Home | History | Annotate | Line # | Download | only in dist
      2  OpenSSL CHANGES
      3  _______________
      5  Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
      7   *) Missing CRL sanity check
      9      A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
     10      but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
     11      CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
     13      This issue only affects the OpenSSL 1.0.2i
     14      (CVE-2016-7052)
     15      [Matt Caswell]
     17  Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
     19   *) OCSP Status Request extension unbounded memory growth
     21      A malicious client can send an excessively large OCSP Status Request
     22      extension. If that client continually requests renegotiation, sending a
     23      large OCSP Status Request extension each time, then there will be unbounded
     24      memory growth on the server. This will eventually lead to a Denial Of
     25      Service attack through memory exhaustion. Servers with a default
     26      configuration are vulnerable even if they do not support OCSP. Builds using
     27      the "no-ocsp" build time option are not affected.
     29      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     30      (CVE-2016-6304)
     31      [Matt Caswell]
     33   *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
     34      HIGH to MEDIUM.
     36      This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
     37      Leurent (INRIA)
     38      (CVE-2016-2183)
     39      [Rich Salz]
     41   *) OOB write in MDC2_Update()
     43      An overflow can occur in MDC2_Update() either if called directly or
     44      through the EVP_DigestUpdate() function using MDC2. If an attacker
     45      is able to supply very large amounts of input data after a previous
     46      call to EVP_EncryptUpdate() with a partial block then a length check
     47      can overflow resulting in a heap corruption.
     49      The amount of data needed is comparable to SIZE_MAX which is impractical
     50      on most platforms.
     52      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     53      (CVE-2016-6303)
     54      [Stephen Henson]
     56   *) Malformed SHA512 ticket DoS
     58      If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
     59      DoS attack where a malformed ticket will result in an OOB read which will
     60      ultimately crash.
     62      The use of SHA512 in TLS session tickets is comparatively rare as it requires
     63      a custom server callback and ticket lookup mechanism.
     65      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     66      (CVE-2016-6302)
     67      [Stephen Henson]
     69   *) OOB write in BN_bn2dec()
     71      The function BN_bn2dec() does not check the return value of BN_div_word().
     72      This can cause an OOB write if an application uses this function with an
     73      overly large BIGNUM. This could be a problem if an overly large certificate
     74      or CRL is printed out from an untrusted source. TLS is not affected because
     75      record limits will reject an oversized certificate before it is parsed.
     77      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     78      (CVE-2016-2182)
     79      [Stephen Henson]
     81   *) OOB read in TS_OBJ_print_bio()
     83      The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
     84      the total length the OID text representation would use and not the amount
     85      of data written. This will result in OOB reads when large OIDs are
     86      presented.
     88      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
     89      (CVE-2016-2180)
     90      [Stephen Henson]
     92   *) Pointer arithmetic undefined behaviour
     94      Avoid some undefined pointer arithmetic
     96      A common idiom in the codebase is to check limits in the following manner:
     97      "p + len > limit"
     99      Where "p" points to some malloc'd data of SIZE bytes and
    100      limit == p + SIZE
    102      "len" here could be from some externally supplied data (e.g. from a TLS
    103      message).
    105      The rules of C pointer arithmetic are such that "p + len" is only well
    106      defined where len <= SIZE. Therefore the above idiom is actually
    107      undefined behaviour.
    109      For example this could cause problems if some malloc implementation
    110      provides an address for "p" such that "p + len" actually overflows for
    111      values of len that are too big and therefore p + len < limit.
    113      This issue was reported to OpenSSL by Guido Vranken
    114      (CVE-2016-2177)
    115      [Matt Caswell]
    117   *) Constant time flag not preserved in DSA signing
    119      Operations in the DSA signing algorithm should run in constant time in
    120      order to avoid side channel attacks. A flaw in the OpenSSL DSA
    121      implementation means that a non-constant time codepath is followed for
    122      certain operations. This has been demonstrated through a cache-timing
    123      attack to be sufficient for an attacker to recover the private DSA key.
    125      This issue was reported by Csar Pereida (Aalto University), Billy Brumley
    126      (Tampere University of Technology), and Yuval Yarom (The University of
    127      Adelaide and NICTA).
    128      (CVE-2016-2178)
    129      [Csar Pereida]
    131   *) DTLS buffered message DoS
    133      In a DTLS connection where handshake messages are delivered out-of-order
    134      those messages that OpenSSL is not yet ready to process will be buffered
    135      for later use. Under certain circumstances, a flaw in the logic means that
    136      those messages do not get removed from the buffer even though the handshake
    137      has been completed. An attacker could force up to approx. 15 messages to
    138      remain in the buffer when they are no longer required. These messages will
    139      be cleared when the DTLS connection is closed. The default maximum size for
    140      a message is 100k. Therefore the attacker could force an additional 1500k
    141      to be consumed per connection. By opening many simulataneous connections an
    142      attacker could cause a DoS attack through memory exhaustion.
    144      This issue was reported to OpenSSL by Quan Luo.
    145      (CVE-2016-2179)
    146      [Matt Caswell]
    148   *) DTLS replay protection DoS
    150      A flaw in the DTLS replay attack protection mechanism means that records
    151      that arrive for future epochs update the replay protection "window" before
    152      the MAC for the record has been validated. This could be exploited by an
    153      attacker by sending a record for the next epoch (which does not have to
    154      decrypt or have a valid MAC), with a very large sequence number. This means
    155      that all subsequent legitimate packets are dropped causing a denial of
    156      service for a specific DTLS connection.
    158      This issue was reported to OpenSSL by the OCAP audit team.
    159      (CVE-2016-2181)
    160      [Matt Caswell]
    162   *) Certificate message OOB reads
    164      In OpenSSL 1.0.2 and earlier some missing message length checks can result
    165      in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
    166      theoretical DoS risk but this has not been observed in practice on common
    167      platforms.
    169      The messages affected are client certificate, client certificate request
    170      and server certificate. As a result the attack can only be performed
    171      against a client or a server which enables client authentication.
    173      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
    174      (CVE-2016-6306)
    175      [Stephen Henson]
    177  Changes between 1.0.2g and 1.0.2h [3 May 2016]
    179   *) Prevent padding oracle in AES-NI CBC MAC check
    181      A MITM attacker can use a padding oracle attack to decrypt traffic
    182      when the connection uses an AES CBC cipher and the server support
    183      AES-NI.
    185      This issue was introduced as part of the fix for Lucky 13 padding
    186      attack (CVE-2013-0169). The padding check was rewritten to be in
    187      constant time by making sure that always the same bytes are read and
    188      compared against either the MAC or padding bytes. But it no longer
    189      checked that there was enough data to have both the MAC and padding
    190      bytes.
    192      This issue was reported by Juraj Somorovsky using TLS-Attacker.
    193      (CVE-2016-2107)
    194      [Kurt Roeckx]
    196   *) Fix EVP_EncodeUpdate overflow
    198      An overflow can occur in the EVP_EncodeUpdate() function which is used for
    199      Base64 encoding of binary data. If an attacker is able to supply very large
    200      amounts of input data then a length check can overflow resulting in a heap
    201      corruption.
    203      Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
    204      the PEM_write_bio* family of functions. These are mainly used within the
    205      OpenSSL command line applications, so any application which processes data
    206      from an untrusted source and outputs it as a PEM file should be considered
    207      vulnerable to this issue. User applications that call these APIs directly
    208      with large amounts of untrusted data may also be vulnerable.
    210      This issue was reported by Guido Vranken.
    211      (CVE-2016-2105)
    212      [Matt Caswell]
    214   *) Fix EVP_EncryptUpdate overflow
    216      An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
    217      is able to supply very large amounts of input data after a previous call to
    218      EVP_EncryptUpdate() with a partial block then a length check can overflow
    219      resulting in a heap corruption. Following an analysis of all OpenSSL
    220      internal usage of the EVP_EncryptUpdate() function all usage is one of two
    221      forms. The first form is where the EVP_EncryptUpdate() call is known to be
    222      the first called function after an EVP_EncryptInit(), and therefore that
    223      specific call must be safe. The second form is where the length passed to
    224      EVP_EncryptUpdate() can be seen from the code to be some small value and
    225      therefore there is no possibility of an overflow. Since all instances are
    226      one of these two forms, it is believed that there can be no overflows in
    227      internal code due to this problem. It should be noted that
    228      EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
    229      Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
    230      of these calls have also been analysed too and it is believed there are no
    231      instances in internal usage where an overflow could occur.
    233      This issue was reported by Guido Vranken.
    234      (CVE-2016-2106)
    235      [Matt Caswell]
    237   *) Prevent ASN.1 BIO excessive memory allocation
    239      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
    240      a short invalid encoding can casuse allocation of large amounts of memory
    241      potentially consuming excessive resources or exhausting memory.
    243      Any application parsing untrusted data through d2i BIO functions is
    244      affected. The memory based functions such as d2i_X509() are *not* affected.
    245      Since the memory based functions are used by the TLS library, TLS
    246      applications are not affected.
    248      This issue was reported by Brian Carpenter.
    249      (CVE-2016-2109)
    250      [Stephen Henson]
    252   *) EBCDIC overread
    254      ASN1 Strings that are over 1024 bytes can cause an overread in applications
    255      using the X509_NAME_oneline() function on EBCDIC systems. This could result
    256      in arbitrary stack data being returned in the buffer.
    258      This issue was reported by Guido Vranken.
    259      (CVE-2016-2176)
    260      [Matt Caswell]
    262   *) Modify behavior of ALPN to invoke callback after SNI/servername
    263      callback, such that updates to the SSL_CTX affect ALPN.
    264      [Todd Short]
    266   *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
    267      default.
    268      [Kurt Roeckx]
    270   *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
    271      methods are enabled and ssl2 is disabled the methods return NULL.
    272      [Kurt Roeckx]
    274  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
    276   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
    277     Builds that are not configured with "enable-weak-ssl-ciphers" will not
    278     provide any "EXPORT" or "LOW" strength ciphers.
    279     [Viktor Dukhovni]
    281   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    282     is by default disabled at build-time.  Builds that are not configured with
    283     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    284     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    285     will need to explicitly call either of:
    287         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    288     or
    289         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
    291     as appropriate.  Even if either of those is used, or the application
    292     explicitly uses the version-specific SSLv2_method() or its client and
    293     server variants, SSLv2 ciphers vulnerable to exhaustive search key
    294     recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    295     ciphers, and SSLv2 56-bit DES are no longer available.
    296     (CVE-2016-0800)
    297     [Viktor Dukhovni]
    299   *) Fix a double-free in DSA code
    301      A double free bug was discovered when OpenSSL parses malformed DSA private
    302      keys and could lead to a DoS attack or memory corruption for applications
    303      that receive DSA private keys from untrusted sources.  This scenario is
    304      considered rare.
    306      This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
    307      libFuzzer.
    308      (CVE-2016-0705)
    309      [Stephen Henson]
    311   *) Disable SRP fake user seed to address a server memory leak.
    313      Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
    315      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
    316      In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
    317      was changed to ignore the "fake user" SRP seed, even if the seed
    318      is configured.
    320      Users should use SRP_VBASE_get1_by_user instead. Note that in
    321      SRP_VBASE_get1_by_user, caller must free the returned value. Note
    322      also that even though configuring the SRP seed attempts to hide
    323      invalid usernames by continuing the handshake with fake
    324      credentials, this behaviour is not constant time and no strong
    325      guarantees are made that the handshake is indistinguishable from
    326      that of a valid user.
    327      (CVE-2016-0798)
    328      [Emilia Ksper]
    330   *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
    332      In the BN_hex2bn function the number of hex digits is calculated using an
    333      int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
    334      large values of |i| this can result in |bn_expand| not allocating any
    335      memory because |i * 4| is negative. This can leave the internal BIGNUM data
    336      field as NULL leading to a subsequent NULL ptr deref. For very large values
    337      of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
    338      In this case memory is allocated to the internal BIGNUM data field, but it
    339      is insufficiently sized leading to heap corruption. A similar issue exists
    340      in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
    341      is ever called by user applications with very large untrusted hex/dec data.
    342      This is anticipated to be a rare occurrence.
    344      All OpenSSL internal usage of these functions use data that is not expected
    345      to be untrusted, e.g. config file data or application command line
    346      arguments. If user developed applications generate config file data based
    347      on untrusted data then it is possible that this could also lead to security
    348      consequences. This is also anticipated to be rare.
    350      This issue was reported to OpenSSL by Guido Vranken.
    351      (CVE-2016-0797)
    352      [Matt Caswell]
    354   *) Fix memory issues in BIO_*printf functions
    356      The internal |fmtstr| function used in processing a "%s" format string in
    357      the BIO_*printf functions could overflow while calculating the length of a
    358      string and cause an OOB read when printing very long strings.
    360      Additionally the internal |doapr_outch| function can attempt to write to an
    361      OOB memory location (at an offset from the NULL pointer) in the event of a
    362      memory allocation failure. In 1.0.2 and below this could be caused where
    363      the size of a buffer to be allocated is greater than INT_MAX. E.g. this
    364      could be in processing a very long "%s" format string. Memory leaks can
    365      also occur.
    367      The first issue may mask the second issue dependent on compiler behaviour.
    368      These problems could enable attacks where large amounts of untrusted data
    369      is passed to the BIO_*printf functions. If applications use these functions
    370      in this way then they could be vulnerable. OpenSSL itself uses these
    371      functions when printing out human-readable dumps of ASN.1 data. Therefore
    372      applications that print this data could be vulnerable if the data is from
    373      untrusted sources. OpenSSL command line applications could also be
    374      vulnerable where they print out ASN.1 data, or if untrusted data is passed
    375      as command line arguments.
    377      Libssl is not considered directly vulnerable. Additionally certificates etc
    378      received via remote connections via libssl are also unlikely to be able to
    379      trigger these issues because of message size limits enforced within libssl.
    381      This issue was reported to OpenSSL Guido Vranken.
    382      (CVE-2016-0799)
    383      [Matt Caswell]
    385   *) Side channel attack on modular exponentiation
    387      A side-channel attack was found which makes use of cache-bank conflicts on
    388      the Intel Sandy-Bridge microarchitecture which could lead to the recovery
    389      of RSA keys.  The ability to exploit this issue is limited as it relies on
    390      an attacker who has control of code in a thread running on the same
    391      hyper-threaded core as the victim thread which is performing decryptions.
    393      This issue was reported to OpenSSL by Yuval Yarom, The University of
    394      Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
    395      Nadia Heninger, University of Pennsylvania with more information at
    396      http://cachebleed.info.
    397      (CVE-2016-0702)
    398      [Andy Polyakov]
    400   *) Change the req app to generate a 2048-bit RSA/DSA key by default,
    401      if no keysize is specified with default_bits. This fixes an
    402      omission in an earlier change that changed all RSA/DSA key generation
    403      apps to use 2048 bits by default.
    404      [Emilia Ksper]
    406  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
    408   *) DH small subgroups
    410      Historically OpenSSL only ever generated DH parameters based on "safe"
    411      primes. More recently (in version 1.0.2) support was provided for
    412      generating X9.42 style parameter files such as those required for RFC 5114
    413      support. The primes used in such files may not be "safe". Where an
    414      application is using DH configured with parameters based on primes that are
    415      not "safe" then an attacker could use this fact to find a peer's private
    416      DH exponent. This attack requires that the attacker complete multiple
    417      handshakes in which the peer uses the same private DH exponent. For example
    418      this could be used to discover a TLS server's private DH exponent if it's
    419      reusing the private DH exponent or it's using a static DH ciphersuite.
    421      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
    422      TLS. It is not on by default. If the option is not set then the server
    423      reuses the same private DH exponent for the life of the server process and
    424      would be vulnerable to this attack. It is believed that many popular
    425      applications do set this option and would therefore not be at risk.
    427      The fix for this issue adds an additional check where a "q" parameter is
    428      available (as is the case in X9.42 based parameters). This detects the
    429      only known attack, and is the only possible defense for static DH
    430      ciphersuites. This could have some performance impact.
    432      Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
    433      default and cannot be disabled. This could have some performance impact.
    435      This issue was reported to OpenSSL by Antonio Sanso (Adobe).
    436      (CVE-2016-0701)
    437      [Matt Caswell]
    439   *) SSLv2 doesn't block disabled ciphers
    441      A malicious client can negotiate SSLv2 ciphers that have been disabled on
    442      the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
    443      been disabled, provided that the SSLv2 protocol was not also disabled via
    444      SSL_OP_NO_SSLv2.
    446      This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
    447      and Sebastian Schinzel.
    448      (CVE-2015-3197)
    449      [Viktor Dukhovni]
    451   *) Reject DH handshakes with parameters shorter than 1024 bits.
    452      [Kurt Roeckx]
    454  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
    456   *) BN_mod_exp may produce incorrect results on x86_64
    458      There is a carry propagating bug in the x86_64 Montgomery squaring
    459      procedure. No EC algorithms are affected. Analysis suggests that attacks
    460      against RSA and DSA as a result of this defect would be very difficult to
    461      perform and are not believed likely. Attacks against DH are considered just
    462      feasible (although very difficult) because most of the work necessary to
    463      deduce information about a private key may be performed offline. The amount
    464      of resources required for such an attack would be very significant and
    465      likely only accessible to a limited number of attackers. An attacker would
    466      additionally need online access to an unpatched system using the target
    467      private key in a scenario with persistent DH parameters and a private
    468      key that is shared between multiple clients. For example this can occur by
    469      default in OpenSSL DHE based SSL/TLS ciphersuites.
    471      This issue was reported to OpenSSL by Hanno Bck.
    472      (CVE-2015-3193)
    473      [Andy Polyakov]
    475   *) Certificate verify crash with missing PSS parameter
    477      The signature verification routines will crash with a NULL pointer
    478      dereference if presented with an ASN.1 signature using the RSA PSS
    479      algorithm and absent mask generation function parameter. Since these
    480      routines are used to verify certificate signature algorithms this can be
    481      used to crash any certificate verification operation and exploited in a
    482      DoS attack. Any application which performs certificate verification is
    483      vulnerable including OpenSSL clients and servers which enable client
    484      authentication.
    486      This issue was reported to OpenSSL by Loc Jonas Etienne (Qnective AG).
    487      (CVE-2015-3194)
    488      [Stephen Henson]
    490   *) X509_ATTRIBUTE memory leak
    492      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
    493      memory. This structure is used by the PKCS#7 and CMS routines so any
    494      application which reads PKCS#7 or CMS data from untrusted sources is
    495      affected. SSL/TLS is not affected.
    497      This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
    498      libFuzzer.
    499      (CVE-2015-3195)
    500      [Stephen Henson]
    502   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
    503      This changes the decoding behaviour for some invalid messages,
    504      though the change is mostly in the more lenient direction, and
    505      legacy behaviour is preserved as much as possible.
    506      [Emilia Ksper]
    508   *) In DSA_generate_parameters_ex, if the provided seed is too short,
    509      use a random seed, as already documented.
    510      [Rich Salz and Ismo Puustinen <ismo.puustinen (a] intel.com>]
    512  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
    514   *) Alternate chains certificate forgery
    516      During certificate verfification, OpenSSL will attempt to find an
    517      alternative certificate chain if the first attempt to build such a chain
    518      fails. An error in the implementation of this logic can mean that an
    519      attacker could cause certain checks on untrusted certificates to be
    520      bypassed, such as the CA flag, enabling them to use a valid leaf
    521      certificate to act as a CA and "issue" an invalid certificate.
    523      This issue was reported to OpenSSL by Adam Langley/David Benjamin
    524      (Google/BoringSSL).
    525      (CVE-2015-1793)
    526      [Matt Caswell]
    528   *) Race condition handling PSK identify hint
    530      If PSK identity hints are received by a multi-threaded client then
    531      the values are wrongly updated in the parent SSL_CTX structure. This can
    532      result in a race condition potentially leading to a double free of the
    533      identify hint data.
    534      (CVE-2015-3196)
    535      [Stephen Henson]
    537  Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
    539   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
    540      incompatibility in the handling of HMAC. The previous ABI has now been
    541      restored.
    543  Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
    545   *) Malformed ECParameters causes infinite loop
    547      When processing an ECParameters structure OpenSSL enters an infinite loop
    548      if the curve specified is over a specially malformed binary polynomial
    549      field.
    551      This can be used to perform denial of service against any
    552      system which processes public keys, certificate requests or
    553      certificates.  This includes TLS clients and TLS servers with
    554      client authentication enabled.
    556      This issue was reported to OpenSSL by Joseph Barr-Pixton.
    557      (CVE-2015-1788)
    558      [Andy Polyakov]
    560   *) Exploitable out-of-bounds read in X509_cmp_time
    562      X509_cmp_time does not properly check the length of the ASN1_TIME
    563      string and can read a few bytes out of bounds. In addition,
    564      X509_cmp_time accepts an arbitrary number of fractional seconds in the
    565      time string.
    567      An attacker can use this to craft malformed certificates and CRLs of
    568      various sizes and potentially cause a segmentation fault, resulting in
    569      a DoS on applications that verify certificates or CRLs. TLS clients
    570      that verify CRLs are affected. TLS clients and servers with client
    571      authentication enabled may be affected if they use custom verification
    572      callbacks.
    574      This issue was reported to OpenSSL by Robert Swiecki (Google), and
    575      independently by Hanno Bck.
    576      (CVE-2015-1789)
    577      [Emilia Ksper]
    579   *) PKCS7 crash with missing EnvelopedContent
    581      The PKCS#7 parsing code does not handle missing inner EncryptedContent
    582      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
    583      with missing content and trigger a NULL pointer dereference on parsing.
    585      Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
    586      structures from untrusted sources are affected. OpenSSL clients and
    587      servers are not affected.
    589      This issue was reported to OpenSSL by Michal Zalewski (Google).
    590      (CVE-2015-1790)
    591      [Emilia Ksper]
    593   *) CMS verify infinite loop with unknown hash function
    595      When verifying a signedData message the CMS code can enter an infinite loop
    596      if presented with an unknown hash function OID. This can be used to perform
    597      denial of service against any system which verifies signedData messages using
    598      the CMS code.
    599      This issue was reported to OpenSSL by Johannes Bauer.
    600      (CVE-2015-1792)
    601      [Stephen Henson]
    603   *) Race condition handling NewSessionTicket
    605      If a NewSessionTicket is received by a multi-threaded client when attempting to
    606      reuse a previous ticket then a race condition can occur potentially leading to
    607      a double free of the ticket data.
    608      (CVE-2015-1791)
    609      [Matt Caswell]
    611   *) Removed support for the two export grade static DH ciphersuites
    612      EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
    613      were newly added (along with a number of other static DH ciphersuites) to
    614      1.0.2. However the two export ones have *never* worked since they were
    615      introduced. It seems strange in any case to be adding new export
    616      ciphersuites, and given "logjam" it also does not seem correct to fix them.
    617      [Matt Caswell]
    619   *) Only support 256-bit or stronger elliptic curves with the
    620      'ecdh_auto' setting (server) or by default (client). Of supported
    621      curves, prefer P-256 (both).
    622      [Emilia Kasper]
    624   *) Reject DH handshakes with parameters shorter than 768 bits.
    625      [Kurt Roeckx and Emilia Kasper]
    627  Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
    629   *) ClientHello sigalgs DoS fix
    631      If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
    632      invalid signature algorithms extension a NULL pointer dereference will
    633      occur. This can be exploited in a DoS attack against the server.
    635      This issue was was reported to OpenSSL by David Ramos of Stanford
    636      University.
    637      (CVE-2015-0291)
    638      [Stephen Henson and Matt Caswell]
    640   *) Multiblock corrupted pointer fix
    642      OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
    643      feature only applies on 64 bit x86 architecture platforms that support AES
    644      NI instructions. A defect in the implementation of "multiblock" can cause
    645      OpenSSL's internal write buffer to become incorrectly set to NULL when
    646      using non-blocking IO. Typically, when the user application is using a
    647      socket BIO for writing, this will only result in a failed connection.
    648      However if some other BIO is used then it is likely that a segmentation
    649      fault will be triggered, thus enabling a potential DoS attack.
    651      This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
    652      (CVE-2015-0290)
    653      [Matt Caswell]
    655   *) Segmentation fault in DTLSv1_listen fix
    657      The DTLSv1_listen function is intended to be stateless and processes the
    658      initial ClientHello from many peers. It is common for user code to loop
    659      over the call to DTLSv1_listen until a valid ClientHello is received with
    660      an associated cookie. A defect in the implementation of DTLSv1_listen means
    661      that state is preserved in the SSL object from one invocation to the next
    662      that can lead to a segmentation fault. Errors processing the initial
    663      ClientHello can trigger this scenario. An example of such an error could be
    664      that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
    665      server.
    667      This issue was reported to OpenSSL by Per Allansson.
    668      (CVE-2015-0207)
    669      [Matt Caswell]
    671   *) Segmentation fault in ASN1_TYPE_cmp fix
    673      The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
    674      made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
    675      certificate signature algorithm consistency this can be used to crash any
    676      certificate verification operation and exploited in a DoS attack. Any
    677      application which performs certificate verification is vulnerable including
    678      OpenSSL clients and servers which enable client authentication.
    679      (CVE-2015-0286)
    680      [Stephen Henson]
    682   *) Segmentation fault for invalid PSS parameters fix
    684      The signature verification routines will crash with a NULL pointer
    685      dereference if presented with an ASN.1 signature using the RSA PSS
    686      algorithm and invalid parameters. Since these routines are used to verify
    687      certificate signature algorithms this can be used to crash any
    688      certificate verification operation and exploited in a DoS attack. Any
    689      application which performs certificate verification is vulnerable including
    690      OpenSSL clients and servers which enable client authentication.
    692      This issue was was reported to OpenSSL by Brian Carpenter.
    693      (CVE-2015-0208)
    694      [Stephen Henson]
    696   *) ASN.1 structure reuse memory corruption fix
    698      Reusing a structure in ASN.1 parsing may allow an attacker to cause
    699      memory corruption via an invalid write. Such reuse is and has been
    700      strongly discouraged and is believed to be rare.
    702      Applications that parse structures containing CHOICE or ANY DEFINED BY
    703      components may be affected. Certificate parsing (d2i_X509 and related
    704      functions) are however not affected. OpenSSL clients and servers are
    705      not affected.
    706      (CVE-2015-0287)
    707      [Stephen Henson]
    709   *) PKCS7 NULL pointer dereferences fix
    711      The PKCS#7 parsing code does not handle missing outer ContentInfo
    712      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
    713      missing content and trigger a NULL pointer dereference on parsing.
    715      Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
    716      otherwise parse PKCS#7 structures from untrusted sources are
    717      affected. OpenSSL clients and servers are not affected.
    719      This issue was reported to OpenSSL by Michal Zalewski (Google).
    720      (CVE-2015-0289)
    721      [Emilia Ksper]
    723   *) DoS via reachable assert in SSLv2 servers fix
    725      A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
    726      servers that both support SSLv2 and enable export cipher suites by sending
    727      a specially crafted SSLv2 CLIENT-MASTER-KEY message.
    729      This issue was discovered by Sean Burford (Google) and Emilia Ksper
    730      (OpenSSL development team).
    731      (CVE-2015-0293)
    732      [Emilia Ksper]
    734   *) Empty CKE with client auth and DHE fix
    736      If client auth is used then a server can seg fault in the event of a DHE
    737      ciphersuite being selected and a zero length ClientKeyExchange message
    738      being sent by the client. This could be exploited in a DoS attack.
    739      (CVE-2015-1787)
    740      [Matt Caswell]
    742   *) Handshake with unseeded PRNG fix
    744      Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
    745      with an unseeded PRNG. The conditions are:
    746      - The client is on a platform where the PRNG has not been seeded
    747      automatically, and the user has not seeded manually
    748      - A protocol specific client method version has been used (i.e. not
    749      SSL_client_methodv23)
    750      - A ciphersuite is used that does not require additional random data from
    751      the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
    753      If the handshake succeeds then the client random that has been used will
    754      have been generated from a PRNG with insufficient entropy and therefore the
    755      output may be predictable.
    757      For example using the following command with an unseeded openssl will
    758      succeed on an unpatched platform:
    760      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
    761      (CVE-2015-0285)
    762      [Matt Caswell]
    764   *) Use After Free following d2i_ECPrivatekey error fix
    766      A malformed EC private key file consumed via the d2i_ECPrivateKey function
    767      could cause a use after free condition. This, in turn, could cause a double
    768      free in several private key parsing functions (such as d2i_PrivateKey
    769      or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
    770      for applications that receive EC private keys from untrusted
    771      sources. This scenario is considered rare.
    773      This issue was discovered by the BoringSSL project and fixed in their
    774      commit 517073cd4b.
    775      (CVE-2015-0209)
    776      [Matt Caswell]
    778   *) X509_to_X509_REQ NULL pointer deref fix
    780      The function X509_to_X509_REQ will crash with a NULL pointer dereference if
    781      the certificate key is invalid. This function is rarely used in practice.
    783      This issue was discovered by Brian Carpenter.
    784      (CVE-2015-0288)
    785      [Stephen Henson]
    787   *) Removed the export ciphers from the DEFAULT ciphers
    788      [Kurt Roeckx]
    790  Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
    792   *) Change RSA and DH/DSA key generation apps to generate 2048-bit
    793      keys by default.
    794      [Kurt Roeckx]
    796   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
    797      ARMv5 through ARMv8, as opposite to "locking" it to single one.
    798      So far those who have to target multiple plaforms would compromise
    799      and argue that binary targeting say ARMv5 would still execute on
    800      ARMv8. "Universal" build resolves this compromise by providing
    801      near-optimal performance even on newer platforms.
    802      [Andy Polyakov]
    804   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
    805      (other platforms pending).
    806      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
    808   *) Add support for the SignedCertificateTimestampList certificate and
    809      OCSP response extensions from RFC6962.
    810      [Rob Stradling]
    812   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
    813      for corner cases. (Certain input points at infinity could lead to
    814      bogus results, with non-infinity inputs mapped to infinity too.)
    815      [Bodo Moeller]
    817   *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
    818      This covers AES, SHA256/512 and GHASH. "Initial" means that most
    819      common cases are optimized and there still is room for further
    820      improvements. Vector Permutation AES for Altivec is also added.
    821      [Andy Polyakov]
    823   *) Add support for little-endian ppc64 Linux target.
    824      [Marcelo Cerri (IBM)]
    826   *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
    827      SHA1, SHA256 and GHASH. "Initial" means that most common cases
    828      are optimized and there still is room for further improvements.
    829      Both 32- and 64-bit modes are supported.
    830      [Andy Polyakov, Ard Biesheuvel (Linaro)]
    832   *) Improved ARMv7 NEON support.
    833      [Andy Polyakov]
    835   *) Support for SPARC Architecture 2011 crypto extensions, first
    836      implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
    837      SHA256/512, MD5, GHASH and modular exponentiation.
    838      [Andy Polyakov, David Miller]
    840   *) Accelerated modular exponentiation for Intel processors, a.k.a.
    841      RSAZ.
    842      [Shay Gueron & Vlad Krasnov (Intel Corp)]
    844   *) Support for new and upcoming Intel processors, including AVX2,
    845      BMI and SHA ISA extensions. This includes additional "stitched"
    846      implementations, AESNI-SHA256 and GCM, and multi-buffer support
    847      for TLS encrypt.
    849      This work was sponsored by Intel Corp.
    850      [Andy Polyakov]
    852   *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
    853      supports both DTLS 1.2 and 1.0 and should use whatever version the peer
    854      supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
    855      [Steve Henson]
    857   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
    858      this fixes a limiation in previous versions of OpenSSL.
    859      [Steve Henson]
    861   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
    862      MGF1 digest and OAEP label.
    863      [Steve Henson]
    865   *) Add EVP support for key wrapping algorithms, to avoid problems with
    866      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
    867      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
    868      algorithms and include tests cases.
    869      [Steve Henson]
    871   *) Add functions to allocate and set the fields of an ECDSA_METHOD
    872      structure.
    873      [Douglas E. Engert, Steve Henson]
    875   *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
    876      difference in days and seconds between two tm or ASN1_TIME structures.
    877      [Steve Henson]
    879   *) Add -rev test option to s_server to just reverse order of characters
    880      received by client and send back to server. Also prints an abbreviated
    881      summary of the connection parameters.
    882      [Steve Henson]
    884   *) New option -brief for s_client and s_server to print out a brief summary
    885      of connection parameters.
    886      [Steve Henson]
    888   *) Add callbacks for arbitrary TLS extensions.
    889      [Trevor Perrin <trevp (a] trevp.net> and Ben Laurie]
    891   *) New option -crl_download in several openssl utilities to download CRLs
    892      from CRLDP extension in certificates.
    893      [Steve Henson]
    895   *) New options -CRL and -CRLform for s_client and s_server for CRLs.
    896      [Steve Henson]
    898   *) New function X509_CRL_diff to generate a delta CRL from the difference
    899      of two full CRLs. Add support to "crl" utility.
    900      [Steve Henson]
    902   *) New functions to set lookup_crls function and to retrieve
    903      X509_STORE from X509_STORE_CTX.
    904      [Steve Henson]
    906   *) Print out deprecated issuer and subject unique ID fields in
    907      certificates.
    908      [Steve Henson]
    910   *) Extend OCSP I/O functions so they can be used for simple general purpose
    911      HTTP as well as OCSP. New wrapper function which can be used to download
    912      CRLs using the OCSP API.
    913      [Steve Henson]
    915   *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
    916      [Steve Henson]
    918   *) SSL_CONF* functions. These provide a common framework for application
    919      configuration using configuration files or command lines.
    920      [Steve Henson]
    922   *) SSL/TLS tracing code. This parses out SSL/TLS records using the
    923      message callback and prints the results. Needs compile time option
    924      "enable-ssl-trace". New options to s_client and s_server to enable
    925      tracing.
    926      [Steve Henson]
    928   *) New ctrl and macro to retrieve supported points extensions.
    929      Print out extension in s_server and s_client.
    930      [Steve Henson]
    932   *) New functions to retrieve certificate signature and signature
    933      OID NID.
    934      [Steve Henson]
    936   *) Add functions to retrieve and manipulate the raw cipherlist sent by a
    937      client to OpenSSL.
    938      [Steve Henson]
    940   *) New Suite B modes for TLS code. These use and enforce the requirements
    941      of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
    942      only use Suite B curves. The Suite B modes can be set by using the
    943      strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
    944      [Steve Henson]
    946   *) New chain verification flags for Suite B levels of security. Check
    947      algorithms are acceptable when flags are set in X509_verify_cert.
    948      [Steve Henson]
    950   *) Make tls1_check_chain return a set of flags indicating checks passed
    951      by a certificate chain. Add additional tests to handle client
    952      certificates: checks for matching certificate type and issuer name
    953      comparison.
    954      [Steve Henson]
    956   *) If an attempt is made to use a signature algorithm not in the peer
    957      preference list abort the handshake. If client has no suitable
    958      signature algorithms in response to a certificate request do not
    959      use the certificate.
    960      [Steve Henson]
    962   *) If server EC tmp key is not in client preference list abort handshake.
    963      [Steve Henson]
    965   *) Add support for certificate stores in CERT structure. This makes it
    966      possible to have different stores per SSL structure or one store in
    967      the parent SSL_CTX. Include distint stores for certificate chain
    968      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
    969      to build and store a certificate chain in CERT structure: returing
    970      an error if the chain cannot be built: this will allow applications
    971      to test if a chain is correctly configured.
    973      Note: if the CERT based stores are not set then the parent SSL_CTX
    974      store is used to retain compatibility with existing behaviour.
    976      [Steve Henson]
    978   *) New function ssl_set_client_disabled to set a ciphersuite disabled
    979      mask based on the current session, check mask when sending client
    980      hello and checking the requested ciphersuite.
    981      [Steve Henson]
    983   *) New ctrls to retrieve and set certificate types in a certificate
    984      request message. Print out received values in s_client. If certificate
    985      types is not set with custom values set sensible values based on
    986      supported signature algorithms.
    987      [Steve Henson]
    989   *) Support for distinct client and server supported signature algorithms.
    990      [Steve Henson]
    992   *) Add certificate callback. If set this is called whenever a certificate
    993      is required by client or server. An application can decide which
    994      certificate chain to present based on arbitrary criteria: for example
    995      supported signature algorithms. Add very simple example to s_server.
    996      This fixes many of the problems and restrictions of the existing client
    997      certificate callback: for example you can now clear an existing
    998      certificate and specify the whole chain.
    999      [Steve Henson]
   1001   *) Add new "valid_flags" field to CERT_PKEY structure which determines what
   1002      the certificate can be used for (if anything). Set valid_flags field 
   1003      in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
   1004      to have similar checks in it.
   1006      Add new "cert_flags" field to CERT structure and include a "strict mode".
   1007      This enforces some TLS certificate requirements (such as only permitting
   1008      certificate signature algorithms contained in the supported algorithms
   1009      extension) which some implementations ignore: this option should be used
   1010      with caution as it could cause interoperability issues.
   1011      [Steve Henson]
   1013   *) Update and tidy signature algorithm extension processing. Work out
   1014      shared signature algorithms based on preferences and peer algorithms
   1015      and print them out in s_client and s_server. Abort handshake if no
   1016      shared signature algorithms.
   1017      [Steve Henson]
   1019   *) Add new functions to allow customised supported signature algorithms
   1020      for SSL and SSL_CTX structures. Add options to s_client and s_server
   1021      to support them.
   1022      [Steve Henson]
   1024   *) New function SSL_certs_clear() to delete all references to certificates
   1025      from an SSL structure. Before this once a certificate had been added
   1026      it couldn't be removed.
   1027      [Steve Henson]
   1029   *) Integrate hostname, email address and IP address checking with certificate
   1030      verification. New verify options supporting checking in opensl utility.
   1031      [Steve Henson]
   1033   *) Fixes and wildcard matching support to hostname and email checking
   1034      functions. Add manual page.
   1035      [Florian Weimer (Red Hat Product Security Team)]
   1037   *) New functions to check a hostname email or IP address against a
   1038      certificate. Add options x509 utility to print results of checks against
   1039      a certificate.
   1040      [Steve Henson]
   1042   *) Fix OCSP checking.
   1043      [Rob Stradling <rob.stradling (a] comodo.com> and Ben Laurie]
   1045   *) Initial experimental support for explicitly trusted non-root CAs. 
   1046      OpenSSL still tries to build a complete chain to a root but if an
   1047      intermediate CA has a trust setting included that is used. The first
   1048      setting is used: whether to trust (e.g., -addtrust option to the x509
   1049      utility) or reject.
   1050      [Steve Henson]
   1052   *) Add -trusted_first option which attempts to find certificates in the
   1053      trusted store even if an untrusted chain is also supplied.
   1054      [Steve Henson]
   1056   *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
   1057      platform support for Linux and Android.
   1058      [Andy Polyakov]
   1060   *) Support for linux-x32, ILP32 environment in x86_64 framework.
   1061      [Andy Polyakov]
   1063   *) Experimental multi-implementation support for FIPS capable OpenSSL.
   1064      When in FIPS mode the approved implementations are used as normal,
   1065      when not in FIPS mode the internal unapproved versions are used instead.
   1066      This means that the FIPS capable OpenSSL isn't forced to use the
   1067      (often lower perfomance) FIPS implementations outside FIPS mode.
   1068      [Steve Henson]
   1070   *) Transparently support X9.42 DH parameters when calling
   1071      PEM_read_bio_DHparameters. This means existing applications can handle
   1072      the new parameter format automatically.
   1073      [Steve Henson]
   1075   *) Initial experimental support for X9.42 DH parameter format: mainly
   1076      to support use of 'q' parameter for RFC5114 parameters.
   1077      [Steve Henson]
   1079   *) Add DH parameters from RFC5114 including test data to dhtest.
   1080      [Steve Henson]
   1082   *) Support for automatic EC temporary key parameter selection. If enabled
   1083      the most preferred EC parameters are automatically used instead of
   1084      hardcoded fixed parameters. Now a server just has to call:
   1085      SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
   1086      support ECDH and use the most appropriate parameters.
   1087      [Steve Henson]
   1089   *) Enhance and tidy EC curve and point format TLS extension code. Use
   1090      static structures instead of allocation if default values are used.
   1091      New ctrls to set curves we wish to support and to retrieve shared curves.
   1092      Print out shared curves in s_server. New options to s_server and s_client
   1093      to set list of supported curves.
   1094      [Steve Henson]
   1096   *) New ctrls to retrieve supported signature algorithms and 
   1097      supported curve values as an array of NIDs. Extend openssl utility
   1098      to print out received values.
   1099      [Steve Henson]
   1101   *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
   1102      between NIDs and the more common NIST names such as "P-256". Enhance
   1103      ecparam utility and ECC method to recognise the NIST names for curves.
   1104      [Steve Henson]
   1106   *) Enhance SSL/TLS certificate chain handling to support different
   1107      chains for each certificate instead of one chain in the parent SSL_CTX.
   1108      [Steve Henson]
   1110   *) Support for fixed DH ciphersuite client authentication: where both
   1111      server and client use DH certificates with common parameters.
   1112      [Steve Henson]
   1114   *) Support for fixed DH ciphersuites: those requiring DH server
   1115      certificates.
   1116      [Steve Henson]
   1118   *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
   1119      the certificate.
   1120      Note: Related 1.0.2-beta specific macros X509_get_cert_info,
   1121      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
   1122      X509_CINF_get_signature were reverted post internal team review.
   1124  Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
   1126   *) Build fixes for the Windows and OpenVMS platforms
   1127      [Matt Caswell and Richard Levitte]
   1129  Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
   1131   *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
   1132      message can cause a segmentation fault in OpenSSL due to a NULL pointer
   1133      dereference. This could lead to a Denial Of Service attack. Thanks to
   1134      Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
   1135      (CVE-2014-3571)
   1136      [Steve Henson]
   1138   *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
   1139      dtls1_buffer_record function under certain conditions. In particular this
   1140      could occur if an attacker sent repeated DTLS records with the same
   1141      sequence number but for the next epoch. The memory leak could be exploited
   1142      by an attacker in a Denial of Service attack through memory exhaustion.
   1143      Thanks to Chris Mueller for reporting this issue.
   1144      (CVE-2015-0206)
   1145      [Matt Caswell]
   1147   *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
   1148      built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
   1149      method would be set to NULL which could later result in a NULL pointer
   1150      dereference. Thanks to Frank Schmirler for reporting this issue.
   1151      (CVE-2014-3569)
   1152      [Kurt Roeckx]
   1154   *) Abort handshake if server key exchange message is omitted for ephemeral
   1155      ECDH ciphersuites.
   1157      Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
   1158      reporting this issue.
   1159      (CVE-2014-3572)
   1160      [Steve Henson]
   1162   *) Remove non-export ephemeral RSA code on client and server. This code
   1163      violated the TLS standard by allowing the use of temporary RSA keys in
   1164      non-export ciphersuites and could be used by a server to effectively
   1165      downgrade the RSA key length used to a value smaller than the server
   1166      certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
   1167      INRIA or reporting this issue.
   1168      (CVE-2015-0204)
   1169      [Steve Henson]
   1171   *) Fixed issue where DH client certificates are accepted without verification.
   1172      An OpenSSL server will accept a DH certificate for client authentication
   1173      without the certificate verify message. This effectively allows a client to
   1174      authenticate without the use of a private key. This only affects servers
   1175      which trust a client certificate authority which issues certificates
   1176      containing DH keys: these are extremely rare and hardly ever encountered.
   1177      Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
   1178      this issue.
   1179      (CVE-2015-0205)
   1180      [Steve Henson]
   1182   *) Ensure that the session ID context of an SSL is updated when its
   1183      SSL_CTX is updated via SSL_set_SSL_CTX.
   1185      The session ID context is typically set from the parent SSL_CTX,
   1186      and can vary with the CTX.
   1187      [Adam Langley]
   1189   *) Fix various certificate fingerprint issues.
   1191      By using non-DER or invalid encodings outside the signed portion of a
   1192      certificate the fingerprint can be changed without breaking the signature.
   1193      Although no details of the signed portion of the certificate can be changed
   1194      this can cause problems with some applications: e.g. those using the
   1195      certificate fingerprint for blacklists.
   1197      1. Reject signatures with non zero unused bits.
   1199      If the BIT STRING containing the signature has non zero unused bits reject
   1200      the signature. All current signature algorithms require zero unused bits.
   1202      2. Check certificate algorithm consistency.
   1204      Check the AlgorithmIdentifier inside TBS matches the one in the
   1205      certificate signature. NB: this will result in signature failure
   1206      errors for some broken certificates.
   1208      Thanks to Konrad Kraszewski from Google for reporting this issue.
   1210      3. Check DSA/ECDSA signatures use DER.
   1212      Reencode DSA/ECDSA signatures and compare with the original received
   1213      signature. Return an error if there is a mismatch.
   1215      This will reject various cases including garbage after signature
   1216      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
   1217      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
   1218      (negative or with leading zeroes).
   1220      Further analysis was conducted and fixes were developed by Stephen Henson
   1221      of the OpenSSL core team.
   1223      (CVE-2014-8275)
   1224      [Steve Henson]
   1226    *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
   1227       results on some platforms, including x86_64. This bug occurs at random
   1228       with a very low probability, and is not known to be exploitable in any
   1229       way, though its exact impact is difficult to determine. Thanks to Pieter
   1230       Wuille (Blockstream) who reported this issue and also suggested an initial
   1231       fix. Further analysis was conducted by the OpenSSL development team and
   1232       Adam Langley of Google. The final fix was developed by Andy Polyakov of
   1233       the OpenSSL core team.
   1234       (CVE-2014-3570)
   1235       [Andy Polyakov]
   1237    *) Do not resume sessions on the server if the negotiated protocol
   1238       version does not match the session's version. Resuming with a different
   1239       version, while not strictly forbidden by the RFC, is of questionable
   1240       sanity and breaks all known clients.
   1241       [David Benjamin, Emilia Ksper]
   1243    *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
   1244       early CCS messages during renegotiation. (Note that because
   1245       renegotiation is encrypted, this early CCS was not exploitable.)
   1246       [Emilia Ksper]
   1248    *) Tighten client-side session ticket handling during renegotiation:
   1249       ensure that the client only accepts a session ticket if the server sends
   1250       the extension anew in the ServerHello. Previously, a TLS client would
   1251       reuse the old extension state and thus accept a session ticket if one was
   1252       announced in the initial ServerHello.
   1254       Similarly, ensure that the client requires a session ticket if one
   1255       was advertised in the ServerHello. Previously, a TLS client would
   1256       ignore a missing NewSessionTicket message.
   1257       [Emilia Ksper]
   1259  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
   1261   *) SRTP Memory Leak.
   1263      A flaw in the DTLS SRTP extension parsing code allows an attacker, who
   1264      sends a carefully crafted handshake message, to cause OpenSSL to fail
   1265      to free up to 64k of memory causing a memory leak. This could be
   1266      exploited in a Denial Of Service attack. This issue affects OpenSSL
   1267      1.0.1 server implementations for both SSL/TLS and DTLS regardless of
   1268      whether SRTP is used or configured. Implementations of OpenSSL that
   1269      have been compiled with OPENSSL_NO_SRTP defined are not affected.
   1271      The fix was developed by the OpenSSL team.
   1272      (CVE-2014-3513)
   1273      [OpenSSL team]
   1275   *) Session Ticket Memory Leak.
   1277      When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
   1278      integrity of that ticket is first verified. In the event of a session
   1279      ticket integrity check failing, OpenSSL will fail to free memory
   1280      causing a memory leak. By sending a large number of invalid session
   1281      tickets an attacker could exploit this issue in a Denial Of Service
   1282      attack.
   1283      (CVE-2014-3567)
   1284      [Steve Henson]
   1286   *) Build option no-ssl3 is incomplete.
   1288      When OpenSSL is configured with "no-ssl3" as a build option, servers
   1289      could accept and complete a SSL 3.0 handshake, and clients could be
   1290      configured to send them.
   1291      (CVE-2014-3568)
   1292      [Akamai and the OpenSSL team]
   1294   *) Add support for TLS_FALLBACK_SCSV.
   1295      Client applications doing fallback retries should call
   1296      SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
   1297      (CVE-2014-3566)
   1298      [Adam Langley, Bodo Moeller]
   1300   *) Add additional DigestInfo checks.
   1302      Reencode DigestInto in DER and check against the original when
   1303      verifying RSA signature: this will reject any improperly encoded
   1304      DigestInfo structures.
   1306      Note: this is a precautionary measure and no attacks are currently known.
   1308      [Steve Henson]
   1310  Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
   1312   *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
   1313      SRP code can be overrun an internal buffer. Add sanity check that
   1314      g, A, B < N to SRP code.
   1316      Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
   1317      Group for discovering this issue.
   1318      (CVE-2014-3512)
   1319      [Steve Henson]
   1321   *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
   1322      TLS 1.0 instead of higher protocol versions when the ClientHello message
   1323      is badly fragmented. This allows a man-in-the-middle attacker to force a
   1324      downgrade to TLS 1.0 even if both the server and the client support a
   1325      higher protocol version, by modifying the client's TLS records.
   1327      Thanks to David Benjamin and Adam Langley (Google) for discovering and
   1328      researching this issue.
   1329      (CVE-2014-3511)
   1330      [David Benjamin]
   1332   *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
   1333      to a denial of service attack. A malicious server can crash the client
   1334      with a null pointer dereference (read) by specifying an anonymous (EC)DH
   1335      ciphersuite and sending carefully crafted handshake messages.
   1337      Thanks to Felix Grbert (Google) for discovering and researching this
   1338      issue.
   1339      (CVE-2014-3510)
   1340      [Emilia Ksper]
   1342   *) By sending carefully crafted DTLS packets an attacker could cause openssl
   1343      to leak memory. This can be exploited through a Denial of Service attack.
   1344      Thanks to Adam Langley for discovering and researching this issue.
   1345      (CVE-2014-3507)
   1346      [Adam Langley]
   1348   *) An attacker can force openssl to consume large amounts of memory whilst
   1349      processing DTLS handshake messages. This can be exploited through a
   1350      Denial of Service attack.
   1351      Thanks to Adam Langley for discovering and researching this issue.
   1352      (CVE-2014-3506)
   1353      [Adam Langley]
   1355   *) An attacker can force an error condition which causes openssl to crash
   1356      whilst processing DTLS packets due to memory being freed twice. This
   1357      can be exploited through a Denial of Service attack.
   1358      Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
   1359      this issue.
   1360      (CVE-2014-3505)
   1361      [Adam Langley]
   1363   *) If a multithreaded client connects to a malicious server using a resumed
   1364      session and the server sends an ec point format extension it could write
   1365      up to 255 bytes to freed memory.
   1367      Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
   1368      issue.
   1369      (CVE-2014-3509)
   1370      [Gabor Tyukasz]
   1372   *) A malicious server can crash an OpenSSL client with a null pointer
   1373      dereference (read) by specifying an SRP ciphersuite even though it was not
   1374      properly negotiated with the client. This can be exploited through a
   1375      Denial of Service attack.
   1377      Thanks to Joonas Kuorilehto and Riku Hietamki (Codenomicon) for
   1378      discovering and researching this issue.
   1379      (CVE-2014-5139)
   1380      [Steve Henson]
   1382   *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
   1383      X509_name_oneline, X509_name_print_ex et al. to leak some information
   1384      from the stack. Applications may be affected if they echo pretty printing
   1385      output to the attacker.
   1387      Thanks to Ivan Fratric (Google) for discovering this issue.
   1388      (CVE-2014-3508)
   1389      [Emilia Ksper, and Steve Henson]
   1391   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
   1392      for corner cases. (Certain input points at infinity could lead to
   1393      bogus results, with non-infinity inputs mapped to infinity too.)
   1394      [Bodo Moeller]
   1396  Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
   1398   *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
   1399      handshake can force the use of weak keying material in OpenSSL
   1400      SSL/TLS clients and servers.
   1402      Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
   1403      researching this issue. (CVE-2014-0224)
   1404      [KIKUCHI Masashi, Steve Henson]
   1406   *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
   1407      OpenSSL DTLS client the code can be made to recurse eventually crashing
   1408      in a DoS attack.
   1410      Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
   1411      (CVE-2014-0221)
   1412      [Imre Rad, Steve Henson]
   1414   *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
   1415      be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
   1416      client or server. This is potentially exploitable to run arbitrary
   1417      code on a vulnerable client or server.
   1419      Thanks to Jri Aedla for reporting this issue. (CVE-2014-0195)
   1420      [Jri Aedla, Steve Henson]
   1422   *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
   1423      are subject to a denial of service attack.
   1425      Thanks to Felix Grbert and Ivan Fratric at Google for discovering
   1426      this issue. (CVE-2014-3470)
   1427      [Felix Grbert, Ivan Fratric, Steve Henson]
   1429   *) Harmonize version and its documentation. -f flag is used to display
   1430      compilation flags.
   1431      [mancha <mancha1 (a] zoho.com>]
   1433   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
   1434      in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
   1435      [mancha <mancha1 (a] zoho.com>]
   1437   *) Fix some double frees. These are not thought to be exploitable.
   1438      [mancha <mancha1 (a] zoho.com>]
   1440  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
   1442   *) A missing bounds check in the handling of the TLS heartbeat extension
   1443      can be used to reveal up to 64k of memory to a connected client or
   1444      server.
   1446      Thanks for Neel Mehta of Google Security for discovering this bug and to
   1447      Adam Langley <agl (a] chromium.org> and Bodo Moeller <bmoeller (a] acm.org> for
   1448      preparing the fix (CVE-2014-0160)
   1449      [Adam Langley, Bodo Moeller]
   1451   *) Fix for the attack described in the paper "Recovering OpenSSL
   1452      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
   1453      by Yuval Yarom and Naomi Benger. Details can be obtained from:
   1454      http://eprint.iacr.org/2014/140
   1456      Thanks to Yuval Yarom and Naomi Benger for discovering this
   1457      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
   1458      [Yuval Yarom and Naomi Benger]
   1460   *) TLS pad extension: draft-agl-tls-padding-03
   1462      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
   1463      TLS client Hello record length value would otherwise be > 255 and
   1464      less that 512 pad with a dummy extension containing zeroes so it
   1465      is at least 512 bytes long.
   1467      [Adam Langley, Steve Henson]
   1469  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
   1471   *) Fix for TLS record tampering bug. A carefully crafted invalid 
   1472      handshake could crash OpenSSL with a NULL pointer exception.
   1473      Thanks to Anton Johansson for reporting this issues.
   1474      (CVE-2013-4353)
   1476   *) Keep original DTLS digest and encryption contexts in retransmission
   1477      structures so we can use the previous session parameters if they need
   1478      to be resent. (CVE-2013-6450)
   1479      [Steve Henson]
   1481   *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
   1482      avoids preferring ECDHE-ECDSA ciphers when the client appears to be
   1483      Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
   1484      several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
   1485      is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
   1486      10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
   1487      [Rob Stradling, Adam Langley]
   1489  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
   1491   *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
   1492      supporting platforms or when small records were transferred.
   1493      [Andy Polyakov, Steve Henson]
   1495  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
   1497   *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
   1499      This addresses the flaw in CBC record processing discovered by 
   1500      Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
   1501      at: http://www.isg.rhul.ac.uk/tls/     
   1503      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   1504      Security Group at Royal Holloway, University of London
   1505      (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
   1506      Emilia Ksper for the initial patch.
   1507      (CVE-2013-0169)
   1508      [Emilia Ksper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
   1510   *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
   1511      ciphersuites which can be exploited in a denial of service attack.
   1512      Thanks go to and to Adam Langley <agl (a] chromium.org> for discovering
   1513      and detecting this bug and to Wolfgang Ettlinger
   1514      <wolfgang.ettlinger (a] gmail.com> for independently discovering this issue.
   1515      (CVE-2012-2686)
   1516      [Adam Langley]
   1518   *) Return an error when checking OCSP signatures when key is NULL.
   1519      This fixes a DoS attack. (CVE-2013-0166)
   1520      [Steve Henson]
   1522   *) Make openssl verify return errors.
   1523      [Chris Palmer <palmer (a] google.com> and Ben Laurie]
   1525   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
   1526      the right response is stapled. Also change SSL_get_certificate()
   1527      so it returns the certificate actually sent.
   1528      See http://rt.openssl.org/Ticket/Display.html?id=2836.
   1529      [Rob Stradling <rob.stradling (a] comodo.com>]
   1531   *) Fix possible deadlock when decoding public keys.
   1532      [Steve Henson]
   1534   *) Don't use TLS 1.0 record version number in initial client hello
   1535      if renegotiating.
   1536      [Steve Henson]
   1538  Changes between 1.0.1b and 1.0.1c [10 May 2012]
   1540   *) Sanity check record length before skipping explicit IV in TLS
   1541      1.2, 1.1 and DTLS to fix DoS attack.
   1543      Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
   1544      fuzzing as a service testing platform.
   1545      (CVE-2012-2333)
   1546      [Steve Henson]
   1548   *) Initialise tkeylen properly when encrypting CMS messages.
   1549      Thanks to Solar Designer of Openwall for reporting this issue.
   1550      [Steve Henson]
   1552   *) In FIPS mode don't try to use composite ciphers as they are not
   1553      approved.
   1554      [Steve Henson]
   1556  Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
   1558   *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
   1559      1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
   1560      mean any application compiled against OpenSSL 1.0.0 headers setting
   1561      SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
   1562      TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
   1563      0x10000000L Any application which was previously compiled against
   1564      OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
   1565      will need to be recompiled as a result. Letting be results in
   1566      inability to disable specifically TLS 1.1 and in client context,
   1567      in unlike event, limit maximum offered version to TLS 1.0 [see below].
   1568      [Steve Henson]
   1570   *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
   1571      disable just protocol X, but all protocols above X *if* there are
   1572      protocols *below* X still enabled. In more practical terms it means
   1573      that if application wants to disable TLS1.0 in favor of TLS1.1 and
   1574      above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
   1575      SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
   1576      client side.
   1577      [Andy Polyakov]
   1579  Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
   1581   *) Check for potentially exploitable overflows in asn1_d2i_read_bio
   1582      BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
   1583      in CRYPTO_realloc_clean.
   1585      Thanks to Tavis Ormandy, Google Security Team, for discovering this
   1586      issue and to Adam Langley <agl (a] chromium.org> for fixing it.
   1587      (CVE-2012-2110)
   1588      [Adam Langley (Google), Tavis Ormandy, Google Security Team]
   1590   *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
   1591      [Adam Langley]
   1593   *) Workarounds for some broken servers that "hang" if a client hello
   1594      record length exceeds 255 bytes.
   1596      1. Do not use record version number > TLS 1.0 in initial client
   1597         hello: some (but not all) hanging servers will now work.
   1598      2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
   1599 	the number of ciphers sent in the client hello. This should be
   1600         set to an even number, such as 50, for example by passing:
   1601         -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
   1602         Most broken servers should now work.
   1603      3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
   1604 	TLS 1.2 client support entirely.
   1605      [Steve Henson]
   1607   *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
   1608      [Andy Polyakov]
   1610  Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
   1612   *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
   1613      STRING form instead of a DigestInfo.
   1614      [Steve Henson]
   1616   *) The format used for MDC2 RSA signatures is inconsistent between EVP
   1617      and the RSA_sign/RSA_verify functions. This was made more apparent when
   1618      OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
   1619      those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect 
   1620      the correct format in RSA_verify so both forms transparently work.
   1621      [Steve Henson]
   1623   *) Some servers which support TLS 1.0 can choke if we initially indicate
   1624      support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
   1625      encrypted premaster secret. As a workaround use the maximum pemitted
   1626      client version in client hello, this should keep such servers happy
   1627      and still work with previous versions of OpenSSL.
   1628      [Steve Henson]
   1630   *) Add support for TLS/DTLS heartbeats.
   1631      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1633   *) Add support for SCTP.
   1634      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1636   *) Improved PRNG seeding for VOS.
   1637      [Paul Green <Paul.Green (a] stratus.com>]
   1639   *) Extensive assembler packs updates, most notably:
   1641 	- x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
   1642 	- x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
   1643 	- x86_64:       bit-sliced AES implementation;
   1644 	- ARM:          NEON support, contemporary platforms optimizations;
   1645 	- s390x:        z196 support;
   1646 	- *:            GHASH and GF(2^m) multiplication implementations;
   1648      [Andy Polyakov]
   1650   *) Make TLS-SRP code conformant with RFC 5054 API cleanup
   1651      (removal of unnecessary code)
   1652      [Peter Sylvester <peter.sylvester (a] edelweb.fr>]
   1654   *) Add TLS key material exporter from RFC 5705.
   1655      [Eric Rescorla]
   1657   *) Add DTLS-SRTP negotiation from RFC 5764.
   1658      [Eric Rescorla]
   1660   *) Add Next Protocol Negotiation,
   1661      http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
   1662      disabled with a no-npn flag to config or Configure. Code donated
   1663      by Google.
   1664      [Adam Langley <agl (a] google.com> and Ben Laurie]
   1666   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
   1667      NIST-P256, NIST-P521, with constant-time single point multiplication on
   1668      typical inputs. Compiler support for the nonstandard type __uint128_t is
   1669      required to use this (present in gcc 4.4 and later, for 64-bit builds).
   1670      Code made available under Apache License version 2.0.
   1672      Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
   1673      line to include this in your build of OpenSSL, and run "make depend" (or
   1674      "make update"). This enables the following EC_METHODs:
   1676          EC_GFp_nistp224_method()
   1677          EC_GFp_nistp256_method()
   1678          EC_GFp_nistp521_method()
   1680      EC_GROUP_new_by_curve_name() will automatically use these (while
   1681      EC_GROUP_new_curve_GFp() currently prefers the more flexible
   1682      implementations).
   1683      [Emilia Ksper, Adam Langley, Bodo Moeller (Google)]
   1685   *) Use type ossl_ssize_t instad of ssize_t which isn't available on
   1686      all platforms. Move ssize_t definition from e_os.h to the public
   1687      header file e_os2.h as it now appears in public header file cms.h
   1688      [Steve Henson]
   1690   *) New -sigopt option to the ca, req and x509 utilities. Additional
   1691      signature parameters can be passed using this option and in
   1692      particular PSS. 
   1693      [Steve Henson]
   1695   *) Add RSA PSS signing function. This will generate and set the
   1696      appropriate AlgorithmIdentifiers for PSS based on those in the
   1697      corresponding EVP_MD_CTX structure. No application support yet.
   1698      [Steve Henson]
   1700   *) Support for companion algorithm specific ASN1 signing routines.
   1701      New function ASN1_item_sign_ctx() signs a pre-initialised
   1702      EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
   1703      the appropriate parameters.
   1704      [Steve Henson]
   1706   *) Add new algorithm specific ASN1 verification initialisation function
   1707      to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
   1708      handling will be the same no matter what EVP_PKEY_METHOD is used.
   1709      Add a PSS handler to support verification of PSS signatures: checked
   1710      against a number of sample certificates.
   1711      [Steve Henson]
   1713   *) Add signature printing for PSS. Add PSS OIDs.
   1714      [Steve Henson, Martin Kaiser <lists (a] kaiser.cx>]
   1716   *) Add algorithm specific signature printing. An individual ASN1 method
   1717      can now print out signatures instead of the standard hex dump. 
   1719      More complex signatures (e.g. PSS) can print out more meaningful
   1720      information. Include DSA version that prints out the signature
   1721      parameters r, s.
   1722      [Steve Henson]
   1724   *) Password based recipient info support for CMS library: implementing
   1725      RFC3211.
   1726      [Steve Henson]
   1728   *) Split password based encryption into PBES2 and PBKDF2 functions. This
   1729      neatly separates the code into cipher and PBE sections and is required
   1730      for some algorithms that split PBES2 into separate pieces (such as
   1731      password based CMS).
   1732      [Steve Henson]
   1734   *) Session-handling fixes:
   1735      - Fix handling of connections that are resuming with a session ID,
   1736        but also support Session Tickets.
   1737      - Fix a bug that suppressed issuing of a new ticket if the client
   1738        presented a ticket with an expired session.
   1739      - Try to set the ticket lifetime hint to something reasonable.
   1740      - Make tickets shorter by excluding irrelevant information.
   1741      - On the client side, don't ignore renewed tickets.
   1742      [Adam Langley, Bodo Moeller (Google)]
   1744   *) Fix PSK session representation.
   1745      [Bodo Moeller]
   1747   *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
   1749      This work was sponsored by Intel.
   1750      [Andy Polyakov]
   1752   *) Add GCM support to TLS library. Some custom code is needed to split
   1753      the IV between the fixed (from PRF) and explicit (from TLS record)
   1754      portions. This adds all GCM ciphersuites supported by RFC5288 and 
   1755      RFC5289. Generalise some AES* cipherstrings to inlclude GCM and
   1756      add a special AESGCM string for GCM only.
   1757      [Steve Henson]
   1759   *) Expand range of ctrls for AES GCM. Permit setting invocation
   1760      field on decrypt and retrieval of invocation field only on encrypt.
   1761      [Steve Henson]
   1763   *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
   1764      As required by RFC5289 these ciphersuites cannot be used if for
   1765      versions of TLS earlier than 1.2.
   1766      [Steve Henson]
   1768   *) For FIPS capable OpenSSL interpret a NULL default public key method
   1769      as unset and return the appopriate default but do *not* set the default.
   1770      This means we can return the appopriate method in applications that
   1771      swicth between FIPS and non-FIPS modes.
   1772      [Steve Henson]
   1774   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
   1775      ENGINE is used then we cannot handle that in the FIPS module so we
   1776      keep original code iff non-FIPS operations are allowed.
   1777      [Steve Henson]
   1779   *) Add -attime option to openssl utilities.
   1780      [Peter Eckersley <pde (a] eff.org>, Ben Laurie and Steve Henson]
   1782   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
   1783      [Steve Henson]
   1785   *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
   1786      FIPS EC methods unconditionally for now.
   1787      [Steve Henson]
   1789   *) New build option no-ec2m to disable characteristic 2 code.
   1790      [Steve Henson]
   1792   *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
   1793      all cases can be covered as some introduce binary incompatibilities.
   1794      [Steve Henson]
   1796   *) Redirect RSA operations to FIPS module including keygen,
   1797      encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
   1798      [Steve Henson]
   1800   *) Add similar low level API blocking to ciphers.
   1801      [Steve Henson]
   1803   *) Low level digest APIs are not approved in FIPS mode: any attempt
   1804      to use these will cause a fatal error. Applications that *really* want
   1805      to use them can use the private_* version instead.
   1806      [Steve Henson]
   1808   *) Redirect cipher operations to FIPS module for FIPS builds. 
   1809      [Steve Henson]
   1811   *) Redirect digest operations to FIPS module for FIPS builds. 
   1812      [Steve Henson]
   1814   *) Update build system to add "fips" flag which will link in fipscanister.o
   1815      for static and shared library builds embedding a signature if needed.
   1816      [Steve Henson]
   1818   *) Output TLS supported curves in preference order instead of numerical
   1819      order. This is currently hardcoded for the highest order curves first.
   1820      This should be configurable so applications can judge speed vs strength.
   1821      [Steve Henson]
   1823   *) Add TLS v1.2 server support for client authentication. 
   1824      [Steve Henson]
   1826   *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
   1827      and enable MD5.
   1828      [Steve Henson]
   1830   *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
   1831      FIPS modules versions.
   1832      [Steve Henson]
   1834   *) Add TLS v1.2 client side support for client authentication. Keep cache
   1835      of handshake records longer as we don't know the hash algorithm to use
   1836      until after the certificate request message is received.
   1837      [Steve Henson]
   1839   *) Initial TLS v1.2 client support. Add a default signature algorithms
   1840      extension including all the algorithms we support. Parse new signature
   1841      format in client key exchange. Relax some ECC signing restrictions for
   1842      TLS v1.2 as indicated in RFC5246.
   1843      [Steve Henson]
   1845   *) Add server support for TLS v1.2 signature algorithms extension. Switch
   1846      to new signature format when needed using client digest preference.
   1847      All server ciphersuites should now work correctly in TLS v1.2. No client
   1848      support yet and no support for client certificates.
   1849      [Steve Henson]
   1851   *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
   1852      to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
   1853      ciphersuites. At present only RSA key exchange ciphersuites work with
   1854      TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
   1855      SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
   1856      and version checking.
   1857      [Steve Henson]
   1859   *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
   1860      with this defined it will not be affected by any changes to ssl internal
   1861      structures. Add several utility functions to allow openssl application
   1862      to work with OPENSSL_NO_SSL_INTERN defined.
   1863      [Steve Henson]
   1865   *) Add SRP support.
   1866      [Tom Wu <tjw (a] cs.stanford.edu> and Ben Laurie]
   1868   *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
   1869      [Steve Henson]
   1871   *) Permit abbreviated handshakes when renegotiating using the function
   1872      SSL_renegotiate_abbreviated().
   1873      [Robin Seggelmann <seggelmann (a] fh-muenster.de>]
   1875   *) Add call to ENGINE_register_all_complete() to
   1876      ENGINE_load_builtin_engines(), so some implementations get used
   1877      automatically instead of needing explicit application support.
   1878      [Steve Henson]
   1880   *) Add support for TLS key exporter as described in RFC5705.
   1881      [Robin Seggelmann <seggelmann (a] fh-muenster.de>, Steve Henson]
   1883   *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
   1884      a few changes are required:
   1886        Add SSL_OP_NO_TLSv1_1 flag.
   1887        Add TLSv1_1 methods.
   1888        Update version checking logic to handle version 1.1.
   1889        Add explicit IV handling (ported from DTLS code).
   1890        Add command line options to s_client/s_server.
   1891      [Steve Henson]
   1893  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
   1895   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
   1896      in CMS and PKCS7 code. When RSA decryption fails use a random key for
   1897      content decryption and always return the same error. Note: this attack
   1898      needs on average 2^20 messages so it only affects automated senders. The
   1899      old behaviour can be reenabled in the CMS code by setting the
   1900      CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
   1901      an MMA defence is not necessary.
   1902      Thanks to Ivan Nestlerode <inestlerode (a] us.ibm.com> for discovering
   1903      this issue. (CVE-2012-0884)
   1904      [Steve Henson]
   1906   *) Fix CVE-2011-4619: make sure we really are receiving a 
   1907      client hello before rejecting multiple SGC restarts. Thanks to
   1908      Ivan Nestlerode <inestlerode (a] us.ibm.com> for discovering this bug.
   1909      [Steve Henson]
   1911  Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
   1913   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
   1914      Thanks to Antonio Martin, Enterprise Secure Access Research and
   1915      Development, Cisco Systems, Inc. for discovering this bug and
   1916      preparing a fix. (CVE-2012-0050)
   1917      [Antonio Martin]
   1919  Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
   1921   *) Nadhem Alfardan and Kenny Paterson have discovered an extension
   1922      of the Vaudenay padding oracle attack on CBC mode encryption
   1923      which enables an efficient plaintext recovery attack against
   1924      the OpenSSL implementation of DTLS. Their attack exploits timing
   1925      differences arising during decryption processing. A research
   1926      paper describing this attack can be found at:
   1927                   http://www.isg.rhul.ac.uk/~kp/dtls.pdf
   1928      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
   1929      Security Group at Royal Holloway, University of London
   1930      (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
   1931      <seggelmann (a] fh-muenster.de> and Michael Tuexen <tuexen (a] fh-muenster.de>
   1932      for preparing the fix. (CVE-2011-4108)
   1933      [Robin Seggelmann, Michael Tuexen]
   1935   *) Clear bytes used for block padding of SSL 3.0 records.
   1936      (CVE-2011-4576)
   1937      [Adam Langley (Google)]
   1939   *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
   1940      Kadianakis <desnacked (a] gmail.com> for discovering this issue and
   1941      Adam Langley for preparing the fix. (CVE-2011-4619)
   1942      [Adam Langley (Google)]
   1944   *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
   1945      [Andrey Kulikov <amdeich (a] gmail.com>]
   1947   *) Prevent malformed RFC3779 data triggering an assertion failure.
   1948      Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
   1949      and Rob Austein <sra (a] hactrn.net> for fixing it. (CVE-2011-4577)
   1950      [Rob Austein <sra (a] hactrn.net>]
   1952   *) Improved PRNG seeding for VOS.
   1953      [Paul Green <Paul.Green (a] stratus.com>]
   1955   *) Fix ssl_ciph.c set-up race.
   1956      [Adam Langley (Google)]
   1958   *) Fix spurious failures in ecdsatest.c.
   1959      [Emilia Ksper (Google)]
   1961   *) Fix the BIO_f_buffer() implementation (which was mixing different
   1962      interpretations of the '..._len' fields).
   1963      [Adam Langley (Google)]
   1965   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
   1966      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
   1967      threads won't reuse the same blinding coefficients.
   1969      This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
   1970      lock to call BN_BLINDING_invert_ex, and avoids one use of
   1971      BN_BLINDING_update for each BN_BLINDING structure (previously,
   1972      the last update always remained unused).
   1973      [Emilia Ksper (Google)]
   1975   *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
   1976      [Bob Buckholz (Google)]
   1978  Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
   1980   *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
   1981      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
   1982      [Kaspar Brand <ossl (a] velox.ch>]
   1984   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
   1985      for multi-threaded use of ECDH. (CVE-2011-3210)
   1986      [Adam Langley (Google)]
   1988   *) Fix x509_name_ex_d2i memory leak on bad inputs.
   1989      [Bodo Moeller]
   1991   *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
   1992      signature public key algorithm by using OID xref utilities instead.
   1993      Before this you could only use some ECC ciphersuites with SHA1 only.
   1994      [Steve Henson]
   1996   *) Add protection against ECDSA timing attacks as mentioned in the paper
   1997      by Billy Bob Brumley and Nicola Tuveri, see:
   1999 	http://eprint.iacr.org/2011/232.pdf
   2001      [Billy Bob Brumley and Nicola Tuveri]
   2003  Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
   2005   *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
   2006      [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
   2008   *) Fix bug in string printing code: if *any* escaping is enabled we must
   2009      escape the escape character (backslash) or the resulting string is
   2010      ambiguous.
   2011      [Steve Henson]
   2013  Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
   2015   *) Disable code workaround for ancient and obsolete Netscape browsers
   2016      and servers: an attacker can use it in a ciphersuite downgrade attack.
   2017      Thanks to Martin Rex for discovering this bug. CVE-2010-4180
   2018      [Steve Henson]
   2020   *) Fixed J-PAKE implementation error, originally discovered by
   2021      Sebastien Martini, further info and confirmation from Stefan
   2022      Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
   2023      [Ben Laurie]
   2025  Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
   2027   *) Fix extension code to avoid race conditions which can result in a buffer
   2028      overrun vulnerability: resumed sessions must not be modified as they can
   2029      be shared by multiple threads. CVE-2010-3864
   2030      [Steve Henson]
   2032   *) Fix WIN32 build system to correctly link an ENGINE directory into
   2033      a DLL. 
   2034      [Steve Henson]
   2036  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
   2038   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
   2039      (CVE-2010-1633)
   2040      [Steve Henson, Peter-Michael Hager <hager (a] dortmund.net>]
   2042  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
   2044   *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
   2045      context. The operation can be customised via the ctrl mechanism in
   2046      case ENGINEs want to include additional functionality.
   2047      [Steve Henson]
   2049   *) Tolerate yet another broken PKCS#8 key format: private key value negative.
   2050      [Steve Henson]
   2052   *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
   2053      output hashes compatible with older versions of OpenSSL.
   2054      [Willy Weisz <weisz (a] vcpc.univie.ac.at>]
   2056   *) Fix compression algorithm handling: if resuming a session use the
   2057      compression algorithm of the resumed session instead of determining
   2058      it from client hello again. Don't allow server to change algorithm.
   2059      [Steve Henson]
   2061   *) Add load_crls() function to apps tidying load_certs() too. Add option
   2062      to verify utility to allow additional CRLs to be included.
   2063      [Steve Henson]
   2065   *) Update OCSP request code to permit adding custom headers to the request:
   2066      some responders need this.
   2067      [Steve Henson]
   2069   *) The function EVP_PKEY_sign() returns <=0 on error: check return code
   2070      correctly.
   2071      [Julia Lawall <julia (a] diku.dk>]
   2073   *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
   2074      needlessly dereferenced structures, used obsolete functions and
   2075      didn't handle all updated verify codes correctly.
   2076      [Steve Henson]
   2078   *) Disable MD2 in the default configuration.
   2079      [Steve Henson]
   2081   *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
   2082      indicate the initial BIO being pushed or popped. This makes it possible
   2083      to determine whether the BIO is the one explicitly called or as a result
   2084      of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
   2085      it handles reference counts correctly and doesn't zero out the I/O bio
   2086      when it is not being explicitly popped. WARNING: applications which
   2087      included workarounds for the old buggy behaviour will need to be modified
   2088      or they could free up already freed BIOs.
   2089      [Steve Henson]
   2091   *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
   2092      renaming to all platforms (within the 0.9.8 branch, this was
   2093      done conditionally on Netware platforms to avoid a name clash).
   2094      [Guenter <lists (a] gknw.net>]
   2096   *) Add ECDHE and PSK support to DTLS.
   2097      [Michael Tuexen <tuexen (a] fh-muenster.de>]
   2099   *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
   2100      be used on C++.
   2101      [Steve Henson]
   2103   *) Add "missing" function EVP_MD_flags() (without this the only way to
   2104      retrieve a digest flags is by accessing the structure directly. Update
   2105      EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
   2106      or cipher is registered as in the "from" argument. Print out all
   2107      registered digests in the dgst usage message instead of manually 
   2108      attempting to work them out.
   2109      [Steve Henson]
   2111   *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
   2112      this allows the use of compression and extensions. Change default cipher
   2113      string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
   2114      by default unless an application cipher string requests it.
   2115      [Steve Henson]
   2117   *) Alter match criteria in PKCS12_parse(). It used to try to use local
   2118      key ids to find matching certificates and keys but some PKCS#12 files
   2119      don't follow the (somewhat unwritten) rules and this strategy fails.
   2120      Now just gather all certificates together and the first private key
   2121      then look for the first certificate that matches the key.
   2122      [Steve Henson]
   2124   *) Support use of registered digest and cipher names for dgst and cipher
   2125      commands instead of having to add each one as a special case. So now
   2126      you can do:
   2128         openssl sha256 foo
   2130      as well as:
   2132         openssl dgst -sha256 foo
   2134      and this works for ENGINE based algorithms too.
   2136      [Steve Henson]
   2138   *) Update Gost ENGINE to support parameter files.
   2139      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2141   *) Support GeneralizedTime in ca utility. 
   2142      [Oliver Martin <oliver (a] volatilevoid.net>, Steve Henson]
   2144   *) Enhance the hash format used for certificate directory links. The new
   2145      form uses the canonical encoding (meaning equivalent names will work
   2146      even if they aren't identical) and uses SHA1 instead of MD5. This form
   2147      is incompatible with the older format and as a result c_rehash should
   2148      be used to rebuild symbolic links.
   2149      [Steve Henson]
   2151   *) Make PKCS#8 the default write format for private keys, replacing the
   2152      traditional format. This form is standardised, more secure and doesn't
   2153      include an implicit MD5 dependency.
   2154      [Steve Henson]
   2156   *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
   2157      committed to OpenSSL should pass this lot as a minimum.
   2158      [Steve Henson]
   2160   *) Add session ticket override functionality for use by EAP-FAST.
   2161      [Jouni Malinen <j (a] w1.fi>]
   2163   *) Modify HMAC functions to return a value. Since these can be implemented
   2164      in an ENGINE errors can occur.
   2165      [Steve Henson]
   2167   *) Type-checked OBJ_bsearch_ex.
   2168      [Ben Laurie]
   2170   *) Type-checked OBJ_bsearch. Also some constification necessitated
   2171      by type-checking.  Still to come: TXT_DB, bsearch(?),
   2172      OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
   2173      CONF_VALUE.
   2174      [Ben Laurie]
   2176   *) New function OPENSSL_gmtime_adj() to add a specific number of days and
   2177      seconds to a tm structure directly, instead of going through OS
   2178      specific date routines. This avoids any issues with OS routines such
   2179      as the year 2038 bug. New *_adj() functions for ASN1 time structures
   2180      and X509_time_adj_ex() to cover the extended range. The existing
   2181      X509_time_adj() is still usable and will no longer have any date issues.
   2182      [Steve Henson]
   2184   *) Delta CRL support. New use deltas option which will attempt to locate
   2185      and search any appropriate delta CRLs available.
   2187      This work was sponsored by Google.
   2188      [Steve Henson]
   2190   *) Support for CRLs partitioned by reason code. Reorganise CRL processing
   2191      code and add additional score elements. Validate alternate CRL paths
   2192      as part of the CRL checking and indicate a new error "CRL path validation
   2193      error" in this case. Applications wanting additional details can use
   2194      the verify callback and check the new "parent" field. If this is not
   2195      NULL CRL path validation is taking place. Existing applications wont
   2196      see this because it requires extended CRL support which is off by
   2197      default.
   2199      This work was sponsored by Google.
   2200      [Steve Henson]
   2202   *) Support for freshest CRL extension.
   2204      This work was sponsored by Google.
   2205      [Steve Henson]
   2207   *) Initial indirect CRL support. Currently only supported in the CRLs
   2208      passed directly and not via lookup. Process certificate issuer
   2209      CRL entry extension and lookup CRL entries by bother issuer name
   2210      and serial number. Check and process CRL issuer entry in IDP extension.
   2212      This work was sponsored by Google.
   2213      [Steve Henson]
   2215   *) Add support for distinct certificate and CRL paths. The CRL issuer
   2216      certificate is validated separately in this case. Only enabled if
   2217      an extended CRL support flag is set: this flag will enable additional
   2218      CRL functionality in future.
   2220      This work was sponsored by Google.
   2221      [Steve Henson]
   2223   *) Add support for policy mappings extension.
   2225      This work was sponsored by Google.
   2226      [Steve Henson]
   2228   *) Fixes to pathlength constraint, self issued certificate handling,
   2229      policy processing to align with RFC3280 and PKITS tests.
   2231      This work was sponsored by Google.
   2232      [Steve Henson]
   2234   *) Support for name constraints certificate extension. DN, email, DNS
   2235      and URI types are currently supported.
   2237      This work was sponsored by Google.
   2238      [Steve Henson]
   2240   *) To cater for systems that provide a pointer-based thread ID rather
   2241      than numeric, deprecate the current numeric thread ID mechanism and
   2242      replace it with a structure and associated callback type. This
   2243      mechanism allows a numeric "hash" to be extracted from a thread ID in
   2244      either case, and on platforms where pointers are larger than 'long',
   2245      mixing is done to help ensure the numeric 'hash' is usable even if it
   2246      can't be guaranteed unique. The default mechanism is to use "&errno"
   2247      as a pointer-based thread ID to distinguish between threads.
   2249      Applications that want to provide their own thread IDs should now use
   2250      CRYPTO_THREADID_set_callback() to register a callback that will call
   2251      either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
   2253      Note that ERR_remove_state() is now deprecated, because it is tied
   2254      to the assumption that thread IDs are numeric.  ERR_remove_state(0)
   2255      to free the current thread's error state should be replaced by
   2256      ERR_remove_thread_state(NULL).
   2258      (This new approach replaces the functions CRYPTO_set_idptr_callback(),
   2259      CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
   2260      OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
   2261      application was previously providing a numeric thread callback that
   2262      was inappropriate for distinguishing threads, then uniqueness might
   2263      have been obtained with &errno that happened immediately in the
   2264      intermediate development versions of OpenSSL; this is no longer the
   2265      case, the numeric thread callback will now override the automatic use
   2266      of &errno.)
   2267      [Geoff Thorpe, with help from Bodo Moeller]
   2269   *) Initial support for different CRL issuing certificates. This covers a
   2270      simple case where the self issued certificates in the chain exist and
   2271      the real CRL issuer is higher in the existing chain.
   2273      This work was sponsored by Google.
   2274      [Steve Henson]
   2276   *) Removed effectively defunct crypto/store from the build.
   2277      [Ben Laurie]
   2279   *) Revamp of STACK to provide stronger type-checking. Still to come:
   2280      TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
   2281      ASN1_STRING, CONF_VALUE.
   2282      [Ben Laurie]
   2284   *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
   2285      RAM on SSL connections.  This option can save about 34k per idle SSL.
   2286      [Nick Mathewson]
   2288   *) Revamp of LHASH to provide stronger type-checking. Still to come:
   2289      STACK, TXT_DB, bsearch, qsort.
   2290      [Ben Laurie]
   2292   *) Initial support for Cryptographic Message Syntax (aka CMS) based
   2293      on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
   2294      support for data, signedData, compressedData, digestedData and
   2295      encryptedData, envelopedData types included. Scripts to check against
   2296      RFC4134 examples draft and interop and consistency checks of many
   2297      content types and variants.
   2298      [Steve Henson]
   2300   *) Add options to enc utility to support use of zlib compression BIO.
   2301      [Steve Henson]
   2303   *) Extend mk1mf to support importing of options and assembly language
   2304      files from Configure script, currently only included in VC-WIN32.
   2305      The assembly language rules can now optionally generate the source
   2306      files from the associated perl scripts.
   2307      [Steve Henson]
   2309   *) Implement remaining functionality needed to support GOST ciphersuites.
   2310      Interop testing has been performed using CryptoPro implementations.
   2311      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2313   *) s390x assembler pack.
   2314      [Andy Polyakov]
   2316   *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
   2317      "family."
   2318      [Andy Polyakov]
   2320   *) Implement Opaque PRF Input TLS extension as specified in
   2321      draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
   2322      official specification yet and no extension type assignment by
   2323      IANA exists, this extension (for now) will have to be explicitly
   2324      enabled when building OpenSSL by providing the extension number
   2325      to use.  For example, specify an option
   2327          -DTLSEXT_TYPE_opaque_prf_input=0x9527
   2329      to the "config" or "Configure" script to enable the extension,
   2330      assuming extension number 0x9527 (which is a completely arbitrary
   2331      and unofficial assignment based on the MD5 hash of the Internet
   2332      Draft).  Note that by doing so, you potentially lose
   2333      interoperability with other TLS implementations since these might
   2334      be using the same extension number for other purposes.
   2336      SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
   2337      opaque PRF input value to use in the handshake.  This will create
   2338      an interal copy of the length-'len' string at 'src', and will
   2339      return non-zero for success.
   2341      To get more control and flexibility, provide a callback function
   2342      by using
   2344           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
   2345           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
   2347      where
   2349           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
   2350           void *arg;
   2352      Callback function 'cb' will be called in handshakes, and is
   2353      expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
   2354      Argument 'arg' is for application purposes (the value as given to
   2355      SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
   2356      be provided to the callback function).  The callback function
   2357      has to return non-zero to report success: usually 1 to use opaque
   2358      PRF input just if possible, or 2 to enforce use of the opaque PRF
   2359      input.  In the latter case, the library will abort the handshake
   2360      if opaque PRF input is not successfully negotiated.
   2362      Arguments 'peerinput' and 'len' given to the callback function
   2363      will always be NULL and 0 in the case of a client.  A server will
   2364      see the client's opaque PRF input through these variables if
   2365      available (NULL and 0 otherwise).  Note that if the server
   2366      provides an opaque PRF input, the length must be the same as the
   2367      length of the client's opaque PRF input.
   2369      Note that the callback function will only be called when creating
   2370      a new session (session resumption can resume whatever was
   2371      previously negotiated), and will not be called in SSL 2.0
   2372      handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
   2373      SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
   2374      for applications that need to enforce opaque PRF input.
   2376      [Bodo Moeller]
   2378   *) Update ssl code to support digests other than SHA1+MD5 for handshake
   2379      MAC. 
   2381      [Victor B. Wagner <vitus (a] cryptocom.ru>]
   2383   *) Add RFC4507 support to OpenSSL. This includes the corrections in
   2384      RFC4507bis. The encrypted ticket format is an encrypted encoded
   2385      SSL_SESSION structure, that way new session features are automatically
   2386      supported.
   2388      If a client application caches session in an SSL_SESSION structure
   2389      support is transparent because tickets are now stored in the encoded
   2390      SSL_SESSION.
   2392      The SSL_CTX structure automatically generates keys for ticket
   2393      protection in servers so again support should be possible
   2394      with no application modification.
   2396      If a client or server wishes to disable RFC4507 support then the option
   2397      SSL_OP_NO_TICKET can be set.
   2399      Add a TLS extension debugging callback to allow the contents of any client
   2400      or server extensions to be examined.
   2402      This work was sponsored by Google.
   2403      [Steve Henson]
   2405   *) Final changes to avoid use of pointer pointer casts in OpenSSL.
   2406      OpenSSL should now compile cleanly on gcc 4.2
   2407      [Peter Hartley <pdh (a] utter.chaos.org.uk>, Steve Henson]
   2409   *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
   2410      support including streaming MAC support: this is required for GOST
   2411      ciphersuite support.
   2412      [Victor B. Wagner <vitus (a] cryptocom.ru>, Steve Henson]
   2414   *) Add option -stream to use PKCS#7 streaming in smime utility. New
   2415      function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
   2416      to output in BER and PEM format.
   2417      [Steve Henson]
   2419   *) Experimental support for use of HMAC via EVP_PKEY interface. This
   2420      allows HMAC to be handled via the EVP_DigestSign*() interface. The
   2421      EVP_PKEY "key" in this case is the HMAC key, potentially allowing
   2422      ENGINE support for HMAC keys which are unextractable. New -mac and
   2423      -macopt options to dgst utility.
   2424      [Steve Henson]
   2426   *) New option -sigopt to dgst utility. Update dgst to use
   2427      EVP_Digest{Sign,Verify}*. These two changes make it possible to use
   2428      alternative signing paramaters such as X9.31 or PSS in the dgst 
   2429      utility.
   2430      [Steve Henson]
   2432   *) Change ssl_cipher_apply_rule(), the internal function that does
   2433      the work each time a ciphersuite string requests enabling
   2434      ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
   2435      removing ("!foo+bar") a class of ciphersuites: Now it maintains
   2436      the order of disabled ciphersuites such that those ciphersuites
   2437      that most recently went from enabled to disabled not only stay
   2438      in order with respect to each other, but also have higher priority
   2439      than other disabled ciphersuites the next time ciphersuites are
   2440      enabled again.
   2442      This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
   2443      the same ciphersuites as with "HIGH" alone, but in a specific
   2444      order where the PSK ciphersuites come first (since they are the
   2445      most recently disabled ciphersuites when "HIGH" is parsed).
   2447      Also, change ssl_create_cipher_list() (using this new
   2448      funcionality) such that between otherwise identical
   2449      cihpersuites, ephemeral ECDH is preferred over ephemeral DH in
   2450      the default order.
   2451      [Bodo Moeller]
   2453   *) Change ssl_create_cipher_list() so that it automatically
   2454      arranges the ciphersuites in reasonable order before starting
   2455      to process the rule string.  Thus, the definition for "DEFAULT"
   2456      (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
   2457      remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
   2458      This makes it much easier to arrive at a reasonable default order
   2459      in applications for which anonymous ciphers are OK (meaning
   2460      that you can't actually use DEFAULT).
   2461      [Bodo Moeller; suggested by Victor Duchovni]
   2463   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
   2464      processing) into multiple integers instead of setting
   2465      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
   2466      "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
   2467      (These masks as well as the individual bit definitions are hidden
   2468      away into the non-exported interface ssl/ssl_locl.h, so this
   2469      change to the definition of the SSL_CIPHER structure shouldn't
   2470      affect applications.)  This give us more bits for each of these
   2471      categories, so there is no longer a need to coagulate AES128 and
   2472      AES256 into a single algorithm bit, and to coagulate Camellia128
   2473      and Camellia256 into a single algorithm bit, which has led to all
   2474      kinds of kludges.
   2476      Thus, among other things, the kludge introduced in 0.9.7m and
   2477      0.9.8e for masking out AES256 independently of AES128 or masking
   2478      out Camellia256 independently of AES256 is not needed here in 0.9.9.
   2480      With the change, we also introduce new ciphersuite aliases that
   2481      so far were missing: "AES128", "AES256", "CAMELLIA128", and
   2482      "CAMELLIA256".
   2483      [Bodo Moeller]
   2485   *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
   2486      Use the leftmost N bytes of the signature input if the input is
   2487      larger than the prime q (with N being the size in bytes of q).
   2488      [Nils Larsch]
   2490   *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
   2491      it yet and it is largely untested.
   2492      [Steve Henson]
   2494   *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
   2495      [Nils Larsch]
   2497   *) Initial incomplete changes to avoid need for function casts in OpenSSL
   2498      some compilers (gcc 4.2 and later) reject their use. Safestack is
   2499      reimplemented.  Update ASN1 to avoid use of legacy functions. 
   2500      [Steve Henson]
   2502   *) Win32/64 targets are linked with Winsock2.
   2503      [Andy Polyakov]
   2505   *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
   2506      to external functions. This can be used to increase CRL handling 
   2507      efficiency especially when CRLs are very large by (for example) storing
   2508      the CRL revoked certificates in a database.
   2509      [Steve Henson]
   2511   *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
   2512      new CRLs added to a directory can be used. New command line option
   2513      -verify_return_error to s_client and s_server. This causes real errors
   2514      to be returned by the verify callback instead of carrying on no matter
   2515      what. This reflects the way a "real world" verify callback would behave.
   2516      [Steve Henson]
   2518   *) GOST engine, supporting several GOST algorithms and public key formats.
   2519      Kindly donated by Cryptocom.
   2520      [Cryptocom]
   2522   *) Partial support for Issuing Distribution Point CRL extension. CRLs
   2523      partitioned by DP are handled but no indirect CRL or reason partitioning
   2524      (yet). Complete overhaul of CRL handling: now the most suitable CRL is
   2525      selected via a scoring technique which handles IDP and AKID in CRLs.
   2526      [Steve Henson]
   2528   *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
   2529      will ultimately be used for all verify operations: this will remove the
   2530      X509_STORE dependency on certificate verification and allow alternative
   2531      lookup methods.  X509_STORE based implementations of these two callbacks.
   2532      [Steve Henson]
   2534   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
   2535      Modify get_crl() to find a valid (unexpired) CRL if possible.
   2536      [Steve Henson]
   2538   *) New function X509_CRL_match() to check if two CRLs are identical. Normally
   2539      this would be called X509_CRL_cmp() but that name is already used by
   2540      a function that just compares CRL issuer names. Cache several CRL 
   2541      extensions in X509_CRL structure and cache CRLDP in X509.
   2542      [Steve Henson]
   2544   *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
   2545      this maps equivalent X509_NAME structures into a consistent structure.
   2546      Name comparison can then be performed rapidly using memcmp().
   2547      [Steve Henson]
   2549   *) Non-blocking OCSP request processing. Add -timeout option to ocsp 
   2550      utility.
   2551      [Steve Henson]
   2553   *) Allow digests to supply their own micalg string for S/MIME type using
   2554      the ctrl EVP_MD_CTRL_MICALG.
   2555      [Steve Henson]
   2557   *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
   2558      EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
   2559      ctrl. It can then customise the structure before and/or after signing
   2560      if necessary.
   2561      [Steve Henson]
   2563   *) New function OBJ_add_sigid() to allow application defined signature OIDs
   2564      to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
   2565      to free up any added signature OIDs.
   2566      [Steve Henson]
   2568   *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
   2569      EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
   2570      digest and cipher tables. New options added to openssl utility:
   2571      list-message-digest-algorithms and list-cipher-algorithms.
   2572      [Steve Henson]
   2574   *) Change the array representation of binary polynomials: the list
   2575      of degrees of non-zero coefficients is now terminated with -1.
   2576      Previously it was terminated with 0, which was also part of the
   2577      value; thus, the array representation was not applicable to
   2578      polynomials where t^0 has coefficient zero.  This change makes
   2579      the array representation useful in a more general context.
   2580      [Douglas Stebila]
   2582   *) Various modifications and fixes to SSL/TLS cipher string
   2583      handling.  For ECC, the code now distinguishes between fixed ECDH
   2584      with RSA certificates on the one hand and with ECDSA certificates
   2585      on the other hand, since these are separate ciphersuites.  The
   2586      unused code for Fortezza ciphersuites has been removed.
   2588      For consistency with EDH, ephemeral ECDH is now called "EECDH"
   2589      (not "ECDHE").  For consistency with the code for DH
   2590      certificates, use of ECDH certificates is now considered ECDH
   2591      authentication, not RSA or ECDSA authentication (the latter is
   2592      merely the CA's signing algorithm and not actively used in the
   2593      protocol).
   2595      The temporary ciphersuite alias "ECCdraft" is no longer
   2596      available, and ECC ciphersuites are no longer excluded from "ALL"
   2597      and "DEFAULT".  The following aliases now exist for RFC 4492
   2598      ciphersuites, most of these by analogy with the DH case:
   2600          kECDHr   - ECDH cert, signed with RSA
   2601          kECDHe   - ECDH cert, signed with ECDSA
   2602          kECDH    - ECDH cert (signed with either RSA or ECDSA)
   2603          kEECDH   - ephemeral ECDH
   2604          ECDH     - ECDH cert or ephemeral ECDH
   2606          aECDH    - ECDH cert
   2607          aECDSA   - ECDSA cert
   2608          ECDSA    - ECDSA cert
   2610          AECDH    - anonymous ECDH
   2611          EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
   2613      [Bodo Moeller]
   2615   *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
   2616      Use correct micalg parameters depending on digest(s) in signed message.
   2617      [Steve Henson]
   2619   *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
   2620      an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
   2621      [Steve Henson]
   2623   *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
   2624      an engine to register a method. Add ENGINE lookups for methods and
   2625      functional reference processing.
   2626      [Steve Henson]
   2628   *) New functions EVP_Digest{Sign,Verify)*. These are enchance versions of
   2629      EVP_{Sign,Verify}* which allow an application to customise the signature
   2630      process.
   2631      [Steve Henson]
   2633   *) New -resign option to smime utility. This adds one or more signers
   2634      to an existing PKCS#7 signedData structure. Also -md option to use an
   2635      alternative message digest algorithm for signing.
   2636      [Steve Henson]
   2638   *) Tidy up PKCS#7 routines and add new functions to make it easier to
   2639      create PKCS7 structures containing multiple signers. Update smime
   2640      application to support multiple signers.
   2641      [Steve Henson]
   2643   *) New -macalg option to pkcs12 utility to allow setting of an alternative
   2644      digest MAC.
   2645      [Steve Henson]
   2647   *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
   2648      Reorganize PBE internals to lookup from a static table using NIDs,
   2649      add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
   2650      EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
   2651      PRF which will be automatically used with PBES2.
   2652      [Steve Henson]
   2654   *) Replace the algorithm specific calls to generate keys in "req" with the
   2655      new API.
   2656      [Steve Henson]
   2658   *) Update PKCS#7 enveloped data routines to use new API. This is now
   2659      supported by any public key method supporting the encrypt operation. A
   2660      ctrl is added to allow the public key algorithm to examine or modify
   2661      the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
   2662      a no op.
   2663      [Steve Henson]
   2665   *) Add a ctrl to asn1 method to allow a public key algorithm to express
   2666      a default digest type to use. In most cases this will be SHA1 but some
   2667      algorithms (such as GOST) need to specify an alternative digest. The
   2668      return value indicates how strong the prefernce is 1 means optional and
   2669      2 is mandatory (that is it is the only supported type). Modify
   2670      ASN1_item_sign() to accept a NULL digest argument to indicate it should
   2671      use the default md. Update openssl utilities to use the default digest
   2672      type for signing if it is not explicitly indicated.
   2673      [Steve Henson]
   2675   *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New 
   2676      EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
   2677      signing method from the key type. This effectively removes the link
   2678      between digests and public key types.
   2679      [Steve Henson]
   2681   *) Add an OID cross reference table and utility functions. Its purpose is to
   2682      translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
   2683      rsaEncryption. This will allow some of the algorithm specific hackery
   2684      needed to use the correct OID to be removed. 
   2685      [Steve Henson]
   2687   *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
   2688      structures for PKCS7_sign(). They are now set up by the relevant public
   2689      key ASN1 method.
   2690      [Steve Henson]
   2692   *) Add provisional EC pkey method with support for ECDSA and ECDH.
   2693      [Steve Henson]
   2695   *) Add support for key derivation (agreement) in the API, DH method and
   2696      pkeyutl.
   2697      [Steve Henson]
   2699   *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
   2700      public and private key formats. As a side effect these add additional 
   2701      command line functionality not previously available: DSA signatures can be
   2702      generated and verified using pkeyutl and DH key support and generation in
   2703      pkey, genpkey.
   2704      [Steve Henson]
   2706   *) BeOS support.
   2707      [Oliver Tappe <zooey (a] hirschkaefer.de>]
   2709   *) New make target "install_html_docs" installs HTML renditions of the
   2710      manual pages.
   2711      [Oliver Tappe <zooey (a] hirschkaefer.de>]
   2713   *) New utility "genpkey" this is analagous to "genrsa" etc except it can
   2714      generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
   2715      support key and parameter generation and add initial key generation
   2716      functionality for RSA.
   2717      [Steve Henson]
   2719   *) Add functions for main EVP_PKEY_method operations. The undocumented
   2720      functions EVP_PKEY_{encrypt,decrypt} have been renamed to
   2721      EVP_PKEY_{encrypt,decrypt}_old. 
   2722      [Steve Henson]
   2724   *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
   2725      key API, doesn't do much yet.
   2726      [Steve Henson]
   2728   *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
   2729      public key algorithms. New option to openssl utility:
   2730      "list-public-key-algorithms" to print out info.
   2731      [Steve Henson]
   2733   *) Implement the Supported Elliptic Curves Extension for
   2734      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
   2735      [Douglas Stebila]
   2737   *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
   2738      EVP_CIPHER structures to avoid later problems in EVP_cleanup().
   2739      [Steve Henson]
   2741   *) New utilities pkey and pkeyparam. These are similar to algorithm specific
   2742      utilities such as rsa, dsa, dsaparam etc except they process any key
   2743      type.
   2744      [Steve Henson]
   2746   *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New 
   2747      functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
   2748      EVP_PKEY_print_param() to print public key data from an EVP_PKEY
   2749      structure.
   2750      [Steve Henson]
   2752   *) Initial support for pluggable public key ASN1.
   2753      De-spaghettify the public key ASN1 handling. Move public and private
   2754      key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
   2755      algorithm specific handling to a single module within the relevant
   2756      algorithm directory. Add functions to allow (near) opaque processing
   2757      of public and private key structures.
   2758      [Steve Henson]
   2760   *) Implement the Supported Point Formats Extension for
   2761      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
   2762      [Douglas Stebila]
   2764   *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
   2765      for the psk identity [hint] and the psk callback functions to the
   2766      SSL_SESSION, SSL and SSL_CTX structure.
   2768      New ciphersuites:
   2769          PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
   2770          PSK-AES256-CBC-SHA
   2772      New functions:
   2773          SSL_CTX_use_psk_identity_hint
   2774          SSL_get_psk_identity_hint
   2775          SSL_get_psk_identity
   2776          SSL_use_psk_identity_hint
   2778      [Mika Kousa and Pasi Eronen of Nokia Corporation]
   2780   *) Add RFC 3161 compliant time stamp request creation, response generation
   2781      and response verification functionality.
   2782      [Zoltn Glzik <zglozik (a] opentsa.org>, The OpenTSA Project]
   2784   *) Add initial support for TLS extensions, specifically for the server_name
   2785      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
   2786      have new members for a host name.  The SSL data structure has an
   2787      additional member SSL_CTX *initial_ctx so that new sessions can be
   2788      stored in that context to allow for session resumption, even after the
   2789      SSL has been switched to a new SSL_CTX in reaction to a client's
   2790      server_name extension.
   2792      New functions (subject to change):
   2794          SSL_get_servername()
   2795          SSL_get_servername_type()
   2796          SSL_set_SSL_CTX()
   2798      New CTRL codes and macros (subject to change):
   2801                                  - SSL_CTX_set_tlsext_servername_callback()
   2803                                       - SSL_CTX_set_tlsext_servername_arg()
   2804          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
   2806      openssl s_client has a new '-servername ...' option.
   2808      openssl s_server has new options '-servername_host ...', '-cert2 ...',
   2809      '-key2 ...', '-servername_fatal' (subject to change).  This allows
   2810      testing the HostName extension for a specific single host name ('-cert'
   2811      and '-key' remain fallbacks for handshakes without HostName
   2812      negotiation).  If the unrecogninzed_name alert has to be sent, this by
   2813      default is a warning; it becomes fatal with the '-servername_fatal'
   2814      option.
   2816      [Peter Sylvester,  Remy Allais, Christophe Renou]
   2818   *) Whirlpool hash implementation is added.
   2819      [Andy Polyakov]
   2821   *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
   2822      bn(64,32). Because of instruction set limitations it doesn't have
   2823      any negative impact on performance. This was done mostly in order
   2824      to make it possible to share assembler modules, such as bn_mul_mont
   2825      implementations, between 32- and 64-bit builds without hassle.
   2826      [Andy Polyakov]
   2828   *) Move code previously exiled into file crypto/ec/ec2_smpt.c
   2829      to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
   2830      macro.
   2831      [Bodo Moeller]
   2833   *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
   2834      dedicated Montgomery multiplication procedure, is introduced.
   2835      BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
   2836      "64-bit" performance on certain 32-bit targets.
   2837      [Andy Polyakov]
   2839   *) New option SSL_OP_NO_COMP to disable use of compression selectively
   2840      in SSL structures. New SSL ctrl to set maximum send fragment size. 
   2841      Save memory by seeting the I/O buffer sizes dynamically instead of
   2842      using the maximum available value.
   2843      [Steve Henson]
   2845   *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
   2846      in addition to the text details.
   2847      [Bodo Moeller]
   2849   *) Very, very preliminary EXPERIMENTAL support for printing of general
   2850      ASN1 structures. This currently produces rather ugly output and doesn't
   2851      handle several customised structures at all.
   2852      [Steve Henson]
   2854   *) Integrated support for PVK file format and some related formats such
   2855      as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
   2856      these in the 'rsa' and 'dsa' utilities.
   2857      [Steve Henson]
   2859   *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
   2860      [Steve Henson]
   2862   *) Remove the ancient ASN1_METHOD code. This was only ever used in one
   2863      place for the (very old) "NETSCAPE" format certificates which are now
   2864      handled using new ASN1 code equivalents.
   2865      [Steve Henson]
   2867   *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
   2868      pointer and make the SSL_METHOD parameter in SSL_CTX_new,
   2869      SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
   2870      [Nils Larsch]
   2872   *) Modify CRL distribution points extension code to print out previously
   2873      unsupported fields. Enhance extension setting code to allow setting of
   2874      all fields.
   2875      [Steve Henson]
   2877   *) Add print and set support for Issuing Distribution Point CRL extension.
   2878      [Steve Henson]
   2880   *) Change 'Configure' script to enable Camellia by default.
   2881      [NTT]
   2883  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
   2885   *) When rejecting SSL/TLS records due to an incorrect version number, never
   2886      update s->server with a new major version number.  As of
   2887      - OpenSSL 0.9.8m if 'short' is a 16-bit type,
   2888      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
   2889      the previous behavior could result in a read attempt at NULL when
   2890      receiving specific incorrect SSL/TLS records once record payload
   2891      protection is active.  (CVE-2010-0740)
   2892      [Bodo Moeller, Adam Langley <agl (a] chromium.org>]
   2894   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
   2895      could be crashed if the relevant tables were not present (e.g. chrooted).
   2896      [Tomas Hoger <thoger (a] redhat.com>]
   2898  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
   2900   *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
   2901      [Martin Olsson, Neel Mehta]
   2903   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
   2904      accommodate for stack sorting, always a write lock!).
   2905      [Bodo Moeller]
   2907   *) On some versions of WIN32 Heap32Next is very slow. This can cause
   2908      excessive delays in the RAND_poll(): over a minute. As a workaround
   2909      include a time check in the inner Heap32Next loop too.
   2910      [Steve Henson]
   2912   *) The code that handled flushing of data in SSL/TLS originally used the
   2913      BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
   2914      the problem outlined in PR#1949. The fix suggested there however can
   2915      trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
   2916      of Apache). So instead simplify the code to flush unconditionally.
   2917      This should be fine since flushing with no data to flush is a no op.
   2918      [Steve Henson]
   2920   *) Handle TLS versions 2.0 and later properly and correctly use the
   2921      highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
   2922      off ancient servers have a habit of sticking around for a while...
   2923      [Steve Henson]
   2925   *) Modify compression code so it frees up structures without using the
   2926      ex_data callbacks. This works around a problem where some applications
   2927      call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
   2928      restarting) then use compression (e.g. SSL with compression) later.
   2929      This results in significant per-connection memory leaks and
   2930      has caused some security issues including CVE-2008-1678 and
   2931      CVE-2009-4355.
   2932      [Steve Henson]
   2934   *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
   2935      change when encrypting or decrypting.
   2936      [Bodo Moeller]
   2938   *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
   2939      connect and renegotiate with servers which do not support RI.
   2940      Until RI is more widely deployed this option is enabled by default.
   2941      [Steve Henson]
   2943   *) Add "missing" ssl ctrls to clear options and mode.
   2944      [Steve Henson]
   2946   *) If client attempts to renegotiate and doesn't support RI respond with
   2947      a no_renegotiation alert as required by RFC5746.  Some renegotiating
   2948      TLS clients will continue a connection gracefully when they receive
   2949      the alert. Unfortunately OpenSSL mishandled this alert and would hang
   2950      waiting for a server hello which it will never receive. Now we treat a
   2951      received no_renegotiation alert as a fatal error. This is because
   2952      applications requesting a renegotiation might well expect it to succeed
   2953      and would have no code in place to handle the server denying it so the
   2954      only safe thing to do is to terminate the connection.
   2955      [Steve Henson]
   2957   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
   2958      peer supports secure renegotiation and 0 otherwise. Print out peer
   2959      renegotiation support in s_client/s_server.
   2960      [Steve Henson]
   2962   *) Replace the highly broken and deprecated SPKAC certification method with
   2963      the updated NID creation version. This should correctly handle UTF8.
   2964      [Steve Henson]
   2966   *) Implement RFC5746. Re-enable renegotiation but require the extension
   2967      as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
   2968      turns out to be a bad idea. It has been replaced by
   2969      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
   2970      SSL_CTX_set_options(). This is really not recommended unless you
   2971      know what you are doing.
   2972      [Eric Rescorla <ekr (a] networkresonance.com>, Ben Laurie, Steve Henson]
   2974   *) Fixes to stateless session resumption handling. Use initial_ctx when
   2975      issuing and attempting to decrypt tickets in case it has changed during
   2976      servername handling. Use a non-zero length session ID when attempting
   2977      stateless session resumption: this makes it possible to determine if
   2978      a resumption has occurred immediately after receiving server hello
   2979      (several places in OpenSSL subtly assume this) instead of later in
   2980      the handshake.
   2981      [Steve Henson]
   2983   *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
   2984      CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
   2985      fixes for a few places where the return code is not checked
   2986      correctly.
   2987      [Julia Lawall <julia (a] diku.dk>]
   2989   *) Add --strict-warnings option to Configure script to include devteam
   2990      warnings in other configurations.
   2991      [Steve Henson]
   2993   *) Add support for --libdir option and LIBDIR variable in makefiles. This
   2994      makes it possible to install openssl libraries in locations which
   2995      have names other than "lib", for example "/usr/lib64" which some
   2996      systems need.
   2997      [Steve Henson, based on patch from Jeremy Utley]
   2999   *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
   3000      X690 8.9.12 and can produce some misleading textual output of OIDs.
   3001      [Steve Henson, reported by Dan Kaminsky]
   3003   *) Delete MD2 from algorithm tables. This follows the recommendation in
   3004      several standards that it is not used in new applications due to
   3005      several cryptographic weaknesses. For binary compatibility reasons
   3006      the MD2 API is still compiled in by default.
   3007      [Steve Henson]
   3009   *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
   3010      and restored.
   3011      [Steve Henson]
   3013   *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
   3014      OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
   3015      clash.
   3016      [Guenter <lists (a] gknw.net>]
   3018   *) Fix the server certificate chain building code to use X509_verify_cert(),
   3019      it used to have an ad-hoc builder which was unable to cope with anything
   3020      other than a simple chain.
   3021      [David Woodhouse <dwmw2 (a] infradead.org>, Steve Henson]
   3023   *) Don't check self signed certificate signatures in X509_verify_cert()
   3024      by default (a flag can override this): it just wastes time without
   3025      adding any security. As a useful side effect self signed root CAs
   3026      with non-FIPS digests are now usable in FIPS mode.
   3027      [Steve Henson]
   3029   *) In dtls1_process_out_of_seq_message() the check if the current message
   3030      is already buffered was missing. For every new message was memory
   3031      allocated, allowing an attacker to perform an denial of service attack
   3032      with sending out of seq handshake messages until there is no memory
   3033      left. Additionally every future messege was buffered, even if the
   3034      sequence number made no sense and would be part of another handshake.
   3035      So only messages with sequence numbers less than 10 in advance will be
   3036      buffered.  (CVE-2009-1378)
   3037      [Robin Seggelmann, discovered by Daniel Mentz] 	
   3039   *) Records are buffered if they arrive with a future epoch to be
   3040      processed after finishing the corresponding handshake. There is
   3041      currently no limitation to this buffer allowing an attacker to perform
   3042      a DOS attack with sending records with future epochs until there is no
   3043      memory left. This patch adds the pqueue_size() function to detemine
   3044      the size of a buffer and limits the record buffer to 100 entries.
   3045      (CVE-2009-1377)
   3046      [Robin Seggelmann, discovered by Daniel Mentz] 	
   3048   *) Keep a copy of frag->msg_header.frag_len so it can be used after the
   3049      parent structure is freed.  (CVE-2009-1379)
   3050      [Daniel Mentz] 	
   3052   *) Handle non-blocking I/O properly in SSL_shutdown() call.
   3053      [Darryl Miles <darryl-mailinglists (a] netbauds.net>]
   3055   *) Add 2.5.4.* OIDs
   3056      [Ilya O. <vrghost (a] gmail.com>]
   3058  Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
   3060   *) Disable renegotiation completely - this fixes a severe security
   3061      problem (CVE-2009-3555) at the cost of breaking all
   3062      renegotiation. Renegotiation can be re-enabled by setting
   3064      run-time. This is really not recommended unless you know what
   3065      you're doing.
   3066      [Ben Laurie]
   3068  Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
   3070   *) Don't set val to NULL when freeing up structures, it is freed up by
   3071      underlying code. If sizeof(void *) > sizeof(long) this can result in
   3072      zeroing past the valid field. (CVE-2009-0789)
   3073      [Paolo Ganci <Paolo.Ganci (a] AdNovum.CH>]
   3075   *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
   3076      checked correctly. This would allow some invalid signed attributes to
   3077      appear to verify correctly. (CVE-2009-0591)
   3078      [Ivan Nestlerode <inestlerode (a] us.ibm.com>]
   3080   *) Reject UniversalString and BMPString types with invalid lengths. This
   3081      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
   3082      a legal length. (CVE-2009-0590)
   3083      [Steve Henson]
   3085   *) Set S/MIME signing as the default purpose rather than setting it 
   3086      unconditionally. This allows applications to override it at the store
   3087      level.
   3088      [Steve Henson]
   3090   *) Permit restricted recursion of ASN1 strings. This is needed in practice
   3091      to handle some structures.
   3092      [Steve Henson]
   3094   *) Improve efficiency of mem_gets: don't search whole buffer each time
   3095      for a '\n'
   3096      [Jeremy Shapiro <jnshapir (a] us.ibm.com>]
   3098   *) New -hex option for openssl rand.
   3099      [Matthieu Herrb]
   3101   *) Print out UTF8String and NumericString when parsing ASN1.
   3102      [Steve Henson]
   3104   *) Support NumericString type for name components.
   3105      [Steve Henson]
   3107   *) Allow CC in the environment to override the automatically chosen
   3108      compiler. Note that nothing is done to ensure flags work with the
   3109      chosen compiler.
   3110      [Ben Laurie]
   3112  Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
   3114   *) Properly check EVP_VerifyFinal() and similar return values
   3115      (CVE-2008-5077).
   3116      [Ben Laurie, Bodo Moeller, Google Security Team]
   3118   *) Enable TLS extensions by default.
   3119      [Ben Laurie]
   3121   *) Allow the CHIL engine to be loaded, whether the application is
   3122      multithreaded or not. (This does not release the developer from the
   3123      obligation to set up the dynamic locking callbacks.)
   3124      [Sander Temme <sander (a] temme.net>]
   3126   *) Use correct exit code if there is an error in dgst command.
   3127      [Steve Henson; problem pointed out by Roland Dirlewanger]
   3129   *) Tweak Configure so that you need to say "experimental-jpake" to enable
   3130      JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
   3131      [Bodo Moeller]
   3133   *) Add experimental JPAKE support, including demo authentication in
   3134      s_client and s_server.
   3135      [Ben Laurie]
   3137   *) Set the comparison function in v3_addr_canonize().
   3138      [Rob Austein <sra (a] hactrn.net>]
   3140   *) Add support for XMPP STARTTLS in s_client.
   3141      [Philip Paeps <philip (a] freebsd.org>]
   3143   *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
   3144      to ensure that even with this option, only ciphersuites in the
   3145      server's preference list will be accepted.  (Note that the option
   3146      applies only when resuming a session, so the earlier behavior was
   3147      just about the algorithm choice for symmetric cryptography.)
   3148      [Bodo Moeller]
   3150  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
   3152   *) Fix NULL pointer dereference if a DTLS server received
   3153      ChangeCipherSpec as first record (CVE-2009-1386).
   3154      [PR #1679]
   3156   *) Fix a state transitition in s3_srvr.c and d1_srvr.c
   3157      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
   3158      [Nagendra Modadugu]
   3160   *) The fix in 0.9.8c that supposedly got rid of unsafe
   3161      double-checked locking was incomplete for RSA blinding,
   3162      addressing just one layer of what turns out to have been
   3163      doubly unsafe triple-checked locking.
   3165      So now fix this for real by retiring the MONT_HELPER macro
   3166      in crypto/rsa/rsa_eay.c.
   3168      [Bodo Moeller; problem pointed out by Marius Schilder]
   3170   *) Various precautionary measures:
   3172      - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
   3174      - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
   3175        (NB: This would require knowledge of the secret session ticket key
   3176        to exploit, in which case you'd be SOL either way.)
   3178      - Change bn_nist.c so that it will properly handle input BIGNUMs
   3179        outside the expected range.
   3181      - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
   3182        builds.
   3184      [Neel Mehta, Bodo Moeller]
   3186   *) Allow engines to be "soft loaded" - i.e. optionally don't die if
   3187      the load fails. Useful for distros.
   3188      [Ben Laurie and the FreeBSD team]
   3190   *) Add support for Local Machine Keyset attribute in PKCS#12 files.
   3191      [Steve Henson]
   3193   *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
   3194      [Huang Ying]
   3196   *) Expand ENGINE to support engine supplied SSL client certificate functions.
   3198      This work was sponsored by Logica.
   3199      [Steve Henson]
   3201   *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
   3202      keystores. Support for SSL/TLS client authentication too.
   3203      Not compiled unless enable-capieng specified to Configure.
   3205      This work was sponsored by Logica.
   3206      [Steve Henson]
   3208   *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
   3209      ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
   3210      attribute creation routines such as certifcate requests and PKCS#12
   3211      files.
   3212      [Steve Henson]
   3214  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
   3216   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
   3217      handshake which could lead to a cilent crash as found using the
   3218      Codenomicon TLS test suite (CVE-2008-1672) 
   3219      [Steve Henson, Mark Cox]
   3221   *) Fix double free in TLS server name extensions which could lead to
   3222      a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 
   3223      [Joe Orton]
   3225   *) Clear error queue in SSL_CTX_use_certificate_chain_file()
   3227      Clear the error queue to ensure that error entries left from
   3228      older function calls do not interfere with the correct operation.
   3229      [Lutz Jaenicke, Erik de Castro Lopo]
   3231   *) Remove root CA certificates of commercial CAs:
   3233      The OpenSSL project does not recommend any specific CA and does not
   3234      have any policy with respect to including or excluding any CA.
   3235      Therefore it does not make any sense to ship an arbitrary selection
   3236      of root CA certificates with the OpenSSL software.
   3237      [Lutz Jaenicke]
   3239   *) RSA OAEP patches to fix two separate invalid memory reads.
   3240      The first one involves inputs when 'lzero' is greater than
   3241      'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
   3242      before the beginning of from). The second one involves inputs where
   3243      the 'db' section contains nothing but zeroes (there is a one-byte
   3244      invalid read after the end of 'db').
   3245      [Ivan Nestlerode <inestlerode (a] us.ibm.com>]
   3247   *) Partial backport from 0.9.9-dev:
   3249      Introduce bn_mul_mont (dedicated Montgomery multiplication
   3250      procedure) as a candidate for BIGNUM assembler implementation.
   3251      While 0.9.9-dev uses assembler for various architectures, only
   3252      x86_64 is available by default here in the 0.9.8 branch, and
   3253      32-bit x86 is available through a compile-time setting.
   3255      To try the 32-bit x86 assembler implementation, use Configure
   3256      option "enable-montasm" (which exists only for this backport).
   3258      As "enable-montasm" for 32-bit x86 disclaims code stability
   3259      anyway, in this constellation we activate additional code
   3260      backported from 0.9.9-dev for further performance improvements,
   3261      namely BN_from_montgomery_word.  (To enable this otherwise,
   3262      e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
   3264      [Andy Polyakov (backport partially by Bodo Moeller)]
   3266   *) Add TLS session ticket callback. This allows an application to set
   3267      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
   3268      values. This is useful for key rollover for example where several key
   3269      sets may exist with different names.
   3270      [Steve Henson]
   3272   *) Reverse ENGINE-internal logic for caching default ENGINE handles.
   3273      This was broken until now in 0.9.8 releases, such that the only way
   3274      a registered ENGINE could be used (assuming it initialises
   3275      successfully on the host) was to explicitly set it as the default
   3276      for the relevant algorithms. This is in contradiction with 0.9.7
   3277      behaviour and the documentation. With this fix, when an ENGINE is
   3278      registered into a given algorithm's table of implementations, the
   3279      'uptodate' flag is reset so that auto-discovery will be used next
   3280      time a new context for that algorithm attempts to select an
   3281      implementation.
   3282      [Ian Lister (tweaked by Geoff Thorpe)]
   3284   *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
   3285      implemention in the following ways:
   3287      Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
   3288      hard coded.
   3290      Lack of BER streaming support means one pass streaming processing is
   3291      only supported if data is detached: setting the streaming flag is
   3292      ignored for embedded content.
   3294      CMS support is disabled by default and must be explicitly enabled
   3295      with the enable-cms configuration option.
   3296      [Steve Henson]
   3298   *) Update the GMP engine glue to do direct copies between BIGNUM and
   3299      mpz_t when openssl and GMP use the same limb size. Otherwise the
   3300      existing "conversion via a text string export" trick is still used.
   3301      [Paul Sheer <paulsheer (a] gmail.com>]
   3303   *) Zlib compression BIO. This is a filter BIO which compressed and
   3304      uncompresses any data passed through it.
   3305      [Steve Henson]
   3307   *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
   3308      RFC3394 compatible AES key wrapping.
   3309      [Steve Henson]
   3311   *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
   3312      sets string data without copying. X509_ALGOR_set0() and
   3313      X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
   3314      data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
   3315      from an X509_ATTRIBUTE structure optionally checking it occurs only
   3316      once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
   3317      data.
   3318      [Steve Henson]
   3320   *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
   3321      to get the expected BN_FLG_CONSTTIME behavior.
   3322      [Bodo Moeller (Google)]
   3324   *) Netware support:
   3326      - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
   3327      - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
   3328      - added some more tests to do_tests.pl
   3329      - fixed RunningProcess usage so that it works with newer LIBC NDKs too
   3330      - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
   3331      - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
   3332        netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
   3333      - various changes to netware.pl to enable gcc-cross builds on Win32
   3334        platform
   3335      - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
   3336      - various changes to fix missing prototype warnings
   3337      - fixed x86nasm.pl to create correct asm files for NASM COFF output
   3338      - added AES, WHIRLPOOL and CPUID assembler code to build files
   3339      - added missing AES assembler make rules to mk1mf.pl
   3340      - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
   3341      [Guenter Knauf <eflash (a] gmx.net>]
   3343   *) Implement certificate status request TLS extension defined in RFC3546.
   3344      A client can set the appropriate parameters and receive the encoded
   3345      OCSP response via a callback. A server can query the supplied parameters
   3346      and set the encoded OCSP response in the callback. Add simplified examples
   3347      to s_client and s_server.
   3348      [Steve Henson]
   3350  Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
   3352   *) Fix various bugs:
   3353      + Binary incompatibility of ssl_ctx_st structure
   3354      + DTLS interoperation with non-compliant servers
   3355      + Don't call get_session_cb() without proposed session
   3356      + Fix ia64 assembler code
   3357      [Andy Polyakov, Steve Henson]
   3359  Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
   3361   *) DTLS Handshake overhaul. There were longstanding issues with
   3362      OpenSSL DTLS implementation, which were making it impossible for
   3363      RFC 4347 compliant client to communicate with OpenSSL server.
   3364      Unfortunately just fixing these incompatibilities would "cut off"
   3365      pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
   3366      server keeps tolerating non RFC compliant syntax. The opposite is
   3367      not true, 0.9.8f client can not communicate with earlier server.
   3368      This update even addresses CVE-2007-4995.
   3369      [Andy Polyakov]
   3371   *) Changes to avoid need for function casts in OpenSSL: some compilers
   3372      (gcc 4.2 and later) reject their use.
   3373      [Kurt Roeckx <kurt (a] roeckx.be>, Peter Hartley <pdh (a] utter.chaos.org.uk>,
   3374       Steve Henson]
   3376   *) Add RFC4507 support to OpenSSL. This includes the corrections in
   3377      RFC4507bis. The encrypted ticket format is an encrypted encoded
   3378      SSL_SESSION structure, that way new session features are automatically
   3379      supported.
   3381      If a client application caches session in an SSL_SESSION structure
   3382      support is transparent because tickets are now stored in the encoded
   3383      SSL_SESSION.
   3385      The SSL_CTX structure automatically generates keys for ticket
   3386      protection in servers so again support should be possible
   3387      with no application modification.
   3389      If a client or server wishes to disable RFC4507 support then the option
   3390      SSL_OP_NO_TICKET can be set.
   3392      Add a TLS extension debugging callback to allow the contents of any client
   3393      or server extensions to be examined.
   3395      This work was sponsored by Google.
   3396      [Steve Henson]
   3398   *) Add initial support for TLS extensions, specifically for the server_name
   3399      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
   3400      have new members for a host name.  The SSL data structure has an
   3401      additional member SSL_CTX *initial_ctx so that new sessions can be
   3402      stored in that context to allow for session resumption, even after the
   3403      SSL has been switched to a new SSL_CTX in reaction to a client's
   3404      server_name extension.
   3406      New functions (subject to change):
   3408          SSL_get_servername()
   3409          SSL_get_servername_type()
   3410          SSL_set_SSL_CTX()
   3412      New CTRL codes and macros (subject to change):
   3415                                  - SSL_CTX_set_tlsext_servername_callback()
   3417                                       - SSL_CTX_set_tlsext_servername_arg()
   3418          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
   3420      openssl s_client has a new '-servername ...' option.
   3422      openssl s_server has new options '-servername_host ...', '-cert2 ...',
   3423      '-key2 ...', '-servername_fatal' (subject to change).  This allows
   3424      testing the HostName extension for a specific single host name ('-cert'
   3425      and '-key' remain fallbacks for handshakes without HostName
   3426      negotiation).  If the unrecogninzed_name alert has to be sent, this by
   3427      default is a warning; it becomes fatal with the '-servername_fatal'
   3428      option.
   3430      [Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson]
   3432   *) Add AES and SSE2 assembly language support to VC++ build.
   3433      [Steve Henson]
   3435   *) Mitigate attack on final subtraction in Montgomery reduction.
   3436      [Andy Polyakov]
   3438   *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
   3439      (which previously caused an internal error).
   3440      [Bodo Moeller]
   3442   *) Squeeze another 10% out of IGE mode when in != out.
   3443      [Ben Laurie]
   3445   *) AES IGE mode speedup.
   3446      [Dean Gaudet (Google)]
   3448   *) Add the Korean symmetric 128-bit cipher SEED (see
   3449      http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
   3450      add SEED ciphersuites from RFC 4162:
   3452         TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
   3455         TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
   3457      To minimize changes between patchlevels in the OpenSSL 0.9.8
   3458      series, SEED remains excluded from compilation unless OpenSSL
   3459      is configured with 'enable-seed'.
   3460      [KISA, Bodo Moeller]
   3462   *) Mitigate branch prediction attacks, which can be practical if a
   3463      single processor is shared, allowing a spy process to extract
   3464      information.  For detailed background information, see
   3465      http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
   3466      J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
   3467      and Necessary Software Countermeasures").  The core of the change
   3468      are new versions BN_div_no_branch() and
   3469      BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
   3470      respectively, which are slower, but avoid the security-relevant
   3471      conditional branches.  These are automatically called by BN_div()
   3472      and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
   3473      of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
   3474      remove a conditional branch.
   3476      BN_FLG_CONSTTIME is the new name for the previous
   3477      BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
   3478      modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
   3479      in the exponent causes BN_mod_exp_mont() to use the alternative
   3480      implementation in BN_mod_exp_mont_consttime().)  The old name
   3481      remains as a deprecated alias.
   3483      Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
   3484      RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
   3485      constant-time implementations for more than just exponentiation.
   3486      Here too the old name is kept as a deprecated alias.
   3488      BN_BLINDING_new() will now use BN_dup() for the modulus so that
   3489      the BN_BLINDING structure gets an independent copy of the
   3490      modulus.  This means that the previous "BIGNUM *m" argument to
   3491      BN_BLINDING_new() and to BN_BLINDING_create_param() now
   3492      essentially becomes "const BIGNUM *m", although we can't actually
   3493      change this in the header file before 0.9.9.  It allows
   3494      RSA_setup_blinding() to use BN_with_flags() on the modulus to
   3495      enable BN_FLG_CONSTTIME.
   3497      [Matthew D Wood (Intel Corp)]
   3499   *) In the SSL/TLS server implementation, be strict about session ID
   3500      context matching (which matters if an application uses a single
   3501      external cache for different purposes).  Previously,
   3502      out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
   3503      set.  This did ensure strict client verification, but meant that,
   3504      with applications using a single external cache for quite
   3505      different requirements, clients could circumvent ciphersuite
   3506      restrictions for a given session ID context by starting a session
   3507      in a different context.
   3508      [Bodo Moeller]
   3510   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   3511      a ciphersuite string such as "DEFAULT:RSA" cannot enable
   3512      authentication-only ciphersuites.
   3513      [Bodo Moeller]
   3515   *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
   3516      not complete and could lead to a possible single byte overflow
   3517      (CVE-2007-5135) [Ben Laurie]
   3519  Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
   3521   *) Since AES128 and AES256 (and similarly Camellia128 and
   3522      Camellia256) share a single mask bit in the logic of
   3523      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   3524      kludge to work properly if AES128 is available and AES256 isn't
   3525      (or if Camellia128 is available and Camellia256 isn't).
   3526      [Victor Duchovni]
   3528   *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
   3529      (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
   3530      When a point or a seed is encoded in a BIT STRING, we need to
   3531      prevent the removal of trailing zero bits to get the proper DER
   3532      encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
   3533      of a NamedBitList, for which trailing 0 bits need to be removed.)
   3534      [Bodo Moeller]
   3536   *) Have SSL/TLS server implementation tolerate "mismatched" record
   3537      protocol version while receiving ClientHello even if the
   3538      ClientHello is fragmented.  (The server can't insist on the
   3539      particular protocol version it has chosen before the ServerHello
   3540      message has informed the client about his choice.)
   3541      [Bodo Moeller]
   3543   *) Add RFC 3779 support.
   3544      [Rob Austein for ARIN, Ben Laurie]
   3546   *) Load error codes if they are not already present instead of using a
   3547      static variable. This allows them to be cleanly unloaded and reloaded.
   3548      Improve header file function name parsing.
   3549      [Steve Henson]
   3551   *) extend SMTP and IMAP protocol emulation in s_client to use EHLO
   3552      or CAPABILITY handshake as required by RFCs.
   3553      [Goetz Babin-Ebell]
   3555  Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
   3557   *) Introduce limits to prevent malicious keys being able to
   3558      cause a denial of service.  (CVE-2006-2940)
   3559      [Steve Henson, Bodo Moeller]
   3561   *) Fix ASN.1 parsing of certain invalid structures that can result
   3562      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
   3564   *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
   3565      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
   3567   *) Fix SSL client code which could crash if connecting to a
   3568      malicious SSLv2 server.  (CVE-2006-4343)
   3569      [Tavis Ormandy and Will Drewry, Google Security Team]
   3571   *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
   3572      match only those.  Before that, "AES256-SHA" would be interpreted
   3573      as a pattern and match "AES128-SHA" too (since AES128-SHA got
   3574      the same strength classification in 0.9.7h) as we currently only
   3575      have a single AES bit in the ciphersuite description bitmap.
   3576      That change, however, also applied to ciphersuite strings such as
   3577      "RC4-MD5" that intentionally matched multiple ciphersuites --
   3578      namely, SSL 2.0 ciphersuites in addition to the more common ones
   3579      from SSL 3.0/TLS 1.0.
   3581      So we change the selection algorithm again: Naming an explicit
   3582      ciphersuite selects this one ciphersuite, and any other similar
   3583      ciphersuite (same bitmap) from *other* protocol versions.
   3584      Thus, "RC4-MD5" again will properly select both the SSL 2.0
   3585      ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
   3587      Since SSL 2.0 does not have any ciphersuites for which the
   3588      128/256 bit distinction would be relevant, this works for now.
   3589      The proper fix will be to use different bits for AES128 and
   3590      AES256, which would have avoided the problems from the beginning;
   3591      however, bits are scarce, so we can only do this in a new release
   3592      (not just a patchlevel) when we can change the SSL_CIPHER
   3593      definition to split the single 'unsigned long mask' bitmap into
   3594      multiple values to extend the available space.
   3596      [Bodo Moeller]
   3598  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
   3600   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   3601      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
   3603   *) Add AES IGE and biIGE modes.
   3604      [Ben Laurie]
   3606   *) Change the Unix randomness entropy gathering to use poll() when
   3607      possible instead of select(), since the latter has some
   3608      undesirable limitations.
   3609      [Darryl Miles via Richard Levitte and Bodo Moeller]
   3611   *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
   3612      treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
   3613      cannot be implicitly activated as part of, e.g., the "AES" alias.
   3614      However, please upgrade to OpenSSL 0.9.9[-dev] for
   3615      non-experimental use of the ECC ciphersuites to get TLS extension
   3616      support, which is required for curve and point format negotiation
   3617      to avoid potential handshake problems.
   3618      [Bodo Moeller]
   3620   *) Disable rogue ciphersuites:
   3622       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   3623       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   3624       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
   3626      The latter two were purportedly from
   3627      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   3628      appear there.
   3630      Also deactivate the remaining ciphersuites from
   3631      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
   3632      unofficial, and the ID has long expired.
   3633      [Bodo Moeller]
   3635   *) Fix RSA blinding Heisenbug (problems sometimes occured on
   3636      dual-core machines) and other potential thread-safety issues.
   3637      [Bodo Moeller]
   3639   *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
   3640      versions), which is now available for royalty-free use
   3641      (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
   3642      Also, add Camellia TLS ciphersuites from RFC 4132.
   3644      To minimize changes between patchlevels in the OpenSSL 0.9.8
   3645      series, Camellia remains excluded from compilation unless OpenSSL
   3646      is configured with 'enable-camellia'.
   3647      [NTT]
   3649   *) Disable the padding bug check when compression is in use. The padding
   3650      bug check assumes the first packet is of even length, this is not
   3651      necessarily true if compresssion is enabled and can result in false
   3652      positives causing handshake failure. The actual bug test is ancient
   3653      code so it is hoped that implementations will either have fixed it by
   3654      now or any which still have the bug do not support compression.
   3655      [Steve Henson]
   3657  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
   3659   *) When applying a cipher rule check to see if string match is an explicit
   3660      cipher suite and only match that one cipher suite if it is.
   3661      [Steve Henson]
   3663   *) Link in manifests for VC++ if needed.
   3664      [Austin Ziegler <halostatue (a] gmail.com>]
   3666   *) Update support for ECC-based TLS ciphersuites according to
   3667      draft-ietf-tls-ecc-12.txt with proposed changes (but without
   3668      TLS extensions, which are supported starting with the 0.9.9
   3669      branch, not in the OpenSSL 0.9.8 branch).
   3670      [Douglas Stebila]
   3672   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
   3673      opaque EVP_CIPHER_CTX handling.
   3674      [Steve Henson]
   3676   *) Fixes and enhancements to zlib compression code. We now only use
   3677      "zlib1.dll" and use the default __cdecl calling convention on Win32
   3678      to conform with the standards mentioned here:
   3679            http://www.zlib.net/DLL_FAQ.txt
   3680      Static zlib linking now works on Windows and the new --with-zlib-include
   3681      --with-zlib-lib options to Configure can be used to supply the location
   3682      of the headers and library. Gracefully handle case where zlib library
   3683      can't be loaded.
   3684      [Steve Henson]
   3686   *) Several fixes and enhancements to the OID generation code. The old code
   3687      sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
   3688      handle numbers larger than ULONG_MAX, truncated printing and had a
   3689      non standard OBJ_obj2txt() behaviour.
   3690      [Steve Henson]
   3692   *) Add support for building of engines under engine/ as shared libraries
   3693      under VC++ build system.
   3694      [Steve Henson]
   3696   *) Corrected the numerous bugs in the Win32 path splitter in DSO.
   3697      Hopefully, we will not see any false combination of paths any more.
   3698      [Richard Levitte]
   3700  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
   3702   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   3703      (part of SSL_OP_ALL).  This option used to disable the
   3704      countermeasure against man-in-the-middle protocol-version
   3705      rollback in the SSL 2.0 server implementation, which is a bad
   3706      idea.  (CVE-2005-2969)
   3708      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   3709      for Information Security, National Institute of Advanced Industrial
   3710      Science and Technology [AIST], Japan)]
   3712   *) Add two function to clear and return the verify parameter flags.
   3713      [Steve Henson]
   3715   *) Keep cipherlists sorted in the source instead of sorting them at
   3716      runtime, thus removing the need for a lock.
   3717      [Nils Larsch]
   3719   *) Avoid some small subgroup attacks in Diffie-Hellman.
   3720      [Nick Mathewson and Ben Laurie]
   3722   *) Add functions for well-known primes.
   3723      [Nick Mathewson]
   3725   *) Extended Windows CE support.
   3726      [Satoshi Nakamura and Andy Polyakov]
   3728   *) Initialize SSL_METHOD structures at compile time instead of during
   3729      runtime, thus removing the need for a lock.
   3730      [Steve Henson]
   3732   *) Make PKCS7_decrypt() work even if no certificate is supplied by
   3733      attempting to decrypt each encrypted key in turn. Add support to
   3734      smime utility.
   3735      [Steve Henson]
   3737  Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
   3739   [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
   3740   OpenSSL 0.9.8.]
   3742   *) Add libcrypto.pc and libssl.pc for those who feel they need them.
   3743      [Richard Levitte]
   3745   *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
   3746      key into the same file any more.
   3747      [Richard Levitte]
   3749   *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
   3750      [Andy Polyakov]
   3752   *) Add -utf8 command line and config file option to 'ca'.
   3753      [Stefan <stf (a] udoma.org]
   3755   *) Removed the macro des_crypt(), as it seems to conflict with some
   3756      libraries.  Use DES_crypt().
   3757      [Richard Levitte]
   3759   *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
   3760      involves renaming the source and generated shared-libs for
   3761      both. The engines will accept the corrected or legacy ids
   3762      ('ncipher' and '4758_cca' respectively) when binding. NB,
   3763      this only applies when building 'shared'.
   3764      [Corinna Vinschen <vinschen (a] redhat.com> and Geoff Thorpe]
   3766   *) Add attribute functions to EVP_PKEY structure. Modify
   3767      PKCS12_create() to recognize a CSP name attribute and
   3768      use it. Make -CSP option work again in pkcs12 utility.
   3769      [Steve Henson]
   3771   *) Add new functionality to the bn blinding code:
   3772      - automatic re-creation of the BN_BLINDING parameters after
   3773        a fixed number of uses (currently 32)
   3774      - add new function for parameter creation
   3775      - introduce flags to control the update behaviour of the
   3776        BN_BLINDING parameters
   3777      - hide BN_BLINDING structure
   3778      Add a second BN_BLINDING slot to the RSA structure to improve
   3779      performance when a single RSA object is shared among several
   3780      threads.
   3781      [Nils Larsch]
   3783   *) Add support for DTLS.
   3784      [Nagendra Modadugu <nagendra (a] cs.stanford.edu> and Ben Laurie]
   3786   *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
   3787      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
   3788      [Walter Goulet]
   3790   *) Remove buggy and incompletet DH cert support from
   3791      ssl/ssl_rsa.c and ssl/s3_both.c
   3792      [Nils Larsch]
   3794   *) Use SHA-1 instead of MD5 as the default digest algorithm for
   3795      the apps/openssl applications.
   3796      [Nils Larsch]
   3798   *) Compile clean with "-Wall -Wmissing-prototypes
   3799      -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
   3800      DEBUG_SAFESTACK must also be set.
   3801      [Ben Laurie]
   3803   *) Change ./Configure so that certain algorithms can be disabled by default.
   3804      The new counterpiece to "no-xxx" is "enable-xxx".
   3806      The patented RC5 and MDC2 algorithms will now be disabled unless
   3807      "enable-rc5" and "enable-mdc2", respectively, are specified.
   3809      (IDEA remains enabled despite being patented.  This is because IDEA
   3810      is frequently required for interoperability, and there is no license
   3811      fee for non-commercial use.  As before, "no-idea" can be used to
   3812      avoid this algorithm.)
   3814      [Bodo Moeller]
   3816   *) Add processing of proxy certificates (see RFC 3820).  This work was
   3817      sponsored by KTH (The Royal Institute of Technology in Stockholm) and
   3818      EGEE (Enabling Grids for E-science in Europe).
   3819      [Richard Levitte]
   3821   *) RC4 performance overhaul on modern architectures/implementations, such
   3822      as Intel P4, IA-64 and AMD64.
   3823      [Andy Polyakov]
   3825   *) New utility extract-section.pl. This can be used specify an alternative
   3826      section number in a pod file instead of having to treat each file as
   3827      a separate case in Makefile. This can be done by adding two lines to the
   3828      pod file:
   3830      =for comment openssl_section:XXX
   3832      The blank line is mandatory.
   3834      [Steve Henson]
   3836   *) New arguments -certform, -keyform and -pass for s_client and s_server
   3837      to allow alternative format key and certificate files and passphrase
   3838      sources.
   3839      [Steve Henson]
   3841   *) New structure X509_VERIFY_PARAM which combines current verify parameters,
   3842      update associated structures and add various utility functions.
   3844      Add new policy related verify parameters, include policy checking in 
   3845      standard verify code. Enhance 'smime' application with extra parameters
   3846      to support policy checking and print out.
   3847      [Steve Henson]
   3849   *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
   3850      Nehemiah processors. These extensions support AES encryption in hardware
   3851      as well as RNG (though RNG support is currently disabled).
   3852      [Michal Ludvig <michal (a] logix.cz>, with help from Andy Polyakov]
   3854   *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
   3855      [Geoff Thorpe]
   3857   *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
   3858      [Andy Polyakov and a number of other people]
   3860   *) Improved PowerPC platform support. Most notably BIGNUM assembler
   3861      implementation contributed by IBM.
   3862      [Suresh Chari, Peter Waltenberg, Andy Polyakov]
   3864   *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
   3865      exponent rather than 'unsigned long'. There is a corresponding change to
   3866      the new 'rsa_keygen' element of the RSA_METHOD structure.
   3867      [Jelte Jansen, Geoff Thorpe]
   3869   *) Functionality for creating the initial serial number file is now
   3870      moved from CA.pl to the 'ca' utility with a new option -create_serial.
   3872      (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
   3873      number file to 1, which is bound to cause problems.  To avoid
   3874      the problems while respecting compatibility between different 0.9.7
   3875      patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
   3876      CA.pl for serial number initialization.  With the new release 0.9.8,
   3877      we can fix the problem directly in the 'ca' utility.)
   3878      [Steve Henson]
   3880   *) Reduced header interdepencies by declaring more opaque objects in
   3881      ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
   3882      give fewer recursive includes, which could break lazy source code - so
   3883      this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
   3884      developers should define this symbol when building and using openssl to
   3885      ensure they track the recommended behaviour, interfaces, [etc], but
   3886      backwards-compatible behaviour prevails when this isn't defined.
   3887      [Geoff Thorpe]
   3889   *) New function X509_POLICY_NODE_print() which prints out policy nodes.
   3890      [Steve Henson]
   3892   *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
   3893      This will generate a random key of the appropriate length based on the 
   3894      cipher context. The EVP_CIPHER can provide its own random key generation
   3895      routine to support keys of a specific form. This is used in the des and 
   3896      3des routines to generate a key of the correct parity. Update S/MIME
   3897      code to use new functions and hence generate correct parity DES keys.
   3898      Add EVP_CHECK_DES_KEY #define to return an error if the key is not 
   3899      valid (weak or incorrect parity).
   3900      [Steve Henson]
   3902   *) Add a local set of CRLs that can be used by X509_verify_cert() as well
   3903      as looking them up. This is useful when the verified structure may contain
   3904      CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
   3905      present unless the new PKCS7_NO_CRL flag is asserted.
   3906      [Steve Henson]
   3908   *) Extend ASN1 oid configuration module. It now additionally accepts the
   3909      syntax:
   3911      shortName = some long name,
   3912      [Steve Henson]
   3914   *) Reimplemented the BN_CTX implementation. There is now no more static
   3915      limitation on the number of variables it can handle nor the depth of the
   3916      "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
   3917      information can now expand as required, and rather than having a single
   3918      static array of bignums, BN_CTX now uses a linked-list of such arrays
   3919      allowing it to expand on demand whilst maintaining the usefulness of
   3920      BN_CTX's "bundling".
   3921      [Geoff Thorpe]
   3923   *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
   3924      to allow all RSA operations to function using a single BN_CTX.
   3925      [Geoff Thorpe]
   3927   *) Preliminary support for certificate policy evaluation and checking. This
   3928      is initially intended to pass the tests outlined in "Conformance Testing
   3929      of Relying Party Client Certificate Path Processing Logic" v1.07.
   3930      [Steve Henson]
   3932   *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
   3933      remained unused and not that useful. A variety of other little bignum
   3934      tweaks and fixes have also been made continuing on from the audit (see
   3935      below).
   3936      [Geoff Thorpe]
   3938   *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
   3939      associated ASN1, EVP and SSL functions and old ASN1 macros.
   3940      [Richard Levitte]
   3942   *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
   3943      and this should never fail. So the return value from the use of
   3944      BN_set_word() (which can fail due to needless expansion) is now deprecated;
   3945      if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
   3946      [Geoff Thorpe]
   3948   *) BN_CTX_get() should return zero-valued bignums, providing the same
   3949      initialised value as BN_new().
   3950      [Geoff Thorpe, suggested by Ulf Mller]
   3952   *) Support for inhibitAnyPolicy certificate extension.
   3953      [Steve Henson]
   3955   *) An audit of the BIGNUM code is underway, for which debugging code is
   3956      enabled when BN_DEBUG is defined. This makes stricter enforcements on what
   3957      is considered valid when processing BIGNUMs, and causes execution to
   3958      assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
   3959      further steps are taken to deliberately pollute unused data in BIGNUM
   3960      structures to try and expose faulty code further on. For now, openssl will
   3961      (in its default mode of operation) continue to tolerate the inconsistent
   3962      forms that it has tolerated in the past, but authors and packagers should
   3963      consider trying openssl and their own applications when compiled with
   3964      these debugging symbols defined. It will help highlight potential bugs in
   3965      their own code, and will improve the test coverage for OpenSSL itself. At
   3966      some point, these tighter rules will become openssl's default to improve
   3967      maintainability, though the assert()s and other overheads will remain only
   3968      in debugging configurations. See bn.h for more details.
   3969      [Geoff Thorpe, Nils Larsch, Ulf Mller]
   3971   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
   3972      that can only be obtained through BN_CTX_new() (which implicitly
   3973      initialises it). The presence of this function only made it possible
   3974      to overwrite an existing structure (and cause memory leaks).
   3975      [Geoff Thorpe]
   3977   *) Because of the callback-based approach for implementing LHASH as a
   3978      template type, lh_insert() adds opaque objects to hash-tables and
   3979      lh_doall() or lh_doall_arg() are typically used with a destructor callback
   3980      to clean up those corresponding objects before destroying the hash table
   3981      (and losing the object pointers). So some over-zealous constifications in
   3982      LHASH have been relaxed so that lh_insert() does not take (nor store) the
   3983      objects as "const" and the lh_doall[_arg] callback wrappers are not
   3984      prototyped to have "const" restrictions on the object pointers they are
   3985      given (and so aren't required to cast them away any more).
   3986      [Geoff Thorpe]
   3988   *) The tmdiff.h API was so ugly and minimal that our own timing utility
   3989      (speed) prefers to use its own implementation. The two implementations
   3990      haven't been consolidated as yet (volunteers?) but the tmdiff API has had
   3991      its object type properly exposed (MS_TM) instead of casting to/from "char
   3992      *". This may still change yet if someone realises MS_TM and "ms_time_***"
   3993      aren't necessarily the greatest nomenclatures - but this is what was used
   3994      internally to the implementation so I've used that for now.
   3995      [Geoff Thorpe]
   3997   *) Ensure that deprecated functions do not get compiled when
   3998      OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
   3999      the self-tests were still using deprecated key-generation functions so
   4000      these have been updated also.
   4001      [Geoff Thorpe]
   4003   *) Reorganise PKCS#7 code to separate the digest location functionality
   4004      into PKCS7_find_digest(), digest addtion into PKCS7_bio_add_digest().
   4005      New function PKCS7_set_digest() to set the digest type for PKCS#7
   4006      digestedData type. Add additional code to correctly generate the
   4007      digestedData type and add support for this type in PKCS7 initialization
   4008      functions.
   4009      [Steve Henson]
   4011   *) New function PKCS7_set0_type_other() this initializes a PKCS7 
   4012      structure of type "other".
   4013      [Steve Henson]
   4015   *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
   4016      sure the loop does correctly stop and breaking ("division by zero")
   4017      modulus operations are not performed. The (pre-generated) prime
   4018      table crypto/bn/bn_prime.h was already correct, but it could not be
   4019      re-generated on some platforms because of the "division by zero"
   4020      situation in the script.
   4021      [Ralf S. Engelschall]
   4023   *) Update support for ECC-based TLS ciphersuites according to
   4024      draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
   4025      SHA-1 now is only used for "small" curves (where the
   4026      representation of a field element takes up to 24 bytes); for
   4027      larger curves, the field element resulting from ECDH is directly
   4028      used as premaster secret.
   4029      [Douglas Stebila (Sun Microsystems Laboratories)]
   4031   *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
   4032      curve secp160r1 to the tests.
   4033      [Douglas Stebila (Sun Microsystems Laboratories)]
   4035   *) Add the possibility to load symbols globally with DSO.
   4036      [Gtz Babin-Ebell <babin-ebell (a] trustcenter.de> via Richard Levitte]
   4038   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
   4039      control of the error stack.
   4040      [Richard Levitte]
   4042   *) Add support for STORE in ENGINE.
   4043      [Richard Levitte]
   4045   *) Add the STORE type.  The intention is to provide a common interface
   4046      to certificate and key stores, be they simple file-based stores, or
   4047      HSM-type store, or LDAP stores, or...
   4048      NOTE: The code is currently UNTESTED and isn't really used anywhere.
   4049      [Richard Levitte]
   4051   *) Add a generic structure called OPENSSL_ITEM.  This can be used to
   4052      pass a list of arguments to any function as well as provide a way
   4053      for a function to pass data back to the caller.
   4054      [Richard Levitte]
   4056   *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
   4057      works like BUF_strdup() but can be used to duplicate a portion of
   4058      a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
   4059      a memory area.
   4060      [Richard Levitte]
   4062   *) Add the function sk_find_ex() which works like sk_find(), but will
   4063      return an index to an element even if an exact match couldn't be
   4064      found.  The index is guaranteed to point at the element where the
   4065      searched-for key would be inserted to preserve sorting order.
   4066      [Richard Levitte]
   4068   *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
   4069      takes an extra flags argument for optional functionality.  Currently,
   4070      the following flags are defined:
   4073 	This one gets OBJ_bsearch_ex() to return a pointer to the first
   4074 	element where the comparing function returns a negative or zero
   4075 	number.
   4078 	This one gets OBJ_bsearch_ex() to return a pointer to the first
   4079 	element where the comparing function returns zero.  This is useful
   4080 	if there are more than one element where the comparing function
   4081 	returns zero.
   4082      [Richard Levitte]
   4084   *) Make it possible to create self-signed certificates with 'openssl ca'
   4085      in such a way that the self-signed certificate becomes part of the
   4086      CA database and uses the same mechanisms for serial number generation
   4087      as all other certificate signing.  The new flag '-selfsign' enables
   4088      this functionality.  Adapt CA.sh and CA.pl.in.
   4089      [Richard Levitte]
   4091   *) Add functionality to check the public key of a certificate request
   4092      against a given private.  This is useful to check that a certificate
   4093      request can be signed by that key (self-signing).
   4094      [Richard Levitte]
   4096   *) Make it possible to have multiple active certificates with the same
   4097      subject in the CA index file.  This is done only if the keyword
   4098      'unique_subject' is set to 'no' in the main CA section (default
   4099      if 'CA_default') of the configuration file.  The value is saved
   4100      with the database itself in a separate index attribute file,
   4101      named like the index file with '.attr' appended to the name.
   4102      [Richard Levitte]
   4104   *) Generate muti valued AVAs using '+' notation in config files for
   4105      req and dirName.
   4106      [Steve Henson]
   4108   *) Support for nameConstraints certificate extension.
   4109      [Steve Henson]
   4111   *) Support for policyConstraints certificate extension.
   4112      [Steve Henson]
   4114   *) Support for policyMappings certificate extension.
   4115      [Steve Henson]
   4117   *) Make sure the default DSA_METHOD implementation only uses its
   4118      dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
   4119      and change its own handlers to be NULL so as to remove unnecessary
   4120      indirection. This lets alternative implementations fallback to the
   4121      default implementation more easily.
   4122      [Geoff Thorpe]
   4124   *) Support for directoryName in GeneralName related extensions
   4125      in config files.
   4126      [Steve Henson]
   4128   *) Make it possible to link applications using Makefile.shared.
   4129      Make that possible even when linking against static libraries!
   4130      [Richard Levitte]
   4132   *) Support for single pass processing for S/MIME signing. This now
   4133      means that S/MIME signing can be done from a pipe, in addition
   4134      cleartext signing (multipart/signed type) is effectively streaming
   4135      and the signed data does not need to be all held in memory.
   4137      This is done with a new flag PKCS7_STREAM. When this flag is set
   4138      PKCS7_sign() only initializes the PKCS7 structure and the actual signing
   4139      is done after the data is output (and digests calculated) in
   4140      SMIME_write_PKCS7().
   4141      [Steve Henson]
   4143   *) Add full support for -rpath/-R, both in shared libraries and
   4144      applications, at least on the platforms where it's known how
   4145      to do it.
   4146      [Richard Levitte]
   4148   *) In crypto/ec/ec_mult.c, implement fast point multiplication with
   4149      precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
   4150      will now compute a table of multiples of the generator that
   4151      makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
   4152      faster (notably in the case of a single point multiplication,
   4153      scalar * generator).
   4154      [Nils Larsch, Bodo Moeller]
   4156   *) IPv6 support for certificate extensions. The various extensions
   4157      which use the IP:a.b.c.d can now take IPv6 addresses using the
   4158      formats of RFC1884 2.2 . IPv6 addresses are now also displayed
   4159      correctly.
   4160      [Steve Henson]
   4162   *) Added an ENGINE that implements RSA by performing private key
   4163      exponentiations with the GMP library. The conversions to and from
   4164      GMP's mpz_t format aren't optimised nor are any montgomery forms
   4165      cached, and on x86 it appears OpenSSL's own performance has caught up.
   4166      However there are likely to be other architectures where GMP could
   4167      provide a boost. This ENGINE is not built in by default, but it can be
   4168      specified at Configure time and should be accompanied by the necessary
   4169      linker additions, eg;
   4170          ./config -DOPENSSL_USE_GMP -lgmp
   4171      [Geoff Thorpe]
   4173   *) "openssl engine" will not display ENGINE/DSO load failure errors when
   4174      testing availability of engines with "-t" - the old behaviour is
   4175      produced by increasing the feature's verbosity with "-tt".
   4176      [Geoff Thorpe]
   4178   *) ECDSA routines: under certain error conditions uninitialized BN objects
   4179      could be freed. Solution: make sure initialization is performed early
   4180      enough. (Reported and fix supplied by Nils Larsch <nla (a] trustcenter.de>
   4181      via PR#459)
   4182      [Lutz Jaenicke]
   4184   *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
   4185      and DH_METHOD (eg. by ENGINE implementations) to override the normal
   4186      software implementations. For DSA and DH, parameter generation can
   4187      also be overriden by providing the appropriate method callbacks.
   4188      [Geoff Thorpe]
   4190   *) Change the "progress" mechanism used in key-generation and
   4191      primality testing to functions that take a new BN_GENCB pointer in
   4192      place of callback/argument pairs. The new API functions have "_ex"
   4193      postfixes and the older functions are reimplemented as wrappers for
   4194      the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
   4195      declarations of the old functions to help (graceful) attempts to
   4196      migrate to the new functions. Also, the new key-generation API
   4197      functions operate on a caller-supplied key-structure and return
   4198      success/failure rather than returning a key or NULL - this is to
   4199      help make "keygen" another member function of RSA_METHOD etc.
   4201      Example for using the new callback interface:
   4203           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
   4204           void *my_arg = ...;
   4205           BN_GENCB my_cb;
   4207           BN_GENCB_set(&my_cb, my_callback, my_arg);
   4209           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
   4210           /* For the meaning of a, b in calls to my_callback(), see the
   4211            * documentation of the function that calls the callback.
   4212            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
   4213            * my_callback should return 1 if it wants BN_is_prime_ex()
   4214            * to continue, or 0 to stop.
   4215            */
   4217      [Geoff Thorpe]
   4219   *) Change the ZLIB compression method to be stateful, and make it
   4220      available to TLS with the number defined in 
   4221      draft-ietf-tls-compression-04.txt.
   4222      [Richard Levitte]
   4224   *) Add the ASN.1 structures and functions for CertificatePair, which
   4225      is defined as follows (according to X.509_4thEditionDraftV6.pdf):
   4227      CertificatePair ::= SEQUENCE {
   4228         forward		[0]	Certificate OPTIONAL,
   4229         reverse		[1]	Certificate OPTIONAL,
   4230         -- at least one of the pair shall be present -- }
   4232      Also implement the PEM functions to read and write certificate
   4233      pairs, and defined the PEM tag as "CERTIFICATE PAIR".
   4235      This needed to be defined, mostly for the sake of the LDAP
   4236      attribute crossCertificatePair, but may prove useful elsewhere as
   4237      well.
   4238      [Richard Levitte]
   4240   *) Make it possible to inhibit symlinking of shared libraries in
   4241      Makefile.shared, for Cygwin's sake.
   4242      [Richard Levitte]
   4244   *) Extend the BIGNUM API by creating a function 
   4245           void BN_set_negative(BIGNUM *a, int neg);
   4246      and a macro that behave like
   4247           int  BN_is_negative(const BIGNUM *a);
   4249      to avoid the need to access 'a->neg' directly in applications.
   4250      [Nils Larsch]
   4252   *) Implement fast modular reduction for pseudo-Mersenne primes
   4253      used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
   4254      EC_GROUP_new_curve_GFp() will now automatically use this
   4255      if applicable.
   4256      [Nils Larsch <nla (a] trustcenter.de>]
   4258   *) Add new lock type (CRYPTO_LOCK_BN).
   4259      [Bodo Moeller]
   4261   *) Change the ENGINE framework to automatically load engines
   4262      dynamically from specific directories unless they could be
   4263      found to already be built in or loaded.  Move all the
   4264      current engines except for the cryptodev one to a new
   4265      directory engines/.
   4266      The engines in engines/ are built as shared libraries if
   4267      the "shared" options was given to ./Configure or ./config.
   4268      Otherwise, they are inserted in libcrypto.a.
   4269      /usr/local/ssl/engines is the default directory for dynamic
   4270      engines, but that can be overriden at configure time through
   4271      the usual use of --prefix and/or --openssldir, and at run
   4272      time with the environment variable OPENSSL_ENGINES.
   4273      [Geoff Thorpe and Richard Levitte]
   4275   *) Add Makefile.shared, a helper makefile to build shared
   4276      libraries.  Addapt Makefile.org.
   4277      [Richard Levitte]
   4279   *) Add version info to Win32 DLLs.
   4280      [Peter 'Luna' Runestig" <peter (a] runestig.com>]
   4282   *) Add new 'medium level' PKCS#12 API. Certificates and keys
   4283      can be added using this API to created arbitrary PKCS#12
   4284      files while avoiding the low level API.
   4286      New options to PKCS12_create(), key or cert can be NULL and
   4287      will then be omitted from the output file. The encryption
   4288      algorithm NIDs can be set to -1 for no encryption, the mac
   4289      iteration count can be set to 0 to omit the mac.
   4291      Enhance pkcs12 utility by making the -nokeys and -nocerts
   4292      options work when creating a PKCS#12 file. New option -nomac
   4293      to omit the mac, NONE can be set for an encryption algorithm.
   4294      New code is modified to use the enhanced PKCS12_create()
   4295      instead of the low level API.
   4296      [Steve Henson]
   4298   *) Extend ASN1 encoder to support indefinite length constructed
   4299      encoding. This can output sequences tags and octet strings in
   4300      this form. Modify pk7_asn1.c to support indefinite length
   4301      encoding. This is experimental and needs additional code to
   4302      be useful, such as an ASN1 bio and some enhanced streaming
   4303      PKCS#7 code.
   4305      Extend template encode functionality so that tagging is passed
   4306      down to the template encoder.
   4307      [Steve Henson]
   4309   *) Let 'openssl req' fail if an argument to '-newkey' is not
   4310      recognized instead of using RSA as a default.
   4311      [Bodo Moeller]
   4313   *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
   4314      As these are not official, they are not included in "ALL";
   4315      the "ECCdraft" ciphersuite group alias can be used to select them.
   4316      [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
   4318   *) Add ECDH engine support.
   4319      [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
   4321   *) Add ECDH in new directory crypto/ecdh/.
   4322      [Douglas Stebila (Sun Microsystems Laboratories)]
   4324   *) Let BN_rand_range() abort with an error after 100 iterations
   4325      without success (which indicates a broken PRNG).
   4326      [Bodo Moeller]
   4328   *) Change BN_mod_sqrt() so that it verifies that the input value
   4329      is really the square of the return value.  (Previously,
   4330      BN_mod_sqrt would show GIGO behaviour.)
   4331      [Bodo Moeller]
   4333   *) Add named elliptic curves over binary fields from X9.62, SECG,
   4334      and WAP/WTLS; add OIDs that were still missing.
   4336      [Sheueling Chang Shantz and Douglas Stebila
   4337      (Sun Microsystems Laboratories)]
   4339   *) Extend the EC library for elliptic curves over binary fields
   4340      (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
   4341      New EC_METHOD:
   4343           EC_GF2m_simple_method
   4345      New API functions:
   4347           EC_GROUP_new_curve_GF2m
   4348           EC_GROUP_set_curve_GF2m
   4349           EC_GROUP_get_curve_GF2m
   4350           EC_POINT_set_affine_coordinates_GF2m
   4351           EC_POINT_get_affine_coordinates_GF2m
   4352           EC_POINT_set_compressed_coordinates_GF2m
   4354      Point compression for binary fields is disabled by default for
   4355      patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
   4356      enable it).
   4358      As binary polynomials are represented as BIGNUMs, various members
   4359      of the EC_GROUP and EC_POINT data structures can be shared
   4360      between the implementations for prime fields and binary fields;
   4361      the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
   4362      are essentially identical to their ..._GFp counterparts.
   4363      (For simplicity, the '..._GFp' prefix has been dropped from
   4364      various internal method names.)
   4366      An internal 'field_div' method (similar to 'field_mul' and
   4367      'field_sqr') has been added; this is used only for binary fields.
   4369      [Sheueling Chang Shantz and Douglas Stebila
   4370      (Sun Microsystems Laboratories)]
   4372   *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
   4373      through methods ('mul', 'precompute_mult').
   4375      The generic implementations (now internally called 'ec_wNAF_mul'
   4376      and 'ec_wNAF_precomputed_mult') remain the default if these
   4377      methods are undefined.
   4379      [Sheueling Chang Shantz and Douglas Stebila
   4380      (Sun Microsystems Laboratories)]
   4382   *) New function EC_GROUP_get_degree, which is defined through
   4383      EC_METHOD.  For curves over prime fields, this returns the bit
   4384      length of the modulus.
   4386      [Sheueling Chang Shantz and Douglas Stebila
   4387      (Sun Microsystems Laboratories)]
   4389   *) New functions EC_GROUP_dup, EC_POINT_dup.
   4390      (These simply call ..._new  and ..._copy).
   4392      [Sheueling Chang Shantz and Douglas Stebila
   4393      (Sun Microsystems Laboratories)]
   4395   *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
   4396      Polynomials are represented as BIGNUMs (where the sign bit is not
   4397      used) in the following functions [macros]:  
   4399           BN_GF2m_add
   4400           BN_GF2m_sub             [= BN_GF2m_add]
   4401           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
   4402           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
   4403           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
   4404           BN_GF2m_mod_inv
   4405           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
   4406           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
   4407           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
   4408           BN_GF2m_cmp             [= BN_ucmp]
   4410      (Note that only the 'mod' functions are actually for fields GF(2^m).
   4411      BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
   4413      For some functions, an the irreducible polynomial defining a
   4414      field can be given as an 'unsigned int[]' with strictly
   4415      decreasing elements giving the indices of those bits that are set;
   4416      i.e., p[] represents the polynomial
   4417           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
   4418      where
   4419           p[0] > p[1] > ... > p[k] = 0.
   4420      This applies to the following functions:
   4422           BN_GF2m_mod_arr
   4423           BN_GF2m_mod_mul_arr
   4424           BN_GF2m_mod_sqr_arr
   4425           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
   4426           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
   4427           BN_GF2m_mod_exp_arr
   4428           BN_GF2m_mod_sqrt_arr
   4429           BN_GF2m_mod_solve_quad_arr
   4430           BN_GF2m_poly2arr
   4431           BN_GF2m_arr2poly
   4433      Conversion can be performed by the following functions:
   4435           BN_GF2m_poly2arr
   4436           BN_GF2m_arr2poly
   4438      bntest.c has additional tests for binary polynomial arithmetic.
   4440      Two implementations for BN_GF2m_mod_div() are available.
   4441      The default algorithm simply uses BN_GF2m_mod_inv() and
   4442      BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
   4443      if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
   4444      copyright notice in crypto/bn/bn_gf2m.c before enabling it).
   4446      [Sheueling Chang Shantz and Douglas Stebila
   4447      (Sun Microsystems Laboratories)]
   4449   *) Add new error code 'ERR_R_DISABLED' that can be used when some
   4450      functionality is disabled at compile-time.
   4451      [Douglas Stebila <douglas.stebila (a] sun.com>]
   4453   *) Change default behaviour of 'openssl asn1parse' so that more
   4454      information is visible when viewing, e.g., a certificate:
   4456      Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
   4457      mode the content of non-printable OCTET STRINGs is output in a
   4458      style similar to INTEGERs, but with '[HEX DUMP]' prepended to
   4459      avoid the appearance of a printable string.
   4460      [Nils Larsch <nla (a] trustcenter.de>]
   4462   *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
   4463      functions
   4464           EC_GROUP_set_asn1_flag()
   4465           EC_GROUP_get_asn1_flag()
   4466           EC_GROUP_set_point_conversion_form()
   4467           EC_GROUP_get_point_conversion_form()
   4468      These control ASN1 encoding details:
   4469      - Curves (i.e., groups) are encoded explicitly unless asn1_flag
   4470        has been set to OPENSSL_EC_NAMED_CURVE.
   4471      - Points are encoded in uncompressed form by default; options for
   4472        asn1_for are as for point2oct, namely
   4477      Also add 'seed' and 'seed_len' members to EC_GROUP with access
   4478      functions
   4479           EC_GROUP_set_seed()
   4480           EC_GROUP_get0_seed()
   4481           EC_GROUP_get_seed_len()
   4482      This is used only for ASN1 purposes (so far).
   4483      [Nils Larsch <nla (a] trustcenter.de>]
   4485   *) Add 'field_type' member to EC_METHOD, which holds the NID
   4486      of the appropriate field type OID.  The new function
   4487      EC_METHOD_get_field_type() returns this value.
   4488      [Nils Larsch <nla (a] trustcenter.de>]
   4490   *) Add functions 
   4491           EC_POINT_point2bn()
   4492           EC_POINT_bn2point()
   4493           EC_POINT_point2hex()
   4494           EC_POINT_hex2point()
   4495      providing useful interfaces to EC_POINT_point2oct() and
   4496      EC_POINT_oct2point().
   4497      [Nils Larsch <nla (a] trustcenter.de>]
   4499   *) Change internals of the EC library so that the functions
   4500           EC_GROUP_set_generator()
   4501           EC_GROUP_get_generator()
   4502           EC_GROUP_get_order()
   4503           EC_GROUP_get_cofactor()
   4504      are implemented directly in crypto/ec/ec_lib.c and not dispatched
   4505      to methods, which would lead to unnecessary code duplication when
   4506      adding different types of curves.
   4507      [Nils Larsch <nla (a] trustcenter.de> with input by Bodo Moeller]
   4509   *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
   4510      arithmetic, and such that modified wNAFs are generated
   4511      (which avoid length expansion in many cases).
   4512      [Bodo Moeller]
   4514   *) Add a function EC_GROUP_check_discriminant() (defined via
   4515      EC_METHOD) that verifies that the curve discriminant is non-zero.
   4517      Add a function EC_GROUP_check() that makes some sanity tests
   4518      on a EC_GROUP, its generator and order.  This includes
   4519      EC_GROUP_check_discriminant().
   4520      [Nils Larsch <nla (a] trustcenter.de>]
   4522   *) Add ECDSA in new directory crypto/ecdsa/.
   4524      Add applications 'openssl ecparam' and 'openssl ecdsa'
   4525      (these are based on 'openssl dsaparam' and 'openssl dsa').
   4527      ECDSA support is also included in various other files across the
   4528      library.  Most notably,
   4529      - 'openssl req' now has a '-newkey ecdsa:file' option;
   4530      - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
   4531      - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
   4532        d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
   4533        them suitable for ECDSA where domain parameters must be
   4534        extracted before the specific public key;
   4535      - ECDSA engine support has been added.
   4536      [Nils Larsch <nla (a] trustcenter.de>]
   4538   *) Include some named elliptic curves, and add OIDs from X9.62,
   4539      SECG, and WAP/WTLS.  Each curve can be obtained from the new
   4540      function
   4541           EC_GROUP_new_by_curve_name(),
   4542      and the list of available named curves can be obtained with
   4543           EC_get_builtin_curves().
   4544      Also add a 'curve_name' member to EC_GROUP objects, which can be
   4545      accessed via
   4546          EC_GROUP_set_curve_name()
   4547          EC_GROUP_get_curve_name()
   4548      [Nils Larsch <larsch (a] trustcenter.de, Bodo Moeller]
   4550   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   4551      was actually never needed) and in BN_mul().  The removal in BN_mul()
   4552      required a small change in bn_mul_part_recursive() and the addition
   4553      of the functions bn_cmp_part_words(), bn_sub_part_words() and
   4554      bn_add_part_words(), which do the same thing as bn_cmp_words(),
   4555      bn_sub_words() and bn_add_words() except they take arrays with
   4556      differing sizes.
   4557      [Richard Levitte]
   4559  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
   4561   *) Cleanse PEM buffers before freeing them since they may contain 
   4562      sensitive data.
   4563      [Benjamin Bennett <ben (a] psc.edu>]
   4565   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
   4566      a ciphersuite string such as "DEFAULT:RSA" cannot enable
   4567      authentication-only ciphersuites.
   4568      [Bodo Moeller]
   4570   *) Since AES128 and AES256 share a single mask bit in the logic of
   4571      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
   4572      kludge to work properly if AES128 is available and AES256 isn't.
   4573      [Victor Duchovni]
   4575   *) Expand security boundary to match 1.1.1 module.
   4576      [Steve Henson]
   4578   *) Remove redundant features: hash file source, editing of test vectors
   4579      modify fipsld to use external fips_premain.c signature.
   4580      [Steve Henson]
   4582   *) New perl script mkfipsscr.pl to create shell scripts or batch files to
   4583      run algorithm test programs.
   4584      [Steve Henson]
   4586   *) Make algorithm test programs more tolerant of whitespace.
   4587      [Steve Henson]
   4589   *) Have SSL/TLS server implementation tolerate "mismatched" record
   4590      protocol version while receiving ClientHello even if the
   4591      ClientHello is fragmented.  (The server can't insist on the
   4592      particular protocol version it has chosen before the ServerHello
   4593      message has informed the client about his choice.)
   4594      [Bodo Moeller]
   4596   *) Load error codes if they are not already present instead of using a
   4597      static variable. This allows them to be cleanly unloaded and reloaded.
   4598      [Steve Henson]
   4600  Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
   4602   *) Introduce limits to prevent malicious keys being able to
   4603      cause a denial of service.  (CVE-2006-2940)
   4604      [Steve Henson, Bodo Moeller]
   4606   *) Fix ASN.1 parsing of certain invalid structures that can result
   4607      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
   4609   *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
   4610      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
   4612   *) Fix SSL client code which could crash if connecting to a
   4613      malicious SSLv2 server.  (CVE-2006-4343)
   4614      [Tavis Ormandy and Will Drewry, Google Security Team]
   4616   *) Change ciphersuite string processing so that an explicit
   4617      ciphersuite selects this one ciphersuite (so that "AES256-SHA"
   4618      will no longer include "AES128-SHA"), and any other similar
   4619      ciphersuite (same bitmap) from *other* protocol versions (so that
   4620      "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
   4621      SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
   4622      changes from 0.9.8b and 0.9.8d.
   4623      [Bodo Moeller]
   4625  Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
   4627   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
   4628      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
   4630   *) Change the Unix randomness entropy gathering to use poll() when
   4631      possible instead of select(), since the latter has some
   4632      undesirable limitations.
   4633      [Darryl Miles via Richard Levitte and Bodo Moeller]
   4635   *) Disable rogue ciphersuites:
   4637       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
   4638       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
   4639       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
   4641      The latter two were purportedly from
   4642      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
   4643      appear there.
   4645      Also deactive the remaining ciphersuites from
   4646      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
   4647      unofficial, and the ID has long expired.
   4648      [Bodo Moeller]
   4650   *) Fix RSA blinding Heisenbug (problems sometimes occured on
   4651      dual-core machines) and other potential thread-safety issues.
   4652      [Bodo Moeller]
   4654  Changes between 0.9.7i and 0.9.7j  [04 May 2006]
   4656   *) Adapt fipsld and the build system to link against the validated FIPS
   4657      module in FIPS mode.
   4658      [Steve Henson]
   4660   *) Fixes for VC++ 2005 build under Windows.
   4661      [Steve Henson]
   4663   *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 
   4664      from a Windows bash shell such as MSYS. It is autodetected from the
   4665      "config" script when run from a VC++ environment. Modify standard VC++
   4666      build to use fipscanister.o from the GNU make build. 
   4667      [Steve Henson]
   4669  Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
   4671   *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
   4672      The value now differs depending on if you build for FIPS or not.
   4673      BEWARE!  A program linked with a shared FIPSed libcrypto can't be
   4674      safely run with a non-FIPSed libcrypto, as it may crash because of
   4675      the difference induced by this change.
   4676      [Andy Polyakov]
   4678  Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
   4680   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
   4681      (part of SSL_OP_ALL).  This option used to disable the
   4682      countermeasure against man-in-the-middle protocol-version
   4683      rollback in the SSL 2.0 server implementation, which is a bad
   4684      idea.  (CVE-2005-2969)
   4686      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
   4687      for Information Security, National Institute of Advanced Industrial
   4688      Science and Technology [AIST], Japan)]
   4690   *) Minimal support for X9.31 signatures and PSS padding modes. This is
   4691      mainly for FIPS compliance and not fully integrated at this stage.
   4692      [Steve Henson]
   4694   *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
   4695      the exponentiation using a fixed-length exponent.  (Otherwise,
   4696      the information leaked through timing could expose the secret key
   4697      after many signatures; cf. Bleichenbacher's attack on DSA with
   4698      biased k.)
   4699      [Bodo Moeller]
   4701   *) Make a new fixed-window mod_exp implementation the default for
   4702      RSA, DSA, and DH private-key operations so that the sequence of
   4703      squares and multiplies and the memory access pattern are
   4704      independent of the particular secret key.  This will mitigate
   4705      cache-timing and potential related attacks.
   4707      BN_mod_exp_mont_consttime() is the new exponentiation implementation,
   4708      and this is automatically used by BN_mod_exp_mont() if the new flag
   4709      BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
   4710      will use this BN flag for private exponents unless the flag
   4712      DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
   4714      [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
   4716   *) Change the client implementation for SSLv23_method() and
   4717      SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
   4718      Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
   4719      (Previously, the SSL 2.0 backwards compatible Client Hello
   4720      message format would be used even with SSL_OP_NO_SSLv2.)
   4721      [Bodo Moeller]
   4723   *) Add support for smime-type MIME parameter in S/MIME messages which some
   4724      clients need.
   4725      [Steve Henson]
   4727   *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
   4728      a threadsafe manner. Modify rsa code to use new function and add calls
   4729      to dsa and dh code (which had race conditions before).
   4730      [Steve Henson]
   4732   *) Include the fixed error library code in the C error file definitions
   4733      instead of fixing them up at runtime. This keeps the error code
   4734      structures constant.
   4735      [Steve Henson]
   4737  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
   4739   [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
   4740   OpenSSL 0.9.8.]
   4742   *) Fixes for newer kerberos headers. NB: the casts are needed because
   4743      the 'length' field is signed on one version and unsigned on another
   4744      with no (?) obvious way to tell the difference, without these VC++
   4745      complains. Also the "definition" of FAR (blank) is no longer included
   4746      nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
   4747      some needed definitions.
   4748      [Steve Henson]
   4750   *) Undo Cygwin change.
   4751      [Ulf Mller]
   4753   *) Added support for proxy certificates according to RFC 3820.
   4754      Because they may be a security thread to unaware applications,
   4755      they must be explicitely allowed in run-time.  See
   4756      docs/HOWTO/proxy_certificates.txt for further information.
   4757      [Richard Levitte]
   4759  Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
   4761   *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
   4762      server and client random values. Previously
   4763      (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
   4764      less random data when sizeof(time_t) > 4 (some 64 bit platforms).
   4766      This change has negligible security impact because:
   4768      1. Server and client random values still have 24 bytes of pseudo random
   4769         data.
   4771      2. Server and client random values are sent in the clear in the initial
   4772         handshake.
   4774      3. The master secret is derived using the premaster secret (48 bytes in
   4775         size for static RSA ciphersuites) as well as client server and random
   4776         values.
   4778      The OpenSSL team would like to thank the UK NISCC for bringing this issue
   4779      to our attention. 
   4781      [Stephen Henson, reported by UK NISCC]
   4783   *) Use Windows randomness collection on Cygwin.
   4784      [Ulf Mller]
   4786   *) Fix hang in EGD/PRNGD query when communication socket is closed
   4787      prematurely by EGD/PRNGD.
   4788      [Darren Tucker <dtucker (a] zip.com.au> via Lutz Jnicke, resolves #1014]
   4790   *) Prompt for pass phrases when appropriate for PKCS12 input format.
   4791      [Steve Henson]
   4793   *) Back-port of selected performance improvements from development
   4794      branch, as well as improved support for PowerPC platforms.
   4795      [Andy Polyakov]
   4797   *) Add lots of checks for memory allocation failure, error codes to indicate
   4798      failure and freeing up memory if a failure occurs.
   4799      [Nauticus Networks SSL Team <openssl (a] nauticusnet.com>, Steve Henson]
   4801   *) Add new -passin argument to dgst.
   4802      [Steve Henson]
   4804   *) Perform some character comparisons of different types in X509_NAME_cmp:
   4805      this is needed for some certificates that reencode DNs into UTF8Strings
   4806      (in violation of RFC3280) and can't or wont issue name rollover
   4807      certificates.
   4808      [Steve Henson]
   4810   *) Make an explicit check during certificate validation to see that
   4811      the CA setting in each certificate on the chain is correct.  As a
   4812      side effect always do the following basic checks on extensions,
   4813      not just when there's an associated purpose to the check:
   4815       - if there is an unhandled critical extension (unless the user
   4816         has chosen to ignore this fault)
   4817       - if the path length has been exceeded (if one is set at all)
   4818       - that certain extensions fit the associated purpose (if one has
   4819         been given)
   4820      [Richard Levitte]
   4822  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
   4824   *) Avoid a race condition when CRLs are checked in a multi threaded 
   4825      environment. This would happen due to the reordering of the revoked
   4826      entries during signature checking and serial number lookup. Now the
   4827      encoding is cached and the serial number sort performed under a lock.
   4828      Add new STACK function sk_is_sorted().
   4829      [Steve Henson]
   4831   *) Add Delta CRL to the extension code.
   4832      [Steve Henson]
   4834   *) Various fixes to s3_pkt.c so alerts are sent properly.
   4835      [David Holmes <d.holmes (a] f5.com>]
   4837   *) Reduce the chances of duplicate issuer name and serial numbers (in
   4838      violation of RFC3280) using the OpenSSL certificate creation utilities.
   4839      This is done by creating a random 64 bit value for the initial serial
   4840      number when a serial number file is created or when a self signed
   4841      certificate is created using 'openssl req -x509'. The initial serial
   4842      number file is created using 'openssl x509 -next_serial' in CA.pl
   4843      rather than being initialized to 1.
   4844      [Steve Henson]
   4846  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
   4848   *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
   4849      by using the Codenomicon TLS Test Tool (CVE-2004-0079)                    
   4850      [Joe Orton, Steve Henson]   
   4852   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
   4853      (CVE-2004-0112)
   4854      [Joe Orton, Steve Henson]   
   4856   *) Make it possible to have multiple active certificates with the same
   4857      subject in the CA index file.  This is done only if the keyword
   4858      'unique_subject' is set to 'no' in the main CA section (default
   4859      if 'CA_default') of the configuration file.  The value is saved
   4860      with the database itself in a separate index attribute file,
   4861      named like the index file with '.attr' appended to the name.
   4862      [Richard Levitte]
   4864   *) X509 verify fixes. Disable broken certificate workarounds when 
   4865      X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
   4866      keyUsage extension present. Don't accept CRLs with unhandled critical
   4867      extensions: since verify currently doesn't process CRL extensions this
   4868      rejects a CRL with *any* critical extensions. Add new verify error codes
   4869      for these cases.
   4870      [Steve Henson]
   4872   *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
   4873      A clarification of RFC2560 will require the use of OCTET STRINGs and 
   4874      some implementations cannot handle the current raw format. Since OpenSSL
   4875      copies and compares OCSP nonces as opaque blobs without any attempt at
   4876      parsing them this should not create any compatibility issues.
   4877      [Steve Henson]
   4879   *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
   4880      calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
   4881      this HMAC (and other) operations are several times slower than OpenSSL
   4882      < 0.9.7.
   4883      [Steve Henson]
   4885   *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
   4886      [Peter Sylvester <Peter.Sylvester (a] EdelWeb.fr>]
   4888   *) Use the correct content when signing type "other".
   4889      [Steve Henson]
   4891  Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
   4893   *) Fix various bugs revealed by running the NISCC test suite:
   4895      Stop out of bounds reads in the ASN1 code when presented with
   4896      invalid tags (CVE-2003-0543 and CVE-2003-0544).
   4898      Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
   4900      If verify callback ignores invalid public key errors don't try to check
   4901      certificate signature with the NULL public key.
   4903      [Steve Henson]
   4905   *) New -ignore_err option in ocsp application to stop the server
   4906      exiting on the first error in a request.
   4907      [Steve Henson]
   4909   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   4910      if the server requested one: as stated in TLS 1.0 and SSL 3.0
   4911      specifications.
   4912      [Steve Henson]
   4914   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   4915      extra data after the compression methods not only for TLS 1.0
   4916      but also for SSL 3.0 (as required by the specification).
   4917      [Bodo Moeller; problem pointed out by Matthias Loepfe]
   4919   *) Change X509_certificate_type() to mark the key as exported/exportable
   4920      when it's 512 *bits* long, not 512 bytes.
   4921      [Richard Levitte]
   4923   *) Change AES_cbc_encrypt() so it outputs exact multiple of
   4924      blocks during encryption.
   4925      [Richard Levitte]
   4927   *) Various fixes to base64 BIO and non blocking I/O. On write 
   4928      flushes were not handled properly if the BIO retried. On read
   4929      data was not being buffered properly and had various logic bugs.
   4930      This also affects blocking I/O when the data being decoded is a
   4931      certain size.
   4932      [Steve Henson]
   4934   *) Various S/MIME bugfixes and compatibility changes:
   4935      output correct application/pkcs7 MIME type if
   4936      PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
   4937      Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
   4938      of files as .eml work). Correctly handle very long lines in MIME
   4939      parser.
   4940      [Steve Henson]
   4942  Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
   4944   *) Countermeasure against the Klima-Pokorny-Rosa extension of
   4945      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
   4946      a protocol version number mismatch like a decryption error
   4947      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
   4948      [Bodo Moeller]
   4950   *) Turn on RSA blinding by default in the default implementation
   4951      to avoid a timing attack. Applications that don't want it can call
   4952      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   4953      They would be ill-advised to do so in most cases.
   4954      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
   4956   *) Change RSA blinding code so that it works when the PRNG is not
   4957      seeded (in this case, the secret RSA exponent is abused as
   4958      an unpredictable seed -- if it is not unpredictable, there
   4959      is no point in blinding anyway).  Make RSA blinding thread-safe
   4960      by remembering the creator's thread ID in rsa->blinding and
   4961      having all other threads use local one-time blinding factors
   4962      (this requires more computation than sharing rsa->blinding, but
   4963      avoids excessive locking; and if an RSA object is not shared
   4964      between threads, blinding will still be very fast).
   4965      [Bodo Moeller]
   4967   *) Fixed a typo bug that would cause ENGINE_set_default() to set an
   4968      ENGINE as defaults for all supported algorithms irrespective of
   4969      the 'flags' parameter. 'flags' is now honoured, so applications
   4970      should make sure they are passing it correctly.
   4971      [Geoff Thorpe]
   4973   *) Target "mingw" now allows native Windows code to be generated in
   4974      the Cygwin environment as well as with the MinGW compiler.
   4975      [Ulf Moeller] 
   4977  Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
   4979   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   4980      via timing by performing a MAC computation even if incorrrect
   4981      block cipher padding has been found.  This is a countermeasure
   4982      against active attacks where the attacker has to distinguish
   4983      between bad padding and a MAC verification error. (CVE-2003-0078)
   4985      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   4986      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   4987      Martin Vuagnoux (EPFL, Ilion)]
   4989   *) Make the no-err option work as intended.  The intention with no-err
   4990      is not to have the whole error stack handling routines removed from
   4991      libcrypto, it's only intended to remove all the function name and
   4992      reason texts, thereby removing some of the footprint that may not
   4993      be interesting if those errors aren't displayed anyway.
   4995      NOTE: it's still possible for any application or module to have it's
   4996      own set of error texts inserted.  The routines are there, just not
   4997      used by default when no-err is given.
   4998      [Richard Levitte]
   5000   *) Add support for FreeBSD on IA64.
   5001      [dirk.meyer (a] dinoex.sub.org via Richard Levitte, resolves #454]
   5003   *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
   5004      Kerberos function mit_des_cbc_cksum().  Before this change,
   5005      the value returned by DES_cbc_cksum() was like the one from
   5006      mit_des_cbc_cksum(), except the bytes were swapped.
   5007      [Kevin Greaney <Kevin.Greaney (a] hp.com> and Richard Levitte]
   5009   *) Allow an application to disable the automatic SSL chain building.
   5010      Before this a rather primitive chain build was always performed in
   5011      ssl3_output_cert_chain(): an application had no way to send the 
   5012      correct chain if the automatic operation produced an incorrect result.
   5014      Now the chain builder is disabled if either:
   5016      1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
   5018      2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
   5020      The reasoning behind this is that an application would not want the
   5021      auto chain building to take place if extra chain certificates are
   5022      present and it might also want a means of sending no additional
   5023      certificates (for example the chain has two certificates and the
   5024      root is omitted).
   5025      [Steve Henson]
   5027   *) Add the possibility to build without the ENGINE framework.
   5028      [Steven Reddie <smr (a] essemer.com.au> via Richard Levitte]
   5030   *) Under Win32 gmtime() can return NULL: check return value in
   5031      OPENSSL_gmtime(). Add error code for case where gmtime() fails.
   5032      [Steve Henson]
   5034   *) DSA routines: under certain error conditions uninitialized BN objects
   5035      could be freed. Solution: make sure initialization is performed early
   5036      enough. (Reported and fix supplied by Ivan D Nestlerode <nestler (a] MIT.EDU>,
   5037      Nils Larsch <nla (a] trustcenter.de> via PR#459)
   5038      [Lutz Jaenicke]
   5040   *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
   5041      checked on reconnect on the client side, therefore session resumption
   5042      could still fail with a "ssl session id is different" error. This
   5043      behaviour is masked when SSL_OP_ALL is used due to
   5044      SSL_OP_MICROSOFT_SESS_ID_BUG being set.
   5045      Behaviour observed by Crispin Flowerday <crispin (a] flowerday.cx> as
   5046      followup to PR #377.
   5047      [Lutz Jaenicke]
   5049   *) IA-32 assembler support enhancements: unified ELF targets, support
   5050      for SCO/Caldera platforms, fix for Cygwin shared build.
   5051      [Andy Polyakov]
   5053   *) Add support for FreeBSD on sparc64.  As a consequence, support for
   5054      FreeBSD on non-x86 processors is separate from x86 processors on
   5055      the config script, much like the NetBSD support.
   5056      [Richard Levitte & Kris Kennaway <kris (a] obsecurity.org>]
   5058  Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
   5060   [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
   5061   OpenSSL 0.9.7.]
   5063   *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
   5064      code (06) was taken as the first octet of the session ID and the last
   5065      octet was ignored consequently. As a result SSLv2 client side session
   5066      caching could not have worked due to the session ID mismatch between
   5067      client and server.
   5068      Behaviour observed by Crispin Flowerday <crispin (a] flowerday.cx> as
   5069      PR #377.
   5070      [Lutz Jaenicke]
   5072   *) Change the declaration of needed Kerberos libraries to use EX_LIBS
   5073      instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
   5074      removed entirely.
   5075      [Richard Levitte]
   5077   *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
   5078      seems that in spite of existing for more than a year, many application
   5079      author have done nothing to provide the necessary callbacks, which
   5080      means that this particular engine will not work properly anywhere.
   5081      This is a very unfortunate situation which forces us, in the name
   5082      of usability, to give the hw_ncipher.c a static lock, which is part
   5083      of libcrypto.
   5084      NOTE: This is for the 0.9.7 series ONLY.  This hack will never
   5085      appear in 0.9.8 or later.  We EXPECT application authors to have
   5086      dealt properly with this when 0.9.8 is released (unless we actually
   5087      make such changes in the libcrypto locking code that changes will
   5088      have to be made anyway).
   5089      [Richard Levitte]
   5091   *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
   5092      octets have been read, EOF or an error occurs. Without this change
   5093      some truncated ASN1 structures will not produce an error.
   5094      [Steve Henson]
   5096   *) Disable Heimdal support, since it hasn't been fully implemented.
   5097      Still give the possibility to force the use of Heimdal, but with
   5098      warnings and a request that patches get sent to openssl-dev.
   5099      [Richard Levitte]
   5101   *) Add the VC-CE target, introduce the WINCE sysname, and add
   5102      INSTALL.WCE and appropriate conditionals to make it build.
   5103      [Steven Reddie <smr (a] essemer.com.au> via Richard Levitte]
   5105   *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
   5106      cygssl-x.y.z.dll, where x, y and z are the major, minor and
   5107      edit numbers of the version.
   5108      [Corinna Vinschen <vinschen (a] redhat.com> and Richard Levitte]
   5110   *) Introduce safe string copy and catenation functions
   5111      (BUF_strlcpy() and BUF_strlcat()).
   5112      [Ben Laurie (CHATS) and Richard Levitte]
   5114   *) Avoid using fixed-size buffers for one-line DNs.
   5115      [Ben Laurie (CHATS)]
   5117   *) Add BUF_MEM_grow_clean() to avoid information leakage when
   5118      resizing buffers containing secrets, and use where appropriate.
   5119      [Ben Laurie (CHATS)]
   5121   *) Avoid using fixed size buffers for configuration file location.
   5122      [Ben Laurie (CHATS)]
   5124   *) Avoid filename truncation for various CA files.
   5125      [Ben Laurie (CHATS)]
   5127   *) Use sizeof in preference to magic numbers.
   5128      [Ben Laurie (CHATS)]
   5130   *) Avoid filename truncation in cert requests.
   5131      [Ben Laurie (CHATS)]
   5133   *) Add assertions to check for (supposedly impossible) buffer
   5134      overflows.
   5135      [Ben Laurie (CHATS)]
   5137   *) Don't cache truncated DNS entries in the local cache (this could
   5138      potentially lead to a spoofing attack).
   5139      [Ben Laurie (CHATS)]
   5141   *) Fix various buffers to be large enough for hex/decimal
   5142      representations in a platform independent manner.
   5143      [Ben Laurie (CHATS)]
   5145   *) Add CRYPTO_realloc_clean() to avoid information leakage when
   5146      resizing buffers containing secrets, and use where appropriate.
   5147      [Ben Laurie (CHATS)]
   5149   *) Add BIO_indent() to avoid much slightly worrying code to do
   5150      indents.
   5151      [Ben Laurie (CHATS)]
   5153   *) Convert sprintf()/BIO_puts() to BIO_printf().
   5154      [Ben Laurie (CHATS)]
   5156   *) buffer_gets() could terminate with the buffer only half
   5157      full. Fixed.
   5158      [Ben Laurie (CHATS)]
   5160   *) Add assertions to prevent user-supplied crypto functions from
   5161      overflowing internal buffers by having large block sizes, etc.
   5162      [Ben Laurie (CHATS)]
   5164   *) New OPENSSL_assert() macro (similar to assert(), but enabled
   5165      unconditionally).
   5166      [Ben Laurie (CHATS)]
   5168   *) Eliminate unused copy of key in RC4.
   5169      [Ben Laurie (CHATS)]
   5171   *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
   5172      [Ben Laurie (CHATS)]
   5174   *) Fix off-by-one error in EGD path.
   5175      [Ben Laurie (CHATS)]
   5177   *) If RANDFILE path is too long, ignore instead of truncating.
   5178      [Ben Laurie (CHATS)]
   5180   *) Eliminate unused and incorrectly sized X.509 structure
   5181      CBCParameter.
   5182      [Ben Laurie (CHATS)]
   5184   *) Eliminate unused and dangerous function knumber().
   5185      [Ben Laurie (CHATS)]
   5187   *) Eliminate unused and dangerous structure, KSSL_ERR.
   5188      [Ben Laurie (CHATS)]
   5190   *) Protect against overlong session ID context length in an encoded
   5191      session object. Since these are local, this does not appear to be
   5192      exploitable.
   5193      [Ben Laurie (CHATS)]
   5195   *) Change from security patch (see 0.9.6e below) that did not affect
   5196      the 0.9.6 release series:
   5198      Remote buffer overflow in SSL3 protocol - an attacker could
   5199      supply an oversized master key in Kerberos-enabled versions.
   5200      (CVE-2002-0657)
   5201      [Ben Laurie (CHATS)]
   5203   *) Change the SSL kerb5 codes to match RFC 2712.
   5204      [Richard Levitte]
   5206   *) Make -nameopt work fully for req and add -reqopt switch.
   5207      [Michael Bell <michael.bell (a] rz.hu-berlin.de>, Steve Henson]
   5209   *) The "block size" for block ciphers in CFB and OFB mode should be 1.
   5210      [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve (a] opera.com>]
   5212   *) Make sure tests can be performed even if the corresponding algorithms
   5213      have been removed entirely.  This was also the last step to make
   5214      OpenSSL compilable with DJGPP under all reasonable conditions.
   5215      [Richard Levitte, Doug Kaufman <dkaufman (a] rahul.net>]
   5217   *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
   5218      to allow version independent disabling of normally unselected ciphers,
   5219      which may be activated as a side-effect of selecting a single cipher.
   5221      (E.g., cipher list string "RSA" enables ciphersuites that are left
   5222      out of "ALL" because they do not provide symmetric encryption.
   5223      "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
   5224      [Lutz Jaenicke, Bodo Moeller]
   5226   *) Add appropriate support for separate platform-dependent build
   5227      directories.  The recommended way to make a platform-dependent
   5228      build directory is the following (tested on Linux), maybe with
   5229      some local tweaks:
   5231 	# Place yourself outside of the OpenSSL source tree.  In
   5232 	# this example, the environment variable OPENSSL_SOURCE
   5233 	# is assumed to contain the absolute OpenSSL source directory.
   5234 	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
   5235 	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
   5236 	(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
   5237 		mkdir -p `dirname $F`
   5238 		ln -s $OPENSSL_SOURCE/$F $F
   5239 	done
   5241      To be absolutely sure not to disturb the source tree, a "make clean"
   5242      is a good thing.  If it isn't successfull, don't worry about it,
   5243      it probably means the source directory is very clean.
   5244      [Richard Levitte]
   5246   *) Make sure any ENGINE control commands make local copies of string
   5247      pointers passed to them whenever necessary. Otherwise it is possible
   5248      the caller may have overwritten (or deallocated) the original string
   5249      data when a later ENGINE operation tries to use the stored values.
   5250      [Gtz Babin-Ebell <babinebell (a] trustcenter.de>]
   5252   *) Improve diagnostics in file reading and command-line digests.
   5253      [Ben Laurie aided and abetted by Solar Designer <solar (a] openwall.com>]
   5255   *) Add AES modes CFB and OFB to the object database.  Correct an
   5256      error in AES-CFB decryption.
   5257      [Richard Levitte]
   5259   *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 
   5260      allows existing EVP_CIPHER_CTX structures to be reused after
   5261      calling EVP_*Final(). This behaviour is used by encryption
   5262      BIOs and some applications. This has the side effect that
   5263      applications must explicitly clean up cipher contexts with
   5264      EVP_CIPHER_CTX_cleanup() or they will leak memory.
   5265      [Steve Henson]
   5267   *) Check the values of dna and dnb in bn_mul_recursive before calling
   5268      bn_mul_comba (a non zero value means the a or b arrays do not contain
   5269      n2 elements) and fallback to bn_mul_normal if either is not zero.
   5270      [Steve Henson]
   5272   *) Fix escaping of non-ASCII characters when using the -subj option
   5273      of the "openssl req" command line tool. (Robert Joop <joop (a] fokus.gmd.de>)
   5274      [Lutz Jaenicke]
   5276   *) Make object definitions compliant to LDAP (RFC2256): SN is the short
   5277      form for "surname", serialNumber has no short form.
   5278      Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
   5279      therefore remove "mail" short name for "internet 7".
   5280      The OID for unique identifiers in X509 certificates is
   5281      x500UniqueIdentifier, not uniqueIdentifier.
   5282      Some more OID additions. (Michael Bell <michael.bell (a] rz.hu-berlin.de>)
   5283      [Lutz Jaenicke]
   5285   *) Add an "init" command to the ENGINE config module and auto initialize
   5286      ENGINEs. Without any "init" command the ENGINE will be initialized 
   5287      after all ctrl commands have been executed on it. If init=1 the 
   5288      ENGINE is initailized at that point (ctrls before that point are run
   5289      on the uninitialized ENGINE and after on the initialized one). If
   5290      init=0 then the ENGINE will not be iniatialized at all.
   5291      [Steve Henson]
   5293   *) Fix the 'app_verify_callback' interface so that the user-defined
   5294      argument is actually passed to the callback: In the
   5295      SSL_CTX_set_cert_verify_callback() prototype, the callback
   5296      declaration has been changed from
   5297           int (*cb)()
   5298      into
   5299           int (*cb)(X509_STORE_CTX *,void *);
   5300      in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
   5301           i=s->ctx->app_verify_callback(&ctx)
   5302      has been changed into
   5303           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
   5305      To update applications using SSL_CTX_set_cert_verify_callback(),
   5306      a dummy argument can be added to their callback functions.
   5307      [D. K. Smetters <smetters (a] parc.xerox.com>]
   5309   *) Added the '4758cca' ENGINE to support IBM 4758 cards.
   5310      [Maurice Gittens <maurice (a] gittens.nl>, touchups by Geoff Thorpe]
   5312   *) Add and OPENSSL_LOAD_CONF define which will cause
   5313      OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
   5314      This allows older applications to transparently support certain
   5315      OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
   5316      Two new functions OPENSSL_add_all_algorithms_noconf() which will never
   5317      load the config file and OPENSSL_add_all_algorithms_conf() which will
   5318      always load it have also been added.
   5319      [Steve Henson]
   5321   *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
   5322      Adjust NIDs and EVP layer.
   5323      [Stephen Sprunk <stephen (a] sprunk.org> and Richard Levitte]
   5325   *) Config modules support in openssl utility.
   5327      Most commands now load modules from the config file,
   5328      though in a few (such as version) this isn't done 
   5329      because it couldn't be used for anything.
   5331      In the case of ca and req the config file used is
   5332      the same as the utility itself: that is the -config
   5333      command line option can be used to specify an
   5334      alternative file.
   5335      [Steve Henson]
   5337   *) Move default behaviour from OPENSSL_config(). If appname is NULL
   5338      use "openssl_conf" if filename is NULL use default openssl config file.
   5339      [Steve Henson]
   5341   *) Add an argument to OPENSSL_config() to allow the use of an alternative
   5342      config section name. Add a new flag to tolerate a missing config file
   5343      and move code to CONF_modules_load_file().
   5344      [Steve Henson]
   5346   *) Support for crypto accelerator cards from Accelerated Encryption
   5347      Processing, www.aep.ie.  (Use engine 'aep')
   5348      The support was copied from 0.9.6c [engine] and adapted/corrected
   5349      to work with the new engine framework.
   5350      [AEP Inc. and Richard Levitte]
   5352   *) Support for SureWare crypto accelerator cards from Baltimore
   5353      Technologies.  (Use engine 'sureware')
   5354      The support was copied from 0.9.6c [engine] and adapted
   5355      to work with the new engine framework.
   5356      [Richard Levitte]
   5358   *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
   5359      make the newer ENGINE framework commands for the CHIL engine work.
   5360      [Toomas Kiisk <vix (a] cyber.ee> and Richard Levitte]
   5362   *) Make it possible to produce shared libraries on ReliantUNIX.
   5363      [Robert Dahlem <Robert.Dahlem (a] ffm2.siemens.de> via Richard Levitte]
   5365   *) Add the configuration target debug-linux-ppro.
   5366      Make 'openssl rsa' use the general key loading routines
   5367      implemented in apps.c, and make those routines able to
   5368      handle the key format FORMAT_NETSCAPE and the variant
   5369      FORMAT_IISSGC.
   5370      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   5372  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
   5373      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   5375   *) Add -keyform to rsautl, and document -engine.
   5376      [Richard Levitte, inspired by Toomas Kiisk <vix (a] cyber.ee>]
   5378   *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
   5379      BIO_R_NO_SUCH_FILE error code rather than the generic
   5380      ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
   5381      [Ben Laurie]
   5383   *) Add new functions
   5384           ERR_peek_last_error
   5385           ERR_peek_last_error_line
   5386           ERR_peek_last_error_line_data.
   5387      These are similar to
   5388           ERR_peek_error
   5389           ERR_peek_error_line
   5390           ERR_peek_error_line_data,
   5391      but report on the latest error recorded rather than the first one
   5392      still in the error queue.
   5393      [Ben Laurie, Bodo Moeller]
   5395   *) default_algorithms option in ENGINE config module. This allows things
   5396      like:
   5397      default_algorithms = ALL
   5398      default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
   5399      [Steve Henson]
   5401   *) Prelminary ENGINE config module.
   5402      [Steve Henson]
   5404   *) New experimental application configuration code.
   5405      [Steve Henson]
   5407   *) Change the AES code to follow the same name structure as all other
   5408      symmetric ciphers, and behave the same way.  Move everything to
   5409      the directory crypto/aes, thereby obsoleting crypto/rijndael.
   5410      [Stephen Sprunk <stephen (a] sprunk.org> and Richard Levitte]
   5412   *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
   5413      [Ben Laurie and Theo de Raadt]
   5415   *) Add option to output public keys in req command.
   5416      [Massimiliano Pala madwolf (a] openca.org]
   5418   *) Use wNAFs in EC_POINTs_mul() for improved efficiency
   5419      (up to about 10% better than before for P-192 and P-224).
   5420      [Bodo Moeller]
   5422   *) New functions/macros
   5424           SSL_CTX_set_msg_callback(ctx, cb)
   5425           SSL_CTX_set_msg_callback_arg(ctx, arg)
   5426           SSL_set_msg_callback(ssl, cb)
   5427           SSL_set_msg_callback_arg(ssl, arg)
   5429      to request calling a callback function
   5431           void cb(int write_p, int version, int content_type,
   5432                   const void *buf, size_t len, SSL *ssl, void *arg)
   5434      whenever a protocol message has been completely received
   5435      (write_p == 0) or sent (write_p == 1).  Here 'version' is the
   5436      protocol version  according to which the SSL library interprets
   5437      the current protocol message (SSL2_VERSION, SSL3_VERSION, or
   5438      TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
   5439      the content type as defined in the SSL 3.0/TLS 1.0 protocol
   5440      specification (change_cipher_spec(20), alert(21), handshake(22)).
   5441      'buf' and 'len' point to the actual message, 'ssl' to the
   5442      SSL object, and 'arg' is the application-defined value set by
   5443      SSL[_CTX]_set_msg_callback_arg().
   5445      'openssl s_client' and 'openssl s_server' have new '-msg' options
   5446      to enable a callback that displays all protocol messages.
   5447      [Bodo Moeller]
   5449   *) Change the shared library support so shared libraries are built as
   5450      soon as the corresponding static library is finished, and thereby get
   5451      openssl and the test programs linked against the shared library.
   5452      This still only happens when the keyword "shard" has been given to
   5453      the configuration scripts.
   5455      NOTE: shared library support is still an experimental thing, and
   5456      backward binary compatibility is still not guaranteed.
   5457      ["Maciej W. Rozycki" <macro (a] ds2.pg.gda.pl> and Richard Levitte]
   5459   *) Add support for Subject Information Access extension.
   5460      [Peter Sylvester <Peter.Sylvester (a] EdelWeb.fr>]
   5462   *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
   5463      additional bytes when new memory had to be allocated, not just
   5464      when reusing an existing buffer.
   5465      [Bodo Moeller]
   5467   *) New command line and configuration option 'utf8' for the req command.
   5468      This allows field values to be specified as UTF8 strings.
   5469      [Steve Henson]
   5471   *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
   5472      runs for the former and machine-readable output for the latter.
   5473      [Ben Laurie]
   5475   *) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
   5476      of the e-mail address in the DN (i.e., it will go into a certificate
   5477      extension only).  The new configuration file option 'email_in_dn = no'
   5478      has the same effect.
   5479      [Massimiliano Pala madwolf (a] openca.org]
   5481   *) Change all functions with names starting with des_ to be starting
   5482      with DES_ instead.  Add wrappers that are compatible with libdes,
   5483      but are named _ossl_old_des_*.  Finally, add macros that map the
   5484      des_* symbols to the corresponding _ossl_old_des_* if libdes
   5485      compatibility is desired.  If OpenSSL 0.9.6c compatibility is
   5486      desired, the des_* symbols will be mapped to DES_*, with one
   5487      exception.
   5489      Since we provide two compatibility mappings, the user needs to
   5490      define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
   5491      compatibility is desired.  The default (i.e., when that macro
   5492      isn't defined) is OpenSSL 0.9.6c compatibility.
   5494      There are also macros that enable and disable the support of old
   5495      des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
   5496      and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
   5497      are defined, the default will apply: to support the old des routines.
   5499      In either case, one must include openssl/des.h to get the correct
   5500      definitions.  Do not try to just include openssl/des_old.h, that
   5501      won't work.
   5503      NOTE: This is a major break of an old API into a new one.  Software
   5504      authors are encouraged to switch to the DES_ style functions.  Some
   5505      time in the future, des_old.h and the libdes compatibility functions
   5506      will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
   5507      default), and then completely removed.
   5508      [Richard Levitte]
   5510   *) Test for certificates which contain unsupported critical extensions.
   5511      If such a certificate is found during a verify operation it is 
   5512      rejected by default: this behaviour can be overridden by either
   5513      handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
   5514      by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
   5515      X509_supported_extension() has also been added which returns 1 if a
   5516      particular extension is supported.
   5517      [Steve Henson]
   5519   *) Modify the behaviour of EVP cipher functions in similar way to digests
   5520      to retain compatibility with existing code.
   5521      [Steve Henson]
   5523   *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
   5524      compatibility with existing code. In particular the 'ctx' parameter does
   5525      not have to be to be initialized before the call to EVP_DigestInit() and
   5526      it is tidied up after a call to EVP_DigestFinal(). New function
   5527      EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
   5528      EVP_MD_CTX_copy() changed to not require the destination to be
   5529      initialized valid and new function EVP_MD_CTX_copy_ex() added which
   5530      requires the destination to be valid.
   5532      Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
   5533      EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
   5534      [Steve Henson]
   5536   *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
   5537      so that complete 'Handshake' protocol structures are kept in memory
   5538      instead of overwriting 'msg_type' and 'length' with 'body' data.
   5539      [Bodo Moeller]
   5541   *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
   5542      [Massimo Santin via Richard Levitte]
   5544   *) Major restructuring to the underlying ENGINE code. This includes
   5545      reduction of linker bloat, separation of pure "ENGINE" manipulation
   5546      (initialisation, etc) from functionality dealing with implementations
   5547      of specific crypto iterfaces. This change also introduces integrated
   5548      support for symmetric ciphers and digest implementations - so ENGINEs
   5549      can now accelerate these by providing EVP_CIPHER and EVP_MD
   5550      implementations of their own. This is detailed in crypto/engine/README
   5551      as it couldn't be adequately described here. However, there are a few
   5552      API changes worth noting - some RSA, DSA, DH, and RAND functions that
   5553      were changed in the original introduction of ENGINE code have now
   5554      reverted back - the hooking from this code to ENGINE is now a good
   5555      deal more passive and at run-time, operations deal directly with
   5556      RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
   5557      dereferencing through an ENGINE pointer any more. Also, the ENGINE
   5558      functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
   5559      they were not being used by the framework as there is no concept of a
   5560      BIGNUM_METHOD and they could not be generalised to the new
   5561      'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
   5562      ENGINE_cpy() has been removed as it cannot be consistently defined in
   5563      the new code.
   5564      [Geoff Thorpe]
   5566   *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
   5567      [Steve Henson]
   5569   *) Change mkdef.pl to sort symbols that get the same entry number,
   5570      and make sure the automatically generated functions ERR_load_*
   5571      become part of libeay.num as well.
   5572      [Richard Levitte]
   5574   *) New function SSL_renegotiate_pending().  This returns true once
   5575      renegotiation has been requested (either SSL_renegotiate() call
   5576      or HelloRequest/ClientHello receveived from the peer) and becomes
   5577      false once a handshake has been completed.
   5578      (For servers, SSL_renegotiate() followed by SSL_do_handshake()
   5579      sends a HelloRequest, but does not ensure that a handshake takes
   5580      place.  SSL_renegotiate_pending() is useful for checking if the
   5581      client has followed the request.)
   5582      [Bodo Moeller]
   5585      By default, clients may request session resumption even during
   5586      renegotiation (if session ID contexts permit); with this option,
   5587      session resumption is possible only in the first handshake.
   5589      SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
   5590      more bits available for options that should not be part of
   5592      [Bodo Moeller]
   5594   *) Add some demos for certificate and certificate request creation.
   5595      [Steve Henson]
   5597   *) Make maximum certificate chain size accepted from the peer application
   5598      settable (SSL*_get/set_max_cert_list()), as proposed by
   5599      "Douglas E. Engert" <deengert (a] anl.gov>.
   5600      [Lutz Jaenicke]
   5602   *) Add support for shared libraries for Unixware-7
   5603      (Boyd Lynn Gerber <gerberb (a] zenez.com>).
   5604      [Lutz Jaenicke]
   5606   *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
   5607      be done prior to destruction. Use this to unload error strings from
   5608      ENGINEs that load their own error strings. NB: This adds two new API
   5609      functions to "get" and "set" this destroy handler in an ENGINE.
   5610      [Geoff Thorpe]
   5612   *) Alter all existing ENGINE implementations (except "openssl" and
   5613      "openbsd") to dynamically instantiate their own error strings. This
   5614      makes them more flexible to be built both as statically-linked ENGINEs
   5615      and self-contained shared-libraries loadable via the "dynamic" ENGINE.
   5616      Also, add stub code to each that makes building them as self-contained
   5617      shared-libraries easier (see README.ENGINE).
   5618      [Geoff Thorpe]
   5620   *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
   5621      implementations into applications that are completely implemented in
   5622      self-contained shared-libraries. The "dynamic" ENGINE exposes control
   5623      commands that can be used to configure what shared-library to load and
   5624      to control aspects of the way it is handled. Also, made an update to
   5625      the README.ENGINE file that brings its information up-to-date and
   5626      provides some information and instructions on the "dynamic" ENGINE
   5627      (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
   5628      [Geoff Thorpe]
   5630   *) Make it possible to unload ranges of ERR strings with a new
   5631      "ERR_unload_strings" function.
   5632      [Geoff Thorpe]
   5634   *) Add a copy() function to EVP_MD.
   5635      [Ben Laurie]
   5637   *) Make EVP_MD routines take a context pointer instead of just the
   5638      md_data void pointer.
   5639      [Ben Laurie]
   5641   *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
   5642      that the digest can only process a single chunk of data
   5643      (typically because it is provided by a piece of
   5644      hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
   5645      is only going to provide a single chunk of data, and hence the
   5646      framework needn't accumulate the data for oneshot drivers.
   5647      [Ben Laurie]
   5649   *) As with "ERR", make it possible to replace the underlying "ex_data"
   5650      functions. This change also alters the storage and management of global
   5651      ex_data state - it's now all inside ex_data.c and all "class" code (eg.
   5652      RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
   5653      index counters. The API functions that use this state have been changed
   5654      to take a "class_index" rather than pointers to the class's local STACK
   5655      and counter, and there is now an API function to dynamically create new
   5656      classes. This centralisation allows us to (a) plug a lot of the
   5657      thread-safety problems that existed, and (b) makes it possible to clean
   5658      up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
   5659      such data would previously have always leaked in application code and
   5660      workarounds were in place to make the memory debugging turn a blind eye
   5661      to it. Application code that doesn't use this new function will still
   5662      leak as before, but their memory debugging output will announce it now
   5663      rather than letting it slide.
   5665      Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
   5666      induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
   5667      has a return value to indicate success or failure.
   5668      [Geoff Thorpe]
   5670   *) Make it possible to replace the underlying "ERR" functions such that the
   5671      global state (2 LHASH tables and 2 locks) is only used by the "default"
   5672      implementation. This change also adds two functions to "get" and "set"
   5673      the implementation prior to it being automatically set the first time
   5674      any other ERR function takes place. Ie. an application can call "get",
   5675      pass the return value to a module it has just loaded, and that module
   5676      can call its own "set" function using that value. This means the
   5677      module's "ERR" operations will use (and modify) the error state in the
   5678      application and not in its own statically linked copy of OpenSSL code.
   5679      [Geoff Thorpe]
   5681   *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
   5682      reference counts. This performs normal REF_PRINT/REF_CHECK macros on
   5683      the operation, and provides a more encapsulated way for external code
   5684      (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
   5685      to use these functions rather than manually incrementing the counts.
   5687      Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
   5688      [Geoff Thorpe]
   5690   *) Add EVP test program.
   5691      [Ben Laurie]
   5693   *) Add symmetric cipher support to ENGINE. Expect the API to change!
   5694      [Ben Laurie]
   5696   *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
   5697      X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
   5698      X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
   5699      These allow a CRL to be built without having to access X509_CRL fields
   5700      directly. Modify 'ca' application to use new functions.
   5701      [Steve Henson]
   5703   *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
   5704      bug workarounds. Rollback attack detection is a security feature.
   5705      The problem will only arise on OpenSSL servers when TLSv1 is not
   5706      available (sslv3_server_method() or SSL_OP_NO_TLSv1).
   5707      Software authors not wanting to support TLSv1 will have special reasons
   5708      for their choice and can explicitly enable this option.
   5709      [Bodo Moeller, Lutz Jaenicke]
   5711   *) Rationalise EVP so it can be extended: don't include a union of
   5712      cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
   5713      (similar to those existing for EVP_CIPHER_CTX).
   5714      Usage example:
   5716          EVP_MD_CTX md;
   5718          EVP_MD_CTX_init(&md);             /* new function call */
   5719          EVP_DigestInit(&md, EVP_sha1());
   5720          EVP_DigestUpdate(&md, in, len);
   5721          EVP_DigestFinal(&md, out, NULL);
   5722          EVP_MD_CTX_cleanup(&md);          /* new function call */
   5724      [Ben Laurie]
   5726   *) Make DES key schedule conform to the usual scheme, as well as
   5727      correcting its structure. This means that calls to DES functions
   5728      now have to pass a pointer to a des_key_schedule instead of a
   5729      plain des_key_schedule (which was actually always a pointer
   5730      anyway): E.g.,
   5732          des_key_schedule ks;
   5734 	 des_set_key_checked(..., &ks);
   5735 	 des_ncbc_encrypt(..., &ks, ...);
   5737      (Note that a later change renames 'des_...' into 'DES_...'.)
   5738      [Ben Laurie]
   5740   *) Initial reduction of linker bloat: the use of some functions, such as
   5741      PEM causes large amounts of unused functions to be linked in due to
   5742      poor organisation. For example pem_all.c contains every PEM function
   5743      which has a knock on effect of linking in large amounts of (unused)
   5744      ASN1 code. Grouping together similar functions and splitting unrelated
   5745      functions prevents this.
   5746      [Steve Henson]
   5748   *) Cleanup of EVP macros.
   5749      [Ben Laurie]
   5751   *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
   5752      correct _ecb suffix.
   5753      [Ben Laurie]
   5755   *) Add initial OCSP responder support to ocsp application. The
   5756      revocation information is handled using the text based index
   5757      use by the ca application. The responder can either handle
   5758      requests generated internally, supplied in files (for example
   5759      via a CGI script) or using an internal minimal server.
   5760      [Steve Henson]
   5762   *) Add configuration choices to get zlib compression for TLS.
   5763      [Richard Levitte]
   5765   *) Changes to Kerberos SSL for RFC 2712 compliance:
   5766      1.  Implemented real KerberosWrapper, instead of just using
   5767          KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw (a] sxw.org.uk>]
   5768      2.  Implemented optional authenticator field of KerberosWrapper.
   5770      Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
   5771      and authenticator structs; see crypto/krb5/.
   5773      Generalized Kerberos calls to support multiple Kerberos libraries.
   5774      [Vern Staats <staatsvr (a] asc.hpc.mil>,
   5775       Jeffrey Altman <jaltman (a] columbia.edu>
   5776       via Richard Levitte]
   5778   *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
   5779      already does with RSA. testdsa.h now has 'priv_key/pub_key'
   5780      values for each of the key sizes rather than having just
   5781      parameters (and 'speed' generating keys each time).
   5782      [Geoff Thorpe]
   5784   *) Speed up EVP routines.
   5785      Before:
   5786 encrypt
   5787 type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
   5788 des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
   5789 des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
   5790 des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
   5791 decrypt
   5792 des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
   5793 des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
   5794 des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
   5795      After:
   5796 encrypt
   5797 des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
   5798 decrypt
   5799 des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   5800      [Ben Laurie]
   5802   *) Added the OS2-EMX target.
   5803      ["Brian Havard" <brianh (a] kheldar.apana.org.au> and Richard Levitte]
   5805   *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
   5806      to support NCONF routines in extension code. New function CONF_set_nconf()
   5807      to allow functions which take an NCONF to also handle the old LHASH
   5808      structure: this means that the old CONF compatible routines can be
   5809      retained (in particular wrt extensions) without having to duplicate the
   5810      code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
   5811      [Steve Henson]
   5813   *) Enhance the general user interface with mechanisms for inner control
   5814      and with possibilities to have yes/no kind of prompts.
   5815      [Richard Levitte]
   5817   *) Change all calls to low level digest routines in the library and
   5818      applications to use EVP. Add missing calls to HMAC_cleanup() and
   5819      don't assume HMAC_CTX can be copied using memcpy().
   5820      [Verdon Walker <VWalker (a] novell.com>, Steve Henson]
   5822   *) Add the possibility to control engines through control names but with
   5823      arbitrary arguments instead of just a string.
   5824      Change the key loaders to take a UI_METHOD instead of a callback
   5825      function pointer.  NOTE: this breaks binary compatibility with earlier
   5826      versions of OpenSSL [engine].
   5827      Adapt the nCipher code for these new conditions and add a card insertion
   5828      callback.
   5829      [Richard Levitte]
   5831   *) Enhance the general user interface with mechanisms to better support
   5832      dialog box interfaces, application-defined prompts, the possibility
   5833      to use defaults (for example default passwords from somewhere else)
   5834      and interrupts/cancellations.
   5835      [Richard Levitte]
   5837   *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
   5838      attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
   5839      [Steve Henson]
   5841   *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
   5842      tidy up some unnecessarily weird code in 'sk_new()').
   5843      [Geoff, reported by Diego Tartara <dtartara (a] novamens.com>]
   5845   *) Change the key loading routines for ENGINEs to use the same kind
   5846      callback (pem_password_cb) as all other routines that need this
   5847      kind of callback.
   5848      [Richard Levitte]
   5850   *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
   5851      256 bit (=32 byte) keys. Of course seeding with more entropy bytes
   5852      than this minimum value is recommended.
   5853      [Lutz Jaenicke]
   5855   *) New random seeder for OpenVMS, using the system process statistics
   5856      that are easily reachable.
   5857      [Richard Levitte]
   5859   *) Windows apparently can't transparently handle global
   5860      variables defined in DLLs. Initialisations such as:
   5862         const ASN1_ITEM *it = &ASN1_INTEGER_it;
   5864      wont compile. This is used by the any applications that need to
   5865      declare their own ASN1 modules. This was fixed by adding the option
   5866      EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
   5867      needed for static libraries under Win32.
   5868      [Steve Henson]
   5870   *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
   5871      setting of purpose and trust fields. New X509_STORE trust and
   5872      purpose functions and tidy up setting in other SSL functions.
   5873      [Steve Henson]
   5875   *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
   5876      structure. These are inherited by X509_STORE_CTX when it is 
   5877      initialised. This allows various defaults to be set in the
   5878      X509_STORE structure (such as flags for CRL checking and custom
   5879      purpose or trust settings) for functions which only use X509_STORE_CTX
   5880      internally such as S/MIME.
   5882      Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
   5883      trust settings if they are not set in X509_STORE. This allows X509_STORE
   5884      purposes and trust (in S/MIME for example) to override any set by default.
   5886      Add command line options for CRL checking to smime, s_client and s_server
   5887      applications.
   5888      [Steve Henson]
   5890   *) Initial CRL based revocation checking. If the CRL checking flag(s)
   5891      are set then the CRL is looked up in the X509_STORE structure and
   5892      its validity and signature checked, then if the certificate is found
   5893      in the CRL the verify fails with a revoked error.
   5895      Various new CRL related callbacks added to X509_STORE_CTX structure.
   5897      Command line options added to 'verify' application to support this.
   5899      This needs some additional work, such as being able to handle multiple
   5900      CRLs with different times, extension based lookup (rather than just
   5901      by subject name) and ultimately more complete V2 CRL extension
   5902      handling.
   5903      [Steve Henson]
   5905   *) Add a general user interface API (crypto/ui/).  This is designed
   5906      to replace things like des_read_password and friends (backward
   5907      compatibility functions using this new API are provided).
   5908      The purpose is to remove prompting functions from the DES code
   5909      section as well as provide for prompting through dialog boxes in
   5910      a window system and the like.
   5911      [Richard Levitte]
   5913   *) Add "ex_data" support to ENGINE so implementations can add state at a
   5914      per-structure level rather than having to store it globally.
   5915      [Geoff]
   5917   *) Make it possible for ENGINE structures to be copied when retrieved by
   5918      ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
   5919      This causes the "original" ENGINE structure to act like a template,
   5920      analogous to the RSA vs. RSA_METHOD type of separation. Because of this
   5921      operational state can be localised to each ENGINE structure, despite the
   5922      fact they all share the same "methods". New ENGINE structures returned in
   5923      this case have no functional references and the return value is the single
   5924      structural reference. This matches the single structural reference returned
   5925      by ENGINE_by_id() normally, when it is incremented on the pre-existing
   5926      ENGINE structure.
   5927      [Geoff]
   5929   *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
   5930      needs to match any other type at all we need to manually clear the
   5931      tag cache.
   5932      [Steve Henson]
   5934   *) Changes to the "openssl engine" utility to include;
   5935      - verbosity levels ('-v', '-vv', and '-vvv') that provide information
   5936        about an ENGINE's available control commands.
   5937      - executing control commands from command line arguments using the
   5938        '-pre' and '-post' switches. '-post' is only used if '-t' is
   5939        specified and the ENGINE is successfully initialised. The syntax for
   5940        the individual commands are colon-separated, for example;
   5941 	 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
   5942      [Geoff]
   5944   *) New dynamic control command support for ENGINEs. ENGINEs can now
   5945      declare their own commands (numbers), names (strings), descriptions,
   5946      and input types for run-time discovery by calling applications. A
   5947      subset of these commands are implicitly classed as "executable"
   5948      depending on their input type, and only these can be invoked through
   5949      the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
   5950      can be based on user input, config files, etc). The distinction is
   5951      that "executable" commands cannot return anything other than a boolean
   5952      result and can only support numeric or string input, whereas some
   5953      discoverable commands may only be for direct use through
   5954      ENGINE_ctrl(), eg. supporting the exchange of binary data, function
   5955      pointers, or other custom uses. The "executable" commands are to
   5956      support parameterisations of ENGINE behaviour that can be
   5957      unambiguously defined by ENGINEs and used consistently across any
   5958      OpenSSL-based application. Commands have been added to all the
   5959      existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
   5960      control over shared-library paths without source code alterations.
   5961      [Geoff]
   5963   *) Changed all ENGINE implementations to dynamically allocate their
   5964      ENGINEs rather than declaring them statically. Apart from this being
   5965      necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
   5966      this also allows the implementations to compile without using the
   5967      internal engine_int.h header.
   5968      [Geoff]
   5970   *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
   5971      'const' value. Any code that should be able to modify a RAND_METHOD
   5972      should already have non-const pointers to it (ie. they should only
   5973      modify their own ones).
   5974      [Geoff]
   5976   *) Made a variety of little tweaks to the ENGINE code.
   5977      - "atalla" and "ubsec" string definitions were moved from header files
   5978        to C code. "nuron" string definitions were placed in variables
   5979        rather than hard-coded - allowing parameterisation of these values
   5980        later on via ctrl() commands.
   5981      - Removed unused "#if 0"'d code.
   5982      - Fixed engine list iteration code so it uses ENGINE_free() to release
   5983        structural references.
   5984      - Constified the RAND_METHOD element of ENGINE structures.
   5985      - Constified various get/set functions as appropriate and added
   5986        missing functions (including a catch-all ENGINE_cpy that duplicates
   5987        all ENGINE values onto a new ENGINE except reference counts/state).
   5988      - Removed NULL parameter checks in get/set functions. Setting a method
   5989        or function to NULL is a way of cancelling out a previously set
   5990        value.  Passing a NULL ENGINE parameter is just plain stupid anyway
   5991        and doesn't justify the extra error symbols and code.
   5992      - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
   5993        flags from engine_int.h to engine.h.
   5994      - Changed prototypes for ENGINE handler functions (init(), finish(),
   5995        ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
   5996      [Geoff]
   5998   *) Implement binary inversion algorithm for BN_mod_inverse in addition
   5999      to the algorithm using long division.  The binary algorithm can be
   6000      used only if the modulus is odd.  On 32-bit systems, it is faster
   6001      only for relatively small moduli (roughly 20-30% for 128-bit moduli,
   6002      roughly 5-15% for 256-bit moduli), so we use it only for moduli
   6003      up to 450 bits.  In 64-bit environments, the binary algorithm
   6004      appears to be advantageous for much longer moduli; here we use it
   6005      for moduli up to 2048 bits.
   6006      [Bodo Moeller]
   6008   *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
   6009      could not support the combine flag in choice fields.
   6010      [Steve Henson]
   6012   *) Add a 'copy_extensions' option to the 'ca' utility. This copies
   6013      extensions from a certificate request to the certificate.
   6014      [Steve Henson]
   6016   *) Allow multiple 'certopt' and 'nameopt' options to be separated
   6017      by commas. Add 'namopt' and 'certopt' options to the 'ca' config
   6018      file: this allows the display of the certificate about to be
   6019      signed to be customised, to allow certain fields to be included
   6020      or excluded and extension details. The old system didn't display
   6021      multicharacter strings properly, omitted fields not in the policy
   6022      and couldn't display additional details such as extensions.
   6023      [Steve Henson]
   6025   *) Function EC_POINTs_mul for multiple scalar multiplication
   6026      of an arbitrary number of elliptic curve points
   6027           \sum scalars[i]*points[i],
   6028      optionally including the generator defined for the EC_GROUP:
   6029           scalar*generator +  \sum scalars[i]*points[i].
   6031      EC_POINT_mul is a simple wrapper function for the typical case
   6032      that the point list has just one item (besides the optional
   6033      generator).
   6034      [Bodo Moeller]
   6036   *) First EC_METHODs for curves over GF(p):
   6038      EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
   6039      operations and provides various method functions that can also
   6040      operate with faster implementations of modular arithmetic.     
   6042      EC_GFp_mont_method() reuses most functions that are part of
   6043      EC_GFp_simple_method, but uses Montgomery arithmetic.
   6045      [Bodo Moeller; point addition and point doubling
   6046      implementation directly derived from source code provided by
   6047      Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>]
   6049   *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
   6050      crypto/ec/ec_lib.c):
   6052      Curves are EC_GROUP objects (with an optional group generator)
   6053      based on EC_METHODs that are built into the library.
   6055      Points are EC_POINT objects based on EC_GROUP objects.
   6057      Most of the framework would be able to handle curves over arbitrary
   6058      finite fields, but as there are no obvious types for fields other
   6059      than GF(p), some functions are limited to that for now.
   6060      [Bodo Moeller]
   6062   *) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
   6063      that the file contains a complete HTTP response.
   6064      [Richard Levitte]
   6066   *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
   6067      change the def and num file printf format specifier from "%-40sXXX"
   6068      to "%-39s XXX". The latter will always guarantee a space after the
   6069      field while the former will cause them to run together if the field
   6070      is 40 of more characters long.
   6071      [Steve Henson]
   6073   *) Constify the cipher and digest 'method' functions and structures
   6074      and modify related functions to take constant EVP_MD and EVP_CIPHER
   6075      pointers.
   6076      [Steve Henson]
   6078   *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
   6079      in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
   6080      [Bodo Moeller]
   6082   *) Modify EVP_Digest*() routines so they now return values. Although the
   6083      internal software routines can never fail additional hardware versions
   6084      might.
   6085      [Steve Henson]
   6087   *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
   6089      Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
   6090      (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
   6092      ASN1 error codes
   6093           ERR_R_NESTED_ASN1_ERROR
   6094           ...
   6095           ERR_R_MISSING_ASN1_EOS
   6096      were 4 .. 9, conflicting with
   6097           ERR_LIB_RSA (= ERR_R_RSA_LIB)
   6098           ...
   6099           ERR_LIB_PEM (= ERR_R_PEM_LIB).
   6100      They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
   6102      Add new error code 'ERR_R_INTERNAL_ERROR'.
   6103      [Bodo Moeller]
   6105   *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
   6106      suffices.
   6107      [Bodo Moeller]
   6109   *) New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
   6110      sets the subject name for a new request or supersedes the
   6111      subject name in a given request. Formats that can be parsed are
   6112           'CN=Some Name, OU=myOU, C=IT'
   6113      and
   6114           'CN=Some Name/OU=myOU/C=IT'.
   6116      Add options '-batch' and '-verbose' to 'openssl req'.
   6117      [Massimiliano Pala <madwolf (a] hackmasters.net>]
   6119   *) Introduce the possibility to access global variables through
   6120      functions on platform were that's the best way to handle exporting
   6121      global variables in shared libraries.  To enable this functionality,
   6122      one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
   6123      "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
   6124      is normally done by Configure or something similar).
   6126      To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
   6127      in the source file (foo.c) like this:
   6129 	OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
   6130 	OPENSSL_IMPLEMENT_GLOBAL(double,bar);
   6132      To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
   6133      and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
   6135 	OPENSSL_DECLARE_GLOBAL(int,foo);
   6136 	#define foo OPENSSL_GLOBAL_REF(foo)
   6137 	OPENSSL_DECLARE_GLOBAL(double,bar);
   6138 	#define bar OPENSSL_GLOBAL_REF(bar)
   6140      The #defines are very important, and therefore so is including the
   6141      header file everywhere where the defined globals are used.
   6143      The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
   6144      of ASN.1 items, but that structure is a bit different.
   6146      The largest change is in util/mkdef.pl which has been enhanced with
   6147      better and easier to understand logic to choose which symbols should
   6148      go into the Windows .def files as well as a number of fixes and code
   6149      cleanup (among others, algorithm keywords are now sorted
   6150      lexicographically to avoid constant rewrites).
   6151      [Richard Levitte]
   6153   *) In BN_div() keep a copy of the sign of 'num' before writing the
   6154      result to 'rm' because if rm==num the value will be overwritten
   6155      and produce the wrong result if 'num' is negative: this caused
   6156      problems with BN_mod() and BN_nnmod().
   6157      [Steve Henson]
   6159   *) Function OCSP_request_verify(). This checks the signature on an
   6160      OCSP request and verifies the signer certificate. The signer
   6161      certificate is just checked for a generic purpose and OCSP request
   6162      trust settings.
   6163      [Steve Henson]
   6165   *) Add OCSP_check_validity() function to check the validity of OCSP
   6166      responses. OCSP responses are prepared in real time and may only
   6167      be a few seconds old. Simply checking that the current time lies
   6168      between thisUpdate and nextUpdate max reject otherwise valid responses
   6169      caused by either OCSP responder or client clock inaccuracy. Instead
   6170      we allow thisUpdate and nextUpdate to fall within a certain period of
   6171      the current time. The age of the response can also optionally be
   6172      checked. Two new options -validity_period and -status_age added to
   6173      ocsp utility.
   6174      [Steve Henson]
   6176   *) If signature or public key algorithm is unrecognized print out its
   6177      OID rather that just UNKNOWN.
   6178      [Steve Henson]
   6180   *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
   6181      OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
   6182      ID to be generated from the issuer certificate alone which can then be
   6183      passed to OCSP_id_issuer_cmp().
   6184      [Steve Henson]
   6186   *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
   6187      ASN1 modules to export functions returning ASN1_ITEM pointers
   6188      instead of the ASN1_ITEM structures themselves. This adds several
   6189      new macros which allow the underlying ASN1 function/structure to
   6190      be accessed transparently. As a result code should not use ASN1_ITEM
   6191      references directly (such as &X509_it) but instead use the relevant
   6192      macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
   6193      use of the new ASN1 code on platforms where exporting structures
   6194      is problematical (for example in shared libraries) but exporting
   6195      functions returning pointers to structures is not.
   6196      [Steve Henson]
   6198   *) Add support for overriding the generation of SSL/TLS session IDs.
   6199      These callbacks can be registered either in an SSL_CTX or per SSL.
   6200      The purpose of this is to allow applications to control, if they wish,
   6201      the arbitrary values chosen for use as session IDs, particularly as it
   6202      can be useful for session caching in multiple-server environments. A
   6203      command-line switch for testing this (and any client code that wishes
   6204      to use such a feature) has been added to "s_server".
   6205      [Geoff Thorpe, Lutz Jaenicke]
   6207   *) Modify mkdef.pl to recognise and parse preprocessor conditionals
   6208      of the form '#if defined(...) || defined(...) || ...' and
   6209      '#if !defined(...) && !defined(...) && ...'.  This also avoids
   6210      the growing number of special cases it was previously handling.
   6211      [Richard Levitte]
   6213   *) Make all configuration macros available for application by making
   6214      sure they are available in opensslconf.h, by giving them names starting
   6215      with "OPENSSL_" to avoid conflicts with other packages and by making
   6216      sure e_os2.h will cover all platform-specific cases together with
   6217      opensslconf.h.
   6218      Additionally, it is now possible to define configuration/platform-
   6219      specific names (called "system identities").  In the C code, these
   6220      are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
   6221      macro with the name beginning with "OPENSSL_SYS_", which is determined
   6222      from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
   6223      what is available.
   6224      [Richard Levitte]
   6226   *) New option -set_serial to 'req' and 'x509' this allows the serial
   6227      number to use to be specified on the command line. Previously self
   6228      signed certificates were hard coded with serial number 0 and the 
   6229      CA options of 'x509' had to use a serial number in a file which was
   6230      auto incremented.
   6231      [Steve Henson]
   6233   *) New options to 'ca' utility to support V2 CRL entry extensions.
   6234      Currently CRL reason, invalidity date and hold instruction are
   6235      supported. Add new CRL extensions to V3 code and some new objects.
   6236      [Steve Henson]
   6238   *) New function EVP_CIPHER_CTX_set_padding() this is used to
   6239      disable standard block padding (aka PKCS#5 padding) in the EVP
   6240      API, which was previously mandatory. This means that the data is
   6241      not padded in any way and so the total length much be a multiple
   6242      of the block size, otherwise an error occurs.
   6243      [Steve Henson]
   6245   *) Initial (incomplete) OCSP SSL support.
   6246      [Steve Henson]
   6248   *) New function OCSP_parse_url(). This splits up a URL into its host,
   6249      port and path components: primarily to parse OCSP URLs. New -url
   6250      option to ocsp utility.
   6251      [Steve Henson]
   6253   *) New nonce behavior. The return value of OCSP_check_nonce() now 
   6254      reflects the various checks performed. Applications can decide
   6255      whether to tolerate certain situations such as an absent nonce
   6256      in a response when one was present in a request: the ocsp application
   6257      just prints out a warning. New function OCSP_add1_basic_nonce()
   6258      this is to allow responders to include a nonce in a response even if
   6259      the request is nonce-less.
   6260      [Steve Henson]
   6262   *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
   6263      skipped when using openssl x509 multiple times on a single input file,
   6264      e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
   6265      [Bodo Moeller]
   6267   *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
   6268      set string type: to handle setting ASN1_TIME structures. Fix ca
   6269      utility to correctly initialize revocation date of CRLs.
   6270      [Steve Henson]
   6272   *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
   6273      the clients preferred ciphersuites and rather use its own preferences.
   6274      Should help to work around M$ SGC (Server Gated Cryptography) bug in
   6275      Internet Explorer by ensuring unchanged hash method during stepup.
   6276      (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
   6277      [Lutz Jaenicke]
   6279   *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
   6280      to aes and add a new 'exist' option to print out symbols that don't
   6281      appear to exist.
   6282      [Steve Henson]
   6284   *) Additional options to ocsp utility to allow flags to be set and
   6285      additional certificates supplied.
   6286      [Steve Henson]
   6288   *) Add the option -VAfile to 'openssl ocsp', so the user can give the
   6289      OCSP client a number of certificate to only verify the response
   6290      signature against.
   6291      [Richard Levitte]
   6293   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
   6294      handle the new API. Currently only ECB, CBC modes supported. Add new
   6295      AES OIDs.
   6297      Add TLS AES ciphersuites as described in RFC3268, "Advanced
   6298      Encryption Standard (AES) Ciphersuites for Transport Layer
   6299      Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
   6300      not enabled by default and were not part of the "ALL" ciphersuite
   6301      alias because they were not yet official; they could be
   6302      explicitly requested by specifying the "AESdraft" ciphersuite
   6303      group alias.  In the final release of OpenSSL 0.9.7, the group
   6304      alias is called "AES" and is part of "ALL".)
   6305      [Ben Laurie, Steve  Henson, Bodo Moeller]
   6307   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
   6308      request to response.
   6309      [Steve Henson]
   6311   *) Functions for OCSP responders. OCSP_request_onereq_count(),
   6312      OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
   6313      extract information from a certificate request. OCSP_response_create()
   6314      creates a response and optionally adds a basic response structure.
   6315      OCSP_basic_add1_status() adds a complete single response to a basic
   6316      response and returns the OCSP_SINGLERESP structure just added (to allow
   6317      extensions to be included for example). OCSP_basic_add1_cert() adds a
   6318      certificate to a basic response and OCSP_basic_sign() signs a basic
   6319      response with various flags. New helper functions ASN1_TIME_check()
   6320      (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
   6321      (converts ASN1_TIME to GeneralizedTime).
   6322      [Steve Henson]
   6324   *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
   6325      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
   6326      structure from a certificate. X509_pubkey_digest() digests the public_key
   6327      contents: this is used in various key identifiers. 
   6328      [Steve Henson]
   6330   *) Make sk_sort() tolerate a NULL argument.
   6331      [Steve Henson reported by Massimiliano Pala <madwolf (a] comune.modena.it>]
   6333   *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
   6334      passed by the function are trusted implicitly. If any of them signed the
   6335      response then it is assumed to be valid and is not verified.
   6336      [Steve Henson]
   6338   *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
   6339      to data. This was previously part of the PKCS7 ASN1 code. This
   6340      was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
   6341      [Steve Henson, reported by Kenneth R. Robinette
   6342 				<support (a] securenetterm.com>]
   6344   *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
   6345      routines: without these tracing memory leaks is very painful.
   6346      Fix leaks in PKCS12 and PKCS7 routines.
   6347      [Steve Henson]
   6349   *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
   6350      Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
   6351      effectively meant GeneralizedTime would never be used. Now it
   6352      is initialised to -1 but X509_time_adj() now has to check the value
   6353      and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
   6354      V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
   6355      [Steve Henson, reported by Kenneth R. Robinette
   6356 				<support (a] securenetterm.com>]
   6358   *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
   6359      result in a zero length in the ASN1_INTEGER structure which was
   6360      not consistent with the structure when d2i_ASN1_INTEGER() was used
   6361      and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
   6362      to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
   6363      where it did not print out a minus for negative ASN1_INTEGER.
   6364      [Steve Henson]
   6366   *) Add summary printout to ocsp utility. The various functions which
   6367      convert status values to strings have been renamed to:
   6368      OCSP_response_status_str(), OCSP_cert_status_str() and
   6369      OCSP_crl_reason_str() and are no longer static. New options
   6370      to verify nonce values and to disable verification. OCSP response
   6371      printout format cleaned up.
   6372      [Steve Henson]
   6374   *) Add additional OCSP certificate checks. These are those specified
   6375      in RFC2560. This consists of two separate checks: the CA of the
   6376      certificate being checked must either be the OCSP signer certificate
   6377      or the issuer of the OCSP signer certificate. In the latter case the
   6378      OCSP signer certificate must contain the OCSP signing extended key
   6379      usage. This check is performed by attempting to match the OCSP
   6380      signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
   6381      in the OCSP_CERTID structures of the response.
   6382      [Steve Henson]
   6384   *) Initial OCSP certificate verification added to OCSP_basic_verify()
   6385      and related routines. This uses the standard OpenSSL certificate
   6386      verify routines to perform initial checks (just CA validity) and
   6387      to obtain the certificate chain. Then additional checks will be
   6388      performed on the chain. Currently the root CA is checked to see
   6389      if it is explicitly trusted for OCSP signing. This is used to set
   6390      a root CA as a global signing root: that is any certificate that
   6391      chains to that CA is an acceptable OCSP signing certificate.
   6392      [Steve Henson]
   6394   *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
   6395      extensions from a separate configuration file.
   6396      As when reading extensions from the main configuration file,
   6397      the '-extensions ...' option may be used for specifying the
   6398      section to use.
   6399      [Massimiliano Pala <madwolf (a] comune.modena.it>]
   6401   *) New OCSP utility. Allows OCSP requests to be generated or
   6402      read. The request can be sent to a responder and the output
   6403      parsed, outputed or printed in text form. Not complete yet:
   6404      still needs to check the OCSP response validity.
   6405      [Steve Henson]
   6407   *) New subcommands for 'openssl ca':
   6408      'openssl ca -status <serial>' prints the status of the cert with
   6409      the given serial number (according to the index file).
   6410      'openssl ca -updatedb' updates the expiry status of certificates
   6411      in the index file.
   6412      [Massimiliano Pala <madwolf (a] comune.modena.it>]
   6414   *) New '-newreq-nodes' command option to CA.pl.  This is like
   6415      '-newreq', but calls 'openssl req' with the '-nodes' option
   6416      so that the resulting key is not encrypted.
   6417      [Damien Miller <djm (a] mindrot.org>]
   6419   *) New configuration for the GNU Hurd.
   6420      [Jonathan Bartlett <johnnyb (a] wolfram.com> via Richard Levitte]
   6422   *) Initial code to implement OCSP basic response verify. This
   6423      is currently incomplete. Currently just finds the signer's
   6424      certificate and verifies the signature on the response.
   6425      [Steve Henson]
   6427   *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
   6428      value of OPENSSLDIR.  This is available via the new '-d' option
   6429      to 'openssl version', and is also included in 'openssl version -a'.
   6430      [Bodo Moeller]
   6432   *) Allowing defining memory allocation callbacks that will be given
   6433      file name and line number information in additional arguments
   6434      (a const char* and an int).  The basic functionality remains, as
   6435      well as the original possibility to just replace malloc(),
   6436      realloc() and free() by functions that do not know about these
   6437      additional arguments.  To register and find out the current
   6438      settings for extended allocation functions, the following
   6439      functions are provided:
   6441 	CRYPTO_set_mem_ex_functions
   6442 	CRYPTO_set_locked_mem_ex_functions
   6443 	CRYPTO_get_mem_ex_functions
   6444 	CRYPTO_get_locked_mem_ex_functions
   6446      These work the same way as CRYPTO_set_mem_functions and friends.
   6447      CRYPTO_get_[locked_]mem_functions now writes 0 where such an
   6448      extended allocation function is enabled.
   6449      Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
   6450      a conventional allocation function is enabled.
   6451      [Richard Levitte, Bodo Moeller]
   6453   *) Finish off removing the remaining LHASH function pointer casts.
   6454      There should no longer be any prototype-casting required when using
   6455      the LHASH abstraction, and any casts that remain are "bugs". See
   6456      the callback types and macros at the head of lhash.h for details
   6457      (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
   6458      [Geoff Thorpe]
   6460   *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
   6461      If /dev/[u]random devices are not available or do not return enough
   6462      entropy, EGD style sockets (served by EGD or PRNGD) will automatically
   6463      be queried.
   6464      The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
   6465      /etc/entropy will be queried once each in this sequence, quering stops
   6466      when enough entropy was collected without querying more sockets.
   6467      [Lutz Jaenicke]
   6469   *) Change the Unix RAND_poll() variant to be able to poll several
   6470      random devices, as specified by DEVRANDOM, until a sufficient amount
   6471      of data has been collected.   We spend at most 10 ms on each file
   6472      (select timeout) and read in non-blocking mode.  DEVRANDOM now
   6473      defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
   6474      (previously it was just the string "/dev/urandom"), so on typical
   6475      platforms the 10 ms delay will never occur.
   6476      Also separate out the Unix variant to its own file, rand_unix.c.
   6477      For VMS, there's a currently-empty rand_vms.c.
   6478      [Richard Levitte]
   6480   *) Move OCSP client related routines to ocsp_cl.c. These
   6481      provide utility functions which an application needing
   6482      to issue a request to an OCSP responder and analyse the
   6483      response will typically need: as opposed to those which an
   6484      OCSP responder itself would need which will be added later.
   6486      OCSP_request_sign() signs an OCSP request with an API similar
   6487      to PKCS7_sign(). OCSP_response_status() returns status of OCSP
   6488      response. OCSP_response_get1_basic() extracts basic response
   6489      from response. OCSP_resp_find_status(): finds and extracts status
   6490      information from an OCSP_CERTID structure (which will be created
   6491      when the request structure is built). These are built from lower
   6492      level functions which work on OCSP_SINGLERESP structures but
   6493      wont normally be used unless the application wishes to examine
   6494      extensions in the OCSP response for example.
   6496      Replace nonce routines with a pair of functions.
   6497      OCSP_request_add1_nonce() adds a nonce value and optionally
   6498      generates a random value. OCSP_check_nonce() checks the
   6499      validity of the nonce in an OCSP response.
   6500      [Steve Henson]
   6502   *) Change function OCSP_request_add() to OCSP_request_add0_id().
   6503      This doesn't copy the supplied OCSP_CERTID and avoids the
   6504      need to free up the newly created id. Change return type
   6505      to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
   6506      This can then be used to add extensions to the request.
   6507      Deleted OCSP_request_new(), since most of its functionality
   6508      is now in OCSP_REQUEST_new() (and the case insensitive name
   6509      clash) apart from the ability to set the request name which
   6510      will be added elsewhere.
   6511      [Steve Henson]
   6513   *) Update OCSP API. Remove obsolete extensions argument from
   6514      various functions. Extensions are now handled using the new
   6515      OCSP extension code. New simple OCSP HTTP function which 
   6516      can be used to send requests and parse the response.
   6517      [Steve Henson]
   6519   *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
   6520      ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
   6521      uses the special reorder version of SET OF to sort the attributes
   6522      and reorder them to match the encoded order. This resolves a long
   6523      standing problem: a verify on a PKCS7 structure just after signing
   6524      it used to fail because the attribute order did not match the
   6525      encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
   6526      it uses the received order. This is necessary to tolerate some broken
   6527      software that does not order SET OF. This is handled by encoding
   6528      as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
   6529      to produce the required SET OF.
   6530      [Steve Henson]
   6532   *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
   6533      OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
   6534      files to get correct declarations of the ASN.1 item variables.
   6535      [Richard Levitte]
   6537   *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
   6538      PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
   6539      asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
   6540      NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
   6541      New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
   6542      ASN1_ITEM and no wrapper functions.
   6543      [Steve Henson]
   6545   *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
   6546      replace the old function pointer based I/O routines. Change most of
   6547      the *_d2i_bio() and *_d2i_fp() functions to use these.
   6548      [Steve Henson]
   6550   *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
   6551      lines, recognice more "algorithms" that can be deselected, and make
   6552      it complain about algorithm deselection that isn't recognised.
   6553      [Richard Levitte]
   6555   *) New ASN1 functions to handle dup, sign, verify, digest, pack and
   6556      unpack operations in terms of ASN1_ITEM. Modify existing wrappers
   6557      to use new functions. Add NO_ASN1_OLD which can be set to remove
   6558      some old style ASN1 functions: this can be used to determine if old
   6559      code will still work when these eventually go away.
   6560      [Steve Henson]
   6562   *) New extension functions for OCSP structures, these follow the
   6563      same conventions as certificates and CRLs.
   6564      [Steve Henson]
   6566   *) New function X509V3_add1_i2d(). This automatically encodes and
   6567      adds an extension. Its behaviour can be customised with various
   6568      flags to append, replace or delete. Various wrappers added for
   6569      certifcates and CRLs.
   6570      [Steve Henson]
   6572   *) Fix to avoid calling the underlying ASN1 print routine when
   6573      an extension cannot be parsed. Correct a typo in the
   6574      OCSP_SERVICELOC extension. Tidy up print OCSP format.
   6575      [Steve Henson]
   6577   *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
   6578      entries for variables.
   6579      [Steve Henson]
   6581   *) Add functionality to apps/openssl.c for detecting locking
   6582      problems: As the program is single-threaded, all we have
   6583      to do is register a locking callback using an array for
   6584      storing which locks are currently held by the program.
   6585      [Bodo Moeller]
   6587   *) Use a lock around the call to CRYPTO_get_ex_new_index() in
   6588      SSL_get_ex_data_X509_STORE_idx(), which is used in
   6589      ssl_verify_cert_chain() and thus can be called at any time
   6590      during TLS/SSL handshakes so that thread-safety is essential.
   6591      Unfortunately, the ex_data design is not at all suited
   6592      for multi-threaded use, so it probably should be abolished.
   6593      [Bodo Moeller]
   6595   *) Added Broadcom "ubsec" ENGINE to OpenSSL.
   6596      [Broadcom, tweaked and integrated by Geoff Thorpe]
   6598   *) Move common extension printing code to new function
   6599      X509V3_print_extensions(). Reorganise OCSP print routines and
   6600      implement some needed OCSP ASN1 functions. Add OCSP extensions.
   6601      [Steve Henson]
   6603   *) New function X509_signature_print() to remove duplication in some
   6604      print routines.
   6605      [Steve Henson]
   6607   *) Add a special meaning when SET OF and SEQUENCE OF flags are both
   6608      set (this was treated exactly the same as SET OF previously). This
   6609      is used to reorder the STACK representing the structure to match the
   6610      encoding. This will be used to get round a problem where a PKCS7
   6611      structure which was signed could not be verified because the STACK
   6612      order did not reflect the encoded order.
   6613      [Steve Henson]
   6615   *) Reimplement the OCSP ASN1 module using the new code.
   6616      [Steve Henson]
   6618   *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
   6619      for its ASN1 operations. The old style function pointers still exist
   6620      for now but they will eventually go away.
   6621      [Steve Henson]
   6623   *) Merge in replacement ASN1 code from the ASN1 branch. This almost
   6624      completely replaces the old ASN1 functionality with a table driven
   6625      encoder and decoder which interprets an ASN1_ITEM structure describing
   6626      the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
   6627      largely maintained. Almost all of the old asn1_mac.h macro based ASN1
   6628      has also been converted to the new form.
   6629      [Steve Henson]
   6631   *) Change BN_mod_exp_recp so that negative moduli are tolerated
   6632      (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
   6633      so that BN_mod_exp_mont and BN_mod_exp_mont_word work
   6634      for negative moduli.
   6635      [Bodo Moeller]
   6637   *) Fix BN_uadd and BN_usub: Always return non-negative results instead
   6638      of not touching the result's sign bit.
   6639      [Bodo Moeller]
   6641   *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
   6642      set.
   6643      [Bodo Moeller]
   6645   *) Changed the LHASH code to use prototypes for callbacks, and created
   6646      macros to declare and implement thin (optionally static) functions
   6647      that provide type-safety and avoid function pointer casting for the
   6648      type-specific callbacks.
   6649      [Geoff Thorpe]
   6651   *) Added Kerberos Cipher Suites to be used with TLS, as written in
   6652      RFC 2712.
   6653      [Veers Staats <staatsvr (a] asc.hpc.mil>,
   6654       Jeffrey Altman <jaltman (a] columbia.edu>, via Richard Levitte]
   6656   *) Reformat the FAQ so the different questions and answers can be divided
   6657      in sections depending on the subject.
   6658      [Richard Levitte]
   6660   *) Have the zlib compression code load ZLIB.DLL dynamically under
   6661      Windows.
   6662      [Richard Levitte]
   6664   *) New function BN_mod_sqrt for computing square roots modulo a prime
   6665      (using the probabilistic Tonelli-Shanks algorithm unless
   6666      p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
   6667      be handled deterministically).
   6668      [Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>, Bodo Moeller]
   6670   *) Make BN_mod_inverse faster by explicitly handling small quotients
   6671      in the Euclid loop. (Speed gain about 20% for small moduli [256 or
   6672      512 bits], about 30% for larger ones [1024 or 2048 bits].)
   6673      [Bodo Moeller]
   6675   *) New function BN_kronecker.
   6676      [Bodo Moeller]
   6678   *) Fix BN_gcd so that it works on negative inputs; the result is
   6679      positive unless both parameters are zero.
   6680      Previously something reasonably close to an infinite loop was
   6681      possible because numbers could be growing instead of shrinking
   6682      in the implementation of Euclid's algorithm.
   6683      [Bodo Moeller]
   6685   *) Fix BN_is_word() and BN_is_one() macros to take into account the
   6686      sign of the number in question.
   6688      Fix BN_is_word(a,w) to work correctly for w == 0.
   6690      The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
   6691      because its test if the absolute value of 'a' equals 'w'.
   6692      Note that BN_abs_is_word does *not* handle w == 0 reliably;
   6693      it exists mostly for use in the implementations of BN_is_zero(),
   6694      BN_is_one(), and BN_is_word().
   6695      [Bodo Moeller]
   6697   *) New function BN_swap.
   6698      [Bodo Moeller]
   6700   *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
   6701      the exponentiation functions are more likely to produce reasonable
   6702      results on negative inputs.
   6703      [Bodo Moeller]
   6705   *) Change BN_mod_mul so that the result is always non-negative.
   6706      Previously, it could be negative if one of the factors was negative;
   6707      I don't think anyone really wanted that behaviour.
   6708      [Bodo Moeller]
   6710   *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
   6711      (except for exponentiation, which stays in crypto/bn/bn_exp.c,
   6712      and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
   6713      and add new functions:
   6715           BN_nnmod
   6716           BN_mod_sqr
   6717           BN_mod_add
   6718           BN_mod_add_quick
   6719           BN_mod_sub
   6720           BN_mod_sub_quick
   6721           BN_mod_lshift1
   6722           BN_mod_lshift1_quick
   6723           BN_mod_lshift
   6724           BN_mod_lshift_quick
   6726      These functions always generate non-negative results.
   6728      BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
   6729      such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
   6731      BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
   6732      BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
   6733      be reduced modulo  m.
   6734      [Lenka Fibikova <fibikova (a] exp-math.uni-essen.de>, Bodo Moeller]
   6736 #if 0
   6737      The following entry accidentily appeared in the CHANGES file
   6738      distributed with OpenSSL 0.9.7.  The modifications described in
   6739      it do *not* apply to OpenSSL 0.9.7.
   6741   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
   6742      was actually never needed) and in BN_mul().  The removal in BN_mul()
   6743      required a small change in bn_mul_part_recursive() and the addition
   6744      of the functions bn_cmp_part_words(), bn_sub_part_words() and
   6745      bn_add_part_words(), which do the same thing as bn_cmp_words(),
   6746      bn_sub_words() and bn_add_words() except they take arrays with
   6747      differing sizes.
   6748      [Richard Levitte]
   6749 #endif
   6751   *) In 'openssl passwd', verify passwords read from the terminal
   6752      unless the '-salt' option is used (which usually means that
   6753      verification would just waste user's time since the resulting
   6754      hash is going to be compared with some given password hash)
   6755      or the new '-noverify' option is used.
   6757      This is an incompatible change, but it does not affect
   6758      non-interactive use of 'openssl passwd' (passwords on the command
   6759      line, '-stdin' option, '-in ...' option) and thus should not
   6760      cause any problems.
   6761      [Bodo Moeller]
   6763   *) Remove all references to RSAref, since there's no more need for it.
   6764      [Richard Levitte]
   6766   *) Make DSO load along a path given through an environment variable
   6767      (SHLIB_PATH) with shl_load().
   6768      [Richard Levitte]
   6770   *) Constify the ENGINE code as a result of BIGNUM constification.
   6771      Also constify the RSA code and most things related to it.  In a
   6772      few places, most notable in the depth of the ASN.1 code, ugly
   6773      casts back to non-const were required (to be solved at a later
   6774      time)
   6775      [Richard Levitte]
   6777   *) Make it so the openssl application has all engines loaded by default.
   6778      [Richard Levitte]
   6780   *) Constify the BIGNUM routines a little more.
   6781      [Richard Levitte]
   6783   *) Add the following functions:
   6785 	ENGINE_load_cswift()
   6786 	ENGINE_load_chil()
   6787 	ENGINE_load_atalla()
   6788 	ENGINE_load_nuron()
   6789 	ENGINE_load_builtin_engines()
   6791      That way, an application can itself choose if external engines that
   6792      are built-in in OpenSSL shall ever be used or not.  The benefit is
   6793      that applications won't have to be linked with libdl or other dso
   6794      libraries unless it's really needed.
   6796      Changed 'openssl engine' to load all engines on demand.
   6797      Changed the engine header files to avoid the duplication of some
   6798      declarations (they differed!).
   6799      [Richard Levitte]
   6801   *) 'openssl engine' can now list capabilities.
   6802      [Richard Levitte]
   6804   *) Better error reporting in 'openssl engine'.
   6805      [Richard Levitte]
   6807   *) Never call load_dh_param(NULL) in s_server.
   6808      [Bodo Moeller]
   6810   *) Add engine application.  It can currently list engines by name and
   6811      identity, and test if they are actually available.
   6812      [Richard Levitte]
   6814   *) Improve RPM specification file by forcing symbolic linking and making
   6815      sure the installed documentation is also owned by root.root.
   6816      [Damien Miller <djm (a] mindrot.org>]
   6818   *) Give the OpenSSL applications more possibilities to make use of
   6819      keys (public as well as private) handled by engines.
   6820      [Richard Levitte]
   6822   *) Add OCSP code that comes from CertCo.
   6823      [Richard Levitte]
   6825   *) Add VMS support for the Rijndael code.
   6826      [Richard Levitte]
   6828   *) Added untested support for Nuron crypto accelerator.
   6829      [Ben Laurie]
   6831   *) Add support for external cryptographic devices.  This code was
   6832      previously distributed separately as the "engine" branch.
   6833      [Geoff Thorpe, Richard Levitte]
   6835   *) Rework the filename-translation in the DSO code. It is now possible to
   6836      have far greater control over how a "name" is turned into a filename
   6837      depending on the operating environment and any oddities about the
   6838      different shared library filenames on each system.
   6839      [Geoff Thorpe]
   6841   *) Support threads on FreeBSD-elf in Configure.
   6842      [Richard Levitte]
   6844   *) Fix for SHA1 assembly problem with MASM: it produces
   6845      warnings about corrupt line number information when assembling
   6846      with debugging information. This is caused by the overlapping
   6847      of two sections.
   6848      [Bernd Matthes <mainbug (a] celocom.de>, Steve Henson]
   6850   *) NCONF changes.
   6851      NCONF_get_number() has no error checking at all.  As a replacement,
   6852      NCONF_get_number_e() is defined (_e for "error checking") and is
   6853      promoted strongly.  The old NCONF_get_number is kept around for
   6854      binary backward compatibility.
   6855      Make it possible for methods to load from something other than a BIO,
   6856      by providing a function pointer that is given a name instead of a BIO.
   6857      For example, this could be used to load configuration data from an
   6858      LDAP server.
   6859      [Richard Levitte]
   6861   *) Fix for non blocking accept BIOs. Added new I/O special reason
   6862      BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
   6863      with non blocking I/O was not possible because no retry code was
   6864      implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
   6865      this case.
   6866      [Steve Henson]
   6868   *) Added the beginnings of Rijndael support.
   6869      [Ben Laurie]
   6871   *) Fix for bug in DirectoryString mask setting. Add support for
   6872      X509_NAME_print_ex() in 'req' and X509_print_ex() function
   6873      to allow certificate printing to more controllable, additional
   6874      'certopt' option to 'x509' to allow new printing options to be
   6875      set.
   6876      [Steve Henson]
   6878   *) Clean old EAY MD5 hack from e_os.h.
   6879      [Richard Levitte]
   6881  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
   6883   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
   6884      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
   6885      [Joe Orton, Steve Henson]
   6887  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
   6889   *) Fix additional bug revealed by the NISCC test suite:
   6891      Stop bug triggering large recursion when presented with
   6892      certain ASN.1 tags (CVE-2003-0851)
   6893      [Steve Henson]
   6895  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
   6897   *) Fix various bugs revealed by running the NISCC test suite:
   6899      Stop out of bounds reads in the ASN1 code when presented with
   6900      invalid tags (CVE-2003-0543 and CVE-2003-0544).
   6902      If verify callback ignores invalid public key errors don't try to check
   6903      certificate signature with the NULL public key.
   6905      [Steve Henson]
   6907   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
   6908      if the server requested one: as stated in TLS 1.0 and SSL 3.0
   6909      specifications.
   6910      [Steve Henson]
   6912   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
   6913      extra data after the compression methods not only for TLS 1.0
   6914      but also for SSL 3.0 (as required by the specification).
   6915      [Bodo Moeller; problem pointed out by Matthias Loepfe]
   6917   *) Change X509_certificate_type() to mark the key as exported/exportable
   6918      when it's 512 *bits* long, not 512 bytes.
   6919      [Richard Levitte]
   6921  Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
   6923   *) Countermeasure against the Klima-Pokorny-Rosa extension of
   6924      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
   6925      a protocol version number mismatch like a decryption error
   6926      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
   6927      [Bodo Moeller]
   6929   *) Turn on RSA blinding by default in the default implementation
   6930      to avoid a timing attack. Applications that don't want it can call
   6931      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
   6932      They would be ill-advised to do so in most cases.
   6933      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
   6935   *) Change RSA blinding code so that it works when the PRNG is not
   6936      seeded (in this case, the secret RSA exponent is abused as
   6937      an unpredictable seed -- if it is not unpredictable, there
   6938      is no point in blinding anyway).  Make RSA blinding thread-safe
   6939      by remembering the creator's thread ID in rsa->blinding and
   6940      having all other threads use local one-time blinding factors
   6941      (this requires more computation than sharing rsa->blinding, but
   6942      avoids excessive locking; and if an RSA object is not shared
   6943      between threads, blinding will still be very fast).
   6944      [Bodo Moeller]
   6946  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
   6948   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
   6949      via timing by performing a MAC computation even if incorrrect
   6950      block cipher padding has been found.  This is a countermeasure
   6951      against active attacks where the attacker has to distinguish
   6952      between bad padding and a MAC verification error. (CVE-2003-0078)
   6954      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
   6955      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
   6956      Martin Vuagnoux (EPFL, Ilion)]
   6958  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
   6960   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
   6961      memory from it's contents.  This is done with a counter that will
   6962      place alternating values in each byte.  This can be used to solve
   6963      two issues: 1) the removal of calls to memset() by highly optimizing
   6964      compilers, and 2) cleansing with other values than 0, since those can
   6965      be read through on certain media, for example a swap space on disk.
   6966      [Geoff Thorpe]
   6968   *) Bugfix: client side session caching did not work with external caching,
   6969      because the session->cipher setting was not restored when reloading
   6970      from the external cache. This problem was masked, when
   6971      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
   6972      (Found by Steve Haslam <steve (a] araqnid.ddts.net>.)
   6973      [Lutz Jaenicke]
   6975   *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
   6976      length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
   6977      [Zeev Lieber <zeev-l (a] yahoo.com>]
   6979   *) Undo an undocumented change introduced in 0.9.6e which caused
   6980      repeated calls to OpenSSL_add_all_ciphers() and 
   6981      OpenSSL_add_all_digests() to be ignored, even after calling
   6982      EVP_cleanup().
   6983      [Richard Levitte]
   6985   *) Change the default configuration reader to deal with last line not
   6986      being properly terminated.
   6987      [Richard Levitte]
   6989   *) Change X509_NAME_cmp() so it applies the special rules on handling
   6990      DN values that are of type PrintableString, as well as RDNs of type
   6991      emailAddress where the value has the type ia5String.
   6992      [stefank (a] valicert.com via Richard Levitte]
   6994   *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
   6995      the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
   6996      doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
   6997      the bitwise-OR of the two for use by the majority of applications
   6998      wanting this behaviour, and update the docs. The documented
   6999      behaviour and actual behaviour were inconsistent and had been
   7000      changing anyway, so this is more a bug-fix than a behavioural
   7001      change.
   7002      [Geoff Thorpe, diagnosed by Nadav Har'El]
   7004   *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
   7005      (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
   7006      [Bodo Moeller]
   7008   *) Fix initialization code race conditions in
   7009         SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
   7010         SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
   7011         SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
   7012         TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
   7013         ssl2_get_cipher_by_char(),
   7014         ssl3_get_cipher_by_char().
   7015      [Patrick McCormick <patrick (a] tellme.com>, Bodo Moeller]
   7017   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
   7018      the cached sessions are flushed, as the remove_cb() might use ex_data
   7019      contents. Bug found by Sam Varshavchik <mrsam (a] courier-mta.com>
   7020      (see [openssl.org #212]).
   7021      [Geoff Thorpe, Lutz Jaenicke]
   7023   *) Fix typo in OBJ_txt2obj which incorrectly passed the content
   7024      length, instead of the encoding length to d2i_ASN1_OBJECT.
   7025      [Steve Henson]
   7027  Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
   7029   *) [In 0.9.6g-engine release:]
   7030      Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
   7031      [Lynn Gazis <lgazis (a] rainbow.com>]
   7033  Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
   7035   *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
   7036      and get fix the header length calculation.
   7037      [Florian Weimer <Weimer (a] CERT.Uni-Stuttgart.DE>,
   7038 	Alon Kantor <alonk (a] checkpoint.com> (and others),
   7039 	Steve Henson]
   7041   *) Use proper error handling instead of 'assertions' in buffer
   7042      overflow checks added in 0.9.6e.  This prevents DoS (the
   7043      assertions could call abort()).
   7044      [Arne Ansper <arne (a] ats.cyber.ee>, Bodo Moeller]
   7046  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
   7048   *) Add various sanity checks to asn1_get_length() to reject
   7049      the ASN1 length bytes if they exceed sizeof(long), will appear
   7050      negative or the content length exceeds the length of the
   7051      supplied buffer.
   7052      [Steve Henson, Adi Stav <stav (a] mercury.co.il>, James Yonan <jim (a] ntlp.com>]
   7054   *) Fix cipher selection routines: ciphers without encryption had no flags
   7055      for the cipher strength set and where therefore not handled correctly
   7056      by the selection routines (PR #130).
   7057      [Lutz Jaenicke]
   7059   *) Fix EVP_dsa_sha macro.
   7060      [Nils Larsch]
   7062   *) New option
   7064      for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
   7065      that was added in OpenSSL 0.9.6d.
   7067      As the countermeasure turned out to be incompatible with some
   7068      broken SSL implementations, the new option is part of SSL_OP_ALL.
   7069      SSL_OP_ALL is usually employed when compatibility with weird SSL
   7070      implementations is desired (e.g. '-bugs' option to 's_client' and
   7071      's_server'), so the new option is automatically set in many
   7072      applications.
   7073      [Bodo Moeller]
   7075   *) Changes in security patch:
   7077      Changes marked "(CHATS)" were sponsored by the Defense Advanced
   7078      Research Projects Agency (DARPA) and Air Force Research Laboratory,
   7079      Air Force Materiel Command, USAF, under agreement number
   7080      F30602-01-2-0537.
   7082   *) Add various sanity checks to asn1_get_length() to reject
   7083      the ASN1 length bytes if they exceed sizeof(long), will appear
   7084      negative or the content length exceeds the length of the
   7085      supplied buffer. (CVE-2002-0659)
   7086      [Steve Henson, Adi Stav <stav (a] mercury.co.il>, James Yonan <jim (a] ntlp.com>]
   7088   *) Assertions for various potential buffer overflows, not known to
   7089      happen in practice.
   7090      [Ben Laurie (CHATS)]
   7092   *) Various temporary buffers to hold ASCII versions of integers were
   7093      too small for 64 bit platforms. (CVE-2002-0655)
   7094      [Matthew Byng-Maddick <mbm (a] aldigital.co.uk> and Ben Laurie (CHATS)>
   7096   *) Remote buffer overflow in SSL3 protocol - an attacker could
   7097      supply an oversized session ID to a client. (CVE-2002-0656)
   7098      [Ben Laurie (CHATS)]
   7100   *) Remote buffer overflow in SSL2 protocol - an attacker could
   7101      supply an oversized client master key. (CVE-2002-0656)
   7102      [Ben Laurie (CHATS)]
   7104  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
   7106   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
   7107      encoded as NULL) with id-dsa-with-sha1.
   7108      [Nils Larsch <nla (a] trustcenter.de>; problem pointed out by Bodo Moeller]
   7110   *) Check various X509_...() return values in apps/req.c.
   7111      [Nils Larsch <nla (a] trustcenter.de>]
   7113   *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
   7114      an end-of-file condition would erronously be flagged, when the CRLF
   7115      was just at the end of a processed block. The bug was discovered when
   7116      processing data through a buffering memory BIO handing the data to a
   7117      BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
   7118      <ptsekov (a] syntrex.com> and Nedelcho Stanev.
   7119      [Lutz Jaenicke]
   7121   *) Implement a countermeasure against a vulnerability recently found
   7122      in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
   7123      before application data chunks to avoid the use of known IVs
   7124      with data potentially chosen by the attacker.
   7125      [Bodo Moeller]
   7127   *) Fix length checks in ssl3_get_client_hello().
   7128      [Bodo Moeller]
   7130   *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
   7131      to prevent ssl3_read_internal() from incorrectly assuming that
   7132      ssl3_read_bytes() found application data while handshake
   7133      processing was enabled when in fact s->s3->in_read_app_data was
   7134      merely automatically cleared during the initial handshake.
   7135      [Bodo Moeller; problem pointed out by Arne Ansper <arne (a] ats.cyber.ee>]
   7137   *) Fix object definitions for Private and Enterprise: they were not
   7138      recognized in their shortname (=lowercase) representation. Extend
   7139      obj_dat.pl to issue an error when using undefined keywords instead
   7140      of silently ignoring the problem (Svenning Sorensen
   7141      <sss (a] sss.dnsalias.net>).
   7142      [Lutz Jaenicke]
   7144   *) Fix DH_generate_parameters() so that it works for 'non-standard'
   7145      generators, i.e. generators other than 2 and 5.  (Previously, the
   7146      code did not properly initialise the 'add' and 'rem' values to
   7147      BN_generate_prime().)
   7149      In the new general case, we do not insist that 'generator' is
   7150      actually a primitive root: This requirement is rather pointless;
   7151      a generator of the order-q subgroup is just as good, if not
   7152      better.
   7153      [Bodo Moeller]
   7155   *) Map new X509 verification errors to alerts. Discovered and submitted by
   7156      Tom Wu <tom (a] arcot.com>.
   7157      [Lutz Jaenicke]
   7159   *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
   7160      returning non-zero before the data has been completely received
   7161      when using non-blocking I/O.
   7162      [Bodo Moeller; problem pointed out by John Hughes]
   7164   *) Some of the ciphers missed the strength entry (SSL_LOW etc).
   7165      [Ben Laurie, Lutz Jaenicke]
   7167   *) Fix bug in SSL_clear(): bad sessions were not removed (found by
   7168      Yoram Zahavi <YoramZ (a] gilian.com>).
   7169      [Lutz Jaenicke]
   7171   *) Add information about CygWin 1.3 and on, and preserve proper
   7172      configuration for the versions before that.
   7173      [Corinna Vinschen <vinschen (a] redhat.com> and Richard Levitte]
   7175   *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
   7176      check whether we deal with a copy of a session and do not delete from
   7177      the cache in this case. Problem reported by "Izhar Shoshani Levi"
   7178      <izhar (a] checkpoint.com>.
   7179      [Lutz Jaenicke]
   7181   *) Do not store session data into the internal session cache, if it
   7182      is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
   7183      flag is set). Proposed by Aslam <aslam (a] funk.com>.
   7184      [Lutz Jaenicke]
   7186   *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
   7187      value is 0.
   7188      [Richard Levitte]
   7190   *) [In 0.9.6d-engine release:]
   7191      Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
   7192      [Toomas Kiisk <vix (a] cyber.ee> via Richard Levitte]
   7194   *) Add the configuration target linux-s390x.
   7195      [Neale Ferguson <Neale.Ferguson (a] SoftwareAG-USA.com> via Richard Levitte]
   7197   *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
   7198      ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
   7199      variable as an indication that a ClientHello message has been
   7200      received.  As the flag value will be lost between multiple
   7201      invocations of ssl3_accept when using non-blocking I/O, the
   7202      function may not be aware that a handshake has actually taken
   7203      place, thus preventing a new session from being added to the
   7204      session cache.
   7206      To avoid this problem, we now set s->new_session to 2 instead of
   7207      using a local variable.
   7208      [Lutz Jaenicke, Bodo Moeller]
   7210   *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
   7211      if the SSL_R_LENGTH_MISMATCH error is detected.
   7212      [Geoff Thorpe, Bodo Moeller]
   7214   *) New 'shared_ldflag' column in Configure platform table.
   7215      [Richard Levitte]
   7217   *) Fix EVP_CIPHER_mode macro.
   7218      ["Dan S. Camper" <dan (a] bti.net>]
   7220   *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
   7221      type, we must throw them away by setting rr->length to 0.
   7222      [D P Chang <dpc (a] qualys.com>]
   7224  Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
   7226   *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
   7227      <Dominikus.Scherkl (a] biodata.com>.  (The previous implementation
   7228      worked incorrectly for those cases where  range = 10..._2  and
   7229      3*range  is two bits longer than  range.)
   7230      [Bodo Moeller]
   7232   *) Only add signing time to PKCS7 structures if it is not already
   7233      present.
   7234      [Steve Henson]
   7236   *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
   7237      OBJ_ld_ce should be OBJ_id_ce.
   7238      Also some ip-pda OIDs in crypto/objects/objects.txt were
   7239      incorrect (cf. RFC 3039).
   7240      [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
   7242   *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
   7243      returns early because it has nothing to do.
   7244      [Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7246   *) [In 0.9.6c-engine release:]
   7247      Fix mutex callback return values in crypto/engine/hw_ncipher.c.
   7248      [Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7250   *) [In 0.9.6c-engine release:]
   7251      Add support for Cryptographic Appliance's keyserver technology.
   7252      (Use engine 'keyclient')
   7253      [Cryptographic Appliances and Geoff Thorpe]
   7255   *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
   7256      is called via tools/c89.sh because arguments have to be
   7257      rearranged (all '-L' options must appear before the first object
   7258      modules).
   7259      [Richard Shapiro <rshapiro (a] abinitio.com>]
   7261   *) [In 0.9.6c-engine release:]
   7262      Add support for Broadcom crypto accelerator cards, backported
   7263      from 0.9.7.
   7264      [Broadcom, Nalin Dahyabhai <nalin (a] redhat.com>, Mark Cox]
   7266   *) [In 0.9.6c-engine release:]
   7267      Add support for SureWare crypto accelerator cards from 
   7268      Baltimore Technologies.  (Use engine 'sureware')
   7269      [Baltimore Technologies and Mark Cox]
   7271   *) [In 0.9.6c-engine release:]
   7272      Add support for crypto accelerator cards from Accelerated
   7273      Encryption Processing, www.aep.ie.  (Use engine 'aep')
   7274      [AEP Inc. and Mark Cox]
   7276   *) Add a configuration entry for gcc on UnixWare.
   7277      [Gary Benson <gbenson (a] redhat.com>]
   7279   *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
   7280      messages are stored in a single piece (fixed-length part and
   7281      variable-length part combined) and fix various bugs found on the way.
   7282      [Bodo Moeller]
   7284   *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
   7285      instead.  BIO_gethostbyname() does not know what timeouts are
   7286      appropriate, so entries would stay in cache even when they have
   7287      become invalid.
   7288      [Bodo Moeller; problem pointed out by Rich Salz <rsalz (a] zolera.com>
   7290   *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
   7291      faced with a pathologically small ClientHello fragment that does
   7292      not contain client_version: Instead of aborting with an error,
   7293      simply choose the highest available protocol version (i.e.,
   7294      TLS 1.0 unless it is disabled).  In practice, ClientHello
   7295      messages are never sent like this, but this change gives us
   7296      strictly correct behaviour at least for TLS.
   7297      [Bodo Moeller]
   7299   *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
   7300      never resets s->method to s->ctx->method when called from within
   7301      one of the SSL handshake functions.
   7302      [Bodo Moeller; problem pointed out by Niko Baric]
   7304   *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
   7305      (sent using the client's version number) if client_version is
   7306      smaller than the protocol version in use.  Also change
   7307      ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
   7308      the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
   7309      the client will at least see that alert.
   7310      [Bodo Moeller]
   7312   *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
   7313      correctly.
   7314      [Bodo Moeller]
   7316   *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
   7317      client receives HelloRequest while in a handshake.
   7318      [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider (a] bjss.co.uk>]
   7320   *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
   7321      should end in 'break', not 'goto end' which circuments various
   7322      cleanups done in state SSL_ST_OK.   But session related stuff
   7323      must be disabled for SSL_ST_OK in the case that we just sent a
   7324      HelloRequest.
   7326      Also avoid some overhead by not calling ssl_init_wbio_buffer()
   7327      before just sending a HelloRequest.
   7328      [Bodo Moeller, Eric Rescorla <ekr (a] rtfm.com>]
   7330   *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
   7331      reveal whether illegal block cipher padding was found or a MAC
   7332      verification error occured.  (Neither SSLerr() codes nor alerts
   7333      are directly visible to potential attackers, but the information
   7334      may leak via logfiles.)
   7336      Similar changes are not required for the SSL 2.0 implementation
   7337      because the number of padding bytes is sent in clear for SSL 2.0,
   7338      and the extra bytes are just ignored.  However ssl/s2_pkt.c
   7339      failed to verify that the purported number of padding bytes is in
   7340      the legal range.
   7341      [Bodo Moeller]
   7343   *) Add OpenUNIX-8 support including shared libraries
   7344      (Boyd Lynn Gerber <gerberb (a] zenez.com>).
   7345      [Lutz Jaenicke]
   7347   *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
   7348      'wristwatch attack' using huge encoding parameters (cf.
   7349      James H. Manger's CRYPTO 2001 paper).  Note that the
   7350      RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
   7351      encoding parameters and hence was not vulnerable.
   7352      [Bodo Moeller]
   7354   *) BN_sqr() bug fix.
   7355      [Ulf Mller, reported by Jim Ellis <jim.ellis (a] cavium.com>]
   7357   *) Rabin-Miller test analyses assume uniformly distributed witnesses,
   7358      so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
   7359      followed by modular reduction.
   7360      [Bodo Moeller; pointed out by Adam Young <AYoung1 (a] NCSUS.JNJ.COM>]
   7362   *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
   7363      equivalent based on BN_pseudo_rand() instead of BN_rand().
   7364      [Bodo Moeller]
   7366   *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
   7367      This function was broken, as the check for a new client hello message
   7368      to handle SGC did not allow these large messages.
   7369      (Tracked down by "Douglas E. Engert" <deengert (a] anl.gov>.)
   7370      [Lutz Jaenicke]
   7372   *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
   7373      [Lutz Jaenicke]
   7375   *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
   7376      for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton (a] netopia.com>).
   7377      [Lutz Jaenicke]
   7379   *) Rework the configuration and shared library support for Tru64 Unix.
   7380      The configuration part makes use of modern compiler features and
   7381      still retains old compiler behavior for those that run older versions
   7382      of the OS.  The shared library support part includes a variant that
   7383      uses the RPATH feature, and is available through the special
   7384      configuration target "alpha-cc-rpath", which will never be selected
   7385      automatically.
   7386      [Tim Mooney <mooney (a] dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
   7388   *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
   7389      with the same message size as in ssl3_get_certificate_request().
   7390      Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
   7391      messages might inadvertently be reject as too long.
   7392      [Petr Lampa <lampa (a] fee.vutbr.cz>]
   7394   *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
   7395      [Andy Polyakov]
   7397   *) Modified SSL library such that the verify_callback that has been set
   7398      specificly for an SSL object with SSL_set_verify() is actually being
   7399      used. Before the change, a verify_callback set with this function was
   7400      ignored and the verify_callback() set in the SSL_CTX at the time of
   7401      the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
   7402      to allow the necessary settings.
   7403      [Lutz Jaenicke]
   7405   *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
   7406      explicitly to NULL, as at least on Solaris 8 this seems not always to be
   7407      done automatically (in contradiction to the requirements of the C
   7408      standard). This made problems when used from OpenSSH.
   7409      [Lutz Jaenicke]
   7411   *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
   7412      dh->length and always used
   7414           BN_rand_range(priv_key, dh->p).
   7416      BN_rand_range() is not necessary for Diffie-Hellman, and this
   7417      specific range makes Diffie-Hellman unnecessarily inefficient if
   7418      dh->length (recommended exponent length) is much smaller than the
   7419      length of dh->p.  We could use BN_rand_range() if the order of
   7420      the subgroup was stored in the DH structure, but we only have
   7421      dh->length.
   7423      So switch back to
   7425           BN_rand(priv_key, l, ...)
   7427      where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
   7428      otherwise.
   7429      [Bodo Moeller]
   7431   *) In
   7433           RSA_eay_public_encrypt
   7434           RSA_eay_private_decrypt
   7435           RSA_eay_private_encrypt (signing)
   7436           RSA_eay_public_decrypt (signature verification)
   7438      (default implementations for RSA_public_encrypt,
   7439      RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
   7440      always reject numbers >= n.
   7441      [Bodo Moeller]
   7443   *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
   7444      to synchronize access to 'locking_thread'.  This is necessary on
   7445      systems where access to 'locking_thread' (an 'unsigned long'
   7446      variable) is not atomic.
   7447      [Bodo Moeller]
   7449   *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
   7450      *before* setting the 'crypto_lock_rand' flag.  The previous code had
   7451      a race condition if 0 is a valid thread ID.
   7452      [Travis Vitek <vitek (a] roguewave.com>]
   7454   *) Add support for shared libraries under Irix.
   7455      [Albert Chin-A-Young <china (a] thewrittenword.com>]
   7457   *) Add configuration option to build on Linux on both big-endian and
   7458      little-endian MIPS.
   7459      [Ralf Baechle <ralf (a] uni-koblenz.de>]
   7461   *) Add the possibility to create shared libraries on HP-UX.
   7462      [Richard Levitte]
   7464  Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
   7466   *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
   7467      to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
   7468      Markku-Juhani O. Saarinen <markku-juhani.saarinen (a] nokia.com>:
   7469      PRNG state recovery was possible based on the output of
   7470      one PRNG request appropriately sized to gain knowledge on
   7471      'md' followed by enough consecutive 1-byte PRNG requests
   7472      to traverse all of 'state'.
   7474      1. When updating 'md_local' (the current thread's copy of 'md')
   7475         during PRNG output generation, hash all of the previous
   7476         'md_local' value, not just the half used for PRNG output.
   7478      2. Make the number of bytes from 'state' included into the hash
   7479         independent from the number of PRNG bytes requested.
   7481      The first measure alone would be sufficient to avoid
   7482      Markku-Juhani's attack.  (Actually it had never occurred
   7483      to me that the half of 'md_local' used for chaining was the
   7484      half from which PRNG output bytes were taken -- I had always
   7485      assumed that the secret half would be used.)  The second
   7486      measure makes sure that additional data from 'state' is never
   7487      mixed into 'md_local' in small portions; this heuristically
   7488      further strengthens the PRNG.
   7489      [Bodo Moeller]
   7491   *) Fix crypto/bn/asm/mips3.s.
   7492      [Andy Polyakov]
   7494   *) When only the key is given to "enc", the IV is undefined. Print out
   7495      an error message in this case.
   7496      [Lutz Jaenicke]
   7498   *) Handle special case when X509_NAME is empty in X509 printing routines.
   7499      [Steve Henson]
   7501   *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
   7502      positive and less than q.
   7503      [Bodo Moeller]
   7505   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
   7506      used: it isn't thread safe and the add_lock_callback should handle
   7507      that itself.
   7508      [Paul Rose <Paul.Rose (a] bridge.com>]
   7510   *) Verify that incoming data obeys the block size in
   7511      ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
   7512      [Bodo Moeller]
   7514   *) Fix OAEP check.
   7515      [Ulf Mller, Bodo Mller]
   7517   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
   7518      RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
   7519      when fixing the server behaviour for backwards-compatible 'client
   7520      hello' messages.  (Note that the attack is impractical against
   7521      SSL 3.0 and TLS 1.0 anyway because length and version checking
   7522      means that the probability of guessing a valid ciphertext is
   7523      around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
   7524      paper.)
   7526      Before 0.9.5, the countermeasure (hide the error by generating a
   7527      random 'decryption result') did not work properly because
   7528      ERR_clear_error() was missing, meaning that SSL_get_error() would
   7529      detect the supposedly ignored error.
   7531      Both problems are now fixed.
   7532      [Bodo Moeller]
   7534   *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
   7535      (previously it was 1024).
   7536      [Bodo Moeller]
   7538   *) Fix for compatibility mode trust settings: ignore trust settings
   7539      unless some valid trust or reject settings are present.
   7540      [Steve Henson]
   7542   *) Fix for blowfish EVP: its a variable length cipher.
   7543      [Steve Henson]
   7545   *) Fix various bugs related to DSA S/MIME verification. Handle missing
   7546      parameters in DSA public key structures and return an error in the
   7547      DSA routines if parameters are absent.
   7548      [Steve Henson]
   7550   *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
   7551      in the current directory if neither $RANDFILE nor $HOME was set.
   7552      RAND_file_name() in 0.9.6a returned NULL in this case.  This has
   7553      caused some confusion to Windows users who haven't defined $HOME.
   7554      Thus RAND_file_name() is changed again: e_os.h can define a
   7555      DEFAULT_HOME, which will be used if $HOME is not set.
   7556      For Windows, we use "C:"; on other platforms, we still require
   7557      environment variables.
   7559   *) Move 'if (!initialized) RAND_poll()' into regions protected by
   7560      CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
   7561      having multiple threads call RAND_poll() concurrently.
   7562      [Bodo Moeller]
   7564   *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
   7565      combination of a flag and a thread ID variable.
   7566      Otherwise while one thread is in ssleay_rand_bytes (which sets the
   7567      flag), *other* threads can enter ssleay_add_bytes without obeying
   7568      the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
   7569      that they do not hold after the first thread unsets add_do_not_lock).
   7570      [Bodo Moeller]
   7572   *) Change bctest again: '-x' expressions are not available in all
   7573      versions of 'test'.
   7574      [Bodo Moeller]
   7576  Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
   7578   *) Fix a couple of memory leaks in PKCS7_dataDecode()
   7579      [Steve Henson, reported by Heyun Zheng <hzheng (a] atdsprint.com>]
   7581   *) Change Configure and Makefiles to provide EXE_EXT, which will contain
   7582      the default extension for executables, if any.  Also, make the perl
   7583      scripts that use symlink() to test if it really exists and use "cp"
   7584      if it doesn't.  All this made OpenSSL compilable and installable in
   7585      CygWin.
   7586      [Richard Levitte]
   7588   *) Fix for asn1_GetSequence() for indefinite length constructed data.
   7589      If SEQUENCE is length is indefinite just set c->slen to the total
   7590      amount of data available.
   7591      [Steve Henson, reported by shige (a] FreeBSD.org]
   7592      [This change does not apply to 0.9.7.]
   7594   *) Change bctest to avoid here-documents inside command substitution
   7595      (workaround for FreeBSD /bin/sh bug).
   7596      For compatibility with Ultrix, avoid shell functions (introduced
   7597      in the bctest version that searches along $PATH).
   7598      [Bodo Moeller]
   7600   *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
   7601      with des_encrypt() defined on some operating systems, like Solaris
   7602      and UnixWare.
   7603      [Richard Levitte]
   7605   *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
   7606      On the Importance of Eliminating Errors in Cryptographic
   7607      Computations, J. Cryptology 14 (2001) 2, 101-119,
   7608      http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
   7609      [Ulf Moeller]
   7611   *) MIPS assembler BIGNUM division bug fix. 
   7612      [Andy Polyakov]
   7614   *) Disabled incorrect Alpha assembler code.
   7615      [Richard Levitte]
   7617   *) Fix PKCS#7 decode routines so they correctly update the length
   7618      after reading an EOC for the EXPLICIT tag.
   7619      [Steve Henson]
   7620      [This change does not apply to 0.9.7.]
   7622   *) Fix bug in PKCS#12 key generation routines. This was triggered
   7623      if a 3DES key was generated with a 0 initial byte. Include
   7624      PKCS12_BROKEN_KEYGEN compilation option to retain the old
   7625      (but broken) behaviour.
   7626      [Steve Henson]
   7628   *) Enhance bctest to search for a working bc along $PATH and print
   7629      it when found.
   7630      [Tim Rice <tim (a] multitalents.net> via Richard Levitte]
   7632   *) Fix memory leaks in err.c: free err_data string if necessary;
   7633      don't write to the wrong index in ERR_set_error_data.
   7634      [Bodo Moeller]
   7636   *) Implement ssl23_peek (analogous to ssl23_read), which previously
   7637      did not exist.
   7638      [Bodo Moeller]
   7640   *) Replace rdtsc with _emit statements for VC++ version 5.
   7641      [Jeremy Cooper <jeremy (a] baymoo.org>]
   7643   *) Make it possible to reuse SSLv2 sessions.
   7644      [Richard Levitte]
   7646   *) In copy_email() check for >= 0 as a return value for
   7647      X509_NAME_get_index_by_NID() since 0 is a valid index.
   7648      [Steve Henson reported by Massimiliano Pala <madwolf (a] opensca.org>]
   7650   *) Avoid coredump with unsupported or invalid public keys by checking if
   7651      X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
   7652      PKCS7_verify() fails with non detached data.
   7653      [Steve Henson]
   7655   *) Don't use getenv in library functions when run as setuid/setgid.
   7656      New function OPENSSL_issetugid().
   7657      [Ulf Moeller]
   7659   *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
   7660      due to incorrect handling of multi-threading:
   7662      1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
   7664      2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
   7666      3. Count how many times MemCheck_off() has been called so that
   7667         nested use can be treated correctly.  This also avoids 
   7668         inband-signalling in the previous code (which relied on the
   7669         assumption that thread ID 0 is impossible).
   7670      [Bodo Moeller]
   7672   *) Add "-rand" option also to s_client and s_server.
   7673      [Lutz Jaenicke]
   7675   *) Fix CPU detection on Irix 6.x.
   7676      [Kurt Hockenbury <khockenb (a] stevens-tech.edu> and
   7677       "Bruce W. Forsberg" <bruce.forsberg (a] baesystems.com>]
   7679   *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
   7680      was empty.
   7681      [Steve Henson]
   7682      [This change does not apply to 0.9.7.]
   7684   *) Use the cached encoding of an X509_NAME structure rather than
   7685      copying it. This is apparently the reason for the libsafe "errors"
   7686      but the code is actually correct.
   7687      [Steve Henson]
   7689   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
   7690      Bleichenbacher's DSA attack.
   7691      Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
   7692      to be set and top=0 forces the highest bit to be set; top=-1 is new
   7693      and leaves the highest bit random.
   7694      [Ulf Moeller, Bodo Moeller]
   7696   *) In the NCONF_...-based implementations for CONF_... queries
   7697      (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
   7698      a temporary CONF structure with the data component set to NULL
   7699      (which gives segmentation faults in lh_retrieve).
   7700      Instead, use NULL for the CONF pointer in CONF_get_string and
   7701      CONF_get_number (which may use environment variables) and directly
   7702      return NULL from CONF_get_section.
   7703      [Bodo Moeller]
   7705   *) Fix potential buffer overrun for EBCDIC.
   7706      [Ulf Moeller]
   7708   *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
   7709      keyUsage if basicConstraints absent for a CA.
   7710      [Steve Henson]
   7712   *) Make SMIME_write_PKCS7() write mail header values with a format that
   7713      is more generally accepted (no spaces before the semicolon), since
   7714      some programs can't parse those values properly otherwise.  Also make
   7715      sure BIO's that break lines after each write do not create invalid
   7716      headers.
   7717      [Richard Levitte]
   7719   *) Make the CRL encoding routines work with empty SEQUENCE OF. The
   7720      macros previously used would not encode an empty SEQUENCE OF
   7721      and break the signature.
   7722      [Steve Henson]
   7723      [This change does not apply to 0.9.7.]
   7725   *) Zero the premaster secret after deriving the master secret in
   7726      DH ciphersuites.
   7727      [Steve Henson]
   7729   *) Add some EVP_add_digest_alias registrations (as found in
   7730      OpenSSL_add_all_digests()) to SSL_library_init()
   7731      aka OpenSSL_add_ssl_algorithms().  This provides improved
   7732      compatibility with peers using X.509 certificates
   7733      with unconventional AlgorithmIdentifier OIDs.
   7734      [Bodo Moeller]
   7736   *) Fix for Irix with NO_ASM.
   7737      ["Bruce W. Forsberg" <bruce.forsberg (a] baesystems.com>]
   7739   *) ./config script fixes.
   7740      [Ulf Moeller, Richard Levitte]
   7742   *) Fix 'openssl passwd -1'.
   7743      [Bodo Moeller]
   7745   *) Change PKCS12_key_gen_asc() so it can cope with non null
   7746      terminated strings whose length is passed in the passlen
   7747      parameter, for example from PEM callbacks. This was done
   7748      by adding an extra length parameter to asc2uni().
   7749      [Steve Henson, reported by <oddissey (a] samsung.co.kr>]
   7751   *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
   7752      call failed, free the DSA structure.
   7753      [Bodo Moeller]
   7755   *) Fix to uni2asc() to cope with zero length Unicode strings.
   7756      These are present in some PKCS#12 files.
   7757      [Steve Henson]
   7759   *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
   7760      Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
   7761      when writing a 32767 byte record.
   7762      [Bodo Moeller; problem reported by Eric Day <eday (a] concentric.net>]
   7764   *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
   7765      obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
   7767      (RSA objects have a reference count access to which is protected
   7768      by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
   7769      so they are meant to be shared between threads.)
   7770      [Bodo Moeller, Geoff Thorpe; original patch submitted by
   7771      "Reddie, Steven" <Steven.Reddie (a] ca.com>]
   7773   *) Fix a deadlock in CRYPTO_mem_leaks().
   7774      [Bodo Moeller]
   7776   *) Use better test patterns in bntest.
   7777      [Ulf Mller]
   7779   *) rand_win.c fix for Borland C.
   7780      [Ulf Mller]
   7782   *) BN_rshift bugfix for n == 0.
   7783      [Bodo Moeller]
   7785   *) Add a 'bctest' script that checks for some known 'bc' bugs
   7786      so that 'make test' does not abort just because 'bc' is broken.
   7787      [Bodo Moeller]
   7789   *) Store verify_result within SSL_SESSION also for client side to
   7790      avoid potential security hole. (Re-used sessions on the client side
   7791      always resulted in verify_result==X509_V_OK, not using the original
   7792      result of the server certificate verification.)
   7793      [Lutz Jaenicke]
   7795   *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
   7796      SSL3_RT_APPLICATION_DATA, return 0.
   7797      Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
   7798      [Bodo Moeller]
   7800   *) Fix SSL_peek:
   7801      Both ssl2_peek and ssl3_peek, which were totally broken in earlier
   7802      releases, have been re-implemented by renaming the previous
   7803      implementations of ssl2_read and ssl3_read to ssl2_read_internal
   7804      and ssl3_read_internal, respectively, and adding 'peek' parameters
   7805      to them.  The new ssl[23]_{read,peek} functions are calls to
   7806      ssl[23]_read_internal with the 'peek' flag set appropriately.
   7807      A 'peek' parameter has also been added to ssl3_read_bytes, which
   7808      does the actual work for ssl3_read_internal.
   7809      [Bodo Moeller]
   7811   *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
   7812      the method-specific "init()" handler. Also clean up ex_data after
   7813      calling the method-specific "finish()" handler. Previously, this was
   7814      happening the other way round.
   7815      [Geoff Thorpe]
   7817   *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
   7818      The previous value, 12, was not always sufficient for BN_mod_exp().
   7819      [Bodo Moeller]
   7821   *) Make sure that shared libraries get the internal name engine with
   7822      the full version number and not just 0.  This should mark the
   7823      shared libraries as not backward compatible.  Of course, this should
   7824      be changed again when we can guarantee backward binary compatibility.
   7825      [Richard Levitte]
   7827   *) Fix typo in get_cert_by_subject() in by_dir.c
   7828      [Jean-Marc Desperrier <jean-marc.desperrier (a] certplus.com>]
   7830   *) Rework the system to generate shared libraries:
   7832      - Make note of the expected extension for the shared libraries and
   7833        if there is a need for symbolic links from for example libcrypto.so.0
   7834        to libcrypto.so.0.9.7.  There is extended info in Configure for
   7835        that.
   7837      - Make as few rebuilds of the shared libraries as possible.
   7839      - Still avoid linking the OpenSSL programs with the shared libraries.
   7841      - When installing, install the shared libraries separately from the
   7842        static ones.
   7843      [Richard Levitte]
   7845   *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
   7847      Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
   7848      and not in SSL_clear because the latter is also used by the
   7849      accept/connect functions; previously, the settings made by
   7850      SSL_set_read_ahead would be lost during the handshake.
   7851      [Bodo Moeller; problems reported by Anders Gertz <gertz (a] epact.se>]     
   7853   *) Correct util/mkdef.pl to be selective about disabled algorithms.
   7854      Previously, it would create entries for disableed algorithms no
   7855      matter what.
   7856      [Richard Levitte]
   7858   *) Added several new manual pages for SSL_* function.
   7859      [Lutz Jaenicke]
   7861  Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
   7863   *) In ssl23_get_client_hello, generate an error message when faced
   7864      with an initial SSL 3.0/TLS record that is too small to contain the
   7865      first two bytes of the ClientHello message, i.e. client_version.
   7866      (Note that this is a pathologic case that probably has never happened
   7867      in real life.)  The previous approach was to use the version number
   7868      from the record header as a substitute; but our protocol choice
   7869      should not depend on that one because it is not authenticated
   7870      by the Finished messages.
   7871      [Bodo Moeller]
   7873   *) More robust randomness gathering functions for Windows.
   7874      [Jeffrey Altman <jaltman (a] columbia.edu>]
   7876   *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
   7877      not set then we don't setup the error code for issuer check errors
   7878      to avoid possibly overwriting other errors which the callback does
   7879      handle. If an application does set the flag then we assume it knows
   7880      what it is doing and can handle the new informational codes
   7881      appropriately.
   7882      [Steve Henson]
   7884   *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
   7885      a general "ANY" type, as such it should be able to decode anything
   7886      including tagged types. However it didn't check the class so it would
   7887      wrongly interpret tagged types in the same way as their universal
   7888      counterpart and unknown types were just rejected. Changed so that the
   7889      tagged and unknown types are handled in the same way as a SEQUENCE:
   7890      that is the encoding is stored intact. There is also a new type
   7891      "V_ASN1_OTHER" which is used when the class is not universal, in this
   7892      case we have no idea what the actual type is so we just lump them all
   7893      together.
   7894      [Steve Henson]
   7896   *) On VMS, stdout may very well lead to a file that is written to
   7897      in a record-oriented fashion.  That means that every write() will
   7898      write a separate record, which will be read separately by the
   7899      programs trying to read from it.  This can be very confusing.
   7901      The solution is to put a BIO filter in the way that will buffer
   7902      text until a linefeed is reached, and then write everything a
   7903      line at a time, so every record written will be an actual line,
   7904      not chunks of lines and not (usually doesn't happen, but I've
   7905      seen it once) several lines in one record.  BIO_f_linebuffer() is
   7906      the answer.
   7908      Currently, it's a VMS-only method, because that's where it has
   7909      been tested well enough.
   7910      [Richard Levitte]
   7912   *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
   7913      it can return incorrect results.
   7914      (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
   7915      but it was in 0.9.6-beta[12].)
   7916      [Bodo Moeller]
   7918   *) Disable the check for content being present when verifying detached
   7919      signatures in pk7_smime.c. Some versions of Netscape (wrongly)
   7920      include zero length content when signing messages.
   7921      [Steve Henson]
   7923   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
   7924      BIO_ctrl (for BIO pairs).
   7925      [Bodo Mller]
   7927   *) Add DSO method for VMS.
   7928      [Richard Levitte]
   7930   *) Bug fix: Montgomery multiplication could produce results with the
   7931      wrong sign.
   7932      [Ulf Mller]
   7934   *) Add RPM specification openssl.spec and modify it to build three
   7935      packages.  The default package contains applications, application
   7936      documentation and run-time libraries.  The devel package contains
   7937      include files, static libraries and function documentation.  The
   7938      doc package contains the contents of the doc directory.  The original
   7939      openssl.spec was provided by Damien Miller <djm (a] mindrot.org>.
   7940      [Richard Levitte]
   7942   *) Add a large number of documentation files for many SSL routines.
   7943      [Lutz Jaenicke <Lutz.Jaenicke (a] aet.TU-Cottbus.DE>]
   7945   *) Add a configuration entry for Sony News 4.
   7946      [NAKAJI Hiroyuki <nakaji (a] tutrp.tut.ac.jp>]
   7948   *) Don't set the two most significant bits to one when generating a
   7949      random number < q in the DSA library.
   7950      [Ulf Mller]
   7952   *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
   7953      behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
   7954      the underlying transport is blocking) if a handshake took place.
   7955      (The default behaviour is needed by applications such as s_client
   7956      and s_server that use select() to determine when to use SSL_read;
   7957      but for applications that know in advance when to expect data, it
   7958      just makes things more complicated.)
   7959      [Bodo Moeller]
   7961   *) Add RAND_egd_bytes(), which gives control over the number of bytes read
   7962      from EGD.
   7963      [Ben Laurie]
   7965   *) Add a few more EBCDIC conditionals that make `req' and `x509'
   7966      work better on such systems.
   7967      [Martin Kraemer <Martin.Kraemer (a] MchP.Siemens.De>]
   7969   *) Add two demo programs for PKCS12_parse() and PKCS12_create().
   7970      Update PKCS12_parse() so it copies the friendlyName and the
   7971      keyid to the certificates aux info.
   7972      [Steve Henson]
   7974   *) Fix bug in PKCS7_verify() which caused an infinite loop
   7975      if there was more than one signature.
   7976      [Sven Uszpelkat <su (a] celocom.de>]
   7978   *) Major change in util/mkdef.pl to include extra information
   7979      about each symbol, as well as presentig variables as well
   7980      as functions.  This change means that there's n more need
   7981      to rebuild the .num files when some algorithms are excluded.
   7982      [Richard Levitte]
   7984   *) Allow the verify time to be set by an application,
   7985      rather than always using the current time.
   7986      [Steve Henson]
   7988   *) Phase 2 verify code reorganisation. The certificate
   7989      verify code now looks up an issuer certificate by a
   7990      number of criteria: subject name, authority key id
   7991      and key usage. It also verifies self signed certificates
   7992      by the same criteria. The main comparison function is
   7993      X509_check_issued() which performs these checks.
   7995      Lot of changes were necessary in order to support this
   7996      without completely rewriting the lookup code.
   7998      Authority and subject key identifier are now cached.
   8000      The LHASH 'certs' is X509_STORE has now been replaced
   8001      by a STACK_OF(X509_OBJECT). This is mainly because an
   8002      LHASH can't store or retrieve multiple objects with
   8003      the same hash value.
   8005      As a result various functions (which were all internal
   8006      use only) have changed to handle the new X509_STORE
   8007      structure. This will break anything that messed round
   8008      with X509_STORE internally.
   8010      The functions X509_STORE_add_cert() now checks for an
   8011      exact match, rather than just subject name.
   8013      The X509_STORE API doesn't directly support the retrieval
   8014      of multiple certificates matching a given criteria, however
   8015      this can be worked round by performing a lookup first
   8016      (which will fill the cache with candidate certificates)
   8017      and then examining the cache for matches. This is probably
   8018      the best we can do without throwing out X509_LOOKUP
   8019      entirely (maybe later...).
   8021      The X509_VERIFY_CTX structure has been enhanced considerably.
   8023      All certificate lookup operations now go via a get_issuer()
   8024      callback. Although this currently uses an X509_STORE it
   8025      can be replaced by custom lookups. This is a simple way
   8026      to bypass the X509_STORE hackery necessary to make this
   8027      work and makes it possible to use more efficient techniques
   8028      in future. A very simple version which uses a simple
   8029      STACK for its trusted certificate store is also provided
   8030      using X509_STORE_CTX_trusted_stack().
   8032      The verify_cb() and verify() callbacks now have equivalents
   8033      in the X509_STORE_CTX structure.
   8035      X509_STORE_CTX also has a 'flags' field which can be used
   8036      to customise the verify behaviour.
   8037      [Steve Henson]
   8039   *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
   8040      excludes S/MIME capabilities.
   8041      [Steve Henson]
   8043   *) When a certificate request is read in keep a copy of the
   8044      original encoding of the signed data and use it when outputing
   8045      again. Signatures then use the original encoding rather than
   8046      a decoded, encoded version which may cause problems if the
   8047      request is improperly encoded.
   8048      [Steve Henson]
   8050   *) For consistency with other BIO_puts implementations, call
   8051      buffer_write(b, ...) directly in buffer_puts instead of calling
   8052      BIO_write(b, ...).
   8054      In BIO_puts, increment b->num_write as in BIO_write.
   8055      [Peter.Sylvester (a] EdelWeb.fr]
   8057   *) Fix BN_mul_word for the case where the word is 0. (We have to use
   8058      BN_zero, we may not return a BIGNUM with an array consisting of
   8059      words set to zero.)
   8060      [Bodo Moeller]
   8062   *) Avoid calling abort() from within the library when problems are
   8063      detected, except if preprocessor symbols have been defined
   8064      (such as REF_CHECK, BN_DEBUG etc.).
   8065      [Bodo Moeller]
   8067   *) New openssl application 'rsautl'. This utility can be
   8068      used for low level RSA operations. DER public key
   8069      BIO/fp routines also added.
   8070      [Steve Henson]
   8072   *) New Configure entry and patches for compiling on QNX 4.
   8073      [Andreas Schneider <andreas (a] ds3.etech.fh-hamburg.de>]
   8075   *) A demo state-machine implementation was sponsored by
   8076      Nuron (http://www.nuron.com/) and is now available in
   8077      demos/state_machine.
   8078      [Ben Laurie]
   8080   *) New options added to the 'dgst' utility for signature
   8081      generation and verification.
   8082      [Steve Henson]
   8084   *) Unrecognized PKCS#7 content types are now handled via a
   8085      catch all ASN1_TYPE structure. This allows unsupported
   8086      types to be stored as a "blob" and an application can
   8087      encode and decode it manually.
   8088      [Steve Henson]
   8090   *) Fix various signed/unsigned issues to make a_strex.c
   8091      compile under VC++.
   8092      [Oscar Jacobsson <oscar.jacobsson (a] celocom.com>]
   8094   *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
   8095      length if passed a buffer. ASN1_INTEGER_to_BN failed
   8096      if passed a NULL BN and its argument was negative.
   8097      [Steve Henson, pointed out by Sven Heiberg <sven (a] tartu.cyber.ee>]
   8099   *) Modification to PKCS#7 encoding routines to output definite
   8100      length encoding. Since currently the whole structures are in
   8101      memory there's not real point in using indefinite length 
   8102      constructed encoding. However if OpenSSL is compiled with
   8103      the flag PKCS7_INDEFINITE_ENCODING the old form is used.
   8104      [Steve Henson]
   8106   *) Added BIO_vprintf() and BIO_vsnprintf().
   8107      [Richard Levitte]
   8109   *) Added more prefixes to parse for in the the strings written
   8110      through a logging bio, to cover all the levels that are available
   8111      through syslog.  The prefixes are now:
   8114 	ALERT, ALR		=>	LOG_ALERT
   8115 	CRIT, CRI		=>	LOG_CRIT
   8116 	ERROR, ERR		=>	LOG_ERR
   8119 	INFO, INF		=>	LOG_INFO
   8120 	DEBUG, DBG		=>	LOG_DEBUG
   8122      and as before, if none of those prefixes are present at the
   8123      beginning of the string, LOG_ERR is chosen.
   8125      On Win32, the LOG_* levels are mapped according to this:
   8131      [Richard Levitte]
   8133   *) Made it possible to reconfigure with just the configuration
   8134      argument "reconf" or "reconfigure".  The command line arguments
   8135      are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
   8136      and are retrieved from there when reconfiguring.
   8137      [Richard Levitte]
   8139   *) MD4 implemented.
   8140      [Assar Westerlund <assar (a] sics.se>, Richard Levitte]
   8142   *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
   8143      [Richard Levitte]
   8145   *) The obj_dat.pl script was messing up the sorting of object
   8146      names. The reason was that it compared the quoted version
   8147      of strings as a result "OCSP" > "OCSP Signing" because
   8148      " > SPACE. Changed script to store unquoted versions of
   8149      names and add quotes on output. It was also omitting some
   8150      names from the lookup table if they were given a default
   8151      value (that is if SN is missing it is given the same
   8152      value as LN and vice versa), these are now added on the
   8153      grounds that if an object has a name we should be able to
   8154      look it up. Finally added warning output when duplicate
   8155      short or long names are found.
   8156      [Steve Henson]
   8158   *) Changes needed for Tandem NSK.
   8159      [Scott Uroff <scott (a] xypro.com>]
   8161   *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
   8162      RSA_padding_check_SSLv23(), special padding was never detected
   8163      and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
   8164      version rollback attacks was not effective.
   8166      In s23_clnt.c, don't use special rollback-attack detection padding
   8167      (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
   8168      client; similarly, in s23_srvr.c, don't do the rollback check if
   8169      SSL 2.0 is the only protocol enabled in the server.
   8170      [Bodo Moeller]
   8172   *) Make it possible to get hexdumps of unprintable data with 'openssl
   8173      asn1parse'.  By implication, the functions ASN1_parse_dump() and
   8174      BIO_dump_indent() are added.
   8175      [Richard Levitte]
   8177   *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
   8178      these print out strings and name structures based on various
   8179      flags including RFC2253 support and proper handling of
   8180      multibyte characters. Added options to the 'x509' utility 
   8181      to allow the various flags to be set.
   8182      [Steve Henson]
   8184   *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
   8185      Also change the functions X509_cmp_current_time() and
   8186      X509_gmtime_adj() work with an ASN1_TIME structure,
   8187      this will enable certificates using GeneralizedTime in validity
   8188      dates to be checked.
   8189      [Steve Henson]
   8191   *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
   8192      negative public key encodings) on by default,
   8193      NO_NEG_PUBKEY_BUG can be set to disable it.
   8194      [Steve Henson]
   8196   *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
   8197      content octets. An i2c_ASN1_OBJECT is unnecessary because
   8198      the encoding can be trivially obtained from the structure.
   8199      [Steve Henson]
   8201   *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
   8202      not read locks (CRYPTO_r_[un]lock).
   8203      [Bodo Moeller]
   8205   *) A first attempt at creating official support for shared
   8206      libraries through configuration.  I've kept it so the
   8207      default is static libraries only, and the OpenSSL programs
   8208      are always statically linked for now, but there are
   8209      preparations for dynamic linking in place.
   8210      This has been tested on Linux and Tru64.
   8211      [Richard Levitte]
   8213   *) Randomness polling function for Win9x, as described in:
   8214      Peter Gutmann, Software Generation of Practically Strong
   8215      Random Numbers.
   8216      [Ulf Mller]
   8218   *) Fix so PRNG is seeded in req if using an already existing
   8219      DSA key.
   8220      [Steve Henson]
   8222   *) New options to smime application. -inform and -outform
   8223      allow alternative formats for the S/MIME message including
   8224      PEM and DER. The -content option allows the content to be
   8225      specified separately. This should allow things like Netscape
   8226      form signing output easier to verify.
   8227      [Steve Henson]
   8229   *) Fix the ASN1 encoding of tags using the 'long form'.
   8230      [Steve Henson]
   8232   *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
   8233      STRING types. These convert content octets to and from the
   8234      underlying type. The actual tag and length octets are
   8235      already assumed to have been read in and checked. These
   8236      are needed because all other string types have virtually
   8237      identical handling apart from the tag. By having versions
   8238      of the ASN1 functions that just operate on content octets
   8239      IMPLICIT tagging can be handled properly. It also allows
   8240      the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
   8241      and ASN1_INTEGER are identical apart from the tag.
   8242      [Steve Henson]
   8244   *) Change the handling of OID objects as follows:
   8246      - New object identifiers are inserted in objects.txt, following
   8247        the syntax given in objects.README.
   8248      - objects.pl is used to process obj_mac.num and create a new
   8249        obj_mac.h.
   8250      - obj_dat.pl is used to create a new obj_dat.h, using the data in
   8251        obj_mac.h.
   8253      This is currently kind of a hack, and the perl code in objects.pl
   8254      isn't very elegant, but it works as I intended.  The simplest way
   8255      to check that it worked correctly is to look in obj_dat.h and
   8256      check the array nid_objs and make sure the objects haven't moved
   8257      around (this is important!).  Additions are OK, as well as
   8258      consistent name changes. 
   8259      [Richard Levitte]
   8261   *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
   8262      [Bodo Moeller]
   8264   *) Addition of the command line parameter '-rand file' to 'openssl req'.
   8265      The given file adds to whatever has already been seeded into the
   8266      random pool through the RANDFILE configuration file option or
   8267      environment variable, or the default random state file.
   8268      [Richard Levitte]
   8270   *) mkstack.pl now sorts each macro group into lexical order.
   8271      Previously the output order depended on the order the files
   8272      appeared in the directory, resulting in needless rewriting
   8273      of safestack.h .
   8274      [Steve Henson]
   8276   *) Patches to make OpenSSL compile under Win32 again. Mostly
   8277      work arounds for the VC++ problem that it treats func() as
   8278      func(void). Also stripped out the parts of mkdef.pl that
   8279      added extra typesafe functions: these no longer exist.
   8280      [Steve Henson]
   8282   *) Reorganisation of the stack code. The macros are now all 
   8283      collected in safestack.h . Each macro is defined in terms of
   8284      a "stack macro" of the form SKM_<name>(type, a, b). The 
   8285      DEBUG_SAFESTACK is now handled in terms of function casts,
   8286      this has the advantage of retaining type safety without the
   8287      use of additional functions. If DEBUG_SAFESTACK is not defined
   8288      then the non typesafe macros are used instead. Also modified the
   8289      mkstack.pl script to handle the new form. Needs testing to see
   8290      if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
   8291      the default if no major problems. Similar behaviour for ASN1_SET_OF
   8292      and PKCS12_STACK_OF.
   8293      [Steve Henson]
   8295   *) When some versions of IIS use the 'NET' form of private key the
   8296      key derivation algorithm is different. Normally MD5(password) is
   8297      used as a 128 bit RC4 key. In the modified case
   8298      MD5(MD5(password) + "SGCKEYSALT")  is used insted. Added some
   8299      new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
   8300      as the old Netscape_RSA functions except they have an additional
   8301      'sgckey' parameter which uses the modified algorithm. Also added
   8302      an -sgckey command line option to the rsa utility. Thanks to 
   8303      Adrian Peck <bertie (a] ncipher.com> for posting details of the modified
   8304      algorithm to openssl-dev.
   8305      [Steve Henson]
   8307   *) The evp_local.h macros were using 'c.##kname' which resulted in
   8308      invalid expansion on some systems (SCO 5.0.5 for example).
   8309      Corrected to 'c.kname'.
   8310      [Phillip Porch <root (a] theporch.com>]
   8312   *) New X509_get1_email() and X509_REQ_get1_email() functions that return
   8313      a STACK of email addresses from a certificate or request, these look
   8314      in the subject name and the subject alternative name extensions and 
   8315      omit any duplicate addresses.
   8316      [Steve Henson]
   8318   *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
   8319      This makes DSA verification about 2 % faster.
   8320      [Bodo Moeller]
   8322   *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
   8323      (meaning that now 2^5 values will be precomputed, which is only 4 KB
   8324      plus overhead for 1024 bit moduli).
   8325      This makes exponentiations about 0.5 % faster for 1024 bit
   8326      exponents (as measured by "openssl speed rsa2048").
   8327      [Bodo Moeller]
   8329   *) Rename memory handling macros to avoid conflicts with other
   8330      software:
   8331           Malloc         =>  OPENSSL_malloc
   8332           Malloc_locked  =>  OPENSSL_malloc_locked
   8333           Realloc        =>  OPENSSL_realloc
   8334           Free           =>  OPENSSL_free
   8335      [Richard Levitte]
   8337   *) New function BN_mod_exp_mont_word for small bases (roughly 15%
   8338      faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
   8339      [Bodo Moeller]
   8341   *) CygWin32 support.
   8342      [John Jarvie <jjarvie (a] newsguy.com>]
   8344   *) The type-safe stack code has been rejigged. It is now only compiled
   8345      in when OpenSSL is configured with the DEBUG_SAFESTACK option and
   8346      by default all type-specific stack functions are "#define"d back to
   8347      standard stack functions. This results in more streamlined output
   8348      but retains the type-safety checking possibilities of the original
   8349      approach.
   8350      [Geoff Thorpe]
   8352   *) The STACK code has been cleaned up, and certain type declarations
   8353      that didn't make a lot of sense have been brought in line. This has
   8354      also involved a cleanup of sorts in safestack.h to more correctly
   8355      map type-safe stack functions onto their plain stack counterparts.
   8356      This work has also resulted in a variety of "const"ifications of
   8357      lots of the code, especially "_cmp" operations which should normally
   8358      be prototyped with "const" parameters anyway.
   8359      [Geoff Thorpe]
   8361   *) When generating bytes for the first time in md_rand.c, 'stir the pool'
   8362      by seeding with STATE_SIZE dummy bytes (with zero entropy count).
   8363      (The PRNG state consists of two parts, the large pool 'state' and 'md',
   8364      where all of 'md' is used each time the PRNG is used, but 'state'
   8365      is used only indexed by a cyclic counter. As entropy may not be
   8366      well distributed from the beginning, 'md' is important as a
   8367      chaining variable. However, the output function chains only half
   8368      of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
   8369      all of 'md', and seeding with STATE_SIZE dummy bytes will result
   8370      in all of 'state' being rewritten, with the new values depending
   8371      on virtually all of 'md'.  This overcomes the 80 bit limitation.)
   8372      [Bodo Moeller]
   8374   *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
   8375      the handshake is continued after ssl_verify_cert_chain();
   8376      otherwise, if SSL_VERIFY_NONE is set, remaining error codes
   8377      can lead to 'unexplainable' connection aborts later.
   8378      [Bodo Moeller; problem tracked down by Lutz Jaenicke]
   8380   *) Major EVP API cipher revision.
   8381      Add hooks for extra EVP features. This allows various cipher
   8382      parameters to be set in the EVP interface. Support added for variable
   8383      key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
   8384      setting of RC2 and RC5 parameters.
   8386      Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
   8387      ciphers.
   8389      Remove lots of duplicated code from the EVP library. For example *every*
   8390      cipher init() function handles the 'iv' in the same way according to the
   8391      cipher mode. They also all do nothing if the 'key' parameter is NULL and
   8392      for CFB and OFB modes they zero ctx->num.
   8394      New functionality allows removal of S/MIME code RC2 hack.
   8396      Most of the routines have the same form and so can be declared in terms
   8397      of macros.
   8399      By shifting this to the top level EVP_CipherInit() it can be removed from
   8400      all individual ciphers. If the cipher wants to handle IVs or keys
   8401      differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
   8402      flags.
   8404      Change lots of functions like EVP_EncryptUpdate() to now return a
   8405      value: although software versions of the algorithms cannot fail
   8406      any installed hardware versions can.
   8407      [Steve Henson]
   8409   *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
   8410      this option is set, tolerate broken clients that send the negotiated
   8411      protocol version number instead of the requested protocol version
   8412      number.
   8413      [Bodo Moeller]
   8415   *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
   8416      i.e. non-zero for export ciphersuites, zero otherwise.
   8417      Previous versions had this flag inverted, inconsistent with
   8418      rsa_tmp_cb (..._TMP_RSA_CB).
   8419      [Bodo Moeller; problem reported by Amit Chopra]
   8421   *) Add missing DSA library text string. Work around for some IIS
   8422      key files with invalid SEQUENCE encoding.
   8423      [Steve Henson]
   8425   *) Add a document (doc/standards.txt) that list all kinds of standards
   8426      and so on that are implemented in OpenSSL.
   8427      [Richard Levitte]
   8429   *) Enhance c_rehash script. Old version would mishandle certificates
   8430      with the same subject name hash and wouldn't handle CRLs at all.
   8431      Added -fingerprint option to crl utility, to support new c_rehash
   8432      features.
   8433      [Steve Henson]
   8435   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
   8436      [Ulf Mller]
   8438   *) Fix for SSL server purpose checking. Server checking was
   8439      rejecting certificates which had extended key usage present
   8440      but no ssl client purpose.
   8441      [Steve Henson, reported by Rene Grosser <grosser (a] hisolutions.com>]
   8443   *) Make PKCS#12 code work with no password. The PKCS#12 spec
   8444      is a little unclear about how a blank password is handled.
   8445      Since the password in encoded as a BMPString with terminating
   8446      double NULL a zero length password would end up as just the
   8447      double NULL. However no password at all is different and is
   8448      handled differently in the PKCS#12 key generation code. NS
   8449      treats a blank password as zero length. MSIE treats it as no
   8450      password on export: but it will try both on import. We now do
   8451      the same: PKCS12_parse() tries zero length and no password if
   8452      the password is set to "" or NULL (NULL is now a valid password:
   8453      it wasn't before) as does the pkcs12 application.
   8454      [Steve Henson]
   8456   *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
   8457      perror when PEM_read_bio_X509_REQ fails, the error message must
   8458      be obtained from the error queue.
   8459      [Bodo Moeller]
   8461   *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
   8462      it in ERR_remove_state if appropriate, and change ERR_get_state
   8463      accordingly to avoid race conditions (this is necessary because
   8464      thread_hash is no longer constant once set).
   8465      [Bodo Moeller]
   8467   *) Bugfix for linux-elf makefile.one.
   8468      [Ulf Mller]
   8470   *) RSA_get_default_method() will now cause a default
   8471      RSA_METHOD to be chosen if one doesn't exist already.
   8472      Previously this was only set during a call to RSA_new()
   8473      or RSA_new_method(NULL) meaning it was possible for
   8474      RSA_get_default_method() to return NULL.
   8475      [Geoff Thorpe]
   8477   *) Added native name translation to the existing DSO code
   8478      that will convert (if the flag to do so is set) filenames
   8479      that are sufficiently small and have no path information
   8480      into a canonical native form. Eg. "blah" converted to
   8481      "libblah.so" or "blah.dll" etc.
   8482      [Geoff Thorpe]
   8484   *) New function ERR_error_string_n(e, buf, len) which is like
   8485      ERR_error_string(e, buf), but writes at most 'len' bytes
   8486      including the 0 terminator.  For ERR_error_string_n, 'buf'
   8487      may not be NULL.
   8488      [Damien Miller <djm (a] mindrot.org>, Bodo Moeller]
   8490   *) CONF library reworked to become more general.  A new CONF
   8491      configuration file reader "class" is implemented as well as a
   8492      new functions (NCONF_*, for "New CONF") to handle it.  The now
   8493      old CONF_* functions are still there, but are reimplemented to
   8494      work in terms of the new functions.  Also, a set of functions
   8495      to handle the internal storage of the configuration data is
   8496      provided to make it easier to write new configuration file
   8497      reader "classes" (I can definitely see something reading a
   8498      configuration file in XML format, for example), called _CONF_*,
   8499      or "the configuration storage API"...
   8501      The new configuration file reading functions are:
   8503         NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
   8504         NCONF_get_section, NCONF_get_string, NCONF_get_numbre
   8506         NCONF_default, NCONF_WIN32
   8508         NCONF_dump_fp, NCONF_dump_bio
   8510      NCONF_default and NCONF_WIN32 are method (or "class") choosers,
   8511      NCONF_new creates a new CONF object.  This works in the same way
   8512      as other interfaces in OpenSSL, like the BIO interface.
   8513      NCONF_dump_* dump the internal storage of the configuration file,
   8514      which is useful for debugging.  All other functions take the same
   8515      arguments as the old CONF_* functions wth the exception of the
   8516      first that must be a `CONF *' instead of a `LHASH *'.
   8518      To make it easer to use the new classes with the old CONF_* functions,
   8519      the function CONF_set_default_method is provided.
   8520      [Richard Levitte]
   8522   *) Add '-tls1' option to 'openssl ciphers', which was already
   8523      mentioned in the documentation but had not been implemented.
   8524      (This option is not yet really useful because even the additional
   8525      experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
   8526      [Bodo Moeller]
   8528   *) Initial DSO code added into libcrypto for letting OpenSSL (and
   8529      OpenSSL-based applications) load shared libraries and bind to
   8530      them in a portable way.
   8531      [Geoff Thorpe, with contributions from Richard Levitte]
   8533  Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
   8535   *) Make sure _lrotl and _lrotr are only used with MSVC.
   8537   *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
   8538      (the default implementation of RAND_status).
   8540   *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
   8541      to '-clrext' (= clear extensions), as intended and documented.
   8542      [Bodo Moeller; inconsistency pointed out by Michael Attili
   8543      <attili (a] amaxo.com>]
   8545   *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
   8546      was larger than the MD block size.      
   8547      [Steve Henson, pointed out by Yost William <YostW (a] tce.com>]
   8549   *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
   8550      fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
   8551      using the passed key: if the passed key was a private key the result
   8552      of X509_print(), for example, would be to print out all the private key
   8553      components.
   8554      [Steve Henson]
   8556   *) des_quad_cksum() byte order bug fix.
   8557      [Ulf Mller, using the problem description in krb4-0.9.7, where
   8558       the solution is attributed to Derrick J Brashear <shadow (a] DEMENTIA.ORG>]
   8560   *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
   8561      discouraged.
   8562      [Steve Henson, pointed out by Brian Korver <briank (a] cs.stanford.edu>]
   8564   *) For easily testing in shell scripts whether some command
   8565      'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
   8566      returns with exit code 0 iff no command of the given name is available.
   8567      'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
   8568      the output goes to stdout and nothing is printed to stderr.
   8569      Additional arguments are always ignored.
   8571      Since for each cipher there is a command of the same name,
   8572      the 'no-cipher' compilation switches can be tested this way.
   8574      ('openssl no-XXX' is not able to detect pseudo-commands such
   8575      as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
   8576      [Bodo Moeller]
   8578   *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
   8579      [Bodo Moeller]
   8581   *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
   8582      is set; it will be thrown away anyway because each handshake creates
   8583      its own key.
   8584      ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
   8585      to parameters -- in previous versions (since OpenSSL 0.9.3) the
   8586      'default key' from SSL_CTX_set_tmp_dh would always be lost, meanining
   8587      you effectivly got SSL_OP_SINGLE_DH_USE when using this macro.
   8588      [Bodo Moeller]
   8590   *) New s_client option -ign_eof: EOF at stdin is ignored, and
   8591      'Q' and 'R' lose their special meanings (quit/renegotiate).
   8592      This is part of what -quiet does; unlike -quiet, -ign_eof
   8593      does not suppress any output.
   8594      [Richard Levitte]
   8596   *) Add compatibility options to the purpose and trust code. The
   8597      purpose X509_PURPOSE_ANY is "any purpose" which automatically
   8598      accepts a certificate or CA, this was the previous behaviour,
   8599      with all the associated security issues.
   8601      X509_TRUST_COMPAT is the old trust behaviour: only and
   8602      automatically trust self signed roots in certificate store. A
   8603      new trust setting X509_TRUST_DEFAULT is used to specify that
   8604      a purpose has no associated trust setting and it should instead
   8605      use the value in the default purpose.
   8606      [Steve Henson]
   8608   *) Fix the PKCS#8 DSA private key code so it decodes keys again
   8609      and fix a memory leak.
   8610      [Steve Henson]
   8612   *) In util/mkerr.pl (which implements 'make errors'), preserve
   8613      reason strings from the previous version of the .c file, as
   8614      the default to have only downcase letters (and digits) in
   8615      automatically generated reasons codes is not always appropriate.
   8616      [Bodo Moeller]
   8618   *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
   8619      using strerror.  Previously, ERR_reason_error_string() returned
   8620      library names as reason strings for SYSerr; but SYSerr is a special
   8621      case where small numbers are errno values, not library numbers.
   8622      [Bodo Moeller]
   8624   *) Add '-dsaparam' option to 'openssl dhparam' application.  This
   8625      converts DSA parameters into DH parameters. (When creating parameters,
   8626      DSA_generate_parameters is used.)
   8627      [Bodo Moeller]
   8629   *) Include 'length' (recommended exponent length) in C code generated
   8630      by 'openssl dhparam -C'.
   8631      [Bodo Moeller]
   8633   *) The second argument to set_label in perlasm was already being used
   8634      so couldn't be used as a "file scope" flag. Moved to third argument
   8635      which was free.
   8636      [Steve Henson]
   8638   *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
   8639      instead of RAND_bytes for encryption IVs and salts.
   8640      [Bodo Moeller]
   8642   *) Include RAND_status() into RAND_METHOD instead of implementing
   8643      it only for md_rand.c  Otherwise replacing the PRNG by calling
   8644      RAND_set_rand_method would be impossible.
   8645      [Bodo Moeller]
   8647   *) Don't let DSA_generate_key() enter an infinite loop if the random
   8648      number generation fails.
   8649      [Bodo Moeller]
   8651   *) New 'rand' application for creating pseudo-random output.
   8652      [Bodo Moeller]
   8654   *) Added configuration support for Linux/IA64
   8655      [Rolf Haberrecker <rolf (a] suse.de>]
   8657   *) Assembler module support for Mingw32.
   8658      [Ulf Mller]
   8660   *) Shared library support for HPUX (in shlib/).
   8661      [Lutz Jaenicke <Lutz.Jaenicke (a] aet.TU-Cottbus.DE> and Anonymous]
   8663   *) Shared library support for Solaris gcc.
   8664      [Lutz Behnke <behnke (a] trustcenter.de>]
   8666  Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
   8668   *) PKCS7_encrypt() was adding text MIME headers twice because they
   8669      were added manually and by SMIME_crlf_copy().
   8670      [Steve Henson]
   8672   *) In bntest.c don't call BN_rand with zero bits argument.
   8673      [Steve Henson, pointed out by Andrew W. Gray <agray (a] iconsinc.com>]
   8675   *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
   8676      case was implemented. This caused BN_div_recp() to fail occasionally.
   8677      [Ulf Mller]
   8679   *) Add an optional second argument to the set_label() in the perl
   8680      assembly language builder. If this argument exists and is set
   8681      to 1 it signals that the assembler should use a symbol whose 
   8682      scope is the entire file, not just the current function. This
   8683      is needed with MASM which uses the format label:: for this scope.
   8684      [Steve Henson, pointed out by Peter Runestig <peter (a] runestig.com>]
   8686   *) Change the ASN1 types so they are typedefs by default. Before
   8687      almost all types were #define'd to ASN1_STRING which was causing
   8688      STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
   8689      for example.
   8690      [Steve Henson]
   8692   *) Change names of new functions to the new get1/get0 naming
   8693      convention: After 'get1', the caller owns a reference count
   8694      and has to call ..._free; 'get0' returns a pointer to some
   8695      data structure without incrementing reference counters.
   8696      (Some of the existing 'get' functions increment a reference
   8697      counter, some don't.)
   8698      Similarly, 'set1' and 'add1' functions increase reference
   8699      counters or duplicate objects.
   8700      [Steve Henson]
   8702   *) Allow for the possibility of temp RSA key generation failure:
   8703      the code used to assume it always worked and crashed on failure.
   8704      [Steve Henson]
   8706   *) Fix potential buffer overrun problem in BIO_printf().
   8707      [Ulf Mller, using public domain code by Patrick Powell; problem
   8708       pointed out by David Sacerdote <das33 (a] cornell.edu>]
   8710   *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
   8711      RAND_egd() and RAND_status().  In the command line application,
   8712      the EGD socket can be specified like a seed file using RANDFILE
   8713      or -rand.
   8714      [Ulf Mller]
   8716   *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
   8717      Some CAs (e.g. Verisign) distribute certificates in this form.
   8718      [Steve Henson]
   8720   *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
   8721      list to exclude them. This means that no special compilation option
   8722      is needed to use anonymous DH: it just needs to be included in the
   8723      cipher list.
   8724      [Steve Henson]
   8726   *) Change the EVP_MD_CTX_type macro so its meaning consistent with
   8727      EVP_MD_type. The old functionality is available in a new macro called
   8728      EVP_MD_md(). Change code that uses it and update docs.
   8729      [Steve Henson]
   8731   *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
   8732      where the 'void *' argument is replaced by a function pointer argument.
   8733      Previously 'void *' was abused to point to functions, which works on
   8734      many platforms, but is not correct.  As these functions are usually
   8735      called by macros defined in OpenSSL header files, most source code
   8736      should work without changes.
   8737      [Richard Levitte]
   8739   *) <openssl/opensslconf.h> (which is created by Configure) now contains
   8740      sections with information on -D... compiler switches used for
   8741      compiling the library so that applications can see them.  To enable
   8742      one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
   8743      must be defined.  E.g.,
   8744         #define OPENSSL_ALGORITHM_DEFINES
   8745         #include <openssl/opensslconf.h>
   8746      defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
   8747      [Richard Levitte, Ulf and Bodo Mller]
   8749   *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
   8750      record layer.
   8751      [Bodo Moeller]
   8753   *) Change the 'other' type in certificate aux info to a STACK_OF
   8754      X509_ALGOR. Although not an AlgorithmIdentifier as such it has
   8755      the required ASN1 format: arbitrary types determined by an OID.
   8756      [Steve Henson]
   8758   *) Add some PEM_write_X509_REQ_NEW() functions and a command line
   8759      argument to 'req'. This is not because the function is newer or
   8760      better than others it just uses the work 'NEW' in the certificate
   8761      request header lines. Some software needs this.
   8762      [Steve Henson]
   8764   *) Reorganise password command line arguments: now passwords can be
   8765      obtained from various sources. Delete the PEM_cb function and make
   8766      it the default behaviour: i.e. if the callback is NULL and the
   8767      usrdata argument is not NULL interpret it as a null terminated pass
   8768      phrase. If usrdata and the callback are NULL then the pass phrase
   8769      is prompted for as usual.
   8770      [Steve Henson]
   8772   *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
   8773      the support is automatically enabled. The resulting binaries will
   8774      autodetect the card and use it if present.
   8775      [Ben Laurie and Compaq Inc.]
   8777   *) Work around for Netscape hang bug. This sends certificate request
   8778      and server done in one record. Since this is perfectly legal in the
   8779      SSL/TLS protocol it isn't a "bug" option and is on by default. See
   8780      the bugs/SSLv3 entry for more info.
   8781      [Steve Henson]
   8783   *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
   8784      [Andy Polyakov]
   8786   *) Add -rand argument to smime and pkcs12 applications and read/write
   8787      of seed file.
   8788      [Steve Henson]
   8790   *) New 'passwd' tool for crypt(3) and apr1 password hashes.
   8791      [Bodo Moeller]
   8793   *) Add command line password options to the remaining applications.
   8794      [Steve Henson]
   8796   *) Bug fix for BN_div_recp() for numerators with an even number of
   8797      bits.
   8798      [Ulf Mller]
   8800   *) More tests in bntest.c, and changed test_bn output.
   8801      [Ulf Mller]
   8803   *) ./config recognizes MacOS X now.
   8804      [Andy Polyakov]
   8806   *) Bug fix for BN_div() when the first words of num and divsor are
   8807      equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
   8808      [Ulf Mller]
   8810   *) Add support for various broken PKCS#8 formats, and command line
   8811      options to produce them.
   8812      [Steve Henson]
   8814   *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
   8815      get temporary BIGNUMs from a BN_CTX.
   8816      [Ulf Mller]
   8818   *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
   8819      for p == 0.
   8820      [Ulf Mller]
   8822   *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
   8823      include a #define from the old name to the new. The original intent
   8824      was that statically linked binaries could for example just call
   8825      SSLeay_add_all_ciphers() to just add ciphers to the table and not
   8826      link with digests. This never worked becayse SSLeay_add_all_digests()
   8827      and SSLeay_add_all_ciphers() were in the same source file so calling
   8828      one would link with the other. They are now in separate source files.
   8829      [Steve Henson]
   8831   *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
   8832      [Steve Henson]
   8834   *) Use a less unusual form of the Miller-Rabin primality test (it used
   8835      a binary algorithm for exponentiation integrated into the Miller-Rabin
   8836      loop, our standard modexp algorithms are faster).
   8837      [Bodo Moeller]
   8839   *) Support for the EBCDIC character set completed.
   8840      [Martin Kraemer <Martin.Kraemer (a] Mch.SNI.De>]
   8842   *) Source code cleanups: use const where appropriate, eliminate casts,
   8843      use void * instead of char * in lhash.
   8844      [Ulf Mller] 
   8846   *) Bugfix: ssl3_send_server_key_exchange was not restartable
   8847      (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
   8848      this the server could overwrite ephemeral keys that the client
   8849      has already seen).
   8850      [Bodo Moeller]
   8852   *) Turn DSA_is_prime into a macro that calls BN_is_prime,
   8853      using 50 iterations of the Rabin-Miller test.
   8855      DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
   8856      iterations of the Rabin-Miller test as required by the appendix
   8857      to FIPS PUB 186[-1]) instead of DSA_is_prime.
   8858      As BN_is_prime_fasttest includes trial division, DSA parameter
   8859      generation becomes much faster.
   8861      This implies a change for the callback functions in DSA_is_prime
   8862      and DSA_generate_parameters: The callback function is called once
   8863      for each positive witness in the Rabin-Miller test, not just
   8864      occasionally in the inner loop; and the parameters to the
   8865      callback function now provide an iteration count for the outer
   8866      loop rather than for the current invocation of the inner loop.
   8867      DSA_generate_parameters additionally can call the callback
   8868      function with an 'iteration count' of -1, meaning that a
   8869      candidate has passed the trial division test (when q is generated 
   8870      from an application-provided seed, trial division is skipped).
   8871      [Bodo Moeller]
   8873   *) New function BN_is_prime_fasttest that optionally does trial
   8874      division before starting the Rabin-Miller test and has
   8875      an additional BN_CTX * argument (whereas BN_is_prime always
   8876      has to allocate at least one BN_CTX).
   8877      'callback(1, -1, cb_arg)' is called when a number has passed the
   8878      trial division stage.
   8879      [Bodo Moeller]
   8881   *) Fix for bug in CRL encoding. The validity dates weren't being handled
   8882      as ASN1_TIME.
   8883      [Steve Henson]
   8885   *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
   8886      [Steve Henson]
   8888   *) New function BN_pseudo_rand().
   8889      [Ulf Mller]
   8891   *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
   8892      bignum version of BN_from_montgomery() with the working code from
   8893      SSLeay 0.9.0 (the word based version is faster anyway), and clean up
   8894      the comments.
   8895      [Ulf Mller]
   8897   *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
   8898      made it impossible to use the same SSL_SESSION data structure in
   8899      SSL2 clients in multiple threads.
   8900      [Bodo Moeller]
   8902   *) The return value of RAND_load_file() no longer counts bytes obtained
   8903      by stat().  RAND_load_file(..., -1) is new and uses the complete file
   8904      to seed the PRNG (previously an explicit byte count was required).
   8905      [Ulf Mller, Bodo Mller]
   8907   *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
   8908      used (char *) instead of (void *) and had casts all over the place.
   8909      [Steve Henson]
   8911   *) Make BN_generate_prime() return NULL on error if ret!=NULL.
   8912      [Ulf Mller]
   8914   *) Retain source code compatibility for BN_prime_checks macro:
   8915      BN_is_prime(..., BN_prime_checks, ...) now uses
   8916      BN_prime_checks_for_size to determine the appropriate number of
   8917      Rabin-Miller iterations.
   8918      [Ulf M