"Fossies" - the Fresh Open Source Software Archive

Member "openssl-1.1.1g/CHANGES" (21 Apr 2020, 588216 Bytes) of package /linux/misc/openssl-1.1.1g.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "CHANGES": 1.1.1f_vs_1.1.1g.

    1 
    2  OpenSSL CHANGES
    3  _______________
    4 
    5  This is a high-level summary of the most important changes.
    6  For a full list of changes, see the git commit log; for example,
    7  https://github.com/openssl/openssl/commits/ and pick the appropriate
    8  release branch.
    9 
   10  Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
   11 
   12   *) Fixed segmentation fault in SSL_check_chain()
   13      Server or client applications that call the SSL_check_chain() function
   14      during or after a TLS 1.3 handshake may crash due to a NULL pointer
   15      dereference as a result of incorrect handling of the
   16      "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
   17      or unrecognised signature algorithm is received from the peer. This could
   18      be exploited by a malicious peer in a Denial of Service attack.
   19      (CVE-2020-1967)
   20      [Benjamin Kaduk]
   21 
   22   *) Added AES consttime code for no-asm configurations
   23      an optional constant time support for AES was added
   24      when building openssl for no-asm.
   25      Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
   26      Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
   27      At this time this feature is by default disabled.
   28      It will be enabled by default in 3.0.
   29      [Bernd Edlinger]
   30 
   31  Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
   32 
   33   *) Revert the change of EOF detection while reading in libssl to avoid
   34      regressions in applications depending on the current way of reporting
   35      the EOF. As the existing method is not fully accurate the change to
   36      reporting the EOF via SSL_ERROR_SSL is kept on the current development
   37      branch and will be present in the 3.0 release.
   38      [Tomas Mraz]
   39 
   40   *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
   41      when primes for RSA keys are computed.
   42      Since we previously always generated primes == 2 (mod 3) for RSA keys,
   43      the 2-prime and 3-prime RSA modules were easy to distinguish, since
   44      N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
   45      2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   46      This avoids possible fingerprinting of newly generated RSA modules.
   47      [Bernd Edlinger]
   48 
   49  Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
   50   *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
   51      while reading in libssl then we would report an error back to the
   52      application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
   53      an error to the stack (which means we instead return SSL_ERROR_SSL) and
   54      therefore give a hint as to what went wrong.
   55      [Matt Caswell]
   56 
   57   *) Check that ed25519 and ed448 are allowed by the security level. Previously
   58      signature algorithms not using an MD were not being checked that they were
   59      allowed by the security level.
   60      [Kurt Roeckx]
   61 
   62   *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
   63      was not quite right. The behaviour was not consistent between resumption
   64      and normal handshakes, and also not quite consistent with historical
   65      behaviour. The behaviour in various scenarios has been clarified and
   66      it has been updated to make it match historical behaviour as closely as
   67      possible.
   68      [Matt Caswell]
   69 
   70   *) [VMS only] The header files that the VMS compilers include automatically,
   71      __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
   72      the C++ compiler doesn't understand.  This is a shortcoming in the
   73      compiler, but can be worked around with __cplusplus guards.
   74 
   75      C++ applications that use OpenSSL libraries must be compiled using the
   76      qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
   77      functions.  Otherwise, only functions with symbols of less than 31
   78      characters can be used, as the linker will not be able to successfully
   79      resolve symbols with longer names.
   80      [Richard Levitte]
   81 
   82   *) Corrected the documentation of the return values from the EVP_DigestSign*
   83      set of functions.  The documentation mentioned negative values for some
   84      errors, but this was never the case, so the mention of negative values
   85      was removed.
   86 
   87      Code that followed the documentation and thereby check with something
   88      like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
   89      [Richard Levitte]
   90 
   91   *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
   92      used in exponentiation with 512-bit moduli. No EC algorithms are
   93      affected. Analysis suggests that attacks against 2-prime RSA1024,
   94      3-prime RSA1536, and DSA1024 as a result of this defect would be very
   95      difficult to perform and are not believed likely. Attacks against DH512
   96      are considered just feasible. However, for an attack the target would
   97      have to re-use the DH512 private key, which is not recommended anyway.
   98      Also applications directly using the low level API BN_mod_exp may be
   99      affected if they use BN_FLG_CONSTTIME.
  100      (CVE-2019-1551)
  101      [Andy Polyakov]
  102 
  103   *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
  104      The presence of this system service is determined at run-time.
  105      [Richard Levitte]
  106 
  107   *) Added newline escaping functionality to a filename when using openssl dgst.
  108      This output format is to replicate the output format found in the '*sum'
  109      checksum programs. This aims to preserve backward compatibility.
  110      [Matt Eaton, Richard Levitte, and Paul Dale]
  111 
  112   *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
  113      the first value.
  114      [Jon Spillett]
  115 
  116  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
  117 
  118   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
  119      number generator (RNG). This was intended to include protection in the
  120      event of a fork() system call in order to ensure that the parent and child
  121      processes did not share the same RNG state. However this protection was not
  122      being used in the default case.
  123 
  124      A partial mitigation for this issue is that the output from a high
  125      precision timer is mixed into the RNG state so the likelihood of a parent
  126      and child process sharing state is significantly reduced.
  127 
  128      If an application already calls OPENSSL_init_crypto() explicitly using
  129      OPENSSL_INIT_ATFORK then this problem does not occur at all.
  130      (CVE-2019-1549)
  131      [Matthias St. Pierre]
  132 
  133   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
  134      used even when parsing explicit parameters, when loading a serialized key
  135      or calling `EC_GROUP_new_from_ecpkparameters()`/
  136      `EC_GROUP_new_from_ecparameters()`.
  137      This prevents bypass of security hardening and performance gains,
  138      especially for curves with specialized EC_METHODs.
  139      By default, if a key encoded with explicit parameters is loaded and later
  140      serialized, the output is still encoded with explicit parameters, even if
  141      internally a "named" EC_GROUP is used for computation.
  142      [Nicola Tuveri]
  143 
  144   *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
  145      this change, EC_GROUP_set_generator would accept order and/or cofactor as
  146      NULL. After this change, only the cofactor parameter can be NULL. It also
  147      does some minimal sanity checks on the passed order.
  148      (CVE-2019-1547)
  149      [Billy Bob Brumley]
  150 
  151   *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
  152      An attack is simple, if the first CMS_recipientInfo is valid but the
  153      second CMS_recipientInfo is chosen ciphertext. If the second
  154      recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
  155      encryption key will be replaced by garbage, and the message cannot be
  156      decoded, but if the RSA decryption fails, the correct encryption key is
  157      used and the recipient will not notice the attack.
  158      As a work around for this potential attack the length of the decrypted
  159      key must be equal to the cipher default key length, in case the
  160      certifiate is not given and all recipientInfo are tried out.
  161      The old behaviour can be re-enabled in the CMS code by setting the
  162      CMS_DEBUG_DECRYPT flag.
  163      (CVE-2019-1563)
  164      [Bernd Edlinger]
  165 
  166   *) Early start up entropy quality from the DEVRANDOM seed source has been
  167      improved for older Linux systems.  The RAND subsystem will wait for
  168      /dev/random to be producing output before seeding from /dev/urandom.
  169      The seeded state is stored for future library initialisations using
  170      a system global shared memory segment.  The shared memory identifier
  171      can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
  172      the desired value.  The default identifier is 114.
  173      [Paul Dale]
  174 
  175   *) Correct the extended master secret constant on EBCDIC systems. Without this
  176      fix TLS connections between an EBCDIC system and a non-EBCDIC system that
  177      negotiate EMS will fail. Unfortunately this also means that TLS connections
  178      between EBCDIC systems with this fix, and EBCDIC systems without this
  179      fix will fail if they negotiate EMS.
  180      [Matt Caswell]
  181 
  182   *) Use Windows installation paths in the mingw builds
  183 
  184      Mingw isn't a POSIX environment per se, which means that Windows
  185      paths should be used for installation.
  186      (CVE-2019-1552)
  187      [Richard Levitte]
  188 
  189   *) Changed DH_check to accept parameters with order q and 2q subgroups.
  190      With order 2q subgroups the bit 0 of the private key is not secret
  191      but DH_generate_key works around that by clearing bit 0 of the
  192      private key for those. This avoids leaking bit 0 of the private key.
  193      [Bernd Edlinger]
  194 
  195   *) Significantly reduce secure memory usage by the randomness pools.
  196      [Paul Dale]
  197 
  198   *) Revert the DEVRANDOM_WAIT feature for Linux systems
  199 
  200      The DEVRANDOM_WAIT feature added a select() call to wait for the
  201      /dev/random device to become readable before reading from the
  202      /dev/urandom device.
  203 
  204      It turned out that this change had negative side effects on
  205      performance which were not acceptable. After some discussion it
  206      was decided to revert this feature and leave it up to the OS
  207      resp. the platform maintainer to ensure a proper initialization
  208      during early boot time.
  209      [Matthias St. Pierre]
  210 
  211  Changes between 1.1.1b and 1.1.1c [28 May 2019]
  212 
  213   *) Add build tests for C++.  These are generated files that only do one
  214      thing, to include one public OpenSSL head file each.  This tests that
  215      the public header files can be usefully included in a C++ application.
  216 
  217      This test isn't enabled by default.  It can be enabled with the option
  218      'enable-buildtest-c++'.
  219      [Richard Levitte]
  220 
  221   *) Enable SHA3 pre-hashing for ECDSA and DSA.
  222      [Patrick Steuer]
  223 
  224   *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
  225      This changes the size when using the genpkey app when no size is given. It
  226      fixes an omission in earlier changes that changed all RSA, DSA and DH
  227      generation apps to use 2048 bits by default.
  228      [Kurt Roeckx]
  229 
  230   *) Reorganize the manual pages to consistently have RETURN VALUES,
  231      EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
  232      util/fix-doc-nits accordingly.
  233      [Paul Yang, Joshua Lock]
  234 
  235   *) Add the missing accessor EVP_PKEY_get0_engine()
  236      [Matt Caswell]
  237 
  238   *) Have apps like 's_client' and 's_server' output the signature scheme
  239      along with other cipher suite parameters when debugging.
  240      [Lorinczy Zsigmond]
  241 
  242   *) Make OPENSSL_config() error agnostic again.
  243      [Richard Levitte]
  244 
  245   *) Do the error handling in RSA decryption constant time.
  246      [Bernd Edlinger]
  247 
  248   *) Prevent over long nonces in ChaCha20-Poly1305.
  249 
  250      ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
  251      for every encryption operation. RFC 7539 specifies that the nonce value
  252      (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
  253      and front pads the nonce with 0 bytes if it is less than 12
  254      bytes. However it also incorrectly allows a nonce to be set of up to 16
  255      bytes. In this case only the last 12 bytes are significant and any
  256      additional leading bytes are ignored.
  257 
  258      It is a requirement of using this cipher that nonce values are
  259      unique. Messages encrypted using a reused nonce value are susceptible to
  260      serious confidentiality and integrity attacks. If an application changes
  261      the default nonce length to be longer than 12 bytes and then makes a
  262      change to the leading bytes of the nonce expecting the new value to be a
  263      new unique nonce then such an application could inadvertently encrypt
  264      messages with a reused nonce.
  265 
  266      Additionally the ignored bytes in a long nonce are not covered by the
  267      integrity guarantee of this cipher. Any application that relies on the
  268      integrity of these ignored leading bytes of a long nonce may be further
  269      affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
  270      is safe because no such use sets such a long nonce value. However user
  271      applications that use this cipher directly and set a non-default nonce
  272      length to be longer than 12 bytes may be vulnerable.
  273 
  274      This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
  275      Greef of Ronomon.
  276      (CVE-2019-1543)
  277      [Matt Caswell]
  278 
  279   *) Add DEVRANDOM_WAIT feature for Linux systems
  280 
  281      On older Linux systems where the getrandom() system call is not available,
  282      OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
  283      Contrary to getrandom(), the /dev/urandom device will not block during
  284      early boot when the kernel CSPRNG has not been seeded yet.
  285 
  286      To mitigate this known weakness, use select() to wait for /dev/random to
  287      become readable before reading from /dev/urandom.
  288 
  289   *) Ensure that SM2 only uses SM3 as digest algorithm
  290      [Paul Yang]
  291 
  292  Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
  293 
  294   *) Added SCA hardening for modular field inversion in EC_GROUP through
  295      a new dedicated field_inv() pointer in EC_METHOD.
  296      This also addresses a leakage affecting conversions from projective
  297      to affine coordinates.
  298      [Billy Bob Brumley, Nicola Tuveri]
  299 
  300   *) Change the info callback signals for the start and end of a post-handshake
  301      message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
  302      and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
  303      confused by this and assume that a TLSv1.2 renegotiation has started. This
  304      can break KeyUpdate handling. Instead we no longer signal the start and end
  305      of a post handshake message exchange (although the messages themselves are
  306      still signalled). This could break some applications that were expecting
  307      the old signals. However without this KeyUpdate is not usable for many
  308      applications.
  309      [Matt Caswell]
  310 
  311   *) Fix a bug in the computation of the endpoint-pair shared secret used
  312      by DTLS over SCTP. This breaks interoperability with older versions
  313      of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
  314      switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
  315      interoperability with such broken implementations. However, enabling
  316      this switch breaks interoperability with correct implementations.
  317 
  318   *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
  319      re-used X509_PUBKEY object if the second PUBKEY is malformed.
  320      [Bernd Edlinger]
  321 
  322   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  323      [Richard Levitte]
  324 
  325   *) Remove the 'dist' target and add a tarball building script.  The
  326      'dist' target has fallen out of use, and it shouldn't be
  327      necessary to configure just to create a source distribution.
  328      [Richard Levitte]
  329 
  330  Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
  331 
  332   *) Timing vulnerability in DSA signature generation
  333 
  334      The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
  335      timing side channel attack. An attacker could use variations in the signing
  336      algorithm to recover the private key.
  337 
  338      This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
  339      (CVE-2018-0734)
  340      [Paul Dale]
  341 
  342   *) Timing vulnerability in ECDSA signature generation
  343 
  344      The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
  345      timing side channel attack. An attacker could use variations in the signing
  346      algorithm to recover the private key.
  347 
  348      This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
  349      (CVE-2018-0735)
  350      [Paul Dale]
  351 
  352   *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
  353      the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
  354      are retained for backwards compatibility.
  355      [Antoine Salon]
  356 
  357   *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
  358      if its length exceeds 4096 bytes. The limit has been raised to a buffer size
  359      of two gigabytes and the error handling improved.
  360 
  361      This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
  362      categorized as a normal bug, not a security issue, because the DRBG reseeds
  363      automatically and is fully functional even without additional randomness
  364      provided by the application.
  365 
  366  Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
  367 
  368   *) Add a new ClientHello callback. Provides a callback interface that gives
  369      the application the ability to adjust the nascent SSL object at the
  370      earliest stage of ClientHello processing, immediately after extensions have
  371      been collected but before they have been processed. In particular, this
  372      callback can adjust the supported TLS versions in response to the contents
  373      of the ClientHello
  374      [Benjamin Kaduk]
  375 
  376   *) Add SM2 base algorithm support.
  377      [Jack Lloyd]
  378 
  379   *) s390x assembly pack: add (improved) hardware-support for the following
  380      cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
  381      aes-cfb/cfb8, aes-ecb.
  382      [Patrick Steuer]
  383 
  384   *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  385      parameter is no longer accepted, as it leads to a corrupt table.  NULL
  386      pem_str is reserved for alias entries only.
  387      [Richard Levitte]
  388 
  389   *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
  390      step for prime curves. The new implementation is based on formulae from
  391      differential addition-and-doubling in homogeneous projective coordinates
  392      from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
  393      against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
  394      and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
  395      to work in projective coordinates.
  396      [Billy Bob Brumley, Nicola Tuveri]
  397 
  398   *) Change generating and checking of primes so that the error rate of not
  399      being prime depends on the intended use based on the size of the input.
  400      For larger primes this will result in more rounds of Miller-Rabin.
  401      The maximal error rate for primes with more than 1080 bits is lowered
  402      to 2^-128.
  403      [Kurt Roeckx, Annie Yousar]
  404 
  405   *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  406      [Kurt Roeckx]
  407 
  408   *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
  409      moving between systems, and to avoid confusion when a Windows build is
  410      done with mingw vs with MSVC.  For POSIX installs, there's still a
  411      symlink or copy named 'tsget' to avoid that confusion as well.
  412      [Richard Levitte]
  413 
  414   *) Revert blinding in ECDSA sign and instead make problematic addition
  415      length-invariant. Switch even to fixed-length Montgomery multiplication.
  416      [Andy Polyakov]
  417 
  418   *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
  419      step for binary curves. The new implementation is based on formulae from
  420      differential addition-and-doubling in mixed Lopez-Dahab projective
  421      coordinates, modified to independently blind the operands.
  422      [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
  423 
  424   *) Add a scaffold to optionally enhance the Montgomery ladder implementation
  425      for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
  426      EC_METHODs to implement their own specialized "ladder step", to take
  427      advantage of more favorable coordinate systems or more efficient
  428      differential addition-and-doubling algorithms.
  429      [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
  430 
  431   *) Modified the random device based seed sources to keep the relevant
  432      file descriptors open rather than reopening them on each access.
  433      This allows such sources to operate in a chroot() jail without
  434      the associated device nodes being available. This behaviour can be
  435      controlled using RAND_keep_random_devices_open().
  436      [Paul Dale]
  437 
  438   *) Numerous side-channel attack mitigations have been applied. This may have
  439      performance impacts for some algorithms for the benefit of improved
  440      security. Specific changes are noted in this change log by their respective
  441      authors.
  442      [Matt Caswell]
  443 
  444   *) AIX shared library support overhaul. Switch to AIX "natural" way of
  445      handling shared libraries, which means collecting shared objects of
  446      different versions and bitnesses in one common archive. This allows to
  447      mitigate conflict between 1.0 and 1.1 side-by-side installations. It
  448      doesn't affect the way 3rd party applications are linked, only how
  449      multi-version installation is managed.
  450      [Andy Polyakov]
  451 
  452   *) Make ec_group_do_inverse_ord() more robust and available to other
  453      EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
  454      mitigations are applied to the fallback BN_mod_inverse().
  455      When using this function rather than BN_mod_inverse() directly, new
  456      EC cryptosystem implementations are then safer-by-default.
  457      [Billy Bob Brumley]
  458 
  459   *) Add coordinate blinding for EC_POINT and implement projective
  460      coordinate blinding for generic prime curves as a countermeasure to
  461      chosen point SCA attacks.
  462      [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
  463 
  464   *) Add blinding to ECDSA and DSA signatures to protect against side channel
  465      attacks discovered by Keegan Ryan (NCC Group).
  466      [Matt Caswell]
  467 
  468   *) Enforce checking in the pkeyutl command line app to ensure that the input
  469      length does not exceed the maximum supported digest length when performing
  470      a sign, verify or verifyrecover operation.
  471      [Matt Caswell]
  472 
  473   *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
  474      I/O in combination with something like select() or poll() will hang. This
  475      can be turned off again using SSL_CTX_clear_mode().
  476      Many applications do not properly handle non-application data records, and
  477      TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
  478      around the problems in those applications, but can also break some.
  479      It's recommended to read the manpages about SSL_read(), SSL_write(),
  480      SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
  481      SSL_CTX_set_read_ahead() again.
  482      [Kurt Roeckx]
  483 
  484   *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  485      now allow empty (zero character) pass phrases.
  486      [Richard Levitte]
  487 
  488   *) Apply blinding to binary field modular inversion and remove patent
  489      pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
  490      [Billy Bob Brumley]
  491 
  492   *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
  493      binary and prime elliptic curves.
  494      [Billy Bob Brumley]
  495 
  496   *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
  497      constant time fixed point multiplication.
  498      [Billy Bob Brumley]
  499 
  500   *) Revise elliptic curve scalar multiplication with timing attack
  501      defenses: ec_wNAF_mul redirects to a constant time implementation
  502      when computing fixed point and variable point multiplication (which
  503      in OpenSSL are mostly used with secret scalars in keygen, sign,
  504      ECDH derive operations).
  505      [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
  506       Sohaib ul Hassan]
  507 
  508   *) Updated CONTRIBUTING
  509      [Rich Salz]
  510 
  511   *) Updated DRBG / RAND to request nonce and additional low entropy
  512      randomness from the system.
  513      [Matthias St. Pierre]
  514 
  515   *) Updated 'openssl rehash' to use OpenSSL consistent default.
  516      [Richard Levitte]
  517 
  518   *) Moved the load of the ssl_conf module to libcrypto, which helps
  519      loading engines that libssl uses before libssl is initialised.
  520      [Matt Caswell]
  521 
  522   *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
  523      [Matt Caswell]
  524 
  525   *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
  526      [Ingo Schwarze, Rich Salz]
  527 
  528   *) Added output of accepting IP address and port for 'openssl s_server'
  529      [Richard Levitte]
  530 
  531   *) Added a new API for TLSv1.3 ciphersuites:
  532         SSL_CTX_set_ciphersuites()
  533         SSL_set_ciphersuites()
  534      [Matt Caswell]
  535 
  536   *) Memory allocation failures consistently add an error to the error
  537      stack.
  538      [Rich Salz]
  539 
  540   *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
  541      in libcrypto when run as setuid/setgid.
  542      [Bernd Edlinger]
  543 
  544   *) Load any config file by default when libssl is used.
  545      [Matt Caswell]
  546 
  547   *) Added new public header file <openssl/rand_drbg.h> and documentation
  548      for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
  549      [Matthias St. Pierre]
  550 
  551   *) QNX support removed (cannot find contributors to get their approval
  552      for the license change).
  553      [Rich Salz]
  554 
  555   *) TLSv1.3 replay protection for early data has been implemented. See the
  556      SSL_read_early_data() man page for further details.
  557      [Matt Caswell]
  558 
  559   *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
  560      configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
  561      below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
  562      In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
  563      would otherwise inadvertently disable all TLSv1.3 ciphersuites the
  564      configuration has been separated out. See the ciphers man page or the
  565      SSL_CTX_set_ciphersuites() man page for more information.
  566      [Matt Caswell]
  567 
  568   *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
  569      in responder mode now supports the new "-multi" option, which
  570      spawns the specified number of child processes to handle OCSP
  571      requests.  The "-timeout" option now also limits the OCSP
  572      responder's patience to wait to receive the full client request
  573      on a newly accepted connection. Child processes are respawned
  574      as needed, and the CA index file is automatically reloaded
  575      when changed.  This makes it possible to run the "ocsp" responder
  576      as a long-running service, making the OpenSSL CA somewhat more
  577      feature-complete.  In this mode, most diagnostic messages logged
  578      after entering the event loop are logged via syslog(3) rather than
  579      written to stderr.
  580      [Viktor Dukhovni]
  581 
  582   *) Added support for X448 and Ed448. Heavily based on original work by
  583      Mike Hamburg.
  584      [Matt Caswell]
  585 
  586   *) Extend OSSL_STORE with capabilities to search and to narrow the set of
  587      objects loaded.  This adds the functions OSSL_STORE_expect() and
  588      OSSL_STORE_find() as well as needed tools to construct searches and
  589      get the search data out of them.
  590      [Richard Levitte]
  591 
  592   *) Support for TLSv1.3 added. Note that users upgrading from an earlier
  593      version of OpenSSL should review their configuration settings to ensure
  594      that they are still appropriate for TLSv1.3. For further information see:
  595      https://wiki.openssl.org/index.php/TLS1.3
  596      [Matt Caswell]
  597 
  598   *) Grand redesign of the OpenSSL random generator
  599 
  600      The default RAND method now utilizes an AES-CTR DRBG according to
  601      NIST standard SP 800-90Ar1. The new random generator is essentially
  602      a port of the default random generator from the OpenSSL FIPS 2.0
  603      object module. It is a hybrid deterministic random bit generator
  604      using an AES-CTR bit stream and which seeds and reseeds itself
  605      automatically using trusted system entropy sources.
  606 
  607      Some of its new features are:
  608       o Support for multiple DRBG instances with seed chaining.
  609       o The default RAND method makes use of a DRBG.
  610       o There is a public and private DRBG instance.
  611       o The DRBG instances are fork-safe.
  612       o Keep all global DRBG instances on the secure heap if it is enabled.
  613       o The public and private DRBG instance are per thread for lock free
  614         operation
  615      [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
  616 
  617   *) Changed Configure so it only says what it does and doesn't dump
  618      so much data.  Instead, ./configdata.pm should be used as a script
  619      to display all sorts of configuration data.
  620      [Richard Levitte]
  621 
  622   *) Added processing of "make variables" to Configure.
  623      [Richard Levitte]
  624 
  625   *) Added SHA512/224 and SHA512/256 algorithm support.
  626      [Paul Dale]
  627 
  628   *) The last traces of Netware support, first removed in 1.1.0, have
  629      now been removed.
  630      [Rich Salz]
  631 
  632   *) Get rid of Makefile.shared, and in the process, make the processing
  633      of certain files (rc.obj, or the .def/.map/.opt files produced from
  634      the ordinal files) more visible and hopefully easier to trace and
  635      debug (or make silent).
  636      [Richard Levitte]
  637 
  638   *) Make it possible to have environment variable assignments as
  639      arguments to config / Configure.
  640      [Richard Levitte]
  641 
  642   *) Add multi-prime RSA (RFC 8017) support.
  643      [Paul Yang]
  644 
  645   *) Add SM3 implemented according to GB/T 32905-2016
  646      [ Jack Lloyd <jack.lloyd@ribose.com>,
  647        Ronald Tse <ronald.tse@ribose.com>,
  648        Erick Borsboom <erick.borsboom@ribose.com> ]
  649 
  650   *) Add 'Maximum Fragment Length' TLS extension negotiation and support
  651      as documented in RFC6066.
  652      Based on a patch from Tomasz Moń
  653      [Filipe Raimundo da Silva]
  654 
  655   *) Add SM4 implemented according to GB/T 32907-2016.
  656      [ Jack Lloyd <jack.lloyd@ribose.com>,
  657        Ronald Tse <ronald.tse@ribose.com>,
  658        Erick Borsboom <erick.borsboom@ribose.com> ]
  659 
  660   *) Reimplement -newreq-nodes and ERR_error_string_n; the
  661      original author does not agree with the license change.
  662      [Rich Salz]
  663 
  664   *) Add ARIA AEAD TLS support.
  665      [Jon Spillett]
  666 
  667   *) Some macro definitions to support VS6 have been removed.  Visual
  668      Studio 6 has not worked since 1.1.0
  669      [Rich Salz]
  670 
  671   *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
  672      without clearing the errors.
  673      [Richard Levitte]
  674 
  675   *) Add "atfork" functions.  If building on a system that without
  676      pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
  677      requirements.  The RAND facility now uses/requires this.
  678      [Rich Salz]
  679 
  680   *) Add SHA3.
  681      [Andy Polyakov]
  682 
  683   *) The UI API becomes a permanent and integral part of libcrypto, i.e.
  684      not possible to disable entirely.  However, it's still possible to
  685      disable the console reading UI method, UI_OpenSSL() (use UI_null()
  686      as a fallback).
  687 
  688      To disable, configure with 'no-ui-console'.  'no-ui' is still
  689      possible to use as an alias.  Check at compile time with the
  690      macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
  691      possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
  692      [Richard Levitte]
  693 
  694   *) Add a STORE module, which implements a uniform and URI based reader of
  695      stores that can contain keys, certificates, CRLs and numerous other
  696      objects.  The main API is loosely based on a few stdio functions,
  697      and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
  698      OSSL_STORE_error and OSSL_STORE_close.
  699      The implementation uses backends called "loaders" to implement arbitrary
  700      URI schemes.  There is one built in "loader" for the 'file' scheme.
  701      [Richard Levitte]
  702 
  703   *) Add devcrypto engine.  This has been implemented against cryptodev-linux,
  704      then adjusted to work on FreeBSD 8.4 as well.
  705      Enable by configuring with 'enable-devcryptoeng'.  This is done by default
  706      on BSD implementations, as cryptodev.h is assumed to exist on all of them.
  707      [Richard Levitte]
  708 
  709   *) Module names can prefixed with OSSL_ or OPENSSL_.  This affects
  710      util/mkerr.pl, which is adapted to allow those prefixes, leading to
  711      error code calls like this:
  712 
  713          OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
  714 
  715      With this change, we claim the namespaces OSSL and OPENSSL in a manner
  716      that can be encoded in C.  For the foreseeable future, this will only
  717      affect new modules.
  718      [Richard Levitte and Tim Hudson]
  719 
  720   *) Removed BSD cryptodev engine.
  721      [Rich Salz]
  722 
  723   *) Add a build target 'build_all_generated', to build all generated files
  724      and only that.  This can be used to prepare everything that requires
  725      things like perl for a system that lacks perl and then move everything
  726      to that system and do the rest of the build there.
  727      [Richard Levitte]
  728 
  729   *) In the UI interface, make it possible to duplicate the user data.  This
  730      can be used by engines that need to retain the data for a longer time
  731      than just the call where this user data is passed.
  732      [Richard Levitte]
  733 
  734   *) Ignore the '-named_curve auto' value for compatibility of applications
  735      with OpenSSL 1.0.2.
  736      [Tomas Mraz <tmraz@fedoraproject.org>]
  737 
  738   *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
  739      bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
  740      alerts across multiple records (some of which could be empty). In practice
  741      it make no sense to send an empty alert record, or to fragment one. TLSv1.3
  742      prohibits this altogether and other libraries (BoringSSL, NSS) do not
  743      support this at all. Supporting it adds significant complexity to the
  744      record layer, and its removal is unlikely to cause interoperability
  745      issues.
  746      [Matt Caswell]
  747 
  748   *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
  749      with Z.  These are meant to replace LONG and ZLONG and to be size safe.
  750      The use of LONG and ZLONG is discouraged and scheduled for deprecation
  751      in OpenSSL 1.2.0.
  752      [Richard Levitte]
  753 
  754   *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
  755      'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
  756      [Richard Levitte, Andy Polyakov]
  757 
  758   *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
  759      does for RSA, etc.
  760      [Richard Levitte]
  761 
  762   *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
  763      platform rather than 'mingw'.
  764      [Richard Levitte]
  765 
  766   *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
  767      success if they are asked to add an object which already exists
  768      in the store. This change cascades to other functions which load
  769      certificates and CRLs.
  770      [Paul Dale]
  771 
  772   *) x86_64 assembly pack: annotate code with DWARF CFI directives to
  773      facilitate stack unwinding even from assembly subroutines.
  774      [Andy Polyakov]
  775 
  776   *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
  777      Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
  778      [Richard Levitte]
  779 
  780   *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
  781      VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
  782      which is the minimum version we support.
  783      [Richard Levitte]
  784 
  785   *) Certificate time validation (X509_cmp_time) enforces stricter
  786      compliance with RFC 5280. Fractional seconds and timezone offsets
  787      are no longer allowed.
  788      [Emilia Käsper]
  789 
  790   *) Add support for ARIA
  791      [Paul Dale]
  792 
  793   *) s_client will now send the Server Name Indication (SNI) extension by
  794      default unless the new "-noservername" option is used. The server name is
  795      based on the host provided to the "-connect" option unless overridden by
  796      using "-servername".
  797      [Matt Caswell]
  798 
  799   *) Add support for SipHash
  800      [Todd Short]
  801 
  802   *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
  803      or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
  804      prevent issues where no progress is being made and the peer continually
  805      sends unrecognised record types, using up resources processing them.
  806      [Matt Caswell]
  807 
  808   *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
  809      using the algorithm defined in
  810      https://www.akkadia.org/drepper/SHA-crypt.txt
  811      [Richard Levitte]
  812 
  813   *) Heartbeat support has been removed; the ABI is changed for now.
  814      [Richard Levitte, Rich Salz]
  815 
  816   *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
  817      [Emilia Käsper]
  818 
  819   *) The RSA "null" method, which was partially supported to avoid patent
  820      issues, has been replaced to always returns NULL.
  821      [Rich Salz]
  822 
  823 
  824  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
  825 
  826   *) Client DoS due to large DH parameter
  827 
  828      During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  829      malicious server can send a very large prime value to the client. This will
  830      cause the client to spend an unreasonably long period of time generating a
  831      key for this prime resulting in a hang until the client has finished. This
  832      could be exploited in a Denial Of Service attack.
  833 
  834      This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
  835      (CVE-2018-0732)
  836      [Guido Vranken]
  837 
  838   *) Cache timing vulnerability in RSA Key Generation
  839 
  840      The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  841      a cache timing side channel attack. An attacker with sufficient access to
  842      mount cache timing attacks during the RSA key generation process could
  843      recover the private key.
  844 
  845      This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
  846      Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
  847      (CVE-2018-0737)
  848      [Billy Brumley]
  849 
  850   *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  851      parameter is no longer accepted, as it leads to a corrupt table.  NULL
  852      pem_str is reserved for alias entries only.
  853      [Richard Levitte]
  854 
  855   *) Revert blinding in ECDSA sign and instead make problematic addition
  856      length-invariant. Switch even to fixed-length Montgomery multiplication.
  857      [Andy Polyakov]
  858 
  859   *) Change generating and checking of primes so that the error rate of not
  860      being prime depends on the intended use based on the size of the input.
  861      For larger primes this will result in more rounds of Miller-Rabin.
  862      The maximal error rate for primes with more than 1080 bits is lowered
  863      to 2^-128.
  864      [Kurt Roeckx, Annie Yousar]
  865 
  866   *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  867      [Kurt Roeckx]
  868 
  869   *) Add blinding to ECDSA and DSA signatures to protect against side channel
  870      attacks discovered by Keegan Ryan (NCC Group).
  871      [Matt Caswell]
  872 
  873   *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  874      now allow empty (zero character) pass phrases.
  875      [Richard Levitte]
  876 
  877   *) Certificate time validation (X509_cmp_time) enforces stricter
  878      compliance with RFC 5280. Fractional seconds and timezone offsets
  879      are no longer allowed.
  880      [Emilia Käsper]
  881 
  882   *) Fixed a text canonicalisation bug in CMS
  883 
  884      Where a CMS detached signature is used with text content the text goes
  885      through a canonicalisation process first prior to signing or verifying a
  886      signature. This process strips trailing space at the end of lines, converts
  887      line terminators to CRLF and removes additional trailing line terminators
  888      at the end of a file. A bug in the canonicalisation process meant that
  889      some characters, such as form-feed, were incorrectly treated as whitespace
  890      and removed. This is contrary to the specification (RFC5485). This fix
  891      could mean that detached text data signed with an earlier version of
  892      OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
  893      signed with a fixed OpenSSL may fail to verify with an earlier version of
  894      OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
  895      and use the "-binary" flag (for the "cms" command line application) or set
  896      the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
  897      [Matt Caswell]
  898 
  899  Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
  900 
  901   *) Constructed ASN.1 types with a recursive definition could exceed the stack
  902 
  903      Constructed ASN.1 types with a recursive definition (such as can be found
  904      in PKCS7) could eventually exceed the stack given malicious input with
  905      excessive recursion. This could result in a Denial Of Service attack. There
  906      are no such structures used within SSL/TLS that come from untrusted sources
  907      so this is considered safe.
  908 
  909      This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
  910      project.
  911      (CVE-2018-0739)
  912      [Matt Caswell]
  913 
  914   *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
  915 
  916      Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
  917      effectively reduced to only comparing the least significant bit of each
  918      byte. This allows an attacker to forge messages that would be considered as
  919      authenticated in an amount of tries lower than that guaranteed by the
  920      security claims of the scheme. The module can only be compiled by the
  921      HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
  922 
  923      This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
  924      (IBM).
  925      (CVE-2018-0733)
  926      [Andy Polyakov]
  927 
  928   *) Add a build target 'build_all_generated', to build all generated files
  929      and only that.  This can be used to prepare everything that requires
  930      things like perl for a system that lacks perl and then move everything
  931      to that system and do the rest of the build there.
  932      [Richard Levitte]
  933 
  934   *) Backport SSL_OP_NO_RENGOTIATION
  935 
  936      OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
  937      (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
  938      changes this is no longer possible in 1.1.0. Therefore the new
  939      SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
  940      1.1.0 to provide equivalent functionality.
  941 
  942      Note that if an application built against 1.1.0h headers (or above) is run
  943      using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
  944      accepted but nothing will happen, i.e. renegotiation will not be prevented.
  945      [Matt Caswell]
  946 
  947   *) Removed the OS390-Unix config target.  It relied on a script that doesn't
  948      exist.
  949      [Rich Salz]
  950 
  951   *) rsaz_1024_mul_avx2 overflow bug on x86_64
  952 
  953      There is an overflow bug in the AVX2 Montgomery multiplication procedure
  954      used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
  955      Analysis suggests that attacks against RSA and DSA as a result of this
  956      defect would be very difficult to perform and are not believed likely.
  957      Attacks against DH1024 are considered just feasible, because most of the
  958      work necessary to deduce information about a private key may be performed
  959      offline. The amount of resources required for such an attack would be
  960      significant. However, for an attack on TLS to be meaningful, the server
  961      would have to share the DH1024 private key among multiple clients, which is
  962      no longer an option since CVE-2016-0701.
  963 
  964      This only affects processors that support the AVX2 but not ADX extensions
  965      like Intel Haswell (4th generation).
  966 
  967      This issue was reported to OpenSSL by David Benjamin (Google). The issue
  968      was originally found via the OSS-Fuzz project.
  969      (CVE-2017-3738)
  970      [Andy Polyakov]
  971 
  972  Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
  973 
  974   *) bn_sqrx8x_internal carry bug on x86_64
  975 
  976      There is a carry propagating bug in the x86_64 Montgomery squaring
  977      procedure. No EC algorithms are affected. Analysis suggests that attacks
  978      against RSA and DSA as a result of this defect would be very difficult to
  979      perform and are not believed likely. Attacks against DH are considered just
  980      feasible (although very difficult) because most of the work necessary to
  981      deduce information about a private key may be performed offline. The amount
  982      of resources required for such an attack would be very significant and
  983      likely only accessible to a limited number of attackers. An attacker would
  984      additionally need online access to an unpatched system using the target
  985      private key in a scenario with persistent DH parameters and a private
  986      key that is shared between multiple clients.
  987 
  988      This only affects processors that support the BMI1, BMI2 and ADX extensions
  989      like Intel Broadwell (5th generation) and later or AMD Ryzen.
  990 
  991      This issue was reported to OpenSSL by the OSS-Fuzz project.
  992      (CVE-2017-3736)
  993      [Andy Polyakov]
  994 
  995   *) Malformed X.509 IPAddressFamily could cause OOB read
  996 
  997      If an X.509 certificate has a malformed IPAddressFamily extension,
  998      OpenSSL could do a one-byte buffer overread. The most likely result
  999      would be an erroneous display of the certificate in text format.
 1000 
 1001      This issue was reported to OpenSSL by the OSS-Fuzz project.
 1002      (CVE-2017-3735)
 1003      [Rich Salz]
 1004 
 1005  Changes between 1.1.0e and 1.1.0f [25 May 2017]
 1006 
 1007   *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
 1008      platform rather than 'mingw'.
 1009      [Richard Levitte]
 1010 
 1011   *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
 1012      VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
 1013      which is the minimum version we support.
 1014      [Richard Levitte]
 1015 
 1016  Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
 1017 
 1018   *) Encrypt-Then-Mac renegotiation crash
 1019 
 1020      During a renegotiation handshake if the Encrypt-Then-Mac extension is
 1021      negotiated where it was not in the original handshake (or vice-versa) then
 1022      this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
 1023      and servers are affected.
 1024 
 1025      This issue was reported to OpenSSL by Joe Orton (Red Hat).
 1026      (CVE-2017-3733)
 1027      [Matt Caswell]
 1028 
 1029  Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
 1030 
 1031   *) Truncated packet could crash via OOB read
 1032 
 1033      If one side of an SSL/TLS path is running on a 32-bit host and a specific
 1034      cipher is being used, then a truncated packet can cause that host to
 1035      perform an out-of-bounds read, usually resulting in a crash.
 1036 
 1037      This issue was reported to OpenSSL by Robert Święcki of Google.
 1038      (CVE-2017-3731)
 1039      [Andy Polyakov]
 1040 
 1041   *) Bad (EC)DHE parameters cause a client crash
 1042 
 1043      If a malicious server supplies bad parameters for a DHE or ECDHE key
 1044      exchange then this can result in the client attempting to dereference a
 1045      NULL pointer leading to a client crash. This could be exploited in a Denial
 1046      of Service attack.
 1047 
 1048      This issue was reported to OpenSSL by Guido Vranken.
 1049      (CVE-2017-3730)
 1050      [Matt Caswell]
 1051 
 1052   *) BN_mod_exp may produce incorrect results on x86_64
 1053 
 1054      There is a carry propagating bug in the x86_64 Montgomery squaring
 1055      procedure. No EC algorithms are affected. Analysis suggests that attacks
 1056      against RSA and DSA as a result of this defect would be very difficult to
 1057      perform and are not believed likely. Attacks against DH are considered just
 1058      feasible (although very difficult) because most of the work necessary to
 1059      deduce information about a private key may be performed offline. The amount
 1060      of resources required for such an attack would be very significant and
 1061      likely only accessible to a limited number of attackers. An attacker would
 1062      additionally need online access to an unpatched system using the target
 1063      private key in a scenario with persistent DH parameters and a private
 1064      key that is shared between multiple clients. For example this can occur by
 1065      default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
 1066      similar to CVE-2015-3193 but must be treated as a separate problem.
 1067 
 1068      This issue was reported to OpenSSL by the OSS-Fuzz project.
 1069      (CVE-2017-3732)
 1070      [Andy Polyakov]
 1071 
 1072  Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
 1073 
 1074   *) ChaCha20/Poly1305 heap-buffer-overflow
 1075 
 1076      TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
 1077      a DoS attack by corrupting larger payloads. This can result in an OpenSSL
 1078      crash. This issue is not considered to be exploitable beyond a DoS.
 1079 
 1080      This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
 1081      (CVE-2016-7054)
 1082      [Richard Levitte]
 1083 
 1084   *) CMS Null dereference
 1085 
 1086      Applications parsing invalid CMS structures can crash with a NULL pointer
 1087      dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
 1088      type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
 1089      structure callback if an attempt is made to free certain invalid encodings.
 1090      Only CHOICE structures using a callback which do not handle NULL value are
 1091      affected.
 1092 
 1093      This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
 1094      (CVE-2016-7053)
 1095      [Stephen Henson]
 1096 
 1097   *) Montgomery multiplication may produce incorrect results
 1098 
 1099      There is a carry propagating bug in the Broadwell-specific Montgomery
 1100      multiplication procedure that handles input lengths divisible by, but
 1101      longer than 256 bits. Analysis suggests that attacks against RSA, DSA
 1102      and DH private keys are impossible. This is because the subroutine in
 1103      question is not used in operations with the private key itself and an input
 1104      of the attacker's direct choice. Otherwise the bug can manifest itself as
 1105      transient authentication and key negotiation failures or reproducible
 1106      erroneous outcome of public-key operations with specially crafted input.
 1107      Among EC algorithms only Brainpool P-512 curves are affected and one
 1108      presumably can attack ECDH key negotiation. Impact was not analyzed in
 1109      detail, because pre-requisites for attack are considered unlikely. Namely
 1110      multiple clients have to choose the curve in question and the server has to
 1111      share the private key among them, neither of which is default behaviour.
 1112      Even then only clients that chose the curve will be affected.
 1113 
 1114      This issue was publicly reported as transient failures and was not
 1115      initially recognized as a security issue. Thanks to Richard Morgan for
 1116      providing reproducible case.
 1117      (CVE-2016-7055)
 1118      [Andy Polyakov]
 1119 
 1120   *) Removed automatic addition of RPATH in shared libraries and executables,
 1121      as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
 1122      [Richard Levitte]
 1123 
 1124  Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
 1125 
 1126   *) Fix Use After Free for large message sizes
 1127 
 1128      The patch applied to address CVE-2016-6307 resulted in an issue where if a
 1129      message larger than approx 16k is received then the underlying buffer to
 1130      store the incoming message is reallocated and moved. Unfortunately a
 1131      dangling pointer to the old location is left which results in an attempt to
 1132      write to the previously freed location. This is likely to result in a
 1133      crash, however it could potentially lead to execution of arbitrary code.
 1134 
 1135      This issue only affects OpenSSL 1.1.0a.
 1136 
 1137      This issue was reported to OpenSSL by Robert Święcki.
 1138      (CVE-2016-6309)
 1139      [Matt Caswell]
 1140 
 1141  Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
 1142 
 1143   *) OCSP Status Request extension unbounded memory growth
 1144 
 1145      A malicious client can send an excessively large OCSP Status Request
 1146      extension. If that client continually requests renegotiation, sending a
 1147      large OCSP Status Request extension each time, then there will be unbounded
 1148      memory growth on the server. This will eventually lead to a Denial Of
 1149      Service attack through memory exhaustion. Servers with a default
 1150      configuration are vulnerable even if they do not support OCSP. Builds using
 1151      the "no-ocsp" build time option are not affected.
 1152 
 1153      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
 1154      (CVE-2016-6304)
 1155      [Matt Caswell]
 1156 
 1157   *) SSL_peek() hang on empty record
 1158 
 1159      OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
 1160      sends an empty record. This could be exploited by a malicious peer in a
 1161      Denial Of Service attack.
 1162 
 1163      This issue was reported to OpenSSL by Alex Gaynor.
 1164      (CVE-2016-6305)
 1165      [Matt Caswell]
 1166 
 1167   *) Excessive allocation of memory in tls_get_message_header() and
 1168      dtls1_preprocess_fragment()
 1169 
 1170      A (D)TLS message includes 3 bytes for its length in the header for the
 1171      message. This would allow for messages up to 16Mb in length. Messages of
 1172      this length are excessive and OpenSSL includes a check to ensure that a
 1173      peer is sending reasonably sized messages in order to avoid too much memory
 1174      being consumed to service a connection. A flaw in the logic of version
 1175      1.1.0 means that memory for the message is allocated too early, prior to
 1176      the excessive message length check. Due to way memory is allocated in
 1177      OpenSSL this could mean an attacker could force up to 21Mb to be allocated
 1178      to service a connection. This could lead to a Denial of Service through
 1179      memory exhaustion. However, the excessive message length check still takes
 1180      place, and this would cause the connection to immediately fail. Assuming
 1181      that the application calls SSL_free() on the failed connection in a timely
 1182      manner then the 21Mb of allocated memory will then be immediately freed
 1183      again. Therefore the excessive memory allocation will be transitory in
 1184      nature. This then means that there is only a security impact if:
 1185 
 1186      1) The application does not call SSL_free() in a timely manner in the event
 1187      that the connection fails
 1188      or
 1189      2) The application is working in a constrained environment where there is
 1190      very little free memory
 1191      or
 1192      3) The attacker initiates multiple connection attempts such that there are
 1193      multiple connections in a state where memory has been allocated for the
 1194      connection; SSL_free() has not yet been called; and there is insufficient
 1195      memory to service the multiple requests.
 1196 
 1197      Except in the instance of (1) above any Denial Of Service is likely to be
 1198      transitory because as soon as the connection fails the memory is
 1199      subsequently freed again in the SSL_free() call. However there is an
 1200      increased risk during this period of application crashes due to the lack of
 1201      memory - which would then mean a more serious Denial of Service.
 1202 
 1203      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
 1204      (CVE-2016-6307 and CVE-2016-6308)
 1205      [Matt Caswell]
 1206 
 1207   *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
 1208      had to be removed. Primary reason is that vendor assembler can't
 1209      assemble our modules with -KPIC flag. As result it, assembly
 1210      support, was not even available as option. But its lack means
 1211      lack of side-channel resistant code, which is incompatible with
 1212      security by todays standards. Fortunately gcc is readily available
 1213      prepackaged option, which we firmly point at...
 1214      [Andy Polyakov]
 1215 
 1216  Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
 1217 
 1218   *) Windows command-line tool supports UTF-8 opt-in option for arguments
 1219      and console input. Setting OPENSSL_WIN32_UTF8 environment variable
 1220      (to any value) allows Windows user to access PKCS#12 file generated
 1221      with Windows CryptoAPI and protected with non-ASCII password, as well
 1222      as files generated under UTF-8 locale on Linux also protected with
 1223      non-ASCII password.
 1224      [Andy Polyakov]
 1225 
 1226   *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
 1227      have been disabled by default and removed from DEFAULT, just like RC4.
 1228      See the RC4 item below to re-enable both.
 1229      [Rich Salz]
 1230 
 1231   *) The method for finding the storage location for the Windows RAND seed file
 1232      has changed. First we check %RANDFILE%. If that is not set then we check
 1233      the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
 1234      all else fails we fall back to C:\.
 1235      [Matt Caswell]
 1236 
 1237   *) The EVP_EncryptUpdate() function has had its return type changed from void
 1238      to int. A return of 0 indicates and error while a return of 1 indicates
 1239      success.
 1240      [Matt Caswell]
 1241 
 1242   *) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
 1243      DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
 1244      off the constant time implementation for RSA, DSA and DH have been made
 1245      no-ops and deprecated.
 1246      [Matt Caswell]
 1247 
 1248   *) Windows RAND implementation was simplified to only get entropy by
 1249      calling CryptGenRandom(). Various other RAND-related tickets
 1250      were also closed.
 1251      [Joseph Wylie Yandle, Rich Salz]
 1252 
 1253   *) The stack and lhash API's were renamed to start with OPENSSL_SK_
 1254      and OPENSSL_LH_, respectively.  The old names are available
 1255      with API compatibility.  They new names are now completely documented.
 1256      [Rich Salz]
 1257 
 1258   *) Unify TYPE_up_ref(obj) methods signature.
 1259      SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
 1260      X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
 1261      int (instead of void) like all others TYPE_up_ref() methods.
 1262      So now these methods also check the return value of CRYPTO_atomic_add(),
 1263      and the validity of object reference counter.
 1264      [fdasilvayy@gmail.com]
 1265 
 1266   *) With Windows Visual Studio builds, the .pdb files are installed
 1267      alongside the installed libraries and executables.  For a static
 1268      library installation, ossl_static.pdb is the associate compiler
 1269      generated .pdb file to be used when linking programs.
 1270      [Richard Levitte]
 1271 
 1272   *) Remove openssl.spec.  Packaging files belong with the packagers.
 1273      [Richard Levitte]
 1274 
 1275   *) Automatic Darwin/OSX configuration has had a refresh, it will now
 1276      recognise x86_64 architectures automatically.  You can still decide
 1277      to build for a different bitness with the environment variable
 1278      KERNEL_BITS (can be 32 or 64), for example:
 1279 
 1280          KERNEL_BITS=32 ./config
 1281 
 1282      [Richard Levitte]
 1283 
 1284   *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
 1285      256 bit AES and HMAC with SHA256.
 1286      [Steve Henson]
 1287 
 1288   *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
 1289      [Andy Polyakov]
 1290 
 1291   *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
 1292      [Rich Salz]
 1293 
 1294   *) To enable users to have their own config files and build file templates,
 1295      Configure looks in the directory indicated by the environment variable
 1296      OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
 1297      directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
 1298      name and is used as is.
 1299      [Richard Levitte]
 1300 
 1301   *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
 1302      X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
 1303      X509_CERT_FILE_CTX was removed.
 1304      [Rich Salz]
 1305 
 1306   *) "shared" builds are now the default. To create only static libraries use
 1307      the "no-shared" Configure option.
 1308      [Matt Caswell]
 1309 
 1310   *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
 1311      All of these option have not worked for some while and are fundamental
 1312      algorithms.
 1313      [Matt Caswell]
 1314 
 1315   *) Make various cleanup routines no-ops and mark them as deprecated. Most
 1316      global cleanup functions are no longer required because they are handled
 1317      via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
 1318      Explicitly de-initing can cause problems (e.g. where a library that uses
 1319      OpenSSL de-inits, but an application is still using it). The affected
 1320      functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
 1321      EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
 1322      RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
 1323      COMP_zlib_cleanup().
 1324      [Matt Caswell]
 1325 
 1326   *) --strict-warnings no longer enables runtime debugging options
 1327      such as REF_DEBUG. Instead, debug options are automatically
 1328      enabled with '--debug' builds.
 1329      [Andy Polyakov, Emilia Käsper]
 1330 
 1331   *) Made DH and DH_METHOD opaque. The structures for managing DH objects
 1332      have been moved out of the public header files. New functions for managing
 1333      these have been added.
 1334      [Matt Caswell]
 1335 
 1336   *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
 1337      objects have been moved out of the public header files. New
 1338      functions for managing these have been added.
 1339      [Richard Levitte]
 1340 
 1341   *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
 1342      have been moved out of the public header files. New functions for managing
 1343      these have been added.
 1344      [Matt Caswell]
 1345 
 1346   *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
 1347      moved out of the public header files. New functions for managing these
 1348      have been added.
 1349      [Matt Caswell]
 1350 
 1351   *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
 1352      [Matt Caswell]
 1353 
 1354   *) Removed the mk1mf build scripts.
 1355      [Richard Levitte]
 1356 
 1357   *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
 1358      it is always safe to #include a header now.
 1359      [Rich Salz]
 1360 
 1361   *) Removed the aged BC-32 config and all its supporting scripts
 1362      [Richard Levitte]
 1363 
 1364   *) Removed support for Ultrix, Netware, and OS/2.
 1365      [Rich Salz]
 1366 
 1367   *) Add support for HKDF.
 1368      [Alessandro Ghedini]
 1369 
 1370   *) Add support for blake2b and blake2s
 1371      [Bill Cox]
 1372 
 1373   *) Added support for "pipelining". Ciphers that have the
 1374      EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
 1375      encryptions/decryptions simultaneously. There are currently no built-in
 1376      ciphers with this property but the expectation is that engines will be able
 1377      to offer it to significantly improve throughput. Support has been extended
 1378      into libssl so that multiple records for a single connection can be
 1379      processed in one go (for >=TLS 1.1).
 1380      [Matt Caswell]
 1381 
 1382   *) Added the AFALG engine. This is an async capable engine which is able to
 1383      offload work to the Linux kernel. In this initial version it only supports
 1384      AES128-CBC. The kernel must be version 4.1.0 or greater.
 1385      [Catriona Lucey]
 1386 
 1387   *) OpenSSL now uses a new threading API. It is no longer necessary to
 1388      set locking callbacks to use OpenSSL in a multi-threaded environment. There
 1389      are two supported threading models: pthreads and windows threads. It is
 1390      also possible to configure OpenSSL at compile time for "no-threads". The
 1391      old threading API should no longer be used. The functions have been
 1392      replaced with "no-op" compatibility macros.
 1393      [Alessandro Ghedini, Matt Caswell]
 1394 
 1395   *) Modify behavior of ALPN to invoke callback after SNI/servername
 1396      callback, such that updates to the SSL_CTX affect ALPN.
 1397      [Todd Short]
 1398 
 1399   *) Add SSL_CIPHER queries for authentication and key-exchange.
 1400      [Todd Short]
 1401 
 1402   *) Changes to the DEFAULT cipherlist:
 1403        - Prefer (EC)DHE handshakes over plain RSA.
 1404        - Prefer AEAD ciphers over legacy ciphers.
 1405        - Prefer ECDSA over RSA when both certificates are available.
 1406        - Prefer TLSv1.2 ciphers/PRF.
 1407        - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
 1408          default cipherlist.
 1409      [Emilia Käsper]
 1410 
 1411   *) Change the ECC default curve list to be this, in order: x25519,
 1412      secp256r1, secp521r1, secp384r1.
 1413      [Rich Salz]
 1414 
 1415   *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
 1416      disabled by default. They can be re-enabled using the
 1417      enable-weak-ssl-ciphers option to Configure.
 1418      [Matt Caswell]
 1419 
 1420   *) If the server has ALPN configured, but supports no protocols that the
 1421      client advertises, send a fatal "no_application_protocol" alert.
 1422      This behaviour is SHALL in RFC 7301, though it isn't universally
 1423      implemented by other servers.
 1424      [Emilia Käsper]
 1425 
 1426   *) Add X25519 support.
 1427      Add ASN.1 and EVP_PKEY methods for X25519. This includes support
 1428      for public and private key encoding using the format documented in
 1429      draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
 1430      key generation and key derivation.
 1431 
 1432      TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
 1433      X25519(29).
 1434      [Steve Henson]
 1435 
 1436   *) Deprecate SRP_VBASE_get_by_user.
 1437      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
 1438      In order to fix an unavoidable memory leak (CVE-2016-0798),
 1439      SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
 1440      seed, even if the seed is configured.
 1441 
 1442      Users should use SRP_VBASE_get1_by_user instead. Note that in
 1443      SRP_VBASE_get1_by_user, caller must free the returned value. Note
 1444      also that even though configuring the SRP seed attempts to hide
 1445      invalid usernames by continuing the handshake with fake
 1446      credentials, this behaviour is not constant time and no strong
 1447      guarantees are made that the handshake is indistinguishable from
 1448      that of a valid user.
 1449      [Emilia Käsper]
 1450 
 1451   *) Configuration change; it's now possible to build dynamic engines
 1452      without having to build shared libraries and vice versa.  This
 1453      only applies to the engines in engines/, those in crypto/engine/
 1454      will always be built into libcrypto (i.e. "static").
 1455 
 1456      Building dynamic engines is enabled by default; to disable, use
 1457      the configuration option "disable-dynamic-engine".
 1458 
 1459      The only requirements for building dynamic engines are the
 1460      presence of the DSO module and building with position independent
 1461      code, so they will also automatically be disabled if configuring
 1462      with "disable-dso" or "disable-pic".
 1463 
 1464      The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
 1465      are also taken away from openssl/opensslconf.h, as they are
 1466      irrelevant.
 1467      [Richard Levitte]
 1468 
 1469   *) Configuration change; if there is a known flag to compile
 1470      position independent code, it will always be applied on the
 1471      libcrypto and libssl object files, and never on the application
 1472      object files.  This means other libraries that use routines from
 1473      libcrypto / libssl can be made into shared libraries regardless
 1474      of how OpenSSL was configured.
 1475 
 1476      If this isn't desirable, the configuration options "disable-pic"
 1477      or "no-pic" can be used to disable the use of PIC.  This will
 1478      also disable building shared libraries and dynamic engines.
 1479      [Richard Levitte]
 1480 
 1481   *) Removed JPAKE code.  It was experimental and has no wide use.
 1482      [Rich Salz]
 1483 
 1484   *) The INSTALL_PREFIX Makefile variable has been renamed to
 1485      DESTDIR.  That makes for less confusion on what this variable
 1486      is for.  Also, the configuration option --install_prefix is
 1487      removed.
 1488      [Richard Levitte]
 1489 
 1490   *) Heartbeat for TLS has been removed and is disabled by default
 1491      for DTLS; configure with enable-heartbeats.  Code that uses the
 1492      old #define's might need to be updated.
 1493      [Emilia Käsper, Rich Salz]
 1494 
 1495   *) Rename REF_CHECK to REF_DEBUG.
 1496      [Rich Salz]
 1497 
 1498   *) New "unified" build system
 1499 
 1500      The "unified" build system is aimed to be a common system for all
 1501      platforms we support.  With it comes new support for VMS.
 1502 
 1503      This system builds supports building in a different directory tree
 1504      than the source tree.  It produces one Makefile (for unix family
 1505      or lookalikes), or one descrip.mms (for VMS).
 1506 
 1507      The source of information to make the Makefile / descrip.mms is
 1508      small files called 'build.info', holding the necessary
 1509      information for each directory with source to compile, and a
 1510      template in Configurations, like unix-Makefile.tmpl or
 1511      descrip.mms.tmpl.
 1512 
 1513      With this change, the library names were also renamed on Windows
 1514      and on VMS.  They now have names that are closer to the standard
 1515      on Unix, and include the major version number, and in certain
 1516      cases, the architecture they are built for.  See "Notes on shared
 1517      libraries" in INSTALL.
 1518 
 1519      We rely heavily on the perl module Text::Template.
 1520      [Richard Levitte]
 1521 
 1522   *) Added support for auto-initialisation and de-initialisation of the library.
 1523      OpenSSL no longer requires explicit init or deinit routines to be called,
 1524      except in certain circumstances. See the OPENSSL_init_crypto() and
 1525      OPENSSL_init_ssl() man pages for further information.
 1526      [Matt Caswell]
 1527 
 1528   *) The arguments to the DTLSv1_listen function have changed. Specifically the
 1529      "peer" argument is now expected to be a BIO_ADDR object.
 1530 
 1531   *) Rewrite of BIO networking library. The BIO library lacked consistent
 1532      support of IPv6, and adding it required some more extensive
 1533      modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
 1534      which hold all types of addresses and chains of address information.
 1535      It also introduces a new API, with functions like BIO_socket,
 1536      BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
 1537      The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
 1538      have been adapted accordingly.
 1539      [Richard Levitte]
 1540 
 1541   *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
 1542      the leading 0-byte.
 1543      [Emilia Käsper]
 1544 
 1545   *) CRIME protection: disable compression by default, even if OpenSSL is
 1546      compiled with zlib enabled. Applications can still enable compression
 1547      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
 1548      using the SSL_CONF library to configure compression.
 1549      [Emilia Käsper]
 1550 
 1551   *) The signature of the session callback configured with
 1552      SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
 1553      was explicitly marked as 'const unsigned char*' instead of
 1554      'unsigned char*'.
 1555      [Emilia Käsper]
 1556 
 1557   *) Always DPURIFY. Remove the use of uninitialized memory in the
 1558      RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
 1559      [Emilia Käsper]
 1560 
 1561   *) Removed many obsolete configuration items, including
 1562         DES_PTR, DES_RISC1, DES_RISC2, DES_INT
 1563         MD2_CHAR, MD2_INT, MD2_LONG
 1564         BF_PTR, BF_PTR2
 1565         IDEA_SHORT, IDEA_LONG
 1566         RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
 1567      [Rich Salz, with advice from Andy Polyakov]
 1568 
 1569   *) Many BN internals have been moved to an internal header file.
 1570      [Rich Salz with help from Andy Polyakov]
 1571 
 1572   *) Configuration and writing out the results from it has changed.
 1573      Files such as Makefile include/openssl/opensslconf.h and are now
 1574      produced through general templates, such as Makefile.in and
 1575      crypto/opensslconf.h.in and some help from the perl module
 1576      Text::Template.
 1577 
 1578      Also, the center of configuration information is no longer
 1579      Makefile.  Instead, Configure produces a perl module in
 1580      configdata.pm which holds most of the config data (in the hash
 1581      table %config), the target data that comes from the target
 1582      configuration in one of the Configurations/*.conf files (in
 1583      %target).
 1584      [Richard Levitte]
 1585 
 1586   *) To clarify their intended purposes, the Configure options
 1587      --prefix and --openssldir change their semantics, and become more
 1588      straightforward and less interdependent.
 1589 
 1590      --prefix shall be used exclusively to give the location INSTALLTOP
 1591      where programs, scripts, libraries, include files and manuals are
 1592      going to be installed.  The default is now /usr/local.
 1593 
 1594      --openssldir shall be used exclusively to give the default
 1595      location OPENSSLDIR where certificates, private keys, CRLs are
 1596      managed.  This is also where the default openssl.cnf gets
 1597      installed.
 1598      If the directory given with this option is a relative path, the
 1599      values of both the --prefix value and the --openssldir value will
 1600      be combined to become OPENSSLDIR.
 1601      The default for --openssldir is INSTALLTOP/ssl.
 1602 
 1603      Anyone who uses --openssldir to specify where OpenSSL is to be
 1604      installed MUST change to use --prefix instead.
 1605      [Richard Levitte]
 1606 
 1607   *) The GOST engine was out of date and therefore it has been removed. An up
 1608      to date GOST engine is now being maintained in an external repository.
 1609      See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
 1610      support for GOST ciphersuites (these are only activated if a GOST engine
 1611      is present).
 1612      [Matt Caswell]
 1613 
 1614   *) EGD is no longer supported by default; use enable-egd when
 1615      configuring.
 1616      [Ben Kaduk and Rich Salz]
 1617 
 1618   *) The distribution now has Makefile.in files, which are used to
 1619      create Makefile's when Configure is run.  *Configure must be run
 1620      before trying to build now.*
 1621      [Rich Salz]
 1622 
 1623   *) The return value for SSL_CIPHER_description() for error conditions
 1624      has changed.
 1625      [Rich Salz]
 1626 
 1627   *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
 1628 
 1629      Obtaining and performing DNSSEC validation of TLSA records is
 1630      the application's responsibility.  The application provides
 1631      the TLSA records of its choice to OpenSSL, and these are then
 1632      used to authenticate the peer.
 1633 
 1634      The TLSA records need not even come from DNS.  They can, for
 1635      example, be used to implement local end-entity certificate or
 1636      trust-anchor "pinning", where the "pin" data takes the form
 1637      of TLSA records, which can augment or replace verification
 1638      based on the usual WebPKI public certification authorities.
 1639      [Viktor Dukhovni]
 1640 
 1641   *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
 1642      continues to support deprecated interfaces in default builds.
 1643      However, applications are strongly advised to compile their
 1644      source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
 1645      the declarations of all interfaces deprecated in 0.9.8, 1.0.0
 1646      or the 1.1.0 releases.
 1647 
 1648      In environments in which all applications have been ported to
 1649      not use any deprecated interfaces OpenSSL's Configure script
 1650      should be used with the --api=1.1.0 option to entirely remove
 1651      support for the deprecated features from the library and
 1652      unconditionally disable them in the installed headers.
 1653      Essentially the same effect can be achieved with the "no-deprecated"
 1654      argument to Configure, except that this will always restrict
 1655      the build to just the latest API, rather than a fixed API
 1656      version.
 1657 
 1658      As applications are ported to future revisions of the API,
 1659      they should update their compile-time OPENSSL_API_COMPAT define
 1660      accordingly, but in most cases should be able to continue to
 1661      compile with later releases.
 1662 
 1663      The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
 1664      0x10000000L and 0x00908000L, respectively.  However those
 1665      versions did not support the OPENSSL_API_COMPAT feature, and
 1666      so applications are not typically tested for explicit support
 1667      of just the undeprecated features of either release.
 1668      [Viktor Dukhovni]
 1669 
 1670   *) Add support for setting the minimum and maximum supported protocol.
 1671      It can bet set via the SSL_set_min_proto_version() and
 1672      SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
 1673      MaxProtocol.  It's recommended to use the new APIs to disable
 1674      protocols instead of disabling individual protocols using
 1675      SSL_set_options() or SSL_CONF's Protocol.  This change also
 1676      removes support for disabling TLS 1.2 in the OpenSSL TLS
 1677      client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
 1678      [Kurt Roeckx]
 1679 
 1680   *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
 1681      [Andy Polyakov]
 1682 
 1683   *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
 1684      and integrates ECDSA and ECDH functionality into EC. Implementations can
 1685      now redirect key generation and no longer need to convert to or from
 1686      ECDSA_SIG format.
 1687 
 1688      Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
 1689      include the ec.h header file instead.
 1690      [Steve Henson]
 1691 
 1692   *) Remove support for all 40 and 56 bit ciphers.  This includes all the export
 1693      ciphers who are no longer supported and drops support the ephemeral RSA key
 1694      exchange. The LOW ciphers currently doesn't have any ciphers in it.
 1695      [Kurt Roeckx]
 1696 
 1697   *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
 1698      opaque.  For HMAC_CTX, the following constructors and destructors
 1699      were added:
 1700 
 1701         HMAC_CTX *HMAC_CTX_new(void);
 1702         void HMAC_CTX_free(HMAC_CTX *ctx);
 1703 
 1704      For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
 1705      destroy such methods has been added.  See EVP_MD_meth_new(3) and
 1706      EVP_CIPHER_meth_new(3) for documentation.
 1707 
 1708      Additional changes:
 1709      1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
 1710         HMAC_CTX_cleanup() were removed.  HMAC_CTX_reset() and
 1711         EVP_MD_CTX_reset() should be called instead to reinitialise
 1712         an already created structure.
 1713      2) For consistency with the majority of our object creators and
 1714         destructors, EVP_MD_CTX_(create|destroy) were renamed to
 1715         EVP_MD_CTX_(new|free).  The old names are retained as macros
 1716         for deprecated builds.
 1717      [Richard Levitte]
 1718 
 1719   *) Added ASYNC support. Libcrypto now includes the async sub-library to enable
 1720      cryptographic operations to be performed asynchronously as long as an
 1721      asynchronous capable engine is used. See the ASYNC_start_job() man page for
 1722      further details. Libssl has also had this capability integrated with the
 1723      introduction of the new mode SSL_MODE_ASYNC and associated error
 1724      SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
 1725      pages. This work was developed in partnership with Intel Corp.
 1726      [Matt Caswell]
 1727 
 1728   *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
 1729      always enabled now.  If you want to disable the support you should
 1730      exclude it using the list of supported ciphers. This also means that the
 1731      "-no_ecdhe" option has been removed from s_server.
 1732      [Kurt Roeckx]
 1733 
 1734   *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
 1735      SSL_{CTX_}set1_curves() which can set a list.
 1736      [Kurt Roeckx]
 1737 
 1738   *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
 1739      curve you want to support using SSL_{CTX_}set1_curves().
 1740      [Kurt Roeckx]
 1741 
 1742   *) State machine rewrite. The state machine code has been significantly
 1743      refactored in order to remove much duplication of code and solve issues
 1744      with the old code (see ssl/statem/README for further details). This change
 1745      does have some associated API changes. Notably the SSL_state() function
 1746      has been removed and replaced by SSL_get_state which now returns an
 1747      "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
 1748      altogether. The previous handshake states defined in ssl.h and ssl3.h have
 1749      also been removed.
 1750      [Matt Caswell]
 1751 
 1752   *) All instances of the string "ssleay" in the public API were replaced
 1753      with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
 1754      Some error codes related to internal RSA_eay API's were renamed.
 1755      [Rich Salz]
 1756 
 1757   *) The demo files in crypto/threads were moved to demo/threads.
 1758      [Rich Salz]
 1759 
 1760   *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
 1761      sureware and ubsec.
 1762      [Matt Caswell, Rich Salz]
 1763 
 1764   *) New ASN.1 embed macro.
 1765 
 1766      New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
 1767      structure is not allocated: it is part of the parent. That is instead of
 1768 
 1769      FOO *x;
 1770 
 1771      it must be:
 1772 
 1773      FOO x;
 1774 
 1775      This reduces memory fragmentation and make it impossible to accidentally
 1776      set a mandatory field to NULL.
 1777 
 1778      This currently only works for some fields specifically a SEQUENCE, CHOICE,
 1779      or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
 1780      equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
 1781      SEQUENCE OF.
 1782      [Steve Henson]
 1783 
 1784   *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
 1785      [Emilia Käsper]
 1786 
 1787   *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
 1788      in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
 1789      an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
 1790      DES and RC4 ciphersuites.
 1791      [Matt Caswell]
 1792 
 1793   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
 1794      This changes the decoding behaviour for some invalid messages,
 1795      though the change is mostly in the more lenient direction, and
 1796      legacy behaviour is preserved as much as possible.
 1797      [Emilia Käsper]
 1798 
 1799   *) Fix no-stdio build.
 1800     [ David Woodhouse <David.Woodhouse@intel.com> and also
 1801       Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
 1802 
 1803   *) New testing framework
 1804      The testing framework has been largely rewritten and is now using
 1805      perl and the perl modules Test::Harness and an extended variant of
 1806      Test::More called OpenSSL::Test to do its work.  All test scripts in
 1807      test/ have been rewritten into test recipes, and all direct calls to
 1808      executables in test/Makefile have become individual recipes using the
 1809      simplified testing OpenSSL::Test::Simple.
 1810 
 1811      For documentation on our testing modules, do:
 1812 
 1813         perldoc test/testlib/OpenSSL/Test/Simple.pm
 1814         perldoc test/testlib/OpenSSL/Test.pm
 1815 
 1816      [Richard Levitte]
 1817 
 1818   *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
 1819      are used; the latter aborts on memory leaks (usually checked on exit).
 1820      Some undocumented "set malloc, etc., hooks" functions were removed
 1821      and others were changed.  All are now documented.
 1822      [Rich Salz]
 1823 
 1824   *) In DSA_generate_parameters_ex, if the provided seed is too short,
 1825      return an error
 1826      [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
 1827 
 1828   *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
 1829      from RFC4279, RFC4785, RFC5487, RFC5489.
 1830 
 1831      Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
 1832      original RSA_PSK patch.
 1833      [Steve Henson]
 1834 
 1835   *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
 1836      era flag was never set throughout the codebase (only read). Also removed
 1837      SSL3_FLAGS_POP_BUFFER which was only used if
 1838      SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
 1839      [Matt Caswell]
 1840 
 1841   *) Changed the default name options in the "ca", "crl", "req" and "x509"
 1842      to be "oneline" instead of "compat".
 1843      [Richard Levitte]
 1844 
 1845   *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
 1846      not aware of clients that still exhibit this bug, and the workaround
 1847      hasn't been working properly for a while.
 1848      [Emilia Käsper]
 1849 
 1850   *) The return type of BIO_number_read() and BIO_number_written() as well as
 1851      the corresponding num_read and num_write members in the BIO structure has
 1852      changed from unsigned long to uint64_t. On platforms where an unsigned
 1853      long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
 1854      transferred.
 1855      [Matt Caswell]
 1856 
 1857   *) Given the pervasive nature of TLS extensions it is inadvisable to run
 1858      OpenSSL without support for them. It also means that maintaining
 1859      the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
 1860      not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
 1861      [Matt Caswell]
 1862 
 1863   *) Removed support for the two export grade static DH ciphersuites
 1864      EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
 1865      were newly added (along with a number of other static DH ciphersuites) to
 1866      1.0.2. However the two export ones have *never* worked since they were
 1867      introduced. It seems strange in any case to be adding new export
 1868      ciphersuites, and given "logjam" it also does not seem correct to fix them.
 1869      [Matt Caswell]
 1870 
 1871   *) Version negotiation has been rewritten. In particular SSLv23_method(),
 1872      SSLv23_client_method() and SSLv23_server_method() have been deprecated,
 1873      and turned into macros which simply call the new preferred function names
 1874      TLS_method(), TLS_client_method() and TLS_server_method(). All new code
 1875      should use the new names instead. Also as part of this change the ssl23.h
 1876      header file has been removed.
 1877      [Matt Caswell]
 1878 
 1879   *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
 1880      code and the associated standard is no longer considered fit-for-purpose.
 1881      [Matt Caswell]
 1882 
 1883   *) RT2547 was closed.  When generating a private key, try to make the
 1884      output file readable only by the owner.  This behavior change might
 1885      be noticeable when interacting with other software.
 1886 
 1887   *) Documented all exdata functions.  Added CRYPTO_free_ex_index.
 1888      Added a test.
 1889      [Rich Salz]
 1890 
 1891   *) Added HTTP GET support to the ocsp command.
 1892      [Rich Salz]
 1893 
 1894   *) Changed default digest for the dgst and enc commands from MD5 to
 1895      sha256
 1896      [Rich Salz]
 1897 
 1898   *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
 1899      [Matt Caswell]
 1900 
 1901   *) Added support for TLS extended master secret from
 1902      draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
 1903      initial patch which was a great help during development.
 1904      [Steve Henson]
 1905 
 1906   *) All libssl internal structures have been removed from the public header
 1907      files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
 1908      now redundant). Users should not attempt to access internal structures
 1909      directly. Instead they should use the provided API functions.
 1910      [Matt Caswell]
 1911 
 1912   *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
 1913      Access to deprecated functions can be re-enabled by running config with
 1914      "enable-deprecated". In addition applications wishing to use deprecated
 1915      functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
 1916      will, by default, disable some transitive includes that previously existed
 1917      in the header files (e.g. ec.h will no longer, by default, include bn.h)
 1918      [Matt Caswell]
 1919 
 1920   *) Added support for OCB mode. OpenSSL has been granted a patent license
 1921      compatible with the OpenSSL license for use of OCB. Details are available
 1922      at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
 1923      for OCB can be removed by calling config with no-ocb.
 1924      [Matt Caswell]
 1925 
 1926   *) SSLv2 support has been removed.  It still supports receiving a SSLv2
 1927      compatible client hello.
 1928      [Kurt Roeckx]
 1929 
 1930   *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
 1931      done while fixing the error code for the key-too-small case.
 1932      [Annie Yousar <a.yousar@informatik.hu-berlin.de>]
 1933 
 1934   *) CA.sh has been removed; use CA.pl instead.
 1935      [Rich Salz]
 1936 
 1937   *) Removed old DES API.
 1938      [Rich Salz]
 1939 
 1940   *) Remove various unsupported platforms:
 1941         Sony NEWS4
 1942         BEOS and BEOS_R5
 1943         NeXT
 1944         SUNOS
 1945         MPE/iX
 1946         Sinix/ReliantUNIX RM400
 1947         DGUX
 1948         NCR
 1949         Tandem
 1950         Cray
 1951         16-bit platforms such as WIN16
 1952      [Rich Salz]
 1953 
 1954   *) Clean up OPENSSL_NO_xxx #define's
 1955         Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
 1956         Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
 1957         OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
 1958         OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
 1959         OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
 1960         Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
 1961         OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
 1962         OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
 1963         OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
 1964         Remove MS_STATIC; it's a relic from platforms <32 bits.
 1965      [Rich Salz]
 1966 
 1967   *) Cleaned up dead code
 1968         Remove all but one '#ifdef undef' which is to be looked at.
 1969      [Rich Salz]
 1970 
 1971   *) Clean up calling of xxx_free routines.
 1972         Just like free(), fix most of the xxx_free routines to accept
 1973         NULL.  Remove the non-null checks from callers.  Save much code.
 1974      [Rich Salz]
 1975 
 1976   *) Add secure heap for storage of private keys (when possible).
 1977      Add BIO_s_secmem(), CBIGNUM, etc.
 1978      Contributed by Akamai Technologies under our Corporate CLA.
 1979      [Rich Salz]
 1980 
 1981   *) Experimental support for a new, fast, unbiased prime candidate generator,
 1982      bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
 1983      [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
 1984 
 1985   *) New output format NSS in the sess_id command line tool. This allows
 1986      exporting the session id and the master key in NSS keylog format.
 1987      [Martin Kaiser <martin@kaiser.cx>]
 1988 
 1989   *) Harmonize version and its documentation. -f flag is used to display
 1990      compilation flags.
 1991      [mancha <mancha1@zoho.com>]
 1992 
 1993   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
 1994      in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
 1995      [mancha <mancha1@zoho.com>]
 1996 
 1997   *) Fix some double frees. These are not thought to be exploitable.
 1998      [mancha <mancha1@zoho.com>]
 1999 
 2000   *) A missing bounds check in the handling of the TLS heartbeat extension
 2001      can be used to reveal up to 64k of memory to a connected client or
 2002      server.
 2003 
 2004      Thanks for Neel Mehta of Google Security for discovering this bug and to
 2005      Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
 2006      preparing the fix (CVE-2014-0160)
 2007      [Adam Langley, Bodo Moeller]
 2008 
 2009   *) Fix for the attack described in the paper "Recovering OpenSSL
 2010      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
 2011      by Yuval Yarom and Naomi Benger. Details can be obtained from:
 2012      http://eprint.iacr.org/2014/140
 2013 
 2014      Thanks to Yuval Yarom and Naomi Benger for discovering this
 2015      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
 2016      [Yuval Yarom and Naomi Benger]
 2017 
 2018   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
 2019      this fixes a limitation in previous versions of OpenSSL.
 2020      [Steve Henson]
 2021 
 2022   *) Experimental encrypt-then-mac support.
 2023 
 2024      Experimental support for encrypt then mac from
 2025      draft-gutmann-tls-encrypt-then-mac-02.txt
 2026 
 2027      To enable it set the appropriate extension number (0x42 for the test
 2028      server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
 2029 
 2030      For non-compliant peers (i.e. just about everything) this should have no
 2031      effect.
 2032 
 2033      WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
 2034 
 2035      [Steve Henson]
 2036 
 2037   *) Add EVP support for key wrapping algorithms, to avoid problems with
 2038      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
 2039      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
 2040      algorithms and include tests cases.
 2041      [Steve Henson]
 2042 
 2043   *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
 2044      enveloped data.
 2045      [Steve Henson]
 2046 
 2047   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
 2048      MGF1 digest and OAEP label.
 2049      [Steve Henson]
 2050 
 2051   *) Make openssl verify return errors.
 2052      [Chris Palmer <palmer@google.com> and Ben Laurie]
 2053 
 2054   *) New function ASN1_TIME_diff to calculate the difference between two
 2055      ASN1_TIME structures or one structure and the current time.
 2056      [Steve Henson]
 2057 
 2058   *) Update fips_test_suite to support multiple command line options. New
 2059      test to induce all self test errors in sequence and check expected
 2060      failures.
 2061      [Steve Henson]
 2062 
 2063   *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
 2064      sign or verify all in one operation.
 2065      [Steve Henson]
 2066 
 2067   *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
 2068      test programs and fips_test_suite. Includes functionality to parse
 2069      the minimal script output of fipsalgest.pl directly.
 2070      [Steve Henson]
 2071 
 2072   *) Add authorisation parameter to FIPS_module_mode_set().
 2073      [Steve Henson]
 2074 
 2075   *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
 2076      [Steve Henson]
 2077 
 2078   *) Use separate DRBG fields for internal and external flags. New function
 2079      FIPS_drbg_health_check() to perform on demand health checking. Add
 2080      generation tests to fips_test_suite with reduced health check interval to
 2081      demonstrate periodic health checking. Add "nodh" option to
 2082      fips_test_suite to skip very slow DH test.
 2083      [Steve Henson]
 2084 
 2085   *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
 2086      based on NID.
 2087      [Steve Henson]
 2088 
 2089   *) More extensive health check for DRBG checking many more failure modes.
 2090      New function FIPS_selftest_drbg_all() to handle every possible DRBG
 2091      combination: call this in fips_test_suite.
 2092      [Steve Henson]
 2093 
 2094   *) Add support for canonical generation of DSA parameter 'g'. See
 2095      FIPS 186-3 A.2.3.
 2096 
 2097   *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
 2098      POST to handle HMAC cases.
 2099      [Steve Henson]
 2100 
 2101   *) Add functions FIPS_module_version() and FIPS_module_version_text()
 2102      to return numerical and string versions of the FIPS module number.
 2103      [Steve Henson]
 2104 
 2105   *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
 2106      FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
 2107      outside the validated module in the FIPS capable OpenSSL.
 2108      [Steve Henson]
 2109 
 2110   *) Minor change to DRBG entropy callback semantics. In some cases
 2111      there is no multiple of the block length between min_len and
 2112      max_len. Allow the callback to return more than max_len bytes
 2113      of entropy but discard any extra: it is the callback's responsibility
 2114      to ensure that the extra data discarded does not impact the
 2115      requested amount of entropy.
 2116      [Steve Henson]
 2117 
 2118   *) Add PRNG security strength checks to RSA, DSA and ECDSA using
 2119      information in FIPS186-3, SP800-57 and SP800-131A.
 2120      [Steve Henson]
 2121 
 2122   *) CCM support via EVP. Interface is very similar to GCM case except we
 2123      must supply all data in one chunk (i.e. no update, final) and the
 2124      message length must be supplied if AAD is used. Add algorithm test
 2125      support.
 2126      [Steve Henson]
 2127 
 2128   *) Initial version of POST overhaul. Add POST callback to allow the status
 2129      of POST to be monitored and/or failures induced. Modify fips_test_suite
 2130      to use callback. Always run all selftests even if one fails.
 2131      [Steve Henson]
 2132 
 2133   *) XTS support including algorithm test driver in the fips_gcmtest program.
 2134      Note: this does increase the maximum key length from 32 to 64 bytes but
 2135      there should be no binary compatibility issues as existing applications
 2136      will never use XTS mode.
 2137      [Steve Henson]
 2138 
 2139   *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
 2140      to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
 2141      performs algorithm blocking for unapproved PRNG types. Also do not
 2142      set PRNG type in FIPS_mode_set(): leave this to the application.
 2143      Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
 2144      the standard OpenSSL PRNG: set additional data to a date time vector.
 2145      [Steve Henson]
 2146 
 2147   *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
 2148      This shouldn't present any incompatibility problems because applications
 2149      shouldn't be using these directly and any that are will need to rethink
 2150      anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
 2151      [Steve Henson]
 2152 
 2153   *) Extensive self tests and health checking required by SP800-90 DRBG.
 2154      Remove strength parameter from FIPS_drbg_instantiate and always
 2155      instantiate at maximum supported strength.
 2156      [Steve Henson]
 2157 
 2158   *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
 2159      [Steve Henson]
 2160 
 2161   *) New algorithm test program fips_dhvs to handle DH primitives only testing.
 2162      [Steve Henson]
 2163 
 2164   *) New function DH_compute_key_padded() to compute a DH key and pad with
 2165      leading zeroes if needed: this complies with SP800-56A et al.
 2166      [Steve Henson]
 2167 
 2168   *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
 2169      anything, incomplete, subject to change and largely untested at present.
 2170      [Steve Henson]
 2171 
 2172   *) Modify fipscanisteronly build option to only build the necessary object
 2173      files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
 2174      [Steve Henson]
 2175 
 2176   *) Add experimental option FIPSSYMS to give all symbols in
 2177      fipscanister.o and FIPS or fips prefix. This will avoid
 2178      conflicts with future versions of OpenSSL. Add perl script
 2179      util/fipsas.pl to preprocess assembly language source files
 2180      and rename any affected symbols.
 2181      [Steve Henson]
 2182 
 2183   *) Add selftest checks and algorithm block of non-fips algorithms in
 2184      FIPS mode. Remove DES2 from selftests.
 2185      [Steve Henson]
 2186 
 2187   *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
 2188      return internal method without any ENGINE dependencies. Add new
 2189      tiny fips sign and verify functions.
 2190      [Steve Henson]
 2191 
 2192   *) New build option no-ec2m to disable characteristic 2 code.
 2193      [Steve Henson]
 2194 
 2195   *) New build option "fipscanisteronly". This only builds fipscanister.o
 2196      and (currently) associated fips utilities. Uses the file Makefile.fips
 2197      instead of Makefile.org as the prototype.
 2198      [Steve Henson]
 2199 
 2200   *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
 2201      Update fips_gcmtest to use IV generator.
 2202      [Steve Henson]
 2203 
 2204   *) Initial, experimental EVP support for AES-GCM. AAD can be input by
 2205      setting output buffer to NULL. The *Final function must be
 2206      called although it will not retrieve any additional data. The tag
 2207      can be set or retrieved with a ctrl. The IV length is by default 12
 2208      bytes (96 bits) but can be set to an alternative value. If the IV
 2209      length exceeds the maximum IV length (currently 16 bytes) it cannot be
 2210      set before the key.
 2211      [Steve Henson]
 2212 
 2213   *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
 2214      underlying do_cipher function handles all cipher semantics itself
 2215      including padding and finalisation. This is useful if (for example)
 2216      an ENGINE cipher handles block padding itself. The behaviour of
 2217      do_cipher is subtly changed if this flag is set: the return value
 2218      is the number of characters written to the output buffer (zero is
 2219      no longer an error code) or a negative error code. Also if the
 2220      input buffer is NULL and length 0 finalisation should be performed.
 2221      [Steve Henson]
 2222 
 2223   *) If a candidate issuer certificate is already part of the constructed
 2224      path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
 2225      [Steve Henson]
 2226 
 2227   *) Improve forward-security support: add functions
 2228 
 2229        void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
 2230        void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
 2231 
 2232      for use by SSL/TLS servers; the callback function will be called whenever a
 2233      new session is created, and gets to decide whether the session may be
 2234      cached to make it resumable (return 0) or not (return 1).  (As by the
 2235      SSL/TLS protocol specifications, the session_id sent by the server will be
 2236      empty to indicate that the session is not resumable; also, the server will
 2237      not generate RFC 4507 (RFC 5077) session tickets.)
 2238 
 2239      A simple reasonable callback implementation is to return is_forward_secure.
 2240      This parameter will be set to 1 or 0 depending on the ciphersuite selected
 2241      by the SSL/TLS server library, indicating whether it can provide forward
 2242      security.
 2243      [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
 2244 
 2245   *) New -verify_name option in command line utilities to set verification
 2246      parameters by name.
 2247      [Steve Henson]
 2248 
 2249   *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
 2250      Add CMAC pkey methods.
 2251      [Steve Henson]
 2252 
 2253   *) Experimental renegotiation in s_server -www mode. If the client
 2254      browses /reneg connection is renegotiated. If /renegcert it is
 2255      renegotiated requesting a certificate.
 2256      [Steve Henson]
 2257 
 2258   *) Add an "external" session cache for debugging purposes to s_server. This
 2259      should help trace issues which normally are only apparent in deployed
 2260      multi-process servers.
 2261      [Steve Henson]
 2262 
 2263   *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
 2264      return value is ignored. NB. The functions RAND_add(), RAND_seed(),
 2265      BIO_set_cipher() and some obscure PEM functions were changed so they
 2266      can now return an error. The RAND changes required a change to the
 2267      RAND_METHOD structure.
 2268      [Steve Henson]
 2269 
 2270   *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
 2271      a gcc attribute to warn if the result of a function is ignored. This
 2272      is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
 2273      whose return value is often ignored.
 2274      [Steve Henson]
 2275 
 2276   *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
 2277      These allow SCTs (signed certificate timestamps) to be requested and
 2278      validated when establishing a connection.
 2279      [Rob Percival <robpercival@google.com>]
 2280 
 2281  Changes between 1.0.2g and 1.0.2h [3 May 2016]
 2282 
 2283   *) Prevent padding oracle in AES-NI CBC MAC check
 2284 
 2285      A MITM attacker can use a padding oracle attack to decrypt traffic
 2286      when the connection uses an AES CBC cipher and the server support
 2287      AES-NI.
 2288 
 2289      This issue was introduced as part of the fix for Lucky 13 padding
 2290      attack (CVE-2013-0169). The padding check was rewritten to be in
 2291      constant time by making sure that always the same bytes are read and
 2292      compared against either the MAC or padding bytes. But it no longer
 2293      checked that there was enough data to have both the MAC and padding
 2294      bytes.
 2295 
 2296      This issue was reported by Juraj Somorovsky using TLS-Attacker.
 2297      (CVE-2016-2107)
 2298      [Kurt Roeckx]
 2299 
 2300   *) Fix EVP_EncodeUpdate overflow
 2301 
 2302      An overflow can occur in the EVP_EncodeUpdate() function which is used for
 2303      Base64 encoding of binary data. If an attacker is able to supply very large
 2304      amounts of input data then a length check can overflow resulting in a heap
 2305      corruption.
 2306 
 2307      Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
 2308      the PEM_write_bio* family of functions. These are mainly used within the
 2309      OpenSSL command line applications, so any application which processes data
 2310      from an untrusted source and outputs it as a PEM file should be considered
 2311      vulnerable to this issue. User applications that call these APIs directly
 2312      with large amounts of untrusted data may also be vulnerable.
 2313 
 2314      This issue was reported by Guido Vranken.
 2315      (CVE-2016-2105)
 2316      [Matt Caswell]
 2317 
 2318   *) Fix EVP_EncryptUpdate overflow
 2319 
 2320      An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
 2321      is able to supply very large amounts of input data after a previous call to
 2322      EVP_EncryptUpdate() with a partial block then a length check can overflow
 2323      resulting in a heap corruption. Following an analysis of all OpenSSL
 2324      internal usage of the EVP_EncryptUpdate() function all usage is one of two
 2325      forms. The first form is where the EVP_EncryptUpdate() call is known to be
 2326      the first called function after an EVP_EncryptInit(), and therefore that
 2327      specific call must be safe. The second form is where the length passed to
 2328      EVP_EncryptUpdate() can be seen from the code to be some small value and
 2329      therefore there is no possibility of an overflow. Since all instances are
 2330      one of these two forms, it is believed that there can be no overflows in
 2331      internal code due to this problem. It should be noted that
 2332      EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
 2333      Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
 2334      of these calls have also been analysed too and it is believed there are no
 2335      instances in internal usage where an overflow could occur.
 2336 
 2337      This issue was reported by Guido Vranken.
 2338      (CVE-2016-2106)
 2339      [Matt Caswell]
 2340 
 2341   *) Prevent ASN.1 BIO excessive memory allocation
 2342 
 2343      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
 2344      a short invalid encoding can cause allocation of large amounts of memory
 2345      potentially consuming excessive resources or exhausting memory.
 2346 
 2347      Any application parsing untrusted data through d2i BIO functions is
 2348      affected. The memory based functions such as d2i_X509() are *not* affected.
 2349      Since the memory based functions are used by the TLS library, TLS
 2350      applications are not affected.
 2351 
 2352      This issue was reported by Brian Carpenter.
 2353      (CVE-2016-2109)
 2354      [Stephen Henson]
 2355 
 2356   *) EBCDIC overread
 2357 
 2358      ASN1 Strings that are over 1024 bytes can cause an overread in applications
 2359      using the X509_NAME_oneline() function on EBCDIC systems. This could result
 2360      in arbitrary stack data being returned in the buffer.
 2361 
 2362      This issue was reported by Guido Vranken.
 2363      (CVE-2016-2176)
 2364      [Matt Caswell]
 2365 
 2366   *) Modify behavior of ALPN to invoke callback after SNI/servername
 2367      callback, such that updates to the SSL_CTX affect ALPN.
 2368      [Todd Short]
 2369 
 2370   *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
 2371      default.
 2372      [Kurt Roeckx]
 2373 
 2374   *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
 2375      methods are enabled and ssl2 is disabled the methods return NULL.
 2376      [Kurt Roeckx]
 2377 
 2378  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 2379 
 2380   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
 2381     Builds that are not configured with "enable-weak-ssl-ciphers" will not
 2382     provide any "EXPORT" or "LOW" strength ciphers.
 2383     [Viktor Dukhovni]
 2384 
 2385   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
 2386     is by default disabled at build-time.  Builds that are not configured with
 2387     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
 2388     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
 2389     will need to explicitly call either of:
 2390 
 2391         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
 2392     or
 2393         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
 2394 
 2395     as appropriate.  Even if either of those is used, or the application
 2396     explicitly uses the version-specific SSLv2_method() or its client and
 2397     server variants, SSLv2 ciphers vulnerable to exhaustive search key
 2398     recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
 2399     ciphers, and SSLv2 56-bit DES are no longer available.
 2400     (CVE-2016-0800)
 2401     [Viktor Dukhovni]
 2402 
 2403   *) Fix a double-free in DSA code
 2404 
 2405      A double free bug was discovered when OpenSSL parses malformed DSA private
 2406      keys and could lead to a DoS attack or memory corruption for applications
 2407      that receive DSA private keys from untrusted sources.  This scenario is
 2408      considered rare.
 2409 
 2410      This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
 2411      libFuzzer.
 2412      (CVE-2016-0705)
 2413      [Stephen Henson]
 2414 
 2415   *) Disable SRP fake user seed to address a server memory leak.
 2416 
 2417      Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
 2418 
 2419      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
 2420      In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
 2421      was changed to ignore the "fake user" SRP seed, even if the seed
 2422      is configured.
 2423 
 2424      Users should use SRP_VBASE_get1_by_user instead. Note that in
 2425      SRP_VBASE_get1_by_user, caller must free the returned value. Note
 2426      also that even though configuring the SRP seed attempts to hide
 2427      invalid usernames by continuing the handshake with fake
 2428      credentials, this behaviour is not constant time and no strong
 2429      guarantees are made that the handshake is indistinguishable from
 2430      that of a valid user.
 2431      (CVE-2016-0798)
 2432      [Emilia Käsper]
 2433 
 2434   *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
 2435 
 2436      In the BN_hex2bn function the number of hex digits is calculated using an
 2437      int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
 2438      large values of |i| this can result in |bn_expand| not allocating any
 2439      memory because |i * 4| is negative. This can leave the internal BIGNUM data
 2440      field as NULL leading to a subsequent NULL ptr deref. For very large values
 2441      of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
 2442      In this case memory is allocated to the internal BIGNUM data field, but it
 2443      is insufficiently sized leading to heap corruption. A similar issue exists
 2444      in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
 2445      is ever called by user applications with very large untrusted hex/dec data.
 2446      This is anticipated to be a rare occurrence.
 2447 
 2448      All OpenSSL internal usage of these functions use data that is not expected
 2449      to be untrusted, e.g. config file data or application command line
 2450      arguments. If user developed applications generate config file data based
 2451      on untrusted data then it is possible that this could also lead to security
 2452      consequences. This is also anticipated to be rare.
 2453 
 2454      This issue was reported to OpenSSL by Guido Vranken.
 2455      (CVE-2016-0797)
 2456      [Matt Caswell]
 2457 
 2458   *) Fix memory issues in BIO_*printf functions
 2459 
 2460      The internal |fmtstr| function used in processing a "%s" format string in
 2461      the BIO_*printf functions could overflow while calculating the length of a
 2462      string and cause an OOB read when printing very long strings.
 2463 
 2464      Additionally the internal |doapr_outch| function can attempt to write to an
 2465      OOB memory location (at an offset from the NULL pointer) in the event of a
 2466      memory allocation failure. In 1.0.2 and below this could be caused where
 2467      the size of a buffer to be allocated is greater than INT_MAX. E.g. this
 2468      could be in processing a very long "%s" format string. Memory leaks can
 2469      also occur.
 2470 
 2471      The first issue may mask the second issue dependent on compiler behaviour.
 2472      These problems could enable attacks where large amounts of untrusted data
 2473      is passed to the BIO_*printf functions. If applications use these functions
 2474      in this way then they could be vulnerable. OpenSSL itself uses these
 2475      functions when printing out human-readable dumps of ASN.1 data. Therefore
 2476      applications that print this data could be vulnerable if the data is from
 2477      untrusted sources. OpenSSL command line applications could also be
 2478      vulnerable where they print out ASN.1 data, or if untrusted data is passed
 2479      as command line arguments.
 2480 
 2481      Libssl is not considered directly vulnerable. Additionally certificates etc
 2482      received via remote connections via libssl are also unlikely to be able to
 2483      trigger these issues because of message size limits enforced within libssl.
 2484 
 2485      This issue was reported to OpenSSL Guido Vranken.
 2486      (CVE-2016-0799)
 2487      [Matt Caswell]
 2488 
 2489   *) Side channel attack on modular exponentiation
 2490 
 2491      A side-channel attack was found which makes use of cache-bank conflicts on
 2492      the Intel Sandy-Bridge microarchitecture which could lead to the recovery
 2493      of RSA keys.  The ability to exploit this issue is limited as it relies on
 2494      an attacker who has control of code in a thread running on the same
 2495      hyper-threaded core as the victim thread which is performing decryptions.
 2496 
 2497      This issue was reported to OpenSSL by Yuval Yarom, The University of
 2498      Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
 2499      Nadia Heninger, University of Pennsylvania with more information at
 2500      http://cachebleed.info.
 2501      (CVE-2016-0702)
 2502      [Andy Polyakov]
 2503 
 2504   *) Change the req app to generate a 2048-bit RSA/DSA key by default,
 2505      if no keysize is specified with default_bits. This fixes an
 2506      omission in an earlier change that changed all RSA/DSA key generation
 2507      apps to use 2048 bits by default.
 2508      [Emilia Käsper]
 2509 
 2510  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
 2511   *) DH small subgroups
 2512 
 2513      Historically OpenSSL only ever generated DH parameters based on "safe"
 2514      primes. More recently (in version 1.0.2) support was provided for
 2515      generating X9.42 style parameter files such as those required for RFC 5114
 2516      support. The primes used in such files may not be "safe". Where an
 2517      application is using DH configured with parameters based on primes that are
 2518      not "safe" then an attacker could use this fact to find a peer's private
 2519      DH exponent. This attack requires that the attacker complete multiple
 2520      handshakes in which the peer uses the same private DH exponent. For example
 2521      this could be used to discover a TLS server's private DH exponent if it's
 2522      reusing the private DH exponent or it's using a static DH ciphersuite.
 2523 
 2524      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
 2525      TLS. It is not on by default. If the option is not set then the server
 2526      reuses the same private DH exponent for the life of the server process and
 2527      would be vulnerable to this attack. It is believed that many popular
 2528      applications do set this option and would therefore not be at risk.
 2529 
 2530      The fix for this issue adds an additional check where a "q" parameter is
 2531      available (as is the case in X9.42 based parameters). This detects the
 2532      only known attack, and is the only possible defense for static DH
 2533      ciphersuites. This could have some performance impact.
 2534 
 2535      Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
 2536      default and cannot be disabled. This could have some performance impact.
 2537 
 2538      This issue was reported to OpenSSL by Antonio Sanso (Adobe).
 2539      (CVE-2016-0701)
 2540      [Matt Caswell]
 2541 
 2542   *) SSLv2 doesn't block disabled ciphers
 2543 
 2544      A malicious client can negotiate SSLv2 ciphers that have been disabled on
 2545      the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
 2546      been disabled, provided that the SSLv2 protocol was not also disabled via
 2547      SSL_OP_NO_SSLv2.
 2548 
 2549      This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
 2550      and Sebastian Schinzel.
 2551      (CVE-2015-3197)
 2552      [Viktor Dukhovni]
 2553 
 2554  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
 2555 
 2556   *) BN_mod_exp may produce incorrect results on x86_64
 2557 
 2558      There is a carry propagating bug in the x86_64 Montgomery squaring
 2559      procedure. No EC algorithms are affected. Analysis suggests that attacks
 2560      against RSA and DSA as a result of this defect would be very difficult to
 2561      perform and are not believed likely. Attacks against DH are considered just
 2562      feasible (although very difficult) because most of the work necessary to
 2563      deduce information about a private key may be performed offline. The amount
 2564      of resources required for such an attack would be very significant and
 2565      likely only accessible to a limited number of attackers. An attacker would
 2566      additionally need online access to an unpatched system using the target
 2567      private key in a scenario with persistent DH parameters and a private
 2568      key that is shared between multiple clients. For example this can occur by
 2569      default in OpenSSL DHE based SSL/TLS ciphersuites.
 2570 
 2571      This issue was reported to OpenSSL by Hanno Böck.
 2572      (CVE-2015-3193)
 2573      [Andy Polyakov]
 2574 
 2575   *) Certificate verify crash with missing PSS parameter
 2576 
 2577      The signature verification routines will crash with a NULL pointer
 2578      dereference if presented with an ASN.1 signature using the RSA PSS
 2579      algorithm and absent mask generation function parameter. Since these
 2580      routines are used to verify certificate signature algorithms this can be
 2581      used to crash any certificate verification operation and exploited in a
 2582      DoS attack. Any application which performs certificate verification is
 2583      vulnerable including OpenSSL clients and servers which enable client
 2584      authentication.
 2585 
 2586      This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
 2587      (CVE-2015-3194)
 2588      [Stephen Henson]
 2589 
 2590   *) X509_ATTRIBUTE memory leak
 2591 
 2592      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
 2593      memory. This structure is used by the PKCS#7 and CMS routines so any
 2594      application which reads PKCS#7 or CMS data from untrusted sources is
 2595      affected. SSL/TLS is not affected.
 2596 
 2597      This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
 2598      libFuzzer.
 2599      (CVE-2015-3195)
 2600      [Stephen Henson]
 2601 
 2602   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
 2603      This changes the decoding behaviour for some invalid messages,
 2604      though the change is mostly in the more lenient direction, and
 2605      legacy behaviour is preserved as much as possible.
 2606      [Emilia Käsper]
 2607 
 2608   *) In DSA_generate_parameters_ex, if the provided seed is too short,
 2609      return an error
 2610      [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
 2611 
 2612  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
 2613 
 2614   *) Alternate chains certificate forgery
 2615 
 2616      During certificate verification, OpenSSL will attempt to find an
 2617      alternative certificate chain if the first attempt to build such a chain
 2618      fails. An error in the implementation of this logic can mean that an
 2619      attacker could cause certain checks on untrusted certificates to be
 2620      bypassed, such as the CA flag, enabling them to use a valid leaf
 2621      certificate to act as a CA and "issue" an invalid certificate.
 2622 
 2623      This issue was reported to OpenSSL by Adam Langley/David Benjamin
 2624      (Google/BoringSSL).
 2625      [Matt Caswell]
 2626 
 2627  Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
 2628 
 2629   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
 2630      incompatibility in the handling of HMAC. The previous ABI has now been
 2631      restored.
 2632      [Matt Caswell]
 2633 
 2634  Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
 2635 
 2636   *) Malformed ECParameters causes infinite loop
 2637 
 2638      When processing an ECParameters structure OpenSSL enters an infinite loop
 2639      if the curve specified is over a specially malformed binary polynomial
 2640      field.
 2641 
 2642      This can be used to perform denial of service against any
 2643      system which processes public keys, certificate requests or
 2644      certificates.  This includes TLS clients and TLS servers with
 2645      client authentication enabled.
 2646 
 2647      This issue was reported to OpenSSL by Joseph Barr-Pixton.
 2648      (CVE-2015-1788)
 2649      [Andy Polyakov]
 2650 
 2651   *) Exploitable out-of-bounds read in X509_cmp_time
 2652 
 2653      X509_cmp_time does not properly check the length of the ASN1_TIME
 2654      string and can read a few bytes out of bounds. In addition,
 2655      X509_cmp_time accepts an arbitrary number of fractional seconds in the
 2656      time string.
 2657 
 2658      An attacker can use this to craft malformed certificates and CRLs of
 2659      various sizes and potentially cause a segmentation fault, resulting in
 2660      a DoS on applications that verify certificates or CRLs. TLS clients
 2661      that verify CRLs are affected. TLS clients and servers with client
 2662      authentication enabled may be affected if they use custom verification
 2663      callbacks.
 2664 
 2665      This issue was reported to OpenSSL by Robert Swiecki (Google), and
 2666      independently by Hanno Böck.
 2667      (CVE-2015-1789)
 2668      [Emilia Käsper]
 2669 
 2670   *) PKCS7 crash with missing EnvelopedContent
 2671 
 2672      The PKCS#7 parsing code does not handle missing inner EncryptedContent
 2673      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
 2674      with missing content and trigger a NULL pointer dereference on parsing.
 2675 
 2676      Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
 2677      structures from untrusted sources are affected. OpenSSL clients and
 2678      servers are not affected.
 2679 
 2680      This issue was reported to OpenSSL by Michal Zalewski (Google).
 2681      (CVE-2015-1790)
 2682      [Emilia Käsper]
 2683 
 2684   *) CMS verify infinite loop with unknown hash function
 2685 
 2686      When verifying a signedData message the CMS code can enter an infinite loop
 2687      if presented with an unknown hash function OID. This can be used to perform
 2688      denial of service against any system which verifies signedData messages using
 2689      the CMS code.
 2690      This issue was reported to OpenSSL by Johannes Bauer.
 2691      (CVE-2015-1792)
 2692      [Stephen Henson]
 2693 
 2694   *) Race condition handling NewSessionTicket
 2695 
 2696      If a NewSessionTicket is received by a multi-threaded client when attempting to
 2697      reuse a previous ticket then a race condition can occur potentially leading to
 2698      a double free of the ticket data.
 2699      (CVE-2015-1791)
 2700      [Matt Caswell]
 2701 
 2702   *) Only support 256-bit or stronger elliptic curves with the
 2703      'ecdh_auto' setting (server) or by default (client). Of supported
 2704      curves, prefer P-256 (both).
 2705      [Emilia Kasper]
 2706 
 2707  Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
 2708 
 2709   *) ClientHello sigalgs DoS fix
 2710 
 2711      If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
 2712      invalid signature algorithms extension a NULL pointer dereference will
 2713      occur. This can be exploited in a DoS attack against the server.
 2714 
 2715      This issue was was reported to OpenSSL by David Ramos of Stanford
 2716      University.
 2717      (CVE-2015-0291)
 2718      [Stephen Henson and Matt Caswell]
 2719 
 2720   *) Multiblock corrupted pointer fix
 2721 
 2722      OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
 2723      feature only applies on 64 bit x86 architecture platforms that support AES
 2724      NI instructions. A defect in the implementation of "multiblock" can cause
 2725      OpenSSL's internal write buffer to become incorrectly set to NULL when
 2726      using non-blocking IO. Typically, when the user application is using a
 2727      socket BIO for writing, this will only result in a failed connection.
 2728      However if some other BIO is used then it is likely that a segmentation
 2729      fault will be triggered, thus enabling a potential DoS attack.
 2730 
 2731      This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
 2732      (CVE-2015-0290)
 2733      [Matt Caswell]
 2734 
 2735   *) Segmentation fault in DTLSv1_listen fix
 2736 
 2737      The DTLSv1_listen function is intended to be stateless and processes the
 2738      initial ClientHello from many peers. It is common for user code to loop
 2739      over the call to DTLSv1_listen until a valid ClientHello is received with
 2740      an associated cookie. A defect in the implementation of DTLSv1_listen means
 2741      that state is preserved in the SSL object from one invocation to the next
 2742      that can lead to a segmentation fault. Errors processing the initial
 2743      ClientHello can trigger this scenario. An example of such an error could be
 2744      that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
 2745      server.
 2746 
 2747      This issue was reported to OpenSSL by Per Allansson.
 2748      (CVE-2015-0207)
 2749      [Matt Caswell]
 2750 
 2751   *) Segmentation fault in ASN1_TYPE_cmp fix
 2752 
 2753      The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
 2754      made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
 2755      certificate signature algorithm consistency this can be used to crash any
 2756      certificate verification operation and exploited in a DoS attack. Any
 2757      application which performs certificate verification is vulnerable including
 2758      OpenSSL clients and servers which enable client authentication.
 2759      (CVE-2015-0286)
 2760      [Stephen Henson]
 2761 
 2762   *) Segmentation fault for invalid PSS parameters fix
 2763 
 2764      The signature verification routines will crash with a NULL pointer
 2765      dereference if presented with an ASN.1 signature using the RSA PSS
 2766      algorithm and invalid parameters. Since these routines are used to verify
 2767      certificate signature algorithms this can be used to crash any
 2768      certificate verification operation and exploited in a DoS attack. Any
 2769      application which performs certificate verification is vulnerable including
 2770      OpenSSL clients and servers which enable client authentication.
 2771 
 2772      This issue was was reported to OpenSSL by Brian Carpenter.
 2773      (CVE-2015-0208)
 2774      [Stephen Henson]
 2775 
 2776   *) ASN.1 structure reuse memory corruption fix
 2777 
 2778      Reusing a structure in ASN.1 parsing may allow an attacker to cause
 2779      memory corruption via an invalid write. Such reuse is and has been
 2780      strongly discouraged and is believed to be rare.
 2781 
 2782      Applications that parse structures containing CHOICE or ANY DEFINED BY
 2783      components may be affected. Certificate parsing (d2i_X509 and related
 2784      functions) are however not affected. OpenSSL clients and servers are
 2785      not affected.
 2786      (CVE-2015-0287)
 2787      [Stephen Henson]
 2788 
 2789   *) PKCS7 NULL pointer dereferences fix
 2790 
 2791      The PKCS#7 parsing code does not handle missing outer ContentInfo
 2792      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
 2793      missing content and trigger a NULL pointer dereference on parsing.
 2794 
 2795      Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
 2796      otherwise parse PKCS#7 structures from untrusted sources are
 2797      affected. OpenSSL clients and servers are not affected.
 2798 
 2799      This issue was reported to OpenSSL by Michal Zalewski (Google).
 2800      (CVE-2015-0289)
 2801      [Emilia Käsper]
 2802 
 2803   *) DoS via reachable assert in SSLv2 servers fix
 2804 
 2805      A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
 2806      servers that both support SSLv2 and enable export cipher suites by sending
 2807      a specially crafted SSLv2 CLIENT-MASTER-KEY message.
 2808 
 2809      This issue was discovered by Sean Burford (Google) and Emilia Käsper
 2810      (OpenSSL development team).
 2811      (CVE-2015-0293)
 2812      [Emilia Käsper]
 2813 
 2814   *) Empty CKE with client auth and DHE fix
 2815 
 2816      If client auth is used then a server can seg fault in the event of a DHE
 2817      ciphersuite being selected and a zero length ClientKeyExchange message
 2818      being sent by the client. This could be exploited in a DoS attack.
 2819      (CVE-2015-1787)
 2820      [Matt Caswell]
 2821 
 2822   *) Handshake with unseeded PRNG fix
 2823 
 2824      Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
 2825      with an unseeded PRNG. The conditions are:
 2826      - The client is on a platform where the PRNG has not been seeded
 2827      automatically, and the user has not seeded manually
 2828      - A protocol specific client method version has been used (i.e. not
 2829      SSL_client_methodv23)
 2830      - A ciphersuite is used that does not require additional random data from
 2831      the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
 2832 
 2833      If the handshake succeeds then the client random that has been used will
 2834      have been generated from a PRNG with insufficient entropy and therefore the
 2835      output may be predictable.
 2836 
 2837      For example using the following command with an unseeded openssl will
 2838      succeed on an unpatched platform:
 2839 
 2840      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
 2841      (CVE-2015-0285)
 2842      [Matt Caswell]
 2843 
 2844   *) Use After Free following d2i_ECPrivatekey error fix
 2845 
 2846      A malformed EC private key file consumed via the d2i_ECPrivateKey function
 2847      could cause a use after free condition. This, in turn, could cause a double
 2848      free in several private key parsing functions (such as d2i_PrivateKey
 2849      or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
 2850      for applications that receive EC private keys from untrusted
 2851      sources. This scenario is considered rare.
 2852 
 2853      This issue was discovered by the BoringSSL project and fixed in their
 2854      commit 517073cd4b.
 2855      (CVE-2015-0209)
 2856      [Matt Caswell]
 2857 
 2858   *) X509_to_X509_REQ NULL pointer deref fix
 2859 
 2860      The function X509_to_X509_REQ will crash with a NULL pointer dereference if
 2861      the certificate key is invalid. This function is rarely used in practice.
 2862 
 2863      This issue was discovered by Brian Carpenter.
 2864      (CVE-2015-0288)
 2865      [Stephen Henson]
 2866 
 2867   *) Removed the export ciphers from the DEFAULT ciphers
 2868      [Kurt Roeckx]
 2869 
 2870  Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
 2871 
 2872   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
 2873      ARMv5 through ARMv8, as opposite to "locking" it to single one.
 2874      So far those who have to target multiple platforms would compromise
 2875      and argue that binary targeting say ARMv5 would still execute on
 2876      ARMv8. "Universal" build resolves this compromise by providing
 2877      near-optimal performance even on newer platforms.
 2878      [Andy Polyakov]
 2879 
 2880   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
 2881      (other platforms pending).
 2882      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
 2883 
 2884   *) Add support for the SignedCertificateTimestampList certificate and
 2885      OCSP response extensions from RFC6962.
 2886      [Rob Stradling]
 2887 
 2888   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
 2889      for corner cases. (Certain input points at infinity could lead to
 2890      bogus results, with non-infinity inputs mapped to infinity too.)
 2891      [Bodo Moeller]
 2892 
 2893   *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
 2894      This covers AES, SHA256/512 and GHASH. "Initial" means that most
 2895      common cases are optimized and there still is room for further
 2896      improvements. Vector Permutation AES for Altivec is also added.
 2897      [Andy Polyakov]
 2898 
 2899   *) Add support for little-endian ppc64 Linux target.
 2900      [Marcelo Cerri (IBM)]
 2901 
 2902   *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
 2903      SHA1, SHA256 and GHASH. "Initial" means that most common cases
 2904      are optimized and there still is room for further improvements.
 2905      Both 32- and 64-bit modes are supported.
 2906      [Andy Polyakov, Ard Biesheuvel (Linaro)]
 2907 
 2908   *) Improved ARMv7 NEON support.
 2909      [Andy Polyakov]
 2910 
 2911   *) Support for SPARC Architecture 2011 crypto extensions, first
 2912      implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
 2913      SHA256/512, MD5, GHASH and modular exponentiation.
 2914      [Andy Polyakov, David Miller]
 2915 
 2916   *) Accelerated modular exponentiation for Intel processors, a.k.a.
 2917      RSAZ.
 2918      [Shay Gueron & Vlad Krasnov (Intel Corp)]
 2919 
 2920   *) Support for new and upcoming Intel processors, including AVX2,
 2921      BMI and SHA ISA extensions. This includes additional "stitched"
 2922      implementations, AESNI-SHA256 and GCM, and multi-buffer support
 2923      for TLS encrypt.
 2924 
 2925      This work was sponsored by Intel Corp.
 2926      [Andy Polyakov]
 2927 
 2928   *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
 2929      supports both DTLS 1.2 and 1.0 and should use whatever version the peer
 2930      supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
 2931      [Steve Henson]
 2932 
 2933   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
 2934      this fixes a limitation in previous versions of OpenSSL.
 2935      [Steve Henson]
 2936 
 2937   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
 2938      MGF1 digest and OAEP label.
 2939      [Steve Henson]
 2940 
 2941   *) Add EVP support for key wrapping algorithms, to avoid problems with
 2942      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
 2943      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
 2944      algorithms and include tests cases.
 2945      [Steve Henson]
 2946 
 2947   *) Add functions to allocate and set the fields of an ECDSA_METHOD
 2948      structure.
 2949      [Douglas E. Engert, Steve Henson]
 2950 
 2951   *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
 2952      difference in days and seconds between two tm or ASN1_TIME structures.
 2953      [Steve Henson]
 2954 
 2955   *) Add -rev test option to s_server to just reverse order of characters
 2956      received by client and send back to server. Also prints an abbreviated
 2957      summary of the connection parameters.
 2958      [Steve Henson]
 2959 
 2960   *) New option -brief for s_client and s_server to print out a brief summary
 2961      of connection parameters.
 2962      [Steve Henson]
 2963 
 2964   *) Add callbacks for arbitrary TLS extensions.
 2965      [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
 2966 
 2967   *) New option -crl_download in several openssl utilities to download CRLs
 2968      from CRLDP extension in certificates.
 2969      [Steve Henson]
 2970 
 2971   *) New options -CRL and -CRLform for s_client and s_server for CRLs.
 2972      [Steve Henson]
 2973 
 2974   *) New function X509_CRL_diff to generate a delta CRL from the difference
 2975      of two full CRLs. Add support to "crl" utility.
 2976      [Steve Henson]
 2977 
 2978   *) New functions to set lookup_crls function and to retrieve
 2979      X509_STORE from X509_STORE_CTX.
 2980      [Steve Henson]
 2981 
 2982   *) Print out deprecated issuer and subject unique ID fields in
 2983      certificates.
 2984      [Steve Henson]
 2985 
 2986   *) Extend OCSP I/O functions so they can be used for simple general purpose
 2987      HTTP as well as OCSP. New wrapper function which can be used to download
 2988      CRLs using the OCSP API.
 2989      [Steve Henson]
 2990 
 2991   *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
 2992      [Steve Henson]
 2993 
 2994   *) SSL_CONF* functions. These provide a common framework for application
 2995      configuration using configuration files or command lines.
 2996      [Steve Henson]
 2997 
 2998   *) SSL/TLS tracing code. This parses out SSL/TLS records using the
 2999      message callback and prints the results. Needs compile time option
 3000      "enable-ssl-trace". New options to s_client and s_server to enable
 3001      tracing.
 3002      [Steve Henson]
 3003 
 3004   *) New ctrl and macro to retrieve supported points extensions.
 3005      Print out extension in s_server and s_client.
 3006      [Steve Henson]
 3007 
 3008   *) New functions to retrieve certificate signature and signature
 3009      OID NID.
 3010      [Steve Henson]
 3011 
 3012   *) Add functions to retrieve and manipulate the raw cipherlist sent by a
 3013      client to OpenSSL.
 3014      [Steve Henson]
 3015 
 3016   *) New Suite B modes for TLS code. These use and enforce the requirements
 3017      of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
 3018      only use Suite B curves. The Suite B modes can be set by using the
 3019      strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
 3020      [Steve Henson]
 3021 
 3022   *) New chain verification flags for Suite B levels of security. Check
 3023      algorithms are acceptable when flags are set in X509_verify_cert.
 3024      [Steve Henson]
 3025 
 3026   *) Make tls1_check_chain return a set of flags indicating checks passed
 3027      by a certificate chain. Add additional tests to handle client
 3028      certificates: checks for matching certificate type and issuer name
 3029      comparison.
 3030      [Steve Henson]
 3031 
 3032   *) If an attempt is made to use a signature algorithm not in the peer
 3033      preference list abort the handshake. If client has no suitable
 3034      signature algorithms in response to a certificate request do not
 3035      use the certificate.
 3036      [Steve Henson]
 3037 
 3038   *) If server EC tmp key is not in client preference list abort handshake.
 3039      [Steve Henson]
 3040 
 3041   *) Add support for certificate stores in CERT structure. This makes it
 3042      possible to have different stores per SSL structure or one store in
 3043      the parent SSL_CTX. Include distinct stores for certificate chain
 3044      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
 3045      to build and store a certificate chain in CERT structure: returning
 3046      an error if the chain cannot be built: this will allow applications
 3047      to test if a chain is correctly configured.
 3048 
 3049      Note: if the CERT based stores are not set then the parent SSL_CTX
 3050      store is used to retain compatibility with existing behaviour.
 3051 
 3052      [Steve Henson]
 3053 
 3054   *) New function ssl_set_client_disabled to set a ciphersuite disabled
 3055      mask based on the current session, check mask when sending client
 3056      hello and checking the requested ciphersuite.
 3057      [Steve Henson]
 3058 
 3059   *) New ctrls to retrieve and set certificate types in a certificate
 3060      request message. Print out received values in s_client. If certificate
 3061      types is not set with custom values set sensible values based on
 3062      supported signature algorithms.
 3063      [Steve Henson]
 3064 
 3065   *) Support for distinct client and server supported signature algorithms.
 3066      [Steve Henson]
 3067 
 3068   *) Add certificate callback. If set this is called whenever a certificate
 3069      is required by client or server. An application can decide which
 3070      certificate chain to present based on arbitrary criteria: for example
 3071      supported signature algorithms. Add very simple example to s_server.
 3072      This fixes many of the problems and restrictions of the existing client
 3073      certificate callback: for example you can now clear an existing
 3074      certificate and specify the whole chain.
 3075      [Steve Henson]
 3076 
 3077   *) Add new "valid_flags" field to CERT_PKEY structure which determines what
 3078      the certificate can be used for (if anything). Set valid_flags field
 3079      in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
 3080      to have similar checks in it.
 3081 
 3082      Add new "cert_flags" field to CERT structure and include a "strict mode".
 3083      This enforces some TLS certificate requirements (such as only permitting
 3084      certificate signature algorithms contained in the supported algorithms
 3085      extension) which some implementations ignore: this option should be used
 3086      with caution as it could cause interoperability issues.
 3087      [Steve Henson]
 3088 
 3089   *) Update and tidy signature algorithm extension processing. Work out
 3090      shared signature algorithms based on preferences and peer algorithms
 3091      and print them out in s_client and s_server. Abort handshake if no
 3092      shared signature algorithms.
 3093      [Steve Henson]
 3094 
 3095   *) Add new functions to allow customised supported signature algorithms
 3096      for SSL and SSL_CTX structures. Add options to s_client and s_server
 3097      to support them.
 3098      [Steve Henson]
 3099 
 3100   *) New function SSL_certs_clear() to delete all references to certificates
 3101      from an SSL structure. Before this once a certificate had been added
 3102      it couldn't be removed.
 3103      [Steve Henson]
 3104 
 3105   *) Integrate hostname, email address and IP address checking with certificate
 3106      verification. New verify options supporting checking in openssl utility.
 3107      [Steve Henson]
 3108 
 3109   *) Fixes and wildcard matching support to hostname and email checking
 3110      functions. Add manual page.
 3111      [Florian Weimer (Red Hat Product Security Team)]
 3112 
 3113   *) New functions to check a hostname email or IP address against a
 3114      certificate. Add options x509 utility to print results of checks against
 3115      a certificate.
 3116      [Steve Henson]
 3117 
 3118   *) Fix OCSP checking.
 3119      [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
 3120 
 3121   *) Initial experimental support for explicitly trusted non-root CAs.
 3122      OpenSSL still tries to build a complete chain to a root but if an
 3123      intermediate CA has a trust setting included that is used. The first
 3124      setting is used: whether to trust (e.g., -addtrust option to the x509
 3125      utility) or reject.
 3126      [Steve Henson]
 3127 
 3128   *) Add -trusted_first option which attempts to find certificates in the
 3129      trusted store even if an untrusted chain is also supplied.
 3130      [Steve Henson]
 3131 
 3132   *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
 3133      platform support for Linux and Android.
 3134      [Andy Polyakov]
 3135 
 3136   *) Support for linux-x32, ILP32 environment in x86_64 framework.
 3137      [Andy Polyakov]
 3138 
 3139   *) Experimental multi-implementation support for FIPS capable OpenSSL.
 3140      When in FIPS mode the approved implementations are used as normal,
 3141      when not in FIPS mode the internal unapproved versions are used instead.
 3142      This means that the FIPS capable OpenSSL isn't forced to use the
 3143      (often lower performance) FIPS implementations outside FIPS mode.
 3144      [Steve Henson]
 3145 
 3146   *) Transparently support X9.42 DH parameters when calling
 3147      PEM_read_bio_DHparameters. This means existing applications can handle
 3148      the new parameter format automatically.
 3149      [Steve Henson]
 3150 
 3151   *) Initial experimental support for X9.42 DH parameter format: mainly
 3152      to support use of 'q' parameter for RFC5114 parameters.
 3153      [Steve Henson]
 3154 
 3155   *) Add DH parameters from RFC5114 including test data to dhtest.
 3156      [Steve Henson]
 3157 
 3158   *) Support for automatic EC temporary key parameter selection. If enabled
 3159      the most preferred EC parameters are automatically used instead of
 3160      hardcoded fixed parameters. Now a server just has to call:
 3161      SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
 3162      support ECDH and use the most appropriate parameters.
 3163      [Steve Henson]
 3164 
 3165   *) Enhance and tidy EC curve and point format TLS extension code. Use
 3166      static structures instead of allocation if default values are used.
 3167      New ctrls to set curves we wish to support and to retrieve shared curves.
 3168      Print out shared curves in s_server. New options to s_server and s_client
 3169      to set list of supported curves.
 3170      [Steve Henson]
 3171 
 3172   *) New ctrls to retrieve supported signature algorithms and
 3173      supported curve values as an array of NIDs. Extend openssl utility
 3174      to print out received values.
 3175      [Steve Henson]
 3176 
 3177   *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
 3178      between NIDs and the more common NIST names such as "P-256". Enhance
 3179      ecparam utility and ECC method to recognise the NIST names for curves.
 3180      [Steve Henson]
 3181 
 3182   *) Enhance SSL/TLS certificate chain handling to support different
 3183      chains for each certificate instead of one chain in the parent SSL_CTX.
 3184      [Steve Henson]
 3185 
 3186   *) Support for fixed DH ciphersuite client authentication: where both
 3187      server and client use DH certificates with common parameters.
 3188      [Steve Henson]
 3189 
 3190   *) Support for fixed DH ciphersuites: those requiring DH server
 3191      certificates.
 3192      [Steve Henson]
 3193 
 3194   *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
 3195      the certificate.
 3196      Note: Related 1.0.2-beta specific macros X509_get_cert_info,
 3197      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
 3198      X509_CINF_get_signature were reverted post internal team review.
 3199 
 3200  Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
 3201 
 3202   *) Build fixes for the Windows and OpenVMS platforms
 3203      [Matt Caswell and Richard Levitte]
 3204 
 3205  Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
 3206 
 3207   *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
 3208      message can cause a segmentation fault in OpenSSL due to a NULL pointer
 3209      dereference. This could lead to a Denial Of Service attack. Thanks to
 3210      Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
 3211      (CVE-2014-3571)
 3212      [Steve Henson]
 3213 
 3214   *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
 3215      dtls1_buffer_record function under certain conditions. In particular this
 3216      could occur if an attacker sent repeated DTLS records with the same
 3217      sequence number but for the next epoch. The memory leak could be exploited
 3218      by an attacker in a Denial of Service attack through memory exhaustion.
 3219      Thanks to Chris Mueller for reporting this issue.
 3220      (CVE-2015-0206)
 3221      [Matt Caswell]
 3222 
 3223   *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
 3224      built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
 3225      method would be set to NULL which could later result in a NULL pointer
 3226      dereference. Thanks to Frank Schmirler for reporting this issue.
 3227      (CVE-2014-3569)
 3228      [Kurt Roeckx]
 3229 
 3230   *) Abort handshake if server key exchange message is omitted for ephemeral
 3231      ECDH ciphersuites.
 3232 
 3233      Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
 3234      reporting this issue.
 3235      (CVE-2014-3572)
 3236      [Steve Henson]
 3237 
 3238   *) Remove non-export ephemeral RSA code on client and server. This code
 3239      violated the TLS standard by allowing the use of temporary RSA keys in
 3240      non-export ciphersuites and could be used by a server to effectively
 3241      downgrade the RSA key length used to a value smaller than the server
 3242      certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
 3243      INRIA or reporting this issue.
 3244      (CVE-2015-0204)
 3245      [Steve Henson]
 3246 
 3247   *) Fixed issue where DH client certificates are accepted without verification.
 3248      An OpenSSL server will accept a DH certificate for client authentication
 3249      without the certificate verify message. This effectively allows a client to
 3250      authenticate without the use of a private key. This only affects servers
 3251      which trust a client certificate authority which issues certificates
 3252      containing DH keys: these are extremely rare and hardly ever encountered.
 3253      Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
 3254      this issue.
 3255      (CVE-2015-0205)
 3256      [Steve Henson]
 3257 
 3258   *) Ensure that the session ID context of an SSL is updated when its
 3259      SSL_CTX is updated via SSL_set_SSL_CTX.
 3260 
 3261      The session ID context is typically set from the parent SSL_CTX,
 3262      and can vary with the CTX.
 3263      [Adam Langley]
 3264 
 3265   *) Fix various certificate fingerprint issues.
 3266 
 3267      By using non-DER or invalid encodings outside the signed portion of a
 3268      certificate the fingerprint can be changed without breaking the signature.
 3269      Although no details of the signed portion of the certificate can be changed
 3270      this can cause problems with some applications: e.g. those using the
 3271      certificate fingerprint for blacklists.
 3272 
 3273      1. Reject signatures with non zero unused bits.
 3274 
 3275      If the BIT STRING containing the signature has non zero unused bits reject
 3276      the signature. All current signature algorithms require zero unused bits.
 3277 
 3278      2. Check certificate algorithm consistency.
 3279 
 3280      Check the AlgorithmIdentifier inside TBS matches the one in the
 3281      certificate signature. NB: this will result in signature failure
 3282      errors for some broken certificates.
 3283 
 3284      Thanks to Konrad Kraszewski from Google for reporting this issue.
 3285 
 3286      3. Check DSA/ECDSA signatures use DER.
 3287 
 3288      Re-encode DSA/ECDSA signatures and compare with the original received
 3289      signature. Return an error if there is a mismatch.
 3290 
 3291      This will reject various cases including garbage after signature
 3292      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
 3293      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
 3294      (negative or with leading zeroes).
 3295 
 3296      Further analysis was conducted and fixes were developed by Stephen Henson
 3297      of the OpenSSL core team.
 3298 
 3299      (CVE-2014-8275)
 3300      [Steve Henson]
 3301 
 3302    *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
 3303       results on some platforms, including x86_64. This bug occurs at random
 3304       with a very low probability, and is not known to be exploitable in any
 3305       way, though its exact impact is difficult to determine. Thanks to Pieter
 3306       Wuille (Blockstream) who reported this issue and also suggested an initial
 3307       fix. Further analysis was conducted by the OpenSSL development team and
 3308       Adam Langley of Google. The final fix was developed by Andy Polyakov of
 3309       the OpenSSL core team.
 3310       (CVE-2014-3570)
 3311       [Andy Polyakov]
 3312 
 3313    *) Do not resume sessions on the server if the negotiated protocol
 3314       version does not match the session's version. Resuming with a different
 3315       version, while not strictly forbidden by the RFC, is of questionable
 3316       sanity and breaks all known clients.
 3317       [David Benjamin, Emilia Käsper]
 3318 
 3319    *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
 3320       early CCS messages during renegotiation. (Note that because
 3321       renegotiation is encrypted, this early CCS was not exploitable.)
 3322       [Emilia Käsper]
 3323 
 3324    *) Tighten client-side session ticket handling during renegotiation:
 3325       ensure that the client only accepts a session ticket if the server sends
 3326       the extension anew in the ServerHello. Previously, a TLS client would
 3327       reuse the old extension state and thus accept a session ticket if one was
 3328       announced in the initial ServerHello.
 3329 
 3330       Similarly, ensure that the client requires a session ticket if one
 3331       was advertised in the ServerHello. Previously, a TLS client would
 3332       ignore a missing NewSessionTicket message.
 3333       [Emilia Käsper]
 3334 
 3335  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
 3336 
 3337   *) SRTP Memory Leak.
 3338 
 3339      A flaw in the DTLS SRTP extension parsing code allows an attacker, who
 3340      sends a carefully crafted handshake message, to cause OpenSSL to fail
 3341      to free up to 64k of memory causing a memory leak. This could be
 3342      exploited in a Denial Of Service attack. This issue affects OpenSSL
 3343      1.0.1 server implementations for both SSL/TLS and DTLS regardless of
 3344      whether SRTP is used or configured. Implementations of OpenSSL that
 3345      have been compiled with OPENSSL_NO_SRTP defined are not affected.
 3346 
 3347      The fix was developed by the OpenSSL team.
 3348      (CVE-2014-3513)
 3349      [OpenSSL team]
 3350 
 3351   *) Session Ticket Memory Leak.
 3352 
 3353      When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
 3354      integrity of that ticket is first verified. In the event of a session
 3355      ticket integrity check failing, OpenSSL will fail to free memory
 3356      causing a memory leak. By sending a large number of invalid session
 3357      tickets an attacker could exploit this issue in a Denial Of Service
 3358      attack.
 3359      (CVE-2014-3567)
 3360      [Steve Henson]
 3361 
 3362   *) Build option no-ssl3 is incomplete.
 3363 
 3364      When OpenSSL is configured with "no-ssl3" as a build option, servers
 3365      could accept and complete a SSL 3.0 handshake, and clients could be
 3366      configured to send them.
 3367      (CVE-2014-3568)
 3368      [Akamai and the OpenSSL team]
 3369 
 3370   *) Add support for TLS_FALLBACK_SCSV.
 3371      Client applications doing fallback retries should call
 3372      SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
 3373      (CVE-2014-3566)
 3374      [Adam Langley, Bodo Moeller]
 3375 
 3376   *) Add additional DigestInfo checks.
 3377 
 3378      Re-encode DigestInto in DER and check against the original when
 3379      verifying RSA signature: this will reject any improperly encoded
 3380      DigestInfo structures.
 3381 
 3382      Note: this is a precautionary measure and no attacks are currently known.
 3383 
 3384      [Steve Henson]
 3385 
 3386  Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
 3387 
 3388   *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
 3389      SRP code can be overrun an internal buffer. Add sanity check that
 3390      g, A, B < N to SRP code.
 3391 
 3392      Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
 3393      Group for discovering this issue.
 3394      (CVE-2014-3512)
 3395      [Steve Henson]
 3396 
 3397   *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
 3398      TLS 1.0 instead of higher protocol versions when the ClientHello message
 3399      is badly fragmented. This allows a man-in-the-middle attacker to force a
 3400      downgrade to TLS 1.0 even if both the server and the client support a
 3401      higher protocol version, by modifying the client's TLS records.
 3402 
 3403      Thanks to David Benjamin and Adam Langley (Google) for discovering and
 3404      researching this issue.
 3405      (CVE-2014-3511)
 3406      [David Benjamin]
 3407 
 3408   *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
 3409      to a denial of service attack. A malicious server can crash the client
 3410      with a null pointer dereference (read) by specifying an anonymous (EC)DH
 3411      ciphersuite and sending carefully crafted handshake messages.
 3412 
 3413      Thanks to Felix Gröbert (Google) for discovering and researching this
 3414      issue.
 3415      (CVE-2014-3510)
 3416      [Emilia Käsper]
 3417 
 3418   *) By sending carefully crafted DTLS packets an attacker could cause openssl
 3419      to leak memory. This can be exploited through a Denial of Service attack.
 3420      Thanks to Adam Langley for discovering and researching this issue.
 3421      (CVE-2014-3507)
 3422      [Adam Langley]
 3423 
 3424   *) An attacker can force openssl to consume large amounts of memory whilst
 3425      processing DTLS handshake messages. This can be exploited through a
 3426      Denial of Service attack.
 3427      Thanks to Adam Langley for discovering and researching this issue.
 3428      (CVE-2014-3506)
 3429      [Adam Langley]
 3430 
 3431   *) An attacker can force an error condition which causes openssl to crash
 3432      whilst processing DTLS packets due to memory being freed twice. This
 3433      can be exploited through a Denial of Service attack.
 3434      Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
 3435      this issue.
 3436      (CVE-2014-3505)
 3437      [Adam Langley]
 3438 
 3439   *) If a multithreaded client connects to a malicious server using a resumed
 3440      session and the server sends an ec point format extension it could write
 3441      up to 255 bytes to freed memory.
 3442 
 3443      Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
 3444      issue.
 3445      (CVE-2014-3509)
 3446      [Gabor Tyukasz]
 3447 
 3448   *) A malicious server can crash an OpenSSL client with a null pointer
 3449      dereference (read) by specifying an SRP ciphersuite even though it was not
 3450      properly negotiated with the client. This can be exploited through a
 3451      Denial of Service attack.
 3452 
 3453      Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
 3454      discovering and researching this issue.
 3455      (CVE-2014-5139)
 3456      [Steve Henson]
 3457 
 3458   *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
 3459      X509_name_oneline, X509_name_print_ex et al. to leak some information
 3460      from the stack. Applications may be affected if they echo pretty printing
 3461      output to the attacker.
 3462 
 3463      Thanks to Ivan Fratric (Google) for discovering this issue.
 3464      (CVE-2014-3508)
 3465      [Emilia Käsper, and Steve Henson]
 3466 
 3467   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
 3468      for corner cases. (Certain input points at infinity could lead to
 3469      bogus results, with non-infinity inputs mapped to infinity too.)
 3470      [Bodo Moeller]
 3471 
 3472  Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
 3473 
 3474   *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
 3475      handshake can force the use of weak keying material in OpenSSL
 3476      SSL/TLS clients and servers.
 3477 
 3478      Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
 3479      researching this issue. (CVE-2014-0224)
 3480      [KIKUCHI Masashi, Steve Henson]
 3481 
 3482   *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
 3483      OpenSSL DTLS client the code can be made to recurse eventually crashing
 3484      in a DoS attack.
 3485 
 3486      Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
 3487      (CVE-2014-0221)
 3488      [Imre Rad, Steve Henson]
 3489 
 3490   *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
 3491      be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
 3492      client or server. This is potentially exploitable to run arbitrary
 3493      code on a vulnerable client or server.
 3494 
 3495      Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
 3496      [Jüri Aedla, Steve Henson]
 3497 
 3498   *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
 3499      are subject to a denial of service attack.
 3500 
 3501      Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
 3502      this issue. (CVE-2014-3470)
 3503      [Felix Gröbert, Ivan Fratric, Steve Henson]
 3504 
 3505   *) Harmonize version and its documentation. -f flag is used to display
 3506      compilation flags.
 3507      [mancha <mancha1@zoho.com>]
 3508 
 3509   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
 3510      in i2d_ECPrivateKey.
 3511      [mancha <mancha1@zoho.com>]
 3512 
 3513   *) Fix some double frees. These are not thought to be exploitable.
 3514      [mancha <mancha1@zoho.com>]
 3515 
 3516  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
 3517 
 3518   *) A missing bounds check in the handling of the TLS heartbeat extension
 3519      can be used to reveal up to 64k of memory to a connected client or
 3520      server.
 3521 
 3522      Thanks for Neel Mehta of Google Security for discovering this bug and to
 3523      Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
 3524      preparing the fix (CVE-2014-0160)
 3525      [Adam Langley, Bodo Moeller]
 3526 
 3527   *) Fix for the attack described in the paper "Recovering OpenSSL
 3528      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
 3529      by Yuval Yarom and Naomi Benger. Details can be obtained from:
 3530      http://eprint.iacr.org/2014/140
 3531 
 3532      Thanks to Yuval Yarom and Naomi Benger for discovering this
 3533      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
 3534      [Yuval Yarom and Naomi Benger]
 3535 
 3536   *) TLS pad extension: draft-agl-tls-padding-03
 3537 
 3538      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
 3539      TLS client Hello record length value would otherwise be > 255 and
 3540      less that 512 pad with a dummy extension containing zeroes so it
 3541      is at least 512 bytes long.
 3542 
 3543      [Adam Langley, Steve Henson]
 3544 
 3545  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
 3546 
 3547   *) Fix for TLS record tampering bug. A carefully crafted invalid
 3548      handshake could crash OpenSSL with a NULL pointer exception.
 3549      Thanks to Anton Johansson for reporting this issues.
 3550      (CVE-2013-4353)
 3551 
 3552   *) Keep original DTLS digest and encryption contexts in retransmission
 3553      structures so we can use the previous session parameters if they need
 3554      to be resent. (CVE-2013-6450)
 3555      [Steve Henson]
 3556 
 3557   *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
 3558      avoids preferring ECDHE-ECDSA ciphers when the client appears to be
 3559      Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
 3560      several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
 3561      is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
 3562      10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
 3563      [Rob Stradling, Adam Langley]
 3564 
 3565  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
 3566 
 3567   *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
 3568      supporting platforms or when small records were transferred.
 3569      [Andy Polyakov, Steve Henson]
 3570 
 3571  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
 3572 
 3573   *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
 3574 
 3575      This addresses the flaw in CBC record processing discovered by
 3576      Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
 3577      at: http://www.isg.rhul.ac.uk/tls/
 3578 
 3579      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
 3580      Security Group at Royal Holloway, University of London
 3581      (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
 3582      Emilia Käsper for the initial patch.
 3583      (CVE-2013-0169)
 3584      [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
 3585 
 3586   *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
 3587      ciphersuites which can be exploited in a denial of service attack.
 3588      Thanks go to and to Adam Langley <agl@chromium.org> for discovering
 3589      and detecting this bug and to Wolfgang Ettlinger
 3590      <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
 3591      (CVE-2012-2686)
 3592      [Adam Langley]
 3593 
 3594   *) Return an error when checking OCSP signatures when key is NULL.
 3595      This fixes a DoS attack. (CVE-2013-0166)
 3596      [Steve Henson]
 3597 
 3598   *) Make openssl verify return errors.
 3599      [Chris Palmer <palmer@google.com> and Ben Laurie]
 3600 
 3601   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
 3602      the right response is stapled. Also change SSL_get_certificate()
 3603      so it returns the certificate actually sent.
 3604      See http://rt.openssl.org/Ticket/Display.html?id=2836.
 3605      [Rob Stradling <rob.stradling@comodo.com>]
 3606 
 3607   *) Fix possible deadlock when decoding public keys.
 3608      [Steve Henson]
 3609 
 3610   *) Don't use TLS 1.0 record version number in initial client hello
 3611      if renegotiating.
 3612      [Steve Henson]
 3613 
 3614  Changes between 1.0.1b and 1.0.1c [10 May 2012]
 3615 
 3616   *) Sanity check record length before skipping explicit IV in TLS
 3617      1.2, 1.1 and DTLS to fix DoS attack.
 3618 
 3619      Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
 3620      fuzzing as a service testing platform.
 3621      (CVE-2012-2333)
 3622      [Steve Henson]
 3623 
 3624   *) Initialise tkeylen properly when encrypting CMS messages.
 3625      Thanks to Solar Designer of Openwall for reporting this issue.
 3626      [Steve Henson]
 3627 
 3628   *) In FIPS mode don't try to use composite ciphers as they are not
 3629      approved.
 3630      [Steve Henson]
 3631 
 3632  Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
 3633 
 3634   *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
 3635      1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
 3636      mean any application compiled against OpenSSL 1.0.0 headers setting
 3637      SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
 3638      TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
 3639      0x10000000L Any application which was previously compiled against
 3640      OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
 3641      will need to be recompiled as a result. Letting be results in
 3642      inability to disable specifically TLS 1.1 and in client context,
 3643      in unlike event, limit maximum offered version to TLS 1.0 [see below].
 3644      [Steve Henson]
 3645 
 3646   *) In order to ensure interoperability SSL_OP_NO_protocolX does not
 3647      disable just protocol X, but all protocols above X *if* there are
 3648      protocols *below* X still enabled. In more practical terms it means
 3649      that if application wants to disable TLS1.0 in favor of TLS1.1 and
 3650      above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
 3651      SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
 3652      client side.
 3653      [Andy Polyakov]
 3654 
 3655  Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
 3656 
 3657   *) Check for potentially exploitable overflows in asn1_d2i_read_bio
 3658      BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
 3659      in CRYPTO_realloc_clean.
 3660 
 3661      Thanks to Tavis Ormandy, Google Security Team, for discovering this
 3662      issue and to Adam Langley <agl@chromium.org> for fixing it.
 3663      (CVE-2012-2110)
 3664      [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 3665 
 3666   *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
 3667      [Adam Langley]
 3668 
 3669   *) Workarounds for some broken servers that "hang" if a client hello
 3670      record length exceeds 255 bytes.
 3671 
 3672      1. Do not use record version number > TLS 1.0 in initial client
 3673         hello: some (but not all) hanging servers will now work.
 3674      2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
 3675         the number of ciphers sent in the client hello. This should be
 3676         set to an even number, such as 50, for example by passing:
 3677         -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
 3678         Most broken servers should now work.
 3679      3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
 3680         TLS 1.2 client support entirely.
 3681      [Steve Henson]
 3682 
 3683   *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
 3684      [Andy Polyakov]
 3685 
 3686  Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
 3687 
 3688   *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
 3689      STRING form instead of a DigestInfo.
 3690      [Steve Henson]
 3691 
 3692   *) The format used for MDC2 RSA signatures is inconsistent between EVP
 3693      and the RSA_sign/RSA_verify functions. This was made more apparent when
 3694      OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
 3695      those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
 3696      the correct format in RSA_verify so both forms transparently work.
 3697      [Steve Henson]
 3698 
 3699   *) Some servers which support TLS 1.0 can choke if we initially indicate
 3700      support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
 3701      encrypted premaster secret. As a workaround use the maximum permitted
 3702      client version in client hello, this should keep such servers happy
 3703      and still work with previous versions of OpenSSL.
 3704      [Steve Henson]
 3705 
 3706   *) Add support for TLS/DTLS heartbeats.
 3707      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3708 
 3709   *) Add support for SCTP.
 3710      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3711 
 3712   *) Improved PRNG seeding for VOS.
 3713      [Paul Green <Paul.Green@stratus.com>]
 3714 
 3715   *) Extensive assembler packs updates, most notably:
 3716 
 3717         - x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
 3718         - x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
 3719         - x86_64:       bit-sliced AES implementation;
 3720         - ARM:          NEON support, contemporary platforms optimizations;
 3721         - s390x:        z196 support;
 3722         - *:            GHASH and GF(2^m) multiplication implementations;
 3723 
 3724      [Andy Polyakov]
 3725 
 3726   *) Make TLS-SRP code conformant with RFC 5054 API cleanup
 3727      (removal of unnecessary code)
 3728      [Peter Sylvester <peter.sylvester@edelweb.fr>]
 3729 
 3730   *) Add TLS key material exporter from RFC 5705.
 3731      [Eric Rescorla]
 3732 
 3733   *) Add DTLS-SRTP negotiation from RFC 5764.
 3734      [Eric Rescorla]
 3735 
 3736   *) Add Next Protocol Negotiation,
 3737      http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
 3738      disabled with a no-npn flag to config or Configure. Code donated
 3739      by Google.
 3740      [Adam Langley <agl@google.com> and Ben Laurie]
 3741 
 3742   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
 3743      NIST-P256, NIST-P521, with constant-time single point multiplication on
 3744      typical inputs. Compiler support for the nonstandard type __uint128_t is
 3745      required to use this (present in gcc 4.4 and later, for 64-bit builds).
 3746      Code made available under Apache License version 2.0.
 3747 
 3748      Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
 3749      line to include this in your build of OpenSSL, and run "make depend" (or
 3750      "make update"). This enables the following EC_METHODs:
 3751 
 3752          EC_GFp_nistp224_method()
 3753          EC_GFp_nistp256_method()
 3754          EC_GFp_nistp521_method()
 3755 
 3756      EC_GROUP_new_by_curve_name() will automatically use these (while
 3757      EC_GROUP_new_curve_GFp() currently prefers the more flexible
 3758      implementations).
 3759      [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
 3760 
 3761   *) Use type ossl_ssize_t instead of ssize_t which isn't available on
 3762      all platforms. Move ssize_t definition from e_os.h to the public
 3763      header file e_os2.h as it now appears in public header file cms.h
 3764      [Steve Henson]
 3765 
 3766   *) New -sigopt option to the ca, req and x509 utilities. Additional
 3767      signature parameters can be passed using this option and in
 3768      particular PSS.
 3769      [Steve Henson]
 3770 
 3771   *) Add RSA PSS signing function. This will generate and set the
 3772      appropriate AlgorithmIdentifiers for PSS based on those in the
 3773      corresponding EVP_MD_CTX structure. No application support yet.
 3774      [Steve Henson]
 3775 
 3776   *) Support for companion algorithm specific ASN1 signing routines.
 3777      New function ASN1_item_sign_ctx() signs a pre-initialised
 3778      EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
 3779      the appropriate parameters.
 3780      [Steve Henson]
 3781 
 3782   *) Add new algorithm specific ASN1 verification initialisation function
 3783      to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
 3784      handling will be the same no matter what EVP_PKEY_METHOD is used.
 3785      Add a PSS handler to support verification of PSS signatures: checked
 3786      against a number of sample certificates.
 3787      [Steve Henson]
 3788 
 3789   *) Add signature printing for PSS. Add PSS OIDs.
 3790      [Steve Henson, Martin Kaiser <lists@kaiser.cx>]
 3791 
 3792   *) Add algorithm specific signature printing. An individual ASN1 method
 3793      can now print out signatures instead of the standard hex dump.
 3794 
 3795      More complex signatures (e.g. PSS) can print out more meaningful
 3796      information. Include DSA version that prints out the signature
 3797      parameters r, s.
 3798      [Steve Henson]
 3799 
 3800   *) Password based recipient info support for CMS library: implementing
 3801      RFC3211.
 3802      [Steve Henson]
 3803 
 3804   *) Split password based encryption into PBES2 and PBKDF2 functions. This
 3805      neatly separates the code into cipher and PBE sections and is required
 3806      for some algorithms that split PBES2 into separate pieces (such as
 3807      password based CMS).
 3808      [Steve Henson]
 3809 
 3810   *) Session-handling fixes:
 3811      - Fix handling of connections that are resuming with a session ID,
 3812        but also support Session Tickets.
 3813      - Fix a bug that suppressed issuing of a new ticket if the client
 3814        presented a ticket with an expired session.
 3815      - Try to set the ticket lifetime hint to something reasonable.
 3816      - Make tickets shorter by excluding irrelevant information.
 3817      - On the client side, don't ignore renewed tickets.
 3818      [Adam Langley, Bodo Moeller (Google)]
 3819 
 3820   *) Fix PSK session representation.
 3821      [Bodo Moeller]
 3822 
 3823   *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
 3824 
 3825      This work was sponsored by Intel.
 3826      [Andy Polyakov]
 3827 
 3828   *) Add GCM support to TLS library. Some custom code is needed to split
 3829      the IV between the fixed (from PRF) and explicit (from TLS record)
 3830      portions. This adds all GCM ciphersuites supported by RFC5288 and
 3831      RFC5289. Generalise some AES* cipherstrings to include GCM and
 3832      add a special AESGCM string for GCM only.
 3833      [Steve Henson]
 3834 
 3835   *) Expand range of ctrls for AES GCM. Permit setting invocation
 3836      field on decrypt and retrieval of invocation field only on encrypt.
 3837      [Steve Henson]
 3838 
 3839   *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
 3840      As required by RFC5289 these ciphersuites cannot be used if for
 3841      versions of TLS earlier than 1.2.
 3842      [Steve Henson]
 3843 
 3844   *) For FIPS capable OpenSSL interpret a NULL default public key method
 3845      as unset and return the appropriate default but do *not* set the default.
 3846      This means we can return the appropriate method in applications that
 3847      switch between FIPS and non-FIPS modes.
 3848      [Steve Henson]
 3849 
 3850   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
 3851      ENGINE is used then we cannot handle that in the FIPS module so we
 3852      keep original code iff non-FIPS operations are allowed.
 3853      [Steve Henson]
 3854 
 3855   *) Add -attime option to openssl utilities.
 3856      [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
 3857 
 3858   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
 3859      [Steve Henson]
 3860 
 3861   *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
 3862      FIPS EC methods unconditionally for now.
 3863      [Steve Henson]
 3864 
 3865   *) New build option no-ec2m to disable characteristic 2 code.
 3866      [Steve Henson]
 3867 
 3868   *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
 3869      all cases can be covered as some introduce binary incompatibilities.
 3870      [Steve Henson]
 3871 
 3872   *) Redirect RSA operations to FIPS module including keygen,
 3873      encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
 3874      [Steve Henson]
 3875 
 3876   *) Add similar low level API blocking to ciphers.
 3877      [Steve Henson]
 3878 
 3879   *) Low level digest APIs are not approved in FIPS mode: any attempt
 3880      to use these will cause a fatal error. Applications that *really* want
 3881      to use them can use the private_* version instead.
 3882      [Steve Henson]
 3883 
 3884   *) Redirect cipher operations to FIPS module for FIPS builds.
 3885      [Steve Henson]
 3886 
 3887   *) Redirect digest operations to FIPS module for FIPS builds.
 3888      [Steve Henson]
 3889 
 3890   *) Update build system to add "fips" flag which will link in fipscanister.o
 3891      for static and shared library builds embedding a signature if needed.
 3892      [Steve Henson]
 3893 
 3894   *) Output TLS supported curves in preference order instead of numerical
 3895      order. This is currently hardcoded for the highest order curves first.
 3896      This should be configurable so applications can judge speed vs strength.
 3897      [Steve Henson]
 3898 
 3899   *) Add TLS v1.2 server support for client authentication.
 3900      [Steve Henson]
 3901 
 3902   *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
 3903      and enable MD5.
 3904      [Steve Henson]
 3905 
 3906   *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
 3907      FIPS modules versions.
 3908      [Steve Henson]
 3909 
 3910   *) Add TLS v1.2 client side support for client authentication. Keep cache
 3911      of handshake records longer as we don't know the hash algorithm to use
 3912      until after the certificate request message is received.
 3913      [Steve Henson]
 3914 
 3915   *) Initial TLS v1.2 client support. Add a default signature algorithms
 3916      extension including all the algorithms we support. Parse new signature
 3917      format in client key exchange. Relax some ECC signing restrictions for
 3918      TLS v1.2 as indicated in RFC5246.
 3919      [Steve Henson]
 3920 
 3921   *) Add server support for TLS v1.2 signature algorithms extension. Switch
 3922      to new signature format when needed using client digest preference.
 3923      All server ciphersuites should now work correctly in TLS v1.2. No client
 3924      support yet and no support for client certificates.
 3925      [Steve Henson]
 3926 
 3927   *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
 3928      to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
 3929      ciphersuites. At present only RSA key exchange ciphersuites work with
 3930      TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
 3931      SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
 3932      and version checking.
 3933      [Steve Henson]
 3934 
 3935   *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
 3936      with this defined it will not be affected by any changes to ssl internal
 3937      structures. Add several utility functions to allow openssl application
 3938      to work with OPENSSL_NO_SSL_INTERN defined.
 3939      [Steve Henson]
 3940 
 3941   *) A long standing patch to add support for SRP from EdelWeb (Peter
 3942      Sylvester and Christophe Renou) was integrated.
 3943      [Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
 3944      <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
 3945      Ben Laurie]
 3946 
 3947   *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
 3948      [Steve Henson]
 3949 
 3950   *) Permit abbreviated handshakes when renegotiating using the function
 3951      SSL_renegotiate_abbreviated().
 3952      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3953 
 3954   *) Add call to ENGINE_register_all_complete() to
 3955      ENGINE_load_builtin_engines(), so some implementations get used
 3956      automatically instead of needing explicit application support.
 3957      [Steve Henson]
 3958 
 3959   *) Add support for TLS key exporter as described in RFC5705.
 3960      [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson]
 3961 
 3962   *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
 3963      a few changes are required:
 3964 
 3965        Add SSL_OP_NO_TLSv1_1 flag.
 3966        Add TLSv1_1 methods.
 3967        Update version checking logic to handle version 1.1.
 3968        Add explicit IV handling (ported from DTLS code).
 3969        Add command line options to s_client/s_server.
 3970      [Steve Henson]
 3971 
 3972  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
 3973 
 3974   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
 3975      in CMS and PKCS7 code. When RSA decryption fails use a random key for
 3976      content decryption and always return the same error. Note: this attack
 3977      needs on average 2^20 messages so it only affects automated senders. The
 3978      old behaviour can be re-enabled in the CMS code by setting the
 3979      CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
 3980      an MMA defence is not necessary.
 3981      Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
 3982      this issue. (CVE-2012-0884)
 3983      [Steve Henson]
 3984 
 3985   *) Fix CVE-2011-4619: make sure we really are receiving a
 3986      client hello before rejecting multiple SGC restarts. Thanks to
 3987      Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
 3988      [Steve Henson]
 3989 
 3990  Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
 3991 
 3992   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
 3993      Thanks to Antonio Martin, Enterprise Secure Access Research and
 3994      Development, Cisco Systems, Inc. for discovering this bug and
 3995      preparing a fix. (CVE-2012-0050)
 3996      [Antonio Martin]
 3997 
 3998  Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
 3999 
 4000   *) Nadhem Alfardan and Kenny Paterson have discovered an extension
 4001      of the Vaudenay padding oracle attack on CBC mode encryption
 4002      which enables an efficient plaintext recovery attack against
 4003      the OpenSSL implementation of DTLS. Their attack exploits timing
 4004      differences arising during decryption processing. A research
 4005      paper describing this attack can be found at:
 4006                   http://www.isg.rhul.ac.uk/~kp/dtls.pdf
 4007      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
 4008      Security Group at Royal Holloway, University of London
 4009      (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
 4010      <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
 4011      for preparing the fix. (CVE-2011-4108)
 4012      [Robin Seggelmann, Michael Tuexen]
 4013 
 4014   *) Clear bytes used for block padding of SSL 3.0 records.
 4015      (CVE-2011-4576)
 4016      [Adam Langley (Google)]
 4017 
 4018   *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
 4019      Kadianakis <desnacked@gmail.com> for discovering this issue and
 4020      Adam Langley for preparing the fix. (CVE-2011-4619)
 4021      [Adam Langley (Google)]
 4022 
 4023   *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
 4024      [Andrey Kulikov <amdeich@gmail.com>]
 4025 
 4026   *) Prevent malformed RFC3779 data triggering an assertion failure.
 4027      Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
 4028      and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
 4029      [Rob Austein <sra@hactrn.net>]
 4030 
 4031   *) Improved PRNG seeding for VOS.
 4032      [Paul Green <Paul.Green@stratus.com>]
 4033 
 4034   *) Fix ssl_ciph.c set-up race.
 4035      [Adam Langley (Google)]
 4036 
 4037   *) Fix spurious failures in ecdsatest.c.
 4038      [Emilia Käsper (Google)]
 4039 
 4040   *) Fix the BIO_f_buffer() implementation (which was mixing different
 4041      interpretations of the '..._len' fields).
 4042      [Adam Langley (Google)]
 4043 
 4044   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
 4045      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
 4046      threads won't reuse the same blinding coefficients.
 4047 
 4048      This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
 4049      lock to call BN_BLINDING_invert_ex, and avoids one use of
 4050      BN_BLINDING_update for each BN_BLINDING structure (previously,
 4051      the last update always remained unused).
 4052      [Emilia Käsper (Google)]
 4053 
 4054   *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
 4055      [Bob Buckholz (Google)]
 4056 
 4057  Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
 4058 
 4059   *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
 4060      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
 4061      [Kaspar Brand <ossl@velox.ch>]
 4062 
 4063   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
 4064      for multi-threaded use of ECDH. (CVE-2011-3210)
 4065      [Adam Langley (Google)]
 4066 
 4067   *) Fix x509_name_ex_d2i memory leak on bad inputs.
 4068      [Bodo Moeller]
 4069 
 4070   *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
 4071      signature public key algorithm by using OID xref utilities instead.
 4072      Before this you could only use some ECC ciphersuites with SHA1 only.
 4073      [Steve Henson]
 4074 
 4075   *) Add protection against ECDSA timing attacks as mentioned in the paper
 4076      by Billy Bob Brumley and Nicola Tuveri, see:
 4077 
 4078         http://eprint.iacr.org/2011/232.pdf
 4079 
 4080      [Billy Bob Brumley and Nicola Tuveri]
 4081 
 4082  Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
 4083 
 4084   *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
 4085      [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
 4086 
 4087   *) Fix bug in string printing code: if *any* escaping is enabled we must
 4088      escape the escape character (backslash) or the resulting string is
 4089      ambiguous.
 4090      [Steve Henson]
 4091 
 4092  Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
 4093 
 4094   *) Disable code workaround for ancient and obsolete Netscape browsers
 4095      and servers: an attacker can use it in a ciphersuite downgrade attack.
 4096      Thanks to Martin Rex for discovering this bug. CVE-2010-4180
 4097      [Steve Henson]
 4098 
 4099   *) Fixed J-PAKE implementation error, originally discovered by
 4100      Sebastien Martini, further info and confirmation from Stefan
 4101      Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
 4102      [Ben Laurie]
 4103 
 4104  Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
 4105 
 4106   *) Fix extension code to avoid race conditions which can result in a buffer
 4107      overrun vulnerability: resumed sessions must not be modified as they can
 4108      be shared by multiple threads. CVE-2010-3864
 4109      [Steve Henson]
 4110 
 4111   *) Fix WIN32 build system to correctly link an ENGINE directory into
 4112      a DLL.
 4113      [Steve Henson]
 4114 
 4115  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
 4116 
 4117   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
 4118      (CVE-2010-1633)
 4119      [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
 4120 
 4121  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
 4122 
 4123   *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
 4124      context. The operation can be customised via the ctrl mechanism in
 4125      case ENGINEs want to include additional functionality.
 4126      [Steve Henson]
 4127 
 4128   *) Tolerate yet another broken PKCS#8 key format: private key value negative.
 4129      [Steve Henson]
 4130 
 4131   *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
 4132      output hashes compatible with older versions of OpenSSL.
 4133      [Willy Weisz <weisz@vcpc.univie.ac.at>]
 4134 
 4135   *) Fix compression algorithm handling: if resuming a session use the
 4136      compression algorithm of the resumed session instead of determining
 4137      it from client hello again. Don't allow server to change algorithm.
 4138      [Steve Henson]
 4139 
 4140   *) Add load_crls() function to apps tidying load_certs() too. Add option
 4141      to verify utility to allow additional CRLs to be included.
 4142      [Steve Henson]
 4143 
 4144   *) Update OCSP request code to permit adding custom headers to the request:
 4145      some responders need this.
 4146      [Steve Henson]
 4147 
 4148   *) The function EVP_PKEY_sign() returns <=0 on error: check return code
 4149      correctly.
 4150      [Julia Lawall <julia@diku.dk>]
 4151 
 4152   *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
 4153      needlessly dereferenced structures, used obsolete functions and
 4154      didn't handle all updated verify codes correctly.
 4155      [Steve Henson]
 4156 
 4157   *) Disable MD2 in the default configuration.
 4158      [Steve Henson]
 4159 
 4160   *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
 4161      indicate the initial BIO being pushed or popped. This makes it possible
 4162      to determine whether the BIO is the one explicitly called or as a result
 4163      of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
 4164      it handles reference counts correctly and doesn't zero out the I/O bio
 4165      when it is not being explicitly popped. WARNING: applications which
 4166      included workarounds for the old buggy behaviour will need to be modified
 4167      or they could free up already freed BIOs.
 4168      [Steve Henson]
 4169 
 4170   *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
 4171      renaming to all platforms (within the 0.9.8 branch, this was
 4172      done conditionally on Netware platforms to avoid a name clash).
 4173      [Guenter <lists@gknw.net>]
 4174 
 4175   *) Add ECDHE and PSK support to DTLS.
 4176      [Michael Tuexen <tuexen@fh-muenster.de>]
 4177 
 4178   *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
 4179      be used on C++.
 4180      [Steve Henson]
 4181 
 4182   *) Add "missing" function EVP_MD_flags() (without this the only way to
 4183      retrieve a digest flags is by accessing the structure directly. Update
 4184      EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
 4185      or cipher is registered as in the "from" argument. Print out all
 4186      registered digests in the dgst usage message instead of manually
 4187      attempting to work them out.
 4188      [Steve Henson]
 4189 
 4190   *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
 4191      this allows the use of compression and extensions. Change default cipher
 4192      string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
 4193      by default unless an application cipher string requests it.
 4194      [Steve Henson]
 4195 
 4196   *) Alter match criteria in PKCS12_parse(). It used to try to use local
 4197      key ids to find matching certificates and keys but some PKCS#12 files
 4198      don't follow the (somewhat unwritten) rules and this strategy fails.
 4199      Now just gather all certificates together and the first private key
 4200      then look for the first certificate that matches the key.
 4201      [Steve Henson]
 4202 
 4203   *) Support use of registered digest and cipher names for dgst and cipher
 4204      commands instead of having to add each one as a special case. So now
 4205      you can do:
 4206 
 4207         openssl sha256 foo
 4208 
 4209      as well as:
 4210 
 4211         openssl dgst -sha256 foo
 4212 
 4213      and this works for ENGINE based algorithms too.
 4214 
 4215      [Steve Henson]
 4216 
 4217   *) Update Gost ENGINE to support parameter files.
 4218      [Victor B. Wagner <vitus@cryptocom.ru>]
 4219 
 4220   *) Support GeneralizedTime in ca utility.
 4221      [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
 4222 
 4223   *) Enhance the hash format used for certificate directory links. The new
 4224      form uses the canonical encoding (meaning equivalent names will work
 4225      even if they aren't identical) and uses SHA1 instead of MD5. This form
 4226      is incompatible with the older format and as a result c_rehash should
 4227      be used to rebuild symbolic links.
 4228      [Steve Henson]
 4229 
 4230   *) Make PKCS#8 the default write format for private keys, replacing the
 4231      traditional format. This form is standardised, more secure and doesn't
 4232      include an implicit MD5 dependency.
 4233      [Steve Henson]
 4234 
 4235   *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
 4236      committed to OpenSSL should pass this lot as a minimum.
 4237      [Steve Henson]
 4238 
 4239   *) Add session ticket override functionality for use by EAP-FAST.
 4240      [Jouni Malinen <j@w1.fi>]
 4241 
 4242   *) Modify HMAC functions to return a value. Since these can be implemented
 4243      in an ENGINE errors can occur.
 4244      [Steve Henson]
 4245 
 4246   *) Type-checked OBJ_bsearch_ex.
 4247      [Ben Laurie]
 4248 
 4249   *) Type-checked OBJ_bsearch. Also some constification necessitated
 4250      by type-checking.  Still to come: TXT_DB, bsearch(?),
 4251      OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
 4252      CONF_VALUE.
 4253      [Ben Laurie]
 4254 
 4255   *) New function OPENSSL_gmtime_adj() to add a specific number of days and
 4256      seconds to a tm structure directly, instead of going through OS
 4257      specific date routines. This avoids any issues with OS routines such
 4258      as the year 2038 bug. New *_adj() functions for ASN1 time structures
 4259      and X509_time_adj_ex() to cover the extended range. The existing
 4260      X509_time_adj() is still usable and will no longer have any date issues.
 4261      [Steve Henson]
 4262 
 4263   *) Delta CRL support. New use deltas option which will attempt to locate
 4264      and search any appropriate delta CRLs available.
 4265 
 4266      This work was sponsored by Google.
 4267      [Steve Henson]
 4268 
 4269   *) Support for CRLs partitioned by reason code. Reorganise CRL processing
 4270      code and add additional score elements. Validate alternate CRL paths
 4271      as part of the CRL checking and indicate a new error "CRL path validation
 4272      error" in this case. Applications wanting additional details can use
 4273      the verify callback and check the new "parent" field. If this is not
 4274      NULL CRL path validation is taking place. Existing applications won't
 4275      see this because it requires extended CRL support which is off by
 4276      default.
 4277 
 4278      This work was sponsored by Google.
 4279      [Steve Henson]
 4280 
 4281   *) Support for freshest CRL extension.
 4282 
 4283      This work was sponsored by Google.
 4284      [Steve Henson]
 4285 
 4286   *) Initial indirect CRL support. Currently only supported in the CRLs
 4287      passed directly and not via lookup. Process certificate issuer
 4288      CRL entry extension and lookup CRL entries by bother issuer name
 4289      and serial number. Check and process CRL issuer entry in IDP extension.
 4290 
 4291      This work was sponsored by Google.
 4292      [Steve Henson]
 4293 
 4294   *) Add support for distinct certificate and CRL paths. The CRL issuer
 4295      certificate is validated separately in this case. Only enabled if
 4296      an extended CRL support flag is set: this flag will enable additional
 4297      CRL functionality in future.
 4298 
 4299      This work was sponsored by Google.
 4300      [Steve Henson]
 4301 
 4302   *) Add support for policy mappings extension.
 4303 
 4304      This work was sponsored by Google.
 4305      [Steve Henson]
 4306 
 4307   *) Fixes to pathlength constraint, self issued certificate handling,
 4308      policy processing to align with RFC3280 and PKITS tests.
 4309 
 4310      This work was sponsored by Google.
 4311      [Steve Henson]
 4312 
 4313   *) Support for name constraints certificate extension. DN, email, DNS
 4314      and URI types are currently supported.
 4315 
 4316      This work was sponsored by Google.
 4317      [Steve Henson]
 4318 
 4319   *) To cater for systems that provide a pointer-based thread ID rather
 4320      than numeric, deprecate the current numeric thread ID mechanism and
 4321      replace it with a structure and associated callback type. This
 4322      mechanism allows a numeric "hash" to be extracted from a thread ID in
 4323      either case, and on platforms where pointers are larger than 'long',
 4324      mixing is done to help ensure the numeric 'hash' is usable even if it
 4325      can't be guaranteed unique. The default mechanism is to use "&errno"
 4326      as a pointer-based thread ID to distinguish between threads.
 4327 
 4328      Applications that want to provide their own thread IDs should now use
 4329      CRYPTO_THREADID_set_callback() to register a callback that will call
 4330      either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
 4331 
 4332      Note that ERR_remove_state() is now deprecated, because it is tied
 4333      to the assumption that thread IDs are numeric.  ERR_remove_state(0)
 4334      to free the current thread's error state should be replaced by
 4335      ERR_remove_thread_state(NULL).
 4336 
 4337      (This new approach replaces the functions CRYPTO_set_idptr_callback(),
 4338      CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
 4339      OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
 4340      application was previously providing a numeric thread callback that
 4341      was inappropriate for distinguishing threads, then uniqueness might
 4342      have been obtained with &errno that happened immediately in the
 4343      intermediate development versions of OpenSSL; this is no longer the
 4344      case, the numeric thread callback will now override the automatic use
 4345      of &errno.)
 4346      [Geoff Thorpe, with help from Bodo Moeller]
 4347 
 4348   *) Initial support for different CRL issuing certificates. This covers a
 4349      simple case where the self issued certificates in the chain exist and
 4350      the real CRL issuer is higher in the existing chain.
 4351 
 4352      This work was sponsored by Google.
 4353      [Steve Henson]
 4354 
 4355   *) Removed effectively defunct crypto/store from the build.
 4356      [Ben Laurie]
 4357 
 4358   *) Revamp of STACK to provide stronger type-checking. Still to come:
 4359      TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
 4360      ASN1_STRING, CONF_VALUE.
 4361      [Ben Laurie]
 4362 
 4363   *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
 4364      RAM on SSL connections.  This option can save about 34k per idle SSL.
 4365      [Nick Mathewson]
 4366 
 4367   *) Revamp of LHASH to provide stronger type-checking. Still to come:
 4368      STACK, TXT_DB, bsearch, qsort.
 4369      [Ben Laurie]
 4370 
 4371   *) Initial support for Cryptographic Message Syntax (aka CMS) based
 4372      on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
 4373      support for data, signedData, compressedData, digestedData and
 4374      encryptedData, envelopedData types included. Scripts to check against
 4375      RFC4134 examples draft and interop and consistency checks of many
 4376      content types and variants.
 4377      [Steve Henson]
 4378 
 4379   *) Add options to enc utility to support use of zlib compression BIO.
 4380      [Steve Henson]
 4381 
 4382   *) Extend mk1mf to support importing of options and assembly language
 4383      files from Configure script, currently only included in VC-WIN32.
 4384      The assembly language rules can now optionally generate the source
 4385      files from the associated perl scripts.
 4386      [Steve Henson]
 4387 
 4388   *) Implement remaining functionality needed to support GOST ciphersuites.
 4389      Interop testing has been performed using CryptoPro implementations.
 4390      [Victor B. Wagner <vitus@cryptocom.ru>]
 4391 
 4392   *) s390x assembler pack.
 4393      [Andy Polyakov]
 4394 
 4395   *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
 4396      "family."
 4397      [Andy Polyakov]
 4398 
 4399   *) Implement Opaque PRF Input TLS extension as specified in
 4400      draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
 4401      official specification yet and no extension type assignment by
 4402      IANA exists, this extension (for now) will have to be explicitly
 4403      enabled when building OpenSSL by providing the extension number
 4404      to use.  For example, specify an option
 4405 
 4406          -DTLSEXT_TYPE_opaque_prf_input=0x9527
 4407 
 4408      to the "config" or "Configure" script to enable the extension,
 4409      assuming extension number 0x9527 (which is a completely arbitrary
 4410      and unofficial assignment based on the MD5 hash of the Internet
 4411      Draft).  Note that by doing so, you potentially lose
 4412      interoperability with other TLS implementations since these might
 4413      be using the same extension number for other purposes.
 4414 
 4415      SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
 4416      opaque PRF input value to use in the handshake.  This will create
 4417      an internal copy of the length-'len' string at 'src', and will
 4418      return non-zero for success.
 4419 
 4420      To get more control and flexibility, provide a callback function
 4421      by using
 4422 
 4423           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
 4424           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
 4425 
 4426      where
 4427 
 4428           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
 4429           void *arg;
 4430 
 4431      Callback function 'cb' will be called in handshakes, and is
 4432      expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
 4433      Argument 'arg' is for application purposes (the value as given to
 4434      SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
 4435      be provided to the callback function).  The callback function
 4436      has to return non-zero to report success: usually 1 to use opaque
 4437      PRF input just if possible, or 2 to enforce use of the opaque PRF
 4438      input.  In the latter case, the library will abort the handshake
 4439      if opaque PRF input is not successfully negotiated.
 4440 
 4441      Arguments 'peerinput' and 'len' given to the callback function
 4442      will always be NULL and 0 in the case of a client.  A server will
 4443      see the client's opaque PRF input through these variables if
 4444      available (NULL and 0 otherwise).  Note that if the server
 4445      provides an opaque PRF input, the length must be the same as the
 4446      length of the client's opaque PRF input.
 4447 
 4448      Note that the callback function will only be called when creating
 4449      a new session (session resumption can resume whatever was
 4450      previously negotiated), and will not be called in SSL 2.0
 4451      handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
 4452      SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
 4453      for applications that need to enforce opaque PRF input.
 4454 
 4455      [Bodo Moeller]
 4456 
 4457   *) Update ssl code to support digests other than SHA1+MD5 for handshake
 4458      MAC.
 4459 
 4460      [Victor B. Wagner <vitus@cryptocom.ru>]
 4461 
 4462   *) Add RFC4507 support to OpenSSL. This includes the corrections in
 4463      RFC4507bis. The encrypted ticket format is an encrypted encoded
 4464      SSL_SESSION structure, that way new session features are automatically
 4465      supported.
 4466 
 4467      If a client application caches session in an SSL_SESSION structure
 4468      support is transparent because tickets are now stored in the encoded
 4469      SSL_SESSION.
 4470 
 4471      The SSL_CTX structure automatically generates keys for ticket
 4472      protection in servers so again support should be possible
 4473      with no application modification.
 4474 
 4475      If a client or server wishes to disable RFC4507 support then the option
 4476      SSL_OP_NO_TICKET can be set.
 4477 
 4478      Add a TLS extension debugging callback to allow the contents of any client
 4479      or server extensions to be examined.
 4480 
 4481      This work was sponsored by Google.
 4482      [Steve Henson]
 4483 
 4484   *) Final changes to avoid use of pointer pointer casts in OpenSSL.
 4485      OpenSSL should now compile cleanly on gcc 4.2
 4486      [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]
 4487 
 4488   *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
 4489      support including streaming MAC support: this is required for GOST
 4490      ciphersuite support.
 4491      [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]
 4492 
 4493   *) Add option -stream to use PKCS#7 streaming in smime utility. New
 4494      function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
 4495      to output in BER and PEM format.
 4496      [Steve Henson]
 4497 
 4498   *) Experimental support for use of HMAC via EVP_PKEY interface. This
 4499      allows HMAC to be handled via the EVP_DigestSign*() interface. The
 4500      EVP_PKEY "key" in this case is the HMAC key, potentially allowing
 4501      ENGINE support for HMAC keys which are unextractable. New -mac and
 4502      -macopt options to dgst utility.
 4503      [Steve Henson]
 4504 
 4505   *) New option -sigopt to dgst utility. Update dgst to use
 4506      EVP_Digest{Sign,Verify}*. These two changes make it possible to use
 4507      alternative signing parameters such as X9.31 or PSS in the dgst
 4508      utility.
 4509      [Steve Henson]
 4510 
 4511   *) Change ssl_cipher_apply_rule(), the internal function that does
 4512      the work each time a ciphersuite string requests enabling
 4513      ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
 4514      removing ("!foo+bar") a class of ciphersuites: Now it maintains
 4515      the order of disabled ciphersuites such that those ciphersuites
 4516      that most recently went from enabled to disabled not only stay
 4517      in order with respect to each other, but also have higher priority
 4518      than other disabled ciphersuites the next time ciphersuites are
 4519      enabled again.
 4520 
 4521      This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
 4522      the same ciphersuites as with "HIGH" alone, but in a specific
 4523      order where the PSK ciphersuites come first (since they are the
 4524      most recently disabled ciphersuites when "HIGH" is parsed).
 4525 
 4526      Also, change ssl_create_cipher_list() (using this new
 4527      functionality) such that between otherwise identical
 4528      ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
 4529      the default order.
 4530      [Bodo Moeller]
 4531 
 4532   *) Change ssl_create_cipher_list() so that it automatically
 4533      arranges the ciphersuites in reasonable order before starting
 4534      to process the rule string.  Thus, the definition for "DEFAULT"
 4535      (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
 4536      remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
 4537      This makes it much easier to arrive at a reasonable default order
 4538      in applications for which anonymous ciphers are OK (meaning
 4539      that you can't actually use DEFAULT).
 4540      [Bodo Moeller; suggested by Victor Duchovni]
 4541 
 4542   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
 4543      processing) into multiple integers instead of setting
 4544      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
 4545      "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
 4546      (These masks as well as the individual bit definitions are hidden
 4547      away into the non-exported interface ssl/ssl_locl.h, so this
 4548      change to the definition of the SSL_CIPHER structure shouldn't
 4549      affect applications.)  This give us more bits for each of these
 4550      categories, so there is no longer a need to coagulate AES128 and
 4551      AES256 into a single algorithm bit, and to coagulate Camellia128
 4552      and Camellia256 into a single algorithm bit, which has led to all
 4553      kinds of kludges.
 4554 
 4555      Thus, among other things, the kludge introduced in 0.9.7m and
 4556      0.9.8e for masking out AES256 independently of AES128 or masking
 4557      out Camellia256 independently of AES256 is not needed here in 0.9.9.
 4558 
 4559      With the change, we also introduce new ciphersuite aliases that
 4560      so far were missing: "AES128", "AES256", "CAMELLIA128", and
 4561      "CAMELLIA256".
 4562      [Bodo Moeller]
 4563 
 4564   *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
 4565      Use the leftmost N bytes of the signature input if the input is
 4566      larger than the prime q (with N being the size in bytes of q).
 4567      [Nils Larsch]
 4568 
 4569   *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
 4570      it yet and it is largely untested.
 4571      [Steve Henson]
 4572 
 4573   *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
 4574      [Nils Larsch]
 4575 
 4576   *) Initial incomplete changes to avoid need for function casts in OpenSSL
 4577      some compilers (gcc 4.2 and later) reject their use. Safestack is
 4578      reimplemented.  Update ASN1 to avoid use of legacy functions.
 4579      [Steve Henson]
 4580 
 4581   *) Win32/64 targets are linked with Winsock2.
 4582      [Andy Polyakov]
 4583 
 4584   *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
 4585      to external functions. This can be used to increase CRL handling
 4586      efficiency especially when CRLs are very large by (for example) storing
 4587      the CRL revoked certificates in a database.
 4588      [Steve Henson]
 4589 
 4590   *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
 4591      new CRLs added to a directory can be used. New command line option
 4592      -verify_return_error to s_client and s_server. This causes real errors
 4593      to be returned by the verify callback instead of carrying on no matter
 4594      what. This reflects the way a "real world" verify callback would behave.
 4595      [Steve Henson]
 4596 
 4597   *) GOST engine, supporting several GOST algorithms and public key formats.
 4598      Kindly donated by Cryptocom.
 4599      [Cryptocom]
 4600 
 4601   *) Partial support for Issuing Distribution Point CRL extension. CRLs
 4602      partitioned by DP are handled but no indirect CRL or reason partitioning
 4603      (yet). Complete overhaul of CRL handling: now the most suitable CRL is
 4604      selected via a scoring technique which handles IDP and AKID in CRLs.
 4605      [Steve Henson]
 4606 
 4607   *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
 4608      will ultimately be used for all verify operations: this will remove the
 4609      X509_STORE dependency on certificate verification and allow alternative
 4610      lookup methods.  X509_STORE based implementations of these two callbacks.
 4611      [Steve Henson]
 4612 
 4613   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
 4614      Modify get_crl() to find a valid (unexpired) CRL if possible.
 4615      [Steve Henson]
 4616 
 4617   *) New function X509_CRL_match() to check if two CRLs are identical. Normally
 4618      this would be called X509_CRL_cmp() but that name is already used by
 4619      a function that just compares CRL issuer names. Cache several CRL
 4620      extensions in X509_CRL structure and cache CRLDP in X509.
 4621      [Steve Henson]
 4622 
 4623   *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
 4624      this maps equivalent X509_NAME structures into a consistent structure.
 4625      Name comparison can then be performed rapidly using memcmp().
 4626      [Steve Henson]
 4627 
 4628   *) Non-blocking OCSP request processing. Add -timeout option to ocsp
 4629      utility.
 4630      [Steve Henson]
 4631 
 4632   *) Allow digests to supply their own micalg string for S/MIME type using
 4633      the ctrl EVP_MD_CTRL_MICALG.
 4634      [Steve Henson]
 4635 
 4636   *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
 4637      EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
 4638      ctrl. It can then customise the structure before and/or after signing
 4639      if necessary.
 4640      [Steve Henson]
 4641 
 4642   *) New function OBJ_add_sigid() to allow application defined signature OIDs
 4643      to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
 4644      to free up any added signature OIDs.
 4645      [Steve Henson]
 4646 
 4647   *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
 4648      EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
 4649      digest and cipher tables. New options added to openssl utility:
 4650      list-message-digest-algorithms and list-cipher-algorithms.
 4651      [Steve Henson]
 4652 
 4653   *) Change the array representation of binary polynomials: the list
 4654      of degrees of non-zero coefficients is now terminated with -1.
 4655      Previously it was terminated with 0, which was also part of the
 4656      value; thus, the array representation was not applicable to
 4657      polynomials where t^0 has coefficient zero.  This change makes
 4658      the array representation useful in a more general context.
 4659      [Douglas Stebila]
 4660 
 4661   *) Various modifications and fixes to SSL/TLS cipher string
 4662      handling.  For ECC, the code now distinguishes between fixed ECDH
 4663      with RSA certificates on the one hand and with ECDSA certificates
 4664      on the other hand, since these are separate ciphersuites.  The
 4665      unused code for Fortezza ciphersuites has been removed.
 4666 
 4667      For consistency with EDH, ephemeral ECDH is now called "EECDH"
 4668      (not "ECDHE").  For consistency with the code for DH
 4669      certificates, use of ECDH certificates is now considered ECDH
 4670      authentication, not RSA or ECDSA authentication (the latter is
 4671      merely the CA's signing algorithm and not actively used in the
 4672      protocol).
 4673 
 4674      The temporary ciphersuite alias "ECCdraft" is no longer
 4675      available, and ECC ciphersuites are no longer excluded from "ALL"
 4676      and "DEFAULT".  The following aliases now exist for RFC 4492
 4677      ciphersuites, most of these by analogy with the DH case:
 4678 
 4679          kECDHr   - ECDH cert, signed with RSA
 4680          kECDHe   - ECDH cert, signed with ECDSA
 4681          kECDH    - ECDH cert (signed with either RSA or ECDSA)
 4682          kEECDH   - ephemeral ECDH
 4683          ECDH     - ECDH cert or ephemeral ECDH
 4684 
 4685          aECDH    - ECDH cert
 4686          aECDSA   - ECDSA cert
 4687          ECDSA    - ECDSA cert
 4688 
 4689          AECDH    - anonymous ECDH
 4690          EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
 4691 
 4692      [Bodo Moeller]
 4693 
 4694   *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
 4695      Use correct micalg parameters depending on digest(s) in signed message.
 4696      [Steve Henson]
 4697 
 4698   *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
 4699      an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
 4700      [Steve Henson]
 4701 
 4702   *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
 4703      an engine to register a method. Add ENGINE lookups for methods and
 4704      functional reference processing.
 4705      [Steve Henson]
 4706 
 4707   *) New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of
 4708      EVP_{Sign,Verify}* which allow an application to customise the signature
 4709      process.
 4710      [Steve Henson]
 4711 
 4712   *) New -resign option to smime utility. This adds one or more signers
 4713      to an existing PKCS#7 signedData structure. Also -md option to use an
 4714      alternative message digest algorithm for signing.
 4715      [Steve Henson]
 4716 
 4717   *) Tidy up PKCS#7 routines and add new functions to make it easier to
 4718      create PKCS7 structures containing multiple signers. Update smime
 4719      application to support multiple signers.
 4720      [Steve Henson]
 4721 
 4722   *) New -macalg option to pkcs12 utility to allow setting of an alternative
 4723      digest MAC.
 4724      [Steve Henson]
 4725 
 4726   *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
 4727      Reorganize PBE internals to lookup from a static table using NIDs,
 4728      add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
 4729      EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
 4730      PRF which will be automatically used with PBES2.
 4731      [Steve Henson]
 4732 
 4733   *) Replace the algorithm specific calls to generate keys in "req" with the
 4734      new API.
 4735      [Steve Henson]
 4736 
 4737   *) Update PKCS#7 enveloped data routines to use new API. This is now
 4738      supported by any public key method supporting the encrypt operation. A
 4739      ctrl is added to allow the public key algorithm to examine or modify
 4740      the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
 4741      a no op.
 4742      [Steve Henson]
 4743 
 4744   *) Add a ctrl to asn1 method to allow a public key algorithm to express
 4745      a default digest type to use. In most cases this will be SHA1 but some
 4746      algorithms (such as GOST) need to specify an alternative digest. The
 4747      return value indicates how strong the preference is 1 means optional and
 4748      2 is mandatory (that is it is the only supported type). Modify
 4749      ASN1_item_sign() to accept a NULL digest argument to indicate it should
 4750      use the default md. Update openssl utilities to use the default digest
 4751      type for signing if it is not explicitly indicated.
 4752      [Steve Henson]
 4753 
 4754   *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
 4755      EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
 4756      signing method from the key type. This effectively removes the link
 4757      between digests and public key types.
 4758      [Steve Henson]
 4759 
 4760   *) Add an OID cross reference table and utility functions. Its purpose is to
 4761      translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
 4762      rsaEncryption. This will allow some of the algorithm specific hackery
 4763      needed to use the correct OID to be removed.
 4764      [Steve Henson]
 4765 
 4766   *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
 4767      structures for PKCS7_sign(). They are now set up by the relevant public
 4768      key ASN1 method.
 4769      [Steve Henson]
 4770 
 4771   *) Add provisional EC pkey method with support for ECDSA and ECDH.
 4772      [Steve Henson]
 4773 
 4774   *) Add support for key derivation (agreement) in the API, DH method and
 4775      pkeyutl.
 4776      [Steve Henson]
 4777 
 4778   *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
 4779      public and private key formats. As a side effect these add additional
 4780      command line functionality not previously available: DSA signatures can be
 4781      generated and verified using pkeyutl and DH key support and generation in
 4782      pkey, genpkey.
 4783      [Steve Henson]
 4784 
 4785   *) BeOS support.
 4786      [Oliver Tappe <zooey@hirschkaefer.de>]
 4787 
 4788   *) New make target "install_html_docs" installs HTML renditions of the
 4789      manual pages.
 4790      [Oliver Tappe <zooey@hirschkaefer.de>]
 4791 
 4792   *) New utility "genpkey" this is analogous to "genrsa" etc except it can
 4793      generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
 4794      support key and parameter generation and add initial key generation
 4795      functionality for RSA.
 4796      [Steve Henson]
 4797 
 4798   *) Add functions for main EVP_PKEY_method operations. The undocumented
 4799      functions EVP_PKEY_{encrypt,decrypt} have been renamed to
 4800      EVP_PKEY_{encrypt,decrypt}_old.
 4801      [Steve Henson]
 4802 
 4803   *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
 4804      key API, doesn't do much yet.
 4805      [Steve Henson]
 4806 
 4807   *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
 4808      public key algorithms. New option to openssl utility:
 4809      "list-public-key-algorithms" to print out info.
 4810      [Steve Henson]
 4811 
 4812   *) Implement the Supported Elliptic Curves Extension for
 4813      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
 4814      [Douglas Stebila]
 4815 
 4816   *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
 4817      EVP_CIPHER structures to avoid later problems in EVP_cleanup().
 4818      [Steve Henson]
 4819 
 4820   *) New utilities pkey and pkeyparam. These are similar to algorithm specific
 4821      utilities such as rsa, dsa, dsaparam etc except they process any key
 4822      type.
 4823      [Steve Henson]
 4824 
 4825   *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
 4826      functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
 4827      EVP_PKEY_print_param() to print public key data from an EVP_PKEY
 4828      structure.
 4829      [Steve Henson]
 4830 
 4831   *) Initial support for pluggable public key ASN1.
 4832      De-spaghettify the public key ASN1 handling. Move public and private
 4833      key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
 4834      algorithm specific handling to a single module within the relevant
 4835      algorithm directory. Add functions to allow (near) opaque processing
 4836      of public and private key structures.
 4837      [Steve Henson]
 4838 
 4839   *) Implement the Supported Point Formats Extension for
 4840      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
 4841      [Douglas Stebila]
 4842 
 4843   *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
 4844      for the psk identity [hint] and the psk callback functions to the
 4845      SSL_SESSION, SSL and SSL_CTX structure.
 4846 
 4847      New ciphersuites:
 4848          PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
 4849          PSK-AES256-CBC-SHA
 4850 
 4851      New functions:
 4852          SSL_CTX_use_psk_identity_hint
 4853          SSL_get_psk_identity_hint
 4854          SSL_get_psk_identity
 4855          SSL_use_psk_identity_hint
 4856 
 4857      [Mika Kousa and Pasi Eronen of Nokia Corporation]
 4858 
 4859   *) Add RFC 3161 compliant time stamp request creation, response generation
 4860      and response verification functionality.
 4861      [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
 4862 
 4863   *) Add initial support for TLS extensions, specifically for the server_name
 4864      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
 4865      have new members for a host name.  The SSL data structure has an
 4866      additional member SSL_CTX *initial_ctx so that new sessions can be
 4867      stored in that context to allow for session resumption, even after the
 4868      SSL has been switched to a new SSL_CTX in reaction to a client's
 4869      server_name extension.
 4870 
 4871      New functions (subject to change):
 4872 
 4873          SSL_get_servername()
 4874          SSL_get_servername_type()
 4875          SSL_set_SSL_CTX()
 4876 
 4877      New CTRL codes and macros (subject to change):
 4878 
 4879          SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
 4880                                  - SSL_CTX_set_tlsext_servername_callback()
 4881          SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
 4882                                       - SSL_CTX_set_tlsext_servername_arg()
 4883          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
 4884 
 4885      openssl s_client has a new '-servername ...' option.
 4886 
 4887      openssl s_server has new options '-servername_host ...', '-cert2 ...',
 4888      '-key2 ...', '-servername_fatal' (subject to change).  This allows
 4889      testing the HostName extension for a specific single host name ('-cert'
 4890      and '-key' remain fallbacks for handshakes without HostName
 4891      negotiation).  If the unrecognized_name alert has to be sent, this by
 4892      default is a warning; it becomes fatal with the '-servername_fatal'
 4893      option.
 4894 
 4895      [Peter Sylvester,  Remy Allais, Christophe Renou]
 4896 
 4897   *) Whirlpool hash implementation is added.
 4898      [Andy Polyakov]
 4899 
 4900   *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
 4901      bn(64,32). Because of instruction set limitations it doesn't have
 4902      any negative impact on performance. This was done mostly in order
 4903      to make it possible to share assembler modules, such as bn_mul_mont
 4904      implementations, between 32- and 64-bit builds without hassle.
 4905      [Andy Polyakov]
 4906 
 4907   *) Move code previously exiled into file crypto/ec/ec2_smpt.c
 4908      to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
 4909      macro.
 4910      [Bodo Moeller]
 4911 
 4912   *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
 4913      dedicated Montgomery multiplication procedure, is introduced.
 4914      BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
 4915      "64-bit" performance on certain 32-bit targets.
 4916      [Andy Polyakov]
 4917 
 4918   *) New option SSL_OP_NO_COMP to disable use of compression selectively
 4919      in SSL structures. New SSL ctrl to set maximum send fragment size.
 4920      Save memory by setting the I/O buffer sizes dynamically instead of
 4921      using the maximum available value.
 4922      [Steve Henson]
 4923 
 4924   *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
 4925      in addition to the text details.
 4926      [Bodo Moeller]
 4927 
 4928   *) Very, very preliminary EXPERIMENTAL support for printing of general
 4929      ASN1 structures. This currently produces rather ugly output and doesn't
 4930      handle several customised structures at all.
 4931      [Steve Henson]
 4932 
 4933   *) Integrated support for PVK file format and some related formats such
 4934      as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
 4935      these in the 'rsa' and 'dsa' utilities.
 4936      [Steve Henson]
 4937 
 4938   *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
 4939      [Steve Henson]
 4940 
 4941   *) Remove the ancient ASN1_METHOD code. This was only ever used in one
 4942      place for the (very old) "NETSCAPE" format certificates which are now
 4943      handled using new ASN1 code equivalents.
 4944      [Steve Henson]
 4945 
 4946   *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
 4947      pointer and make the SSL_METHOD parameter in SSL_CTX_new,
 4948      SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
 4949      [Nils Larsch]
 4950 
 4951   *) Modify CRL distribution points extension code to print out previously
 4952      unsupported fields. Enhance extension setting code to allow setting of
 4953      all fields.
 4954      [Steve Henson]
 4955 
 4956   *) Add print and set support for Issuing Distribution Point CRL extension.
 4957      [Steve Henson]
 4958 
 4959   *) Change 'Configure' script to enable Camellia by default.
 4960      [NTT]
 4961 
 4962  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 4963 
 4964   *) When rejecting SSL/TLS records due to an incorrect version number, never
 4965      update s->server with a new major version number.  As of
 4966      - OpenSSL 0.9.8m if 'short' is a 16-bit type,
 4967      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
 4968      the previous behavior could result in a read attempt at NULL when
 4969      receiving specific incorrect SSL/TLS records once record payload
 4970      protection is active.  (CVE-2010-0740)
 4971      [Bodo Moeller, Adam Langley <agl@chromium.org>]
 4972 
 4973   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
 4974      could be crashed if the relevant tables were not present (e.g. chrooted).
 4975      [Tomas Hoger <thoger@redhat.com>]
 4976 
 4977  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
 4978 
 4979   *) Always check bn_wexpand() return values for failure.  (CVE-2009-3245)
 4980      [Martin Olsson, Neel Mehta]
 4981 
 4982   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
 4983      accommodate for stack sorting, always a write lock!).
 4984      [Bodo Moeller]
 4985 
 4986   *) On some versions of WIN32 Heap32Next is very slow. This can cause
 4987      excessive delays in the RAND_poll(): over a minute. As a workaround
 4988      include a time check in the inner Heap32Next loop too.
 4989      [Steve Henson]
 4990 
 4991   *) The code that handled flushing of data in SSL/TLS originally used the
 4992      BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
 4993      the problem outlined in PR#1949. The fix suggested there however can
 4994      trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
 4995      of Apache). So instead simplify the code to flush unconditionally.
 4996      This should be fine since flushing with no data to flush is a no op.
 4997      [Steve Henson]
 4998 
 4999   *) Handle TLS versions 2.0 and later properly and correctly use the
 5000      highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
 5001      off ancient servers have a habit of sticking around for a while...
 5002      [Steve Henson]
 5003 
 5004   *) Modify compression code so it frees up structures without using the
 5005      ex_data callbacks. This works around a problem where some applications
 5006      call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
 5007      restarting) then use compression (e.g. SSL with compression) later.
 5008      This results in significant per-connection memory leaks and
 5009      has caused some security issues including CVE-2008-1678 and
 5010      CVE-2009-4355.
 5011      [Steve Henson]
 5012 
 5013   *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
 5014      change when encrypting or decrypting.
 5015      [Bodo Moeller]
 5016 
 5017   *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
 5018      connect and renegotiate with servers which do not support RI.
 5019      Until RI is more widely deployed this option is enabled by default.
 5020      [Steve Henson]
 5021 
 5022   *) Add "missing" ssl ctrls to clear options and mode.
 5023      [Steve Henson]
 5024 
 5025   *) If client attempts to renegotiate and doesn't support RI respond with
 5026      a no_renegotiation alert as required by RFC5746.  Some renegotiating
 5027      TLS clients will continue a connection gracefully when they receive
 5028      the alert. Unfortunately OpenSSL mishandled this alert and would hang
 5029      waiting for a server hello which it will never receive. Now we treat a
 5030      received no_renegotiation alert as a fatal error. This is because
 5031      applications requesting a renegotiation might well expect it to succeed
 5032      and would have no code in place to handle the server denying it so the
 5033      only safe thing to do is to terminate the connection.
 5034      [Steve Henson]
 5035 
 5036   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
 5037      peer supports secure renegotiation and 0 otherwise. Print out peer
 5038      renegotiation support in s_client/s_server.
 5039      [Steve Henson]
 5040 
 5041   *) Replace the highly broken and deprecated SPKAC certification method with
 5042      the updated NID creation version. This should correctly handle UTF8.
 5043      [Steve Henson]
 5044 
 5045   *) Implement RFC5746. Re-enable renegotiation but require the extension
 5046      as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 5047      turns out to be a bad idea. It has been replaced by
 5048      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
 5049      SSL_CTX_set_options(). This is really not recommended unless you
 5050      know what you are doing.
 5051      [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
 5052 
 5053   *) Fixes to stateless session resumption handling. Use initial_ctx when
 5054      issuing and attempting to decrypt tickets in case it has changed during
 5055      servername handling. Use a non-zero length session ID when attempting
 5056      stateless session resumption: this makes it possible to determine if
 5057      a resumption has occurred immediately after receiving server hello
 5058      (several places in OpenSSL subtly assume this) instead of later in
 5059      the handshake.
 5060      [Steve Henson]
 5061 
 5062   *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
 5063      CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
 5064      fixes for a few places where the return code is not checked
 5065      correctly.
 5066      [Julia Lawall <julia@diku.dk>]
 5067 
 5068   *) Add --strict-warnings option to Configure script to include devteam
 5069      warnings in other configurations.
 5070      [Steve Henson]
 5071 
 5072   *) Add support for --libdir option and LIBDIR variable in makefiles. This
 5073      makes it possible to install openssl libraries in locations which
 5074      have names other than "lib", for example "/usr/lib64" which some
 5075      systems need.
 5076      [Steve Henson, based on patch from Jeremy Utley]
 5077 
 5078   *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
 5079      X690 8.9.12 and can produce some misleading textual output of OIDs.
 5080      [Steve Henson, reported by Dan Kaminsky]
 5081 
 5082   *) Delete MD2 from algorithm tables. This follows the recommendation in
 5083      several standards that it is not used in new applications due to
 5084      several cryptographic weaknesses. For binary compatibility reasons
 5085      the MD2 API is still compiled in by default.
 5086      [Steve Henson]
 5087 
 5088   *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
 5089      and restored.
 5090      [Steve Henson]
 5091 
 5092   *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
 5093      OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
 5094      clash.
 5095      [Guenter <lists@gknw.net>]
 5096 
 5097   *) Fix the server certificate chain building code to use X509_verify_cert(),
 5098      it used to have an ad-hoc builder which was unable to cope with anything
 5099      other than a simple chain.
 5100      [David Woodhouse <dwmw2@infradead.org>, Steve Henson]
 5101 
 5102   *) Don't check self signed certificate signatures in X509_verify_cert()
 5103      by default (a flag can override this): it just wastes time without
 5104      adding any security. As a useful side effect self signed root CAs
 5105      with non-FIPS digests are now usable in FIPS mode.
 5106      [Steve Henson]
 5107 
 5108   *) In dtls1_process_out_of_seq_message() the check if the current message
 5109      is already buffered was missing. For every new message was memory
 5110      allocated, allowing an attacker to perform an denial of service attack
 5111      with sending out of seq handshake messages until there is no memory
 5112      left. Additionally every future message was buffered, even if the
 5113      sequence number made no sense and would be part of another handshake.
 5114      So only messages with sequence numbers less than 10 in advance will be
 5115      buffered.  (CVE-2009-1378)
 5116      [Robin Seggelmann, discovered by Daniel Mentz]
 5117 
 5118   *) Records are buffered if they arrive with a future epoch to be
 5119      processed after finishing the corresponding handshake. There is
 5120      currently no limitation to this buffer allowing an attacker to perform
 5121      a DOS attack with sending records with future epochs until there is no
 5122      memory left. This patch adds the pqueue_size() function to determine
 5123      the size of a buffer and limits the record buffer to 100 entries.
 5124      (CVE-2009-1377)
 5125      [Robin Seggelmann, discovered by Daniel Mentz]
 5126 
 5127   *) Keep a copy of frag->msg_header.frag_len so it can be used after the
 5128      parent structure is freed.  (CVE-2009-1379)
 5129      [Daniel Mentz]
 5130 
 5131   *) Handle non-blocking I/O properly in SSL_shutdown() call.
 5132      [Darryl Miles <darryl-mailinglists@netbauds.net>]
 5133 
 5134   *) Add 2.5.4.* OIDs
 5135      [Ilya O. <vrghost@gmail.com>]
 5136 
 5137  Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
 5138 
 5139   *) Disable renegotiation completely - this fixes a severe security
 5140      problem (CVE-2009-3555) at the cost of breaking all
 5141      renegotiation. Renegotiation can be re-enabled by setting
 5142      SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
 5143      run-time. This is really not recommended unless you know what
 5144      you're doing.
 5145      [Ben Laurie]
 5146 
 5147  Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
 5148 
 5149   *) Don't set val to NULL when freeing up structures, it is freed up by
 5150      underlying code. If sizeof(void *) > sizeof(long) this can result in
 5151      zeroing past the valid field. (CVE-2009-0789)
 5152      [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
 5153 
 5154   *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
 5155      checked correctly. This would allow some invalid signed attributes to
 5156      appear to verify correctly. (CVE-2009-0591)
 5157      [Ivan Nestlerode <inestlerode@us.ibm.com>]
 5158 
 5159   *) Reject UniversalString and BMPString types with invalid lengths. This
 5160      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
 5161      a legal length. (CVE-2009-0590)
 5162      [Steve Henson]
 5163 
 5164   *) Set S/MIME signing as the default purpose rather than setting it
 5165      unconditionally. This allows applications to override it at the store
 5166      level.
 5167      [Steve Henson]
 5168 
 5169   *) Permit restricted recursion of ASN1 strings. This is needed in practice
 5170      to handle some structures.
 5171      [Steve Henson]
 5172 
 5173   *) Improve efficiency of mem_gets: don't search whole buffer each time
 5174      for a '\n'
 5175      [Jeremy Shapiro <jnshapir@us.ibm.com>]
 5176 
 5177   *) New -hex option for openssl rand.
 5178      [Matthieu Herrb]
 5179 
 5180   *) Print out UTF8String and NumericString when parsing ASN1.
 5181      [Steve Henson]
 5182 
 5183   *) Support NumericString type for name components.
 5184      [Steve Henson]
 5185 
 5186   *) Allow CC in the environment to override the automatically chosen
 5187      compiler. Note that nothing is done to ensure flags work with the
 5188      chosen compiler.
 5189      [Ben Laurie]
 5190 
 5191  Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
 5192 
 5193   *) Properly check EVP_VerifyFinal() and similar return values
 5194      (CVE-2008-5077).
 5195      [Ben Laurie, Bodo Moeller, Google Security Team]
 5196 
 5197   *) Enable TLS extensions by default.
 5198      [Ben Laurie]
 5199 
 5200   *) Allow the CHIL engine to be loaded, whether the application is
 5201      multithreaded or not. (This does not release the developer from the
 5202      obligation to set up the dynamic locking callbacks.)
 5203      [Sander Temme <sander@temme.net>]
 5204 
 5205   *) Use correct exit code if there is an error in dgst command.
 5206      [Steve Henson; problem pointed out by Roland Dirlewanger]
 5207 
 5208   *) Tweak Configure so that you need to say "experimental-jpake" to enable
 5209      JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
 5210      [Bodo Moeller]
 5211 
 5212   *) Add experimental JPAKE support, including demo authentication in
 5213      s_client and s_server.
 5214      [Ben Laurie]
 5215 
 5216   *) Set the comparison function in v3_addr_canonize().
 5217      [Rob Austein <sra@hactrn.net>]
 5218 
 5219   *) Add support for XMPP STARTTLS in s_client.
 5220      [Philip Paeps <philip@freebsd.org>]
 5221 
 5222   *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
 5223      to ensure that even with this option, only ciphersuites in the
 5224      server's preference list will be accepted.  (Note that the option
 5225      applies only when resuming a session, so the earlier behavior was
 5226      just about the algorithm choice for symmetric cryptography.)
 5227      [Bodo Moeller]
 5228 
 5229  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
 5230 
 5231   *) Fix NULL pointer dereference if a DTLS server received
 5232      ChangeCipherSpec as first record (CVE-2009-1386).
 5233      [PR #1679]
 5234 
 5235   *) Fix a state transition in s3_srvr.c and d1_srvr.c
 5236      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
 5237      [Nagendra Modadugu]
 5238 
 5239   *) The fix in 0.9.8c that supposedly got rid of unsafe
 5240      double-checked locking was incomplete for RSA blinding,
 5241      addressing just one layer of what turns out to have been
 5242      doubly unsafe triple-checked locking.
 5243 
 5244      So now fix this for real by retiring the MONT_HELPER macro
 5245      in crypto/rsa/rsa_eay.c.
 5246 
 5247      [Bodo Moeller; problem pointed out by Marius Schilder]
 5248 
 5249   *) Various precautionary measures:
 5250 
 5251      - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
 5252 
 5253      - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
 5254        (NB: This would require knowledge of the secret session ticket key
 5255        to exploit, in which case you'd be SOL either way.)
 5256 
 5257      - Change bn_nist.c so that it will properly handle input BIGNUMs
 5258        outside the expected range.
 5259 
 5260      - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
 5261        builds.
 5262 
 5263      [Neel Mehta, Bodo Moeller]
 5264 
 5265   *) Allow engines to be "soft loaded" - i.e. optionally don't die if
 5266      the load fails. Useful for distros.
 5267      [Ben Laurie and the FreeBSD team]
 5268 
 5269   *) Add support for Local Machine Keyset attribute in PKCS#12 files.
 5270      [Steve Henson]
 5271 
 5272   *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
 5273      [Huang Ying]
 5274 
 5275   *) Expand ENGINE to support engine supplied SSL client certificate functions.
 5276 
 5277      This work was sponsored by Logica.
 5278      [Steve Henson]
 5279 
 5280   *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
 5281      keystores. Support for SSL/TLS client authentication too.
 5282      Not compiled unless enable-capieng specified to Configure.
 5283 
 5284      This work was sponsored by Logica.
 5285      [Steve Henson]
 5286 
 5287   *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
 5288      ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
 5289      attribute creation routines such as certificate requests and PKCS#12
 5290      files.
 5291      [Steve Henson]
 5292 
 5293  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
 5294 
 5295   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
 5296      handshake which could lead to a client crash as found using the
 5297      Codenomicon TLS test suite (CVE-2008-1672)
 5298      [Steve Henson, Mark Cox]
 5299 
 5300   *) Fix double free in TLS server name extensions which could lead to
 5301      a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
 5302      [Joe Orton]
 5303 
 5304   *) Clear error queue in SSL_CTX_use_certificate_chain_file()
 5305 
 5306      Clear the error queue to ensure that error entries left from
 5307      older function calls do not interfere with the correct operation.
 5308      [Lutz Jaenicke, Erik de Castro Lopo]
 5309 
 5310   *) Remove root CA certificates of commercial CAs:
 5311 
 5312      The OpenSSL project does not recommend any specific CA and does not
 5313      have any policy with respect to including or excluding any CA.
 5314      Therefore it does not make any sense to ship an arbitrary selection
 5315      of root CA certificates with the OpenSSL software.
 5316      [Lutz Jaenicke]
 5317 
 5318   *) RSA OAEP patches to fix two separate invalid memory reads.
 5319      The first one involves inputs when 'lzero' is greater than
 5320      'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
 5321      before the beginning of from). The second one involves inputs where
 5322      the 'db' section contains nothing but zeroes (there is a one-byte
 5323      invalid read after the end of 'db').
 5324      [Ivan Nestlerode <inestlerode@us.ibm.com>]
 5325 
 5326   *) Partial backport from 0.9.9-dev:
 5327 
 5328      Introduce bn_mul_mont (dedicated Montgomery multiplication
 5329      procedure) as a candidate for BIGNUM assembler implementation.
 5330      While 0.9.9-dev uses assembler for various architectures, only
 5331      x86_64 is available by default here in the 0.9.8 branch, and
 5332      32-bit x86 is available through a compile-time setting.
 5333 
 5334      To try the 32-bit x86 assembler implementation, use Configure
 5335      option "enable-montasm" (which exists only for this backport).
 5336 
 5337      As "enable-montasm" for 32-bit x86 disclaims code stability
 5338      anyway, in this constellation we activate additional code
 5339      backported from 0.9.9-dev for further performance improvements,
 5340      namely BN_from_montgomery_word.  (To enable this otherwise,
 5341      e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
 5342 
 5343      [Andy Polyakov (backport partially by Bodo Moeller)]
 5344 
 5345   *) Add TLS session ticket callback. This allows an application to set
 5346      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
 5347      values. This is useful for key rollover for example where several key
 5348      sets may exist with different names.
 5349      [Steve Henson]
 5350 
 5351   *) Reverse ENGINE-internal logic for caching default ENGINE handles.
 5352      This was broken until now in 0.9.8 releases, such that the only way
 5353      a registered ENGINE could be used (assuming it initialises
 5354      successfully on the host) was to explicitly set it as the default
 5355      for the relevant algorithms. This is in contradiction with 0.9.7
 5356      behaviour and the documentation. With this fix, when an ENGINE is
 5357      registered into a given algorithm's table of implementations, the
 5358      'uptodate' flag is reset so that auto-discovery will be used next
 5359      time a new context for that algorithm attempts to select an
 5360      implementation.
 5361      [Ian Lister (tweaked by Geoff Thorpe)]
 5362 
 5363   *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
 5364      implementation in the following ways:
 5365 
 5366      Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
 5367      hard coded.
 5368 
 5369      Lack of BER streaming support means one pass streaming processing is
 5370      only supported if data is detached: setting the streaming flag is
 5371      ignored for embedded content.
 5372 
 5373      CMS support is disabled by default and must be explicitly enabled
 5374      with the enable-cms configuration option.
 5375      [Steve Henson]
 5376 
 5377   *) Update the GMP engine glue to do direct copies between BIGNUM and
 5378      mpz_t when openssl and GMP use the same limb size. Otherwise the
 5379      existing "conversion via a text string export" trick is still used.
 5380      [Paul Sheer <paulsheer@gmail.com>]
 5381 
 5382   *) Zlib compression BIO. This is a filter BIO which compressed and
 5383      uncompresses any data passed through it.
 5384      [Steve Henson]
 5385 
 5386   *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
 5387      RFC3394 compatible AES key wrapping.
 5388      [Steve Henson]
 5389 
 5390   *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
 5391      sets string data without copying. X509_ALGOR_set0() and
 5392      X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
 5393      data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
 5394      from an X509_ATTRIBUTE structure optionally checking it occurs only
 5395      once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
 5396      data.
 5397      [Steve Henson]
 5398 
 5399   *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
 5400      to get the expected BN_FLG_CONSTTIME behavior.
 5401      [Bodo Moeller (Google)]
 5402 
 5403   *) Netware support:
 5404 
 5405      - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
 5406      - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
 5407      - added some more tests to do_tests.pl
 5408      - fixed RunningProcess usage so that it works with newer LIBC NDKs too
 5409      - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
 5410      - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
 5411        netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
 5412      - various changes to netware.pl to enable gcc-cross builds on Win32
 5413        platform
 5414      - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
 5415      - various changes to fix missing prototype warnings
 5416      - fixed x86nasm.pl to create correct asm files for NASM COFF output
 5417      - added AES, WHIRLPOOL and CPUID assembler code to build files
 5418      - added missing AES assembler make rules to mk1mf.pl
 5419      - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
 5420      [Guenter Knauf <eflash@gmx.net>]
 5421 
 5422   *) Implement certificate status request TLS extension defined in RFC3546.
 5423      A client can set the appropriate parameters and receive the encoded
 5424      OCSP response via a callback. A server can query the supplied parameters
 5425      and set the encoded OCSP response in the callback. Add simplified examples
 5426      to s_client and s_server.
 5427      [Steve Henson]
 5428 
 5429  Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
 5430 
 5431   *) Fix various bugs:
 5432      + Binary incompatibility of ssl_ctx_st structure
 5433      + DTLS interoperation with non-compliant servers
 5434      + Don't call get_session_cb() without proposed session
 5435      + Fix ia64 assembler code
 5436      [Andy Polyakov, Steve Henson]
 5437 
 5438  Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
 5439 
 5440   *) DTLS Handshake overhaul. There were longstanding issues with
 5441      OpenSSL DTLS implementation, which were making it impossible for
 5442      RFC 4347 compliant client to communicate with OpenSSL server.
 5443      Unfortunately just fixing these incompatibilities would "cut off"
 5444      pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
 5445      server keeps tolerating non RFC compliant syntax. The opposite is
 5446      not true, 0.9.8f client can not communicate with earlier server.
 5447      This update even addresses CVE-2007-4995.
 5448      [Andy Polyakov]
 5449 
 5450   *) Changes to avoid need for function casts in OpenSSL: some compilers
 5451      (gcc 4.2 and later) reject their use.
 5452      [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
 5453       Steve Henson]
 5454 
 5455   *) Add RFC4507 support to OpenSSL. This includes the corrections in
 5456      RFC4507bis. The encrypted ticket format is an encrypted encoded
 5457      SSL_SESSION structure, that way new session features are automatically
 5458      supported.
 5459 
 5460      If a client application caches session in an SSL_SESSION structure
 5461      support is transparent because tickets are now stored in the encoded
 5462      SSL_SESSION.
 5463 
 5464      The SSL_CTX structure automatically generates keys for ticket
 5465      protection in servers so again support should be possible
 5466      with no application modification.
 5467 
 5468      If a client or server wishes to disable RFC4507 support then the option
 5469      SSL_OP_NO_TICKET can be set.
 5470 
 5471      Add a TLS extension debugging callback to allow the contents of any client
 5472      or server extensions to be examined.
 5473 
 5474      This work was sponsored by Google.
 5475      [Steve Henson]
 5476 
 5477   *) Add initial support for TLS extensions, specifically for the server_name
 5478      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
 5479      have new members for a host name.  The SSL data structure has an
 5480      additional member SSL_CTX *initial_ctx so that new sessions can be
 5481      stored in that context to allow for session resumption, even after the
 5482      SSL has been switched to a new SSL_CTX in reaction to a client's
 5483      server_name extension.
 5484 
 5485      New functions (subject to change):
 5486 
 5487          SSL_get_servername()
 5488          SSL_get_servername_type()
 5489          SSL_set_SSL_CTX()
 5490 
 5491      New CTRL codes and macros (subject to change):
 5492 
 5493          SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
 5494                                  - SSL_CTX_set_tlsext_servername_callback()
 5495          SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
 5496                                       - SSL_CTX_set_tlsext_servername_arg()
 5497          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
 5498 
 5499      openssl s_client has a new '-servername ...' option.
 5500 
 5501      openssl s_server has new options '-servername_host ...', '-cert2 ...',
 5502      '-key2 ...', '-servername_fatal' (subject to change).  This allows
 5503      testing the HostName extension for a specific single host name ('-cert'
 5504      and '-key' remain fallbacks for handshakes without HostName
 5505      negotiation).  If the unrecognized_name alert has to be sent, this by
 5506      default is a warning; it becomes fatal with the '-servername_fatal'
 5507      option.
 5508 
 5509      [Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson]
 5510 
 5511   *) Add AES and SSE2 assembly language support to VC++ build.
 5512      [Steve Henson]
 5513 
 5514   *) Mitigate attack on final subtraction in Montgomery reduction.
 5515      [Andy Polyakov]
 5516 
 5517   *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
 5518      (which previously caused an internal error).
 5519      [Bodo Moeller]
 5520 
 5521   *) Squeeze another 10% out of IGE mode when in != out.
 5522      [Ben Laurie]
 5523 
 5524   *) AES IGE mode speedup.
 5525      [Dean Gaudet (Google)]
 5526 
 5527   *) Add the Korean symmetric 128-bit cipher SEED (see
 5528      http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
 5529      add SEED ciphersuites from RFC 4162:
 5530 
 5531         TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
 5532         TLS_DHE_DSS_WITH_SEED_CBC_SHA  =  "DHE-DSS-SEED-SHA"
 5533         TLS_DHE_RSA_WITH_SEED_CBC_SHA  =  "DHE-RSA-SEED-SHA"
 5534         TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
 5535 
 5536      To minimize changes between patchlevels in the OpenSSL 0.9.8
 5537      series, SEED remains excluded from compilation unless OpenSSL
 5538      is configured with 'enable-seed'.
 5539      [KISA, Bodo Moeller]
 5540 
 5541   *) Mitigate branch prediction attacks, which can be practical if a
 5542      single processor is shared, allowing a spy process to extract
 5543      information.  For detailed background information, see
 5544      http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
 5545      J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
 5546      and Necessary Software Countermeasures").  The core of the change
 5547      are new versions BN_div_no_branch() and
 5548      BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
 5549      respectively, which are slower, but avoid the security-relevant
 5550      conditional branches.  These are automatically called by BN_div()
 5551      and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
 5552      of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
 5553      remove a conditional branch.
 5554 
 5555      BN_FLG_CONSTTIME is the new name for the previous
 5556      BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
 5557      modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
 5558      in the exponent causes BN_mod_exp_mont() to use the alternative
 5559      implementation in BN_mod_exp_mont_consttime().)  The old name
 5560      remains as a deprecated alias.
 5561 
 5562      Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
 5563      RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
 5564      constant-time implementations for more than just exponentiation.
 5565      Here too the old name is kept as a deprecated alias.
 5566 
 5567      BN_BLINDING_new() will now use BN_dup() for the modulus so that
 5568      the BN_BLINDING structure gets an independent copy of the
 5569      modulus.  This means that the previous "BIGNUM *m" argument to
 5570      BN_BLINDING_new() and to BN_BLINDING_create_param() now
 5571      essentially becomes "const BIGNUM *m", although we can't actually
 5572      change this in the header file before 0.9.9.  It allows
 5573      RSA_setup_blinding() to use BN_with_flags() on the modulus to
 5574      enable BN_FLG_CONSTTIME.
 5575 
 5576      [Matthew D Wood (Intel Corp)]
 5577 
 5578   *) In the SSL/TLS server implementation, be strict about session ID
 5579      context matching (which matters if an application uses a single
 5580      external cache for different purposes).  Previously,
 5581      out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
 5582      set.  This did ensure strict client verification, but meant that,
 5583      with applications using a single external cache for quite
 5584      different requirements, clients could circumvent ciphersuite
 5585      restrictions for a given session ID context by starting a session
 5586      in a different context.
 5587      [Bodo Moeller]
 5588 
 5589   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 5590      a ciphersuite string such as "DEFAULT:RSA" cannot enable
 5591      authentication-only ciphersuites.
 5592      [Bodo Moeller]
 5593 
 5594   *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
 5595      not complete and could lead to a possible single byte overflow
 5596      (CVE-2007-5135) [Ben Laurie]
 5597 
 5598  Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
 5599 
 5600   *) Since AES128 and AES256 (and similarly Camellia128 and
 5601      Camellia256) share a single mask bit in the logic of
 5602      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
 5603      kludge to work properly if AES128 is available and AES256 isn't
 5604      (or if Camellia128 is available and Camellia256 isn't).
 5605      [Victor Duchovni]
 5606 
 5607   *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
 5608      (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
 5609      When a point or a seed is encoded in a BIT STRING, we need to
 5610      prevent the removal of trailing zero bits to get the proper DER
 5611      encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
 5612      of a NamedBitList, for which trailing 0 bits need to be removed.)
 5613      [Bodo Moeller]
 5614 
 5615   *) Have SSL/TLS server implementation tolerate "mismatched" record
 5616      protocol version while receiving ClientHello even if the
 5617      ClientHello is fragmented.  (The server can't insist on the
 5618      particular protocol version it has chosen before the ServerHello
 5619      message has informed the client about his choice.)
 5620      [Bodo Moeller]
 5621 
 5622   *) Add RFC 3779 support.
 5623      [Rob Austein for ARIN, Ben Laurie]
 5624 
 5625   *) Load error codes if they are not already present instead of using a
 5626      static variable. This allows them to be cleanly unloaded and reloaded.
 5627      Improve header file function name parsing.
 5628      [Steve Henson]
 5629 
 5630   *) extend SMTP and IMAP protocol emulation in s_client to use EHLO
 5631      or CAPABILITY handshake as required by RFCs.
 5632      [Goetz Babin-Ebell]
 5633 
 5634  Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
 5635 
 5636   *) Introduce limits to prevent malicious keys being able to
 5637      cause a denial of service.  (CVE-2006-2940)
 5638      [Steve Henson, Bodo Moeller]
 5639 
 5640   *) Fix ASN.1 parsing of certain invalid structures that can result
 5641      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
 5642 
 5643   *) Fix buffer overflow in SSL_get_shared_ciphers() function.
 5644      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
 5645 
 5646   *) Fix SSL client code which could crash if connecting to a
 5647      malicious SSLv2 server.  (CVE-2006-4343)
 5648      [Tavis Ormandy and Will Drewry, Google Security Team]
 5649 
 5650   *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
 5651      match only those.  Before that, "AES256-SHA" would be interpreted
 5652      as a pattern and match "AES128-SHA" too (since AES128-SHA got
 5653      the same strength classification in 0.9.7h) as we currently only
 5654      have a single AES bit in the ciphersuite description bitmap.
 5655      That change, however, also applied to ciphersuite strings such as
 5656      "RC4-MD5" that intentionally matched multiple ciphersuites --
 5657      namely, SSL 2.0 ciphersuites in addition to the more common ones
 5658      from SSL 3.0/TLS 1.0.
 5659 
 5660      So we change the selection algorithm again: Naming an explicit
 5661      ciphersuite selects this one ciphersuite, and any other similar
 5662      ciphersuite (same bitmap) from *other* protocol versions.
 5663      Thus, "RC4-MD5" again will properly select both the SSL 2.0
 5664      ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
 5665 
 5666      Since SSL 2.0 does not have any ciphersuites for which the
 5667      128/256 bit distinction would be relevant, this works for now.
 5668      The proper fix will be to use different bits for AES128 and
 5669      AES256, which would have avoided the problems from the beginning;
 5670      however, bits are scarce, so we can only do this in a new release
 5671      (not just a patchlevel) when we can change the SSL_CIPHER
 5672      definition to split the single 'unsigned long mask' bitmap into
 5673      multiple values to extend the available space.
 5674 
 5675      [Bodo Moeller]
 5676 
 5677  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
 5678 
 5679   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
 5680      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 5681 
 5682   *) Add AES IGE and biIGE modes.
 5683      [Ben Laurie]
 5684 
 5685   *) Change the Unix randomness entropy gathering to use poll() when
 5686      possible instead of select(), since the latter has some
 5687      undesirable limitations.
 5688      [Darryl Miles via Richard Levitte and Bodo Moeller]
 5689 
 5690   *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
 5691      treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
 5692      cannot be implicitly activated as part of, e.g., the "AES" alias.
 5693      However, please upgrade to OpenSSL 0.9.9[-dev] for
 5694      non-experimental use of the ECC ciphersuites to get TLS extension
 5695      support, which is required for curve and point format negotiation
 5696      to avoid potential handshake problems.
 5697      [Bodo Moeller]
 5698 
 5699   *) Disable rogue ciphersuites:
 5700 
 5701       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
 5702       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
 5703       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
 5704 
 5705      The latter two were purportedly from
 5706      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
 5707      appear there.
 5708 
 5709      Also deactivate the remaining ciphersuites from
 5710      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
 5711      unofficial, and the ID has long expired.
 5712      [Bodo Moeller]
 5713 
 5714   *) Fix RSA blinding Heisenbug (problems sometimes occurred on
 5715      dual-core machines) and other potential thread-safety issues.
 5716      [Bodo Moeller]
 5717 
 5718   *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
 5719      versions), which is now available for royalty-free use
 5720      (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
 5721      Also, add Camellia TLS ciphersuites from RFC 4132.
 5722 
 5723      To minimize changes between patchlevels in the OpenSSL 0.9.8
 5724      series, Camellia remains excluded from compilation unless OpenSSL
 5725      is configured with 'enable-camellia'.
 5726      [NTT]
 5727 
 5728   *) Disable the padding bug check when compression is in use. The padding
 5729      bug check assumes the first packet is of even length, this is not
 5730      necessarily true if compression is enabled and can result in false
 5731      positives causing handshake failure. The actual bug test is ancient
 5732      code so it is hoped that implementations will either have fixed it by
 5733      now or any which still have the bug do not support compression.
 5734      [Steve Henson]
 5735 
 5736  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
 5737 
 5738   *) When applying a cipher rule check to see if string match is an explicit
 5739      cipher suite and only match that one cipher suite if it is.
 5740      [Steve Henson]
 5741 
 5742   *) Link in manifests for VC++ if needed.
 5743      [Austin Ziegler <halostatue@gmail.com>]
 5744 
 5745   *) Update support for ECC-based TLS ciphersuites according to
 5746      draft-ietf-tls-ecc-12.txt with proposed changes (but without
 5747      TLS extensions, which are supported starting with the 0.9.9
 5748      branch, not in the OpenSSL 0.9.8 branch).
 5749      [Douglas Stebila]
 5750 
 5751   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
 5752      opaque EVP_CIPHER_CTX handling.
 5753      [Steve Henson]
 5754 
 5755   *) Fixes and enhancements to zlib compression code. We now only use
 5756      "zlib1.dll" and use the default __cdecl calling convention on Win32
 5757      to conform with the standards mentioned here:
 5758            http://www.zlib.net/DLL_FAQ.txt
 5759      Static zlib linking now works on Windows and the new --with-zlib-include
 5760      --with-zlib-lib options to Configure can be used to supply the location
 5761      of the headers and library. Gracefully handle case where zlib library
 5762      can't be loaded.
 5763      [Steve Henson]
 5764 
 5765   *) Several fixes and enhancements to the OID generation code. The old code
 5766      sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
 5767      handle numbers larger than ULONG_MAX, truncated printing and had a
 5768      non standard OBJ_obj2txt() behaviour.
 5769      [Steve Henson]
 5770 
 5771   *) Add support for building of engines under engine/ as shared libraries
 5772      under VC++ build system.
 5773      [Steve Henson]
 5774 
 5775   *) Corrected the numerous bugs in the Win32 path splitter in DSO.
 5776      Hopefully, we will not see any false combination of paths any more.
 5777      [Richard Levitte]
 5778 
 5779  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
 5780 
 5781   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
 5782      (part of SSL_OP_ALL).  This option used to disable the
 5783      countermeasure against man-in-the-middle protocol-version
 5784      rollback in the SSL 2.0 server implementation, which is a bad
 5785      idea.  (CVE-2005-2969)
 5786 
 5787      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
 5788      for Information Security, National Institute of Advanced Industrial
 5789      Science and Technology [AIST], Japan)]
 5790 
 5791   *) Add two function to clear and return the verify parameter flags.
 5792      [Steve Henson]
 5793 
 5794   *) Keep cipherlists sorted in the source instead of sorting them at
 5795      runtime, thus removing the need for a lock.
 5796      [Nils Larsch]
 5797 
 5798   *) Avoid some small subgroup attacks in Diffie-Hellman.
 5799      [Nick Mathewson and Ben Laurie]
 5800 
 5801   *) Add functions for well-known primes.
 5802      [Nick Mathewson]
 5803 
 5804   *) Extended Windows CE support.
 5805      [Satoshi Nakamura and Andy Polyakov]
 5806 
 5807   *) Initialize SSL_METHOD structures at compile time instead of during
 5808      runtime, thus removing the need for a lock.
 5809      [Steve Henson]
 5810 
 5811   *) Make PKCS7_decrypt() work even if no certificate is supplied by
 5812      attempting to decrypt each encrypted key in turn. Add support to
 5813      smime utility.
 5814      [Steve Henson]
 5815 
 5816  Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
 5817 
 5818   [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
 5819   OpenSSL 0.9.8.]
 5820 
 5821   *) Add libcrypto.pc and libssl.pc for those who feel they need them.
 5822      [Richard Levitte]
 5823 
 5824   *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
 5825      key into the same file any more.
 5826      [Richard Levitte]
 5827 
 5828   *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
 5829      [Andy Polyakov]
 5830 
 5831   *) Add -utf8 command line and config file option to 'ca'.
 5832      [Stefan <stf@udoma.org]
 5833 
 5834   *) Removed the macro des_crypt(), as it seems to conflict with some
 5835      libraries.  Use DES_crypt().
 5836      [Richard Levitte]
 5837 
 5838   *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
 5839      involves renaming the source and generated shared-libs for
 5840      both. The engines will accept the corrected or legacy ids
 5841      ('ncipher' and '4758_cca' respectively) when binding. NB,
 5842      this only applies when building 'shared'.
 5843      [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
 5844 
 5845   *) Add attribute functions to EVP_PKEY structure. Modify
 5846      PKCS12_create() to recognize a CSP name attribute and
 5847      use it. Make -CSP option work again in pkcs12 utility.
 5848      [Steve Henson]
 5849 
 5850   *) Add new functionality to the bn blinding code:
 5851      - automatic re-creation of the BN_BLINDING parameters after
 5852        a fixed number of uses (currently 32)
 5853      - add new function for parameter creation
 5854      - introduce flags to control the update behaviour of the
 5855        BN_BLINDING parameters
 5856      - hide BN_BLINDING structure
 5857      Add a second BN_BLINDING slot to the RSA structure to improve
 5858      performance when a single RSA object is shared among several
 5859      threads.
 5860      [Nils Larsch]
 5861 
 5862   *) Add support for DTLS.
 5863      [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
 5864 
 5865   *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
 5866      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
 5867      [Walter Goulet]
 5868 
 5869   *) Remove buggy and incomplete DH cert support from
 5870      ssl/ssl_rsa.c and ssl/s3_both.c
 5871      [Nils Larsch]
 5872 
 5873   *) Use SHA-1 instead of MD5 as the default digest algorithm for
 5874      the apps/openssl applications.
 5875      [Nils Larsch]
 5876 
 5877   *) Compile clean with "-Wall -Wmissing-prototypes
 5878      -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
 5879      DEBUG_SAFESTACK must also be set.
 5880      [Ben Laurie]
 5881 
 5882   *) Change ./Configure so that certain algorithms can be disabled by default.
 5883      The new counterpiece to "no-xxx" is "enable-xxx".
 5884 
 5885      The patented RC5 and MDC2 algorithms will now be disabled unless
 5886      "enable-rc5" and "enable-mdc2", respectively, are specified.
 5887 
 5888      (IDEA remains enabled despite being patented.  This is because IDEA
 5889      is frequently required for interoperability, and there is no license
 5890      fee for non-commercial use.  As before, "no-idea" can be used to
 5891      avoid this algorithm.)
 5892 
 5893      [Bodo Moeller]
 5894 
 5895   *) Add processing of proxy certificates (see RFC 3820).  This work was
 5896      sponsored by KTH (The Royal Institute of Technology in Stockholm) and
 5897      EGEE (Enabling Grids for E-science in Europe).
 5898      [Richard Levitte]
 5899 
 5900   *) RC4 performance overhaul on modern architectures/implementations, such
 5901      as Intel P4, IA-64 and AMD64.
 5902      [Andy Polyakov]
 5903 
 5904   *) New utility extract-section.pl. This can be used specify an alternative
 5905      section number in a pod file instead of having to treat each file as
 5906      a separate case in Makefile. This can be done by adding two lines to the
 5907      pod file:
 5908 
 5909      =for comment openssl_section:XXX
 5910 
 5911      The blank line is mandatory.
 5912 
 5913      [Steve Henson]
 5914 
 5915   *) New arguments -certform, -keyform and -pass for s_client and s_server
 5916      to allow alternative format key and certificate files and passphrase
 5917      sources.
 5918      [Steve Henson]
 5919 
 5920   *) New structure X509_VERIFY_PARAM which combines current verify parameters,
 5921      update associated structures and add various utility functions.
 5922 
 5923      Add new policy related verify parameters, include policy checking in
 5924      standard verify code. Enhance 'smime' application with extra parameters
 5925      to support policy checking and print out.
 5926      [Steve Henson]
 5927 
 5928   *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
 5929      Nehemiah processors. These extensions support AES encryption in hardware
 5930      as well as RNG (though RNG support is currently disabled).
 5931      [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
 5932 
 5933   *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
 5934      [Geoff Thorpe]
 5935 
 5936   *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
 5937      [Andy Polyakov and a number of other people]
 5938 
 5939   *) Improved PowerPC platform support. Most notably BIGNUM assembler
 5940      implementation contributed by IBM.
 5941      [Suresh Chari, Peter Waltenberg, Andy Polyakov]
 5942 
 5943   *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
 5944      exponent rather than 'unsigned long'. There is a corresponding change to
 5945      the new 'rsa_keygen' element of the RSA_METHOD structure.
 5946      [Jelte Jansen, Geoff Thorpe]
 5947 
 5948   *) Functionality for creating the initial serial number file is now
 5949      moved from CA.pl to the 'ca' utility with a new option -create_serial.
 5950 
 5951      (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
 5952      number file to 1, which is bound to cause problems.  To avoid
 5953      the problems while respecting compatibility between different 0.9.7
 5954      patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
 5955      CA.pl for serial number initialization.  With the new release 0.9.8,
 5956      we can fix the problem directly in the 'ca' utility.)
 5957      [Steve Henson]
 5958 
 5959   *) Reduced header interdependencies by declaring more opaque objects in
 5960      ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
 5961      give fewer recursive includes, which could break lazy source code - so
 5962      this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
 5963      developers should define this symbol when building and using openssl to
 5964      ensure they track the recommended behaviour, interfaces, [etc], but
 5965      backwards-compatible behaviour prevails when this isn't defined.
 5966      [Geoff Thorpe]
 5967 
 5968   *) New function X509_POLICY_NODE_print() which prints out policy nodes.
 5969      [Steve Henson]
 5970 
 5971   *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
 5972      This will generate a random key of the appropriate length based on the
 5973      cipher context. The EVP_CIPHER can provide its own random key generation
 5974      routine to support keys of a specific form. This is used in the des and
 5975      3des routines to generate a key of the correct parity. Update S/MIME
 5976      code to use new functions and hence generate correct parity DES keys.
 5977      Add EVP_CHECK_DES_KEY #define to return an error if the key is not
 5978      valid (weak or incorrect parity).
 5979      [Steve Henson]
 5980 
 5981   *) Add a local set of CRLs that can be used by X509_verify_cert() as well
 5982      as looking them up. This is useful when the verified structure may contain
 5983      CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
 5984      present unless the new PKCS7_NO_CRL flag is asserted.
 5985      [Steve Henson]
 5986 
 5987   *) Extend ASN1 oid configuration module. It now additionally accepts the
 5988      syntax:
 5989 
 5990      shortName = some long name, 1.2.3.4
 5991      [Steve Henson]
 5992 
 5993   *) Reimplemented the BN_CTX implementation. There is now no more static
 5994      limitation on the number of variables it can handle nor the depth of the
 5995      "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
 5996      information can now expand as required, and rather than having a single
 5997      static array of bignums, BN_CTX now uses a linked-list of such arrays
 5998      allowing it to expand on demand whilst maintaining the usefulness of
 5999      BN_CTX's "bundling".
 6000      [Geoff Thorpe]
 6001 
 6002   *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
 6003      to allow all RSA operations to function using a single BN_CTX.
 6004      [Geoff Thorpe]
 6005 
 6006   *) Preliminary support for certificate policy evaluation and checking. This
 6007      is initially intended to pass the tests outlined in "Conformance Testing
 6008      of Relying Party Client Certificate Path Processing Logic" v1.07.
 6009      [Steve Henson]
 6010 
 6011   *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
 6012      remained unused and not that useful. A variety of other little bignum
 6013      tweaks and fixes have also been made continuing on from the audit (see
 6014      below).
 6015      [Geoff Thorpe]
 6016 
 6017   *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
 6018      associated ASN1, EVP and SSL functions and old ASN1 macros.
 6019      [Richard Levitte]
 6020 
 6021   *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
 6022      and this should never fail. So the return value from the use of
 6023      BN_set_word() (which can fail due to needless expansion) is now deprecated;
 6024      if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
 6025      [Geoff Thorpe]
 6026 
 6027   *) BN_CTX_get() should return zero-valued bignums, providing the same
 6028      initialised value as BN_new().
 6029      [Geoff Thorpe, suggested by Ulf Möller]
 6030 
 6031   *) Support for inhibitAnyPolicy certificate extension.
 6032      [Steve Henson]
 6033 
 6034   *) An audit of the BIGNUM code is underway, for which debugging code is
 6035      enabled when BN_DEBUG is defined. This makes stricter enforcements on what
 6036      is considered valid when processing BIGNUMs, and causes execution to
 6037      assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
 6038      further steps are taken to deliberately pollute unused data in BIGNUM
 6039      structures to try and expose faulty code further on. For now, openssl will
 6040      (in its default mode of operation) continue to tolerate the inconsistent
 6041      forms that it has tolerated in the past, but authors and packagers should
 6042      consider trying openssl and their own applications when compiled with
 6043      these debugging symbols defined. It will help highlight potential bugs in
 6044      their own code, and will improve the test coverage for OpenSSL itself. At
 6045      some point, these tighter rules will become openssl's default to improve
 6046      maintainability, though the assert()s and other overheads will remain only
 6047      in debugging configurations. See bn.h for more details.
 6048      [Geoff Thorpe, Nils Larsch, Ulf Möller]
 6049 
 6050   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
 6051      that can only be obtained through BN_CTX_new() (which implicitly
 6052      initialises it). The presence of this function only made it possible
 6053      to overwrite an existing structure (and cause memory leaks).
 6054      [Geoff Thorpe]
 6055 
 6056   *) Because of the callback-based approach for implementing LHASH as a
 6057      template type, lh_insert() adds opaque objects to hash-tables and
 6058      lh_doall() or lh_doall_arg() are typically used with a destructor callback
 6059      to clean up those corresponding objects before destroying the hash table
 6060      (and losing the object pointers). So some over-zealous constifications in
 6061      LHASH have been relaxed so that lh_insert() does not take (nor store) the
 6062      objects as "const" and the lh_doall[_arg] callback wrappers are not
 6063      prototyped to have "const" restrictions on the object pointers they are
 6064      given (and so aren't required to cast them away any more).
 6065      [Geoff Thorpe]
 6066 
 6067   *) The tmdiff.h API was so ugly and minimal that our own timing utility
 6068      (speed) prefers to use its own implementation. The two implementations
 6069      haven't been consolidated as yet (volunteers?) but the tmdiff API has had
 6070      its object type properly exposed (MS_TM) instead of casting to/from "char
 6071      *". This may still change yet if someone realises MS_TM and "ms_time_***"
 6072      aren't necessarily the greatest nomenclatures - but this is what was used
 6073      internally to the implementation so I've used that for now.
 6074      [Geoff Thorpe]
 6075 
 6076   *) Ensure that deprecated functions do not get compiled when
 6077      OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
 6078      the self-tests were still using deprecated key-generation functions so
 6079      these have been updated also.
 6080      [Geoff Thorpe]
 6081 
 6082   *) Reorganise PKCS#7 code to separate the digest location functionality
 6083      into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
 6084      New function PKCS7_set_digest() to set the digest type for PKCS#7
 6085      digestedData type. Add additional code to correctly generate the
 6086      digestedData type and add support for this type in PKCS7 initialization
 6087      functions.
 6088      [Steve Henson]
 6089 
 6090   *) New function PKCS7_set0_type_other() this initializes a PKCS7
 6091      structure of type "other".
 6092      [Steve Henson]
 6093 
 6094   *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
 6095      sure the loop does correctly stop and breaking ("division by zero")
 6096      modulus operations are not performed. The (pre-generated) prime
 6097      table crypto/bn/bn_prime.h was already correct, but it could not be
 6098      re-generated on some platforms because of the "division by zero"
 6099      situation in the script.
 6100      [Ralf S. Engelschall]
 6101 
 6102   *) Update support for ECC-based TLS ciphersuites according to
 6103      draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
 6104      SHA-1 now is only used for "small" curves (where the
 6105      representation of a field element takes up to 24 bytes); for
 6106      larger curves, the field element resulting from ECDH is directly
 6107      used as premaster secret.
 6108      [Douglas Stebila (Sun Microsystems Laboratories)]
 6109 
 6110   *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
 6111      curve secp160r1 to the tests.
 6112      [Douglas Stebila (Sun Microsystems Laboratories)]
 6113 
 6114   *) Add the possibility to load symbols globally with DSO.
 6115      [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
 6116 
 6117   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
 6118      control of the error stack.
 6119      [Richard Levitte]
 6120 
 6121   *) Add support for STORE in ENGINE.
 6122      [Richard Levitte]
 6123 
 6124   *) Add the STORE type.  The intention is to provide a common interface
 6125      to certificate and key stores, be they simple file-based stores, or
 6126      HSM-type store, or LDAP stores, or...
 6127      NOTE: The code is currently UNTESTED and isn't really used anywhere.
 6128      [Richard Levitte]
 6129 
 6130   *) Add a generic structure called OPENSSL_ITEM.  This can be used to
 6131      pass a list of arguments to any function as well as provide a way
 6132      for a function to pass data back to the caller.
 6133      [Richard Levitte]
 6134 
 6135   *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
 6136      works like BUF_strdup() but can be used to duplicate a portion of
 6137      a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
 6138      a memory area.
 6139      [Richard Levitte]
 6140 
 6141   *) Add the function sk_find_ex() which works like sk_find(), but will
 6142      return an index to an element even if an exact match couldn't be
 6143      found.  The index is guaranteed to point at the element where the
 6144      searched-for key would be inserted to preserve sorting order.
 6145      [Richard Levitte]
 6146 
 6147   *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
 6148      takes an extra flags argument for optional functionality.  Currently,
 6149      the following flags are defined:
 6150 
 6151         OBJ_BSEARCH_VALUE_ON_NOMATCH
 6152         This one gets OBJ_bsearch_ex() to return a pointer to the first
 6153         element where the comparing function returns a negative or zero
 6154         number.
 6155 
 6156         OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
 6157         This one gets OBJ_bsearch_ex() to return a pointer to the first
 6158         element where the comparing function returns zero.  This is useful
 6159         if there are more than one element where the comparing function
 6160         returns zero.
 6161      [Richard Levitte]
 6162 
 6163   *) Make it possible to create self-signed certificates with 'openssl ca'
 6164      in such a way that the self-signed certificate becomes part of the
 6165      CA database and uses the same mechanisms for serial number generation
 6166      as all other certificate signing.  The new flag '-selfsign' enables
 6167      this functionality.  Adapt CA.sh and CA.pl.in.
 6168      [Richard Levitte]
 6169 
 6170   *) Add functionality to check the public key of a certificate request
 6171      against a given private.  This is useful to check that a certificate
 6172      request can be signed by that key (self-signing).
 6173      [Richard Levitte]
 6174 
 6175   *) Make it possible to have multiple active certificates with the same
 6176      subject in the CA index file.  This is done only if the keyword
 6177      'unique_subject' is set to 'no' in the main CA section (default
 6178      if 'CA_default') of the configuration file.  The value is saved
 6179      with the database itself in a separate index attribute file,
 6180      named like the index file with '.attr' appended to the name.
 6181      [Richard Levitte]
 6182 
 6183   *) Generate multi-valued AVAs using '+' notation in config files for
 6184      req and dirName.
 6185      [Steve Henson]
 6186 
 6187   *) Support for nameConstraints certificate extension.
 6188      [Steve Henson]
 6189 
 6190   *) Support for policyConstraints certificate extension.
 6191      [Steve Henson]
 6192 
 6193   *) Support for policyMappings certificate extension.
 6194      [Steve Henson]
 6195 
 6196   *) Make sure the default DSA_METHOD implementation only uses its
 6197      dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
 6198      and change its own handlers to be NULL so as to remove unnecessary
 6199      indirection. This lets alternative implementations fallback to the
 6200      default implementation more easily.
 6201      [Geoff Thorpe]
 6202 
 6203   *) Support for directoryName in GeneralName related extensions
 6204      in config files.
 6205      [Steve Henson]
 6206 
 6207   *) Make it possible to link applications using Makefile.shared.
 6208      Make that possible even when linking against static libraries!
 6209      [Richard Levitte]
 6210 
 6211   *) Support for single pass processing for S/MIME signing. This now
 6212      means that S/MIME signing can be done from a pipe, in addition
 6213      cleartext signing (multipart/signed type) is effectively streaming
 6214      and the signed data does not need to be all held in memory.
 6215 
 6216      This is done with a new flag PKCS7_STREAM. When this flag is set
 6217      PKCS7_sign() only initializes the PKCS7 structure and the actual signing
 6218      is done after the data is output (and digests calculated) in
 6219      SMIME_write_PKCS7().
 6220      [Steve Henson]
 6221 
 6222   *) Add full support for -rpath/-R, both in shared libraries and
 6223      applications, at least on the platforms where it's known how
 6224      to do it.
 6225      [Richard Levitte]
 6226 
 6227   *) In crypto/ec/ec_mult.c, implement fast point multiplication with
 6228      precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
 6229      will now compute a table of multiples of the generator that
 6230      makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
 6231      faster (notably in the case of a single point multiplication,
 6232      scalar * generator).
 6233      [Nils Larsch, Bodo Moeller]
 6234 
 6235   *) IPv6 support for certificate extensions. The various extensions
 6236      which use the IP:a.b.c.d can now take IPv6 addresses using the
 6237      formats of RFC1884 2.2 . IPv6 addresses are now also displayed
 6238      correctly.
 6239      [Steve Henson]
 6240 
 6241   *) Added an ENGINE that implements RSA by performing private key
 6242      exponentiations with the GMP library. The conversions to and from
 6243      GMP's mpz_t format aren't optimised nor are any montgomery forms
 6244      cached, and on x86 it appears OpenSSL's own performance has caught up.
 6245      However there are likely to be other architectures where GMP could
 6246      provide a boost. This ENGINE is not built in by default, but it can be
 6247      specified at Configure time and should be accompanied by the necessary
 6248      linker additions, eg;
 6249          ./config -DOPENSSL_USE_GMP -lgmp
 6250      [Geoff Thorpe]
 6251 
 6252   *) "openssl engine" will not display ENGINE/DSO load failure errors when
 6253      testing availability of engines with "-t" - the old behaviour is
 6254      produced by increasing the feature's verbosity with "-tt".
 6255      [Geoff Thorpe]
 6256 
 6257   *) ECDSA routines: under certain error conditions uninitialized BN objects
 6258      could be freed. Solution: make sure initialization is performed early
 6259      enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
 6260      via PR#459)
 6261      [Lutz Jaenicke]
 6262 
 6263   *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
 6264      and DH_METHOD (eg. by ENGINE implementations) to override the normal
 6265      software implementations. For DSA and DH, parameter generation can
 6266      also be overridden by providing the appropriate method callbacks.
 6267      [Geoff Thorpe]
 6268 
 6269   *) Change the "progress" mechanism used in key-generation and
 6270      primality testing to functions that take a new BN_GENCB pointer in
 6271      place of callback/argument pairs. The new API functions have "_ex"
 6272      postfixes and the older functions are reimplemented as wrappers for
 6273      the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
 6274      declarations of the old functions to help (graceful) attempts to
 6275      migrate to the new functions. Also, the new key-generation API
 6276      functions operate on a caller-supplied key-structure and return
 6277      success/failure rather than returning a key or NULL - this is to
 6278      help make "keygen" another member function of RSA_METHOD etc.
 6279 
 6280      Example for using the new callback interface:
 6281 
 6282           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
 6283           void *my_arg = ...;
 6284           BN_GENCB my_cb;
 6285 
 6286           BN_GENCB_set(&my_cb, my_callback, my_arg);
 6287 
 6288           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
 6289           /* For the meaning of a, b in calls to my_callback(), see the
 6290            * documentation of the function that calls the callback.
 6291            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
 6292            * my_callback should return 1 if it wants BN_is_prime_ex()
 6293            * to continue, or 0 to stop.
 6294            */
 6295 
 6296      [Geoff Thorpe]
 6297 
 6298   *) Change the ZLIB compression method to be stateful, and make it
 6299      available to TLS with the number defined in
 6300      draft-ietf-tls-compression-04.txt.
 6301      [Richard Levitte]
 6302 
 6303   *) Add the ASN.1 structures and functions for CertificatePair, which
 6304      is defined as follows (according to X.509_4thEditionDraftV6.pdf):
 6305 
 6306      CertificatePair ::= SEQUENCE {
 6307         forward         [0]     Certificate OPTIONAL,
 6308         reverse         [1]     Certificate OPTIONAL,
 6309         -- at least one of the pair shall be present -- }
 6310 
 6311      Also implement the PEM functions to read and write certificate
 6312      pairs, and defined the PEM tag as "CERTIFICATE PAIR".
 6313 
 6314      This needed to be defined, mostly for the sake of the LDAP
 6315      attribute crossCertificatePair, but may prove useful elsewhere as
 6316      well.
 6317      [Richard Levitte]
 6318 
 6319   *) Make it possible to inhibit symlinking of shared libraries in
 6320      Makefile.shared, for Cygwin's sake.
 6321      [Richard Levitte]
 6322 
 6323   *) Extend the BIGNUM API by creating a function
 6324           void BN_set_negative(BIGNUM *a, int neg);
 6325      and a macro that behave like
 6326           int  BN_is_negative(const BIGNUM *a);
 6327 
 6328      to avoid the need to access 'a->neg' directly in applications.
 6329      [Nils Larsch]
 6330 
 6331   *) Implement fast modular reduction for pseudo-Mersenne primes
 6332      used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
 6333      EC_GROUP_new_curve_GFp() will now automatically use this
 6334      if applicable.
 6335      [Nils Larsch <nla@trustcenter.de>]
 6336 
 6337   *) Add new lock type (CRYPTO_LOCK_BN).
 6338      [Bodo Moeller]
 6339 
 6340   *) Change the ENGINE framework to automatically load engines
 6341      dynamically from specific directories unless they could be
 6342      found to already be built in or loaded.  Move all the
 6343      current engines except for the cryptodev one to a new
 6344      directory engines/.
 6345      The engines in engines/ are built as shared libraries if
 6346      the "shared" options was given to ./Configure or ./config.
 6347      Otherwise, they are inserted in libcrypto.a.
 6348      /usr/local/ssl/engines is the default directory for dynamic
 6349      engines, but that can be overridden at configure time through
 6350      the usual use of --prefix and/or --openssldir, and at run
 6351      time with the environment variable OPENSSL_ENGINES.
 6352      [Geoff Thorpe and Richard Levitte]
 6353 
 6354   *) Add Makefile.shared, a helper makefile to build shared
 6355      libraries.  Adapt Makefile.org.
 6356      [Richard Levitte]
 6357 
 6358   *) Add version info to Win32 DLLs.
 6359      [Peter 'Luna' Runestig" <peter@runestig.com>]
 6360 
 6361   *) Add new 'medium level' PKCS#12 API. Certificates and keys
 6362      can be added using this API to created arbitrary PKCS#12
 6363      files while avoiding the low level API.
 6364 
 6365      New options to PKCS12_create(), key or cert can be NULL and
 6366      will then be omitted from the output file. The encryption
 6367      algorithm NIDs can be set to -1 for no encryption, the mac
 6368      iteration count can be set to 0 to omit the mac.
 6369 
 6370      Enhance pkcs12 utility by making the -nokeys and -nocerts
 6371      options work when creating a PKCS#12 file. New option -nomac
 6372      to omit the mac, NONE can be set for an encryption algorithm.
 6373      New code is modified to use the enhanced PKCS12_create()
 6374      instead of the low level API.
 6375      [Steve Henson]
 6376 
 6377   *) Extend ASN1 encoder to support indefinite length constructed
 6378      encoding. This can output sequences tags and octet strings in
 6379      this form. Modify pk7_asn1.c to support indefinite length
 6380      encoding. This is experimental and needs additional code to
 6381      be useful, such as an ASN1 bio and some enhanced streaming
 6382      PKCS#7 code.
 6383 
 6384      Extend template encode functionality so that tagging is passed
 6385      down to the template encoder.
 6386      [Steve Henson]
 6387 
 6388   *) Let 'openssl req' fail if an argument to '-newkey' is not
 6389      recognized instead of using RSA as a default.
 6390      [Bodo Moeller]
 6391 
 6392   *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
 6393      As these are not official, they are not included in "ALL";
 6394      the "ECCdraft" ciphersuite group alias can be used to select them.
 6395      [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
 6396 
 6397   *) Add ECDH engine support.
 6398      [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
 6399 
 6400   *) Add ECDH in new directory crypto/ecdh/.
 6401      [Douglas Stebila (Sun Microsystems Laboratories)]
 6402 
 6403   *) Let BN_rand_range() abort with an error after 100 iterations
 6404      without success (which indicates a broken PRNG).
 6405      [Bodo Moeller]
 6406 
 6407   *) Change BN_mod_sqrt() so that it verifies that the input value
 6408      is really the square of the return value.  (Previously,
 6409      BN_mod_sqrt would show GIGO behaviour.)
 6410      [Bodo Moeller]
 6411 
 6412   *) Add named elliptic curves over binary fields from X9.62, SECG,
 6413      and WAP/WTLS; add OIDs that were still missing.
 6414 
 6415      [Sheueling Chang Shantz and Douglas Stebila
 6416      (Sun Microsystems Laboratories)]
 6417 
 6418   *) Extend the EC library for elliptic curves over binary fields
 6419      (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
 6420      New EC_METHOD:
 6421 
 6422           EC_GF2m_simple_method
 6423 
 6424      New API functions:
 6425 
 6426           EC_GROUP_new_curve_GF2m
 6427           EC_GROUP_set_curve_GF2m
 6428           EC_GROUP_get_curve_GF2m
 6429           EC_POINT_set_affine_coordinates_GF2m
 6430           EC_POINT_get_affine_coordinates_GF2m
 6431           EC_POINT_set_compressed_coordinates_GF2m
 6432 
 6433      Point compression for binary fields is disabled by default for
 6434      patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
 6435      enable it).
 6436 
 6437      As binary polynomials are represented as BIGNUMs, various members
 6438      of the EC_GROUP and EC_POINT data structures can be shared
 6439      between the implementations for prime fields and binary fields;
 6440      the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
 6441      are essentially identical to their ..._GFp counterparts.
 6442      (For simplicity, the '..._GFp' prefix has been dropped from
 6443      various internal method names.)
 6444 
 6445      An internal 'field_div' method (similar to 'field_mul' and
 6446      'field_sqr') has been added; this is used only for binary fields.
 6447 
 6448      [Sheueling Chang Shantz and Douglas Stebila
 6449      (Sun Microsystems Laboratories)]
 6450 
 6451   *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
 6452      through methods ('mul', 'precompute_mult').
 6453 
 6454      The generic implementations (now internally called 'ec_wNAF_mul'
 6455      and 'ec_wNAF_precomputed_mult') remain the default if these
 6456      methods are undefined.
 6457 
 6458      [Sheueling Chang Shantz and Douglas Stebila
 6459      (Sun Microsystems Laboratories)]
 6460 
 6461   *) New function EC_GROUP_get_degree, which is defined through
 6462      EC_METHOD.  For curves over prime fields, this returns the bit
 6463      length of the modulus.
 6464 
 6465      [Sheueling Chang Shantz and Douglas Stebila
 6466      (Sun Microsystems Laboratories)]
 6467 
 6468   *) New functions EC_GROUP_dup, EC_POINT_dup.
 6469      (These simply call ..._new  and ..._copy).
 6470 
 6471      [Sheueling Chang Shantz and Douglas Stebila
 6472      (Sun Microsystems Laboratories)]
 6473 
 6474   *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
 6475      Polynomials are represented as BIGNUMs (where the sign bit is not
 6476      used) in the following functions [macros]:
 6477 
 6478           BN_GF2m_add
 6479           BN_GF2m_sub             [= BN_GF2m_add]
 6480           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
 6481           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
 6482           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
 6483           BN_GF2m_mod_inv
 6484           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
 6485           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
 6486           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
 6487           BN_GF2m_cmp             [= BN_ucmp]
 6488 
 6489      (Note that only the 'mod' functions are actually for fields GF(2^m).
 6490      BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
 6491 
 6492      For some functions, an the irreducible polynomial defining a
 6493      field can be given as an 'unsigned int[]' with strictly
 6494      decreasing elements giving the indices of those bits that are set;
 6495      i.e., p[] represents the polynomial
 6496           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
 6497      where
 6498           p[0] > p[1] > ... > p[k] = 0.
 6499      This applies to the following functions:
 6500 
 6501           BN_GF2m_mod_arr
 6502           BN_GF2m_mod_mul_arr
 6503           BN_GF2m_mod_sqr_arr
 6504           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
 6505           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
 6506           BN_GF2m_mod_exp_arr
 6507           BN_GF2m_mod_sqrt_arr
 6508           BN_GF2m_mod_solve_quad_arr
 6509           BN_GF2m_poly2arr
 6510           BN_GF2m_arr2poly
 6511 
 6512      Conversion can be performed by the following functions:
 6513 
 6514           BN_GF2m_poly2arr
 6515           BN_GF2m_arr2poly
 6516 
 6517      bntest.c has additional tests for binary polynomial arithmetic.
 6518 
 6519      Two implementations for BN_GF2m_mod_div() are available.
 6520      The default algorithm simply uses BN_GF2m_mod_inv() and
 6521      BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
 6522      if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
 6523      copyright notice in crypto/bn/bn_gf2m.c before enabling it).
 6524 
 6525      [Sheueling Chang Shantz and Douglas Stebila
 6526      (Sun Microsystems Laboratories)]
 6527 
 6528   *) Add new error code 'ERR_R_DISABLED' that can be used when some
 6529      functionality is disabled at compile-time.
 6530      [Douglas Stebila <douglas.stebila@sun.com>]
 6531 
 6532   *) Change default behaviour of 'openssl asn1parse' so that more
 6533      information is visible when viewing, e.g., a certificate:
 6534 
 6535      Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
 6536      mode the content of non-printable OCTET STRINGs is output in a
 6537      style similar to INTEGERs, but with '[HEX DUMP]' prepended to
 6538      avoid the appearance of a printable string.
 6539      [Nils Larsch <nla@trustcenter.de>]
 6540 
 6541   *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
 6542      functions
 6543           EC_GROUP_set_asn1_flag()
 6544           EC_GROUP_get_asn1_flag()
 6545           EC_GROUP_set_point_conversion_form()
 6546           EC_GROUP_get_point_conversion_form()
 6547      These control ASN1 encoding details:
 6548      - Curves (i.e., groups) are encoded explicitly unless asn1_flag
 6549        has been set to OPENSSL_EC_NAMED_CURVE.
 6550      - Points are encoded in uncompressed form by default; options for
 6551        asn1_for are as for point2oct, namely
 6552           POINT_CONVERSION_COMPRESSED
 6553           POINT_CONVERSION_UNCOMPRESSED
 6554           POINT_CONVERSION_HYBRID
 6555 
 6556      Also add 'seed' and 'seed_len' members to EC_GROUP with access
 6557      functions
 6558           EC_GROUP_set_seed()
 6559           EC_GROUP_get0_seed()
 6560           EC_GROUP_get_seed_len()
 6561      This is used only for ASN1 purposes (so far).
 6562      [Nils Larsch <nla@trustcenter.de>]
 6563 
 6564   *) Add 'field_type' member to EC_METHOD, which holds the NID
 6565      of the appropriate field type OID.  The new function
 6566      EC_METHOD_get_field_type() returns this value.
 6567      [Nils Larsch <nla@trustcenter.de>]
 6568 
 6569   *) Add functions
 6570           EC_POINT_point2bn()
 6571           EC_POINT_bn2point()
 6572           EC_POINT_point2hex()
 6573           EC_POINT_hex2point()
 6574      providing useful interfaces to EC_POINT_point2oct() and
 6575      EC_POINT_oct2point().
 6576      [Nils Larsch <nla@trustcenter.de>]
 6577 
 6578   *) Change internals of the EC library so that the functions
 6579           EC_GROUP_set_generator()
 6580           EC_GROUP_get_generator()
 6581           EC_GROUP_get_order()
 6582           EC_GROUP_get_cofactor()
 6583      are implemented directly in crypto/ec/ec_lib.c and not dispatched
 6584      to methods, which would lead to unnecessary code duplication when
 6585      adding different types of curves.
 6586      [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
 6587 
 6588   *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
 6589      arithmetic, and such that modified wNAFs are generated
 6590      (which avoid length expansion in many cases).
 6591      [Bodo Moeller]
 6592 
 6593   *) Add a function EC_GROUP_check_discriminant() (defined via
 6594      EC_METHOD) that verifies that the curve discriminant is non-zero.
 6595 
 6596      Add a function EC_GROUP_check() that makes some sanity tests
 6597      on a EC_GROUP, its generator and order.  This includes
 6598      EC_GROUP_check_discriminant().
 6599      [Nils Larsch <nla@trustcenter.de>]
 6600 
 6601   *) Add ECDSA in new directory crypto/ecdsa/.
 6602 
 6603      Add applications 'openssl ecparam' and 'openssl ecdsa'
 6604      (these are based on 'openssl dsaparam' and 'openssl dsa').
 6605 
 6606      ECDSA support is also included in various other files across the
 6607      library.  Most notably,
 6608      - 'openssl req' now has a '-newkey ecdsa:file' option;
 6609      - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
 6610      - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
 6611        d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
 6612        them suitable for ECDSA where domain parameters must be
 6613        extracted before the specific public key;
 6614      - ECDSA engine support has been added.
 6615      [Nils Larsch <nla@trustcenter.de>]
 6616 
 6617   *) Include some named elliptic curves, and add OIDs from X9.62,
 6618      SECG, and WAP/WTLS.  Each curve can be obtained from the new
 6619      function
 6620           EC_GROUP_new_by_curve_name(),
 6621      and the list of available named curves can be obtained with
 6622           EC_get_builtin_curves().
 6623      Also add a 'curve_name' member to EC_GROUP objects, which can be
 6624      accessed via
 6625          EC_GROUP_set_curve_name()
 6626          EC_GROUP_get_curve_name()
 6627      [Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
 6628 
 6629   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
 6630      was actually never needed) and in BN_mul().  The removal in BN_mul()
 6631      required a small change in bn_mul_part_recursive() and the addition
 6632      of the functions bn_cmp_part_words(), bn_sub_part_words() and
 6633      bn_add_part_words(), which do the same thing as bn_cmp_words(),
 6634      bn_sub_words() and bn_add_words() except they take arrays with
 6635      differing sizes.
 6636      [Richard Levitte]
 6637 
 6638  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 6639 
 6640   *) Cleanse PEM buffers before freeing them since they may contain
 6641      sensitive data.
 6642      [Benjamin Bennett <ben@psc.edu>]
 6643 
 6644   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 6645      a ciphersuite string such as "DEFAULT:RSA" cannot enable
 6646      authentication-only ciphersuites.
 6647      [Bodo Moeller]
 6648 
 6649   *) Since AES128 and AES256 share a single mask bit in the logic of
 6650      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
 6651      kludge to work properly if AES128 is available and AES256 isn't.
 6652      [Victor Duchovni]
 6653 
 6654   *) Expand security boundary to match 1.1.1 module.
 6655      [Steve Henson]
 6656 
 6657   *) Remove redundant features: hash file source, editing of test vectors
 6658      modify fipsld to use external fips_premain.c signature.
 6659      [Steve Henson]
 6660 
 6661   *) New perl script mkfipsscr.pl to create shell scripts or batch files to
 6662      run algorithm test programs.
 6663      [Steve Henson]
 6664 
 6665   *) Make algorithm test programs more tolerant of whitespace.
 6666      [Steve Henson]
 6667 
 6668   *) Have SSL/TLS server implementation tolerate "mismatched" record
 6669      protocol version while receiving ClientHello even if the
 6670      ClientHello is fragmented.  (The server can't insist on the
 6671      particular protocol version it has chosen before the ServerHello
 6672      message has informed the client about his choice.)
 6673      [Bodo Moeller]
 6674 
 6675   *) Load error codes if they are not already present instead of using a
 6676      static variable. This allows them to be cleanly unloaded and reloaded.
 6677      [Steve Henson]
 6678 
 6679  Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
 6680 
 6681   *) Introduce limits to prevent malicious keys being able to
 6682      cause a denial of service.  (CVE-2006-2940)
 6683      [Steve Henson, Bodo Moeller]
 6684 
 6685   *) Fix ASN.1 parsing of certain invalid structures that can result
 6686      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
 6687 
 6688   *) Fix buffer overflow in SSL_get_shared_ciphers() function.
 6689      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
 6690 
 6691   *) Fix SSL client code which could crash if connecting to a
 6692      malicious SSLv2 server.  (CVE-2006-4343)
 6693      [Tavis Ormandy and Will Drewry, Google Security Team]
 6694 
 6695   *) Change ciphersuite string processing so that an explicit
 6696      ciphersuite selects this one ciphersuite (so that "AES256-SHA"
 6697      will no longer include "AES128-SHA"), and any other similar
 6698      ciphersuite (same bitmap) from *other* protocol versions (so that
 6699      "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
 6700      SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
 6701      changes from 0.9.8b and 0.9.8d.
 6702      [Bodo Moeller]
 6703 
 6704  Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
 6705 
 6706   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
 6707      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 6708 
 6709   *) Change the Unix randomness entropy gathering to use poll() when
 6710      possible instead of select(), since the latter has some
 6711      undesirable limitations.
 6712      [Darryl Miles via Richard Levitte and Bodo Moeller]
 6713 
 6714   *) Disable rogue ciphersuites:
 6715 
 6716       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
 6717       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
 6718       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
 6719 
 6720      The latter two were purportedly from
 6721      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
 6722      appear there.
 6723 
 6724      Also deactivate the remaining ciphersuites from
 6725      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
 6726      unofficial, and the ID has long expired.
 6727      [Bodo Moeller]
 6728 
 6729   *) Fix RSA blinding Heisenbug (problems sometimes occurred on
 6730      dual-core machines) and other potential thread-safety issues.
 6731      [Bodo Moeller]
 6732 
 6733  Changes between 0.9.7i and 0.9.7j  [04 May 2006]
 6734 
 6735   *) Adapt fipsld and the build system to link against the validated FIPS
 6736      module in FIPS mode.
 6737      [Steve Henson]
 6738 
 6739   *) Fixes for VC++ 2005 build under Windows.
 6740      [Steve Henson]
 6741 
 6742   *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
 6743      from a Windows bash shell such as MSYS. It is autodetected from the
 6744      "config" script when run from a VC++ environment. Modify standard VC++
 6745      build to use fipscanister.o from the GNU make build.
 6746      [Steve Henson]
 6747 
 6748  Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
 6749 
 6750   *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
 6751      The value now differs depending on if you build for FIPS or not.
 6752      BEWARE!  A program linked with a shared FIPSed libcrypto can't be
 6753      safely run with a non-FIPSed libcrypto, as it may crash because of
 6754      the difference induced by this change.
 6755      [Andy Polyakov]
 6756 
 6757  Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
 6758 
 6759   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
 6760      (part of SSL_OP_ALL).  This option used to disable the
 6761      countermeasure against man-in-the-middle protocol-version
 6762      rollback in the SSL 2.0 server implementation, which is a bad
 6763      idea.  (CVE-2005-2969)
 6764 
 6765      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
 6766      for Information Security, National Institute of Advanced Industrial
 6767      Science and Technology [AIST], Japan)]
 6768 
 6769   *) Minimal support for X9.31 signatures and PSS padding modes. This is
 6770      mainly for FIPS compliance and not fully integrated at this stage.
 6771      [Steve Henson]
 6772 
 6773   *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
 6774      the exponentiation using a fixed-length exponent.  (Otherwise,
 6775      the information leaked through timing could expose the secret key
 6776      after many signatures; cf. Bleichenbacher's attack on DSA with
 6777      biased k.)
 6778      [Bodo Moeller]
 6779 
 6780   *) Make a new fixed-window mod_exp implementation the default for
 6781      RSA, DSA, and DH private-key operations so that the sequence of
 6782      squares and multiplies and the memory access pattern are
 6783      independent of the particular secret key.  This will mitigate
 6784      cache-timing and potential related attacks.
 6785 
 6786      BN_mod_exp_mont_consttime() is the new exponentiation implementation,
 6787      and this is automatically used by BN_mod_exp_mont() if the new flag
 6788      BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
 6789      will use this BN flag for private exponents unless the flag
 6790      RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
 6791      DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
 6792 
 6793      [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
 6794 
 6795   *) Change the client implementation for SSLv23_method() and
 6796      SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
 6797      Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
 6798      (Previously, the SSL 2.0 backwards compatible Client Hello
 6799      message format would be used even with SSL_OP_NO_SSLv2.)
 6800      [Bodo Moeller]
 6801 
 6802   *) Add support for smime-type MIME parameter in S/MIME messages which some
 6803      clients need.
 6804      [Steve Henson]
 6805 
 6806   *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
 6807      a threadsafe manner. Modify rsa code to use new function and add calls
 6808      to dsa and dh code (which had race conditions before).
 6809      [Steve Henson]
 6810 
 6811   *) Include the fixed error library code in the C error file definitions
 6812      instead of fixing them up at runtime. This keeps the error code
 6813      structures constant.
 6814      [Steve Henson]
 6815 
 6816  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
 6817 
 6818   [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
 6819   OpenSSL 0.9.8.]
 6820 
 6821   *) Fixes for newer kerberos headers. NB: the casts are needed because
 6822      the 'length' field is signed on one version and unsigned on another
 6823      with no (?) obvious way to tell the difference, without these VC++
 6824      complains. Also the "definition" of FAR (blank) is no longer included
 6825      nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
 6826      some needed definitions.
 6827      [Steve Henson]
 6828 
 6829   *) Undo Cygwin change.
 6830      [Ulf Möller]
 6831 
 6832   *) Added support for proxy certificates according to RFC 3820.
 6833      Because they may be a security thread to unaware applications,
 6834      they must be explicitly allowed in run-time.  See
 6835      docs/HOWTO/proxy_certificates.txt for further information.
 6836      [Richard Levitte]
 6837 
 6838  Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
 6839 
 6840   *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
 6841      server and client random values. Previously
 6842      (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
 6843      less random data when sizeof(time_t) > 4 (some 64 bit platforms).
 6844 
 6845      This change has negligible security impact because:
 6846 
 6847      1. Server and client random values still have 24 bytes of pseudo random
 6848         data.
 6849 
 6850      2. Server and client random values are sent in the clear in the initial
 6851         handshake.
 6852 
 6853      3. The master secret is derived using the premaster secret (48 bytes in
 6854         size for static RSA ciphersuites) as well as client server and random
 6855         values.
 6856 
 6857      The OpenSSL team would like to thank the UK NISCC for bringing this issue
 6858      to our attention.
 6859 
 6860      [Stephen Henson, reported by UK NISCC]
 6861 
 6862   *) Use Windows randomness collection on Cygwin.
 6863      [Ulf Möller]
 6864 
 6865   *) Fix hang in EGD/PRNGD query when communication socket is closed
 6866      prematurely by EGD/PRNGD.
 6867      [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
 6868 
 6869   *) Prompt for pass phrases when appropriate for PKCS12 input format.
 6870      [Steve Henson]
 6871 
 6872   *) Back-port of selected performance improvements from development
 6873      branch, as well as improved support for PowerPC platforms.
 6874      [Andy Polyakov]
 6875 
 6876   *) Add lots of checks for memory allocation failure, error codes to indicate
 6877      failure and freeing up memory if a failure occurs.
 6878      [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
 6879 
 6880   *) Add new -passin argument to dgst.
 6881      [Steve Henson]
 6882 
 6883   *) Perform some character comparisons of different types in X509_NAME_cmp:
 6884      this is needed for some certificates that re-encode DNs into UTF8Strings
 6885      (in violation of RFC3280) and can't or won't issue name rollover
 6886      certificates.
 6887      [Steve Henson]
 6888 
 6889   *) Make an explicit check during certificate validation to see that
 6890      the CA setting in each certificate on the chain is correct.  As a
 6891      side effect always do the following basic checks on extensions,
 6892      not just when there's an associated purpose to the check:
 6893 
 6894       - if there is an unhandled critical extension (unless the user
 6895         has chosen to ignore this fault)
 6896       - if the path length has been exceeded (if one is set at all)
 6897       - that certain extensions fit the associated purpose (if one has
 6898         been given)
 6899      [Richard Levitte]
 6900 
 6901  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
 6902 
 6903   *) Avoid a race condition when CRLs are checked in a multi threaded
 6904      environment. This would happen due to the reordering of the revoked
 6905      entries during signature checking and serial number lookup. Now the
 6906      encoding is cached and the serial number sort performed under a lock.
 6907      Add new STACK function sk_is_sorted().
 6908      [Steve Henson]
 6909 
 6910   *) Add Delta CRL to the extension code.
 6911      [Steve Henson]
 6912 
 6913   *) Various fixes to s3_pkt.c so alerts are sent properly.
 6914      [David Holmes <d.holmes@f5.com>]
 6915 
 6916   *) Reduce the chances of duplicate issuer name and serial numbers (in
 6917      violation of RFC3280) using the OpenSSL certificate creation utilities.
 6918      This is done by creating a random 64 bit value for the initial serial
 6919      number when a serial number file is created or when a self signed
 6920      certificate is created using 'openssl req -x509'. The initial serial
 6921      number file is created using 'openssl x509 -next_serial' in CA.pl
 6922      rather than being initialized to 1.
 6923      [Steve Henson]
 6924 
 6925  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
 6926 
 6927   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
 6928      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
 6929      [Joe Orton, Steve Henson]
 6930 
 6931   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
 6932      (CVE-2004-0112)
 6933      [Joe Orton, Steve Henson]
 6934 
 6935   *) Make it possible to have multiple active certificates with the same
 6936      subject in the CA index file.  This is done only if the keyword
 6937      'unique_subject' is set to 'no' in the main CA section (default
 6938      if 'CA_default') of the configuration file.  The value is saved
 6939      with the database itself in a separate index attribute file,
 6940      named like the index file with '.attr' appended to the name.
 6941      [Richard Levitte]
 6942 
 6943   *) X509 verify fixes. Disable broken certificate workarounds when
 6944      X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
 6945      keyUsage extension present. Don't accept CRLs with unhandled critical
 6946      extensions: since verify currently doesn't process CRL extensions this
 6947      rejects a CRL with *any* critical extensions. Add new verify error codes
 6948      for these cases.
 6949      [Steve Henson]
 6950 
 6951   *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
 6952      A clarification of RFC2560 will require the use of OCTET STRINGs and
 6953      some implementations cannot handle the current raw format. Since OpenSSL
 6954      copies and compares OCSP nonces as opaque blobs without any attempt at
 6955      parsing them this should not create any compatibility issues.
 6956      [Steve Henson]
 6957 
 6958   *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
 6959      calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
 6960      this HMAC (and other) operations are several times slower than OpenSSL
 6961      < 0.9.7.
 6962      [Steve Henson]
 6963 
 6964   *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
 6965      [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
 6966 
 6967   *) Use the correct content when signing type "other".
 6968      [Steve Henson]
 6969 
 6970  Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
 6971 
 6972   *) Fix various bugs revealed by running the NISCC test suite:
 6973 
 6974      Stop out of bounds reads in the ASN1 code when presented with
 6975      invalid tags (CVE-2003-0543 and CVE-2003-0544).
 6976 
 6977      Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
 6978 
 6979      If verify callback ignores invalid public key errors don't try to check
 6980      certificate signature with the NULL public key.
 6981 
 6982      [Steve Henson]
 6983 
 6984   *) New -ignore_err option in ocsp application to stop the server
 6985      exiting on the first error in a request.
 6986      [Steve Henson]
 6987 
 6988   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
 6989      if the server requested one: as stated in TLS 1.0 and SSL 3.0
 6990      specifications.
 6991      [Steve Henson]
 6992 
 6993   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
 6994      extra data after the compression methods not only for TLS 1.0
 6995      but also for SSL 3.0 (as required by the specification).
 6996      [Bodo Moeller; problem pointed out by Matthias Loepfe]
 6997 
 6998   *) Change X509_certificate_type() to mark the key as exported/exportable
 6999      when it's 512 *bits* long, not 512 bytes.
 7000      [Richard Levitte]
 7001 
 7002   *) Change AES_cbc_encrypt() so it outputs exact multiple of
 7003      blocks during encryption.
 7004      [Richard Levitte]
 7005 
 7006   *) Various fixes to base64 BIO and non blocking I/O. On write
 7007      flushes were not handled properly if the BIO retried. On read
 7008      data was not being buffered properly and had various logic bugs.
 7009      This also affects blocking I/O when the data being decoded is a
 7010      certain size.
 7011      [Steve Henson]
 7012 
 7013   *) Various S/MIME bugfixes and compatibility changes:
 7014      output correct application/pkcs7 MIME type if
 7015      PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
 7016      Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
 7017      of files as .eml work). Correctly handle very long lines in MIME
 7018      parser.
 7019      [Steve Henson]
 7020 
 7021  Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
 7022 
 7023   *) Countermeasure against the Klima-Pokorny-Rosa extension of
 7024      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
 7025      a protocol version number mismatch like a decryption error
 7026      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
 7027      [Bodo Moeller]
 7028 
 7029   *) Turn on RSA blinding by default in the default implementation
 7030      to avoid a timing attack. Applications that don't want it can call
 7031      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
 7032      They would be ill-advised to do so in most cases.
 7033      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
 7034 
 7035   *) Change RSA blinding code so that it works when the PRNG is not
 7036      seeded (in this case, the secret RSA exponent is abused as
 7037      an unpredictable seed -- if it is not unpredictable, there
 7038      is no point in blinding anyway).  Make RSA blinding thread-safe
 7039      by remembering the creator's thread ID in rsa->blinding and
 7040      having all other threads use local one-time blinding factors
 7041      (this requires more computation than sharing rsa->blinding, but
 7042      avoids excessive locking; and if an RSA object is not shared
 7043      between threads, blinding will still be very fast).
 7044      [Bodo Moeller]
 7045 
 7046   *) Fixed a typo bug that would cause ENGINE_set_default() to set an
 7047      ENGINE as defaults for all supported algorithms irrespective of
 7048      the 'flags' parameter. 'flags' is now honoured, so applications
 7049      should make sure they are passing it correctly.
 7050      [Geoff Thorpe]
 7051 
 7052   *) Target "mingw" now allows native Windows code to be generated in
 7053      the Cygwin environment as well as with the MinGW compiler.
 7054      [Ulf Moeller]
 7055 
 7056  Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
 7057 
 7058   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
 7059      via timing by performing a MAC computation even if incorrect
 7060      block cipher padding has been found.  This is a countermeasure
 7061      against active attacks where the attacker has to distinguish
 7062      between bad padding and a MAC verification error. (CVE-2003-0078)
 7063 
 7064      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
 7065      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
 7066      Martin Vuagnoux (EPFL, Ilion)]
 7067 
 7068   *) Make the no-err option work as intended.  The intention with no-err
 7069      is not to have the whole error stack handling routines removed from
 7070      libcrypto, it's only intended to remove all the function name and
 7071      reason texts, thereby removing some of the footprint that may not
 7072      be interesting if those errors aren't displayed anyway.
 7073 
 7074      NOTE: it's still possible for any application or module to have its
 7075      own set of error texts inserted.  The routines are there, just not
 7076      used by default when no-err is given.
 7077      [Richard Levitte]
 7078 
 7079   *) Add support for FreeBSD on IA64.
 7080      [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
 7081 
 7082   *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
 7083      Kerberos function mit_des_cbc_cksum().  Before this change,
 7084      the value returned by DES_cbc_cksum() was like the one from
 7085      mit_des_cbc_cksum(), except the bytes were swapped.
 7086      [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
 7087 
 7088   *) Allow an application to disable the automatic SSL chain building.
 7089      Before this a rather primitive chain build was always performed in
 7090      ssl3_output_cert_chain(): an application had no way to send the
 7091      correct chain if the automatic operation produced an incorrect result.
 7092 
 7093      Now the chain builder is disabled if either:
 7094 
 7095      1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
 7096 
 7097      2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
 7098 
 7099      The reasoning behind this is that an application would not want the
 7100      auto chain building to take place if extra chain certificates are
 7101      present and it might also want a means of sending no additional
 7102      certificates (for example the chain has two certificates and the
 7103      root is omitted).
 7104      [Steve Henson]
 7105 
 7106   *) Add the possibility to build without the ENGINE framework.
 7107      [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
 7108 
 7109   *) Under Win32 gmtime() can return NULL: check return value in
 7110      OPENSSL_gmtime(). Add error code for case where gmtime() fails.
 7111      [Steve Henson]
 7112 
 7113   *) DSA routines: under certain error conditions uninitialized BN objects
 7114      could be freed. Solution: make sure initialization is performed early
 7115      enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
 7116      Nils Larsch <nla@trustcenter.de> via PR#459)
 7117      [Lutz Jaenicke]
 7118 
 7119   *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
 7120      checked on reconnect on the client side, therefore session resumption
 7121      could still fail with a "ssl session id is different" error. This
 7122      behaviour is masked when SSL_OP_ALL is used due to
 7123      SSL_OP_MICROSOFT_SESS_ID_BUG being set.
 7124      Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
 7125      followup to PR #377.
 7126      [Lutz Jaenicke]
 7127 
 7128   *) IA-32 assembler support enhancements: unified ELF targets, support
 7129      for SCO/Caldera platforms, fix for Cygwin shared build.
 7130      [Andy Polyakov]
 7131 
 7132   *) Add support for FreeBSD on sparc64.  As a consequence, support for
 7133      FreeBSD on non-x86 processors is separate from x86 processors on
 7134      the config script, much like the NetBSD support.
 7135      [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]
 7136 
 7137  Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
 7138 
 7139   [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
 7140   OpenSSL 0.9.7.]
 7141 
 7142   *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
 7143      code (06) was taken as the first octet of the session ID and the last
 7144      octet was ignored consequently. As a result SSLv2 client side session
 7145      caching could not have worked due to the session ID mismatch between
 7146      client and server.
 7147      Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
 7148      PR #377.
 7149      [Lutz Jaenicke]
 7150 
 7151   *) Change the declaration of needed Kerberos libraries to use EX_LIBS
 7152      instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
 7153      removed entirely.
 7154      [Richard Levitte]
 7155 
 7156   *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
 7157      seems that in spite of existing for more than a year, many application
 7158      author have done nothing to provide the necessary callbacks, which
 7159      means that this particular engine will not work properly anywhere.
 7160      This is a very unfortunate situation which forces us, in the name
 7161      of usability, to give the hw_ncipher.c a static lock, which is part
 7162      of libcrypto.
 7163      NOTE: This is for the 0.9.7 series ONLY.  This hack will never
 7164      appear in 0.9.8 or later.  We EXPECT application authors to have
 7165      dealt properly with this when 0.9.8 is released (unless we actually
 7166      make such changes in the libcrypto locking code that changes will
 7167      have to be made anyway).
 7168      [Richard Levitte]
 7169 
 7170   *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
 7171      octets have been read, EOF or an error occurs. Without this change
 7172      some truncated ASN1 structures will not produce an error.
 7173      [Steve Henson]
 7174 
 7175   *) Disable Heimdal support, since it hasn't been fully implemented.
 7176      Still give the possibility to force the use of Heimdal, but with
 7177      warnings and a request that patches get sent to openssl-dev.
 7178      [Richard Levitte]
 7179 
 7180   *) Add the VC-CE target, introduce the WINCE sysname, and add
 7181      INSTALL.WCE and appropriate conditionals to make it build.
 7182      [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
 7183 
 7184   *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
 7185      cygssl-x.y.z.dll, where x, y and z are the major, minor and
 7186      edit numbers of the version.
 7187      [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
 7188 
 7189   *) Introduce safe string copy and catenation functions
 7190      (BUF_strlcpy() and BUF_strlcat()).
 7191      [Ben Laurie (CHATS) and Richard Levitte]
 7192 
 7193   *) Avoid using fixed-size buffers for one-line DNs.
 7194      [Ben Laurie (CHATS)]
 7195 
 7196   *) Add BUF_MEM_grow_clean() to avoid information leakage when
 7197      resizing buffers containing secrets, and use where appropriate.
 7198      [Ben Laurie (CHATS)]
 7199 
 7200   *) Avoid using fixed size buffers for configuration file location.
 7201      [Ben Laurie (CHATS)]
 7202 
 7203   *) Avoid filename truncation for various CA files.
 7204      [Ben Laurie (CHATS)]
 7205 
 7206   *) Use sizeof in preference to magic numbers.
 7207      [Ben Laurie (CHATS)]
 7208 
 7209   *) Avoid filename truncation in cert requests.
 7210      [Ben Laurie (CHATS)]
 7211 
 7212   *) Add assertions to check for (supposedly impossible) buffer
 7213      overflows.
 7214      [Ben Laurie (CHATS)]
 7215 
 7216   *) Don't cache truncated DNS entries in the local cache (this could
 7217      potentially lead to a spoofing attack).
 7218      [Ben Laurie (CHATS)]
 7219 
 7220   *) Fix various buffers to be large enough for hex/decimal
 7221      representations in a platform independent manner.
 7222      [Ben Laurie (CHATS)]
 7223 
 7224   *) Add CRYPTO_realloc_clean() to avoid information leakage when
 7225      resizing buffers containing secrets, and use where appropriate.
 7226      [Ben Laurie (CHATS)]
 7227 
 7228   *) Add BIO_indent() to avoid much slightly worrying code to do
 7229      indents.
 7230      [Ben Laurie (CHATS)]
 7231 
 7232   *) Convert sprintf()/BIO_puts() to BIO_printf().
 7233      [Ben Laurie (CHATS)]
 7234 
 7235   *) buffer_gets() could terminate with the buffer only half
 7236      full. Fixed.
 7237      [Ben Laurie (CHATS)]
 7238 
 7239   *) Add assertions to prevent user-supplied crypto functions from
 7240      overflowing internal buffers by having large block sizes, etc.
 7241      [Ben Laurie (CHATS)]
 7242 
 7243   *) New OPENSSL_assert() macro (similar to assert(), but enabled
 7244      unconditionally).
 7245      [Ben Laurie (CHATS)]
 7246 
 7247   *) Eliminate unused copy of key in RC4.
 7248      [Ben Laurie (CHATS)]
 7249 
 7250   *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
 7251      [Ben Laurie (CHATS)]
 7252 
 7253   *) Fix off-by-one error in EGD path.
 7254      [Ben Laurie (CHATS)]
 7255 
 7256   *) If RANDFILE path is too long, ignore instead of truncating.
 7257      [Ben Laurie (CHATS)]
 7258 
 7259   *) Eliminate unused and incorrectly sized X.509 structure
 7260      CBCParameter.
 7261      [Ben Laurie (CHATS)]
 7262 
 7263   *) Eliminate unused and dangerous function knumber().
 7264      [Ben Laurie (CHATS)]
 7265 
 7266   *) Eliminate unused and dangerous structure, KSSL_ERR.
 7267      [Ben Laurie (CHATS)]
 7268 
 7269   *) Protect against overlong session ID context length in an encoded
 7270      session object. Since these are local, this does not appear to be
 7271      exploitable.
 7272      [Ben Laurie (CHATS)]
 7273 
 7274   *) Change from security patch (see 0.9.6e below) that did not affect
 7275      the 0.9.6 release series:
 7276 
 7277      Remote buffer overflow in SSL3 protocol - an attacker could
 7278      supply an oversized master key in Kerberos-enabled versions.
 7279      (CVE-2002-0657)
 7280      [Ben Laurie (CHATS)]
 7281 
 7282   *) Change the SSL kerb5 codes to match RFC 2712.
 7283      [Richard Levitte]
 7284 
 7285   *) Make -nameopt work fully for req and add -reqopt switch.
 7286      [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
 7287 
 7288   *) The "block size" for block ciphers in CFB and OFB mode should be 1.
 7289      [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
 7290 
 7291   *) Make sure tests can be performed even if the corresponding algorithms
 7292      have been removed entirely.  This was also the last step to make
 7293      OpenSSL compilable with DJGPP under all reasonable conditions.
 7294      [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
 7295 
 7296   *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
 7297      to allow version independent disabling of normally unselected ciphers,
 7298      which may be activated as a side-effect of selecting a single cipher.
 7299 
 7300      (E.g., cipher list string "RSA" enables ciphersuites that are left
 7301      out of "ALL" because they do not provide symmetric encryption.
 7302      "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
 7303      [Lutz Jaenicke, Bodo Moeller]
 7304 
 7305   *) Add appropriate support for separate platform-dependent build
 7306      directories.  The recommended way to make a platform-dependent
 7307      build directory is the following (tested on Linux), maybe with
 7308      some local tweaks:
 7309 
 7310         # Place yourself outside of the OpenSSL source tree.  In
 7311         # this example, the environment variable OPENSSL_SOURCE
 7312         # is assumed to contain the absolute OpenSSL source directory.
 7313         mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
 7314         cd objtree/"`uname -s`-`uname -r`-`uname -m`"
 7315         (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
 7316                 mkdir -p `dirname $F`
 7317                 ln -s $OPENSSL_SOURCE/$F $F
 7318         done
 7319 
 7320      To be absolutely sure not to disturb the source tree, a "make clean"
 7321      is a good thing.  If it isn't successful, don't worry about it,
 7322      it probably means the source directory is very clean.
 7323      [Richard Levitte]
 7324 
 7325   *) Make sure any ENGINE control commands make local copies of string
 7326      pointers passed to them whenever necessary. Otherwise it is possible
 7327      the caller may have overwritten (or deallocated) the original string
 7328      data when a later ENGINE operation tries to use the stored values.
 7329      [Götz Babin-Ebell <babinebell@trustcenter.de>]
 7330 
 7331   *) Improve diagnostics in file reading and command-line digests.
 7332      [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
 7333 
 7334   *) Add AES modes CFB and OFB to the object database.  Correct an
 7335      error in AES-CFB decryption.
 7336      [Richard Levitte]
 7337 
 7338   *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
 7339      allows existing EVP_CIPHER_CTX structures to be reused after
 7340      calling EVP_*Final(). This behaviour is used by encryption
 7341      BIOs and some applications. This has the side effect that
 7342      applications must explicitly clean up cipher contexts with
 7343      EVP_CIPHER_CTX_cleanup() or they will leak memory.
 7344      [Steve Henson]
 7345 
 7346   *) Check the values of dna and dnb in bn_mul_recursive before calling
 7347      bn_mul_comba (a non zero value means the a or b arrays do not contain
 7348      n2 elements) and fallback to bn_mul_normal if either is not zero.
 7349      [Steve Henson]
 7350 
 7351   *) Fix escaping of non-ASCII characters when using the -subj option
 7352      of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
 7353      [Lutz Jaenicke]
 7354 
 7355   *) Make object definitions compliant to LDAP (RFC2256): SN is the short
 7356      form for "surname", serialNumber has no short form.
 7357      Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
 7358      therefore remove "mail" short name for "internet 7".
 7359      The OID for unique identifiers in X509 certificates is
 7360      x500UniqueIdentifier, not uniqueIdentifier.
 7361      Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
 7362      [Lutz Jaenicke]
 7363 
 7364   *) Add an "init" command to the ENGINE config module and auto initialize
 7365      ENGINEs. Without any "init" command the ENGINE will be initialized
 7366      after all ctrl commands have been executed on it. If init=1 the
 7367      ENGINE is initialized at that point (ctrls before that point are run
 7368      on the uninitialized ENGINE and after on the initialized one). If
 7369      init=0 then the ENGINE will not be initialized at all.
 7370      [Steve Henson]
 7371 
 7372   *) Fix the 'app_verify_callback' interface so that the user-defined
 7373      argument is actually passed to the callback: In the
 7374      SSL_CTX_set_cert_verify_callback() prototype, the callback
 7375      declaration has been changed from
 7376           int (*cb)()
 7377      into
 7378           int (*cb)(X509_STORE_CTX *,void *);
 7379      in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
 7380           i=s->ctx->app_verify_callback(&ctx)
 7381      has been changed into
 7382           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
 7383 
 7384      To update applications using SSL_CTX_set_cert_verify_callback(),
 7385      a dummy argument can be added to their callback functions.
 7386      [D. K. Smetters <smetters@parc.xerox.com>]
 7387 
 7388   *) Added the '4758cca' ENGINE to support IBM 4758 cards.
 7389      [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]
 7390 
 7391   *) Add and OPENSSL_LOAD_CONF define which will cause
 7392      OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
 7393      This allows older applications to transparently support certain
 7394      OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
 7395      Two new functions OPENSSL_add_all_algorithms_noconf() which will never
 7396      load the config file and OPENSSL_add_all_algorithms_conf() which will
 7397      always load it have also been added.
 7398      [Steve Henson]
 7399 
 7400   *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
 7401      Adjust NIDs and EVP layer.
 7402      [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
 7403 
 7404   *) Config modules support in openssl utility.
 7405 
 7406      Most commands now load modules from the config file,
 7407      though in a few (such as version) this isn't done
 7408      because it couldn't be used for anything.
 7409 
 7410      In the case of ca and req the config file used is
 7411      the same as the utility itself: that is the -config
 7412      command line option can be used to specify an
 7413      alternative file.
 7414      [Steve Henson]
 7415 
 7416   *) Move default behaviour from OPENSSL_config(). If appname is NULL
 7417      use "openssl_conf" if filename is NULL use default openssl config file.
 7418      [Steve Henson]
 7419 
 7420   *) Add an argument to OPENSSL_config() to allow the use of an alternative
 7421      config section name. Add a new flag to tolerate a missing config file
 7422      and move code to CONF_modules_load_file().
 7423      [Steve Henson]
 7424 
 7425   *) Support for crypto accelerator cards from Accelerated Encryption
 7426      Processing, www.aep.ie.  (Use engine 'aep')
 7427      The support was copied from 0.9.6c [engine] and adapted/corrected
 7428      to work with the new engine framework.
 7429      [AEP Inc. and Richard Levitte]
 7430 
 7431   *) Support for SureWare crypto accelerator cards from Baltimore
 7432      Technologies.  (Use engine 'sureware')
 7433      The support was copied from 0.9.6c [engine] and adapted
 7434      to work with the new engine framework.
 7435      [Richard Levitte]
 7436 
 7437   *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
 7438      make the newer ENGINE framework commands for the CHIL engine work.
 7439      [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]
 7440 
 7441   *) Make it possible to produce shared libraries on ReliantUNIX.
 7442      [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]
 7443 
 7444   *) Add the configuration target debug-linux-ppro.
 7445      Make 'openssl rsa' use the general key loading routines
 7446      implemented in apps.c, and make those routines able to
 7447      handle the key format FORMAT_NETSCAPE and the variant
 7448      FORMAT_IISSGC.
 7449      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 7450 
 7451  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
 7452      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 7453 
 7454   *) Add -keyform to rsautl, and document -engine.
 7455      [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]
 7456 
 7457   *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
 7458      BIO_R_NO_SUCH_FILE error code rather than the generic
 7459      ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
 7460      [Ben Laurie]
 7461 
 7462   *) Add new functions
 7463           ERR_peek_last_error
 7464           ERR_peek_last_error_line
 7465           ERR_peek_last_error_line_data.
 7466      These are similar to
 7467           ERR_peek_error
 7468           ERR_peek_error_line
 7469           ERR_peek_error_line_data,
 7470      but report on the latest error recorded rather than the first one
 7471      still in the error queue.
 7472      [Ben Laurie, Bodo Moeller]
 7473 
 7474   *) default_algorithms option in ENGINE config module. This allows things
 7475      like:
 7476      default_algorithms = ALL
 7477      default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
 7478      [Steve Henson]
 7479 
 7480   *) Preliminary ENGINE config module.
 7481      [Steve Henson]
 7482 
 7483   *) New experimental application configuration code.
 7484      [Steve Henson]
 7485 
 7486   *) Change the AES code to follow the same name structure as all other
 7487      symmetric ciphers, and behave the same way.  Move everything to
 7488      the directory crypto/aes, thereby obsoleting crypto/rijndael.
 7489      [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
 7490 
 7491   *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
 7492      [Ben Laurie and Theo de Raadt]
 7493 
 7494   *) Add option to output public keys in req command.
 7495      [Massimiliano Pala madwolf@openca.org]
 7496 
 7497   *) Use wNAFs in EC_POINTs_mul() for improved efficiency
 7498      (up to about 10% better than before for P-192 and P-224).
 7499      [Bodo Moeller]
 7500 
 7501   *) New functions/macros
 7502 
 7503           SSL_CTX_set_msg_callback(ctx, cb)
 7504           SSL_CTX_set_msg_callback_arg(ctx, arg)
 7505           SSL_set_msg_callback(ssl, cb)
 7506           SSL_set_msg_callback_arg(ssl, arg)
 7507 
 7508      to request calling a callback function
 7509 
 7510           void cb(int write_p, int version, int content_type,
 7511                   const void *buf, size_t len, SSL *ssl, void *arg)
 7512 
 7513      whenever a protocol message has been completely received
 7514      (write_p == 0) or sent (write_p == 1).  Here 'version' is the
 7515      protocol version  according to which the SSL library interprets
 7516      the current protocol message (SSL2_VERSION, SSL3_VERSION, or
 7517      TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
 7518      the content type as defined in the SSL 3.0/TLS 1.0 protocol
 7519      specification (change_cipher_spec(20), alert(21), handshake(22)).
 7520      'buf' and 'len' point to the actual message, 'ssl' to the
 7521      SSL object, and 'arg' is the application-defined value set by
 7522      SSL[_CTX]_set_msg_callback_arg().
 7523 
 7524      'openssl s_client' and 'openssl s_server' have new '-msg' options
 7525      to enable a callback that displays all protocol messages.
 7526      [Bodo Moeller]
 7527 
 7528   *) Change the shared library support so shared libraries are built as
 7529      soon as the corresponding static library is finished, and thereby get
 7530      openssl and the test programs linked against the shared library.
 7531      This still only happens when the keyword "shard" has been given to
 7532      the configuration scripts.
 7533 
 7534      NOTE: shared library support is still an experimental thing, and
 7535      backward binary compatibility is still not guaranteed.
 7536      ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
 7537 
 7538   *) Add support for Subject Information Access extension.
 7539      [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
 7540 
 7541   *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
 7542      additional bytes when new memory had to be allocated, not just
 7543      when reusing an existing buffer.
 7544      [Bodo Moeller]
 7545 
 7546   *) New command line and configuration option 'utf8' for the req command.
 7547      This allows field values to be specified as UTF8 strings.
 7548      [Steve Henson]
 7549 
 7550   *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
 7551      runs for the former and machine-readable output for the latter.
 7552      [Ben Laurie]
 7553 
 7554   *) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
 7555      of the e-mail address in the DN (i.e., it will go into a certificate
 7556      extension only).  The new configuration file option 'email_in_dn = no'
 7557      has the same effect.
 7558      [Massimiliano Pala madwolf@openca.org]
 7559 
 7560   *) Change all functions with names starting with des_ to be starting
 7561      with DES_ instead.  Add wrappers that are compatible with libdes,
 7562      but are named _ossl_old_des_*.  Finally, add macros that map the
 7563      des_* symbols to the corresponding _ossl_old_des_* if libdes
 7564      compatibility is desired.  If OpenSSL 0.9.6c compatibility is
 7565      desired, the des_* symbols will be mapped to DES_*, with one
 7566      exception.
 7567 
 7568      Since we provide two compatibility mappings, the user needs to
 7569      define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
 7570      compatibility is desired.  The default (i.e., when that macro
 7571      isn't defined) is OpenSSL 0.9.6c compatibility.
 7572 
 7573      There are also macros that enable and disable the support of old
 7574      des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
 7575      and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
 7576      are defined, the default will apply: to support the old des routines.
 7577 
 7578      In either case, one must include openssl/des.h to get the correct
 7579      definitions.  Do not try to just include openssl/des_old.h, that
 7580      won't work.
 7581 
 7582      NOTE: This is a major break of an old API into a new one.  Software
 7583      authors are encouraged to switch to the DES_ style functions.  Some
 7584      time in the future, des_old.h and the libdes compatibility functions
 7585      will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
 7586      default), and then completely removed.
 7587      [Richard Levitte]
 7588 
 7589   *) Test for certificates which contain unsupported critical extensions.
 7590      If such a certificate is found during a verify operation it is
 7591      rejected by default: this behaviour can be overridden by either
 7592      handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
 7593      by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
 7594      X509_supported_extension() has also been added which returns 1 if a
 7595      particular extension is supported.
 7596      [Steve Henson]
 7597 
 7598   *) Modify the behaviour of EVP cipher functions in similar way to digests
 7599      to retain compatibility with existing code.
 7600      [Steve Henson]
 7601 
 7602   *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
 7603      compatibility with existing code. In particular the 'ctx' parameter does
 7604      not have to be to be initialized before the call to EVP_DigestInit() and
 7605      it is tidied up after a call to EVP_DigestFinal(). New function
 7606      EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
 7607      EVP_MD_CTX_copy() changed to not require the destination to be
 7608      initialized valid and new function EVP_MD_CTX_copy_ex() added which
 7609      requires the destination to be valid.
 7610 
 7611      Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
 7612      EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
 7613      [Steve Henson]
 7614 
 7615   *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
 7616      so that complete 'Handshake' protocol structures are kept in memory
 7617      instead of overwriting 'msg_type' and 'length' with 'body' data.
 7618      [Bodo Moeller]
 7619 
 7620   *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
 7621      [Massimo Santin via Richard Levitte]
 7622 
 7623   *) Major restructuring to the underlying ENGINE code. This includes
 7624      reduction of linker bloat, separation of pure "ENGINE" manipulation
 7625      (initialisation, etc) from functionality dealing with implementations
 7626      of specific crypto interfaces. This change also introduces integrated
 7627      support for symmetric ciphers and digest implementations - so ENGINEs
 7628      can now accelerate these by providing EVP_CIPHER and EVP_MD
 7629      implementations of their own. This is detailed in crypto/engine/README
 7630      as it couldn't be adequately described here. However, there are a few
 7631      API changes worth noting - some RSA, DSA, DH, and RAND functions that
 7632      were changed in the original introduction of ENGINE code have now
 7633      reverted back - the hooking from this code to ENGINE is now a good
 7634      deal more passive and at run-time, operations deal directly with
 7635      RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
 7636      dereferencing through an ENGINE pointer any more. Also, the ENGINE
 7637      functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
 7638      they were not being used by the framework as there is no concept of a
 7639      BIGNUM_METHOD and they could not be generalised to the new
 7640      'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
 7641      ENGINE_cpy() has been removed as it cannot be consistently defined in
 7642      the new code.
 7643      [Geoff Thorpe]
 7644 
 7645   *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
 7646      [Steve Henson]
 7647 
 7648   *) Change mkdef.pl to sort symbols that get the same entry number,
 7649      and make sure the automatically generated functions ERR_load_*
 7650      become part of libeay.num as well.
 7651      [Richard Levitte]
 7652 
 7653   *) New function SSL_renegotiate_pending().  This returns true once
 7654      renegotiation has been requested (either SSL_renegotiate() call
 7655      or HelloRequest/ClientHello received from the peer) and becomes
 7656      false once a handshake has been completed.
 7657      (For servers, SSL_renegotiate() followed by SSL_do_handshake()
 7658      sends a HelloRequest, but does not ensure that a handshake takes
 7659      place.  SSL_renegotiate_pending() is useful for checking if the
 7660      client has followed the request.)
 7661      [Bodo Moeller]
 7662 
 7663   *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
 7664      By default, clients may request session resumption even during
 7665      renegotiation (if session ID contexts permit); with this option,
 7666      session resumption is possible only in the first handshake.
 7667 
 7668      SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
 7669      more bits available for options that should not be part of
 7670      SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
 7671      [Bodo Moeller]
 7672 
 7673   *) Add some demos for certificate and certificate request creation.
 7674      [Steve Henson]
 7675 
 7676   *) Make maximum certificate chain size accepted from the peer application
 7677      settable (SSL*_get/set_max_cert_list()), as proposed by
 7678      "Douglas E. Engert" <deengert@anl.gov>.
 7679      [Lutz Jaenicke]
 7680 
 7681   *) Add support for shared libraries for Unixware-7
 7682      (Boyd Lynn Gerber <gerberb@zenez.com>).
 7683      [Lutz Jaenicke]
 7684 
 7685   *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
 7686      be done prior to destruction. Use this to unload error strings from
 7687      ENGINEs that load their own error strings. NB: This adds two new API
 7688      functions to "get" and "set" this destroy handler in an ENGINE.
 7689      [Geoff Thorpe]
 7690 
 7691   *) Alter all existing ENGINE implementations (except "openssl" and
 7692      "openbsd") to dynamically instantiate their own error strings. This
 7693      makes them more flexible to be built both as statically-linked ENGINEs
 7694      and self-contained shared-libraries loadable via the "dynamic" ENGINE.
 7695      Also, add stub code to each that makes building them as self-contained
 7696      shared-libraries easier (see README.ENGINE).
 7697      [Geoff Thorpe]
 7698 
 7699   *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
 7700      implementations into applications that are completely implemented in
 7701      self-contained shared-libraries. The "dynamic" ENGINE exposes control
 7702      commands that can be used to configure what shared-library to load and
 7703      to control aspects of the way it is handled. Also, made an update to
 7704      the README.ENGINE file that brings its information up-to-date and
 7705      provides some information and instructions on the "dynamic" ENGINE
 7706      (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
 7707      [Geoff Thorpe]
 7708 
 7709   *) Make it possible to unload ranges of ERR strings with a new
 7710      "ERR_unload_strings" function.
 7711      [Geoff Thorpe]
 7712 
 7713   *) Add a copy() function to EVP_MD.
 7714      [Ben Laurie]
 7715 
 7716   *) Make EVP_MD routines take a context pointer instead of just the
 7717      md_data void pointer.
 7718      [Ben Laurie]
 7719 
 7720   *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
 7721      that the digest can only process a single chunk of data
 7722      (typically because it is provided by a piece of
 7723      hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
 7724      is only going to provide a single chunk of data, and hence the
 7725      framework needn't accumulate the data for oneshot drivers.
 7726      [Ben Laurie]
 7727 
 7728   *) As with "ERR", make it possible to replace the underlying "ex_data"
 7729      functions. This change also alters the storage and management of global
 7730      ex_data state - it's now all inside ex_data.c and all "class" code (eg.
 7731      RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
 7732      index counters. The API functions that use this state have been changed
 7733      to take a "class_index" rather than pointers to the class's local STACK
 7734      and counter, and there is now an API function to dynamically create new
 7735      classes. This centralisation allows us to (a) plug a lot of the
 7736      thread-safety problems that existed, and (b) makes it possible to clean
 7737      up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
 7738      such data would previously have always leaked in application code and
 7739      workarounds were in place to make the memory debugging turn a blind eye
 7740      to it. Application code that doesn't use this new function will still
 7741      leak as before, but their memory debugging output will announce it now
 7742      rather than letting it slide.
 7743 
 7744      Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
 7745      induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
 7746      has a return value to indicate success or failure.
 7747      [Geoff Thorpe]
 7748 
 7749   *) Make it possible to replace the underlying "ERR" functions such that the
 7750      global state (2 LHASH tables and 2 locks) is only used by the "default"
 7751      implementation. This change also adds two functions to "get" and "set"
 7752      the implementation prior to it being automatically set the first time
 7753      any other ERR function takes place. Ie. an application can call "get",
 7754      pass the return value to a module it has just loaded, and that module
 7755      can call its own "set" function using that value. This means the
 7756      module's "ERR" operations will use (and modify) the error state in the
 7757      application and not in its own statically linked copy of OpenSSL code.
 7758      [Geoff Thorpe]
 7759 
 7760   *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
 7761      reference counts. This performs normal REF_PRINT/REF_CHECK macros on
 7762      the operation, and provides a more encapsulated way for external code
 7763      (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
 7764      to use these functions rather than manually incrementing the counts.
 7765 
 7766      Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
 7767      [Geoff Thorpe]
 7768 
 7769   *) Add EVP test program.
 7770      [Ben Laurie]
 7771 
 7772   *) Add symmetric cipher support to ENGINE. Expect the API to change!
 7773      [Ben Laurie]
 7774 
 7775   *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
 7776      X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
 7777      X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
 7778      These allow a CRL to be built without having to access X509_CRL fields
 7779      directly. Modify 'ca' application to use new functions.
 7780      [Steve Henson]
 7781 
 7782   *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
 7783      bug workarounds. Rollback attack detection is a security feature.
 7784      The problem will only arise on OpenSSL servers when TLSv1 is not
 7785      available (sslv3_server_method() or SSL_OP_NO_TLSv1).
 7786      Software authors not wanting to support TLSv1 will have special reasons
 7787      for their choice and can explicitly enable this option.
 7788      [Bodo Moeller, Lutz Jaenicke]
 7789 
 7790   *) Rationalise EVP so it can be extended: don't include a union of
 7791      cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
 7792      (similar to those existing for EVP_CIPHER_CTX).
 7793      Usage example:
 7794 
 7795          EVP_MD_CTX md;
 7796 
 7797          EVP_MD_CTX_init(&md);             /* new function call */
 7798          EVP_DigestInit(&md, EVP_sha1());
 7799          EVP_DigestUpdate(&md, in, len);
 7800          EVP_DigestFinal(&md, out, NULL);
 7801          EVP_MD_CTX_cleanup(&md);          /* new function call */
 7802 
 7803      [Ben Laurie]
 7804 
 7805   *) Make DES key schedule conform to the usual scheme, as well as
 7806      correcting its structure. This means that calls to DES functions
 7807      now have to pass a pointer to a des_key_schedule instead of a
 7808      plain des_key_schedule (which was actually always a pointer
 7809      anyway): E.g.,
 7810 
 7811          des_key_schedule ks;
 7812 
 7813          des_set_key_checked(..., &ks);
 7814          des_ncbc_encrypt(..., &ks, ...);
 7815 
 7816      (Note that a later change renames 'des_...' into 'DES_...'.)
 7817      [Ben Laurie]
 7818 
 7819   *) Initial reduction of linker bloat: the use of some functions, such as
 7820      PEM causes large amounts of unused functions to be linked in due to
 7821      poor organisation. For example pem_all.c contains every PEM function
 7822      which has a knock on effect of linking in large amounts of (unused)
 7823      ASN1 code. Grouping together similar functions and splitting unrelated
 7824      functions prevents this.
 7825      [Steve Henson]
 7826 
 7827   *) Cleanup of EVP macros.
 7828      [Ben Laurie]
 7829 
 7830   *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
 7831      correct _ecb suffix.
 7832      [Ben Laurie]
 7833 
 7834   *) Add initial OCSP responder support to ocsp application. The
 7835      revocation information is handled using the text based index
 7836      use by the ca application. The responder can either handle
 7837      requests generated internally, supplied in files (for example
 7838      via a CGI script) or using an internal minimal server.
 7839      [Steve Henson]
 7840 
 7841   *) Add configuration choices to get zlib compression for TLS.
 7842      [Richard Levitte]
 7843 
 7844   *) Changes to Kerberos SSL for RFC 2712 compliance:
 7845      1.  Implemented real KerberosWrapper, instead of just using
 7846          KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
 7847      2.  Implemented optional authenticator field of KerberosWrapper.
 7848 
 7849      Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
 7850      and authenticator structs; see crypto/krb5/.
 7851 
 7852      Generalized Kerberos calls to support multiple Kerberos libraries.
 7853      [Vern Staats <staatsvr@asc.hpc.mil>,
 7854       Jeffrey Altman <jaltman@columbia.edu>
 7855       via Richard Levitte]
 7856 
 7857   *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
 7858      already does with RSA. testdsa.h now has 'priv_key/pub_key'
 7859      values for each of the key sizes rather than having just
 7860      parameters (and 'speed' generating keys each time).
 7861      [Geoff Thorpe]
 7862 
 7863   *) Speed up EVP routines.
 7864      Before:
 7865 encrypt
 7866 type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 7867 des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
 7868 des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
 7869 des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
 7870 decrypt
 7871 des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
 7872 des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
 7873 des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
 7874      After:
 7875 encrypt
 7876 des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
 7877 decrypt
 7878 des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 7879      [Ben Laurie]
 7880 
 7881   *) Added the OS2-EMX target.
 7882      ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
 7883 
 7884   *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
 7885      to support NCONF routines in extension code. New function CONF_set_nconf()
 7886      to allow functions which take an NCONF to also handle the old LHASH
 7887      structure: this means that the old CONF compatible routines can be
 7888      retained (in particular wrt extensions) without having to duplicate the
 7889      code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
 7890      [Steve Henson]
 7891 
 7892   *) Enhance the general user interface with mechanisms for inner control
 7893      and with possibilities to have yes/no kind of prompts.
 7894      [Richard Levitte]
 7895 
 7896   *) Change all calls to low level digest routines in the library and
 7897      applications to use EVP. Add missing calls to HMAC_cleanup() and
 7898      don't assume HMAC_CTX can be copied using memcpy().
 7899      [Verdon Walker <VWalker@novell.com>, Steve Henson]
 7900 
 7901   *) Add the possibility to control engines through control names but with
 7902      arbitrary arguments instead of just a string.
 7903      Change the key loaders to take a UI_METHOD instead of a callback
 7904      function pointer.  NOTE: this breaks binary compatibility with earlier
 7905      versions of OpenSSL [engine].
 7906      Adapt the nCipher code for these new conditions and add a card insertion
 7907      callback.
 7908      [Richard Levitte]
 7909 
 7910   *) Enhance the general user interface with mechanisms to better support
 7911      dialog box interfaces, application-defined prompts, the possibility
 7912      to use defaults (for example default passwords from somewhere else)
 7913      and interrupts/cancellations.
 7914      [Richard Levitte]
 7915 
 7916   *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
 7917      attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
 7918      [Steve Henson]
 7919 
 7920   *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
 7921      tidy up some unnecessarily weird code in 'sk_new()').
 7922      [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
 7923 
 7924   *) Change the key loading routines for ENGINEs to use the same kind
 7925      callback (pem_password_cb) as all other routines that need this
 7926      kind of callback.
 7927      [Richard Levitte]
 7928 
 7929   *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
 7930      256 bit (=32 byte) keys. Of course seeding with more entropy bytes
 7931      than this minimum value is recommended.
 7932      [Lutz Jaenicke]
 7933 
 7934   *) New random seeder for OpenVMS, using the system process statistics
 7935      that are easily reachable.
 7936      [Richard Levitte]
 7937 
 7938   *) Windows apparently can't transparently handle global
 7939      variables defined in DLLs. Initialisations such as:
 7940 
 7941         const ASN1_ITEM *it = &ASN1_INTEGER_it;
 7942 
 7943      won't compile. This is used by the any applications that need to
 7944      declare their own ASN1 modules. This was fixed by adding the option
 7945      EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
 7946      needed for static libraries under Win32.
 7947      [Steve Henson]
 7948 
 7949   *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
 7950      setting of purpose and trust fields. New X509_STORE trust and
 7951      purpose functions and tidy up setting in other SSL functions.
 7952      [Steve Henson]
 7953 
 7954   *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
 7955      structure. These are inherited by X509_STORE_CTX when it is
 7956      initialised. This allows various defaults to be set in the
 7957      X509_STORE structure (such as flags for CRL checking and custom
 7958      purpose or trust settings) for functions which only use X509_STORE_CTX
 7959      internally such as S/MIME.
 7960 
 7961      Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
 7962      trust settings if they are not set in X509_STORE. This allows X509_STORE
 7963      purposes and trust (in S/MIME for example) to override any set by default.
 7964 
 7965      Add command line options for CRL checking to smime, s_client and s_server
 7966      applications.
 7967      [Steve Henson]
 7968 
 7969   *) Initial CRL based revocation checking. If the CRL checking flag(s)
 7970      are set then the CRL is looked up in the X509_STORE structure and
 7971      its validity and signature checked, then if the certificate is found
 7972      in the CRL the verify fails with a revoked error.
 7973 
 7974      Various new CRL related callbacks added to X509_STORE_CTX structure.
 7975 
 7976      Command line options added to 'verify' application to support this.
 7977 
 7978      This needs some additional work, such as being able to handle multiple
 7979      CRLs with different times, extension based lookup (rather than just
 7980      by subject name) and ultimately more complete V2 CRL extension
 7981      handling.
 7982      [Steve Henson]
 7983 
 7984   *) Add a general user interface API (crypto/ui/).  This is designed
 7985      to replace things like des_read_password and friends (backward
 7986      compatibility functions using this new API are provided).
 7987      The purpose is to remove prompting functions from the DES code
 7988      section as well as provide for prompting through dialog boxes in
 7989      a window system and the like.
 7990      [Richard Levitte]
 7991 
 7992   *) Add "ex_data" support to ENGINE so implementations can add state at a
 7993      per-structure level rather than having to store it globally.
 7994      [Geoff]
 7995 
 7996   *) Make it possible for ENGINE structures to be copied when retrieved by
 7997      ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
 7998      This causes the "original" ENGINE structure to act like a template,
 7999      analogous to the RSA vs. RSA_METHOD type of separation. Because of this
 8000      operational state can be localised to each ENGINE structure, despite the
 8001      fact they all share the same "methods". New ENGINE structures returned in
 8002      this case have no functional references and the return value is the single
 8003      structural reference. This matches the single structural reference returned
 8004      by ENGINE_by_id() normally, when it is incremented on the pre-existing
 8005      ENGINE structure.
 8006      [Geoff]
 8007 
 8008   *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
 8009      needs to match any other type at all we need to manually clear the
 8010      tag cache.
 8011      [Steve Henson]
 8012 
 8013   *) Changes to the "openssl engine" utility to include;
 8014      - verbosity levels ('-v', '-vv', and '-vvv') that provide information
 8015        about an ENGINE's available control commands.
 8016      - executing control commands from command line arguments using the
 8017        '-pre' and '-post' switches. '-post' is only used if '-t' is
 8018        specified and the ENGINE is successfully initialised. The syntax for
 8019        the individual commands are colon-separated, for example;
 8020          openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
 8021      [Geoff]
 8022 
 8023   *) New dynamic control command support for ENGINEs. ENGINEs can now
 8024      declare their own commands (numbers), names (strings), descriptions,
 8025      and input types for run-time discovery by calling applications. A
 8026      subset of these commands are implicitly classed as "executable"
 8027      depending on their input type, and only these can be invoked through
 8028      the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
 8029      can be based on user input, config files, etc). The distinction is
 8030      that "executable" commands cannot return anything other than a boolean
 8031      result and can only support numeric or string input, whereas some
 8032      discoverable commands may only be for direct use through
 8033      ENGINE_ctrl(), eg. supporting the exchange of binary data, function
 8034      pointers, or other custom uses. The "executable" commands are to
 8035      support parameterisations of ENGINE behaviour that can be
 8036      unambiguously defined by ENGINEs and used consistently across any
 8037      OpenSSL-based application. Commands have been added to all the
 8038      existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
 8039      control over shared-library paths without source code alterations.
 8040      [Geoff]
 8041 
 8042   *) Changed all ENGINE implementations to dynamically allocate their
 8043      ENGINEs rather than declaring them statically. Apart from this being
 8044      necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
 8045      this also allows the implementations to compile without using the
 8046      internal engine_int.h header.
 8047      [Geoff]
 8048 
 8049   *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
 8050      'const' value. Any code that should be able to modify a RAND_METHOD
 8051      should already have non-const pointers to it (ie. they should only
 8052      modify their own ones).
 8053      [Geoff]
 8054 
 8055   *) Made a variety of little tweaks to the ENGINE code.
 8056      - "atalla" and "ubsec" string definitions were moved from header files
 8057        to C code. "nuron" string definitions were placed in variables
 8058        rather than hard-coded - allowing parameterisation of these values
 8059        later on via ctrl() commands.
 8060      - Removed unused "#if 0"'d code.
 8061      - Fixed engine list iteration code so it uses ENGINE_free() to release
 8062        structural references.
 8063      - Constified the RAND_METHOD element of ENGINE structures.
 8064      - Constified various get/set functions as appropriate and added
 8065        missing functions (including a catch-all ENGINE_cpy that duplicates
 8066        all ENGINE values onto a new ENGINE except reference counts/state).
 8067      - Removed NULL parameter checks in get/set functions. Setting a method
 8068        or function to NULL is a way of cancelling out a previously set
 8069        value.  Passing a NULL ENGINE parameter is just plain stupid anyway
 8070        and doesn't justify the extra error symbols and code.
 8071      - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
 8072        flags from engine_int.h to engine.h.
 8073      - Changed prototypes for ENGINE handler functions (init(), finish(),
 8074        ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
 8075      [Geoff]
 8076 
 8077   *) Implement binary inversion algorithm for BN_mod_inverse in addition
 8078      to the algorithm using long division.  The binary algorithm can be
 8079      used only if the modulus is odd.  On 32-bit systems, it is faster
 8080      only for relatively small moduli (roughly 20-30% for 128-bit moduli,
 8081      roughly 5-15% for 256-bit moduli), so we use it only for moduli
 8082      up to 450 bits.  In 64-bit environments, the binary algorithm
 8083      appears to be advantageous for much longer moduli; here we use it
 8084      for moduli up to 2048 bits.
 8085      [Bodo Moeller]
 8086 
 8087   *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
 8088      could not support the combine flag in choice fields.
 8089      [Steve Henson]
 8090 
 8091   *) Add a 'copy_extensions' option to the 'ca' utility. This copies
 8092      extensions from a certificate request to the certificate.
 8093      [Steve Henson]
 8094 
 8095   *) Allow multiple 'certopt' and 'nameopt' options to be separated
 8096      by commas. Add 'namopt' and 'certopt' options to the 'ca' config
 8097      file: this allows the display of the certificate about to be
 8098      signed to be customised, to allow certain fields to be included
 8099      or excluded and extension details. The old system didn't display
 8100      multicharacter strings properly, omitted fields not in the policy
 8101      and couldn't display additional details such as extensions.
 8102      [Steve Henson]
 8103 
 8104   *) Function EC_POINTs_mul for multiple scalar multiplication
 8105      of an arbitrary number of elliptic curve points
 8106           \sum scalars[i]*points[i],
 8107      optionally including the generator defined for the EC_GROUP:
 8108           scalar*generator +  \sum scalars[i]*points[i].
 8109 
 8110      EC_POINT_mul is a simple wrapper function for the typical case
 8111      that the point list has just one item (besides the optional
 8112      generator).
 8113      [Bodo Moeller]
 8114 
 8115   *) First EC_METHODs for curves over GF(p):
 8116 
 8117      EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
 8118      operations and provides various method functions that can also
 8119      operate with faster implementations of modular arithmetic.
 8120 
 8121      EC_GFp_mont_method() reuses most functions that are part of
 8122      EC_GFp_simple_method, but uses Montgomery arithmetic.
 8123 
 8124      [Bodo Moeller; point addition and point doubling
 8125      implementation directly derived from source code provided by
 8126      Lenka Fibikova <fibikova@exp-math.uni-essen.de>]
 8127 
 8128   *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
 8129      crypto/ec/ec_lib.c):
 8130 
 8131      Curves are EC_GROUP objects (with an optional group generator)
 8132      based on EC_METHODs that are built into the library.
 8133 
 8134      Points are EC_POINT objects based on EC_GROUP objects.
 8135 
 8136      Most of the framework would be able to handle curves over arbitrary
 8137      finite fields, but as there are no obvious types for fields other
 8138      than GF(p), some functions are limited to that for now.
 8139      [Bodo Moeller]
 8140 
 8141   *) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
 8142      that the file contains a complete HTTP response.
 8143      [Richard Levitte]
 8144 
 8145   *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
 8146      change the def and num file printf format specifier from "%-40sXXX"
 8147      to "%-39s XXX". The latter will always guarantee a space after the
 8148      field while the former will cause them to run together if the field
 8149      is 40 of more characters long.
 8150      [Steve Henson]
 8151 
 8152   *) Constify the cipher and digest 'method' functions and structures
 8153      and modify related functions to take constant EVP_MD and EVP_CIPHER
 8154      pointers.
 8155      [Steve Henson]
 8156 
 8157   *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
 8158      in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
 8159      [Bodo Moeller]
 8160 
 8161   *) Modify EVP_Digest*() routines so they now return values. Although the
 8162      internal software routines can never fail additional hardware versions
 8163      might.
 8164      [Steve Henson]
 8165 
 8166   *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
 8167 
 8168      Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
 8169      (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
 8170 
 8171      ASN1 error codes
 8172           ERR_R_NESTED_ASN1_ERROR
 8173           ...
 8174           ERR_R_MISSING_ASN1_EOS
 8175      were 4 .. 9, conflicting with
 8176           ERR_LIB_RSA (= ERR_R_RSA_LIB)
 8177           ...
 8178           ERR_LIB_PEM (= ERR_R_PEM_LIB).
 8179      They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
 8180 
 8181      Add new error code 'ERR_R_INTERNAL_ERROR'.
 8182      [Bodo Moeller]
 8183 
 8184   *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
 8185      suffices.
 8186      [Bodo Moeller]
 8187 
 8188   *) New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
 8189      sets the subject name for a new request or supersedes the
 8190      subject name in a given request. Formats that can be parsed are
 8191           'CN=Some Name, OU=myOU, C=IT'
 8192      and
 8193           'CN=Some Name/OU=myOU/C=IT'.
 8194 
 8195      Add options '-batch' and '-verbose' to 'openssl req'.
 8196      [Massimiliano Pala <madwolf@hackmasters.net>]
 8197 
 8198   *) Introduce the possibility to access global variables through
 8199      functions on platform were that's the best way to handle exporting
 8200      global variables in shared libraries.  To enable this functionality,
 8201      one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
 8202      "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
 8203      is normally done by Configure or something similar).
 8204 
 8205      To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
 8206      in the source file (foo.c) like this:
 8207 
 8208         OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
 8209         OPENSSL_IMPLEMENT_GLOBAL(double,bar);
 8210 
 8211      To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
 8212      and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
 8213 
 8214         OPENSSL_DECLARE_GLOBAL(int,foo);
 8215         #define foo OPENSSL_GLOBAL_REF(foo)
 8216         OPENSSL_DECLARE_GLOBAL(double,bar);
 8217         #define bar OPENSSL_GLOBAL_REF(bar)
 8218 
 8219      The #defines are very important, and therefore so is including the
 8220      header file everywhere where the defined globals are used.
 8221 
 8222      The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
 8223      of ASN.1 items, but that structure is a bit different.
 8224 
 8225      The largest change is in util/mkdef.pl which has been enhanced with
 8226      better and easier to understand logic to choose which symbols should
 8227      go into the Windows .def files as well as a number of fixes and code
 8228      cleanup (among others, algorithm keywords are now sorted
 8229      lexicographically to avoid constant rewrites).
 8230      [Richard Levitte]
 8231 
 8232   *) In BN_div() keep a copy of the sign of 'num' before writing the
 8233      result to 'rm' because if rm==num the value will be overwritten
 8234      and produce the wrong result if 'num' is negative: this caused
 8235      problems with BN_mod() and BN_nnmod().
 8236      [Steve Henson]
 8237 
 8238   *) Function OCSP_request_verify(). This checks the signature on an
 8239      OCSP request and verifies the signer certificate. The signer
 8240      certificate is just checked for a generic purpose and OCSP request
 8241      trust settings.
 8242      [Steve Henson]
 8243 
 8244   *) Add OCSP_check_validity() function to check the validity of OCSP
 8245      responses. OCSP responses are prepared in real time and may only
 8246      be a few seconds old. Simply checking that the current time lies
 8247      between thisUpdate and nextUpdate max reject otherwise valid responses
 8248      caused by either OCSP responder or client clock inaccuracy. Instead
 8249      we allow thisUpdate and nextUpdate to fall within a certain period of
 8250      the current time. The age of the response can also optionally be
 8251      checked. Two new options -validity_period and -status_age added to
 8252      ocsp utility.
 8253      [Steve Henson]
 8254 
 8255   *) If signature or public key algorithm is unrecognized print out its
 8256      OID rather that just UNKNOWN.
 8257      [Steve Henson]
 8258 
 8259   *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
 8260      OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
 8261      ID to be generated from the issuer certificate alone which can then be
 8262      passed to OCSP_id_issuer_cmp().
 8263      [Steve Henson]
 8264 
 8265   *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
 8266      ASN1 modules to export functions returning ASN1_ITEM pointers
 8267      instead of the ASN1_ITEM structures themselves. This adds several
 8268      new macros which allow the underlying ASN1 function/structure to
 8269      be accessed transparently. As a result code should not use ASN1_ITEM
 8270      references directly (such as &X509_it) but instead use the relevant
 8271      macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
 8272      use of the new ASN1 code on platforms where exporting structures
 8273      is problematical (for example in shared libraries) but exporting
 8274      functions returning pointers to structures is not.
 8275      [Steve Henson]
 8276 
 8277   *) Add support for overriding the generation of SSL/TLS session IDs.
 8278      These callbacks can be registered either in an SSL_CTX or per SSL.
 8279      The purpose of this is to allow applications to control, if they wish,
 8280      the arbitrary values chosen for use as session IDs, particularly as it
 8281      can be useful for session caching in multiple-server environments. A
 8282      command-line switch for testing this (and any client code that wishes
 8283      to use such a feature) has been added to "s_server".
 8284      [Geoff Thorpe, Lutz Jaenicke]
 8285 
 8286   *) Modify mkdef.pl to recognise and parse preprocessor conditionals
 8287      of the form '#if defined(...) || defined(...) || ...' and
 8288      '#if !defined(...) && !defined(...) && ...'.  This also avoids
 8289      the growing number of special cases it was previously handling.
 8290      [Richard Levitte]
 8291 
 8292   *) Make all configuration macros available for application by making
 8293      sure they are available in opensslconf.h, by giving them names starting
 8294      with "OPENSSL_" to avoid conflicts with other packages and by making
 8295      sure e_os2.h will cover all platform-specific cases together with
 8296      opensslconf.h.
 8297      Additionally, it is now possible to define configuration/platform-
 8298      specific names (called "system identities").  In the C code, these
 8299      are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
 8300      macro with the name beginning with "OPENSSL_SYS_", which is determined
 8301      from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
 8302      what is available.
 8303      [Richard Levitte]
 8304 
 8305   *) New option -set_serial to 'req' and 'x509' this allows the serial
 8306      number to use to be specified on the command line. Previously self
 8307      signed certificates were hard coded with serial number 0 and the
 8308      CA options of 'x509' had to use a serial number in a file which was
 8309      auto incremented.
 8310      [Steve Henson]
 8311 
 8312   *) New options to 'ca' utility to support V2 CRL entry extensions.
 8313      Currently CRL reason, invalidity date and hold instruction are
 8314      supported. Add new CRL extensions to V3 code and some new objects.
 8315      [Steve Henson]
 8316 
 8317   *) New function EVP_CIPHER_CTX_set_padding() this is used to
 8318      disable standard block padding (aka PKCS#5 padding) in the EVP
 8319      API, which was previously mandatory. This means that the data is
 8320      not padded in any way and so the total length much be a multiple
 8321      of the block size, otherwise an error occurs.
 8322      [Steve Henson]
 8323 
 8324   *) Initial (incomplete) OCSP SSL support.
 8325      [Steve Henson]
 8326 
 8327   *) New function OCSP_parse_url(). This splits up a URL into its host,
 8328      port and path components: primarily to parse OCSP URLs. New -url
 8329      option to ocsp utility.
 8330      [Steve Henson]
 8331 
 8332   *) New nonce behavior. The return value of OCSP_check_nonce() now
 8333      reflects the various checks performed. Applications can decide
 8334      whether to tolerate certain situations such as an absent nonce
 8335      in a response when one was present in a request: the ocsp application
 8336      just prints out a warning. New function OCSP_add1_basic_nonce()
 8337      this is to allow responders to include a nonce in a response even if
 8338      the request is nonce-less.
 8339      [Steve Henson]
 8340 
 8341   *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
 8342      skipped when using openssl x509 multiple times on a single input file,
 8343      e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
 8344      [Bodo Moeller]
 8345 
 8346   *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
 8347      set string type: to handle setting ASN1_TIME structures. Fix ca
 8348      utility to correctly initialize revocation date of CRLs.
 8349      [Steve Henson]
 8350 
 8351   *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
 8352      the clients preferred ciphersuites and rather use its own preferences.
 8353      Should help to work around M$ SGC (Server Gated Cryptography) bug in
 8354      Internet Explorer by ensuring unchanged hash method during stepup.
 8355      (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
 8356      [Lutz Jaenicke]
 8357 
 8358   *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
 8359      to aes and add a new 'exist' option to print out symbols that don't
 8360      appear to exist.
 8361      [Steve Henson]
 8362 
 8363   *) Additional options to ocsp utility to allow flags to be set and
 8364      additional certificates supplied.
 8365      [Steve Henson]
 8366 
 8367   *) Add the option -VAfile to 'openssl ocsp', so the user can give the
 8368      OCSP client a number of certificate to only verify the response
 8369      signature against.
 8370      [Richard Levitte]
 8371 
 8372   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
 8373      handle the new API. Currently only ECB, CBC modes supported. Add new
 8374      AES OIDs.
 8375 
 8376      Add TLS AES ciphersuites as described in RFC3268, "Advanced
 8377      Encryption Standard (AES) Ciphersuites for Transport Layer
 8378      Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
 8379      not enabled by default and were not part of the "ALL" ciphersuite
 8380      alias because they were not yet official; they could be
 8381      explicitly requested by specifying the "AESdraft" ciphersuite
 8382      group alias.  In the final release of OpenSSL 0.9.7, the group
 8383      alias is called "AES" and is part of "ALL".)
 8384      [Ben Laurie, Steve  Henson, Bodo Moeller]
 8385 
 8386   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
 8387      request to response.
 8388      [Steve Henson]
 8389 
 8390   *) Functions for OCSP responders. OCSP_request_onereq_count(),
 8391      OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
 8392      extract information from a certificate request. OCSP_response_create()
 8393      creates a response and optionally adds a basic response structure.
 8394      OCSP_basic_add1_status() adds a complete single response to a basic
 8395      response and returns the OCSP_SINGLERESP structure just added (to allow
 8396      extensions to be included for example). OCSP_basic_add1_cert() adds a
 8397      certificate to a basic response and OCSP_basic_sign() signs a basic
 8398      response with various flags. New helper functions ASN1_TIME_check()
 8399      (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
 8400      (converts ASN1_TIME to GeneralizedTime).
 8401      [Steve Henson]
 8402 
 8403   *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
 8404      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
 8405      structure from a certificate. X509_pubkey_digest() digests the public_key
 8406      contents: this is used in various key identifiers.
 8407      [Steve Henson]
 8408 
 8409   *) Make sk_sort() tolerate a NULL argument.
 8410      [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
 8411 
 8412   *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
 8413      passed by the function are trusted implicitly. If any of them signed the
 8414      response then it is assumed to be valid and is not verified.
 8415      [Steve Henson]
 8416 
 8417   *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
 8418      to data. This was previously part of the PKCS7 ASN1 code. This
 8419      was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
 8420      [Steve Henson, reported by Kenneth R. Robinette
 8421                                 <support@securenetterm.com>]
 8422 
 8423   *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
 8424      routines: without these tracing memory leaks is very painful.
 8425      Fix leaks in PKCS12 and PKCS7 routines.
 8426      [Steve Henson]
 8427 
 8428   *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
 8429      Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
 8430      effectively meant GeneralizedTime would never be used. Now it
 8431      is initialised to -1 but X509_time_adj() now has to check the value
 8432      and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
 8433      V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
 8434      [Steve Henson, reported by Kenneth R. Robinette
 8435                                 <support@securenetterm.com>]
 8436 
 8437   *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
 8438      result in a zero length in the ASN1_INTEGER structure which was
 8439      not consistent with the structure when d2i_ASN1_INTEGER() was used
 8440      and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
 8441      to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
 8442      where it did not print out a minus for negative ASN1_INTEGER.
 8443      [Steve Henson]
 8444 
 8445   *) Add summary printout to ocsp utility. The various functions which
 8446      convert status values to strings have been renamed to:
 8447      OCSP_response_status_str(), OCSP_cert_status_str() and
 8448      OCSP_crl_reason_str() and are no longer static. New options
 8449      to verify nonce values and to disable verification. OCSP response
 8450      printout format cleaned up.
 8451      [Steve Henson]
 8452 
 8453   *) Add additional OCSP certificate checks. These are those specified
 8454      in RFC2560. This consists of two separate checks: the CA of the
 8455      certificate being checked must either be the OCSP signer certificate
 8456      or the issuer of the OCSP signer certificate. In the latter case the
 8457      OCSP signer certificate must contain the OCSP signing extended key
 8458      usage. This check is performed by attempting to match the OCSP
 8459      signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
 8460      in the OCSP_CERTID structures of the response.
 8461      [Steve Henson]
 8462 
 8463   *) Initial OCSP certificate verification added to OCSP_basic_verify()
 8464      and related routines. This uses the standard OpenSSL certificate
 8465      verify routines to perform initial checks (just CA validity) and
 8466      to obtain the certificate chain. Then additional checks will be
 8467      performed on the chain. Currently the root CA is checked to see
 8468      if it is explicitly trusted for OCSP signing. This is used to set
 8469      a root CA as a global signing root: that is any certificate that
 8470      chains to that CA is an acceptable OCSP signing certificate.
 8471      [Steve Henson]
 8472 
 8473   *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
 8474      extensions from a separate configuration file.
 8475      As when reading extensions from the main configuration file,
 8476      the '-extensions ...' option may be used for specifying the
 8477      section to use.
 8478      [Massimiliano Pala <madwolf@comune.modena.it>]
 8479 
 8480   *) New OCSP utility. Allows OCSP requests to be generated or
 8481      read. The request can be sent to a responder and the output
 8482      parsed, outputted or printed in text form. Not complete yet:
 8483      still needs to check the OCSP response validity.
 8484      [Steve Henson]
 8485 
 8486   *) New subcommands for 'openssl ca':
 8487      'openssl ca -status <serial>' prints the status of the cert with
 8488      the given serial number (according to the index file).
 8489      'openssl ca -updatedb' updates the expiry status of certificates
 8490      in the index file.
 8491      [Massimiliano Pala <madwolf@comune.modena.it>]
 8492 
 8493   *) New '-newreq-nodes' command option to CA.pl.  This is like
 8494      '-newreq', but calls 'openssl req' with the '-nodes' option
 8495      so that the resulting key is not encrypted.
 8496      [Damien Miller <djm@mindrot.org>]
 8497 
 8498   *) New configuration for the GNU Hurd.
 8499      [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
 8500 
 8501   *) Initial code to implement OCSP basic response verify. This
 8502      is currently incomplete. Currently just finds the signer's
 8503      certificate and verifies the signature on the response.
 8504      [Steve Henson]
 8505 
 8506   *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
 8507      value of OPENSSLDIR.  This is available via the new '-d' option
 8508      to 'openssl version', and is also included in 'openssl version -a'.
 8509      [Bodo Moeller]
 8510 
 8511   *) Allowing defining memory allocation callbacks that will be given
 8512      file name and line number information in additional arguments
 8513      (a const char* and an int).  The basic functionality remains, as
 8514      well as the original possibility to just replace malloc(),
 8515      realloc() and free() by functions that do not know about these
 8516      additional arguments.  To register and find out the current
 8517      settings for extended allocation functions, the following
 8518      functions are provided:
 8519 
 8520         CRYPTO_set_mem_ex_functions
 8521         CRYPTO_set_locked_mem_ex_functions
 8522         CRYPTO_get_mem_ex_functions
 8523         CRYPTO_get_locked_mem_ex_functions
 8524 
 8525      These work the same way as CRYPTO_set_mem_functions and friends.
 8526      CRYPTO_get_[locked_]mem_functions now writes 0 where such an
 8527      extended allocation function is enabled.
 8528      Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
 8529      a conventional allocation function is enabled.
 8530      [Richard Levitte, Bodo Moeller]
 8531 
 8532   *) Finish off removing the remaining LHASH function pointer casts.
 8533      There should no longer be any prototype-casting required when using
 8534      the LHASH abstraction, and any casts that remain are "bugs". See
 8535      the callback types and macros at the head of lhash.h for details
 8536      (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
 8537      [Geoff Thorpe]
 8538 
 8539   *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
 8540      If /dev/[u]random devices are not available or do not return enough
 8541      entropy, EGD style sockets (served by EGD or PRNGD) will automatically
 8542      be queried.
 8543      The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
 8544      /etc/entropy will be queried once each in this sequence, querying stops
 8545      when enough entropy was collected without querying more sockets.
 8546      [Lutz Jaenicke]
 8547 
 8548   *) Change the Unix RAND_poll() variant to be able to poll several
 8549      random devices, as specified by DEVRANDOM, until a sufficient amount
 8550      of data has been collected.   We spend at most 10 ms on each file
 8551      (select timeout) and read in non-blocking mode.  DEVRANDOM now
 8552      defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
 8553      (previously it was just the string "/dev/urandom"), so on typical
 8554      platforms the 10 ms delay will never occur.
 8555      Also separate out the Unix variant to its own file, rand_unix.c.
 8556      For VMS, there's a currently-empty rand_vms.c.
 8557      [Richard Levitte]
 8558 
 8559   *) Move OCSP client related routines to ocsp_cl.c. These
 8560      provide utility functions which an application needing
 8561      to issue a request to an OCSP responder and analyse the
 8562      response will typically need: as opposed to those which an
 8563      OCSP responder itself would need which will be added later.
 8564 
 8565      OCSP_request_sign() signs an OCSP request with an API similar
 8566      to PKCS7_sign(). OCSP_response_status() returns status of OCSP
 8567      response. OCSP_response_get1_basic() extracts basic response
 8568      from response. OCSP_resp_find_status(): finds and extracts status
 8569      information from an OCSP_CERTID structure (which will be created
 8570      when the request structure is built). These are built from lower
 8571      level functions which work on OCSP_SINGLERESP structures but
 8572      won't normally be used unless the application wishes to examine
 8573      extensions in the OCSP response for example.
 8574 
 8575      Replace nonce routines with a pair of functions.
 8576      OCSP_request_add1_nonce() adds a nonce value and optionally
 8577      generates a random value. OCSP_check_nonce() checks the
 8578      validity of the nonce in an OCSP response.
 8579      [Steve Henson]
 8580 
 8581   *) Change function OCSP_request_add() to OCSP_request_add0_id().
 8582      This doesn't copy the supplied OCSP_CERTID and avoids the
 8583      need to free up the newly created id. Change return type
 8584      to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
 8585      This can then be used to add extensions to the request.
 8586      Deleted OCSP_request_new(), since most of its functionality
 8587      is now in OCSP_REQUEST_new() (and the case insensitive name
 8588      clash) apart from the ability to set the request name which
 8589      will be added elsewhere.
 8590      [Steve Henson]
 8591 
 8592   *) Update OCSP API. Remove obsolete extensions argument from
 8593      various functions. Extensions are now handled using the new
 8594      OCSP extension code. New simple OCSP HTTP function which
 8595      can be used to send requests and parse the response.
 8596      [Steve Henson]
 8597 
 8598   *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
 8599      ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
 8600      uses the special reorder version of SET OF to sort the attributes
 8601      and reorder them to match the encoded order. This resolves a long
 8602      standing problem: a verify on a PKCS7 structure just after signing
 8603      it used to fail because the attribute order did not match the
 8604      encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
 8605      it uses the received order. This is necessary to tolerate some broken
 8606      software that does not order SET OF. This is handled by encoding
 8607      as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
 8608      to produce the required SET OF.
 8609      [Steve Henson]
 8610 
 8611   *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
 8612      OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
 8613      files to get correct declarations of the ASN.1 item variables.
 8614      [Richard Levitte]
 8615 
 8616   *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
 8617      PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
 8618      asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
 8619      NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
 8620      New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
 8621      ASN1_ITEM and no wrapper functions.
 8622      [Steve Henson]
 8623 
 8624   *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
 8625      replace the old function pointer based I/O routines. Change most of
 8626      the *_d2i_bio() and *_d2i_fp() functions to use these.
 8627      [Steve Henson]
 8628 
 8629   *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
 8630      lines, recognize more "algorithms" that can be deselected, and make
 8631      it complain about algorithm deselection that isn't recognised.
 8632      [Richard Levitte]
 8633 
 8634   *) New ASN1 functions to handle dup, sign, verify, digest, pack and
 8635      unpack operations in terms of ASN1_ITEM. Modify existing wrappers
 8636      to use new functions. Add NO_ASN1_OLD which can be set to remove
 8637      some old style ASN1 functions: this can be used to determine if old
 8638      code will still work when these eventually go away.
 8639      [Steve Henson]
 8640 
 8641   *) New extension functions for OCSP structures, these follow the
 8642      same conventions as certificates and CRLs.
 8643      [Steve Henson]
 8644 
 8645   *) New function X509V3_add1_i2d(). This automatically encodes and
 8646      adds an extension. Its behaviour can be customised with various
 8647      flags to append, replace or delete. Various wrappers added for
 8648      certificates and CRLs.
 8649      [Steve Henson]
 8650 
 8651   *) Fix to avoid calling the underlying ASN1 print routine when
 8652      an extension cannot be parsed. Correct a typo in the
 8653      OCSP_SERVICELOC extension. Tidy up print OCSP format.
 8654      [Steve Henson]
 8655 
 8656   *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
 8657      entries for variables.
 8658      [Steve Henson]
 8659 
 8660   *) Add functionality to apps/openssl.c for detecting locking
 8661      problems: As the program is single-threaded, all we have
 8662      to do is register a locking callback using an array for
 8663      storing which locks are currently held by the program.
 8664      [Bodo Moeller]
 8665 
 8666   *) Use a lock around the call to CRYPTO_get_ex_new_index() in
 8667      SSL_get_ex_data_X509_STORE_idx(), which is used in
 8668      ssl_verify_cert_chain() and thus can be called at any time
 8669      during TLS/SSL handshakes so that thread-safety is essential.
 8670      Unfortunately, the ex_data design is not at all suited
 8671      for multi-threaded use, so it probably should be abolished.
 8672      [Bodo Moeller]
 8673 
 8674   *) Added Broadcom "ubsec" ENGINE to OpenSSL.
 8675      [Broadcom, tweaked and integrated by Geoff Thorpe]
 8676 
 8677   *) Move common extension printing code to new function
 8678      X509V3_print_extensions(). Reorganise OCSP print routines and
 8679      implement some needed OCSP ASN1 functions. Add OCSP extensions.
 8680      [Steve Henson]
 8681 
 8682   *) New function X509_signature_print() to remove duplication in some
 8683      print routines.
 8684      [Steve Henson]
 8685 
 8686   *) Add a special meaning when SET OF and SEQUENCE OF flags are both
 8687      set (this was treated exactly the same as SET OF previously). This
 8688      is used to reorder the STACK representing the structure to match the
 8689      encoding. This will be used to get round a problem where a PKCS7
 8690      structure which was signed could not be verified because the STACK
 8691      order did not reflect the encoded order.
 8692      [Steve Henson]
 8693 
 8694   *) Reimplement the OCSP ASN1 module using the new code.
 8695      [Steve Henson]
 8696 
 8697   *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
 8698      for its ASN1 operations. The old style function pointers still exist
 8699      for now but they will eventually go away.
 8700      [Steve Henson]
 8701 
 8702   *) Merge in replacement ASN1 code from the ASN1 branch. This almost
 8703      completely replaces the old ASN1 functionality with a table driven
 8704      encoder and decoder which interprets an ASN1_ITEM structure describing
 8705      the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
 8706      largely maintained. Almost all of the old asn1_mac.h macro based ASN1
 8707      has also been converted to the new form.
 8708      [Steve Henson]
 8709 
 8710   *) Change BN_mod_exp_recp so that negative moduli are tolerated
 8711      (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
 8712      so that BN_mod_exp_mont and BN_mod_exp_mont_word work
 8713      for negative moduli.
 8714      [Bodo Moeller]
 8715 
 8716   *) Fix BN_uadd and BN_usub: Always return non-negative results instead
 8717      of not touching the result's sign bit.
 8718      [Bodo Moeller]
 8719 
 8720   *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
 8721      set.
 8722      [Bodo Moeller]
 8723 
 8724   *) Changed the LHASH code to use prototypes for callbacks, and created
 8725      macros to declare and implement thin (optionally static) functions
 8726      that provide type-safety and avoid function pointer casting for the
 8727      type-specific callbacks.
 8728      [Geoff Thorpe]
 8729 
 8730   *) Added Kerberos Cipher Suites to be used with TLS, as written in
 8731      RFC 2712.
 8732      [Veers Staats <staatsvr@asc.hpc.mil>,
 8733       Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
 8734 
 8735   *) Reformat the FAQ so the different questions and answers can be divided
 8736      in sections depending on the subject.
 8737      [Richard Levitte]
 8738 
 8739   *) Have the zlib compression code load ZLIB.DLL dynamically under
 8740      Windows.
 8741      [Richard Levitte]
 8742 
 8743   *) New function BN_mod_sqrt for computing square roots modulo a prime
 8744      (using the probabilistic Tonelli-Shanks algorithm unless
 8745      p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
 8746      be handled deterministically).
 8747      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 8748 
 8749   *) Make BN_mod_inverse faster by explicitly handling small quotients
 8750      in the Euclid loop. (Speed gain about 20% for small moduli [256 or
 8751      512 bits], about 30% for larger ones [1024 or 2048 bits].)
 8752      [Bodo Moeller]
 8753 
 8754   *) New function BN_kronecker.
 8755      [Bodo Moeller]
 8756 
 8757   *) Fix BN_gcd so that it works on negative inputs; the result is
 8758      positive unless both parameters are zero.
 8759      Previously something reasonably close to an infinite loop was
 8760      possible because numbers could be growing instead of shrinking
 8761      in the implementation of Euclid's algorithm.
 8762      [Bodo Moeller]
 8763 
 8764   *) Fix BN_is_word() and BN_is_one() macros to take into account the
 8765      sign of the number in question.
 8766 
 8767      Fix BN_is_word(a,w) to work correctly for w == 0.
 8768 
 8769      The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
 8770      because its test if the absolute value of 'a' equals 'w'.
 8771      Note that BN_abs_is_word does *not* handle w == 0 reliably;
 8772      it exists mostly for use in the implementations of BN_is_zero(),
 8773      BN_is_one(), and BN_is_word().
 8774      [Bodo Moeller]
 8775 
 8776   *) New function BN_swap.
 8777      [Bodo Moeller]
 8778 
 8779   *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
 8780      the exponentiation functions are more likely to produce reasonable
 8781      results on negative inputs.
 8782      [Bodo Moeller]
 8783 
 8784   *) Change BN_mod_mul so that the result is always non-negative.
 8785      Previously, it could be negative if one of the factors was negative;
 8786      I don't think anyone really wanted that behaviour.
 8787      [Bodo Moeller]
 8788 
 8789   *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
 8790      (except for exponentiation, which stays in crypto/bn/bn_exp.c,
 8791      and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
 8792      and add new functions:
 8793 
 8794           BN_nnmod
 8795           BN_mod_sqr
 8796           BN_mod_add
 8797           BN_mod_add_quick
 8798           BN_mod_sub
 8799           BN_mod_sub_quick
 8800           BN_mod_lshift1
 8801           BN_mod_lshift1_quick
 8802           BN_mod_lshift
 8803           BN_mod_lshift_quick
 8804 
 8805      These functions always generate non-negative results.
 8806 
 8807      BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
 8808      such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
 8809 
 8810      BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
 8811      BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
 8812      be reduced modulo  m.
 8813      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 8814 
 8815 #if 0
 8816      The following entry accidentally appeared in the CHANGES file
 8817      distributed with OpenSSL 0.9.7.  The modifications described in
 8818      it do *not* apply to OpenSSL 0.9.7.
 8819 
 8820   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
 8821      was actually never needed) and in BN_mul().  The removal in BN_mul()
 8822      required a small change in bn_mul_part_recursive() and the addition
 8823      of the functions bn_cmp_part_words(), bn_sub_part_words() and
 8824      bn_add_part_words(), which do the same thing as bn_cmp_words(),
 8825      bn_sub_words() and bn_add_words() except they take arrays with
 8826      differing sizes.
 8827      [Richard Levitte]
 8828 #endif
 8829 
 8830   *) In 'openssl passwd', verify passwords read from the terminal
 8831      unless the '-salt' option is used (which usually means that
 8832      verification would just waste user's time since the resulting
 8833      hash is going to be compared with some given password hash)
 8834      or the new '-noverify' option is used.
 8835 
 8836      This is an incompatible change, but it does not affect
 8837      non-interactive use of 'openssl passwd' (passwords on the command
 8838      line, '-stdin' option, '-in ...' option) and thus should not
 8839      cause any problems.
 8840      [Bodo Moeller]
 8841 
 8842   *) Remove all references to RSAref, since there's no more need for it.
 8843      [Richard Levitte]
 8844 
 8845   *) Make DSO load along a path given through an environment variable
 8846      (SHLIB_PATH) with shl_load().
 8847      [Richard Levitte]
 8848 
 8849   *) Constify the ENGINE code as a result of BIGNUM constification.
 8850      Also constify the RSA code and most things related to it.  In a
 8851      few places, most notable in the depth of the ASN.1 code, ugly
 8852      casts back to non-const were required (to be solved at a later
 8853      time)
 8854      [Richard Levitte]
 8855 
 8856   *) Make it so the openssl application has all engines loaded by default.
 8857      [Richard Levitte]
 8858 
 8859   *) Constify the BIGNUM routines a little more.
 8860      [Richard Levitte]
 8861 
 8862   *) Add the following functions:
 8863 
 8864         ENGINE_load_cswift()
 8865         ENGINE_load_chil()
 8866         ENGINE_load_atalla()
 8867         ENGINE_load_nuron()
 8868         ENGINE_load_builtin_engines()
 8869 
 8870      That way, an application can itself choose if external engines that
 8871      are built-in in OpenSSL shall ever be used or not.  The benefit is
 8872      that applications won't have to be linked with libdl or other dso
 8873      libraries unless it's really needed.
 8874 
 8875      Changed 'openssl engine' to load all engines on demand.
 8876      Changed the engine header files to avoid the duplication of some
 8877      declarations (they differed!).
 8878      [Richard Levitte]
 8879 
 8880   *) 'openssl engine' can now list capabilities.
 8881      [Richard Levitte]
 8882 
 8883   *) Better error reporting in 'openssl engine'.
 8884      [Richard Levitte]
 8885 
 8886   *) Never call load_dh_param(NULL) in s_server.
 8887      [Bodo Moeller]
 8888 
 8889   *) Add engine application.  It can currently list engines by name and
 8890      identity, and test if they are actually available.
 8891      [Richard Levitte]
 8892 
 8893   *) Improve RPM specification file by forcing symbolic linking and making
 8894      sure the installed documentation is also owned by root.root.
 8895      [Damien Miller <djm@mindrot.org>]
 8896 
 8897   *) Give the OpenSSL applications more possibilities to make use of
 8898      keys (public as well as private) handled by engines.
 8899      [Richard Levitte]
 8900 
 8901   *) Add OCSP code that comes from CertCo.
 8902      [Richard Levitte]
 8903 
 8904   *) Add VMS support for the Rijndael code.
 8905      [Richard Levitte]
 8906 
 8907   *) Added untested support for Nuron crypto accelerator.
 8908      [Ben Laurie]
 8909 
 8910   *) Add support for external cryptographic devices.  This code was
 8911      previously distributed separately as the "engine" branch.
 8912      [Geoff Thorpe, Richard Levitte]
 8913 
 8914   *) Rework the filename-translation in the DSO code. It is now possible to
 8915      have far greater control over how a "name" is turned into a filename
 8916      depending on the operating environment and any oddities about the
 8917      different shared library filenames on each system.
 8918      [Geoff Thorpe]
 8919 
 8920   *) Support threads on FreeBSD-elf in Configure.
 8921      [Richard Levitte]
 8922 
 8923   *) Fix for SHA1 assembly problem with MASM: it produces
 8924      warnings about corrupt line number information when assembling
 8925      with debugging information. This is caused by the overlapping
 8926      of two sections.
 8927      [Bernd Matthes <mainbug@celocom.de>, Steve Henson]
 8928 
 8929   *) NCONF changes.
 8930      NCONF_get_number() has no error checking at all.  As a replacement,
 8931      NCONF_get_number_e() is defined (_e for "error checking") and is
 8932      promoted strongly.  The old NCONF_get_number is kept around for
 8933      binary backward compatibility.
 8934      Make it possible for methods to load from something other than a BIO,
 8935      by providing a function pointer that is given a name instead of a BIO.
 8936      For example, this could be used to load configuration data from an
 8937      LDAP server.
 8938      [Richard Levitte]
 8939 
 8940   *) Fix for non blocking accept BIOs. Added new I/O special reason
 8941      BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
 8942      with non blocking I/O was not possible because no retry code was
 8943      implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
 8944      this case.
 8945      [Steve Henson]
 8946 
 8947   *) Added the beginnings of Rijndael support.
 8948      [Ben Laurie]
 8949 
 8950   *) Fix for bug in DirectoryString mask setting. Add support for
 8951      X509_NAME_print_ex() in 'req' and X509_print_ex() function
 8952      to allow certificate printing to more controllable, additional
 8953      'certopt' option to 'x509' to allow new printing options to be
 8954      set.
 8955      [Steve Henson]
 8956 
 8957   *) Clean old EAY MD5 hack from e_os.h.
 8958      [Richard Levitte]
 8959 
 8960  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 8961 
 8962   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
 8963      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
 8964      [Joe Orton, Steve Henson]
 8965 
 8966  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
 8967 
 8968   *) Fix additional bug revealed by the NISCC test suite:
 8969 
 8970      Stop bug triggering large recursion when presented with
 8971      certain ASN.1 tags (CVE-2003-0851)
 8972      [Steve Henson]
 8973 
 8974  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
 8975 
 8976   *) Fix various bugs revealed by running the NISCC test suite:
 8977 
 8978      Stop out of bounds reads in the ASN1 code when presented with
 8979      invalid tags (CVE-2003-0543 and CVE-2003-0544).
 8980 
 8981      If verify callback ignores invalid public key errors don't try to check
 8982      certificate signature with the NULL public key.
 8983 
 8984      [Steve Henson]
 8985 
 8986   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
 8987      if the server requested one: as stated in TLS 1.0 and SSL 3.0
 8988      specifications.
 8989      [Steve Henson]
 8990 
 8991   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
 8992      extra data after the compression methods not only for TLS 1.0
 8993      but also for SSL 3.0 (as required by the specification).
 8994      [Bodo Moeller; problem pointed out by Matthias Loepfe]
 8995 
 8996   *) Change X509_certificate_type() to mark the key as exported/exportable
 8997      when it's 512 *bits* long, not 512 bytes.
 8998      [Richard Levitte]
 8999 
 9000  Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
 9001 
 9002   *) Countermeasure against the Klima-Pokorny-Rosa extension of
 9003      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
 9004      a protocol version number mismatch like a decryption error
 9005      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
 9006      [Bodo Moeller]
 9007 
 9008   *) Turn on RSA blinding by default in the default implementation
 9009      to avoid a timing attack. Applications that don't want it can call
 9010      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
 9011      They would be ill-advised to do so in most cases.
 9012      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
 9013 
 9014   *) Change RSA blinding code so that it works when the PRNG is not
 9015      seeded (in this case, the secret RSA exponent is abused as
 9016      an unpredictable seed -- if it is not unpredictable, there
 9017      is no point in blinding anyway).  Make RSA blinding thread-safe
 9018      by remembering the creator's thread ID in rsa->blinding and
 9019      having all other threads use local one-time blinding factors
 9020      (this requires more computation than sharing rsa->blinding, but
 9021      avoids excessive locking; and if an RSA object is not shared
 9022      between threads, blinding will still be very fast).
 9023      [Bodo Moeller]
 9024 
 9025  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
 9026 
 9027   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
 9028      via timing by performing a MAC computation even if incorrect
 9029      block cipher padding has been found.  This is a countermeasure
 9030      against active attacks where the attacker has to distinguish
 9031      between bad padding and a MAC verification error. (CVE-2003-0078)
 9032 
 9033      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
 9034      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
 9035      Martin Vuagnoux (EPFL, Ilion)]
 9036 
 9037  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
 9038 
 9039   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
 9040      memory from its contents.  This is done with a counter that will
 9041      place alternating values in each byte.  This can be used to solve
 9042      two issues: 1) the removal of calls to memset() by highly optimizing
 9043      compilers, and 2) cleansing with other values than 0, since those can
 9044      be read through on certain media, for example a swap space on disk.
 9045      [Geoff Thorpe]
 9046 
 9047   *) Bugfix: client side session caching did not work with external caching,
 9048      because the session->cipher setting was not restored when reloading
 9049      from the external cache. This problem was masked, when
 9050      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
 9051      (Found by Steve Haslam <steve@araqnid.ddts.net>.)
 9052      [Lutz Jaenicke]
 9053 
 9054   *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
 9055      length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
 9056      [Zeev Lieber <zeev-l@yahoo.com>]
 9057 
 9058   *) Undo an undocumented change introduced in 0.9.6e which caused
 9059      repeated calls to OpenSSL_add_all_ciphers() and
 9060      OpenSSL_add_all_digests() to be ignored, even after calling
 9061      EVP_cleanup().
 9062      [Richard Levitte]
 9063 
 9064   *) Change the default configuration reader to deal with last line not
 9065      being properly terminated.
 9066      [Richard Levitte]
 9067 
 9068   *) Change X509_NAME_cmp() so it applies the special rules on handling
 9069      DN values that are of type PrintableString, as well as RDNs of type
 9070      emailAddress where the value has the type ia5String.
 9071      [stefank@valicert.com via Richard Levitte]
 9072 
 9073   *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
 9074      the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
 9075      doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
 9076      the bitwise-OR of the two for use by the majority of applications
 9077      wanting this behaviour, and update the docs. The documented
 9078      behaviour and actual behaviour were inconsistent and had been
 9079      changing anyway, so this is more a bug-fix than a behavioural
 9080      change.
 9081      [Geoff Thorpe, diagnosed by Nadav Har'El]
 9082 
 9083   *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
 9084      (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
 9085      [Bodo Moeller]
 9086 
 9087   *) Fix initialization code race conditions in
 9088         SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
 9089         SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
 9090         SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
 9091         TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
 9092         ssl2_get_cipher_by_char(),
 9093         ssl3_get_cipher_by_char().
 9094      [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
 9095 
 9096   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
 9097      the cached sessions are flushed, as the remove_cb() might use ex_data
 9098      contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
 9099      (see [openssl.org #212]).
 9100      [Geoff Thorpe, Lutz Jaenicke]
 9101 
 9102   *) Fix typo in OBJ_txt2obj which incorrectly passed the content
 9103      length, instead of the encoding length to d2i_ASN1_OBJECT.
 9104      [Steve Henson]
 9105 
 9106  Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
 9107 
 9108   *) [In 0.9.6g-engine release:]
 9109      Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
 9110      [Lynn Gazis <lgazis@rainbow.com>]
 9111 
 9112  Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
 9113 
 9114   *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
 9115      and get fix the header length calculation.
 9116      [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
 9117         Alon Kantor <alonk@checkpoint.com> (and others),
 9118         Steve Henson]
 9119 
 9120   *) Use proper error handling instead of 'assertions' in buffer
 9121      overflow checks added in 0.9.6e.  This prevents DoS (the
 9122      assertions could call abort()).
 9123      [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
 9124 
 9125  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
 9126 
 9127   *) Add various sanity checks to asn1_get_length() to reject
 9128      the ASN1 length bytes if they exceed sizeof(long), will appear
 9129      negative or the content length exceeds the length of the
 9130      supplied buffer.
 9131      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 9132 
 9133   *) Fix cipher selection routines: ciphers without encryption had no flags
 9134      for the cipher strength set and where therefore not handled correctly
 9135      by the selection routines (PR #130).
 9136      [Lutz Jaenicke]
 9137 
 9138   *) Fix EVP_dsa_sha macro.
 9139      [Nils Larsch]
 9140 
 9141   *) New option
 9142           SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 9143      for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
 9144      that was added in OpenSSL 0.9.6d.
 9145 
 9146      As the countermeasure turned out to be incompatible with some
 9147      broken SSL implementations, the new option is part of SSL_OP_ALL.
 9148      SSL_OP_ALL is usually employed when compatibility with weird SSL
 9149      implementations is desired (e.g. '-bugs' option to 's_client' and
 9150      's_server'), so the new option is automatically set in many
 9151      applications.
 9152      [Bodo Moeller]
 9153 
 9154   *) Changes in security patch:
 9155 
 9156      Changes marked "(CHATS)" were sponsored by the Defense Advanced
 9157      Research Projects Agency (DARPA) and Air Force Research Laboratory,
 9158      Air Force Materiel Command, USAF, under agreement number
 9159      F30602-01-2-0537.
 9160 
 9161   *) Add various sanity checks to asn1_get_length() to reject
 9162      the ASN1 length bytes if they exceed sizeof(long), will appear
 9163      negative or the content length exceeds the length of the
 9164      supplied buffer. (CVE-2002-0659)
 9165      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 9166 
 9167   *) Assertions for various potential buffer overflows, not known to
 9168      happen in practice.
 9169      [Ben Laurie (CHATS)]
 9170 
 9171   *) Various temporary buffers to hold ASCII versions of integers were
 9172      too small for 64 bit platforms. (CVE-2002-0655)
 9173      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 9174 
 9175   *) Remote buffer overflow in SSL3 protocol - an attacker could
 9176      supply an oversized session ID to a client. (CVE-2002-0656)
 9177      [Ben Laurie (CHATS)]
 9178 
 9179   *) Remote buffer overflow in SSL2 protocol - an attacker could
 9180      supply an oversized client master key. (CVE-2002-0656)
 9181      [Ben Laurie (CHATS)]
 9182 
 9183  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
 9184 
 9185   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
 9186      encoded as NULL) with id-dsa-with-sha1.
 9187      [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
 9188 
 9189   *) Check various X509_...() return values in apps/req.c.
 9190      [Nils Larsch <nla@trustcenter.de>]
 9191 
 9192   *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
 9193      an end-of-file condition would erroneously be flagged, when the CRLF
 9194      was just at the end of a processed block. The bug was discovered when
 9195      processing data through a buffering memory BIO handing the data to a
 9196      BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
 9197      <ptsekov@syntrex.com> and Nedelcho Stanev.
 9198      [Lutz Jaenicke]
 9199 
 9200   *) Implement a countermeasure against a vulnerability recently found
 9201      in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
 9202      before application data chunks to avoid the use of known IVs
 9203      with data potentially chosen by the attacker.
 9204      [Bodo Moeller]
 9205 
 9206   *) Fix length checks in ssl3_get_client_hello().
 9207      [Bodo Moeller]
 9208 
 9209   *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
 9210      to prevent ssl3_read_internal() from incorrectly assuming that
 9211      ssl3_read_bytes() found application data while handshake
 9212      processing was enabled when in fact s->s3->in_read_app_data was
 9213      merely automatically cleared during the initial handshake.
 9214      [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
 9215 
 9216   *) Fix object definitions for Private and Enterprise: they were not
 9217      recognized in their shortname (=lowercase) representation. Extend
 9218      obj_dat.pl to issue an error when using undefined keywords instead
 9219      of silently ignoring the problem (Svenning Sorensen
 9220      <sss@sss.dnsalias.net>).
 9221      [Lutz Jaenicke]
 9222 
 9223   *) Fix DH_generate_parameters() so that it works for 'non-standard'
 9224      generators, i.e. generators other than 2 and 5.  (Previously, the
 9225      code did not properly initialise the 'add' and 'rem' values to
 9226      BN_generate_prime().)
 9227 
 9228      In the new general case, we do not insist that 'generator' is
 9229      actually a primitive root: This requirement is rather pointless;
 9230      a generator of the order-q subgroup is just as good, if not
 9231      better.
 9232      [Bodo Moeller]
 9233 
 9234   *) Map new X509 verification errors to alerts. Discovered and submitted by
 9235      Tom Wu <tom@arcot.com>.
 9236      [Lutz Jaenicke]
 9237 
 9238   *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
 9239      returning non-zero before the data has been completely received
 9240      when using non-blocking I/O.
 9241      [Bodo Moeller; problem pointed out by John Hughes]
 9242 
 9243   *) Some of the ciphers missed the strength entry (SSL_LOW etc).
 9244      [Ben Laurie, Lutz Jaenicke]
 9245 
 9246   *) Fix bug in SSL_clear(): bad sessions were not removed (found by
 9247      Yoram Zahavi <YoramZ@gilian.com>).
 9248      [Lutz Jaenicke]
 9249 
 9250   *) Add information about CygWin 1.3 and on, and preserve proper
 9251      configuration for the versions before that.
 9252      [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
 9253 
 9254   *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
 9255      check whether we deal with a copy of a session and do not delete from
 9256      the cache in this case. Problem reported by "Izhar Shoshani Levi"
 9257      <izhar@checkpoint.com>.
 9258      [Lutz Jaenicke]
 9259 
 9260   *) Do not store session data into the internal session cache, if it
 9261      is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
 9262      flag is set). Proposed by Aslam <aslam@funk.com>.
 9263      [Lutz Jaenicke]
 9264 
 9265   *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
 9266      value is 0.
 9267      [Richard Levitte]
 9268 
 9269   *) [In 0.9.6d-engine release:]
 9270      Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
 9271      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 9272 
 9273   *) Add the configuration target linux-s390x.
 9274      [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
 9275 
 9276   *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
 9277      ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
 9278      variable as an indication that a ClientHello message has been
 9279      received.  As the flag value will be lost between multiple
 9280      invocations of ssl3_accept when using non-blocking I/O, the
 9281      function may not be aware that a handshake has actually taken
 9282      place, thus preventing a new session from being added to the
 9283      session cache.
 9284 
 9285      To avoid this problem, we now set s->new_session to 2 instead of
 9286      using a local variable.
 9287      [Lutz Jaenicke, Bodo Moeller]
 9288 
 9289   *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
 9290      if the SSL_R_LENGTH_MISMATCH error is detected.
 9291      [Geoff Thorpe, Bodo Moeller]
 9292 
 9293   *) New 'shared_ldflag' column in Configure platform table.
 9294      [Richard Levitte]
 9295 
 9296   *) Fix EVP_CIPHER_mode macro.
 9297      ["Dan S. Camper" <dan@bti.net>]
 9298 
 9299   *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
 9300      type, we must throw them away by setting rr->length to 0.
 9301      [D P Chang <dpc@qualys.com>]
 9302 
 9303  Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
 9304 
 9305   *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
 9306      <Dominikus.Scherkl@biodata.com>.  (The previous implementation
 9307      worked incorrectly for those cases where  range = 10..._2  and
 9308      3*range  is two bits longer than  range.)
 9309      [Bodo Moeller]
 9310 
 9311   *) Only add signing time to PKCS7 structures if it is not already
 9312      present.
 9313      [Steve Henson]
 9314 
 9315   *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
 9316      OBJ_ld_ce should be OBJ_id_ce.
 9317      Also some ip-pda OIDs in crypto/objects/objects.txt were
 9318      incorrect (cf. RFC 3039).
 9319      [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
 9320 
 9321   *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
 9322      returns early because it has nothing to do.
 9323      [Andy Schneider <andy.schneider@bjss.co.uk>]
 9324 
 9325   *) [In 0.9.6c-engine release:]
 9326      Fix mutex callback return values in crypto/engine/hw_ncipher.c.
 9327      [Andy Schneider <andy.schneider@bjss.co.uk>]
 9328 
 9329   *) [In 0.9.6c-engine release:]
 9330      Add support for Cryptographic Appliance's keyserver technology.
 9331      (Use engine 'keyclient')
 9332      [Cryptographic Appliances and Geoff Thorpe]
 9333 
 9334   *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
 9335      is called via tools/c89.sh because arguments have to be
 9336      rearranged (all '-L' options must appear before the first object
 9337      modules).
 9338      [Richard Shapiro <rshapiro@abinitio.com>]
 9339 
 9340   *) [In 0.9.6c-engine release:]
 9341      Add support for Broadcom crypto accelerator cards, backported
 9342      from 0.9.7.
 9343      [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
 9344 
 9345   *) [In 0.9.6c-engine release:]
 9346      Add support for SureWare crypto accelerator cards from
 9347      Baltimore Technologies.  (Use engine 'sureware')
 9348      [Baltimore Technologies and Mark Cox]
 9349 
 9350   *) [In 0.9.6c-engine release:]
 9351      Add support for crypto accelerator cards from Accelerated
 9352      Encryption Processing, www.aep.ie.  (Use engine 'aep')
 9353      [AEP Inc. and Mark Cox]
 9354 
 9355   *) Add a configuration entry for gcc on UnixWare.
 9356      [Gary Benson <gbenson@redhat.com>]
 9357 
 9358   *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
 9359      messages are stored in a single piece (fixed-length part and
 9360      variable-length part combined) and fix various bugs found on the way.
 9361      [Bodo Moeller]
 9362 
 9363   *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
 9364      instead.  BIO_gethostbyname() does not know what timeouts are
 9365      appropriate, so entries would stay in cache even when they have
 9366      become invalid.
 9367      [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
 9368 
 9369   *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
 9370      faced with a pathologically small ClientHello fragment that does
 9371      not contain client_version: Instead of aborting with an error,
 9372      simply choose the highest available protocol version (i.e.,
 9373      TLS 1.0 unless it is disabled).  In practice, ClientHello
 9374      messages are never sent like this, but this change gives us
 9375      strictly correct behaviour at least for TLS.
 9376      [Bodo Moeller]
 9377 
 9378   *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
 9379      never resets s->method to s->ctx->method when called from within
 9380      one of the SSL handshake functions.
 9381      [Bodo Moeller; problem pointed out by Niko Baric]
 9382 
 9383   *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
 9384      (sent using the client's version number) if client_version is
 9385      smaller than the protocol version in use.  Also change
 9386      ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
 9387      the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
 9388      the client will at least see that alert.
 9389      [Bodo Moeller]
 9390 
 9391   *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
 9392      correctly.
 9393      [Bodo Moeller]
 9394 
 9395   *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
 9396      client receives HelloRequest while in a handshake.
 9397      [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
 9398 
 9399   *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
 9400      should end in 'break', not 'goto end' which circumvents various
 9401      cleanups done in state SSL_ST_OK.   But session related stuff
 9402      must be disabled for SSL_ST_OK in the case that we just sent a
 9403      HelloRequest.
 9404 
 9405      Also avoid some overhead by not calling ssl_init_wbio_buffer()
 9406      before just sending a HelloRequest.
 9407      [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
 9408 
 9409   *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
 9410      reveal whether illegal block cipher padding was found or a MAC
 9411      verification error occurred.  (Neither SSLerr() codes nor alerts
 9412      are directly visible to potential attackers, but the information
 9413      may leak via logfiles.)
 9414 
 9415      Similar changes are not required for the SSL 2.0 implementation
 9416      because the number of padding bytes is sent in clear for SSL 2.0,
 9417      and the extra bytes are just ignored.  However ssl/s2_pkt.c
 9418      failed to verify that the purported number of padding bytes is in
 9419      the legal range.
 9420      [Bodo Moeller]
 9421 
 9422   *) Add OpenUNIX-8 support including shared libraries
 9423      (Boyd Lynn Gerber <gerberb@zenez.com>).
 9424      [Lutz Jaenicke]
 9425 
 9426   *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
 9427      'wristwatch attack' using huge encoding parameters (cf.
 9428      James H. Manger's CRYPTO 2001 paper).  Note that the
 9429      RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
 9430      encoding parameters and hence was not vulnerable.
 9431      [Bodo Moeller]
 9432 
 9433   *) BN_sqr() bug fix.
 9434      [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
 9435 
 9436   *) Rabin-Miller test analyses assume uniformly distributed witnesses,
 9437      so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
 9438      followed by modular reduction.
 9439      [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
 9440 
 9441   *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
 9442      equivalent based on BN_pseudo_rand() instead of BN_rand().
 9443      [Bodo Moeller]
 9444 
 9445   *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
 9446      This function was broken, as the check for a new client hello message
 9447      to handle SGC did not allow these large messages.
 9448      (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
 9449      [Lutz Jaenicke]
 9450 
 9451   *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
 9452      [Lutz Jaenicke]
 9453 
 9454   *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
 9455      for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
 9456      [Lutz Jaenicke]
 9457 
 9458   *) Rework the configuration and shared library support for Tru64 Unix.
 9459      The configuration part makes use of modern compiler features and
 9460      still retains old compiler behavior for those that run older versions
 9461      of the OS.  The shared library support part includes a variant that
 9462      uses the RPATH feature, and is available through the special
 9463      configuration target "alpha-cc-rpath", which will never be selected
 9464      automatically.
 9465      [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
 9466 
 9467   *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
 9468      with the same message size as in ssl3_get_certificate_request().
 9469      Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
 9470      messages might inadvertently be reject as too long.
 9471      [Petr Lampa <lampa@fee.vutbr.cz>]
 9472 
 9473   *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
 9474      [Andy Polyakov]
 9475 
 9476   *) Modified SSL library such that the verify_callback that has been set
 9477      specifically for an SSL object with SSL_set_verify() is actually being
 9478      used. Before the change, a verify_callback set with this function was
 9479      ignored and the verify_callback() set in the SSL_CTX at the time of
 9480      the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
 9481      to allow the necessary settings.
 9482      [Lutz Jaenicke]
 9483 
 9484   *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
 9485      explicitly to NULL, as at least on Solaris 8 this seems not always to be
 9486      done automatically (in contradiction to the requirements of the C
 9487      standard). This made problems when used from OpenSSH.
 9488      [Lutz Jaenicke]
 9489 
 9490   *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
 9491      dh->length and always used
 9492 
 9493           BN_rand_range(priv_key, dh->p).
 9494 
 9495      BN_rand_range() is not necessary for Diffie-Hellman, and this
 9496      specific range makes Diffie-Hellman unnecessarily inefficient if
 9497      dh->length (recommended exponent length) is much smaller than the
 9498      length of dh->p.  We could use BN_rand_range() if the order of
 9499      the subgroup was stored in the DH structure, but we only have
 9500      dh->length.
 9501 
 9502      So switch back to
 9503 
 9504           BN_rand(priv_key, l, ...)
 9505 
 9506      where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
 9507      otherwise.
 9508      [Bodo Moeller]
 9509 
 9510   *) In
 9511 
 9512           RSA_eay_public_encrypt
 9513           RSA_eay_private_decrypt
 9514           RSA_eay_private_encrypt (signing)
 9515           RSA_eay_public_decrypt (signature verification)
 9516 
 9517      (default implementations for RSA_public_encrypt,
 9518      RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
 9519      always reject numbers >= n.
 9520      [Bodo Moeller]
 9521 
 9522   *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
 9523      to synchronize access to 'locking_thread'.  This is necessary on
 9524      systems where access to 'locking_thread' (an 'unsigned long'
 9525      variable) is not atomic.
 9526      [Bodo Moeller]
 9527 
 9528   *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
 9529      *before* setting the 'crypto_lock_rand' flag.  The previous code had
 9530      a race condition if 0 is a valid thread ID.
 9531      [Travis Vitek <vitek@roguewave.com>]
 9532 
 9533   *) Add support for shared libraries under Irix.
 9534      [Albert Chin-A-Young <china@thewrittenword.com>]
 9535 
 9536   *) Add configuration option to build on Linux on both big-endian and
 9537      little-endian MIPS.
 9538      [Ralf Baechle <ralf@uni-koblenz.de>]
 9539 
 9540   *) Add the possibility to create shared libraries on HP-UX.
 9541      [Richard Levitte]
 9542 
 9543  Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
 9544 
 9545   *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
 9546      to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
 9547      Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
 9548      PRNG state recovery was possible based on the output of
 9549      one PRNG request appropriately sized to gain knowledge on
 9550      'md' followed by enough consecutive 1-byte PRNG requests
 9551      to traverse all of 'state'.
 9552 
 9553      1. When updating 'md_local' (the current thread's copy of 'md')
 9554         during PRNG output generation, hash all of the previous
 9555         'md_local' value, not just the half used for PRNG output.
 9556 
 9557      2. Make the number of bytes from 'state' included into the hash
 9558         independent from the number of PRNG bytes requested.
 9559 
 9560      The first measure alone would be sufficient to avoid
 9561      Markku-Juhani's attack.  (Actually it had never occurred
 9562      to me that the half of 'md_local' used for chaining was the
 9563      half from which PRNG output bytes were taken -- I had always
 9564      assumed that the secret half would be used.)  The second
 9565      measure makes sure that additional data from 'state' is never
 9566      mixed into 'md_local' in small portions; this heuristically
 9567      further strengthens the PRNG.
 9568      [Bodo Moeller]
 9569 
 9570   *) Fix crypto/bn/asm/mips3.s.
 9571      [Andy Polyakov]
 9572 
 9573   *) When only the key is given to "enc", the IV is undefined. Print out
 9574      an error message in this case.
 9575      [Lutz Jaenicke]
 9576 
 9577   *) Handle special case when X509_NAME is empty in X509 printing routines.
 9578      [Steve Henson]
 9579 
 9580   *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
 9581      positive and less than q.
 9582      [Bodo Moeller]
 9583 
 9584   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
 9585      used: it isn't thread safe and the add_lock_callback should handle
 9586      that itself.
 9587      [Paul Rose <Paul.Rose@bridge.com>]
 9588 
 9589   *) Verify that incoming data obeys the block size in
 9590      ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
 9591      [Bodo Moeller]
 9592 
 9593   *) Fix OAEP check.
 9594      [Ulf Möller, Bodo Möller]
 9595 
 9596   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
 9597      RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
 9598      when fixing the server behaviour for backwards-compatible 'client
 9599      hello' messages.  (Note that the attack is impractical against
 9600      SSL 3.0 and TLS 1.0 anyway because length and version checking
 9601      means that the probability of guessing a valid ciphertext is
 9602      around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
 9603      paper.)
 9604 
 9605      Before 0.9.5, the countermeasure (hide the error by generating a
 9606      random 'decryption result') did not work properly because
 9607      ERR_clear_error() was missing, meaning that SSL_get_error() would
 9608      detect the supposedly ignored error.
 9609 
 9610      Both problems are now fixed.
 9611      [Bodo Moeller]
 9612 
 9613   *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
 9614      (previously it was 1024).
 9615      [Bodo Moeller]
 9616 
 9617   *) Fix for compatibility mode trust settings: ignore trust settings
 9618      unless some valid trust or reject settings are present.
 9619      [Steve Henson]
 9620 
 9621   *) Fix for blowfish EVP: its a variable length cipher.
 9622      [Steve Henson]
 9623 
 9624   *) Fix various bugs related to DSA S/MIME verification. Handle missing
 9625      parameters in DSA public key structures and return an error in the
 9626      DSA routines if parameters are absent.
 9627      [Steve Henson]
 9628 
 9629   *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
 9630      in the current directory if neither $RANDFILE nor $HOME was set.
 9631      RAND_file_name() in 0.9.6a returned NULL in this case.  This has
 9632      caused some confusion to Windows users who haven't defined $HOME.
 9633      Thus RAND_file_name() is changed again: e_os.h can define a
 9634      DEFAULT_HOME, which will be used if $HOME is not set.
 9635      For Windows, we use "C:"; on other platforms, we still require
 9636      environment variables.
 9637 
 9638   *) Move 'if (!initialized) RAND_poll()' into regions protected by
 9639      CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
 9640      having multiple threads call RAND_poll() concurrently.
 9641      [Bodo Moeller]
 9642 
 9643   *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
 9644      combination of a flag and a thread ID variable.
 9645      Otherwise while one thread is in ssleay_rand_bytes (which sets the
 9646      flag), *other* threads can enter ssleay_add_bytes without obeying
 9647      the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
 9648      that they do not hold after the first thread unsets add_do_not_lock).
 9649      [Bodo Moeller]
 9650 
 9651   *) Change bctest again: '-x' expressions are not available in all
 9652      versions of 'test'.
 9653      [Bodo Moeller]
 9654 
 9655  Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
 9656 
 9657   *) Fix a couple of memory leaks in PKCS7_dataDecode()
 9658      [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
 9659 
 9660   *) Change Configure and Makefiles to provide EXE_EXT, which will contain
 9661      the default extension for executables, if any.  Also, make the perl
 9662      scripts that use symlink() to test if it really exists and use "cp"
 9663      if it doesn't.  All this made OpenSSL compilable and installable in
 9664      CygWin.
 9665      [Richard Levitte]
 9666 
 9667   *) Fix for asn1_GetSequence() for indefinite length constructed data.
 9668      If SEQUENCE is length is indefinite just set c->slen to the total
 9669      amount of data available.
 9670      [Steve Henson, reported by shige@FreeBSD.org]
 9671      [This change does not apply to 0.9.7.]
 9672 
 9673   *) Change bctest to avoid here-documents inside command substitution
 9674      (workaround for FreeBSD /bin/sh bug).
 9675      For compatibility with Ultrix, avoid shell functions (introduced
 9676      in the bctest version that searches along $PATH).
 9677      [Bodo Moeller]
 9678 
 9679   *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
 9680      with des_encrypt() defined on some operating systems, like Solaris
 9681      and UnixWare.
 9682      [Richard Levitte]
 9683 
 9684   *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
 9685      On the Importance of Eliminating Errors in Cryptographic
 9686      Computations, J. Cryptology 14 (2001) 2, 101-119,
 9687      http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
 9688      [Ulf Moeller]
 9689 
 9690   *) MIPS assembler BIGNUM division bug fix.
 9691      [Andy Polyakov]
 9692 
 9693   *) Disabled incorrect Alpha assembler code.
 9694      [Richard Levitte]
 9695 
 9696   *) Fix PKCS#7 decode routines so they correctly update the length
 9697      after reading an EOC for the EXPLICIT tag.
 9698      [Steve Henson]
 9699      [This change does not apply to 0.9.7.]
 9700 
 9701   *) Fix bug in PKCS#12 key generation routines. This was triggered
 9702      if a 3DES key was generated with a 0 initial byte. Include
 9703      PKCS12_BROKEN_KEYGEN compilation option to retain the old
 9704      (but broken) behaviour.
 9705      [Steve Henson]
 9706 
 9707   *) Enhance bctest to search for a working bc along $PATH and print
 9708      it when found.
 9709      [Tim Rice <tim@multitalents.net> via Richard Levitte]
 9710 
 9711   *) Fix memory leaks in err.c: free err_data string if necessary;
 9712      don't write to the wrong index in ERR_set_error_data.
 9713      [Bodo Moeller]
 9714 
 9715   *) Implement ssl23_peek (analogous to ssl23_read), which previously
 9716      did not exist.
 9717      [Bodo Moeller]
 9718 
 9719   *) Replace rdtsc with _emit statements for VC++ version 5.
 9720      [Jeremy Cooper <jeremy@baymoo.org>]
 9721 
 9722   *) Make it possible to reuse SSLv2 sessions.
 9723      [Richard Levitte]
 9724 
 9725   *) In copy_email() check for >= 0 as a return value for
 9726      X509_NAME_get_index_by_NID() since 0 is a valid index.
 9727      [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
 9728 
 9729   *) Avoid coredump with unsupported or invalid public keys by checking if
 9730      X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
 9731      PKCS7_verify() fails with non detached data.
 9732      [Steve Henson]
 9733 
 9734   *) Don't use getenv in library functions when run as setuid/setgid.
 9735      New function OPENSSL_issetugid().
 9736      [Ulf Moeller]
 9737 
 9738   *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
 9739      due to incorrect handling of multi-threading:
 9740 
 9741      1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
 9742 
 9743      2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
 9744 
 9745      3. Count how many times MemCheck_off() has been called so that
 9746         nested use can be treated correctly.  This also avoids
 9747         inband-signalling in the previous code (which relied on the
 9748         assumption that thread ID 0 is impossible).
 9749      [Bodo Moeller]
 9750 
 9751   *) Add "-rand" option also to s_client and s_server.
 9752      [Lutz Jaenicke]
 9753 
 9754   *) Fix CPU detection on Irix 6.x.
 9755      [Kurt Hockenbury <khockenb@stevens-tech.edu> and
 9756       "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
 9757 
 9758   *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
 9759      was empty.
 9760      [Steve Henson]
 9761      [This change does not apply to 0.9.7.]
 9762 
 9763   *) Use the cached encoding of an X509_NAME structure rather than
 9764      copying it. This is apparently the reason for the libsafe "errors"
 9765      but the code is actually correct.
 9766      [Steve Henson]
 9767 
 9768   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
 9769      Bleichenbacher's DSA attack.
 9770      Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
 9771      to be set and top=0 forces the highest bit to be set; top=-1 is new
 9772      and leaves the highest bit random.
 9773      [Ulf Moeller, Bodo Moeller]
 9774 
 9775   *) In the NCONF_...-based implementations for CONF_... queries
 9776      (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
 9777      a temporary CONF structure with the data component set to NULL
 9778      (which gives segmentation faults in lh_retrieve).
 9779      Instead, use NULL for the CONF pointer in CONF_get_string and
 9780      CONF_get_number (which may use environment variables) and directly
 9781      return NULL from CONF_get_section.
 9782      [Bodo Moeller]
 9783 
 9784   *) Fix potential buffer overrun for EBCDIC.
 9785      [Ulf Moeller]
 9786 
 9787   *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
 9788      keyUsage if basicConstraints absent for a CA.
 9789      [Steve Henson]
 9790 
 9791   *) Make SMIME_write_PKCS7() write mail header values with a format that
 9792      is more generally accepted (no spaces before the semicolon), since
 9793      some programs can't parse those values properly otherwise.  Also make
 9794      sure BIO's that break lines after each write do not create invalid
 9795      headers.
 9796      [Richard Levitte]
 9797 
 9798   *) Make the CRL encoding routines work with empty SEQUENCE OF. The
 9799      macros previously used would not encode an empty SEQUENCE OF
 9800      and break the signature.
 9801      [Steve Henson]
 9802      [This change does not apply to 0.9.7.]
 9803 
 9804   *) Zero the premaster secret after deriving the master secret in
 9805      DH ciphersuites.
 9806      [Steve Henson]
 9807 
 9808   *) Add some EVP_add_digest_alias registrations (as found in
 9809      OpenSSL_add_all_digests()) to SSL_library_init()
 9810      aka OpenSSL_add_ssl_algorithms().  This provides improved
 9811      compatibility with peers using X.509 certificates
 9812      with unconventional AlgorithmIdentifier OIDs.
 9813      [Bodo Moeller]
 9814 
 9815   *) Fix for Irix with NO_ASM.
 9816      ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
 9817 
 9818   *) ./config script fixes.
 9819      [Ulf Moeller, Richard Levitte]
 9820 
 9821   *) Fix 'openssl passwd -1'.
 9822      [Bodo Moeller]
 9823 
 9824   *) Change PKCS12_key_gen_asc() so it can cope with non null
 9825      terminated strings whose length is passed in the passlen
 9826      parameter, for example from PEM callbacks. This was done
 9827      by adding an extra length parameter to asc2uni().
 9828      [Steve Henson, reported by <oddissey@samsung.co.kr>]
 9829 
 9830   *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
 9831      call failed, free the DSA structure.
 9832      [Bodo Moeller]
 9833 
 9834   *) Fix to uni2asc() to cope with zero length Unicode strings.
 9835      These are present in some PKCS#12 files.
 9836      [Steve Henson]
 9837 
 9838   *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
 9839      Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
 9840      when writing a 32767 byte record.
 9841      [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
 9842 
 9843   *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
 9844      obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
 9845 
 9846      (RSA objects have a reference count access to which is protected
 9847      by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
 9848      so they are meant to be shared between threads.)
 9849      [Bodo Moeller, Geoff Thorpe; original patch submitted by
 9850      "Reddie, Steven" <Steven.Reddie@ca.com>]
 9851 
 9852   *) Fix a deadlock in CRYPTO_mem_leaks().
 9853      [Bodo Moeller]
 9854 
 9855   *) Use better test patterns in bntest.
 9856      [Ulf Möller]
 9857 
 9858   *) rand_win.c fix for Borland C.
 9859      [Ulf Möller]
 9860 
 9861   *) BN_rshift bugfix for n == 0.
 9862      [Bodo Moeller]
 9863 
 9864   *) Add a 'bctest' script that checks for some known 'bc' bugs
 9865      so that 'make test' does not abort just because 'bc' is broken.
 9866      [Bodo Moeller]
 9867 
 9868   *) Store verify_result within SSL_SESSION also for client side to
 9869      avoid potential security hole. (Re-used sessions on the client side
 9870      always resulted in verify_result==X509_V_OK, not using the original
 9871      result of the server certificate verification.)
 9872      [Lutz Jaenicke]
 9873 
 9874   *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
 9875      SSL3_RT_APPLICATION_DATA, return 0.
 9876      Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
 9877      [Bodo Moeller]
 9878 
 9879   *) Fix SSL_peek:
 9880      Both ssl2_peek and ssl3_peek, which were totally broken in earlier
 9881      releases, have been re-implemented by renaming the previous
 9882      implementations of ssl2_read and ssl3_read to ssl2_read_internal
 9883      and ssl3_read_internal, respectively, and adding 'peek' parameters
 9884      to them.  The new ssl[23]_{read,peek} functions are calls to
 9885      ssl[23]_read_internal with the 'peek' flag set appropriately.
 9886      A 'peek' parameter has also been added to ssl3_read_bytes, which
 9887      does the actual work for ssl3_read_internal.
 9888      [Bodo Moeller]
 9889 
 9890   *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
 9891      the method-specific "init()" handler. Also clean up ex_data after
 9892      calling the method-specific "finish()" handler. Previously, this was
 9893      happening the other way round.
 9894      [Geoff Thorpe]
 9895 
 9896   *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
 9897      The previous value, 12, was not always sufficient for BN_mod_exp().
 9898      [Bodo Moeller]
 9899 
 9900   *) Make sure that shared libraries get the internal name engine with
 9901      the full version number and not just 0.  This should mark the
 9902      shared libraries as not backward compatible.  Of course, this should
 9903      be changed again when we can guarantee backward binary compatibility.
 9904      [Richard Levitte]
 9905 
 9906   *) Fix typo in get_cert_by_subject() in by_dir.c
 9907      [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
 9908 
 9909   *) Rework the system to generate shared libraries:
 9910 
 9911      - Make note of the expected extension for the shared libraries and
 9912        if there is a need for symbolic links from for example libcrypto.so.0
 9913        to libcrypto.so.0.9.7.  There is extended info in Configure for
 9914        that.
 9915 
 9916      - Make as few rebuilds of the shared libraries as possible.
 9917 
 9918      - Still avoid linking the OpenSSL programs with the shared libraries.
 9919 
 9920      - When installing, install the shared libraries separately from the
 9921        static ones.
 9922      [Richard Levitte]
 9923 
 9924   *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
 9925 
 9926      Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
 9927      and not in SSL_clear because the latter is also used by the
 9928      accept/connect functions; previously, the settings made by
 9929      SSL_set_read_ahead would be lost during the handshake.
 9930      [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
 9931 
 9932   *) Correct util/mkdef.pl to be selective about disabled algorithms.
 9933      Previously, it would create entries for disabled algorithms no
 9934      matter what.
 9935      [Richard Levitte]
 9936 
 9937   *) Added several new manual pages for SSL_* function.
 9938      [Lutz Jaenicke]
 9939 
 9940  Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
 9941 
 9942   *) In ssl23_get_client_hello, generate an error message when faced
 9943      with an initial SSL 3.0/TLS record that is too small to contain the
 9944      first two bytes of the ClientHello message, i.e. client_version.
 9945      (Note that this is a pathologic case that probably has never happened
 9946      in real life.)  The previous approach was to use the version number
 9947      from the record header as a substitute; but our protocol choice
 9948      should not depend on that one because it is not authenticated
 9949      by the Finished messages.
 9950      [Bodo Moeller]
 9951 
 9952   *) More robust randomness gathering functions for Windows.
 9953      [Jeffrey Altman <jaltman@columbia.edu>]
 9954 
 9955   *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
 9956      not set then we don't setup the error code for issuer check errors
 9957      to avoid possibly overwriting other errors which the callback does
 9958      handle. If an application does set the flag then we assume it knows
 9959      what it is doing and can handle the new informational codes
 9960      appropriately.
 9961      [Steve Henson]
 9962 
 9963   *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
 9964      a general "ANY" type, as such it should be able to decode anything
 9965      including tagged types. However it didn't check the class so it would
 9966      wrongly interpret tagged types in the same way as their universal
 9967      counterpart and unknown types were just rejected. Changed so that the
 9968      tagged and unknown types are handled in the same way as a SEQUENCE:
 9969      that is the encoding is stored intact. There is also a new type
 9970      "V_ASN1_OTHER" which is used when the class is not universal, in this
 9971      case we have no idea what the actual type is so we just lump them all
 9972      together.
 9973      [Steve Henson]
 9974 
 9975   *) On VMS, stdout may very well lead to a file that is written to
 9976      in a record-oriented fashion.  That means that every write() will
 9977      write a separate record, which will be read separately by the
 9978      programs trying to read from it.  This can be very confusing.
 9979 
 9980      The solution is to put a BIO filter in the way that will buffer
 9981      text until a linefeed is reached, and then write everything a
 9982      line at a time, so every record written will be an actual line,
 9983      not chunks of lines and not (usually doesn't happen, but I've
 9984      seen it once) several lines in one record.  BIO_f_linebuffer() is
 9985      the answer.
 9986 
 9987      Currently, it's a VMS-only method, because that's where it has
 9988      been tested well enough.
 9989      [Richard Levitte]
 9990 
 9991   *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
 9992      it can return incorrect results.
 9993      (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
 9994      but it was in 0.9.6-beta[12].)
 9995      [Bodo Moeller]
 9996 
 9997   *) Disable the check for content being present when verifying detached
 9998      signatures in pk7_smime.c. Some versions of Netscape (wrongly)
 9999      include zero length content when signing messages.
10000      [Steve Henson]
10001 
10002   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
10003      BIO_ctrl (for BIO pairs).
10004      [Bodo Möller]
10005 
10006   *) Add DSO method for VMS.
10007      [Richard Levitte]
10008 
10009   *) Bug fix: Montgomery multiplication could produce results with the
10010      wrong sign.
10011      [Ulf Möller]
10012 
10013   *) Add RPM specification openssl.spec and modify it to build three
10014      packages.  The default package contains applications, application
10015      documentation and run-time libraries.  The devel package contains
10016      include files, static libraries and function documentation.  The
10017      doc package contains the contents of the doc directory.  The original
10018      openssl.spec was provided by Damien Miller <djm@mindrot.org>.
10019      [Richard Levitte]
10020 
10021   *) Add a large number of documentation files for many SSL routines.
10022      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
10023 
10024   *) Add a configuration entry for Sony News 4.
10025      [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
10026 
10027   *) Don't set the two most significant bits to one when generating a
10028      random number < q in the DSA library.
10029      [Ulf Möller]
10030 
10031   *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
10032      behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
10033      the underlying transport is blocking) if a handshake took place.
10034      (The default behaviour is needed by applications such as s_client
10035      and s_server that use select() to determine when to use SSL_read;
10036      but for applications that know in advance when to expect data, it
10037      just makes things more complicated.)
10038      [Bodo Moeller]
10039 
10040   *) Add RAND_egd_bytes(), which gives control over the number of bytes read
10041      from EGD.
10042      [Ben Laurie]
10043 
10044   *) Add a few more EBCDIC conditionals that make `req' and `x509'
10045      work better on such systems.
10046      [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
10047 
10048   *) Add two demo programs for PKCS12_parse() and PKCS12_create().
10049      Update PKCS12_parse() so it copies the friendlyName and the
10050      keyid to the certificates aux info.
10051      [Steve Henson]
10052 
10053   *) Fix bug in PKCS7_verify() which caused an infinite loop
10054      if there was more than one signature.
10055      [Sven Uszpelkat <su@celocom.de>]
10056 
10057   *) Major change in util/mkdef.pl to include extra information
10058      about each symbol, as well as presenting variables as well
10059      as functions.  This change means that there's n more need
10060      to rebuild the .num files when some algorithms are excluded.
10061      [Richard Levitte]
10062 
10063   *) Allow the verify time to be set by an application,
10064      rather than always using the current time.
10065      [Steve Henson]
10066 
10067   *) Phase 2 verify code reorganisation. The certificate
10068      verify code now looks up an issuer certificate by a
10069      number of criteria: subject name, authority key id
10070      and key usage. It also verifies self signed certificates
10071      by the same criteria. The main comparison function is
10072      X509_check_issued() which performs these checks.
10073 
10074      Lot of changes were necessary in order to support this
10075      without completely rewriting the lookup code.
10076 
10077      Authority and subject key identifier are now cached.
10078 
10079      The LHASH 'certs' is X509_STORE has now been replaced
10080      by a STACK_OF(X509_OBJECT). This is mainly because an
10081      LHASH can't store or retrieve multiple objects with
10082      the same hash value.
10083 
10084      As a result various functions (which were all internal
10085      use only) have changed to handle the new X509_STORE
10086      structure. This will break anything that messed round
10087      with X509_STORE internally.
10088 
10089      The functions X509_STORE_add_cert() now checks for an
10090      exact match, rather than just subject name.
10091 
10092      The X509_STORE API doesn't directly support the retrieval
10093      of multiple certificates matching a given criteria, however
10094      this can be worked round by performing a lookup first
10095      (which will fill the cache with candidate certificates)
10096      and then examining the cache for matches. This is probably
10097      the best we can do without throwing out X509_LOOKUP
10098      entirely (maybe later...).
10099 
10100      The X509_VERIFY_CTX structure has been enhanced considerably.
10101 
10102      All certificate lookup operations now go via a get_issuer()
10103      callback. Although this currently uses an X509_STORE it
10104      can be replaced by custom lookups. This is a simple way
10105      to bypass the X509_STORE hackery necessary to make this
10106      work and makes it possible to use more efficient techniques
10107      in future. A very simple version which uses a simple
10108      STACK for its trusted certificate store is also provided
10109      using X509_STORE_CTX_trusted_stack().
10110 
10111      The verify_cb() and verify() callbacks now have equivalents
10112      in the X509_STORE_CTX structure.
10113 
10114      X509_STORE_CTX also has a 'flags' field which can be used
10115      to customise the verify behaviour.
10116      [Steve Henson]
10117 
10118   *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
10119      excludes S/MIME capabilities.
10120      [Steve Henson]
10121 
10122   *) When a certificate request is read in keep a copy of the
10123      original encoding of the signed data and use it when outputting
10124      again. Signatures then use the original encoding rather than
10125      a decoded, encoded version which may cause problems if the
10126      request is improperly encoded.
10127      [Steve Henson]
10128 
10129   *) For consistency with other BIO_puts implementations, call
10130      buffer_write(b, ...) directly in buffer_puts instead of calling
10131      BIO_write(b, ...).
10132 
10133      In BIO_puts, increment b->num_write as in BIO_write.
10134      [Peter.Sylvester@EdelWeb.fr]
10135 
10136   *) Fix BN_mul_word for the case where the word is 0. (We have to use
10137      BN_zero, we may not return a BIGNUM with an array consisting of
10138      words set to zero.)
10139      [Bodo Moeller]
10140 
10141   *) Avoid calling abort() from within the library when problems are
10142      detected, except if preprocessor symbols have been defined
10143      (such as REF_CHECK, BN_DEBUG etc.).
10144      [Bodo Moeller]
10145 
10146   *) New openssl application 'rsautl'. This utility can be
10147      used for low level RSA operations. DER public key
10148      BIO/fp routines also added.
10149      [Steve Henson]
10150 
10151   *) New Configure entry and patches for compiling on QNX 4.
10152      [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
10153 
10154   *) A demo state-machine implementation was sponsored by
10155      Nuron (http://www.nuron.com/) and is now available in
10156      demos/state_machine.
10157      [Ben Laurie]
10158 
10159   *) New options added to the 'dgst' utility for signature
10160      generation and verification.
10161      [Steve Henson]
10162 
10163   *) Unrecognized PKCS#7 content types are now handled via a
10164      catch all ASN1_TYPE structure. This allows unsupported
10165      types to be stored as a "blob" and an application can
10166      encode and decode it manually.
10167      [Steve Henson]
10168 
10169   *) Fix various signed/unsigned issues to make a_strex.c
10170      compile under VC++.
10171      [Oscar Jacobsson <oscar.jacobsson@celocom.com>]
10172 
10173   *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
10174      length if passed a buffer. ASN1_INTEGER_to_BN failed
10175      if passed a NULL BN and its argument was negative.
10176      [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
10177 
10178   *) Modification to PKCS#7 encoding routines to output definite
10179      length encoding. Since currently the whole structures are in
10180      memory there's not real point in using indefinite length
10181      constructed encoding. However if OpenSSL is compiled with
10182      the flag PKCS7_INDEFINITE_ENCODING the old form is used.
10183      [Steve Henson]
10184 
10185   *) Added BIO_vprintf() and BIO_vsnprintf().
10186      [Richard Levitte]
10187 
10188   *) Added more prefixes to parse for in the strings written
10189      through a logging bio, to cover all the levels that are available
10190      through syslog.  The prefixes are now:
10191 
10192         PANIC, EMERG, EMR       =>      LOG_EMERG
10193         ALERT, ALR              =>      LOG_ALERT
10194         CRIT, CRI               =>      LOG_CRIT
10195         ERROR, ERR              =>      LOG_ERR
10196         WARNING, WARN, WAR      =>      LOG_WARNING
10197         NOTICE, NOTE, NOT       =>      LOG_NOTICE
10198         INFO, INF               =>      LOG_INFO
10199         DEBUG, DBG              =>      LOG_DEBUG
10200 
10201      and as before, if none of those prefixes are present at the
10202      beginning of the string, LOG_ERR is chosen.
10203 
10204      On Win32, the LOG_* levels are mapped according to this:
10205 
10206         LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
10207         LOG_WARNING                             => EVENTLOG_WARNING_TYPE
10208         LOG_NOTICE, LOG_INFO, LOG_DEBUG         => EVENTLOG_INFORMATION_TYPE
10209 
10210      [Richard Levitte]
10211 
10212   *) Made it possible to reconfigure with just the configuration
10213      argument "reconf" or "reconfigure".  The command line arguments
10214      are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
10215      and are retrieved from there when reconfiguring.
10216      [Richard Levitte]
10217 
10218   *) MD4 implemented.
10219      [Assar Westerlund <assar@sics.se>, Richard Levitte]
10220 
10221   *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
10222      [Richard Levitte]
10223 
10224   *) The obj_dat.pl script was messing up the sorting of object
10225      names. The reason was that it compared the quoted version
10226      of strings as a result "OCSP" > "OCSP Signing" because
10227      " > SPACE. Changed script to store unquoted versions of
10228      names and add quotes on output. It was also omitting some
10229      names from the lookup table if they were given a default
10230      value (that is if SN is missing it is given the same
10231      value as LN and vice versa), these are now added on the
10232      grounds that if an object has a name we should be able to
10233      look it up. Finally added warning output when duplicate
10234      short or long names are found.
10235      [Steve Henson]
10236 
10237   *) Changes needed for Tandem NSK.
10238      [Scott Uroff <scott@xypro.com>]
10239 
10240   *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
10241      RSA_padding_check_SSLv23(), special padding was never detected
10242      and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
10243      version rollback attacks was not effective.
10244 
10245      In s23_clnt.c, don't use special rollback-attack detection padding
10246      (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
10247      client; similarly, in s23_srvr.c, don't do the rollback check if
10248      SSL 2.0 is the only protocol enabled in the server.
10249      [Bodo Moeller]
10250 
10251   *) Make it possible to get hexdumps of unprintable data with 'openssl
10252      asn1parse'.  By implication, the functions ASN1_parse_dump() and
10253      BIO_dump_indent() are added.
10254      [Richard Levitte]
10255 
10256   *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
10257      these print out strings and name structures based on various
10258      flags including RFC2253 support and proper handling of
10259      multibyte characters. Added options to the 'x509' utility
10260      to allow the various flags to be set.
10261      [Steve Henson]
10262 
10263   *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
10264      Also change the functions X509_cmp_current_time() and
10265      X509_gmtime_adj() work with an ASN1_TIME structure,
10266      this will enable certificates using GeneralizedTime in validity
10267      dates to be checked.
10268      [Steve Henson]
10269 
10270   *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
10271      negative public key encodings) on by default,
10272      NO_NEG_PUBKEY_BUG can be set to disable it.
10273      [Steve Henson]
10274 
10275   *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
10276      content octets. An i2c_ASN1_OBJECT is unnecessary because
10277      the encoding can be trivially obtained from the structure.
10278      [Steve Henson]
10279 
10280   *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
10281      not read locks (CRYPTO_r_[un]lock).
10282      [Bodo Moeller]
10283 
10284   *) A first attempt at creating official support for shared
10285      libraries through configuration.  I've kept it so the
10286      default is static libraries only, and the OpenSSL programs
10287      are always statically linked for now, but there are
10288      preparations for dynamic linking in place.
10289      This has been tested on Linux and Tru64.
10290      [Richard Levitte]
10291 
10292   *) Randomness polling function for Win9x, as described in:
10293      Peter Gutmann, Software Generation of Practically Strong
10294      Random Numbers.
10295      [Ulf Möller]
10296 
10297   *) Fix so PRNG is seeded in req if using an already existing
10298      DSA key.
10299      [Steve Henson]
10300 
10301   *) New options to smime application. -inform and -outform
10302      allow alternative formats for the S/MIME message including
10303      PEM and DER. The -content option allows the content to be
10304      specified separately. This should allow things like Netscape
10305      form signing output easier to verify.
10306      [Steve Henson]
10307 
10308   *) Fix the ASN1 encoding of tags using the 'long form'.
10309      [Steve Henson]
10310 
10311   *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
10312      STRING types. These convert content octets to and from the
10313      underlying type. The actual tag and length octets are
10314      already assumed to have been read in and checked. These
10315      are needed because all other string types have virtually
10316      identical handling apart from the tag. By having versions
10317      of the ASN1 functions that just operate on content octets
10318      IMPLICIT tagging can be handled properly. It also allows
10319      the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
10320      and ASN1_INTEGER are identical apart from the tag.
10321      [Steve Henson]
10322 
10323   *) Change the handling of OID objects as follows:
10324 
10325      - New object identifiers are inserted in objects.txt, following
10326        the syntax given in objects.README.
10327      - objects.pl is used to process obj_mac.num and create a new
10328        obj_mac.h.
10329      - obj_dat.pl is used to create a new obj_dat.h, using the data in
10330        obj_mac.h.
10331 
10332      This is currently kind of a hack, and the perl code in objects.pl
10333      isn't very elegant, but it works as I intended.  The simplest way
10334      to check that it worked correctly is to look in obj_dat.h and
10335      check the array nid_objs and make sure the objects haven't moved
10336      around (this is important!).  Additions are OK, as well as
10337      consistent name changes.
10338      [Richard Levitte]
10339 
10340   *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
10341      [Bodo Moeller]
10342 
10343   *) Addition of the command line parameter '-rand file' to 'openssl req'.
10344      The given file adds to whatever has already been seeded into the
10345      random pool through the RANDFILE configuration file option or
10346      environment variable, or the default random state file.
10347      [Richard Levitte]
10348 
10349   *) mkstack.pl now sorts each macro group into lexical order.
10350      Previously the output order depended on the order the files
10351      appeared in the directory, resulting in needless rewriting
10352      of safestack.h .
10353      [Steve Henson]
10354 
10355   *) Patches to make OpenSSL compile under Win32 again. Mostly
10356      work arounds for the VC++ problem that it treats func() as
10357      func(void). Also stripped out the parts of mkdef.pl that
10358      added extra typesafe functions: these no longer exist.
10359      [Steve Henson]
10360 
10361   *) Reorganisation of the stack code. The macros are now all
10362      collected in safestack.h . Each macro is defined in terms of
10363      a "stack macro" of the form SKM_<name>(type, a, b). The
10364      DEBUG_SAFESTACK is now handled in terms of function casts,
10365      this has the advantage of retaining type safety without the
10366      use of additional functions. If DEBUG_SAFESTACK is not defined
10367      then the non typesafe macros are used instead. Also modified the
10368      mkstack.pl script to handle the new form. Needs testing to see
10369      if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
10370      the default if no major problems. Similar behaviour for ASN1_SET_OF
10371      and PKCS12_STACK_OF.
10372      [Steve Henson]
10373 
10374   *) When some versions of IIS use the 'NET' form of private key the
10375      key derivation algorithm is different. Normally MD5(password) is
10376      used as a 128 bit RC4 key. In the modified case
10377      MD5(MD5(password) + "SGCKEYSALT")  is used instead. Added some
10378      new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
10379      as the old Netscape_RSA functions except they have an additional
10380      'sgckey' parameter which uses the modified algorithm. Also added
10381      an -sgckey command line option to the rsa utility. Thanks to
10382      Adrian Peck <bertie@ncipher.com> for posting details of the modified
10383      algorithm to openssl-dev.
10384      [Steve Henson]
10385 
10386   *) The evp_local.h macros were using 'c.##kname' which resulted in
10387      invalid expansion on some systems (SCO 5.0.5 for example).
10388      Corrected to 'c.kname'.
10389      [Phillip Porch <root@theporch.com>]
10390 
10391   *) New X509_get1_email() and X509_REQ_get1_email() functions that return
10392      a STACK of email addresses from a certificate or request, these look
10393      in the subject name and the subject alternative name extensions and
10394      omit any duplicate addresses.
10395      [Steve Henson]
10396 
10397   *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
10398      This makes DSA verification about 2 % faster.
10399      [Bodo Moeller]
10400 
10401   *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
10402      (meaning that now 2^5 values will be precomputed, which is only 4 KB
10403      plus overhead for 1024 bit moduli).
10404      This makes exponentiations about 0.5 % faster for 1024 bit
10405      exponents (as measured by "openssl speed rsa2048").
10406      [Bodo Moeller]
10407 
10408   *) Rename memory handling macros to avoid conflicts with other
10409      software:
10410           Malloc         =>  OPENSSL_malloc
10411           Malloc_locked  =>  OPENSSL_malloc_locked
10412           Realloc        =>  OPENSSL_realloc
10413           Free           =>  OPENSSL_free
10414      [Richard Levitte]
10415 
10416   *) New function BN_mod_exp_mont_word for small bases (roughly 15%
10417      faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
10418      [Bodo Moeller]
10419 
10420   *) CygWin32 support.
10421      [John Jarvie <jjarvie@newsguy.com>]
10422 
10423   *) The type-safe stack code has been rejigged. It is now only compiled
10424      in when OpenSSL is configured with the DEBUG_SAFESTACK option and
10425      by default all type-specific stack functions are "#define"d back to
10426      standard stack functions. This results in more streamlined output
10427      but retains the type-safety checking possibilities of the original
10428      approach.
10429      [Geoff Thorpe]
10430 
10431   *) The STACK code has been cleaned up, and certain type declarations
10432      that didn't make a lot of sense have been brought in line. This has
10433      also involved a cleanup of sorts in safestack.h to more correctly
10434      map type-safe stack functions onto their plain stack counterparts.
10435      This work has also resulted in a variety of "const"ifications of
10436      lots of the code, especially "_cmp" operations which should normally
10437      be prototyped with "const" parameters anyway.
10438      [Geoff Thorpe]
10439 
10440   *) When generating bytes for the first time in md_rand.c, 'stir the pool'
10441      by seeding with STATE_SIZE dummy bytes (with zero entropy count).
10442      (The PRNG state consists of two parts, the large pool 'state' and 'md',
10443      where all of 'md' is used each time the PRNG is used, but 'state'
10444      is used only indexed by a cyclic counter. As entropy may not be
10445      well distributed from the beginning, 'md' is important as a
10446      chaining variable. However, the output function chains only half
10447      of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
10448      all of 'md', and seeding with STATE_SIZE dummy bytes will result
10449      in all of 'state' being rewritten, with the new values depending
10450      on virtually all of 'md'.  This overcomes the 80 bit limitation.)
10451      [Bodo Moeller]
10452 
10453   *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
10454      the handshake is continued after ssl_verify_cert_chain();
10455      otherwise, if SSL_VERIFY_NONE is set, remaining error codes
10456      can lead to 'unexplainable' connection aborts later.
10457      [Bodo Moeller; problem tracked down by Lutz Jaenicke]
10458 
10459   *) Major EVP API cipher revision.
10460      Add hooks for extra EVP features. This allows various cipher
10461      parameters to be set in the EVP interface. Support added for variable
10462      key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
10463      setting of RC2 and RC5 parameters.
10464 
10465      Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
10466      ciphers.
10467 
10468      Remove lots of duplicated code from the EVP library. For example *every*
10469      cipher init() function handles the 'iv' in the same way according to the
10470      cipher mode. They also all do nothing if the 'key' parameter is NULL and
10471      for CFB and OFB modes they zero ctx->num.
10472 
10473      New functionality allows removal of S/MIME code RC2 hack.
10474 
10475      Most of the routines have the same form and so can be declared in terms
10476      of macros.
10477 
10478      By shifting this to the top level EVP_CipherInit() it can be removed from
10479      all individual ciphers. If the cipher wants to handle IVs or keys
10480      differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
10481      flags.
10482 
10483      Change lots of functions like EVP_EncryptUpdate() to now return a
10484      value: although software versions of the algorithms cannot fail
10485      any installed hardware versions can.
10486      [Steve Henson]
10487 
10488   *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
10489      this option is set, tolerate broken clients that send the negotiated
10490      protocol version number instead of the requested protocol version
10491      number.
10492      [Bodo Moeller]
10493 
10494   *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
10495      i.e. non-zero for export ciphersuites, zero otherwise.
10496      Previous versions had this flag inverted, inconsistent with
10497      rsa_tmp_cb (..._TMP_RSA_CB).
10498      [Bodo Moeller; problem reported by Amit Chopra]
10499 
10500   *) Add missing DSA library text string. Work around for some IIS
10501      key files with invalid SEQUENCE encoding.
10502      [Steve Henson]
10503 
10504   *) Add a document (doc/standards.txt) that list all kinds of standards
10505      and so on that are implemented in OpenSSL.
10506      [Richard Levitte]
10507 
10508   *) Enhance c_rehash script. Old version would mishandle certificates
10509      with the same subject name hash and wouldn't handle CRLs at all.
10510      Added -fingerprint option to crl utility, to support new c_rehash
10511      features.
10512      [Steve Henson]
10513 
10514   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
10515      [Ulf Möller]
10516 
10517   *) Fix for SSL server purpose checking. Server checking was
10518      rejecting certificates which had extended key usage present
10519      but no ssl client purpose.
10520      [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
10521 
10522   *) Make PKCS#12 code work with no password. The PKCS#12 spec
10523      is a little unclear about how a blank password is handled.
10524      Since the password in encoded as a BMPString with terminating
10525      double NULL a zero length password would end up as just the
10526      double NULL. However no password at all is different and is
10527      handled differently in the PKCS#12 key generation code. NS
10528      treats a blank password as zero length. MSIE treats it as no
10529      password on export: but it will try both on import. We now do
10530      the same: PKCS12_parse() tries zero length and no password if
10531      the password is set to "" or NULL (NULL is now a valid password:
10532      it wasn't before) as does the pkcs12 application.
10533      [Steve Henson]
10534 
10535   *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
10536      perror when PEM_read_bio_X509_REQ fails, the error message must
10537      be obtained from the error queue.
10538      [Bodo Moeller]
10539 
10540   *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
10541      it in ERR_remove_state if appropriate, and change ERR_get_state
10542      accordingly to avoid race conditions (this is necessary because
10543      thread_hash is no longer constant once set).
10544      [Bodo Moeller]
10545 
10546   *) Bugfix for linux-elf makefile.one.
10547      [Ulf Möller]
10548 
10549   *) RSA_get_default_method() will now cause a default
10550      RSA_METHOD to be chosen if one doesn't exist already.
10551      Previously this was only set during a call to RSA_new()
10552      or RSA_new_method(NULL) meaning it was possible for
10553      RSA_get_default_method() to return NULL.
10554      [Geoff Thorpe]
10555 
10556   *) Added native name translation to the existing DSO code
10557      that will convert (if the flag to do so is set) filenames
10558      that are sufficiently small and have no path information
10559      into a canonical native form. Eg. "blah" converted to
10560      "libblah.so" or "blah.dll" etc.
10561      [Geoff Thorpe]
10562 
10563   *) New function ERR_error_string_n(e, buf, len) which is like
10564      ERR_error_string(e, buf), but writes at most 'len' bytes
10565      including the 0 terminator.  For ERR_error_string_n, 'buf'
10566      may not be NULL.
10567      [Damien Miller <djm@mindrot.org>, Bodo Moeller]
10568 
10569   *) CONF library reworked to become more general.  A new CONF
10570      configuration file reader "class" is implemented as well as a
10571      new functions (NCONF_*, for "New CONF") to handle it.  The now
10572      old CONF_* functions are still there, but are reimplemented to
10573      work in terms of the new functions.  Also, a set of functions
10574      to handle the internal storage of the configuration data is
10575      provided to make it easier to write new configuration file
10576      reader "classes" (I can definitely see something reading a
10577      configuration file in XML format, for example), called _CONF_*,
10578      or "the configuration storage API"...
10579 
10580      The new configuration file reading functions are:
10581 
10582         NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
10583         NCONF_get_section, NCONF_get_string, NCONF_get_numbre
10584 
10585         NCONF_default, NCONF_WIN32
10586 
10587         NCONF_dump_fp, NCONF_dump_bio
10588 
10589      NCONF_default and NCONF_WIN32 are method (or "class") choosers,
10590      NCONF_new creates a new CONF object.  This works in the same way
10591      as other interfaces in OpenSSL, like the BIO interface.
10592      NCONF_dump_* dump the internal storage of the configuration file,
10593      which is useful for debugging.  All other functions take the same
10594      arguments as the old CONF_* functions with the exception of the
10595      first that must be a `CONF *' instead of a `LHASH *'.
10596 
10597      To make it easier to use the new classes with the old CONF_* functions,
10598      the function CONF_set_default_method is provided.
10599      [Richard Levitte]
10600 
10601   *) Add '-tls1' option to 'openssl ciphers', which was already
10602      mentioned in the documentation but had not been implemented.
10603      (This option is not yet really useful because even the additional
10604      experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
10605      [Bodo Moeller]
10606 
10607   *) Initial DSO code added into libcrypto for letting OpenSSL (and
10608      OpenSSL-based applications) load shared libraries and bind to
10609      them in a portable way.
10610      [Geoff Thorpe, with contributions from Richard Levitte]
10611 
10612  Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
10613 
10614   *) Make sure _lrotl and _lrotr are only used with MSVC.
10615 
10616   *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
10617      (the default implementation of RAND_status).
10618 
10619   *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
10620      to '-clrext' (= clear extensions), as intended and documented.
10621      [Bodo Moeller; inconsistency pointed out by Michael Attili
10622      <attili@amaxo.com>]
10623 
10624   *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
10625      was larger than the MD block size.
10626      [Steve Henson, pointed out by Yost William <YostW@tce.com>]
10627 
10628   *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
10629      fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
10630      using the passed key: if the passed key was a private key the result
10631      of X509_print(), for example, would be to print out all the private key
10632      components.
10633      [Steve Henson]
10634 
10635   *) des_quad_cksum() byte order bug fix.
10636      [Ulf Möller, using the problem description in krb4-0.9.7, where
10637       the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
10638 
10639   *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
10640      discouraged.
10641      [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]
10642 
10643   *) For easily testing in shell scripts whether some command
10644      'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
10645      returns with exit code 0 iff no command of the given name is available.
10646      'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
10647      the output goes to stdout and nothing is printed to stderr.
10648      Additional arguments are always ignored.
10649 
10650      Since for each cipher there is a command of the same name,
10651      the 'no-cipher' compilation switches can be tested this way.
10652 
10653      ('openssl no-XXX' is not able to detect pseudo-commands such
10654      as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
10655      [Bodo Moeller]
10656 
10657   *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
10658      [Bodo Moeller]
10659 
10660   *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
10661      is set; it will be thrown away anyway because each handshake creates
10662      its own key.
10663      ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
10664      to parameters -- in previous versions (since OpenSSL 0.9.3) the
10665      'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
10666      you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
10667      [Bodo Moeller]
10668 
10669   *) New s_client option -ign_eof: EOF at stdin is ignored, and
10670      'Q' and 'R' lose their special meanings (quit/renegotiate).
10671      This is part of what -quiet does; unlike -quiet, -ign_eof
10672      does not suppress any output.
10673      [Richard Levitte]
10674 
10675   *) Add compatibility options to the purpose and trust code. The
10676      purpose X509_PURPOSE_ANY is "any purpose" which automatically
10677      accepts a certificate or CA, this was the previous behaviour,
10678      with all the associated security issues.
10679 
10680      X509_TRUST_COMPAT is the old trust behaviour: only and
10681      automatically trust self signed roots in certificate store. A
10682      new trust setting X509_TRUST_DEFAULT is used to specify that
10683      a purpose has no associated trust setting and it should instead
10684      use the value in the default purpose.
10685      [Steve Henson]
10686 
10687   *) Fix the PKCS#8 DSA private key code so it decodes keys again
10688      and fix a memory leak.
10689      [Steve Henson]
10690 
10691   *) In util/mkerr.pl (which implements 'make errors'), preserve
10692      reason strings from the previous version of the .c file, as
10693      the default to have only downcase letters (and digits) in
10694      automatically generated reasons codes is not always appropriate.
10695      [Bodo Moeller]
10696 
10697   *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
10698      using strerror.  Previously, ERR_reason_error_string() returned
10699      library names as reason strings for SYSerr; but SYSerr is a special
10700      case where small numbers are errno values, not library numbers.
10701      [Bodo Moeller]
10702 
10703   *) Add '-dsaparam' option to 'openssl dhparam' application.  This
10704      converts DSA parameters into DH parameters. (When creating parameters,
10705      DSA_generate_parameters is used.)
10706      [Bodo Moeller]
10707 
10708   *) Include 'length' (recommended exponent length) in C code generated
10709      by 'openssl dhparam -C'.
10710      [Bodo Moeller]
10711 
10712   *) The second argument to set_label in perlasm was already being used
10713      so couldn't be used as a "file scope" flag. Moved to third argument
10714      which was free.
10715      [Steve Henson]
10716 
10717   *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
10718      instead of RAND_bytes for encryption IVs and salts.
10719      [Bodo Moeller]
10720 
10721   *) Include RAND_status() into RAND_METHOD instead of implementing
10722      it only for md_rand.c  Otherwise replacing the PRNG by calling
10723      RAND_set_rand_method would be impossible.
10724      [Bodo Moeller]
10725 
10726   *) Don't let DSA_generate_key() enter an infinite loop if the random
10727      number generation fails.
10728      [Bodo Moeller]
10729 
10730   *) New 'rand' application for creating pseudo-random output.
10731      [Bodo Moeller]
10732 
10733   *) Added configuration support for Linux/IA64
10734      [Rolf Haberrecker <rolf@suse.de>]
10735 
10736   *) Assembler module support for Mingw32.
10737      [Ulf Möller]
10738 
10739   *) Shared library support for HPUX (in shlib/).
10740      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
10741 
10742   *) Shared library support for Solaris gcc.
10743      [Lutz Behnke <behnke@trustcenter.de>]
10744 
10745  Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
10746 
10747   *) PKCS7_encrypt() was adding text MIME headers twice because they
10748      were added manually and by SMIME_crlf_copy().
10749      [Steve Henson]
10750 
10751   *) In bntest.c don't call BN_rand with zero bits argument.
10752      [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]
10753 
10754   *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
10755      case was implemented. This caused BN_div_recp() to fail occasionally.
10756      [Ulf Möller]
10757 
10758   *) Add an optional second argument to the set_label() in the perl
10759      assembly language builder. If this argument exists and is set
10760      to 1 it signals that the assembler should use a symbol whose
10761      scope is the entire file, not just the current function. This
10762      is needed with MASM which uses the format label:: for this scope.
10763      [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
10764 
10765   *) Change the ASN1 types so they are typedefs by default. Before
10766      almost all types were #define'd to ASN1_STRING which was causing
10767      STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
10768      for example.
10769      [Steve Henson]
10770 
10771   *) Change names of new functions to the new get1/get0 naming
10772      convention: After 'get1', the caller owns a reference count
10773      and has to call ..._free; 'get0' returns a pointer to some
10774      data structure without incrementing reference counters.
10775      (Some of the existing 'get' functions increment a reference
10776      counter, some don't.)
10777      Similarly, 'set1' and 'add1' functions increase reference
10778      counters or duplicate objects.
10779      [Steve Henson]
10780 
10781   *) Allow for the possibility of temp RSA key generation failure:
10782      the code used to assume it always worked and crashed on failure.
10783      [Steve Henson]
10784 
10785   *) Fix potential buffer overrun problem in BIO_printf().
10786      [Ulf Möller, using public domain code by Patrick Powell; problem
10787       pointed out by David Sacerdote <das33@cornell.edu>]
10788 
10789   *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
10790      RAND_egd() and RAND_status().  In the command line application,
10791      the EGD socket can be specified like a seed file using RANDFILE
10792      or -rand.
10793      [Ulf Möller]
10794 
10795   *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
10796      Some CAs (e.g. Verisign) distribute certificates in this form.
10797      [Steve Henson]
10798 
10799   *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
10800      list to exclude them. This means that no special compilation option
10801      is needed to use anonymous DH: it just needs to be included in the
10802      cipher list.
10803      [Steve Henson]
10804 
10805   *) Change the EVP_MD_CTX_type macro so its meaning consistent with
10806      EVP_MD_type. The old functionality is available in a new macro called
10807      EVP_MD_md(). Change code that uses it and update docs.
10808      [Steve Henson]
10809 
10810   *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
10811      where the 'void *' argument is replaced by a function pointer argument.
10812      Previously 'void *' was abused to point to functions, which works on
10813      many platforms, but is not correct.  As these functions are usually
10814      called by macros defined in OpenSSL header files, most source code
10815      should work without changes.
10816      [Richard Levitte]
10817 
10818   *) <openssl/opensslconf.h> (which is created by Configure) now contains
10819      sections with information on -D... compiler switches used for
10820      compiling the library so that applications can see them.  To enable
10821      one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
10822      must be defined.  E.g.,
10823         #define OPENSSL_ALGORITHM_DEFINES
10824         #include <openssl/opensslconf.h>
10825      defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
10826      [Richard Levitte, Ulf and Bodo Möller]
10827 
10828   *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
10829      record layer.
10830      [Bodo Moeller]
10831 
10832   *) Change the 'other' type in certificate aux info to a STACK_OF
10833      X509_ALGOR. Although not an AlgorithmIdentifier as such it has
10834      the required ASN1 format: arbitrary types determined by an OID.
10835      [Steve Henson]
10836 
10837   *) Add some PEM_write_X509_REQ_NEW() functions and a command line
10838      argument to 'req'. This is not because the function is newer or
10839      better than others it just uses the work 'NEW' in the certificate
10840      request header lines. Some software needs this.
10841      [Steve Henson]
10842 
10843   *) Reorganise password command line arguments: now passwords can be
10844      obtained from various sources. Delete the PEM_cb function and make
10845      it the default behaviour: i.e. if the callback is NULL and the
10846      usrdata argument is not NULL interpret it as a null terminated pass
10847      phrase. If usrdata and the callback are NULL then the pass phrase
10848      is prompted for as usual.
10849      [Steve Henson]
10850 
10851   *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
10852      the support is automatically enabled. The resulting binaries will
10853      autodetect the card and use it if present.
10854      [Ben Laurie and Compaq Inc.]
10855 
10856   *) Work around for Netscape hang bug. This sends certificate request
10857      and server done in one record. Since this is perfectly legal in the
10858      SSL/TLS protocol it isn't a "bug" option and is on by default. See
10859      the bugs/SSLv3 entry for more info.
10860      [Steve Henson]
10861 
10862   *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
10863      [Andy Polyakov]
10864 
10865   *) Add -rand argument to smime and pkcs12 applications and read/write
10866      of seed file.
10867      [Steve Henson]
10868 
10869   *) New 'passwd' tool for crypt(3) and apr1 password hashes.
10870      [Bodo Moeller]
10871 
10872   *) Add command line password options to the remaining applications.
10873      [Steve Henson]
10874 
10875   *) Bug fix for BN_div_recp() for numerators with an even number of
10876      bits.
10877      [Ulf Möller]
10878 
10879   *) More tests in bntest.c, and changed test_bn output.
10880      [Ulf Möller]
10881 
10882   *) ./config recognizes MacOS X now.
10883      [Andy Polyakov]
10884 
10885   *) Bug fix for BN_div() when the first words of num and divisor are
10886      equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
10887      [Ulf Möller]
10888 
10889   *) Add support for various broken PKCS#8 formats, and command line
10890      options to produce them.
10891      [Steve Henson]
10892 
10893   *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
10894      get temporary BIGNUMs from a BN_CTX.
10895      [Ulf Möller]
10896 
10897   *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
10898      for p == 0.
10899      [Ulf Möller]
10900 
10901   *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
10902      include a #define from the old name to the new. The original intent
10903      was that statically linked binaries could for example just call
10904      SSLeay_add_all_ciphers() to just add ciphers to the table and not
10905      link with digests. This never worked because SSLeay_add_all_digests()
10906      and SSLeay_add_all_ciphers() were in the same source file so calling
10907      one would link with the other. They are now in separate source files.
10908      [Steve Henson]
10909 
10910   *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
10911      [Steve Henson]
10912 
10913   *) Use a less unusual form of the Miller-Rabin primality test (it used
10914      a binary algorithm for exponentiation integrated into the Miller-Rabin
10915      loop, our standard modexp algorithms are faster).
10916      [Bodo Moeller]
10917 
10918   *) Support for the EBCDIC character set completed.
10919      [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]
10920 
10921   *) Source code cleanups: use const where appropriate, eliminate casts,
10922      use void * instead of char * in lhash.
10923      [Ulf Möller]
10924 
10925   *) Bugfix: ssl3_send_server_key_exchange was not restartable
10926      (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
10927      this the server could overwrite ephemeral keys that the client
10928      has already seen).
10929      [Bodo Moeller]
10930 
10931   *) Turn DSA_is_prime into a macro that calls BN_is_prime,
10932      using 50 iterations of the Rabin-Miller test.
10933 
10934      DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
10935      iterations of the Rabin-Miller test as required by the appendix
10936      to FIPS PUB 186[-1]) instead of DSA_is_prime.
10937      As BN_is_prime_fasttest includes trial division, DSA parameter
10938      generation becomes much faster.
10939 
10940      This implies a change for the callback functions in DSA_is_prime
10941      and DSA_generate_parameters: The callback function is called once
10942      for each positive witness in the Rabin-Miller test, not just
10943      occasionally in the inner loop; and the parameters to the
10944      callback function now provide an iteration count for the outer
10945      loop rather than for the current invocation of the inner loop.
10946      DSA_generate_parameters additionally can call the callback
10947      function with an 'iteration count' of -1, meaning that a
10948      candidate has passed the trial division test (when q is generated
10949      from an application-provided seed, trial division is skipped).
10950      [Bodo Moeller]
10951 
10952   *) New function BN_is_prime_fasttest that optionally does trial
10953      division before starting the Rabin-Miller test and has
10954      an additional BN_CTX * argument (whereas BN_is_prime always
10955      has to allocate at least one BN_CTX).
10956      'callback(1, -1, cb_arg)' is called when a number has passed the
10957      trial division stage.
10958      [Bodo Moeller]
10959 
10960   *) Fix for bug in CRL encoding. The validity dates weren't being handled
10961      as ASN1_TIME.
10962      [Steve Henson]
10963 
10964   *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
10965      [Steve Henson]
10966 
10967   *) New function BN_pseudo_rand().
10968      [Ulf Möller]
10969 
10970   *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
10971      bignum version of BN_from_montgomery() with the working code from
10972      SSLeay 0.9.0 (the word based version is faster anyway), and clean up
10973      the comments.
10974      [Ulf Möller]
10975 
10976   *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
10977      made it impossible to use the same SSL_SESSION data structure in
10978      SSL2 clients in multiple threads.
10979      [Bodo Moeller]
10980 
10981   *) The return value of RAND_load_file() no longer counts bytes obtained
10982      by stat().  RAND_load_file(..., -1) is new and uses the complete file
10983      to seed the PRNG (previously an explicit byte count was required).
10984      [Ulf Möller, Bodo Möller]
10985 
10986   *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
10987      used (char *) instead of (void *) and had casts all over the place.
10988      [Steve Henson]
10989 
10990   *) Make BN_generate_prime() return NULL on error if ret!=NULL.
10991      [Ulf Möller]
10992 
10993   *) Retain source code compatibility for BN_prime_checks macro:
10994      BN_is_prime(..., BN_prime_checks, ...) now uses
10995      BN_prime_checks_for_size to determine the appropriate number of
10996      Rabin-Miller iterations.
10997      [Ulf Möller]
10998 
10999   *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
11000      DH_CHECK_P_NOT_SAFE_PRIME.
11001      (Check if this is true? OpenPGP calls them "strong".)
11002      [Ulf Möller]
11003 
11004   *) Merge the functionality of "dh" and "gendh" programs into a new program
11005      "dhparam". The old programs are retained for now but will handle DH keys
11006      (instead of parameters) in future.
11007      [Steve Henson]
11008 
11009   *) Make the ciphers, s_server and s_client programs check the return values
11010      when a new cipher list is set.
11011      [Steve Henson]
11012 
11013   *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
11014      ciphers. Before when the 56bit ciphers were enabled the sorting was
11015      wrong.
11016 
11017      The syntax for the cipher sorting has been extended to support sorting by
11018      cipher-strength (using the strength_bits hard coded in the tables).
11019      The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
11020 
11021      Fix a bug in the cipher-command parser: when supplying a cipher command
11022      string with an "undefined" symbol (neither command nor alphanumeric
11023      [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
11024      an error is flagged.
11025 
11026      Due to the strength-sorting extension, the code of the
11027      ssl_create_cipher_list() function was completely rearranged. I hope that
11028      the readability was also increased :-)
11029      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
11030 
11031   *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
11032      for the first serial number and places 2 in the serial number file. This
11033      avoids problems when the root CA is created with serial number zero and
11034      the first user certificate has the same issuer name and serial number
11035      as the root CA.
11036      [Steve Henson]
11037 
11038   *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
11039      the new code. Add documentation for this stuff.
11040      [Steve Henson]
11041 
11042   *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
11043      X509_*() to X509at_*() on the grounds that they don't handle X509
11044      structures and behave in an analogous way to the X509v3 functions:
11045      they shouldn't be called directly but wrapper functions should be used
11046      instead.
11047 
11048      So we also now have some wrapper functions that call the X509at functions
11049      when passed certificate requests. (TO DO: similar things can be done with
11050      PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
11051      things. Some of these need some d2i or i2d and print functionality
11052      because they handle more complex structures.)
11053      [Steve Henson]
11054 
11055   *) Add missing #ifndefs that caused missing symbols when building libssl
11056      as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
11057      NO_RSA in ssl/s2*.c.
11058      [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
11059 
11060   *) Precautions against using the PRNG uninitialized: RAND_bytes() now
11061      has a return value which indicates the quality of the random data
11062      (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
11063      error queue. New function RAND_pseudo_bytes() generates output that is
11064      guaranteed to be unique but not unpredictable. RAND_add is like
11065      RAND_seed, but takes an extra argument for an entropy estimate
11066      (RAND_seed always assumes full entropy).
11067      [Ulf Möller]
11068 
11069   *) Do more iterations of Rabin-Miller probable prime test (specifically,
11070      3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
11071      instead of only 2 for all lengths; see BN_prime_checks_for_size definition
11072      in crypto/bn/bn_prime.c for the complete table).  This guarantees a
11073      false-positive rate of at most 2^-80 for random input.
11074      [Bodo Moeller]
11075 
11076   *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
11077      [Bodo Moeller]
11078 
11079   *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
11080      in the 0.9.5 release), this returns the chain
11081      from an X509_CTX structure with a dup of the stack and all
11082      the X509 reference counts upped: so the stack will exist
11083      after X509_CTX_cleanup() has been called. Modify pkcs12.c
11084      to use this.
11085 
11086      Also make SSL_SESSION_print() print out the verify return
11087      code.
11088      [Steve Henson]
11089 
11090   *) Add manpage for the pkcs12 command. Also change the default
11091      behaviour so MAC iteration counts are used unless the new
11092      -nomaciter option is used. This improves file security and
11093      only older versions of MSIE (4.0 for example) need it.
11094      [Steve Henson]
11095 
11096   *) Honor the no-xxx Configure options when creating .DEF files.
11097      [Ulf Möller]
11098 
11099   *) Add PKCS#10 attributes to field table: challengePassword,
11100      unstructuredName and unstructuredAddress. These are taken from
11101      draft PKCS#9 v2.0 but are compatible with v1.2 provided no
11102      international characters are used.
11103 
11104      More changes to X509_ATTRIBUTE code: allow the setting of types
11105      based on strings. Remove the 'loc' parameter when adding
11106      attributes because these will be a SET OF encoding which is sorted
11107      in ASN1 order.
11108      [Steve Henson]
11109 
11110   *) Initial changes to the 'req' utility to allow request generation
11111      automation. This will allow an application to just generate a template
11112      file containing all the field values and have req construct the
11113      request.
11114 
11115      Initial support for X509_ATTRIBUTE handling. Stacks of these are
11116      used all over the place including certificate requests and PKCS#7
11117      structures. They are currently handled manually where necessary with
11118      some primitive wrappers for PKCS#7. The new functions behave in a
11119      manner analogous to the X509 extension functions: they allow
11120      attributes to be looked up by NID and added.
11121 
11122      Later something similar to the X509V3 code would be desirable to
11123      automatically handle the encoding, decoding and printing of the
11124      more complex types. The string types like challengePassword can
11125      be handled by the string table functions.
11126 
11127      Also modified the multi byte string table handling. Now there is
11128      a 'global mask' which masks out certain types. The table itself
11129      can use the flag STABLE_NO_MASK to ignore the mask setting: this
11130      is useful when for example there is only one permissible type
11131      (as in countryName) and using the mask might result in no valid
11132      types at all.
11133      [Steve Henson]
11134 
11135   *) Clean up 'Finished' handling, and add functions SSL_get_finished and
11136      SSL_get_peer_finished to allow applications to obtain the latest
11137      Finished messages sent to the peer or expected from the peer,
11138      respectively.  (SSL_get_peer_finished is usually the Finished message
11139      actually received from the peer, otherwise the protocol will be aborted.)
11140 
11141      As the Finished message are message digests of the complete handshake
11142      (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
11143      be used for external authentication procedures when the authentication
11144      provided by SSL/TLS is not desired or is not enough.
11145      [Bodo Moeller]
11146 
11147   *) Enhanced support for Alpha Linux is added. Now ./config checks if
11148      the host supports BWX extension and if Compaq C is present on the
11149      $PATH. Just exploiting of the BWX extension results in 20-30%
11150      performance kick for some algorithms, e.g. DES and RC4 to mention
11151      a couple. Compaq C in turn generates ~20% faster code for MD5 and
11152      SHA1.
11153      [Andy Polyakov]
11154 
11155   *) Add support for MS "fast SGC". This is arguably a violation of the
11156      SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
11157      weak crypto and after checking the certificate is SGC a second one
11158      with strong crypto. MS SGC stops the first handshake after receiving
11159      the server certificate message and sends a second client hello. Since
11160      a server will typically do all the time consuming operations before
11161      expecting any further messages from the client (server key exchange
11162      is the most expensive) there is little difference between the two.
11163 
11164      To get OpenSSL to support MS SGC we have to permit a second client
11165      hello message after we have sent server done. In addition we have to
11166      reset the MAC if we do get this second client hello.
11167      [Steve Henson]
11168 
11169   *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
11170      if a DER encoded private key is RSA or DSA traditional format. Changed
11171      d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
11172      format DER encoded private key. Newer code should use PKCS#8 format which
11173      has the key type encoded in the ASN1 structure. Added DER private key
11174      support to pkcs8 application.
11175      [Steve Henson]
11176 
11177   *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
11178      ciphersuites has been selected (as required by the SSL 3/TLS 1
11179      specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
11180      is set, we interpret this as a request to violate the specification
11181      (the worst that can happen is a handshake failure, and 'correct'
11182      behaviour would result in a handshake failure anyway).
11183      [Bodo Moeller]
11184 
11185   *) In SSL_CTX_add_session, take into account that there might be multiple
11186      SSL_SESSION structures with the same session ID (e.g. when two threads
11187      concurrently obtain them from an external cache).
11188      The internal cache can handle only one SSL_SESSION with a given ID,
11189      so if there's a conflict, we now throw out the old one to achieve
11190      consistency.
11191      [Bodo Moeller]
11192 
11193   *) Add OIDs for idea and blowfish in CBC mode. This will allow both
11194      to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
11195      some routines that use cipher OIDs: some ciphers do not have OIDs
11196      defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
11197      example.
11198      [Steve Henson]
11199 
11200   *) Simplify the trust setting structure and code. Now we just have
11201      two sequences of OIDs for trusted and rejected settings. These will
11202      typically have values the same as the extended key usage extension
11203      and any application specific purposes.
11204 
11205      The trust checking code now has a default behaviour: it will just
11206      check for an object with the same NID as the passed id. Functions can
11207      be provided to override either the default behaviour or the behaviour
11208      for a given id. SSL client, server and email already have functions
11209      in place for compatibility: they check the NID and also return "trusted"
11210      if the certificate is self signed.
11211      [Steve Henson]
11212 
11213   *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
11214      traditional format into an EVP_PKEY structure.
11215      [Steve Henson]
11216 
11217   *) Add a password callback function PEM_cb() which either prompts for
11218      a password if usr_data is NULL or otherwise assumes it is a null
11219      terminated password. Allow passwords to be passed on command line
11220      environment or config files in a few more utilities.
11221      [Steve Henson]
11222 
11223   *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
11224      keys. Add some short names for PKCS#8 PBE algorithms and allow them
11225      to be specified on the command line for the pkcs8 and pkcs12 utilities.
11226      Update documentation.
11227      [Steve Henson]
11228 
11229   *) Support for ASN1 "NULL" type. This could be handled before by using
11230      ASN1_TYPE but there wasn't any function that would try to read a NULL
11231      and produce an error if it couldn't. For compatibility we also have
11232      ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
11233      don't allocate anything because they don't need to.
11234      [Steve Henson]
11235 
11236   *) Initial support for MacOS is now provided. Examine INSTALL.MacOS
11237      for details.
11238      [Andy Polyakov, Roy Woods <roy@centicsystems.ca>]
11239 
11240   *) Rebuild of the memory allocation routines used by OpenSSL code and
11241      possibly others as well.  The purpose is to make an interface that
11242      provide hooks so anyone can build a separate set of allocation and
11243      deallocation routines to be used by OpenSSL, for example memory
11244      pool implementations, or something else, which was previously hard
11245      since Malloc(), Realloc() and Free() were defined as macros having
11246      the values malloc, realloc and free, respectively (except for Win32
11247      compilations).  The same is provided for memory debugging code.
11248      OpenSSL already comes with functionality to find memory leaks, but
11249      this gives people a chance to debug other memory problems.
11250 
11251      With these changes, a new set of functions and macros have appeared:
11252 
11253        CRYPTO_set_mem_debug_functions()         [F]
11254        CRYPTO_get_mem_debug_functions()         [F]
11255        CRYPTO_dbg_set_options()                 [F]
11256        CRYPTO_dbg_get_options()                 [F]
11257        CRYPTO_malloc_debug_init()               [M]
11258 
11259      The memory debug functions are NULL by default, unless the library
11260      is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
11261      wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
11262      gives the standard debugging functions that come with OpenSSL) or
11263      CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
11264      provided by the library user) must be used.  When the standard
11265      debugging functions are used, CRYPTO_dbg_set_options can be used to
11266      request additional information:
11267      CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
11268      the CRYPTO_MDEBUG_xxx macro when compiling the library.
11269 
11270      Also, things like CRYPTO_set_mem_functions will always give the
11271      expected result (the new set of functions is used for allocation
11272      and deallocation) at all times, regardless of platform and compiler
11273      options.
11274 
11275      To finish it up, some functions that were never use in any other
11276      way than through macros have a new API and new semantic:
11277 
11278        CRYPTO_dbg_malloc()
11279        CRYPTO_dbg_realloc()
11280        CRYPTO_dbg_free()
11281 
11282      All macros of value have retained their old syntax.
11283      [Richard Levitte and Bodo Moeller]
11284 
11285   *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
11286      ordering of SMIMECapabilities wasn't in "strength order" and there
11287      was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
11288      algorithm.
11289      [Steve Henson]
11290 
11291   *) Some ASN1 types with illegal zero length encoding (INTEGER,
11292      ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
11293      [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]
11294 
11295   *) Merge in my S/MIME library for OpenSSL. This provides a simple
11296      S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
11297      functionality to handle multipart/signed properly) and a utility
11298      called 'smime' to call all this stuff. This is based on code I
11299      originally wrote for Celo who have kindly allowed it to be
11300      included in OpenSSL.
11301      [Steve Henson]
11302 
11303   *) Add variants des_set_key_checked and des_set_key_unchecked of
11304      des_set_key (aka des_key_sched).  Global variable des_check_key
11305      decides which of these is called by des_set_key; this way
11306      des_check_key behaves as it always did, but applications and
11307      the library itself, which was buggy for des_check_key == 1,
11308      have a cleaner way to pick the version they need.
11309      [Bodo Moeller]
11310 
11311   *) New function PKCS12_newpass() which changes the password of a
11312      PKCS12 structure.
11313      [Steve Henson]
11314 
11315   *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
11316      dynamic mix. In both cases the ids can be used as an index into the
11317      table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
11318      functions so they accept a list of the field values and the
11319      application doesn't need to directly manipulate the X509_TRUST
11320      structure.
11321      [Steve Henson]
11322 
11323   *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
11324      need initialising.
11325      [Steve Henson]
11326 
11327   *) Modify the way the V3 extension code looks up extensions. This now
11328      works in a similar way to the object code: we have some "standard"
11329      extensions in a static table which is searched with OBJ_bsearch()
11330      and the application can add dynamic ones if needed. The file
11331      crypto/x509v3/ext_dat.h now has the info: this file needs to be
11332      updated whenever a new extension is added to the core code and kept
11333      in ext_nid order. There is a simple program 'tabtest.c' which checks
11334      this. New extensions are not added too often so this file can readily
11335      be maintained manually.
11336 
11337      There are two big advantages in doing things this way. The extensions
11338      can be looked up immediately and no longer need to be "added" using
11339      X509V3_add_standard_extensions(): this function now does nothing.
11340      [Side note: I get *lots* of email saying the extension code doesn't
11341       work because people forget to call this function]
11342      Also no dynamic allocation is done unless new extensions are added:
11343      so if we don't add custom extensions there is no need to call
11344      X509V3_EXT_cleanup().
11345      [Steve Henson]
11346 
11347   *) Modify enc utility's salting as follows: make salting the default. Add a
11348      magic header, so unsalted files fail gracefully instead of just decrypting
11349      to garbage. This is because not salting is a big security hole, so people
11350      should be discouraged from doing it.
11351      [Ben Laurie]
11352 
11353   *) Fixes and enhancements to the 'x509' utility. It allowed a message
11354      digest to be passed on the command line but it only used this
11355      parameter when signing a certificate. Modified so all relevant
11356      operations are affected by the digest parameter including the
11357      -fingerprint and -x509toreq options. Also -x509toreq choked if a
11358      DSA key was used because it didn't fix the digest.
11359      [Steve Henson]
11360 
11361   *) Initial certificate chain verify code. Currently tests the untrusted
11362      certificates for consistency with the verify purpose (which is set
11363      when the X509_STORE_CTX structure is set up) and checks the pathlength.
11364 
11365      There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
11366      this is because it will reject chains with invalid extensions whereas
11367      every previous version of OpenSSL and SSLeay made no checks at all.
11368 
11369      Trust code: checks the root CA for the relevant trust settings. Trust
11370      settings have an initial value consistent with the verify purpose: e.g.
11371      if the verify purpose is for SSL client use it expects the CA to be
11372      trusted for SSL client use. However the default value can be changed to
11373      permit custom trust settings: one example of this would be to only trust
11374      certificates from a specific "secure" set of CAs.
11375 
11376      Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
11377      which should be used for version portability: especially since the
11378      verify structure is likely to change more often now.
11379 
11380      SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
11381      to set them. If not set then assume SSL clients will verify SSL servers
11382      and vice versa.
11383 
11384      Two new options to the verify program: -untrusted allows a set of
11385      untrusted certificates to be passed in and -purpose which sets the
11386      intended purpose of the certificate. If a purpose is set then the
11387      new chain verify code is used to check extension consistency.
11388      [Steve Henson]
11389 
11390   *) Support for the authority information access extension.
11391      [Steve Henson]
11392 
11393   *) Modify RSA and DSA PEM read routines to transparently handle
11394      PKCS#8 format private keys. New *_PUBKEY_* functions that handle
11395      public keys in a format compatible with certificate
11396      SubjectPublicKeyInfo structures. Unfortunately there were already
11397      functions called *_PublicKey_* which used various odd formats so
11398      these are retained for compatibility: however the DSA variants were
11399      never in a public release so they have been deleted. Changed dsa/rsa
11400      utilities to handle the new format: note no releases ever handled public
11401      keys so we should be OK.
11402 
11403      The primary motivation for this change is to avoid the same fiasco
11404      that dogs private keys: there are several incompatible private key
11405      formats some of which are standard and some OpenSSL specific and
11406      require various evil hacks to allow partial transparent handling and
11407      even then it doesn't work with DER formats. Given the option anything
11408      other than PKCS#8 should be dumped: but the other formats have to
11409      stay in the name of compatibility.
11410 
11411      With public keys and the benefit of hindsight one standard format
11412      is used which works with EVP_PKEY, RSA or DSA structures: though
11413      it clearly returns an error if you try to read the wrong kind of key.
11414 
11415      Added a -pubkey option to the 'x509' utility to output the public key.
11416      Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
11417      (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
11418      EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
11419      that do the same as the EVP_PKEY_assign_*() except they up the
11420      reference count of the added key (they don't "swallow" the
11421      supplied key).
11422      [Steve Henson]
11423 
11424   *) Fixes to crypto/x509/by_file.c the code to read in certificates and
11425      CRLs would fail if the file contained no certificates or no CRLs:
11426      added a new function to read in both types and return the number
11427      read: this means that if none are read it will be an error. The
11428      DER versions of the certificate and CRL reader would always fail
11429      because it isn't possible to mix certificates and CRLs in DER format
11430      without choking one or the other routine. Changed this to just read
11431      a certificate: this is the best we can do. Also modified the code
11432      in apps/verify.c to take notice of return codes: it was previously
11433      attempting to read in certificates from NULL pointers and ignoring
11434      any errors: this is one reason why the cert and CRL reader seemed
11435      to work. It doesn't check return codes from the default certificate
11436      routines: these may well fail if the certificates aren't installed.
11437      [Steve Henson]
11438 
11439   *) Code to support otherName option in GeneralName.
11440      [Steve Henson]
11441 
11442   *) First update to verify code. Change the verify utility
11443      so it warns if it is passed a self signed certificate:
11444      for consistency with the normal behaviour. X509_verify
11445      has been modified to it will now verify a self signed
11446      certificate if *exactly* the same certificate appears
11447      in the store: it was previously impossible to trust a
11448      single self signed certificate. This means that:
11449      openssl verify ss.pem
11450      now gives a warning about a self signed certificate but
11451      openssl verify -CAfile ss.pem ss.pem
11452      is OK.
11453      [Steve Henson]
11454 
11455   *) For servers, store verify_result in SSL_SESSION data structure
11456      (and add it to external session representation).
11457      This is needed when client certificate verifications fails,
11458      but an application-provided verification callback (set by
11459      SSL_CTX_set_cert_verify_callback) allows accepting the session
11460      anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
11461      but returns 1): When the session is reused, we have to set
11462      ssl->verify_result to the appropriate error code to avoid
11463      security holes.
11464      [Bodo Moeller, problem pointed out by Lutz Jaenicke]
11465 
11466   *) Fix a bug in the new PKCS#7 code: it didn't consider the
11467      case in PKCS7_dataInit() where the signed PKCS7 structure
11468      didn't contain any existing data because it was being created.
11469      [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]
11470 
11471   *) Add a salt to the key derivation routines in enc.c. This
11472      forms the first 8 bytes of the encrypted file. Also add a
11473      -S option to allow a salt to be input on the command line.
11474      [Steve Henson]
11475 
11476   *) New function X509_cmp(). Oddly enough there wasn't a function
11477      to compare two certificates. We do this by working out the SHA1
11478      hash and comparing that. X509_cmp() will be needed by the trust
11479      code.
11480      [Steve Henson]
11481 
11482   *) SSL_get1_session() is like SSL_get_session(), but increments
11483      the reference count in the SSL_SESSION returned.
11484      [Geoff Thorpe <geoff@eu.c2.net>]
11485 
11486   *) Fix for 'req': it was adding a null to request attributes.
11487      Also change the X509_LOOKUP and X509_INFO code to handle
11488      certificate auxiliary information.
11489      [Steve Henson]
11490 
11491   *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
11492      the 'enc' command.
11493      [Steve Henson]
11494 
11495   *) Add the possibility to add extra information to the memory leak
11496      detecting output, to form tracebacks, showing from where each
11497      allocation was originated: CRYPTO_push_info("constant string") adds
11498      the string plus current file name and line number to a per-thread
11499      stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
11500      is like calling CYRPTO_pop_info() until the stack is empty.
11501      Also updated memory leak detection code to be multi-thread-safe.
11502      [Richard Levitte]
11503 
11504   *) Add options -text and -noout to pkcs7 utility