richard Levitte]
   8336 
   8337   *) New function BN_mod_exp_mont_word for small bases (roughly 15%
   8338      faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
   8339      [Bodo Moeller]
   8340 
   8341   *) CygWin32 support.
   8342      [John Jarvie <jjarvie (a] newsguy.com>]
   8343 
   8344   *) The type-safe stack code has been rejigged. It is now only compiled
   8345      in when OpenSSL is configured with the DEBUG_SAFESTACK option and
   8346      by default all type-specific stack functions are "#define"d back to
   8347      standard stack functions. This results in more streamlined output
   8348      but retains the type-safety checking possibilities of the original
   8349      approach.
   8350      [Geoff Thorpe]
   8351 
   8352   *) The STACK code has been cleaned up, and certain type declarations
   8353      that didn't make a lot of sense have been brought in line. This has
   8354      also involved a cleanup of sorts in safestack.h to more correctly
   8355      map type-safe stack functions onto their plain stack counterparts.
   8356      This work has also resulted in a variety of "const"ifications of
   8357      lots of the code, especially "_cmp" operations which should normally
   8358      be prototyped with "const" parameters anyway.
   8359      [Geoff Thorpe]
   8360 
   8361   *) When generating bytes for the first time in md_rand.c, 'stir the pool'
   8362      by seeding with STATE_SIZE dummy bytes (with zero entropy count).
   8363      (The PRNG state consists of two parts, the large pool 'state' and 'md',
   8364      where all of 'md' is used each time the PRNG is used, but 'state'
   8365      is used only indexed by a cyclic counter. As entropy may not be
   8366      well distributed from the beginning, 'md' is important as a
   8367      chaining variable. However, the output function chains only half
   8368      of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
   8369      all of 'md', and seeding with STATE_SIZE dummy bytes will result
   8370      in all of 'state' being rewritten, with the new values depending
   8371      on virtually all of 'md'.  This overcomes the 80 bit limitation.)
   8372      [Bodo Moeller]
   8373 
   8374   *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
   8375      the handshake is continued after ssl_verify_cert_chain();
   8376      otherwise, if SSL_VERIFY_NONE is set, remaining error codes
   8377      can lead to 'unexplainable' connection aborts later.
   8378      [Bodo Moeller; problem tracked down by Lutz Jaenicke]
   8379 
   8380   *) Major EVP API cipher revision.
   8381      Add hooks for extra EVP features. This allows various cipher
   8382      parameters to be set in the EVP interface. Support added for variable
   8383      key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
   8384      setting of RC2 and RC5 parameters.
   8385 
   8386      Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
   8387      ciphers.
   8388 
   8389      Remove lots of duplicated code from the EVP library. For example *every*
   8390      cipher init() function handles the 'iv' in the same way according to the
   8391      cipher mode. They also all do nothing if the 'key' parameter is NULL and
   8392      for CFB and OFB modes they zero ctx->num.
   8393 
   8394      New functionality allows removal of S/MIME code RC2 hack.
   8395 
   8396      Most of the routines have the same form and so can be declared in terms
   8397      of macros.
   8398 
   8399      By shifting this to the top level EVP_CipherInit() it can be removed from
   8400      all individual ciphers. If the cipher wants to handle IVs or keys
   8401      differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
   8402      flags.
   8403 
   8404      Change lots of functions like EVP_EncryptUpdate() to now return a
   8405      value: although software versions of the algorithms cannot fail
   8406      any installed hardware versions can.
   8407      [Steve Henson]
   8408 
   8409   *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
   8410      this option is set, tolerate broken clients that send the negotiated
   8411      protocol version number instead of the requested protocol version
   8412      number.
   8413      [Bodo Moeller]
   8414 
   8415   *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
   8416      i.e. non-zero for export ciphersuites, zero otherwise.
   8417      Previous versions had this flag inverted, inconsistent with
   8418      rsa_tmp_cb (..._TMP_RSA_CB).
   8419      [Bodo Moeller; problem reported by Amit Chopra]
   8420 
   8421   *) Add missing DSA library text string. Work around for some IIS
   8422      key files with invalid SEQUENCE encoding.
   8423      [Steve Henson]
   8424 
   8425   *) Add a document (doc/standards.txt) that list all kinds of standards
   8426      and so on that are implemented in OpenSSL.
   8427      [Richard Levitte]
   8428 
   8429   *) Enhance c_rehash script. Old version would mishandle certificates
   8430      with the same subject name hash and wouldn't handle CRLs at all.
   8431      Added -fingerprint option to crl utility, to support new c_rehash
   8432      features.
   8433      [Steve Henson]
   8434 
   8435   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
   8436      [Ulf Mller]
   8437 
   8438   *) Fix for SSL server purpose checking. Server checking was
   8439      rejecting certificates which had extended key usage present
   8440      but no ssl client purpose.
   8441      [Steve Henson, reported by Rene Grosser <grosser (a] hisolutions.com>]
   8442 
   8443   *) Make PKCS#12 code work with no password. The PKCS#12 spec
   8444      is a little unclear about how a blank password is handled.
   8445      Since the password in encoded as a BMPString with terminating
   8446      double NULL a zero length password would end up as just the
   8447      double NULL. However no password at all is different and is
   8448      handled differently in the PKCS#12 key generation code. NS
   8449      treats a blank password as zero length. MSIE treats it as no
   8450      password on export: but it will try both on import. We now do
   8451      the same: PKCS12_parse() tries zero length and no password if
   8452      the password is set to "" or NULL (NULL is now a valid password:
   8453      it wasn't before) as does the pkcs12 application.
   8454      [Steve Henson]
   8455 
   8456   *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
   8457      perror when PEM_read_bio_X509_REQ fails, the error message must
   8458      be obtained from the error queue.
   8459      [Bodo Moeller]
   8460 
   8461   *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
   8462      it in ERR_remove_state if appropriate, and change ERR_get_state
   8463      accordingly to avoid race conditions (this is necessary because
   8464      thread_hash is no longer constant once set).
   8465      [Bodo Moeller]
   8466 
   8467   *) Bugfix for linux-elf makefile.one.
   8468      [Ulf Mller]
   8469 
   8470   *) RSA_get_default_method() will now cause a default
   8471      RSA_METHOD to be chosen if one doesn't exist already.
   8472      Previously this was only set during a call to RSA_new()
   8473      or RSA_new_method(NULL) meaning it was possible for
   8474      RSA_get_default_method() to return NULL.
   8475      [Geoff Thorpe]
   8476 
   8477   *) Added native name translation to the existing DSO code
   8478      that will convert (if the flag to do so is set) filenames
   8479      that are sufficiently small and have no path information
   8480      into a canonical native form. Eg. "blah" converted to
   8481      "libblah.so" or "blah.dll" etc.
   8482      [Geoff Thorpe]
   8483 
   8484   *) New function ERR_error_string_n(e, buf, len) which is like
   8485      ERR_error_string(e, buf), but writes at most 'len' bytes
   8486      including the 0 terminator.  For ERR_error_string_n, 'buf'
   8487      may not be NULL.
   8488      [Damien Miller <djm (a] mindrot.org>, Bodo Moeller]
   8489 
   8490   *) CONF library reworked to become more general.  A new CONF
   8491      configuration file reader "class" is implemented as well as a
   8492      new functions (NCONF_*, for "New CONF") to handle it.  The now
   8493      old CONF_* functions are still there, but are reimplemented to
   8494      work in terms of the new functions.  Also, a set of functions
   8495      to handle the internal storage of the configuration data is
   8496      provided to make it easier to write new configuration file
   8497      reader "classes" (I can definitely see something reading a
   8498      configuration file in XML format, for example), called _CONF_*,
   8499      or "the configuration storage API"...
   8500 
   8501      The new configuration file reading functions are:
   8502 
   8503         NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
   8504         NCONF_get_section, NCONF_get_string, NCONF_get_numbre
   8505 
   8506         NCONF_default, NCONF_WIN32
   8507 
   8508         NCONF_dump_fp, NCONF_dump_bio
   8509 
   8510      NCONF_default and NCONF_WIN32 are method (or "class") choosers,
   8511      NCONF_new creates a new CONF object.  This works in the same way
   8512      as other interfaces in OpenSSL, like the BIO interface.
   8513      NCONF_dump_* dump the internal storage of the configuration file,
   8514      which is useful for debugging.  All other functions take the same
   8515      arguments as the old CONF_* functions wth the exception of the
   8516      first that must be a `CONF *' instead of a `LHASH *'.
   8517 
   8518      To make it easer to use the new classes with the old CONF_* functions,
   8519      the function CONF_set_default_method is provided.
   8520      [Richard Levitte]
   8521 
   8522   *) Add '-tls1' option to 'openssl ciphers', which was already
   8523      mentioned in the documentation but had not been implemented.
   8524      (This option is not yet really useful because even the additional
   8525      experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
   8526      [Bodo Moeller]
   8527 
   8528   *) Initial DSO code added into libcrypto for letting OpenSSL (and
   8529      OpenSSL-based applications) load shared libraries and bind to
   8530      them in a portable way.
   8531      [Geoff Thorpe, with contributions from Richard Levitte]
   8532 
   8533  Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
   8534 
   8535   *) Make sure _lrotl and _lrotr are only used with MSVC.
   8536 
   8537   *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
   8538      (the default implementation of RAND_status).
   8539 
   8540   *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
   8541      to '-clrext' (= clear extensions), as intended and documented.
   8542      [Bodo Moeller; inconsistency pointed out by Michael Attili
   8543      <attili (a] amaxo.com>]
   8544 
   8545   *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
   8546      was larger than the MD block size.      
   8547      [Steve Henson, pointed out by Yost William <YostW (a] tce.com>]
   8548 
   8549   *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
   8550      fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
   8551      using the passed key: if the passed key was a private key the result
   8552      of X509_print(), for example, would be to print out all the private key
   8553      components.
   8554      [Steve Henson]
   8555 
   8556   *) des_quad_cksum() byte order bug fix.
   8557      [Ulf Mller, using the problem description in krb4-0.9.7, where
   8558       the solution is attributed to Derrick J Brashear <shadow (a] DEMENTIA.ORG>]
   8559 
   8560   *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
   8561      discouraged.
   8562      [Steve Henson, pointed out by Brian Korver <briank (a] cs.stanford.edu>]
   8563 
   8564   *) For easily testing in shell scripts whether some command
   8565      'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
   8566      returns with exit code 0 iff no command of the given name is available.
   8567      'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
   8568      the output goes to stdout and nothing is printed to stderr.
   8569      Additional arguments are always ignored.
   8570 
   8571      Since for each cipher there is a command of the same name,
   8572      the 'no-cipher' compilation switches can be tested this way.
   8573 
   8574      ('openssl no-XXX' is not able to detect pseudo-commands such
   8575      as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
   8576      [Bodo Moeller]
   8577 
   8578   *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
   8579      [Bodo Moeller]
   8580 
   8581   *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
   8582      is set; it will be thrown away anyway because each handshake creates
   8583      its own key.
   8584      ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
   8585      to parameters -- in previous versions (since OpenSSL 0.9.3) the
   8586      'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
   8587      you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
   8588      [Bodo Moeller]
   8589 
   8590   *) New s_client option -ign_eof: EOF at stdin is ignored, and
   8591      'Q' and 'R' lose their special meanings (quit/renegotiate).
   8592      This is part of what -quiet does; unlike -quiet, -ign_eof
   8593      does not suppress any output.
   8594      [Richard Levitte]
   8595 
   8596   *) Add compatibility options to the purpose and trust code. The
   8597      purpose X509_PURPOSE_ANY is "any purpose" which automatically
   8598      accepts a certificate or CA, this was the previous behaviour,
   8599      with all the associated security issues.
   8600 
   8601      X509_TRUST_COMPAT is the old trust behaviour: only and
   8602      automatically trust self signed roots in certificate store. A
   8603      new trust setting X509_TRUST_DEFAULT is used to specify that
   8604      a purpose has no associated trust setting and it should instead
   8605      use the value in the default purpose.
   8606      [Steve Henson]
   8607 
   8608   *) Fix the PKCS#8 DSA private key code so it decodes keys again
   8609      and fix a memory leak.
   8610      [Steve Henson]
   8611 
   8612   *) In util/mkerr.pl (which implements 'make errors'), preserve
   8613      reason strings from the previous version of the .c file, as
   8614      the default to have only downcase letters (and digits) in
   8615      automatically generated reasons codes is not always appropriate.
   8616      [Bodo Moeller]
   8617 
   8618   *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
   8619      using strerror.  Previously, ERR_reason_error_string() returned
   8620      library names as reason strings for SYSerr; but SYSerr is a special
   8621      case where small numbers are errno values, not library numbers.
   8622      [Bodo Moeller]
   8623 
   8624   *) Add '-dsaparam' option to 'openssl dhparam' application.  This
   8625      converts DSA parameters into DH parameters. (When creating parameters,
   8626      DSA_generate_parameters is used.)
   8627      [Bodo Moeller]
   8628 
   8629   *) Include 'length' (recommended exponent length) in C code generated
   8630      by 'openssl dhparam -C'.
   8631      [Bodo Moeller]
   8632 
   8633   *) The second argument to set_label in perlasm was already being used
   8634      so couldn't be used as a "file scope" flag. Moved to third argument
   8635      which was free.
   8636      [Steve Henson]
   8637 
   8638   *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
   8639      instead of RAND_bytes for encryption IVs and salts.
   8640      [Bodo Moeller]
   8641 
   8642   *) Include RAND_status() into RAND_METHOD instead of implementing
   8643      it only for md_rand.c  Otherwise replacing the PRNG by calling
   8644      RAND_set_rand_method would be impossible.
   8645      [Bodo Moeller]
   8646 
   8647   *) Don't let DSA_generate_key() enter an infinite loop if the random
   8648      number generation fails.
   8649      [Bodo Moeller]
   8650 
   8651   *) New 'rand' application for creating pseudo-random output.
   8652      [Bodo Moeller]
   8653 
   8654   *) Added configuration support for Linux/IA64
   8655      [Rolf Haberrecker <rolf (a] suse.de>]
   8656 
   8657   *) Assembler module support for Mingw32.
   8658      [Ulf Mller]
   8659 
   8660   *) Shared library support for HPUX (in shlib/).
   8661      [Lutz Jaenicke <Lutz.Jaenicke (a] aet.TU-Cottbus.DE> and Anonymous]
   8662 
   8663   *) Shared library support for Solaris gcc.
   8664      [Lutz Behnke <behnke (a] trustcenter.de>]
   8665 
   8666  Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
   8667 
   8668   *) PKCS7_encrypt() was adding text MIME headers twice because they
   8669      were added manually and by SMIME_crlf_copy().
   8670      [Steve Henson]
   8671 
   8672   *) In bntest.c don't call BN_rand with zero bits argument.
   8673      [Steve Henson, pointed out by Andrew W. Gray <agray (a] iconsinc.com>]
   8674 
   8675   *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
   8676      case was implemented. This caused BN_div_recp() to fail occasionally.
   8677      [Ulf Mller]
   8678 
   8679   *) Add an optional second argument to the set_label() in the perl
   8680      assembly language builder. If this argument exists and is set
   8681      to 1 it signals that the assembler should use a symbol whose 
   8682      scope is the entire file, not just the current function. This
   8683      is needed with MASM which uses the format label:: for this scope.
   8684      [Steve Henson, pointed out by Peter Runestig <peter (a] runestig.com>]
   8685 
   8686   *) Change the ASN1 types so they are typedefs by default. Before
   8687      almost all types were #define'd to ASN1_STRING which was causing
   8688      STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
   8689      for example.
   8690      [Steve Henson]
   8691 
   8692   *) Change names of new functions to the new get1/get0 naming
   8693      convention: After 'get1', the caller owns a reference count
   8694      and has to call ..._free; 'get0' returns a pointer to some
   8695      data structure without incrementing reference counters.
   8696      (Some of the existing 'get' functions increment a reference
   8697      counter, some don't.)
   8698      Similarly, 'set1' and 'add1' functions increase reference
   8699      counters or duplicate objects.
   8700      [Steve Henson]
   8701 
   8702   *) Allow for the possibility of temp RSA key generation failure:
   8703      the code used to assume it always worked and crashed on failure.
   8704      [Steve Henson]
   8705 
   8706   *) Fix potential buffer overrun problem in BIO_printf().
   8707      [Ulf Mller, using public domain code by Patrick Powell; problem
   8708       pointed out by David Sacerdote <das33 (a] cornell.edu>]
   8709 
   8710   *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
   8711      RAND_egd() and RAND_status().  In the command line application,
   8712      the EGD socket can be specified like a seed file using RANDFILE
   8713      or -rand.
   8714      [Ulf Mller]
   8715 
   8716   *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
   8717      Some CAs (e.g. Verisign) distribute certificates in this form.
   8718      [Steve Henson]
   8719 
   8720   *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
   8721      list to exclude them. This means that no special compilation option
   8722      is needed to use anonymous DH: it just needs to be included in the
   8723      cipher list.
   8724      [Steve Henson]
   8725 
   8726   *) Change the EVP_MD_CTX_type macro so its meaning consistent with
   8727      EVP_MD_type. The old functionality is available in a new macro called
   8728      EVP_MD_md(). Change code that uses it and update docs.
   8729      [Steve Henson]
   8730 
   8731   *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
   8732      where the 'void *' argument is replaced by a function pointer argument.
   8733      Previously 'void *' was abused to point to functions, which works on
   8734      many platforms, but is not correct.  As these functions are usually
   8735      called by macros defined in OpenSSL header files, most source code
   8736      should work without changes.
   8737      [Richard Levitte]
   8738 
   8739   *) <openssl/opensslconf.h> (which is created by Configure) now contains
   8740      sections with information on -D... compiler switches used for
   8741      compiling the library so that applications can see them.  To enable
   8742      one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
   8743      must be defined.  E.g.,
   8744         #define OPENSSL_ALGORITHM_DEFINES
   8745         #include <openssl/opensslconf.h>
   8746      defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
   8747      [Richard Levitte, Ulf and Bodo Mller]
   8748 
   8749   *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
   8750      record layer.
   8751      [Bodo Moeller]
   8752 
   8753   *) Change the 'other' type in certificate aux info to a STACK_OF
   8754      X509_ALGOR. Although not an AlgorithmIdentifier as such it has
   8755      the required ASN1 format: arbitrary types determined by an OID.
   8756      [Steve Henson]
   8757 
   8758   *) Add some PEM_write_X509_REQ_NEW() functions and a command line
   8759      argument to 'req'. This is not because the function is newer or
   8760      better than others it just uses the work 'NEW' in the certificate
   8761      request header lines. Some software needs this.
   8762      [Steve Henson]
   8763 
   8764   *) Reorganise password command line arguments: now passwords can be
   8765      obtained from various sources. Delete the PEM_cb function and make
   8766      it the default behaviour: i.e. if the callback is NULL and the
   8767      usrdata argument is not NULL interpret it as a null terminated pass
   8768      phrase. If usrdata and the callback are NULL then the pass phrase
   8769      is prompted for as usual.
   8770      [Steve Henson]
   8771 
   8772   *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
   8773      the support is automatically enabled. The resulting binaries will
   8774      autodetect the card and use it if present.
   8775      [Ben Laurie and Compaq Inc.]
   8776 
   8777   *) Work around for Netscape hang bug. This sends certificate request
   8778      and server done in one record. Since this is perfectly legal in the
   8779      SSL/TLS protocol it isn't a "bug" option and is on by default. See
   8780      the bugs/SSLv3 entry for more info.
   8781      [Steve Henson]
   8782 
   8783   *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
   8784      [Andy Polyakov]
   8785 
   8786   *) Add -rand argument to smime and pkcs12 applications and read/write
   8787      of seed file.
   8788      [Steve Henson]
   8789 
   8790   *) New 'passwd' tool for crypt(3) and apr1 password hashes.
   8791      [Bodo Moeller]
   8792 
   8793   *) Add command line password options to the remaining applications.
   8794      [Steve Henson]
   8795 
   8796   *) Bug fix for BN_div_recp() for numerators with an even number of
   8797      bits.
   8798      [Ulf Mller]
   8799 
   8800   *) More tests in bntest.c, and changed test_bn output.
   8801      [Ulf Mller]
   8802 
   8803   *) ./config recognizes MacOS X now.
   8804      [Andy Polyakov]
   8805 
   8806   *) Bug fix for BN_div() when the first words of num and divsor are
   8807      equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
   8808      [Ulf Mller]
   8809 
   8810   *) Add support for various broken PKCS#8 formats, and command line
   8811      options to produce them.
   8812      [Steve Henson]
   8813 
   8814   *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
   8815      get temporary BIGNUMs from a BN_CTX.
   8816      [Ulf Mller]
   8817 
   8818   *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
   8819      for p == 0.
   8820      [Ulf Mller]
   8821 
   8822   *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
   8823      include a #define from the old name to the new. The original intent
   8824      was that statically linked binaries could for example just call
   8825      SSLeay_add_all_ciphers() to just add ciphers to the table and not
   8826      link with digests. This never worked becayse SSLeay_add_all_digests()
   8827      and SSLeay_add_all_ciphers() were in the same source file so calling
   8828      one would link with the other. They are now in separate source files.
   8829      [Steve Henson]
   8830 
   8831   *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
   8832      [Steve Henson]
   8833 
   8834   *) Use a less unusual form of the Miller-Rabin primality test (it used
   8835      a binary algorithm for exponentiation integrated into the Miller-Rabin
   8836      loop, our standard modexp algorithms are faster).
   8837      [Bodo Moeller]
   8838 
   8839   *) Support for the EBCDIC character set completed.
   8840      [Martin Kraemer <Martin.Kraemer (a] Mch.SNI.De>]
   8841 
   8842   *) Source code cleanups: use const where appropriate, eliminate casts,
   8843      use void * instead of char * in lhash.
   8844      [Ulf Mller] 
   8845 
   8846   *) Bugfix: ssl3_send_server_key_exchange was not restartable
   8847      (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
   8848      this the server could overwrite ephemeral keys that the client
   8849      has already seen).
   8850      [Bodo Moeller]
   8851 
   8852   *) Turn DSA_is_prime into a macro that calls BN_is_prime,
   8853      using 50 iterations of the Rabin-Miller test.
   8854 
   8855      DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
   8856      iterations of the Rabin-Miller test as required by the appendix
   8857      to FIPS PUB 186[-1]) instead of DSA_is_prime.
   8858      As BN_is_prime_fasttest includes trial division, DSA parameter
   8859      generation becomes much faster.
   8860 
   8861      This implies a change for the callback functions in DSA_is_prime
   8862      and DSA_generate_parameters: The callback function is called once
   8863      for each positive witness in the Rabin-Miller test, not just
   8864      occasionally in the inner loop; and the parameters to the
   8865      callback function now provide an iteration count for the outer
   8866      loop rather than for the current invocation of the inner loop.
   8867      DSA_generate_parameters additionally can call the callback
   8868      function with an 'iteration count' of -1, meaning that a
   8869      candidate has passed the trial division test (when q is generated 
   8870      from an application-provided seed, trial division is skipped).
   8871      [Bodo Moeller]
   8872 
   8873   *) New function BN_is_prime_fasttest that optionally does trial
   8874      division before starting the Rabin-Miller test and has
   8875      an additional BN_CTX * argument (whereas BN_is_prime always
   8876      has to allocate at least one BN_CTX).
   8877      'callback(1, -1, cb_arg)' is called when a number has passed the
   8878      trial division stage.
   8879      [Bodo Moeller]
   8880 
   8881   *) Fix for bug in CRL encoding. The validity dates weren't being handled
   8882      as ASN1_TIME.
   8883      [Steve Henson]
   8884 
   8885   *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
   8886      [Steve Henson]
   8887 
   8888   *) New function BN_pseudo_rand().
   8889      [Ulf Mller]
   8890 
   8891   *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
   8892      bignum version of BN_from_montgomery() with the working code from
   8893      SSLeay 0.9.0 (the word based version is faster anyway), and clean up
   8894      the comments.
   8895      [Ulf Mller]
   8896 
   8897   *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
   8898      made it impossible to use the same SSL_SESSION data structure in
   8899      SSL2 clients in multiple threads.
   8900      [Bodo Moeller]
   8901 
   8902   *) The return value of RAND_load_file() no longer counts bytes obtained
   8903      by stat().  RAND_load_file(..., -1) is new and uses the complete file
   8904      to seed the PRNG (previously an explicit byte count was required).
   8905      [Ulf Mller, Bodo Mller]
   8906 
   8907   *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
   8908      used (char *) instead of (void *) and had casts all over the place.
   8909      [Steve Henson]
   8910 
   8911   *) Make BN_generate_prime() return NULL on error if ret!=NULL.
   8912      [Ulf Mller]
   8913 
   8914   *) Retain source code compatibility for BN_prime_checks macro:
   8915      BN_is_prime(..., BN_prime_checks, ...) now uses
   8916      BN_prime_checks_for_size to determine the appropriate number of
   8917      Rabin-Miller iterations.
   8918      [Ulf M