"Fossies" - the Fresh Open Source Software Archive

Member "openssl-1.1.1g/CHANGES" (21 Apr 2020, 588216 Bytes) of package /linux/misc/openssl-1.1.1g.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "CHANGES": 1.1.1f_vs_1.1.1g.

    2  OpenSSL CHANGES
    3  _______________
    5  This is a high-level summary of the most important changes.
    6  For a full list of changes, see the git commit log; for example,
    7  https://github.com/openssl/openssl/commits/ and pick the appropriate
    8  release branch.
   10  Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
   12   *) Fixed segmentation fault in SSL_check_chain()
   13      Server or client applications that call the SSL_check_chain() function
   14      during or after a TLS 1.3 handshake may crash due to a NULL pointer
   15      dereference as a result of incorrect handling of the
   16      "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
   17      or unrecognised signature algorithm is received from the peer. This could
   18      be exploited by a malicious peer in a Denial of Service attack.
   19      (CVE-2020-1967)
   20      [Benjamin Kaduk]
   22   *) Added AES consttime code for no-asm configurations
   23      an optional constant time support for AES was added
   24      when building openssl for no-asm.
   25      Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
   26      Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
   27      At this time this feature is by default disabled.
   28      It will be enabled by default in 3.0.
   29      [Bernd Edlinger]
   31  Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
   33   *) Revert the change of EOF detection while reading in libssl to avoid
   34      regressions in applications depending on the current way of reporting
   35      the EOF. As the existing method is not fully accurate the change to
   36      reporting the EOF via SSL_ERROR_SSL is kept on the current development
   37      branch and will be present in the 3.0 release.
   38      [Tomas Mraz]
   40   *) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
   41      when primes for RSA keys are computed.
   42      Since we previously always generated primes == 2 (mod 3) for RSA keys,
   43      the 2-prime and 3-prime RSA modules were easy to distinguish, since
   44      N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
   45      2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
   46      This avoids possible fingerprinting of newly generated RSA modules.
   47      [Bernd Edlinger]
   49  Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
   50   *) Properly detect EOF while reading in libssl. Previously if we hit an EOF
   51      while reading in libssl then we would report an error back to the
   52      application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
   53      an error to the stack (which means we instead return SSL_ERROR_SSL) and
   54      therefore give a hint as to what went wrong.
   55      [Matt Caswell]
   57   *) Check that ed25519 and ed448 are allowed by the security level. Previously
   58      signature algorithms not using an MD were not being checked that they were
   59      allowed by the security level.
   60      [Kurt Roeckx]
   62   *) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
   63      was not quite right. The behaviour was not consistent between resumption
   64      and normal handshakes, and also not quite consistent with historical
   65      behaviour. The behaviour in various scenarios has been clarified and
   66      it has been updated to make it match historical behaviour as closely as
   67      possible.
   68      [Matt Caswell]
   70   *) [VMS only] The header files that the VMS compilers include automatically,
   71      __DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
   72      the C++ compiler doesn't understand.  This is a shortcoming in the
   73      compiler, but can be worked around with __cplusplus guards.
   75      C++ applications that use OpenSSL libraries must be compiled using the
   76      qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
   77      functions.  Otherwise, only functions with symbols of less than 31
   78      characters can be used, as the linker will not be able to successfully
   79      resolve symbols with longer names.
   80      [Richard Levitte]
   82   *) Corrected the documentation of the return values from the EVP_DigestSign*
   83      set of functions.  The documentation mentioned negative values for some
   84      errors, but this was never the case, so the mention of negative values
   85      was removed.
   87      Code that followed the documentation and thereby check with something
   88      like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
   89      [Richard Levitte]
   91   *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
   92      used in exponentiation with 512-bit moduli. No EC algorithms are
   93      affected. Analysis suggests that attacks against 2-prime RSA1024,
   94      3-prime RSA1536, and DSA1024 as a result of this defect would be very
   95      difficult to perform and are not believed likely. Attacks against DH512
   96      are considered just feasible. However, for an attack the target would
   97      have to re-use the DH512 private key, which is not recommended anyway.
   98      Also applications directly using the low level API BN_mod_exp may be
   99      affected if they use BN_FLG_CONSTTIME.
  100      (CVE-2019-1551)
  101      [Andy Polyakov]
  103   *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
  104      The presence of this system service is determined at run-time.
  105      [Richard Levitte]
  107   *) Added newline escaping functionality to a filename when using openssl dgst.
  108      This output format is to replicate the output format found in the '*sum'
  109      checksum programs. This aims to preserve backward compatibility.
  110      [Matt Eaton, Richard Levitte, and Paul Dale]
  112   *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
  113      the first value.
  114      [Jon Spillett]
  116  Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
  118   *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
  119      number generator (RNG). This was intended to include protection in the
  120      event of a fork() system call in order to ensure that the parent and child
  121      processes did not share the same RNG state. However this protection was not
  122      being used in the default case.
  124      A partial mitigation for this issue is that the output from a high
  125      precision timer is mixed into the RNG state so the likelihood of a parent
  126      and child process sharing state is significantly reduced.
  128      If an application already calls OPENSSL_init_crypto() explicitly using
  129      OPENSSL_INIT_ATFORK then this problem does not occur at all.
  130      (CVE-2019-1549)
  131      [Matthias St. Pierre]
  133   *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
  134      used even when parsing explicit parameters, when loading a serialized key
  135      or calling `EC_GROUP_new_from_ecpkparameters()`/
  136      `EC_GROUP_new_from_ecparameters()`.
  137      This prevents bypass of security hardening and performance gains,
  138      especially for curves with specialized EC_METHODs.
  139      By default, if a key encoded with explicit parameters is loaded and later
  140      serialized, the output is still encoded with explicit parameters, even if
  141      internally a "named" EC_GROUP is used for computation.
  142      [Nicola Tuveri]
  144   *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
  145      this change, EC_GROUP_set_generator would accept order and/or cofactor as
  146      NULL. After this change, only the cofactor parameter can be NULL. It also
  147      does some minimal sanity checks on the passed order.
  148      (CVE-2019-1547)
  149      [Billy Bob Brumley]
  151   *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
  152      An attack is simple, if the first CMS_recipientInfo is valid but the
  153      second CMS_recipientInfo is chosen ciphertext. If the second
  154      recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
  155      encryption key will be replaced by garbage, and the message cannot be
  156      decoded, but if the RSA decryption fails, the correct encryption key is
  157      used and the recipient will not notice the attack.
  158      As a work around for this potential attack the length of the decrypted
  159      key must be equal to the cipher default key length, in case the
  160      certifiate is not given and all recipientInfo are tried out.
  161      The old behaviour can be re-enabled in the CMS code by setting the
  162      CMS_DEBUG_DECRYPT flag.
  163      (CVE-2019-1563)
  164      [Bernd Edlinger]
  166   *) Early start up entropy quality from the DEVRANDOM seed source has been
  167      improved for older Linux systems.  The RAND subsystem will wait for
  168      /dev/random to be producing output before seeding from /dev/urandom.
  169      The seeded state is stored for future library initialisations using
  170      a system global shared memory segment.  The shared memory identifier
  171      can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
  172      the desired value.  The default identifier is 114.
  173      [Paul Dale]
  175   *) Correct the extended master secret constant on EBCDIC systems. Without this
  176      fix TLS connections between an EBCDIC system and a non-EBCDIC system that
  177      negotiate EMS will fail. Unfortunately this also means that TLS connections
  178      between EBCDIC systems with this fix, and EBCDIC systems without this
  179      fix will fail if they negotiate EMS.
  180      [Matt Caswell]
  182   *) Use Windows installation paths in the mingw builds
  184      Mingw isn't a POSIX environment per se, which means that Windows
  185      paths should be used for installation.
  186      (CVE-2019-1552)
  187      [Richard Levitte]
  189   *) Changed DH_check to accept parameters with order q and 2q subgroups.
  190      With order 2q subgroups the bit 0 of the private key is not secret
  191      but DH_generate_key works around that by clearing bit 0 of the
  192      private key for those. This avoids leaking bit 0 of the private key.
  193      [Bernd Edlinger]
  195   *) Significantly reduce secure memory usage by the randomness pools.
  196      [Paul Dale]
  198   *) Revert the DEVRANDOM_WAIT feature for Linux systems
  200      The DEVRANDOM_WAIT feature added a select() call to wait for the
  201      /dev/random device to become readable before reading from the
  202      /dev/urandom device.
  204      It turned out that this change had negative side effects on
  205      performance which were not acceptable. After some discussion it
  206      was decided to revert this feature and leave it up to the OS
  207      resp. the platform maintainer to ensure a proper initialization
  208      during early boot time.
  209      [Matthias St. Pierre]
  211  Changes between 1.1.1b and 1.1.1c [28 May 2019]
  213   *) Add build tests for C++.  These are generated files that only do one
  214      thing, to include one public OpenSSL head file each.  This tests that
  215      the public header files can be usefully included in a C++ application.
  217      This test isn't enabled by default.  It can be enabled with the option
  218      'enable-buildtest-c++'.
  219      [Richard Levitte]
  221   *) Enable SHA3 pre-hashing for ECDSA and DSA.
  222      [Patrick Steuer]
  224   *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
  225      This changes the size when using the genpkey app when no size is given. It
  226      fixes an omission in earlier changes that changed all RSA, DSA and DH
  227      generation apps to use 2048 bits by default.
  228      [Kurt Roeckx]
  230   *) Reorganize the manual pages to consistently have RETURN VALUES,
  231      EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
  232      util/fix-doc-nits accordingly.
  233      [Paul Yang, Joshua Lock]
  235   *) Add the missing accessor EVP_PKEY_get0_engine()
  236      [Matt Caswell]
  238   *) Have apps like 's_client' and 's_server' output the signature scheme
  239      along with other cipher suite parameters when debugging.
  240      [Lorinczy Zsigmond]
  242   *) Make OPENSSL_config() error agnostic again.
  243      [Richard Levitte]
  245   *) Do the error handling in RSA decryption constant time.
  246      [Bernd Edlinger]
  248   *) Prevent over long nonces in ChaCha20-Poly1305.
  250      ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
  251      for every encryption operation. RFC 7539 specifies that the nonce value
  252      (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
  253      and front pads the nonce with 0 bytes if it is less than 12
  254      bytes. However it also incorrectly allows a nonce to be set of up to 16
  255      bytes. In this case only the last 12 bytes are significant and any
  256      additional leading bytes are ignored.
  258      It is a requirement of using this cipher that nonce values are
  259      unique. Messages encrypted using a reused nonce value are susceptible to
  260      serious confidentiality and integrity attacks. If an application changes
  261      the default nonce length to be longer than 12 bytes and then makes a
  262      change to the leading bytes of the nonce expecting the new value to be a
  263      new unique nonce then such an application could inadvertently encrypt
  264      messages with a reused nonce.
  266      Additionally the ignored bytes in a long nonce are not covered by the
  267      integrity guarantee of this cipher. Any application that relies on the
  268      integrity of these ignored leading bytes of a long nonce may be further
  269      affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
  270      is safe because no such use sets such a long nonce value. However user
  271      applications that use this cipher directly and set a non-default nonce
  272      length to be longer than 12 bytes may be vulnerable.
  274      This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
  275      Greef of Ronomon.
  276      (CVE-2019-1543)
  277      [Matt Caswell]
  279   *) Add DEVRANDOM_WAIT feature for Linux systems
  281      On older Linux systems where the getrandom() system call is not available,
  282      OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
  283      Contrary to getrandom(), the /dev/urandom device will not block during
  284      early boot when the kernel CSPRNG has not been seeded yet.
  286      To mitigate this known weakness, use select() to wait for /dev/random to
  287      become readable before reading from /dev/urandom.
  289   *) Ensure that SM2 only uses SM3 as digest algorithm
  290      [Paul Yang]
  292  Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
  294   *) Added SCA hardening for modular field inversion in EC_GROUP through
  295      a new dedicated field_inv() pointer in EC_METHOD.
  296      This also addresses a leakage affecting conversions from projective
  297      to affine coordinates.
  298      [Billy Bob Brumley, Nicola Tuveri]
  300   *) Change the info callback signals for the start and end of a post-handshake
  301      message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
  302      and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
  303      confused by this and assume that a TLSv1.2 renegotiation has started. This
  304      can break KeyUpdate handling. Instead we no longer signal the start and end
  305      of a post handshake message exchange (although the messages themselves are
  306      still signalled). This could break some applications that were expecting
  307      the old signals. However without this KeyUpdate is not usable for many
  308      applications.
  309      [Matt Caswell]
  311   *) Fix a bug in the computation of the endpoint-pair shared secret used
  312      by DTLS over SCTP. This breaks interoperability with older versions
  313      of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
  314      switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
  315      interoperability with such broken implementations. However, enabling
  316      this switch breaks interoperability with correct implementations.
  318   *) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
  319      re-used X509_PUBKEY object if the second PUBKEY is malformed.
  320      [Bernd Edlinger]
  322   *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
  323      [Richard Levitte]
  325   *) Remove the 'dist' target and add a tarball building script.  The
  326      'dist' target has fallen out of use, and it shouldn't be
  327      necessary to configure just to create a source distribution.
  328      [Richard Levitte]
  330  Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
  332   *) Timing vulnerability in DSA signature generation
  334      The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
  335      timing side channel attack. An attacker could use variations in the signing
  336      algorithm to recover the private key.
  338      This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
  339      (CVE-2018-0734)
  340      [Paul Dale]
  342   *) Timing vulnerability in ECDSA signature generation
  344      The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
  345      timing side channel attack. An attacker could use variations in the signing
  346      algorithm to recover the private key.
  348      This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
  349      (CVE-2018-0735)
  350      [Paul Dale]
  352   *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
  353      the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
  354      are retained for backwards compatibility.
  355      [Antoine Salon]
  357   *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
  358      if its length exceeds 4096 bytes. The limit has been raised to a buffer size
  359      of two gigabytes and the error handling improved.
  361      This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
  362      categorized as a normal bug, not a security issue, because the DRBG reseeds
  363      automatically and is fully functional even without additional randomness
  364      provided by the application.
  366  Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
  368   *) Add a new ClientHello callback. Provides a callback interface that gives
  369      the application the ability to adjust the nascent SSL object at the
  370      earliest stage of ClientHello processing, immediately after extensions have
  371      been collected but before they have been processed. In particular, this
  372      callback can adjust the supported TLS versions in response to the contents
  373      of the ClientHello
  374      [Benjamin Kaduk]
  376   *) Add SM2 base algorithm support.
  377      [Jack Lloyd]
  379   *) s390x assembly pack: add (improved) hardware-support for the following
  380      cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
  381      aes-cfb/cfb8, aes-ecb.
  382      [Patrick Steuer]
  384   *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  385      parameter is no longer accepted, as it leads to a corrupt table.  NULL
  386      pem_str is reserved for alias entries only.
  387      [Richard Levitte]
  389   *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
  390      step for prime curves. The new implementation is based on formulae from
  391      differential addition-and-doubling in homogeneous projective coordinates
  392      from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
  393      against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
  394      and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
  395      to work in projective coordinates.
  396      [Billy Bob Brumley, Nicola Tuveri]
  398   *) Change generating and checking of primes so that the error rate of not
  399      being prime depends on the intended use based on the size of the input.
  400      For larger primes this will result in more rounds of Miller-Rabin.
  401      The maximal error rate for primes with more than 1080 bits is lowered
  402      to 2^-128.
  403      [Kurt Roeckx, Annie Yousar]
  405   *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  406      [Kurt Roeckx]
  408   *) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
  409      moving between systems, and to avoid confusion when a Windows build is
  410      done with mingw vs with MSVC.  For POSIX installs, there's still a
  411      symlink or copy named 'tsget' to avoid that confusion as well.
  412      [Richard Levitte]
  414   *) Revert blinding in ECDSA sign and instead make problematic addition
  415      length-invariant. Switch even to fixed-length Montgomery multiplication.
  416      [Andy Polyakov]
  418   *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
  419      step for binary curves. The new implementation is based on formulae from
  420      differential addition-and-doubling in mixed Lopez-Dahab projective
  421      coordinates, modified to independently blind the operands.
  422      [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
  424   *) Add a scaffold to optionally enhance the Montgomery ladder implementation
  425      for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
  426      EC_METHODs to implement their own specialized "ladder step", to take
  427      advantage of more favorable coordinate systems or more efficient
  428      differential addition-and-doubling algorithms.
  429      [Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
  431   *) Modified the random device based seed sources to keep the relevant
  432      file descriptors open rather than reopening them on each access.
  433      This allows such sources to operate in a chroot() jail without
  434      the associated device nodes being available. This behaviour can be
  435      controlled using RAND_keep_random_devices_open().
  436      [Paul Dale]
  438   *) Numerous side-channel attack mitigations have been applied. This may have
  439      performance impacts for some algorithms for the benefit of improved
  440      security. Specific changes are noted in this change log by their respective
  441      authors.
  442      [Matt Caswell]
  444   *) AIX shared library support overhaul. Switch to AIX "natural" way of
  445      handling shared libraries, which means collecting shared objects of
  446      different versions and bitnesses in one common archive. This allows to
  447      mitigate conflict between 1.0 and 1.1 side-by-side installations. It
  448      doesn't affect the way 3rd party applications are linked, only how
  449      multi-version installation is managed.
  450      [Andy Polyakov]
  452   *) Make ec_group_do_inverse_ord() more robust and available to other
  453      EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
  454      mitigations are applied to the fallback BN_mod_inverse().
  455      When using this function rather than BN_mod_inverse() directly, new
  456      EC cryptosystem implementations are then safer-by-default.
  457      [Billy Bob Brumley]
  459   *) Add coordinate blinding for EC_POINT and implement projective
  460      coordinate blinding for generic prime curves as a countermeasure to
  461      chosen point SCA attacks.
  462      [Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
  464   *) Add blinding to ECDSA and DSA signatures to protect against side channel
  465      attacks discovered by Keegan Ryan (NCC Group).
  466      [Matt Caswell]
  468   *) Enforce checking in the pkeyutl command line app to ensure that the input
  469      length does not exceed the maximum supported digest length when performing
  470      a sign, verify or verifyrecover operation.
  471      [Matt Caswell]
  473   *) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
  474      I/O in combination with something like select() or poll() will hang. This
  475      can be turned off again using SSL_CTX_clear_mode().
  476      Many applications do not properly handle non-application data records, and
  477      TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
  478      around the problems in those applications, but can also break some.
  479      It's recommended to read the manpages about SSL_read(), SSL_write(),
  480      SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
  481      SSL_CTX_set_read_ahead() again.
  482      [Kurt Roeckx]
  484   *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  485      now allow empty (zero character) pass phrases.
  486      [Richard Levitte]
  488   *) Apply blinding to binary field modular inversion and remove patent
  489      pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
  490      [Billy Bob Brumley]
  492   *) Deprecate ec2_mult.c and unify scalar multiplication code paths for
  493      binary and prime elliptic curves.
  494      [Billy Bob Brumley]
  496   *) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
  497      constant time fixed point multiplication.
  498      [Billy Bob Brumley]
  500   *) Revise elliptic curve scalar multiplication with timing attack
  501      defenses: ec_wNAF_mul redirects to a constant time implementation
  502      when computing fixed point and variable point multiplication (which
  503      in OpenSSL are mostly used with secret scalars in keygen, sign,
  504      ECDH derive operations).
  505      [Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
  506       Sohaib ul Hassan]
  508   *) Updated CONTRIBUTING
  509      [Rich Salz]
  511   *) Updated DRBG / RAND to request nonce and additional low entropy
  512      randomness from the system.
  513      [Matthias St. Pierre]
  515   *) Updated 'openssl rehash' to use OpenSSL consistent default.
  516      [Richard Levitte]
  518   *) Moved the load of the ssl_conf module to libcrypto, which helps
  519      loading engines that libssl uses before libssl is initialised.
  520      [Matt Caswell]
  522   *) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
  523      [Matt Caswell]
  525   *) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
  526      [Ingo Schwarze, Rich Salz]
  528   *) Added output of accepting IP address and port for 'openssl s_server'
  529      [Richard Levitte]
  531   *) Added a new API for TLSv1.3 ciphersuites:
  532         SSL_CTX_set_ciphersuites()
  533         SSL_set_ciphersuites()
  534      [Matt Caswell]
  536   *) Memory allocation failures consistently add an error to the error
  537      stack.
  538      [Rich Salz]
  540   *) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
  541      in libcrypto when run as setuid/setgid.
  542      [Bernd Edlinger]
  544   *) Load any config file by default when libssl is used.
  545      [Matt Caswell]
  547   *) Added new public header file <openssl/rand_drbg.h> and documentation
  548      for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
  549      [Matthias St. Pierre]
  551   *) QNX support removed (cannot find contributors to get their approval
  552      for the license change).
  553      [Rich Salz]
  555   *) TLSv1.3 replay protection for early data has been implemented. See the
  556      SSL_read_early_data() man page for further details.
  557      [Matt Caswell]
  559   *) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
  560      configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
  561      below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
  562      In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
  563      would otherwise inadvertently disable all TLSv1.3 ciphersuites the
  564      configuration has been separated out. See the ciphers man page or the
  565      SSL_CTX_set_ciphersuites() man page for more information.
  566      [Matt Caswell]
  568   *) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
  569      in responder mode now supports the new "-multi" option, which
  570      spawns the specified number of child processes to handle OCSP
  571      requests.  The "-timeout" option now also limits the OCSP
  572      responder's patience to wait to receive the full client request
  573      on a newly accepted connection. Child processes are respawned
  574      as needed, and the CA index file is automatically reloaded
  575      when changed.  This makes it possible to run the "ocsp" responder
  576      as a long-running service, making the OpenSSL CA somewhat more
  577      feature-complete.  In this mode, most diagnostic messages logged
  578      after entering the event loop are logged via syslog(3) rather than
  579      written to stderr.
  580      [Viktor Dukhovni]
  582   *) Added support for X448 and Ed448. Heavily based on original work by
  583      Mike Hamburg.
  584      [Matt Caswell]
  586   *) Extend OSSL_STORE with capabilities to search and to narrow the set of
  587      objects loaded.  This adds the functions OSSL_STORE_expect() and
  588      OSSL_STORE_find() as well as needed tools to construct searches and
  589      get the search data out of them.
  590      [Richard Levitte]
  592   *) Support for TLSv1.3 added. Note that users upgrading from an earlier
  593      version of OpenSSL should review their configuration settings to ensure
  594      that they are still appropriate for TLSv1.3. For further information see:
  595      https://wiki.openssl.org/index.php/TLS1.3
  596      [Matt Caswell]
  598   *) Grand redesign of the OpenSSL random generator
  600      The default RAND method now utilizes an AES-CTR DRBG according to
  601      NIST standard SP 800-90Ar1. The new random generator is essentially
  602      a port of the default random generator from the OpenSSL FIPS 2.0
  603      object module. It is a hybrid deterministic random bit generator
  604      using an AES-CTR bit stream and which seeds and reseeds itself
  605      automatically using trusted system entropy sources.
  607      Some of its new features are:
  608       o Support for multiple DRBG instances with seed chaining.
  609       o The default RAND method makes use of a DRBG.
  610       o There is a public and private DRBG instance.
  611       o The DRBG instances are fork-safe.
  612       o Keep all global DRBG instances on the secure heap if it is enabled.
  613       o The public and private DRBG instance are per thread for lock free
  614         operation
  615      [Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
  617   *) Changed Configure so it only says what it does and doesn't dump
  618      so much data.  Instead, ./configdata.pm should be used as a script
  619      to display all sorts of configuration data.
  620      [Richard Levitte]
  622   *) Added processing of "make variables" to Configure.
  623      [Richard Levitte]
  625   *) Added SHA512/224 and SHA512/256 algorithm support.
  626      [Paul Dale]
  628   *) The last traces of Netware support, first removed in 1.1.0, have
  629      now been removed.
  630      [Rich Salz]
  632   *) Get rid of Makefile.shared, and in the process, make the processing
  633      of certain files (rc.obj, or the .def/.map/.opt files produced from
  634      the ordinal files) more visible and hopefully easier to trace and
  635      debug (or make silent).
  636      [Richard Levitte]
  638   *) Make it possible to have environment variable assignments as
  639      arguments to config / Configure.
  640      [Richard Levitte]
  642   *) Add multi-prime RSA (RFC 8017) support.
  643      [Paul Yang]
  645   *) Add SM3 implemented according to GB/T 32905-2016
  646      [ Jack Lloyd <jack.lloyd@ribose.com>,
  647        Ronald Tse <ronald.tse@ribose.com>,
  648        Erick Borsboom <erick.borsboom@ribose.com> ]
  650   *) Add 'Maximum Fragment Length' TLS extension negotiation and support
  651      as documented in RFC6066.
  652      Based on a patch from Tomasz Moń
  653      [Filipe Raimundo da Silva]
  655   *) Add SM4 implemented according to GB/T 32907-2016.
  656      [ Jack Lloyd <jack.lloyd@ribose.com>,
  657        Ronald Tse <ronald.tse@ribose.com>,
  658        Erick Borsboom <erick.borsboom@ribose.com> ]
  660   *) Reimplement -newreq-nodes and ERR_error_string_n; the
  661      original author does not agree with the license change.
  662      [Rich Salz]
  664   *) Add ARIA AEAD TLS support.
  665      [Jon Spillett]
  667   *) Some macro definitions to support VS6 have been removed.  Visual
  668      Studio 6 has not worked since 1.1.0
  669      [Rich Salz]
  671   *) Add ERR_clear_last_mark(), to allow callers to clear the last mark
  672      without clearing the errors.
  673      [Richard Levitte]
  675   *) Add "atfork" functions.  If building on a system that without
  676      pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
  677      requirements.  The RAND facility now uses/requires this.
  678      [Rich Salz]
  680   *) Add SHA3.
  681      [Andy Polyakov]
  683   *) The UI API becomes a permanent and integral part of libcrypto, i.e.
  684      not possible to disable entirely.  However, it's still possible to
  685      disable the console reading UI method, UI_OpenSSL() (use UI_null()
  686      as a fallback).
  688      To disable, configure with 'no-ui-console'.  'no-ui' is still
  689      possible to use as an alias.  Check at compile time with the
  690      macro OPENSSL_NO_UI_CONSOLE.  The macro OPENSSL_NO_UI is still
  691      possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
  692      [Richard Levitte]
  694   *) Add a STORE module, which implements a uniform and URI based reader of
  695      stores that can contain keys, certificates, CRLs and numerous other
  696      objects.  The main API is loosely based on a few stdio functions,
  697      and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
  698      OSSL_STORE_error and OSSL_STORE_close.
  699      The implementation uses backends called "loaders" to implement arbitrary
  700      URI schemes.  There is one built in "loader" for the 'file' scheme.
  701      [Richard Levitte]
  703   *) Add devcrypto engine.  This has been implemented against cryptodev-linux,
  704      then adjusted to work on FreeBSD 8.4 as well.
  705      Enable by configuring with 'enable-devcryptoeng'.  This is done by default
  706      on BSD implementations, as cryptodev.h is assumed to exist on all of them.
  707      [Richard Levitte]
  709   *) Module names can prefixed with OSSL_ or OPENSSL_.  This affects
  710      util/mkerr.pl, which is adapted to allow those prefixes, leading to
  711      error code calls like this:
  715      With this change, we claim the namespaces OSSL and OPENSSL in a manner
  716      that can be encoded in C.  For the foreseeable future, this will only
  717      affect new modules.
  718      [Richard Levitte and Tim Hudson]
  720   *) Removed BSD cryptodev engine.
  721      [Rich Salz]
  723   *) Add a build target 'build_all_generated', to build all generated files
  724      and only that.  This can be used to prepare everything that requires
  725      things like perl for a system that lacks perl and then move everything
  726      to that system and do the rest of the build there.
  727      [Richard Levitte]
  729   *) In the UI interface, make it possible to duplicate the user data.  This
  730      can be used by engines that need to retain the data for a longer time
  731      than just the call where this user data is passed.
  732      [Richard Levitte]
  734   *) Ignore the '-named_curve auto' value for compatibility of applications
  735      with OpenSSL 1.0.2.
  736      [Tomas Mraz <tmraz@fedoraproject.org>]
  738   *) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
  739      bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
  740      alerts across multiple records (some of which could be empty). In practice
  741      it make no sense to send an empty alert record, or to fragment one. TLSv1.3
  742      prohibits this altogether and other libraries (BoringSSL, NSS) do not
  743      support this at all. Supporting it adds significant complexity to the
  744      record layer, and its removal is unlikely to cause interoperability
  745      issues.
  746      [Matt Caswell]
  748   *) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
  749      with Z.  These are meant to replace LONG and ZLONG and to be size safe.
  750      The use of LONG and ZLONG is discouraged and scheduled for deprecation
  751      in OpenSSL 1.2.0.
  752      [Richard Levitte]
  754   *) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
  755      'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
  756      [Richard Levitte, Andy Polyakov]
  758   *) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
  759      does for RSA, etc.
  760      [Richard Levitte]
  762   *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
  763      platform rather than 'mingw'.
  764      [Richard Levitte]
  766   *) The functions X509_STORE_add_cert and X509_STORE_add_crl return
  767      success if they are asked to add an object which already exists
  768      in the store. This change cascades to other functions which load
  769      certificates and CRLs.
  770      [Paul Dale]
  772   *) x86_64 assembly pack: annotate code with DWARF CFI directives to
  773      facilitate stack unwinding even from assembly subroutines.
  774      [Andy Polyakov]
  776   *) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
  777      Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
  778      [Richard Levitte]
  780   *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
  781      VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
  782      which is the minimum version we support.
  783      [Richard Levitte]
  785   *) Certificate time validation (X509_cmp_time) enforces stricter
  786      compliance with RFC 5280. Fractional seconds and timezone offsets
  787      are no longer allowed.
  788      [Emilia Käsper]
  790   *) Add support for ARIA
  791      [Paul Dale]
  793   *) s_client will now send the Server Name Indication (SNI) extension by
  794      default unless the new "-noservername" option is used. The server name is
  795      based on the host provided to the "-connect" option unless overridden by
  796      using "-servername".
  797      [Matt Caswell]
  799   *) Add support for SipHash
  800      [Todd Short]
  802   *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
  803      or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
  804      prevent issues where no progress is being made and the peer continually
  805      sends unrecognised record types, using up resources processing them.
  806      [Matt Caswell]
  808   *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
  809      using the algorithm defined in
  810      https://www.akkadia.org/drepper/SHA-crypt.txt
  811      [Richard Levitte]
  813   *) Heartbeat support has been removed; the ABI is changed for now.
  814      [Richard Levitte, Rich Salz]
  816   *) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
  817      [Emilia Käsper]
  819   *) The RSA "null" method, which was partially supported to avoid patent
  820      issues, has been replaced to always returns NULL.
  821      [Rich Salz]
  824  Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
  826   *) Client DoS due to large DH parameter
  828      During key agreement in a TLS handshake using a DH(E) based ciphersuite a
  829      malicious server can send a very large prime value to the client. This will
  830      cause the client to spend an unreasonably long period of time generating a
  831      key for this prime resulting in a hang until the client has finished. This
  832      could be exploited in a Denial Of Service attack.
  834      This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
  835      (CVE-2018-0732)
  836      [Guido Vranken]
  838   *) Cache timing vulnerability in RSA Key Generation
  840      The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
  841      a cache timing side channel attack. An attacker with sufficient access to
  842      mount cache timing attacks during the RSA key generation process could
  843      recover the private key.
  845      This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
  846      Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
  847      (CVE-2018-0737)
  848      [Billy Brumley]
  850   *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
  851      parameter is no longer accepted, as it leads to a corrupt table.  NULL
  852      pem_str is reserved for alias entries only.
  853      [Richard Levitte]
  855   *) Revert blinding in ECDSA sign and instead make problematic addition
  856      length-invariant. Switch even to fixed-length Montgomery multiplication.
  857      [Andy Polyakov]
  859   *) Change generating and checking of primes so that the error rate of not
  860      being prime depends on the intended use based on the size of the input.
  861      For larger primes this will result in more rounds of Miller-Rabin.
  862      The maximal error rate for primes with more than 1080 bits is lowered
  863      to 2^-128.
  864      [Kurt Roeckx, Annie Yousar]
  866   *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  867      [Kurt Roeckx]
  869   *) Add blinding to ECDSA and DSA signatures to protect against side channel
  870      attacks discovered by Keegan Ryan (NCC Group).
  871      [Matt Caswell]
  873   *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
  874      now allow empty (zero character) pass phrases.
  875      [Richard Levitte]
  877   *) Certificate time validation (X509_cmp_time) enforces stricter
  878      compliance with RFC 5280. Fractional seconds and timezone offsets
  879      are no longer allowed.
  880      [Emilia Käsper]
  882   *) Fixed a text canonicalisation bug in CMS
  884      Where a CMS detached signature is used with text content the text goes
  885      through a canonicalisation process first prior to signing or verifying a
  886      signature. This process strips trailing space at the end of lines, converts
  887      line terminators to CRLF and removes additional trailing line terminators
  888      at the end of a file. A bug in the canonicalisation process meant that
  889      some characters, such as form-feed, were incorrectly treated as whitespace
  890      and removed. This is contrary to the specification (RFC5485). This fix
  891      could mean that detached text data signed with an earlier version of
  892      OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
  893      signed with a fixed OpenSSL may fail to verify with an earlier version of
  894      OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
  895      and use the "-binary" flag (for the "cms" command line application) or set
  896      the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
  897      [Matt Caswell]
  899  Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
  901   *) Constructed ASN.1 types with a recursive definition could exceed the stack
  903      Constructed ASN.1 types with a recursive definition (such as can be found
  904      in PKCS7) could eventually exceed the stack given malicious input with
  905      excessive recursion. This could result in a Denial Of Service attack. There
  906      are no such structures used within SSL/TLS that come from untrusted sources
  907      so this is considered safe.
  909      This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
  910      project.
  911      (CVE-2018-0739)
  912      [Matt Caswell]
  914   *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
  916      Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
  917      effectively reduced to only comparing the least significant bit of each
  918      byte. This allows an attacker to forge messages that would be considered as
  919      authenticated in an amount of tries lower than that guaranteed by the
  920      security claims of the scheme. The module can only be compiled by the
  921      HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
  923      This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
  924      (IBM).
  925      (CVE-2018-0733)
  926      [Andy Polyakov]
  928   *) Add a build target 'build_all_generated', to build all generated files
  929      and only that.  This can be used to prepare everything that requires
  930      things like perl for a system that lacks perl and then move everything
  931      to that system and do the rest of the build there.
  932      [Richard Levitte]
  934   *) Backport SSL_OP_NO_RENGOTIATION
  936      OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
  937      (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
  938      changes this is no longer possible in 1.1.0. Therefore the new
  939      SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
  940      1.1.0 to provide equivalent functionality.
  942      Note that if an application built against 1.1.0h headers (or above) is run
  943      using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
  944      accepted but nothing will happen, i.e. renegotiation will not be prevented.
  945      [Matt Caswell]
  947   *) Removed the OS390-Unix config target.  It relied on a script that doesn't
  948      exist.
  949      [Rich Salz]
  951   *) rsaz_1024_mul_avx2 overflow bug on x86_64
  953      There is an overflow bug in the AVX2 Montgomery multiplication procedure
  954      used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
  955      Analysis suggests that attacks against RSA and DSA as a result of this
  956      defect would be very difficult to perform and are not believed likely.
  957      Attacks against DH1024 are considered just feasible, because most of the
  958      work necessary to deduce information about a private key may be performed
  959      offline. The amount of resources required for such an attack would be
  960      significant. However, for an attack on TLS to be meaningful, the server
  961      would have to share the DH1024 private key among multiple clients, which is
  962      no longer an option since CVE-2016-0701.
  964      This only affects processors that support the AVX2 but not ADX extensions
  965      like Intel Haswell (4th generation).
  967      This issue was reported to OpenSSL by David Benjamin (Google). The issue
  968      was originally found via the OSS-Fuzz project.
  969      (CVE-2017-3738)
  970      [Andy Polyakov]
  972  Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
  974   *) bn_sqrx8x_internal carry bug on x86_64
  976      There is a carry propagating bug in the x86_64 Montgomery squaring
  977      procedure. No EC algorithms are affected. Analysis suggests that attacks
  978      against RSA and DSA as a result of this defect would be very difficult to
  979      perform and are not believed likely. Attacks against DH are considered just
  980      feasible (although very difficult) because most of the work necessary to
  981      deduce information about a private key may be performed offline. The amount
  982      of resources required for such an attack would be very significant and
  983      likely only accessible to a limited number of attackers. An attacker would
  984      additionally need online access to an unpatched system using the target
  985      private key in a scenario with persistent DH parameters and a private
  986      key that is shared between multiple clients.
  988      This only affects processors that support the BMI1, BMI2 and ADX extensions
  989      like Intel Broadwell (5th generation) and later or AMD Ryzen.
  991      This issue was reported to OpenSSL by the OSS-Fuzz project.
  992      (CVE-2017-3736)
  993      [Andy Polyakov]
  995   *) Malformed X.509 IPAddressFamily could cause OOB read
  997      If an X.509 certificate has a malformed IPAddressFamily extension,
  998      OpenSSL could do a one-byte buffer overread. The most likely result
  999      would be an erroneous display of the certificate in text format.
 1001      This issue was reported to OpenSSL by the OSS-Fuzz project.
 1002      (CVE-2017-3735)
 1003      [Rich Salz]
 1005  Changes between 1.1.0e and 1.1.0f [25 May 2017]
 1007   *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
 1008      platform rather than 'mingw'.
 1009      [Richard Levitte]
 1011   *) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
 1012      VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
 1013      which is the minimum version we support.
 1014      [Richard Levitte]
 1016  Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
 1018   *) Encrypt-Then-Mac renegotiation crash
 1020      During a renegotiation handshake if the Encrypt-Then-Mac extension is
 1021      negotiated where it was not in the original handshake (or vice-versa) then
 1022      this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
 1023      and servers are affected.
 1025      This issue was reported to OpenSSL by Joe Orton (Red Hat).
 1026      (CVE-2017-3733)
 1027      [Matt Caswell]
 1029  Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
 1031   *) Truncated packet could crash via OOB read
 1033      If one side of an SSL/TLS path is running on a 32-bit host and a specific
 1034      cipher is being used, then a truncated packet can cause that host to
 1035      perform an out-of-bounds read, usually resulting in a crash.
 1037      This issue was reported to OpenSSL by Robert Święcki of Google.
 1038      (CVE-2017-3731)
 1039      [Andy Polyakov]
 1041   *) Bad (EC)DHE parameters cause a client crash
 1043      If a malicious server supplies bad parameters for a DHE or ECDHE key
 1044      exchange then this can result in the client attempting to dereference a
 1045      NULL pointer leading to a client crash. This could be exploited in a Denial
 1046      of Service attack.
 1048      This issue was reported to OpenSSL by Guido Vranken.
 1049      (CVE-2017-3730)
 1050      [Matt Caswell]
 1052   *) BN_mod_exp may produce incorrect results on x86_64
 1054      There is a carry propagating bug in the x86_64 Montgomery squaring
 1055      procedure. No EC algorithms are affected. Analysis suggests that attacks
 1056      against RSA and DSA as a result of this defect would be very difficult to
 1057      perform and are not believed likely. Attacks against DH are considered just
 1058      feasible (although very difficult) because most of the work necessary to
 1059      deduce information about a private key may be performed offline. The amount
 1060      of resources required for such an attack would be very significant and
 1061      likely only accessible to a limited number of attackers. An attacker would
 1062      additionally need online access to an unpatched system using the target
 1063      private key in a scenario with persistent DH parameters and a private
 1064      key that is shared between multiple clients. For example this can occur by
 1065      default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
 1066      similar to CVE-2015-3193 but must be treated as a separate problem.
 1068      This issue was reported to OpenSSL by the OSS-Fuzz project.
 1069      (CVE-2017-3732)
 1070      [Andy Polyakov]
 1072  Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
 1074   *) ChaCha20/Poly1305 heap-buffer-overflow
 1076      TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
 1077      a DoS attack by corrupting larger payloads. This can result in an OpenSSL
 1078      crash. This issue is not considered to be exploitable beyond a DoS.
 1080      This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
 1081      (CVE-2016-7054)
 1082      [Richard Levitte]
 1084   *) CMS Null dereference
 1086      Applications parsing invalid CMS structures can crash with a NULL pointer
 1087      dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
 1088      type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
 1089      structure callback if an attempt is made to free certain invalid encodings.
 1090      Only CHOICE structures using a callback which do not handle NULL value are
 1091      affected.
 1093      This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
 1094      (CVE-2016-7053)
 1095      [Stephen Henson]
 1097   *) Montgomery multiplication may produce incorrect results
 1099      There is a carry propagating bug in the Broadwell-specific Montgomery
 1100      multiplication procedure that handles input lengths divisible by, but
 1101      longer than 256 bits. Analysis suggests that attacks against RSA, DSA
 1102      and DH private keys are impossible. This is because the subroutine in
 1103      question is not used in operations with the private key itself and an input
 1104      of the attacker's direct choice. Otherwise the bug can manifest itself as
 1105      transient authentication and key negotiation failures or reproducible
 1106      erroneous outcome of public-key operations with specially crafted input.
 1107      Among EC algorithms only Brainpool P-512 curves are affected and one
 1108      presumably can attack ECDH key negotiation. Impact was not analyzed in
 1109      detail, because pre-requisites for attack are considered unlikely. Namely
 1110      multiple clients have to choose the curve in question and the server has to
 1111      share the private key among them, neither of which is default behaviour.
 1112      Even then only clients that chose the curve will be affected.
 1114      This issue was publicly reported as transient failures and was not
 1115      initially recognized as a security issue. Thanks to Richard Morgan for
 1116      providing reproducible case.
 1117      (CVE-2016-7055)
 1118      [Andy Polyakov]
 1120   *) Removed automatic addition of RPATH in shared libraries and executables,
 1121      as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
 1122      [Richard Levitte]
 1124  Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
 1126   *) Fix Use After Free for large message sizes
 1128      The patch applied to address CVE-2016-6307 resulted in an issue where if a
 1129      message larger than approx 16k is received then the underlying buffer to
 1130      store the incoming message is reallocated and moved. Unfortunately a
 1131      dangling pointer to the old location is left which results in an attempt to
 1132      write to the previously freed location. This is likely to result in a
 1133      crash, however it could potentially lead to execution of arbitrary code.
 1135      This issue only affects OpenSSL 1.1.0a.
 1137      This issue was reported to OpenSSL by Robert Święcki.
 1138      (CVE-2016-6309)
 1139      [Matt Caswell]
 1141  Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
 1143   *) OCSP Status Request extension unbounded memory growth
 1145      A malicious client can send an excessively large OCSP Status Request
 1146      extension. If that client continually requests renegotiation, sending a
 1147      large OCSP Status Request extension each time, then there will be unbounded
 1148      memory growth on the server. This will eventually lead to a Denial Of
 1149      Service attack through memory exhaustion. Servers with a default
 1150      configuration are vulnerable even if they do not support OCSP. Builds using
 1151      the "no-ocsp" build time option are not affected.
 1153      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
 1154      (CVE-2016-6304)
 1155      [Matt Caswell]
 1157   *) SSL_peek() hang on empty record
 1159      OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
 1160      sends an empty record. This could be exploited by a malicious peer in a
 1161      Denial Of Service attack.
 1163      This issue was reported to OpenSSL by Alex Gaynor.
 1164      (CVE-2016-6305)
 1165      [Matt Caswell]
 1167   *) Excessive allocation of memory in tls_get_message_header() and
 1168      dtls1_preprocess_fragment()
 1170      A (D)TLS message includes 3 bytes for its length in the header for the
 1171      message. This would allow for messages up to 16Mb in length. Messages of
 1172      this length are excessive and OpenSSL includes a check to ensure that a
 1173      peer is sending reasonably sized messages in order to avoid too much memory
 1174      being consumed to service a connection. A flaw in the logic of version
 1175      1.1.0 means that memory for the message is allocated too early, prior to
 1176      the excessive message length check. Due to way memory is allocated in
 1177      OpenSSL this could mean an attacker could force up to 21Mb to be allocated
 1178      to service a connection. This could lead to a Denial of Service through
 1179      memory exhaustion. However, the excessive message length check still takes
 1180      place, and this would cause the connection to immediately fail. Assuming
 1181      that the application calls SSL_free() on the failed connection in a timely
 1182      manner then the 21Mb of allocated memory will then be immediately freed
 1183      again. Therefore the excessive memory allocation will be transitory in
 1184      nature. This then means that there is only a security impact if:
 1186      1) The application does not call SSL_free() in a timely manner in the event
 1187      that the connection fails
 1188      or
 1189      2) The application is working in a constrained environment where there is
 1190      very little free memory
 1191      or
 1192      3) The attacker initiates multiple connection attempts such that there are
 1193      multiple connections in a state where memory has been allocated for the
 1194      connection; SSL_free() has not yet been called; and there is insufficient
 1195      memory to service the multiple requests.
 1197      Except in the instance of (1) above any Denial Of Service is likely to be
 1198      transitory because as soon as the connection fails the memory is
 1199      subsequently freed again in the SSL_free() call. However there is an
 1200      increased risk during this period of application crashes due to the lack of
 1201      memory - which would then mean a more serious Denial of Service.
 1203      This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
 1204      (CVE-2016-6307 and CVE-2016-6308)
 1205      [Matt Caswell]
 1207   *) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
 1208      had to be removed. Primary reason is that vendor assembler can't
 1209      assemble our modules with -KPIC flag. As result it, assembly
 1210      support, was not even available as option. But its lack means
 1211      lack of side-channel resistant code, which is incompatible with
 1212      security by todays standards. Fortunately gcc is readily available
 1213      prepackaged option, which we firmly point at...
 1214      [Andy Polyakov]
 1216  Changes between 1.0.2h and 1.1.0  [25 Aug 2016]
 1218   *) Windows command-line tool supports UTF-8 opt-in option for arguments
 1219      and console input. Setting OPENSSL_WIN32_UTF8 environment variable
 1220      (to any value) allows Windows user to access PKCS#12 file generated
 1221      with Windows CryptoAPI and protected with non-ASCII password, as well
 1222      as files generated under UTF-8 locale on Linux also protected with
 1223      non-ASCII password.
 1224      [Andy Polyakov]
 1226   *) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
 1227      have been disabled by default and removed from DEFAULT, just like RC4.
 1228      See the RC4 item below to re-enable both.
 1229      [Rich Salz]
 1231   *) The method for finding the storage location for the Windows RAND seed file
 1232      has changed. First we check %RANDFILE%. If that is not set then we check
 1233      the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
 1234      all else fails we fall back to C:\.
 1235      [Matt Caswell]
 1237   *) The EVP_EncryptUpdate() function has had its return type changed from void
 1238      to int. A return of 0 indicates and error while a return of 1 indicates
 1239      success.
 1240      [Matt Caswell]
 1243      DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
 1244      off the constant time implementation for RSA, DSA and DH have been made
 1245      no-ops and deprecated.
 1246      [Matt Caswell]
 1248   *) Windows RAND implementation was simplified to only get entropy by
 1249      calling CryptGenRandom(). Various other RAND-related tickets
 1250      were also closed.
 1251      [Joseph Wylie Yandle, Rich Salz]
 1253   *) The stack and lhash API's were renamed to start with OPENSSL_SK_
 1254      and OPENSSL_LH_, respectively.  The old names are available
 1255      with API compatibility.  They new names are now completely documented.
 1256      [Rich Salz]
 1258   *) Unify TYPE_up_ref(obj) methods signature.
 1259      SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
 1260      X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
 1261      int (instead of void) like all others TYPE_up_ref() methods.
 1262      So now these methods also check the return value of CRYPTO_atomic_add(),
 1263      and the validity of object reference counter.
 1264      [fdasilvayy@gmail.com]
 1266   *) With Windows Visual Studio builds, the .pdb files are installed
 1267      alongside the installed libraries and executables.  For a static
 1268      library installation, ossl_static.pdb is the associate compiler
 1269      generated .pdb file to be used when linking programs.
 1270      [Richard Levitte]
 1272   *) Remove openssl.spec.  Packaging files belong with the packagers.
 1273      [Richard Levitte]
 1275   *) Automatic Darwin/OSX configuration has had a refresh, it will now
 1276      recognise x86_64 architectures automatically.  You can still decide
 1277      to build for a different bitness with the environment variable
 1278      KERNEL_BITS (can be 32 or 64), for example:
 1280          KERNEL_BITS=32 ./config
 1282      [Richard Levitte]
 1284   *) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
 1285      256 bit AES and HMAC with SHA256.
 1286      [Steve Henson]
 1288   *) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
 1289      [Andy Polyakov]
 1291   *) Triple-DES ciphers have been moved from HIGH to MEDIUM.
 1292      [Rich Salz]
 1294   *) To enable users to have their own config files and build file templates,
 1295      Configure looks in the directory indicated by the environment variable
 1296      OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
 1297      directory.  On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
 1298      name and is used as is.
 1299      [Richard Levitte]
 1301   *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
 1302      X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
 1303      X509_CERT_FILE_CTX was removed.
 1304      [Rich Salz]
 1306   *) "shared" builds are now the default. To create only static libraries use
 1307      the "no-shared" Configure option.
 1308      [Matt Caswell]
 1310   *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
 1311      All of these option have not worked for some while and are fundamental
 1312      algorithms.
 1313      [Matt Caswell]
 1315   *) Make various cleanup routines no-ops and mark them as deprecated. Most
 1316      global cleanup functions are no longer required because they are handled
 1317      via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
 1318      Explicitly de-initing can cause problems (e.g. where a library that uses
 1319      OpenSSL de-inits, but an application is still using it). The affected
 1320      functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
 1321      EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
 1322      RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
 1323      COMP_zlib_cleanup().
 1324      [Matt Caswell]
 1326   *) --strict-warnings no longer enables runtime debugging options
 1327      such as REF_DEBUG. Instead, debug options are automatically
 1328      enabled with '--debug' builds.
 1329      [Andy Polyakov, Emilia Käsper]
 1331   *) Made DH and DH_METHOD opaque. The structures for managing DH objects
 1332      have been moved out of the public header files. New functions for managing
 1333      these have been added.
 1334      [Matt Caswell]
 1336   *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
 1337      objects have been moved out of the public header files. New
 1338      functions for managing these have been added.
 1339      [Richard Levitte]
 1341   *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
 1342      have been moved out of the public header files. New functions for managing
 1343      these have been added.
 1344      [Matt Caswell]
 1346   *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
 1347      moved out of the public header files. New functions for managing these
 1348      have been added.
 1349      [Matt Caswell]
 1351   *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
 1352      [Matt Caswell]
 1354   *) Removed the mk1mf build scripts.
 1355      [Richard Levitte]
 1357   *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
 1358      it is always safe to #include a header now.
 1359      [Rich Salz]
 1361   *) Removed the aged BC-32 config and all its supporting scripts
 1362      [Richard Levitte]
 1364   *) Removed support for Ultrix, Netware, and OS/2.
 1365      [Rich Salz]
 1367   *) Add support for HKDF.
 1368      [Alessandro Ghedini]
 1370   *) Add support for blake2b and blake2s
 1371      [Bill Cox]
 1373   *) Added support for "pipelining". Ciphers that have the
 1374      EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
 1375      encryptions/decryptions simultaneously. There are currently no built-in
 1376      ciphers with this property but the expectation is that engines will be able
 1377      to offer it to significantly improve throughput. Support has been extended
 1378      into libssl so that multiple records for a single connection can be
 1379      processed in one go (for >=TLS 1.1).
 1380      [Matt Caswell]
 1382   *) Added the AFALG engine. This is an async capable engine which is able to
 1383      offload work to the Linux kernel. In this initial version it only supports
 1384      AES128-CBC. The kernel must be version 4.1.0 or greater.
 1385      [Catriona Lucey]
 1387   *) OpenSSL now uses a new threading API. It is no longer necessary to
 1388      set locking callbacks to use OpenSSL in a multi-threaded environment. There
 1389      are two supported threading models: pthreads and windows threads. It is
 1390      also possible to configure OpenSSL at compile time for "no-threads". The
 1391      old threading API should no longer be used. The functions have been
 1392      replaced with "no-op" compatibility macros.
 1393      [Alessandro Ghedini, Matt Caswell]
 1395   *) Modify behavior of ALPN to invoke callback after SNI/servername
 1396      callback, such that updates to the SSL_CTX affect ALPN.
 1397      [Todd Short]
 1399   *) Add SSL_CIPHER queries for authentication and key-exchange.
 1400      [Todd Short]
 1402   *) Changes to the DEFAULT cipherlist:
 1403        - Prefer (EC)DHE handshakes over plain RSA.
 1404        - Prefer AEAD ciphers over legacy ciphers.
 1405        - Prefer ECDSA over RSA when both certificates are available.
 1406        - Prefer TLSv1.2 ciphers/PRF.
 1407        - Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
 1408          default cipherlist.
 1409      [Emilia Käsper]
 1411   *) Change the ECC default curve list to be this, in order: x25519,
 1412      secp256r1, secp521r1, secp384r1.
 1413      [Rich Salz]
 1415   *) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
 1416      disabled by default. They can be re-enabled using the
 1417      enable-weak-ssl-ciphers option to Configure.
 1418      [Matt Caswell]
 1420   *) If the server has ALPN configured, but supports no protocols that the
 1421      client advertises, send a fatal "no_application_protocol" alert.
 1422      This behaviour is SHALL in RFC 7301, though it isn't universally
 1423      implemented by other servers.
 1424      [Emilia Käsper]
 1426   *) Add X25519 support.
 1427      Add ASN.1 and EVP_PKEY methods for X25519. This includes support
 1428      for public and private key encoding using the format documented in
 1429      draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
 1430      key generation and key derivation.
 1432      TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
 1433      X25519(29).
 1434      [Steve Henson]
 1436   *) Deprecate SRP_VBASE_get_by_user.
 1437      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
 1438      In order to fix an unavoidable memory leak (CVE-2016-0798),
 1439      SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
 1440      seed, even if the seed is configured.
 1442      Users should use SRP_VBASE_get1_by_user instead. Note that in
 1443      SRP_VBASE_get1_by_user, caller must free the returned value. Note
 1444      also that even though configuring the SRP seed attempts to hide
 1445      invalid usernames by continuing the handshake with fake
 1446      credentials, this behaviour is not constant time and no strong
 1447      guarantees are made that the handshake is indistinguishable from
 1448      that of a valid user.
 1449      [Emilia Käsper]
 1451   *) Configuration change; it's now possible to build dynamic engines
 1452      without having to build shared libraries and vice versa.  This
 1453      only applies to the engines in engines/, those in crypto/engine/
 1454      will always be built into libcrypto (i.e. "static").
 1456      Building dynamic engines is enabled by default; to disable, use
 1457      the configuration option "disable-dynamic-engine".
 1459      The only requirements for building dynamic engines are the
 1460      presence of the DSO module and building with position independent
 1461      code, so they will also automatically be disabled if configuring
 1462      with "disable-dso" or "disable-pic".
 1465      are also taken away from openssl/opensslconf.h, as they are
 1466      irrelevant.
 1467      [Richard Levitte]
 1469   *) Configuration change; if there is a known flag to compile
 1470      position independent code, it will always be applied on the
 1471      libcrypto and libssl object files, and never on the application
 1472      object files.  This means other libraries that use routines from
 1473      libcrypto / libssl can be made into shared libraries regardless
 1474      of how OpenSSL was configured.
 1476      If this isn't desirable, the configuration options "disable-pic"
 1477      or "no-pic" can be used to disable the use of PIC.  This will
 1478      also disable building shared libraries and dynamic engines.
 1479      [Richard Levitte]
 1481   *) Removed JPAKE code.  It was experimental and has no wide use.
 1482      [Rich Salz]
 1484   *) The INSTALL_PREFIX Makefile variable has been renamed to
 1485      DESTDIR.  That makes for less confusion on what this variable
 1486      is for.  Also, the configuration option --install_prefix is
 1487      removed.
 1488      [Richard Levitte]
 1490   *) Heartbeat for TLS has been removed and is disabled by default
 1491      for DTLS; configure with enable-heartbeats.  Code that uses the
 1492      old #define's might need to be updated.
 1493      [Emilia Käsper, Rich Salz]
 1495   *) Rename REF_CHECK to REF_DEBUG.
 1496      [Rich Salz]
 1498   *) New "unified" build system
 1500      The "unified" build system is aimed to be a common system for all
 1501      platforms we support.  With it comes new support for VMS.
 1503      This system builds supports building in a different directory tree
 1504      than the source tree.  It produces one Makefile (for unix family
 1505      or lookalikes), or one descrip.mms (for VMS).
 1507      The source of information to make the Makefile / descrip.mms is
 1508      small files called 'build.info', holding the necessary
 1509      information for each directory with source to compile, and a
 1510      template in Configurations, like unix-Makefile.tmpl or
 1511      descrip.mms.tmpl.
 1513      With this change, the library names were also renamed on Windows
 1514      and on VMS.  They now have names that are closer to the standard
 1515      on Unix, and include the major version number, and in certain
 1516      cases, the architecture they are built for.  See "Notes on shared
 1517      libraries" in INSTALL.
 1519      We rely heavily on the perl module Text::Template.
 1520      [Richard Levitte]
 1522   *) Added support for auto-initialisation and de-initialisation of the library.
 1523      OpenSSL no longer requires explicit init or deinit routines to be called,
 1524      except in certain circumstances. See the OPENSSL_init_crypto() and
 1525      OPENSSL_init_ssl() man pages for further information.
 1526      [Matt Caswell]
 1528   *) The arguments to the DTLSv1_listen function have changed. Specifically the
 1529      "peer" argument is now expected to be a BIO_ADDR object.
 1531   *) Rewrite of BIO networking library. The BIO library lacked consistent
 1532      support of IPv6, and adding it required some more extensive
 1533      modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
 1534      which hold all types of addresses and chains of address information.
 1535      It also introduces a new API, with functions like BIO_socket,
 1536      BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
 1537      The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
 1538      have been adapted accordingly.
 1539      [Richard Levitte]
 1541   *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
 1542      the leading 0-byte.
 1543      [Emilia Käsper]
 1545   *) CRIME protection: disable compression by default, even if OpenSSL is
 1546      compiled with zlib enabled. Applications can still enable compression
 1547      by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
 1548      using the SSL_CONF library to configure compression.
 1549      [Emilia Käsper]
 1551   *) The signature of the session callback configured with
 1552      SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
 1553      was explicitly marked as 'const unsigned char*' instead of
 1554      'unsigned char*'.
 1555      [Emilia Käsper]
 1557   *) Always DPURIFY. Remove the use of uninitialized memory in the
 1558      RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
 1559      [Emilia Käsper]
 1561   *) Removed many obsolete configuration items, including
 1562         DES_PTR, DES_RISC1, DES_RISC2, DES_INT
 1563         MD2_CHAR, MD2_INT, MD2_LONG
 1564         BF_PTR, BF_PTR2
 1565         IDEA_SHORT, IDEA_LONG
 1567      [Rich Salz, with advice from Andy Polyakov]
 1569   *) Many BN internals have been moved to an internal header file.
 1570      [Rich Salz with help from Andy Polyakov]
 1572   *) Configuration and writing out the results from it has changed.
 1573      Files such as Makefile include/openssl/opensslconf.h and are now
 1574      produced through general templates, such as Makefile.in and
 1575      crypto/opensslconf.h.in and some help from the perl module
 1576      Text::Template.
 1578      Also, the center of configuration information is no longer
 1579      Makefile.  Instead, Configure produces a perl module in
 1580      configdata.pm which holds most of the config data (in the hash
 1581      table %config), the target data that comes from the target
 1582      configuration in one of the Configurations/*.conf files (in
 1583      %target).
 1584      [Richard Levitte]
 1586   *) To clarify their intended purposes, the Configure options
 1587      --prefix and --openssldir change their semantics, and become more
 1588      straightforward and less interdependent.
 1590      --prefix shall be used exclusively to give the location INSTALLTOP
 1591      where programs, scripts, libraries, include files and manuals are
 1592      going to be installed.  The default is now /usr/local.
 1594      --openssldir shall be used exclusively to give the default
 1595      location OPENSSLDIR where certificates, private keys, CRLs are
 1596      managed.  This is also where the default openssl.cnf gets
 1597      installed.
 1598      If the directory given with this option is a relative path, the
 1599      values of both the --prefix value and the --openssldir value will
 1600      be combined to become OPENSSLDIR.
 1601      The default for --openssldir is INSTALLTOP/ssl.
 1603      Anyone who uses --openssldir to specify where OpenSSL is to be
 1604      installed MUST change to use --prefix instead.
 1605      [Richard Levitte]
 1607   *) The GOST engine was out of date and therefore it has been removed. An up
 1608      to date GOST engine is now being maintained in an external repository.
 1609      See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
 1610      support for GOST ciphersuites (these are only activated if a GOST engine
 1611      is present).
 1612      [Matt Caswell]
 1614   *) EGD is no longer supported by default; use enable-egd when
 1615      configuring.
 1616      [Ben Kaduk and Rich Salz]
 1618   *) The distribution now has Makefile.in files, which are used to
 1619      create Makefile's when Configure is run.  *Configure must be run
 1620      before trying to build now.*
 1621      [Rich Salz]
 1623   *) The return value for SSL_CIPHER_description() for error conditions
 1624      has changed.
 1625      [Rich Salz]
 1627   *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
 1629      Obtaining and performing DNSSEC validation of TLSA records is
 1630      the application's responsibility.  The application provides
 1631      the TLSA records of its choice to OpenSSL, and these are then
 1632      used to authenticate the peer.
 1634      The TLSA records need not even come from DNS.  They can, for
 1635      example, be used to implement local end-entity certificate or
 1636      trust-anchor "pinning", where the "pin" data takes the form
 1637      of TLSA records, which can augment or replace verification
 1638      based on the usual WebPKI public certification authorities.
 1639      [Viktor Dukhovni]
 1641   *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
 1642      continues to support deprecated interfaces in default builds.
 1643      However, applications are strongly advised to compile their
 1644      source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
 1645      the declarations of all interfaces deprecated in 0.9.8, 1.0.0
 1646      or the 1.1.0 releases.
 1648      In environments in which all applications have been ported to
 1649      not use any deprecated interfaces OpenSSL's Configure script
 1650      should be used with the --api=1.1.0 option to entirely remove
 1651      support for the deprecated features from the library and
 1652      unconditionally disable them in the installed headers.
 1653      Essentially the same effect can be achieved with the "no-deprecated"
 1654      argument to Configure, except that this will always restrict
 1655      the build to just the latest API, rather than a fixed API
 1656      version.
 1658      As applications are ported to future revisions of the API,
 1659      they should update their compile-time OPENSSL_API_COMPAT define
 1660      accordingly, but in most cases should be able to continue to
 1661      compile with later releases.
 1663      The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
 1664      0x10000000L and 0x00908000L, respectively.  However those
 1665      versions did not support the OPENSSL_API_COMPAT feature, and
 1666      so applications are not typically tested for explicit support
 1667      of just the undeprecated features of either release.
 1668      [Viktor Dukhovni]
 1670   *) Add support for setting the minimum and maximum supported protocol.
 1671      It can bet set via the SSL_set_min_proto_version() and
 1672      SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
 1673      MaxProtocol.  It's recommended to use the new APIs to disable
 1674      protocols instead of disabling individual protocols using
 1675      SSL_set_options() or SSL_CONF's Protocol.  This change also
 1676      removes support for disabling TLS 1.2 in the OpenSSL TLS
 1677      client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
 1678      [Kurt Roeckx]
 1680   *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
 1681      [Andy Polyakov]
 1683   *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
 1684      and integrates ECDSA and ECDH functionality into EC. Implementations can
 1685      now redirect key generation and no longer need to convert to or from
 1686      ECDSA_SIG format.
 1688      Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
 1689      include the ec.h header file instead.
 1690      [Steve Henson]
 1692   *) Remove support for all 40 and 56 bit ciphers.  This includes all the export
 1693      ciphers who are no longer supported and drops support the ephemeral RSA key
 1694      exchange. The LOW ciphers currently doesn't have any ciphers in it.
 1695      [Kurt Roeckx]
 1698      opaque.  For HMAC_CTX, the following constructors and destructors
 1699      were added:
 1701         HMAC_CTX *HMAC_CTX_new(void);
 1702         void HMAC_CTX_free(HMAC_CTX *ctx);
 1704      For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
 1705      destroy such methods has been added.  See EVP_MD_meth_new(3) and
 1706      EVP_CIPHER_meth_new(3) for documentation.
 1708      Additional changes:
 1709      1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
 1710         HMAC_CTX_cleanup() were removed.  HMAC_CTX_reset() and
 1711         EVP_MD_CTX_reset() should be called instead to reinitialise
 1712         an already created structure.
 1713      2) For consistency with the majority of our object creators and
 1714         destructors, EVP_MD_CTX_(create|destroy) were renamed to
 1715         EVP_MD_CTX_(new|free).  The old names are retained as macros
 1716         for deprecated builds.
 1717      [Richard Levitte]
 1719   *) Added ASYNC support. Libcrypto now includes the async sub-library to enable
 1720      cryptographic operations to be performed asynchronously as long as an
 1721      asynchronous capable engine is used. See the ASYNC_start_job() man page for
 1722      further details. Libssl has also had this capability integrated with the
 1723      introduction of the new mode SSL_MODE_ASYNC and associated error
 1724      SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
 1725      pages. This work was developed in partnership with Intel Corp.
 1726      [Matt Caswell]
 1728   *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
 1729      always enabled now.  If you want to disable the support you should
 1730      exclude it using the list of supported ciphers. This also means that the
 1731      "-no_ecdhe" option has been removed from s_server.
 1732      [Kurt Roeckx]
 1734   *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
 1735      SSL_{CTX_}set1_curves() which can set a list.
 1736      [Kurt Roeckx]
 1738   *) Remove support for SSL_{CTX_}set_tmp_ecdh_callback().  You should set the
 1739      curve you want to support using SSL_{CTX_}set1_curves().
 1740      [Kurt Roeckx]
 1742   *) State machine rewrite. The state machine code has been significantly
 1743      refactored in order to remove much duplication of code and solve issues
 1744      with the old code (see ssl/statem/README for further details). This change
 1745      does have some associated API changes. Notably the SSL_state() function
 1746      has been removed and replaced by SSL_get_state which now returns an
 1747      "OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
 1748      altogether. The previous handshake states defined in ssl.h and ssl3.h have
 1749      also been removed.
 1750      [Matt Caswell]
 1752   *) All instances of the string "ssleay" in the public API were replaced
 1753      with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
 1754      Some error codes related to internal RSA_eay API's were renamed.
 1755      [Rich Salz]
 1757   *) The demo files in crypto/threads were moved to demo/threads.
 1758      [Rich Salz]
 1760   *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
 1761      sureware and ubsec.
 1762      [Matt Caswell, Rich Salz]
 1764   *) New ASN.1 embed macro.
 1766      New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
 1767      structure is not allocated: it is part of the parent. That is instead of
 1769      FOO *x;
 1771      it must be:
 1773      FOO x;
 1775      This reduces memory fragmentation and make it impossible to accidentally
 1776      set a mandatory field to NULL.
 1778      This currently only works for some fields specifically a SEQUENCE, CHOICE,
 1779      or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
 1780      equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
 1781      SEQUENCE OF.
 1782      [Steve Henson]
 1784   *) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
 1785      [Emilia Käsper]
 1787   *) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
 1788      in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
 1789      an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
 1790      DES and RC4 ciphersuites.
 1791      [Matt Caswell]
 1793   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
 1794      This changes the decoding behaviour for some invalid messages,
 1795      though the change is mostly in the more lenient direction, and
 1796      legacy behaviour is preserved as much as possible.
 1797      [Emilia Käsper]
 1799   *) Fix no-stdio build.
 1800     [ David Woodhouse <David.Woodhouse@intel.com> and also
 1801       Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
 1803   *) New testing framework
 1804      The testing framework has been largely rewritten and is now using
 1805      perl and the perl modules Test::Harness and an extended variant of
 1806      Test::More called OpenSSL::Test to do its work.  All test scripts in
 1807      test/ have been rewritten into test recipes, and all direct calls to
 1808      executables in test/Makefile have become individual recipes using the
 1809      simplified testing OpenSSL::Test::Simple.
 1811      For documentation on our testing modules, do:
 1813         perldoc test/testlib/OpenSSL/Test/Simple.pm
 1814         perldoc test/testlib/OpenSSL/Test.pm
 1816      [Richard Levitte]
 1818   *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
 1819      are used; the latter aborts on memory leaks (usually checked on exit).
 1820      Some undocumented "set malloc, etc., hooks" functions were removed
 1821      and others were changed.  All are now documented.
 1822      [Rich Salz]
 1824   *) In DSA_generate_parameters_ex, if the provided seed is too short,
 1825      return an error
 1826      [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
 1828   *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
 1829      from RFC4279, RFC4785, RFC5487, RFC5489.
 1831      Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
 1832      original RSA_PSK patch.
 1833      [Steve Henson]
 1835   *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
 1836      era flag was never set throughout the codebase (only read). Also removed
 1837      SSL3_FLAGS_POP_BUFFER which was only used if
 1838      SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
 1839      [Matt Caswell]
 1841   *) Changed the default name options in the "ca", "crl", "req" and "x509"
 1842      to be "oneline" instead of "compat".
 1843      [Richard Levitte]
 1845   *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
 1846      not aware of clients that still exhibit this bug, and the workaround
 1847      hasn't been working properly for a while.
 1848      [Emilia Käsper]
 1850   *) The return type of BIO_number_read() and BIO_number_written() as well as
 1851      the corresponding num_read and num_write members in the BIO structure has
 1852      changed from unsigned long to uint64_t. On platforms where an unsigned
 1853      long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
 1854      transferred.
 1855      [Matt Caswell]
 1857   *) Given the pervasive nature of TLS extensions it is inadvisable to run
 1858      OpenSSL without support for them. It also means that maintaining
 1859      the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
 1860      not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
 1861      [Matt Caswell]
 1863   *) Removed support for the two export grade static DH ciphersuites
 1864      EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
 1865      were newly added (along with a number of other static DH ciphersuites) to
 1866      1.0.2. However the two export ones have *never* worked since they were
 1867      introduced. It seems strange in any case to be adding new export
 1868      ciphersuites, and given "logjam" it also does not seem correct to fix them.
 1869      [Matt Caswell]
 1871   *) Version negotiation has been rewritten. In particular SSLv23_method(),
 1872      SSLv23_client_method() and SSLv23_server_method() have been deprecated,
 1873      and turned into macros which simply call the new preferred function names
 1874      TLS_method(), TLS_client_method() and TLS_server_method(). All new code
 1875      should use the new names instead. Also as part of this change the ssl23.h
 1876      header file has been removed.
 1877      [Matt Caswell]
 1879   *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
 1880      code and the associated standard is no longer considered fit-for-purpose.
 1881      [Matt Caswell]
 1883   *) RT2547 was closed.  When generating a private key, try to make the
 1884      output file readable only by the owner.  This behavior change might
 1885      be noticeable when interacting with other software.
 1887   *) Documented all exdata functions.  Added CRYPTO_free_ex_index.
 1888      Added a test.
 1889      [Rich Salz]
 1891   *) Added HTTP GET support to the ocsp command.
 1892      [Rich Salz]
 1894   *) Changed default digest for the dgst and enc commands from MD5 to
 1895      sha256
 1896      [Rich Salz]
 1898   *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
 1899      [Matt Caswell]
 1901   *) Added support for TLS extended master secret from
 1902      draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
 1903      initial patch which was a great help during development.
 1904      [Steve Henson]
 1906   *) All libssl internal structures have been removed from the public header
 1907      files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
 1908      now redundant). Users should not attempt to access internal structures
 1909      directly. Instead they should use the provided API functions.
 1910      [Matt Caswell]
 1912   *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
 1913      Access to deprecated functions can be re-enabled by running config with
 1914      "enable-deprecated". In addition applications wishing to use deprecated
 1915      functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
 1916      will, by default, disable some transitive includes that previously existed
 1917      in the header files (e.g. ec.h will no longer, by default, include bn.h)
 1918      [Matt Caswell]
 1920   *) Added support for OCB mode. OpenSSL has been granted a patent license
 1921      compatible with the OpenSSL license for use of OCB. Details are available
 1922      at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
 1923      for OCB can be removed by calling config with no-ocb.
 1924      [Matt Caswell]
 1926   *) SSLv2 support has been removed.  It still supports receiving a SSLv2
 1927      compatible client hello.
 1928      [Kurt Roeckx]
 1930   *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
 1931      done while fixing the error code for the key-too-small case.
 1932      [Annie Yousar <a.yousar@informatik.hu-berlin.de>]
 1934   *) CA.sh has been removed; use CA.pl instead.
 1935      [Rich Salz]
 1937   *) Removed old DES API.
 1938      [Rich Salz]
 1940   *) Remove various unsupported platforms:
 1941         Sony NEWS4
 1942         BEOS and BEOS_R5
 1943         NeXT
 1944         SUNOS
 1945         MPE/iX
 1946         Sinix/ReliantUNIX RM400
 1947         DGUX
 1948         NCR
 1949         Tandem
 1950         Cray
 1951         16-bit platforms such as WIN16
 1952      [Rich Salz]
 1954   *) Clean up OPENSSL_NO_xxx #define's
 1955         Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
 1956         Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
 1957         OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
 1959         OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
 1963         OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
 1964         Remove MS_STATIC; it's a relic from platforms <32 bits.
 1965      [Rich Salz]
 1967   *) Cleaned up dead code
 1968         Remove all but one '#ifdef undef' which is to be looked at.
 1969      [Rich Salz]
 1971   *) Clean up calling of xxx_free routines.
 1972         Just like free(), fix most of the xxx_free routines to accept
 1973         NULL.  Remove the non-null checks from callers.  Save much code.
 1974      [Rich Salz]
 1976   *) Add secure heap for storage of private keys (when possible).
 1977      Add BIO_s_secmem(), CBIGNUM, etc.
 1978      Contributed by Akamai Technologies under our Corporate CLA.
 1979      [Rich Salz]
 1981   *) Experimental support for a new, fast, unbiased prime candidate generator,
 1982      bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
 1983      [Felix Laurie von Massenbach <felix@erbridge.co.uk>]
 1985   *) New output format NSS in the sess_id command line tool. This allows
 1986      exporting the session id and the master key in NSS keylog format.
 1987      [Martin Kaiser <martin@kaiser.cx>]
 1989   *) Harmonize version and its documentation. -f flag is used to display
 1990      compilation flags.
 1991      [mancha <mancha1@zoho.com>]
 1993   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
 1994      in i2d_ECPrivateKey.  Thanks to Ted Unangst for feedback on this issue.
 1995      [mancha <mancha1@zoho.com>]
 1997   *) Fix some double frees. These are not thought to be exploitable.
 1998      [mancha <mancha1@zoho.com>]
 2000   *) A missing bounds check in the handling of the TLS heartbeat extension
 2001      can be used to reveal up to 64k of memory to a connected client or
 2002      server.
 2004      Thanks for Neel Mehta of Google Security for discovering this bug and to
 2005      Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
 2006      preparing the fix (CVE-2014-0160)
 2007      [Adam Langley, Bodo Moeller]
 2009   *) Fix for the attack described in the paper "Recovering OpenSSL
 2010      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
 2011      by Yuval Yarom and Naomi Benger. Details can be obtained from:
 2012      http://eprint.iacr.org/2014/140
 2014      Thanks to Yuval Yarom and Naomi Benger for discovering this
 2015      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
 2016      [Yuval Yarom and Naomi Benger]
 2018   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
 2019      this fixes a limitation in previous versions of OpenSSL.
 2020      [Steve Henson]
 2022   *) Experimental encrypt-then-mac support.
 2024      Experimental support for encrypt then mac from
 2025      draft-gutmann-tls-encrypt-then-mac-02.txt
 2027      To enable it set the appropriate extension number (0x42 for the test
 2028      server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
 2030      For non-compliant peers (i.e. just about everything) this should have no
 2031      effect.
 2035      [Steve Henson]
 2037   *) Add EVP support for key wrapping algorithms, to avoid problems with
 2038      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
 2039      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
 2040      algorithms and include tests cases.
 2041      [Steve Henson]
 2043   *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
 2044      enveloped data.
 2045      [Steve Henson]
 2047   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
 2048      MGF1 digest and OAEP label.
 2049      [Steve Henson]
 2051   *) Make openssl verify return errors.
 2052      [Chris Palmer <palmer@google.com> and Ben Laurie]
 2054   *) New function ASN1_TIME_diff to calculate the difference between two
 2055      ASN1_TIME structures or one structure and the current time.
 2056      [Steve Henson]
 2058   *) Update fips_test_suite to support multiple command line options. New
 2059      test to induce all self test errors in sequence and check expected
 2060      failures.
 2061      [Steve Henson]
 2063   *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
 2064      sign or verify all in one operation.
 2065      [Steve Henson]
 2067   *) Add fips_algvs: a multicall fips utility incorporating all the algorithm
 2068      test programs and fips_test_suite. Includes functionality to parse
 2069      the minimal script output of fipsalgest.pl directly.
 2070      [Steve Henson]
 2072   *) Add authorisation parameter to FIPS_module_mode_set().
 2073      [Steve Henson]
 2075   *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
 2076      [Steve Henson]
 2078   *) Use separate DRBG fields for internal and external flags. New function
 2079      FIPS_drbg_health_check() to perform on demand health checking. Add
 2080      generation tests to fips_test_suite with reduced health check interval to
 2081      demonstrate periodic health checking. Add "nodh" option to
 2082      fips_test_suite to skip very slow DH test.
 2083      [Steve Henson]
 2085   *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
 2086      based on NID.
 2087      [Steve Henson]
 2089   *) More extensive health check for DRBG checking many more failure modes.
 2090      New function FIPS_selftest_drbg_all() to handle every possible DRBG
 2091      combination: call this in fips_test_suite.
 2092      [Steve Henson]
 2094   *) Add support for canonical generation of DSA parameter 'g'. See
 2095      FIPS 186-3 A.2.3.
 2097   *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
 2098      POST to handle HMAC cases.
 2099      [Steve Henson]
 2101   *) Add functions FIPS_module_version() and FIPS_module_version_text()
 2102      to return numerical and string versions of the FIPS module number.
 2103      [Steve Henson]
 2105   *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
 2106      FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
 2107      outside the validated module in the FIPS capable OpenSSL.
 2108      [Steve Henson]
 2110   *) Minor change to DRBG entropy callback semantics. In some cases
 2111      there is no multiple of the block length between min_len and
 2112      max_len. Allow the callback to return more than max_len bytes
 2113      of entropy but discard any extra: it is the callback's responsibility
 2114      to ensure that the extra data discarded does not impact the
 2115      requested amount of entropy.
 2116      [Steve Henson]
 2118   *) Add PRNG security strength checks to RSA, DSA and ECDSA using
 2119      information in FIPS186-3, SP800-57 and SP800-131A.
 2120      [Steve Henson]
 2122   *) CCM support via EVP. Interface is very similar to GCM case except we
 2123      must supply all data in one chunk (i.e. no update, final) and the
 2124      message length must be supplied if AAD is used. Add algorithm test
 2125      support.
 2126      [Steve Henson]
 2128   *) Initial version of POST overhaul. Add POST callback to allow the status
 2129      of POST to be monitored and/or failures induced. Modify fips_test_suite
 2130      to use callback. Always run all selftests even if one fails.
 2131      [Steve Henson]
 2133   *) XTS support including algorithm test driver in the fips_gcmtest program.
 2134      Note: this does increase the maximum key length from 32 to 64 bytes but
 2135      there should be no binary compatibility issues as existing applications
 2136      will never use XTS mode.
 2137      [Steve Henson]
 2139   *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
 2140      to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
 2141      performs algorithm blocking for unapproved PRNG types. Also do not
 2142      set PRNG type in FIPS_mode_set(): leave this to the application.
 2143      Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
 2144      the standard OpenSSL PRNG: set additional data to a date time vector.
 2145      [Steve Henson]
 2147   *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
 2148      This shouldn't present any incompatibility problems because applications
 2149      shouldn't be using these directly and any that are will need to rethink
 2150      anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
 2151      [Steve Henson]
 2153   *) Extensive self tests and health checking required by SP800-90 DRBG.
 2154      Remove strength parameter from FIPS_drbg_instantiate and always
 2155      instantiate at maximum supported strength.
 2156      [Steve Henson]
 2158   *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
 2159      [Steve Henson]
 2161   *) New algorithm test program fips_dhvs to handle DH primitives only testing.
 2162      [Steve Henson]
 2164   *) New function DH_compute_key_padded() to compute a DH key and pad with
 2165      leading zeroes if needed: this complies with SP800-56A et al.
 2166      [Steve Henson]
 2168   *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
 2169      anything, incomplete, subject to change and largely untested at present.
 2170      [Steve Henson]
 2172   *) Modify fipscanisteronly build option to only build the necessary object
 2173      files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
 2174      [Steve Henson]
 2176   *) Add experimental option FIPSSYMS to give all symbols in
 2177      fipscanister.o and FIPS or fips prefix. This will avoid
 2178      conflicts with future versions of OpenSSL. Add perl script
 2179      util/fipsas.pl to preprocess assembly language source files
 2180      and rename any affected symbols.
 2181      [Steve Henson]
 2183   *) Add selftest checks and algorithm block of non-fips algorithms in
 2184      FIPS mode. Remove DES2 from selftests.
 2185      [Steve Henson]
 2187   *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
 2188      return internal method without any ENGINE dependencies. Add new
 2189      tiny fips sign and verify functions.
 2190      [Steve Henson]
 2192   *) New build option no-ec2m to disable characteristic 2 code.
 2193      [Steve Henson]
 2195   *) New build option "fipscanisteronly". This only builds fipscanister.o
 2196      and (currently) associated fips utilities. Uses the file Makefile.fips
 2197      instead of Makefile.org as the prototype.
 2198      [Steve Henson]
 2200   *) Add some FIPS mode restrictions to GCM. Add internal IV generator.
 2201      Update fips_gcmtest to use IV generator.
 2202      [Steve Henson]
 2204   *) Initial, experimental EVP support for AES-GCM. AAD can be input by
 2205      setting output buffer to NULL. The *Final function must be
 2206      called although it will not retrieve any additional data. The tag
 2207      can be set or retrieved with a ctrl. The IV length is by default 12
 2208      bytes (96 bits) but can be set to an alternative value. If the IV
 2209      length exceeds the maximum IV length (currently 16 bytes) it cannot be
 2210      set before the key.
 2211      [Steve Henson]
 2213   *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
 2214      underlying do_cipher function handles all cipher semantics itself
 2215      including padding and finalisation. This is useful if (for example)
 2216      an ENGINE cipher handles block padding itself. The behaviour of
 2217      do_cipher is subtly changed if this flag is set: the return value
 2218      is the number of characters written to the output buffer (zero is
 2219      no longer an error code) or a negative error code. Also if the
 2220      input buffer is NULL and length 0 finalisation should be performed.
 2221      [Steve Henson]
 2223   *) If a candidate issuer certificate is already part of the constructed
 2224      path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
 2225      [Steve Henson]
 2227   *) Improve forward-security support: add functions
 2229        void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
 2230        void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
 2232      for use by SSL/TLS servers; the callback function will be called whenever a
 2233      new session is created, and gets to decide whether the session may be
 2234      cached to make it resumable (return 0) or not (return 1).  (As by the
 2235      SSL/TLS protocol specifications, the session_id sent by the server will be
 2236      empty to indicate that the session is not resumable; also, the server will
 2237      not generate RFC 4507 (RFC 5077) session tickets.)
 2239      A simple reasonable callback implementation is to return is_forward_secure.
 2240      This parameter will be set to 1 or 0 depending on the ciphersuite selected
 2241      by the SSL/TLS server library, indicating whether it can provide forward
 2242      security.
 2243      [Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
 2245   *) New -verify_name option in command line utilities to set verification
 2246      parameters by name.
 2247      [Steve Henson]
 2249   *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
 2250      Add CMAC pkey methods.
 2251      [Steve Henson]
 2253   *) Experimental renegotiation in s_server -www mode. If the client
 2254      browses /reneg connection is renegotiated. If /renegcert it is
 2255      renegotiated requesting a certificate.
 2256      [Steve Henson]
 2258   *) Add an "external" session cache for debugging purposes to s_server. This
 2259      should help trace issues which normally are only apparent in deployed
 2260      multi-process servers.
 2261      [Steve Henson]
 2263   *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
 2264      return value is ignored. NB. The functions RAND_add(), RAND_seed(),
 2265      BIO_set_cipher() and some obscure PEM functions were changed so they
 2266      can now return an error. The RAND changes required a change to the
 2267      RAND_METHOD structure.
 2268      [Steve Henson]
 2270   *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
 2271      a gcc attribute to warn if the result of a function is ignored. This
 2272      is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
 2273      whose return value is often ignored.
 2274      [Steve Henson]
 2276   *) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
 2277      These allow SCTs (signed certificate timestamps) to be requested and
 2278      validated when establishing a connection.
 2279      [Rob Percival <robpercival@google.com>]
 2281  Changes between 1.0.2g and 1.0.2h [3 May 2016]
 2283   *) Prevent padding oracle in AES-NI CBC MAC check
 2285      A MITM attacker can use a padding oracle attack to decrypt traffic
 2286      when the connection uses an AES CBC cipher and the server support
 2287      AES-NI.
 2289      This issue was introduced as part of the fix for Lucky 13 padding
 2290      attack (CVE-2013-0169). The padding check was rewritten to be in
 2291      constant time by making sure that always the same bytes are read and
 2292      compared against either the MAC or padding bytes. But it no longer
 2293      checked that there was enough data to have both the MAC and padding
 2294      bytes.
 2296      This issue was reported by Juraj Somorovsky using TLS-Attacker.
 2297      (CVE-2016-2107)
 2298      [Kurt Roeckx]
 2300   *) Fix EVP_EncodeUpdate overflow
 2302      An overflow can occur in the EVP_EncodeUpdate() function which is used for
 2303      Base64 encoding of binary data. If an attacker is able to supply very large
 2304      amounts of input data then a length check can overflow resulting in a heap
 2305      corruption.
 2307      Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
 2308      the PEM_write_bio* family of functions. These are mainly used within the
 2309      OpenSSL command line applications, so any application which processes data
 2310      from an untrusted source and outputs it as a PEM file should be considered
 2311      vulnerable to this issue. User applications that call these APIs directly
 2312      with large amounts of untrusted data may also be vulnerable.
 2314      This issue was reported by Guido Vranken.
 2315      (CVE-2016-2105)
 2316      [Matt Caswell]
 2318   *) Fix EVP_EncryptUpdate overflow
 2320      An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
 2321      is able to supply very large amounts of input data after a previous call to
 2322      EVP_EncryptUpdate() with a partial block then a length check can overflow
 2323      resulting in a heap corruption. Following an analysis of all OpenSSL
 2324      internal usage of the EVP_EncryptUpdate() function all usage is one of two
 2325      forms. The first form is where the EVP_EncryptUpdate() call is known to be
 2326      the first called function after an EVP_EncryptInit(), and therefore that
 2327      specific call must be safe. The second form is where the length passed to
 2328      EVP_EncryptUpdate() can be seen from the code to be some small value and
 2329      therefore there is no possibility of an overflow. Since all instances are
 2330      one of these two forms, it is believed that there can be no overflows in
 2331      internal code due to this problem. It should be noted that
 2332      EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
 2333      Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
 2334      of these calls have also been analysed too and it is believed there are no
 2335      instances in internal usage where an overflow could occur.
 2337      This issue was reported by Guido Vranken.
 2338      (CVE-2016-2106)
 2339      [Matt Caswell]
 2341   *) Prevent ASN.1 BIO excessive memory allocation
 2343      When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
 2344      a short invalid encoding can cause allocation of large amounts of memory
 2345      potentially consuming excessive resources or exhausting memory.
 2347      Any application parsing untrusted data through d2i BIO functions is
 2348      affected. The memory based functions such as d2i_X509() are *not* affected.
 2349      Since the memory based functions are used by the TLS library, TLS
 2350      applications are not affected.
 2352      This issue was reported by Brian Carpenter.
 2353      (CVE-2016-2109)
 2354      [Stephen Henson]
 2356   *) EBCDIC overread
 2358      ASN1 Strings that are over 1024 bytes can cause an overread in applications
 2359      using the X509_NAME_oneline() function on EBCDIC systems. This could result
 2360      in arbitrary stack data being returned in the buffer.
 2362      This issue was reported by Guido Vranken.
 2363      (CVE-2016-2176)
 2364      [Matt Caswell]
 2366   *) Modify behavior of ALPN to invoke callback after SNI/servername
 2367      callback, such that updates to the SSL_CTX affect ALPN.
 2368      [Todd Short]
 2370   *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
 2371      default.
 2372      [Kurt Roeckx]
 2374   *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
 2375      methods are enabled and ssl2 is disabled the methods return NULL.
 2376      [Kurt Roeckx]
 2378  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 2380   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
 2381     Builds that are not configured with "enable-weak-ssl-ciphers" will not
 2382     provide any "EXPORT" or "LOW" strength ciphers.
 2383     [Viktor Dukhovni]
 2385   * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
 2386     is by default disabled at build-time.  Builds that are not configured with
 2387     "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
 2388     users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
 2389     will need to explicitly call either of:
 2391         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
 2392     or
 2393         SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
 2395     as appropriate.  Even if either of those is used, or the application
 2396     explicitly uses the version-specific SSLv2_method() or its client and
 2397     server variants, SSLv2 ciphers vulnerable to exhaustive search key
 2398     recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
 2399     ciphers, and SSLv2 56-bit DES are no longer available.
 2400     (CVE-2016-0800)
 2401     [Viktor Dukhovni]
 2403   *) Fix a double-free in DSA code
 2405      A double free bug was discovered when OpenSSL parses malformed DSA private
 2406      keys and could lead to a DoS attack or memory corruption for applications
 2407      that receive DSA private keys from untrusted sources.  This scenario is
 2408      considered rare.
 2410      This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
 2411      libFuzzer.
 2412      (CVE-2016-0705)
 2413      [Stephen Henson]
 2415   *) Disable SRP fake user seed to address a server memory leak.
 2417      Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
 2419      SRP_VBASE_get_by_user had inconsistent memory management behaviour.
 2420      In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
 2421      was changed to ignore the "fake user" SRP seed, even if the seed
 2422      is configured.
 2424      Users should use SRP_VBASE_get1_by_user instead. Note that in
 2425      SRP_VBASE_get1_by_user, caller must free the returned value. Note
 2426      also that even though configuring the SRP seed attempts to hide
 2427      invalid usernames by continuing the handshake with fake
 2428      credentials, this behaviour is not constant time and no strong
 2429      guarantees are made that the handshake is indistinguishable from
 2430      that of a valid user.
 2431      (CVE-2016-0798)
 2432      [Emilia Käsper]
 2434   *) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
 2436      In the BN_hex2bn function the number of hex digits is calculated using an
 2437      int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
 2438      large values of |i| this can result in |bn_expand| not allocating any
 2439      memory because |i * 4| is negative. This can leave the internal BIGNUM data
 2440      field as NULL leading to a subsequent NULL ptr deref. For very large values
 2441      of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
 2442      In this case memory is allocated to the internal BIGNUM data field, but it
 2443      is insufficiently sized leading to heap corruption. A similar issue exists
 2444      in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
 2445      is ever called by user applications with very large untrusted hex/dec data.
 2446      This is anticipated to be a rare occurrence.
 2448      All OpenSSL internal usage of these functions use data that is not expected
 2449      to be untrusted, e.g. config file data or application command line
 2450      arguments. If user developed applications generate config file data based
 2451      on untrusted data then it is possible that this could also lead to security
 2452      consequences. This is also anticipated to be rare.
 2454      This issue was reported to OpenSSL by Guido Vranken.
 2455      (CVE-2016-0797)
 2456      [Matt Caswell]
 2458   *) Fix memory issues in BIO_*printf functions
 2460      The internal |fmtstr| function used in processing a "%s" format string in
 2461      the BIO_*printf functions could overflow while calculating the length of a
 2462      string and cause an OOB read when printing very long strings.
 2464      Additionally the internal |doapr_outch| function can attempt to write to an
 2465      OOB memory location (at an offset from the NULL pointer) in the event of a
 2466      memory allocation failure. In 1.0.2 and below this could be caused where
 2467      the size of a buffer to be allocated is greater than INT_MAX. E.g. this
 2468      could be in processing a very long "%s" format string. Memory leaks can
 2469      also occur.
 2471      The first issue may mask the second issue dependent on compiler behaviour.
 2472      These problems could enable attacks where large amounts of untrusted data
 2473      is passed to the BIO_*printf functions. If applications use these functions
 2474      in this way then they could be vulnerable. OpenSSL itself uses these
 2475      functions when printing out human-readable dumps of ASN.1 data. Therefore
 2476      applications that print this data could be vulnerable if the data is from
 2477      untrusted sources. OpenSSL command line applications could also be
 2478      vulnerable where they print out ASN.1 data, or if untrusted data is passed
 2479      as command line arguments.
 2481      Libssl is not considered directly vulnerable. Additionally certificates etc
 2482      received via remote connections via libssl are also unlikely to be able to
 2483      trigger these issues because of message size limits enforced within libssl.
 2485      This issue was reported to OpenSSL Guido Vranken.
 2486      (CVE-2016-0799)
 2487      [Matt Caswell]
 2489   *) Side channel attack on modular exponentiation
 2491      A side-channel attack was found which makes use of cache-bank conflicts on
 2492      the Intel Sandy-Bridge microarchitecture which could lead to the recovery
 2493      of RSA keys.  The ability to exploit this issue is limited as it relies on
 2494      an attacker who has control of code in a thread running on the same
 2495      hyper-threaded core as the victim thread which is performing decryptions.
 2497      This issue was reported to OpenSSL by Yuval Yarom, The University of
 2498      Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
 2499      Nadia Heninger, University of Pennsylvania with more information at
 2500      http://cachebleed.info.
 2501      (CVE-2016-0702)
 2502      [Andy Polyakov]
 2504   *) Change the req app to generate a 2048-bit RSA/DSA key by default,
 2505      if no keysize is specified with default_bits. This fixes an
 2506      omission in an earlier change that changed all RSA/DSA key generation
 2507      apps to use 2048 bits by default.
 2508      [Emilia Käsper]
 2510  Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
 2511   *) DH small subgroups
 2513      Historically OpenSSL only ever generated DH parameters based on "safe"
 2514      primes. More recently (in version 1.0.2) support was provided for
 2515      generating X9.42 style parameter files such as those required for RFC 5114
 2516      support. The primes used in such files may not be "safe". Where an
 2517      application is using DH configured with parameters based on primes that are
 2518      not "safe" then an attacker could use this fact to find a peer's private
 2519      DH exponent. This attack requires that the attacker complete multiple
 2520      handshakes in which the peer uses the same private DH exponent. For example
 2521      this could be used to discover a TLS server's private DH exponent if it's
 2522      reusing the private DH exponent or it's using a static DH ciphersuite.
 2524      OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
 2525      TLS. It is not on by default. If the option is not set then the server
 2526      reuses the same private DH exponent for the life of the server process and
 2527      would be vulnerable to this attack. It is believed that many popular
 2528      applications do set this option and would therefore not be at risk.
 2530      The fix for this issue adds an additional check where a "q" parameter is
 2531      available (as is the case in X9.42 based parameters). This detects the
 2532      only known attack, and is the only possible defense for static DH
 2533      ciphersuites. This could have some performance impact.
 2535      Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
 2536      default and cannot be disabled. This could have some performance impact.
 2538      This issue was reported to OpenSSL by Antonio Sanso (Adobe).
 2539      (CVE-2016-0701)
 2540      [Matt Caswell]
 2542   *) SSLv2 doesn't block disabled ciphers
 2544      A malicious client can negotiate SSLv2 ciphers that have been disabled on
 2545      the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
 2546      been disabled, provided that the SSLv2 protocol was not also disabled via
 2547      SSL_OP_NO_SSLv2.
 2549      This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
 2550      and Sebastian Schinzel.
 2551      (CVE-2015-3197)
 2552      [Viktor Dukhovni]
 2554  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
 2556   *) BN_mod_exp may produce incorrect results on x86_64
 2558      There is a carry propagating bug in the x86_64 Montgomery squaring
 2559      procedure. No EC algorithms are affected. Analysis suggests that attacks
 2560      against RSA and DSA as a result of this defect would be very difficult to
 2561      perform and are not believed likely. Attacks against DH are considered just
 2562      feasible (although very difficult) because most of the work necessary to
 2563      deduce information about a private key may be performed offline. The amount
 2564      of resources required for such an attack would be very significant and
 2565      likely only accessible to a limited number of attackers. An attacker would
 2566      additionally need online access to an unpatched system using the target
 2567      private key in a scenario with persistent DH parameters and a private
 2568      key that is shared between multiple clients. For example this can occur by
 2569      default in OpenSSL DHE based SSL/TLS ciphersuites.
 2571      This issue was reported to OpenSSL by Hanno Böck.
 2572      (CVE-2015-3193)
 2573      [Andy Polyakov]
 2575   *) Certificate verify crash with missing PSS parameter
 2577      The signature verification routines will crash with a NULL pointer
 2578      dereference if presented with an ASN.1 signature using the RSA PSS
 2579      algorithm and absent mask generation function parameter. Since these
 2580      routines are used to verify certificate signature algorithms this can be
 2581      used to crash any certificate verification operation and exploited in a
 2582      DoS attack. Any application which performs certificate verification is
 2583      vulnerable including OpenSSL clients and servers which enable client
 2584      authentication.
 2586      This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
 2587      (CVE-2015-3194)
 2588      [Stephen Henson]
 2590   *) X509_ATTRIBUTE memory leak
 2592      When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
 2593      memory. This structure is used by the PKCS#7 and CMS routines so any
 2594      application which reads PKCS#7 or CMS data from untrusted sources is
 2595      affected. SSL/TLS is not affected.
 2597      This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
 2598      libFuzzer.
 2599      (CVE-2015-3195)
 2600      [Stephen Henson]
 2602   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
 2603      This changes the decoding behaviour for some invalid messages,
 2604      though the change is mostly in the more lenient direction, and
 2605      legacy behaviour is preserved as much as possible.
 2606      [Emilia Käsper]
 2608   *) In DSA_generate_parameters_ex, if the provided seed is too short,
 2609      return an error
 2610      [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
 2612  Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
 2614   *) Alternate chains certificate forgery
 2616      During certificate verification, OpenSSL will attempt to find an
 2617      alternative certificate chain if the first attempt to build such a chain
 2618      fails. An error in the implementation of this logic can mean that an
 2619      attacker could cause certain checks on untrusted certificates to be
 2620      bypassed, such as the CA flag, enabling them to use a valid leaf
 2621      certificate to act as a CA and "issue" an invalid certificate.
 2623      This issue was reported to OpenSSL by Adam Langley/David Benjamin
 2624      (Google/BoringSSL).
 2625      [Matt Caswell]
 2627  Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
 2629   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
 2630      incompatibility in the handling of HMAC. The previous ABI has now been
 2631      restored.
 2632      [Matt Caswell]
 2634  Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
 2636   *) Malformed ECParameters causes infinite loop
 2638      When processing an ECParameters structure OpenSSL enters an infinite loop
 2639      if the curve specified is over a specially malformed binary polynomial
 2640      field.
 2642      This can be used to perform denial of service against any
 2643      system which processes public keys, certificate requests or
 2644      certificates.  This includes TLS clients and TLS servers with
 2645      client authentication enabled.
 2647      This issue was reported to OpenSSL by Joseph Barr-Pixton.
 2648      (CVE-2015-1788)
 2649      [Andy Polyakov]
 2651   *) Exploitable out-of-bounds read in X509_cmp_time
 2653      X509_cmp_time does not properly check the length of the ASN1_TIME
 2654      string and can read a few bytes out of bounds. In addition,
 2655      X509_cmp_time accepts an arbitrary number of fractional seconds in the
 2656      time string.
 2658      An attacker can use this to craft malformed certificates and CRLs of
 2659      various sizes and potentially cause a segmentation fault, resulting in
 2660      a DoS on applications that verify certificates or CRLs. TLS clients
 2661      that verify CRLs are affected. TLS clients and servers with client
 2662      authentication enabled may be affected if they use custom verification
 2663      callbacks.
 2665      This issue was reported to OpenSSL by Robert Swiecki (Google), and
 2666      independently by Hanno Böck.
 2667      (CVE-2015-1789)
 2668      [Emilia Käsper]
 2670   *) PKCS7 crash with missing EnvelopedContent
 2672      The PKCS#7 parsing code does not handle missing inner EncryptedContent
 2673      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
 2674      with missing content and trigger a NULL pointer dereference on parsing.
 2676      Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
 2677      structures from untrusted sources are affected. OpenSSL clients and
 2678      servers are not affected.
 2680      This issue was reported to OpenSSL by Michal Zalewski (Google).
 2681      (CVE-2015-1790)
 2682      [Emilia Käsper]
 2684   *) CMS verify infinite loop with unknown hash function
 2686      When verifying a signedData message the CMS code can enter an infinite loop
 2687      if presented with an unknown hash function OID. This can be used to perform
 2688      denial of service against any system which verifies signedData messages using
 2689      the CMS code.
 2690      This issue was reported to OpenSSL by Johannes Bauer.
 2691      (CVE-2015-1792)
 2692      [Stephen Henson]
 2694   *) Race condition handling NewSessionTicket
 2696      If a NewSessionTicket is received by a multi-threaded client when attempting to
 2697      reuse a previous ticket then a race condition can occur potentially leading to
 2698      a double free of the ticket data.
 2699      (CVE-2015-1791)
 2700      [Matt Caswell]
 2702   *) Only support 256-bit or stronger elliptic curves with the
 2703      'ecdh_auto' setting (server) or by default (client). Of supported
 2704      curves, prefer P-256 (both).
 2705      [Emilia Kasper]
 2707  Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
 2709   *) ClientHello sigalgs DoS fix
 2711      If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
 2712      invalid signature algorithms extension a NULL pointer dereference will
 2713      occur. This can be exploited in a DoS attack against the server.
 2715      This issue was was reported to OpenSSL by David Ramos of Stanford
 2716      University.
 2717      (CVE-2015-0291)
 2718      [Stephen Henson and Matt Caswell]
 2720   *) Multiblock corrupted pointer fix
 2722      OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
 2723      feature only applies on 64 bit x86 architecture platforms that support AES
 2724      NI instructions. A defect in the implementation of "multiblock" can cause
 2725      OpenSSL's internal write buffer to become incorrectly set to NULL when
 2726      using non-blocking IO. Typically, when the user application is using a
 2727      socket BIO for writing, this will only result in a failed connection.
 2728      However if some other BIO is used then it is likely that a segmentation
 2729      fault will be triggered, thus enabling a potential DoS attack.
 2731      This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
 2732      (CVE-2015-0290)
 2733      [Matt Caswell]
 2735   *) Segmentation fault in DTLSv1_listen fix
 2737      The DTLSv1_listen function is intended to be stateless and processes the
 2738      initial ClientHello from many peers. It is common for user code to loop
 2739      over the call to DTLSv1_listen until a valid ClientHello is received with
 2740      an associated cookie. A defect in the implementation of DTLSv1_listen means
 2741      that state is preserved in the SSL object from one invocation to the next
 2742      that can lead to a segmentation fault. Errors processing the initial
 2743      ClientHello can trigger this scenario. An example of such an error could be
 2744      that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
 2745      server.
 2747      This issue was reported to OpenSSL by Per Allansson.
 2748      (CVE-2015-0207)
 2749      [Matt Caswell]
 2751   *) Segmentation fault in ASN1_TYPE_cmp fix
 2753      The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
 2754      made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
 2755      certificate signature algorithm consistency this can be used to crash any
 2756      certificate verification operation and exploited in a DoS attack. Any
 2757      application which performs certificate verification is vulnerable including
 2758      OpenSSL clients and servers which enable client authentication.
 2759      (CVE-2015-0286)
 2760      [Stephen Henson]
 2762   *) Segmentation fault for invalid PSS parameters fix
 2764      The signature verification routines will crash with a NULL pointer
 2765      dereference if presented with an ASN.1 signature using the RSA PSS
 2766      algorithm and invalid parameters. Since these routines are used to verify
 2767      certificate signature algorithms this can be used to crash any
 2768      certificate verification operation and exploited in a DoS attack. Any
 2769      application which performs certificate verification is vulnerable including
 2770      OpenSSL clients and servers which enable client authentication.
 2772      This issue was was reported to OpenSSL by Brian Carpenter.
 2773      (CVE-2015-0208)
 2774      [Stephen Henson]
 2776   *) ASN.1 structure reuse memory corruption fix
 2778      Reusing a structure in ASN.1 parsing may allow an attacker to cause
 2779      memory corruption via an invalid write. Such reuse is and has been
 2780      strongly discouraged and is believed to be rare.
 2782      Applications that parse structures containing CHOICE or ANY DEFINED BY
 2783      components may be affected. Certificate parsing (d2i_X509 and related
 2784      functions) are however not affected. OpenSSL clients and servers are
 2785      not affected.
 2786      (CVE-2015-0287)
 2787      [Stephen Henson]
 2789   *) PKCS7 NULL pointer dereferences fix
 2791      The PKCS#7 parsing code does not handle missing outer ContentInfo
 2792      correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
 2793      missing content and trigger a NULL pointer dereference on parsing.
 2795      Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
 2796      otherwise parse PKCS#7 structures from untrusted sources are
 2797      affected. OpenSSL clients and servers are not affected.
 2799      This issue was reported to OpenSSL by Michal Zalewski (Google).
 2800      (CVE-2015-0289)
 2801      [Emilia Käsper]
 2803   *) DoS via reachable assert in SSLv2 servers fix
 2805      A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
 2806      servers that both support SSLv2 and enable export cipher suites by sending
 2807      a specially crafted SSLv2 CLIENT-MASTER-KEY message.
 2809      This issue was discovered by Sean Burford (Google) and Emilia Käsper
 2810      (OpenSSL development team).
 2811      (CVE-2015-0293)
 2812      [Emilia Käsper]
 2814   *) Empty CKE with client auth and DHE fix
 2816      If client auth is used then a server can seg fault in the event of a DHE
 2817      ciphersuite being selected and a zero length ClientKeyExchange message
 2818      being sent by the client. This could be exploited in a DoS attack.
 2819      (CVE-2015-1787)
 2820      [Matt Caswell]
 2822   *) Handshake with unseeded PRNG fix
 2824      Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
 2825      with an unseeded PRNG. The conditions are:
 2826      - The client is on a platform where the PRNG has not been seeded
 2827      automatically, and the user has not seeded manually
 2828      - A protocol specific client method version has been used (i.e. not
 2829      SSL_client_methodv23)
 2830      - A ciphersuite is used that does not require additional random data from
 2831      the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
 2833      If the handshake succeeds then the client random that has been used will
 2834      have been generated from a PRNG with insufficient entropy and therefore the
 2835      output may be predictable.
 2837      For example using the following command with an unseeded openssl will
 2838      succeed on an unpatched platform:
 2840      openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
 2841      (CVE-2015-0285)
 2842      [Matt Caswell]
 2844   *) Use After Free following d2i_ECPrivatekey error fix
 2846      A malformed EC private key file consumed via the d2i_ECPrivateKey function
 2847      could cause a use after free condition. This, in turn, could cause a double
 2848      free in several private key parsing functions (such as d2i_PrivateKey
 2849      or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
 2850      for applications that receive EC private keys from untrusted
 2851      sources. This scenario is considered rare.
 2853      This issue was discovered by the BoringSSL project and fixed in their
 2854      commit 517073cd4b.
 2855      (CVE-2015-0209)
 2856      [Matt Caswell]
 2858   *) X509_to_X509_REQ NULL pointer deref fix
 2860      The function X509_to_X509_REQ will crash with a NULL pointer dereference if
 2861      the certificate key is invalid. This function is rarely used in practice.
 2863      This issue was discovered by Brian Carpenter.
 2864      (CVE-2015-0288)
 2865      [Stephen Henson]
 2867   *) Removed the export ciphers from the DEFAULT ciphers
 2868      [Kurt Roeckx]
 2870  Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
 2872   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
 2873      ARMv5 through ARMv8, as opposite to "locking" it to single one.
 2874      So far those who have to target multiple platforms would compromise
 2875      and argue that binary targeting say ARMv5 would still execute on
 2876      ARMv8. "Universal" build resolves this compromise by providing
 2877      near-optimal performance even on newer platforms.
 2878      [Andy Polyakov]
 2880   *) Accelerated NIST P-256 elliptic curve implementation for x86_64
 2881      (other platforms pending).
 2882      [Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
 2884   *) Add support for the SignedCertificateTimestampList certificate and
 2885      OCSP response extensions from RFC6962.
 2886      [Rob Stradling]
 2888   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
 2889      for corner cases. (Certain input points at infinity could lead to
 2890      bogus results, with non-infinity inputs mapped to infinity too.)
 2891      [Bodo Moeller]
 2893   *) Initial support for PowerISA 2.0.7, first implemented in POWER8.
 2894      This covers AES, SHA256/512 and GHASH. "Initial" means that most
 2895      common cases are optimized and there still is room for further
 2896      improvements. Vector Permutation AES for Altivec is also added.
 2897      [Andy Polyakov]
 2899   *) Add support for little-endian ppc64 Linux target.
 2900      [Marcelo Cerri (IBM)]
 2902   *) Initial support for AMRv8 ISA crypto extensions. This covers AES,
 2903      SHA1, SHA256 and GHASH. "Initial" means that most common cases
 2904      are optimized and there still is room for further improvements.
 2905      Both 32- and 64-bit modes are supported.
 2906      [Andy Polyakov, Ard Biesheuvel (Linaro)]
 2908   *) Improved ARMv7 NEON support.
 2909      [Andy Polyakov]
 2911   *) Support for SPARC Architecture 2011 crypto extensions, first
 2912      implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
 2913      SHA256/512, MD5, GHASH and modular exponentiation.
 2914      [Andy Polyakov, David Miller]
 2916   *) Accelerated modular exponentiation for Intel processors, a.k.a.
 2917      RSAZ.
 2918      [Shay Gueron & Vlad Krasnov (Intel Corp)]
 2920   *) Support for new and upcoming Intel processors, including AVX2,
 2921      BMI and SHA ISA extensions. This includes additional "stitched"
 2922      implementations, AESNI-SHA256 and GCM, and multi-buffer support
 2923      for TLS encrypt.
 2925      This work was sponsored by Intel Corp.
 2926      [Andy Polyakov]
 2928   *) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
 2929      supports both DTLS 1.2 and 1.0 and should use whatever version the peer
 2930      supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
 2931      [Steve Henson]
 2933   *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
 2934      this fixes a limitation in previous versions of OpenSSL.
 2935      [Steve Henson]
 2937   *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
 2938      MGF1 digest and OAEP label.
 2939      [Steve Henson]
 2941   *) Add EVP support for key wrapping algorithms, to avoid problems with
 2942      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
 2943      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
 2944      algorithms and include tests cases.
 2945      [Steve Henson]
 2947   *) Add functions to allocate and set the fields of an ECDSA_METHOD
 2948      structure.
 2949      [Douglas E. Engert, Steve Henson]
 2951   *) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
 2952      difference in days and seconds between two tm or ASN1_TIME structures.
 2953      [Steve Henson]
 2955   *) Add -rev test option to s_server to just reverse order of characters
 2956      received by client and send back to server. Also prints an abbreviated
 2957      summary of the connection parameters.
 2958      [Steve Henson]
 2960   *) New option -brief for s_client and s_server to print out a brief summary
 2961      of connection parameters.
 2962      [Steve Henson]
 2964   *) Add callbacks for arbitrary TLS extensions.
 2965      [Trevor Perrin <trevp@trevp.net> and Ben Laurie]
 2967   *) New option -crl_download in several openssl utilities to download CRLs
 2968      from CRLDP extension in certificates.
 2969      [Steve Henson]
 2971   *) New options -CRL and -CRLform for s_client and s_server for CRLs.
 2972      [Steve Henson]
 2974   *) New function X509_CRL_diff to generate a delta CRL from the difference
 2975      of two full CRLs. Add support to "crl" utility.
 2976      [Steve Henson]
 2978   *) New functions to set lookup_crls function and to retrieve
 2979      X509_STORE from X509_STORE_CTX.
 2980      [Steve Henson]
 2982   *) Print out deprecated issuer and subject unique ID fields in
 2983      certificates.
 2984      [Steve Henson]
 2986   *) Extend OCSP I/O functions so they can be used for simple general purpose
 2987      HTTP as well as OCSP. New wrapper function which can be used to download
 2988      CRLs using the OCSP API.
 2989      [Steve Henson]
 2991   *) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
 2992      [Steve Henson]
 2994   *) SSL_CONF* functions. These provide a common framework for application
 2995      configuration using configuration files or command lines.
 2996      [Steve Henson]
 2998   *) SSL/TLS tracing code. This parses out SSL/TLS records using the
 2999      message callback and prints the results. Needs compile time option
 3000      "enable-ssl-trace". New options to s_client and s_server to enable
 3001      tracing.
 3002      [Steve Henson]
 3004   *) New ctrl and macro to retrieve supported points extensions.
 3005      Print out extension in s_server and s_client.
 3006      [Steve Henson]
 3008   *) New functions to retrieve certificate signature and signature
 3009      OID NID.
 3010      [Steve Henson]
 3012   *) Add functions to retrieve and manipulate the raw cipherlist sent by a
 3013      client to OpenSSL.
 3014      [Steve Henson]
 3016   *) New Suite B modes for TLS code. These use and enforce the requirements
 3017      of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
 3018      only use Suite B curves. The Suite B modes can be set by using the
 3019      strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
 3020      [Steve Henson]
 3022   *) New chain verification flags for Suite B levels of security. Check
 3023      algorithms are acceptable when flags are set in X509_verify_cert.
 3024      [Steve Henson]
 3026   *) Make tls1_check_chain return a set of flags indicating checks passed
 3027      by a certificate chain. Add additional tests to handle client
 3028      certificates: checks for matching certificate type and issuer name
 3029      comparison.
 3030      [Steve Henson]
 3032   *) If an attempt is made to use a signature algorithm not in the peer
 3033      preference list abort the handshake. If client has no suitable
 3034      signature algorithms in response to a certificate request do not
 3035      use the certificate.
 3036      [Steve Henson]
 3038   *) If server EC tmp key is not in client preference list abort handshake.
 3039      [Steve Henson]
 3041   *) Add support for certificate stores in CERT structure. This makes it
 3042      possible to have different stores per SSL structure or one store in
 3043      the parent SSL_CTX. Include distinct stores for certificate chain
 3044      verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
 3045      to build and store a certificate chain in CERT structure: returning
 3046      an error if the chain cannot be built: this will allow applications
 3047      to test if a chain is correctly configured.
 3049      Note: if the CERT based stores are not set then the parent SSL_CTX
 3050      store is used to retain compatibility with existing behaviour.
 3052      [Steve Henson]
 3054   *) New function ssl_set_client_disabled to set a ciphersuite disabled
 3055      mask based on the current session, check mask when sending client
 3056      hello and checking the requested ciphersuite.
 3057      [Steve Henson]
 3059   *) New ctrls to retrieve and set certificate types in a certificate
 3060      request message. Print out received values in s_client. If certificate
 3061      types is not set with custom values set sensible values based on
 3062      supported signature algorithms.
 3063      [Steve Henson]
 3065   *) Support for distinct client and server supported signature algorithms.
 3066      [Steve Henson]
 3068   *) Add certificate callback. If set this is called whenever a certificate
 3069      is required by client or server. An application can decide which
 3070      certificate chain to present based on arbitrary criteria: for example
 3071      supported signature algorithms. Add very simple example to s_server.
 3072      This fixes many of the problems and restrictions of the existing client
 3073      certificate callback: for example you can now clear an existing
 3074      certificate and specify the whole chain.
 3075      [Steve Henson]
 3077   *) Add new "valid_flags" field to CERT_PKEY structure which determines what
 3078      the certificate can be used for (if anything). Set valid_flags field
 3079      in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
 3080      to have similar checks in it.
 3082      Add new "cert_flags" field to CERT structure and include a "strict mode".
 3083      This enforces some TLS certificate requirements (such as only permitting
 3084      certificate signature algorithms contained in the supported algorithms
 3085      extension) which some implementations ignore: this option should be used
 3086      with caution as it could cause interoperability issues.
 3087      [Steve Henson]
 3089   *) Update and tidy signature algorithm extension processing. Work out
 3090      shared signature algorithms based on preferences and peer algorithms
 3091      and print them out in s_client and s_server. Abort handshake if no
 3092      shared signature algorithms.
 3093      [Steve Henson]
 3095   *) Add new functions to allow customised supported signature algorithms
 3096      for SSL and SSL_CTX structures. Add options to s_client and s_server
 3097      to support them.
 3098      [Steve Henson]
 3100   *) New function SSL_certs_clear() to delete all references to certificates
 3101      from an SSL structure. Before this once a certificate had been added
 3102      it couldn't be removed.
 3103      [Steve Henson]
 3105   *) Integrate hostname, email address and IP address checking with certificate
 3106      verification. New verify options supporting checking in openssl utility.
 3107      [Steve Henson]
 3109   *) Fixes and wildcard matching support to hostname and email checking
 3110      functions. Add manual page.
 3111      [Florian Weimer (Red Hat Product Security Team)]
 3113   *) New functions to check a hostname email or IP address against a
 3114      certificate. Add options x509 utility to print results of checks against
 3115      a certificate.
 3116      [Steve Henson]
 3118   *) Fix OCSP checking.
 3119      [Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
 3121   *) Initial experimental support for explicitly trusted non-root CAs.
 3122      OpenSSL still tries to build a complete chain to a root but if an
 3123      intermediate CA has a trust setting included that is used. The first
 3124      setting is used: whether to trust (e.g., -addtrust option to the x509
 3125      utility) or reject.
 3126      [Steve Henson]
 3128   *) Add -trusted_first option which attempts to find certificates in the
 3129      trusted store even if an untrusted chain is also supplied.
 3130      [Steve Henson]
 3132   *) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
 3133      platform support for Linux and Android.
 3134      [Andy Polyakov]
 3136   *) Support for linux-x32, ILP32 environment in x86_64 framework.
 3137      [Andy Polyakov]
 3139   *) Experimental multi-implementation support for FIPS capable OpenSSL.
 3140      When in FIPS mode the approved implementations are used as normal,
 3141      when not in FIPS mode the internal unapproved versions are used instead.
 3142      This means that the FIPS capable OpenSSL isn't forced to use the
 3143      (often lower performance) FIPS implementations outside FIPS mode.
 3144      [Steve Henson]
 3146   *) Transparently support X9.42 DH parameters when calling
 3147      PEM_read_bio_DHparameters. This means existing applications can handle
 3148      the new parameter format automatically.
 3149      [Steve Henson]
 3151   *) Initial experimental support for X9.42 DH parameter format: mainly
 3152      to support use of 'q' parameter for RFC5114 parameters.
 3153      [Steve Henson]
 3155   *) Add DH parameters from RFC5114 including test data to dhtest.
 3156      [Steve Henson]
 3158   *) Support for automatic EC temporary key parameter selection. If enabled
 3159      the most preferred EC parameters are automatically used instead of
 3160      hardcoded fixed parameters. Now a server just has to call:
 3161      SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
 3162      support ECDH and use the most appropriate parameters.
 3163      [Steve Henson]
 3165   *) Enhance and tidy EC curve and point format TLS extension code. Use
 3166      static structures instead of allocation if default values are used.
 3167      New ctrls to set curves we wish to support and to retrieve shared curves.
 3168      Print out shared curves in s_server. New options to s_server and s_client
 3169      to set list of supported curves.
 3170      [Steve Henson]
 3172   *) New ctrls to retrieve supported signature algorithms and
 3173      supported curve values as an array of NIDs. Extend openssl utility
 3174      to print out received values.
 3175      [Steve Henson]
 3177   *) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
 3178      between NIDs and the more common NIST names such as "P-256". Enhance
 3179      ecparam utility and ECC method to recognise the NIST names for curves.
 3180      [Steve Henson]
 3182   *) Enhance SSL/TLS certificate chain handling to support different
 3183      chains for each certificate instead of one chain in the parent SSL_CTX.
 3184      [Steve Henson]
 3186   *) Support for fixed DH ciphersuite client authentication: where both
 3187      server and client use DH certificates with common parameters.
 3188      [Steve Henson]
 3190   *) Support for fixed DH ciphersuites: those requiring DH server
 3191      certificates.
 3192      [Steve Henson]
 3194   *) New function i2d_re_X509_tbs for re-encoding the TBS portion of
 3195      the certificate.
 3196      Note: Related 1.0.2-beta specific macros X509_get_cert_info,
 3197      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
 3198      X509_CINF_get_signature were reverted post internal team review.
 3200  Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
 3202   *) Build fixes for the Windows and OpenVMS platforms
 3203      [Matt Caswell and Richard Levitte]
 3205  Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
 3207   *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
 3208      message can cause a segmentation fault in OpenSSL due to a NULL pointer
 3209      dereference. This could lead to a Denial Of Service attack. Thanks to
 3210      Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
 3211      (CVE-2014-3571)
 3212      [Steve Henson]
 3214   *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
 3215      dtls1_buffer_record function under certain conditions. In particular this
 3216      could occur if an attacker sent repeated DTLS records with the same
 3217      sequence number but for the next epoch. The memory leak could be exploited
 3218      by an attacker in a Denial of Service attack through memory exhaustion.
 3219      Thanks to Chris Mueller for reporting this issue.
 3220      (CVE-2015-0206)
 3221      [Matt Caswell]
 3223   *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
 3224      built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
 3225      method would be set to NULL which could later result in a NULL pointer
 3226      dereference. Thanks to Frank Schmirler for reporting this issue.
 3227      (CVE-2014-3569)
 3228      [Kurt Roeckx]
 3230   *) Abort handshake if server key exchange message is omitted for ephemeral
 3231      ECDH ciphersuites.
 3233      Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
 3234      reporting this issue.
 3235      (CVE-2014-3572)
 3236      [Steve Henson]
 3238   *) Remove non-export ephemeral RSA code on client and server. This code
 3239      violated the TLS standard by allowing the use of temporary RSA keys in
 3240      non-export ciphersuites and could be used by a server to effectively
 3241      downgrade the RSA key length used to a value smaller than the server
 3242      certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
 3243      INRIA or reporting this issue.
 3244      (CVE-2015-0204)
 3245      [Steve Henson]
 3247   *) Fixed issue where DH client certificates are accepted without verification.
 3248      An OpenSSL server will accept a DH certificate for client authentication
 3249      without the certificate verify message. This effectively allows a client to
 3250      authenticate without the use of a private key. This only affects servers
 3251      which trust a client certificate authority which issues certificates
 3252      containing DH keys: these are extremely rare and hardly ever encountered.
 3253      Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
 3254      this issue.
 3255      (CVE-2015-0205)
 3256      [Steve Henson]
 3258   *) Ensure that the session ID context of an SSL is updated when its
 3259      SSL_CTX is updated via SSL_set_SSL_CTX.
 3261      The session ID context is typically set from the parent SSL_CTX,
 3262      and can vary with the CTX.
 3263      [Adam Langley]
 3265   *) Fix various certificate fingerprint issues.
 3267      By using non-DER or invalid encodings outside the signed portion of a
 3268      certificate the fingerprint can be changed without breaking the signature.
 3269      Although no details of the signed portion of the certificate can be changed
 3270      this can cause problems with some applications: e.g. those using the
 3271      certificate fingerprint for blacklists.
 3273      1. Reject signatures with non zero unused bits.
 3275      If the BIT STRING containing the signature has non zero unused bits reject
 3276      the signature. All current signature algorithms require zero unused bits.
 3278      2. Check certificate algorithm consistency.
 3280      Check the AlgorithmIdentifier inside TBS matches the one in the
 3281      certificate signature. NB: this will result in signature failure
 3282      errors for some broken certificates.
 3284      Thanks to Konrad Kraszewski from Google for reporting this issue.
 3286      3. Check DSA/ECDSA signatures use DER.
 3288      Re-encode DSA/ECDSA signatures and compare with the original received
 3289      signature. Return an error if there is a mismatch.
 3291      This will reject various cases including garbage after signature
 3292      (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
 3293      program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
 3294      (negative or with leading zeroes).
 3296      Further analysis was conducted and fixes were developed by Stephen Henson
 3297      of the OpenSSL core team.
 3299      (CVE-2014-8275)
 3300      [Steve Henson]
 3302    *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
 3303       results on some platforms, including x86_64. This bug occurs at random
 3304       with a very low probability, and is not known to be exploitable in any
 3305       way, though its exact impact is difficult to determine. Thanks to Pieter
 3306       Wuille (Blockstream) who reported this issue and also suggested an initial
 3307       fix. Further analysis was conducted by the OpenSSL development team and
 3308       Adam Langley of Google. The final fix was developed by Andy Polyakov of
 3309       the OpenSSL core team.
 3310       (CVE-2014-3570)
 3311       [Andy Polyakov]
 3313    *) Do not resume sessions on the server if the negotiated protocol
 3314       version does not match the session's version. Resuming with a different
 3315       version, while not strictly forbidden by the RFC, is of questionable
 3316       sanity and breaks all known clients.
 3317       [David Benjamin, Emilia Käsper]
 3319    *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
 3320       early CCS messages during renegotiation. (Note that because
 3321       renegotiation is encrypted, this early CCS was not exploitable.)
 3322       [Emilia Käsper]
 3324    *) Tighten client-side session ticket handling during renegotiation:
 3325       ensure that the client only accepts a session ticket if the server sends
 3326       the extension anew in the ServerHello. Previously, a TLS client would
 3327       reuse the old extension state and thus accept a session ticket if one was
 3328       announced in the initial ServerHello.
 3330       Similarly, ensure that the client requires a session ticket if one
 3331       was advertised in the ServerHello. Previously, a TLS client would
 3332       ignore a missing NewSessionTicket message.
 3333       [Emilia Käsper]
 3335  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
 3337   *) SRTP Memory Leak.
 3339      A flaw in the DTLS SRTP extension parsing code allows an attacker, who
 3340      sends a carefully crafted handshake message, to cause OpenSSL to fail
 3341      to free up to 64k of memory causing a memory leak. This could be
 3342      exploited in a Denial Of Service attack. This issue affects OpenSSL
 3343      1.0.1 server implementations for both SSL/TLS and DTLS regardless of
 3344      whether SRTP is used or configured. Implementations of OpenSSL that
 3345      have been compiled with OPENSSL_NO_SRTP defined are not affected.
 3347      The fix was developed by the OpenSSL team.
 3348      (CVE-2014-3513)
 3349      [OpenSSL team]
 3351   *) Session Ticket Memory Leak.
 3353      When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
 3354      integrity of that ticket is first verified. In the event of a session
 3355      ticket integrity check failing, OpenSSL will fail to free memory
 3356      causing a memory leak. By sending a large number of invalid session
 3357      tickets an attacker could exploit this issue in a Denial Of Service
 3358      attack.
 3359      (CVE-2014-3567)
 3360      [Steve Henson]
 3362   *) Build option no-ssl3 is incomplete.
 3364      When OpenSSL is configured with "no-ssl3" as a build option, servers
 3365      could accept and complete a SSL 3.0 handshake, and clients could be
 3366      configured to send them.
 3367      (CVE-2014-3568)
 3368      [Akamai and the OpenSSL team]
 3370   *) Add support for TLS_FALLBACK_SCSV.
 3371      Client applications doing fallback retries should call
 3372      SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
 3373      (CVE-2014-3566)
 3374      [Adam Langley, Bodo Moeller]
 3376   *) Add additional DigestInfo checks.
 3378      Re-encode DigestInto in DER and check against the original when
 3379      verifying RSA signature: this will reject any improperly encoded
 3380      DigestInfo structures.
 3382      Note: this is a precautionary measure and no attacks are currently known.
 3384      [Steve Henson]
 3386  Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
 3388   *) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
 3389      SRP code can be overrun an internal buffer. Add sanity check that
 3390      g, A, B < N to SRP code.
 3392      Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
 3393      Group for discovering this issue.
 3394      (CVE-2014-3512)
 3395      [Steve Henson]
 3397   *) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
 3398      TLS 1.0 instead of higher protocol versions when the ClientHello message
 3399      is badly fragmented. This allows a man-in-the-middle attacker to force a
 3400      downgrade to TLS 1.0 even if both the server and the client support a
 3401      higher protocol version, by modifying the client's TLS records.
 3403      Thanks to David Benjamin and Adam Langley (Google) for discovering and
 3404      researching this issue.
 3405      (CVE-2014-3511)
 3406      [David Benjamin]
 3408   *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
 3409      to a denial of service attack. A malicious server can crash the client
 3410      with a null pointer dereference (read) by specifying an anonymous (EC)DH
 3411      ciphersuite and sending carefully crafted handshake messages.
 3413      Thanks to Felix Gröbert (Google) for discovering and researching this
 3414      issue.
 3415      (CVE-2014-3510)
 3416      [Emilia Käsper]
 3418   *) By sending carefully crafted DTLS packets an attacker could cause openssl
 3419      to leak memory. This can be exploited through a Denial of Service attack.
 3420      Thanks to Adam Langley for discovering and researching this issue.
 3421      (CVE-2014-3507)
 3422      [Adam Langley]
 3424   *) An attacker can force openssl to consume large amounts of memory whilst
 3425      processing DTLS handshake messages. This can be exploited through a
 3426      Denial of Service attack.
 3427      Thanks to Adam Langley for discovering and researching this issue.
 3428      (CVE-2014-3506)
 3429      [Adam Langley]
 3431   *) An attacker can force an error condition which causes openssl to crash
 3432      whilst processing DTLS packets due to memory being freed twice. This
 3433      can be exploited through a Denial of Service attack.
 3434      Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
 3435      this issue.
 3436      (CVE-2014-3505)
 3437      [Adam Langley]
 3439   *) If a multithreaded client connects to a malicious server using a resumed
 3440      session and the server sends an ec point format extension it could write
 3441      up to 255 bytes to freed memory.
 3443      Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
 3444      issue.
 3445      (CVE-2014-3509)
 3446      [Gabor Tyukasz]
 3448   *) A malicious server can crash an OpenSSL client with a null pointer
 3449      dereference (read) by specifying an SRP ciphersuite even though it was not
 3450      properly negotiated with the client. This can be exploited through a
 3451      Denial of Service attack.
 3453      Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
 3454      discovering and researching this issue.
 3455      (CVE-2014-5139)
 3456      [Steve Henson]
 3458   *) A flaw in OBJ_obj2txt may cause pretty printing functions such as
 3459      X509_name_oneline, X509_name_print_ex et al. to leak some information
 3460      from the stack. Applications may be affected if they echo pretty printing
 3461      output to the attacker.
 3463      Thanks to Ivan Fratric (Google) for discovering this issue.
 3464      (CVE-2014-3508)
 3465      [Emilia Käsper, and Steve Henson]
 3467   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
 3468      for corner cases. (Certain input points at infinity could lead to
 3469      bogus results, with non-infinity inputs mapped to infinity too.)
 3470      [Bodo Moeller]
 3472  Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
 3474   *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
 3475      handshake can force the use of weak keying material in OpenSSL
 3476      SSL/TLS clients and servers.
 3478      Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
 3479      researching this issue. (CVE-2014-0224)
 3480      [KIKUCHI Masashi, Steve Henson]
 3482   *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
 3483      OpenSSL DTLS client the code can be made to recurse eventually crashing
 3484      in a DoS attack.
 3486      Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
 3487      (CVE-2014-0221)
 3488      [Imre Rad, Steve Henson]
 3490   *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
 3491      be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
 3492      client or server. This is potentially exploitable to run arbitrary
 3493      code on a vulnerable client or server.
 3495      Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
 3496      [Jüri Aedla, Steve Henson]
 3498   *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
 3499      are subject to a denial of service attack.
 3501      Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
 3502      this issue. (CVE-2014-3470)
 3503      [Felix Gröbert, Ivan Fratric, Steve Henson]
 3505   *) Harmonize version and its documentation. -f flag is used to display
 3506      compilation flags.
 3507      [mancha <mancha1@zoho.com>]
 3509   *) Fix eckey_priv_encode so it immediately returns an error upon a failure
 3510      in i2d_ECPrivateKey.
 3511      [mancha <mancha1@zoho.com>]
 3513   *) Fix some double frees. These are not thought to be exploitable.
 3514      [mancha <mancha1@zoho.com>]
 3516  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
 3518   *) A missing bounds check in the handling of the TLS heartbeat extension
 3519      can be used to reveal up to 64k of memory to a connected client or
 3520      server.
 3522      Thanks for Neel Mehta of Google Security for discovering this bug and to
 3523      Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
 3524      preparing the fix (CVE-2014-0160)
 3525      [Adam Langley, Bodo Moeller]
 3527   *) Fix for the attack described in the paper "Recovering OpenSSL
 3528      ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
 3529      by Yuval Yarom and Naomi Benger. Details can be obtained from:
 3530      http://eprint.iacr.org/2014/140
 3532      Thanks to Yuval Yarom and Naomi Benger for discovering this
 3533      flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
 3534      [Yuval Yarom and Naomi Benger]
 3536   *) TLS pad extension: draft-agl-tls-padding-03
 3538      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
 3539      TLS client Hello record length value would otherwise be > 255 and
 3540      less that 512 pad with a dummy extension containing zeroes so it
 3541      is at least 512 bytes long.
 3543      [Adam Langley, Steve Henson]
 3545  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
 3547   *) Fix for TLS record tampering bug. A carefully crafted invalid
 3548      handshake could crash OpenSSL with a NULL pointer exception.
 3549      Thanks to Anton Johansson for reporting this issues.
 3550      (CVE-2013-4353)
 3552   *) Keep original DTLS digest and encryption contexts in retransmission
 3553      structures so we can use the previous session parameters if they need
 3554      to be resent. (CVE-2013-6450)
 3555      [Steve Henson]
 3557   *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
 3558      avoids preferring ECDHE-ECDSA ciphers when the client appears to be
 3559      Safari on OS X.  Safari on OS X 10.8..10.8.3 advertises support for
 3560      several ECDHE-ECDSA ciphers, but fails to negotiate them.  The bug
 3561      is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
 3562      10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
 3563      [Rob Stradling, Adam Langley]
 3565  Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
 3567   *) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
 3568      supporting platforms or when small records were transferred.
 3569      [Andy Polyakov, Steve Henson]
 3571  Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
 3573   *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
 3575      This addresses the flaw in CBC record processing discovered by
 3576      Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
 3577      at: http://www.isg.rhul.ac.uk/tls/
 3579      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
 3580      Security Group at Royal Holloway, University of London
 3581      (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
 3582      Emilia Käsper for the initial patch.
 3583      (CVE-2013-0169)
 3584      [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
 3586   *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
 3587      ciphersuites which can be exploited in a denial of service attack.
 3588      Thanks go to and to Adam Langley <agl@chromium.org> for discovering
 3589      and detecting this bug and to Wolfgang Ettlinger
 3590      <wolfgang.ettlinger@gmail.com> for independently discovering this issue.
 3591      (CVE-2012-2686)
 3592      [Adam Langley]
 3594   *) Return an error when checking OCSP signatures when key is NULL.
 3595      This fixes a DoS attack. (CVE-2013-0166)
 3596      [Steve Henson]
 3598   *) Make openssl verify return errors.
 3599      [Chris Palmer <palmer@google.com> and Ben Laurie]
 3601   *) Call OCSP Stapling callback after ciphersuite has been chosen, so
 3602      the right response is stapled. Also change SSL_get_certificate()
 3603      so it returns the certificate actually sent.
 3604      See http://rt.openssl.org/Ticket/Display.html?id=2836.
 3605      [Rob Stradling <rob.stradling@comodo.com>]
 3607   *) Fix possible deadlock when decoding public keys.
 3608      [Steve Henson]
 3610   *) Don't use TLS 1.0 record version number in initial client hello
 3611      if renegotiating.
 3612      [Steve Henson]
 3614  Changes between 1.0.1b and 1.0.1c [10 May 2012]
 3616   *) Sanity check record length before skipping explicit IV in TLS
 3617      1.2, 1.1 and DTLS to fix DoS attack.
 3619      Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
 3620      fuzzing as a service testing platform.
 3621      (CVE-2012-2333)
 3622      [Steve Henson]
 3624   *) Initialise tkeylen properly when encrypting CMS messages.
 3625      Thanks to Solar Designer of Openwall for reporting this issue.
 3626      [Steve Henson]
 3628   *) In FIPS mode don't try to use composite ciphers as they are not
 3629      approved.
 3630      [Steve Henson]
 3632  Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
 3634   *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
 3635      1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
 3636      mean any application compiled against OpenSSL 1.0.0 headers setting
 3637      SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
 3638      TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
 3639      0x10000000L Any application which was previously compiled against
 3640      OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
 3641      will need to be recompiled as a result. Letting be results in
 3642      inability to disable specifically TLS 1.1 and in client context,
 3643      in unlike event, limit maximum offered version to TLS 1.0 [see below].
 3644      [Steve Henson]
 3646   *) In order to ensure interoperability SSL_OP_NO_protocolX does not
 3647      disable just protocol X, but all protocols above X *if* there are
 3648      protocols *below* X still enabled. In more practical terms it means
 3649      that if application wants to disable TLS1.0 in favor of TLS1.1 and
 3650      above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
 3651      SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
 3652      client side.
 3653      [Andy Polyakov]
 3655  Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
 3657   *) Check for potentially exploitable overflows in asn1_d2i_read_bio
 3658      BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
 3659      in CRYPTO_realloc_clean.
 3661      Thanks to Tavis Ormandy, Google Security Team, for discovering this
 3662      issue and to Adam Langley <agl@chromium.org> for fixing it.
 3663      (CVE-2012-2110)
 3664      [Adam Langley (Google), Tavis Ormandy, Google Security Team]
 3666   *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
 3667      [Adam Langley]
 3669   *) Workarounds for some broken servers that "hang" if a client hello
 3670      record length exceeds 255 bytes.
 3672      1. Do not use record version number > TLS 1.0 in initial client
 3673         hello: some (but not all) hanging servers will now work.
 3674      2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
 3675         the number of ciphers sent in the client hello. This should be
 3676         set to an even number, such as 50, for example by passing:
 3677         -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
 3678         Most broken servers should now work.
 3679      3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
 3680         TLS 1.2 client support entirely.
 3681      [Steve Henson]
 3683   *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
 3684      [Andy Polyakov]
 3686  Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
 3688   *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
 3689      STRING form instead of a DigestInfo.
 3690      [Steve Henson]
 3692   *) The format used for MDC2 RSA signatures is inconsistent between EVP
 3693      and the RSA_sign/RSA_verify functions. This was made more apparent when
 3694      OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
 3695      those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
 3696      the correct format in RSA_verify so both forms transparently work.
 3697      [Steve Henson]
 3699   *) Some servers which support TLS 1.0 can choke if we initially indicate
 3700      support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
 3701      encrypted premaster secret. As a workaround use the maximum permitted
 3702      client version in client hello, this should keep such servers happy
 3703      and still work with previous versions of OpenSSL.
 3704      [Steve Henson]
 3706   *) Add support for TLS/DTLS heartbeats.
 3707      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3709   *) Add support for SCTP.
 3710      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3712   *) Improved PRNG seeding for VOS.
 3713      [Paul Green <Paul.Green@stratus.com>]
 3715   *) Extensive assembler packs updates, most notably:
 3717         - x86[_64]:     AES-NI, PCLMULQDQ, RDRAND support;
 3718         - x86[_64]:     SSSE3 support (SHA1, vector-permutation AES);
 3719         - x86_64:       bit-sliced AES implementation;
 3720         - ARM:          NEON support, contemporary platforms optimizations;
 3721         - s390x:        z196 support;
 3722         - *:            GHASH and GF(2^m) multiplication implementations;
 3724      [Andy Polyakov]
 3726   *) Make TLS-SRP code conformant with RFC 5054 API cleanup
 3727      (removal of unnecessary code)
 3728      [Peter Sylvester <peter.sylvester@edelweb.fr>]
 3730   *) Add TLS key material exporter from RFC 5705.
 3731      [Eric Rescorla]
 3733   *) Add DTLS-SRTP negotiation from RFC 5764.
 3734      [Eric Rescorla]
 3736   *) Add Next Protocol Negotiation,
 3737      http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
 3738      disabled with a no-npn flag to config or Configure. Code donated
 3739      by Google.
 3740      [Adam Langley <agl@google.com> and Ben Laurie]
 3742   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
 3743      NIST-P256, NIST-P521, with constant-time single point multiplication on
 3744      typical inputs. Compiler support for the nonstandard type __uint128_t is
 3745      required to use this (present in gcc 4.4 and later, for 64-bit builds).
 3746      Code made available under Apache License version 2.0.
 3748      Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
 3749      line to include this in your build of OpenSSL, and run "make depend" (or
 3750      "make update"). This enables the following EC_METHODs:
 3752          EC_GFp_nistp224_method()
 3753          EC_GFp_nistp256_method()
 3754          EC_GFp_nistp521_method()
 3756      EC_GROUP_new_by_curve_name() will automatically use these (while
 3757      EC_GROUP_new_curve_GFp() currently prefers the more flexible
 3758      implementations).
 3759      [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
 3761   *) Use type ossl_ssize_t instead of ssize_t which isn't available on
 3762      all platforms. Move ssize_t definition from e_os.h to the public
 3763      header file e_os2.h as it now appears in public header file cms.h
 3764      [Steve Henson]
 3766   *) New -sigopt option to the ca, req and x509 utilities. Additional
 3767      signature parameters can be passed using this option and in
 3768      particular PSS.
 3769      [Steve Henson]
 3771   *) Add RSA PSS signing function. This will generate and set the
 3772      appropriate AlgorithmIdentifiers for PSS based on those in the
 3773      corresponding EVP_MD_CTX structure. No application support yet.
 3774      [Steve Henson]
 3776   *) Support for companion algorithm specific ASN1 signing routines.
 3777      New function ASN1_item_sign_ctx() signs a pre-initialised
 3778      EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
 3779      the appropriate parameters.
 3780      [Steve Henson]
 3782   *) Add new algorithm specific ASN1 verification initialisation function
 3783      to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
 3784      handling will be the same no matter what EVP_PKEY_METHOD is used.
 3785      Add a PSS handler to support verification of PSS signatures: checked
 3786      against a number of sample certificates.
 3787      [Steve Henson]
 3789   *) Add signature printing for PSS. Add PSS OIDs.
 3790      [Steve Henson, Martin Kaiser <lists@kaiser.cx>]
 3792   *) Add algorithm specific signature printing. An individual ASN1 method
 3793      can now print out signatures instead of the standard hex dump.
 3795      More complex signatures (e.g. PSS) can print out more meaningful
 3796      information. Include DSA version that prints out the signature
 3797      parameters r, s.
 3798      [Steve Henson]
 3800   *) Password based recipient info support for CMS library: implementing
 3801      RFC3211.
 3802      [Steve Henson]
 3804   *) Split password based encryption into PBES2 and PBKDF2 functions. This
 3805      neatly separates the code into cipher and PBE sections and is required
 3806      for some algorithms that split PBES2 into separate pieces (such as
 3807      password based CMS).
 3808      [Steve Henson]
 3810   *) Session-handling fixes:
 3811      - Fix handling of connections that are resuming with a session ID,
 3812        but also support Session Tickets.
 3813      - Fix a bug that suppressed issuing of a new ticket if the client
 3814        presented a ticket with an expired session.
 3815      - Try to set the ticket lifetime hint to something reasonable.
 3816      - Make tickets shorter by excluding irrelevant information.
 3817      - On the client side, don't ignore renewed tickets.
 3818      [Adam Langley, Bodo Moeller (Google)]
 3820   *) Fix PSK session representation.
 3821      [Bodo Moeller]
 3823   *) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
 3825      This work was sponsored by Intel.
 3826      [Andy Polyakov]
 3828   *) Add GCM support to TLS library. Some custom code is needed to split
 3829      the IV between the fixed (from PRF) and explicit (from TLS record)
 3830      portions. This adds all GCM ciphersuites supported by RFC5288 and
 3831      RFC5289. Generalise some AES* cipherstrings to include GCM and
 3832      add a special AESGCM string for GCM only.
 3833      [Steve Henson]
 3835   *) Expand range of ctrls for AES GCM. Permit setting invocation
 3836      field on decrypt and retrieval of invocation field only on encrypt.
 3837      [Steve Henson]
 3839   *) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
 3840      As required by RFC5289 these ciphersuites cannot be used if for
 3841      versions of TLS earlier than 1.2.
 3842      [Steve Henson]
 3844   *) For FIPS capable OpenSSL interpret a NULL default public key method
 3845      as unset and return the appropriate default but do *not* set the default.
 3846      This means we can return the appropriate method in applications that
 3847      switch between FIPS and non-FIPS modes.
 3848      [Steve Henson]
 3850   *) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
 3851      ENGINE is used then we cannot handle that in the FIPS module so we
 3852      keep original code iff non-FIPS operations are allowed.
 3853      [Steve Henson]
 3855   *) Add -attime option to openssl utilities.
 3856      [Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
 3858   *) Redirect DSA and DH operations to FIPS module in FIPS mode.
 3859      [Steve Henson]
 3861   *) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
 3862      FIPS EC methods unconditionally for now.
 3863      [Steve Henson]
 3865   *) New build option no-ec2m to disable characteristic 2 code.
 3866      [Steve Henson]
 3868   *) Backport libcrypto audit of return value checking from 1.1.0-dev; not
 3869      all cases can be covered as some introduce binary incompatibilities.
 3870      [Steve Henson]
 3872   *) Redirect RSA operations to FIPS module including keygen,
 3873      encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
 3874      [Steve Henson]
 3876   *) Add similar low level API blocking to ciphers.
 3877      [Steve Henson]
 3879   *) Low level digest APIs are not approved in FIPS mode: any attempt
 3880      to use these will cause a fatal error. Applications that *really* want
 3881      to use them can use the private_* version instead.
 3882      [Steve Henson]
 3884   *) Redirect cipher operations to FIPS module for FIPS builds.
 3885      [Steve Henson]
 3887   *) Redirect digest operations to FIPS module for FIPS builds.
 3888      [Steve Henson]
 3890   *) Update build system to add "fips" flag which will link in fipscanister.o
 3891      for static and shared library builds embedding a signature if needed.
 3892      [Steve Henson]
 3894   *) Output TLS supported curves in preference order instead of numerical
 3895      order. This is currently hardcoded for the highest order curves first.
 3896      This should be configurable so applications can judge speed vs strength.
 3897      [Steve Henson]
 3899   *) Add TLS v1.2 server support for client authentication.
 3900      [Steve Henson]
 3902   *) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
 3903      and enable MD5.
 3904      [Steve Henson]
 3906   *) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
 3907      FIPS modules versions.
 3908      [Steve Henson]
 3910   *) Add TLS v1.2 client side support for client authentication. Keep cache
 3911      of handshake records longer as we don't know the hash algorithm to use
 3912      until after the certificate request message is received.
 3913      [Steve Henson]
 3915   *) Initial TLS v1.2 client support. Add a default signature algorithms
 3916      extension including all the algorithms we support. Parse new signature
 3917      format in client key exchange. Relax some ECC signing restrictions for
 3918      TLS v1.2 as indicated in RFC5246.
 3919      [Steve Henson]
 3921   *) Add server support for TLS v1.2 signature algorithms extension. Switch
 3922      to new signature format when needed using client digest preference.
 3923      All server ciphersuites should now work correctly in TLS v1.2. No client
 3924      support yet and no support for client certificates.
 3925      [Steve Henson]
 3927   *) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
 3928      to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
 3929      ciphersuites. At present only RSA key exchange ciphersuites work with
 3930      TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
 3931      SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
 3932      and version checking.
 3933      [Steve Henson]
 3935   *) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
 3936      with this defined it will not be affected by any changes to ssl internal
 3937      structures. Add several utility functions to allow openssl application
 3938      to work with OPENSSL_NO_SSL_INTERN defined.
 3939      [Steve Henson]
 3941   *) A long standing patch to add support for SRP from EdelWeb (Peter
 3942      Sylvester and Christophe Renou) was integrated.
 3943      [Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
 3944      <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
 3945      Ben Laurie]
 3947   *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
 3948      [Steve Henson]
 3950   *) Permit abbreviated handshakes when renegotiating using the function
 3951      SSL_renegotiate_abbreviated().
 3952      [Robin Seggelmann <seggelmann@fh-muenster.de>]
 3954   *) Add call to ENGINE_register_all_complete() to
 3955      ENGINE_load_builtin_engines(), so some implementations get used
 3956      automatically instead of needing explicit application support.
 3957      [Steve Henson]
 3959   *) Add support for TLS key exporter as described in RFC5705.
 3960      [Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson]
 3962   *) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
 3963      a few changes are required:
 3965        Add SSL_OP_NO_TLSv1_1 flag.
 3966        Add TLSv1_1 methods.
 3967        Update version checking logic to handle version 1.1.
 3968        Add explicit IV handling (ported from DTLS code).
 3969        Add command line options to s_client/s_server.
 3970      [Steve Henson]
 3972  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
 3974   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
 3975      in CMS and PKCS7 code. When RSA decryption fails use a random key for
 3976      content decryption and always return the same error. Note: this attack
 3977      needs on average 2^20 messages so it only affects automated senders. The
 3978      old behaviour can be re-enabled in the CMS code by setting the
 3979      CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
 3980      an MMA defence is not necessary.
 3981      Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
 3982      this issue. (CVE-2012-0884)
 3983      [Steve Henson]
 3985   *) Fix CVE-2011-4619: make sure we really are receiving a
 3986      client hello before rejecting multiple SGC restarts. Thanks to
 3987      Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
 3988      [Steve Henson]
 3990  Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
 3992   *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
 3993      Thanks to Antonio Martin, Enterprise Secure Access Research and
 3994      Development, Cisco Systems, Inc. for discovering this bug and
 3995      preparing a fix. (CVE-2012-0050)
 3996      [Antonio Martin]
 3998  Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
 4000   *) Nadhem Alfardan and Kenny Paterson have discovered an extension
 4001      of the Vaudenay padding oracle attack on CBC mode encryption
 4002      which enables an efficient plaintext recovery attack against
 4003      the OpenSSL implementation of DTLS. Their attack exploits timing
 4004      differences arising during decryption processing. A research
 4005      paper describing this attack can be found at:
 4006                   http://www.isg.rhul.ac.uk/~kp/dtls.pdf
 4007      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
 4008      Security Group at Royal Holloway, University of London
 4009      (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
 4010      <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
 4011      for preparing the fix. (CVE-2011-4108)
 4012      [Robin Seggelmann, Michael Tuexen]
 4014   *) Clear bytes used for block padding of SSL 3.0 records.
 4015      (CVE-2011-4576)
 4016      [Adam Langley (Google)]
 4018   *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
 4019      Kadianakis <desnacked@gmail.com> for discovering this issue and
 4020      Adam Langley for preparing the fix. (CVE-2011-4619)
 4021      [Adam Langley (Google)]
 4023   *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
 4024      [Andrey Kulikov <amdeich@gmail.com>]
 4026   *) Prevent malformed RFC3779 data triggering an assertion failure.
 4027      Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
 4028      and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
 4029      [Rob Austein <sra@hactrn.net>]
 4031   *) Improved PRNG seeding for VOS.
 4032      [Paul Green <Paul.Green@stratus.com>]
 4034   *) Fix ssl_ciph.c set-up race.
 4035      [Adam Langley (Google)]
 4037   *) Fix spurious failures in ecdsatest.c.
 4038      [Emilia Käsper (Google)]
 4040   *) Fix the BIO_f_buffer() implementation (which was mixing different
 4041      interpretations of the '..._len' fields).
 4042      [Adam Langley (Google)]
 4044   *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
 4045      BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
 4046      threads won't reuse the same blinding coefficients.
 4048      This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
 4049      lock to call BN_BLINDING_invert_ex, and avoids one use of
 4050      BN_BLINDING_update for each BN_BLINDING structure (previously,
 4051      the last update always remained unused).
 4052      [Emilia Käsper (Google)]
 4054   *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
 4055      [Bob Buckholz (Google)]
 4057  Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
 4059   *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
 4060      by initialising X509_STORE_CTX properly. (CVE-2011-3207)
 4061      [Kaspar Brand <ossl@velox.ch>]
 4063   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
 4064      for multi-threaded use of ECDH. (CVE-2011-3210)
 4065      [Adam Langley (Google)]
 4067   *) Fix x509_name_ex_d2i memory leak on bad inputs.
 4068      [Bodo Moeller]
 4070   *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
 4071      signature public key algorithm by using OID xref utilities instead.
 4072      Before this you could only use some ECC ciphersuites with SHA1 only.
 4073      [Steve Henson]
 4075   *) Add protection against ECDSA timing attacks as mentioned in the paper
 4076      by Billy Bob Brumley and Nicola Tuveri, see:
 4078         http://eprint.iacr.org/2011/232.pdf
 4080      [Billy Bob Brumley and Nicola Tuveri]
 4082  Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
 4084   *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
 4085      [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
 4087   *) Fix bug in string printing code: if *any* escaping is enabled we must
 4088      escape the escape character (backslash) or the resulting string is
 4089      ambiguous.
 4090      [Steve Henson]
 4092  Changes between 1.0.0b and 1.0.0c  [2 Dec 2010]
 4094   *) Disable code workaround for ancient and obsolete Netscape browsers
 4095      and servers: an attacker can use it in a ciphersuite downgrade attack.
 4096      Thanks to Martin Rex for discovering this bug. CVE-2010-4180
 4097      [Steve Henson]
 4099   *) Fixed J-PAKE implementation error, originally discovered by
 4100      Sebastien Martini, further info and confirmation from Stefan
 4101      Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
 4102      [Ben Laurie]
 4104  Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
 4106   *) Fix extension code to avoid race conditions which can result in a buffer
 4107      overrun vulnerability: resumed sessions must not be modified as they can
 4108      be shared by multiple threads. CVE-2010-3864
 4109      [Steve Henson]
 4111   *) Fix WIN32 build system to correctly link an ENGINE directory into
 4112      a DLL.
 4113      [Steve Henson]
 4115  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
 4117   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
 4118      (CVE-2010-1633)
 4119      [Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
 4121  Changes between 0.9.8n and 1.0.0  [29 Mar 2010]
 4123   *) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
 4124      context. The operation can be customised via the ctrl mechanism in
 4125      case ENGINEs want to include additional functionality.
 4126      [Steve Henson]
 4128   *) Tolerate yet another broken PKCS#8 key format: private key value negative.
 4129      [Steve Henson]
 4131   *) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
 4132      output hashes compatible with older versions of OpenSSL.
 4133      [Willy Weisz <weisz@vcpc.univie.ac.at>]
 4135   *) Fix compression algorithm handling: if resuming a session use the
 4136      compression algorithm of the resumed session instead of determining
 4137      it from client hello again. Don't allow server to change algorithm.
 4138      [Steve Henson]
 4140   *) Add load_crls() function to apps tidying load_certs() too. Add option
 4141      to verify utility to allow additional CRLs to be included.
 4142      [Steve Henson]
 4144   *) Update OCSP request code to permit adding custom headers to the request:
 4145      some responders need this.
 4146      [Steve Henson]
 4148   *) The function EVP_PKEY_sign() returns <=0 on error: check return code
 4149      correctly.
 4150      [Julia Lawall <julia@diku.dk>]
 4152   *) Update verify callback code in apps/s_cb.c and apps/verify.c, it
 4153      needlessly dereferenced structures, used obsolete functions and
 4154      didn't handle all updated verify codes correctly.
 4155      [Steve Henson]
 4157   *) Disable MD2 in the default configuration.
 4158      [Steve Henson]
 4160   *) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
 4161      indicate the initial BIO being pushed or popped. This makes it possible
 4162      to determine whether the BIO is the one explicitly called or as a result
 4163      of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
 4164      it handles reference counts correctly and doesn't zero out the I/O bio
 4165      when it is not being explicitly popped. WARNING: applications which
 4166      included workarounds for the old buggy behaviour will need to be modified
 4167      or they could free up already freed BIOs.
 4168      [Steve Henson]
 4170   *) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
 4171      renaming to all platforms (within the 0.9.8 branch, this was
 4172      done conditionally on Netware platforms to avoid a name clash).
 4173      [Guenter <lists@gknw.net>]
 4175   *) Add ECDHE and PSK support to DTLS.
 4176      [Michael Tuexen <tuexen@fh-muenster.de>]
 4178   *) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
 4179      be used on C++.
 4180      [Steve Henson]
 4182   *) Add "missing" function EVP_MD_flags() (without this the only way to
 4183      retrieve a digest flags is by accessing the structure directly. Update
 4184      EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
 4185      or cipher is registered as in the "from" argument. Print out all
 4186      registered digests in the dgst usage message instead of manually
 4187      attempting to work them out.
 4188      [Steve Henson]
 4190   *) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
 4191      this allows the use of compression and extensions. Change default cipher
 4192      string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
 4193      by default unless an application cipher string requests it.
 4194      [Steve Henson]
 4196   *) Alter match criteria in PKCS12_parse(). It used to try to use local
 4197      key ids to find matching certificates and keys but some PKCS#12 files
 4198      don't follow the (somewhat unwritten) rules and this strategy fails.
 4199      Now just gather all certificates together and the first private key
 4200      then look for the first certificate that matches the key.
 4201      [Steve Henson]
 4203   *) Support use of registered digest and cipher names for dgst and cipher
 4204      commands instead of having to add each one as a special case. So now
 4205      you can do:
 4207         openssl sha256 foo
 4209      as well as:
 4211         openssl dgst -sha256 foo
 4213      and this works for ENGINE based algorithms too.
 4215      [Steve Henson]
 4217   *) Update Gost ENGINE to support parameter files.
 4218      [Victor B. Wagner <vitus@cryptocom.ru>]
 4220   *) Support GeneralizedTime in ca utility.
 4221      [Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
 4223   *) Enhance the hash format used for certificate directory links. The new
 4224      form uses the canonical encoding (meaning equivalent names will work
 4225      even if they aren't identical) and uses SHA1 instead of MD5. This form
 4226      is incompatible with the older format and as a result c_rehash should
 4227      be used to rebuild symbolic links.
 4228      [Steve Henson]
 4230   *) Make PKCS#8 the default write format for private keys, replacing the
 4231      traditional format. This form is standardised, more secure and doesn't
 4232      include an implicit MD5 dependency.
 4233      [Steve Henson]
 4235   *) Add a $gcc_devteam_warn option to Configure. The idea is that any code
 4236      committed to OpenSSL should pass this lot as a minimum.
 4237      [Steve Henson]
 4239   *) Add session ticket override functionality for use by EAP-FAST.
 4240      [Jouni Malinen <j@w1.fi>]
 4242   *) Modify HMAC functions to return a value. Since these can be implemented
 4243      in an ENGINE errors can occur.
 4244      [Steve Henson]
 4246   *) Type-checked OBJ_bsearch_ex.
 4247      [Ben Laurie]
 4249   *) Type-checked OBJ_bsearch. Also some constification necessitated
 4250      by type-checking.  Still to come: TXT_DB, bsearch(?),
 4251      OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
 4252      CONF_VALUE.
 4253      [Ben Laurie]
 4255   *) New function OPENSSL_gmtime_adj() to add a specific number of days and
 4256      seconds to a tm structure directly, instead of going through OS
 4257      specific date routines. This avoids any issues with OS routines such
 4258      as the year 2038 bug. New *_adj() functions for ASN1 time structures
 4259      and X509_time_adj_ex() to cover the extended range. The existing
 4260      X509_time_adj() is still usable and will no longer have any date issues.
 4261      [Steve Henson]
 4263   *) Delta CRL support. New use deltas option which will attempt to locate
 4264      and search any appropriate delta CRLs available.
 4266      This work was sponsored by Google.
 4267      [Steve Henson]
 4269   *) Support for CRLs partitioned by reason code. Reorganise CRL processing
 4270      code and add additional score elements. Validate alternate CRL paths
 4271      as part of the CRL checking and indicate a new error "CRL path validation
 4272      error" in this case. Applications wanting additional details can use
 4273      the verify callback and check the new "parent" field. If this is not
 4274      NULL CRL path validation is taking place. Existing applications won't
 4275      see this because it requires extended CRL support which is off by
 4276      default.
 4278      This work was sponsored by Google.
 4279      [Steve Henson]
 4281   *) Support for freshest CRL extension.
 4283      This work was sponsored by Google.
 4284      [Steve Henson]
 4286   *) Initial indirect CRL support. Currently only supported in the CRLs
 4287      passed directly and not via lookup. Process certificate issuer
 4288      CRL entry extension and lookup CRL entries by bother issuer name
 4289      and serial number. Check and process CRL issuer entry in IDP extension.
 4291      This work was sponsored by Google.
 4292      [Steve Henson]
 4294   *) Add support for distinct certificate and CRL paths. The CRL issuer
 4295      certificate is validated separately in this case. Only enabled if
 4296      an extended CRL support flag is set: this flag will enable additional
 4297      CRL functionality in future.
 4299      This work was sponsored by Google.
 4300      [Steve Henson]
 4302   *) Add support for policy mappings extension.
 4304      This work was sponsored by Google.
 4305      [Steve Henson]
 4307   *) Fixes to pathlength constraint, self issued certificate handling,
 4308      policy processing to align with RFC3280 and PKITS tests.
 4310      This work was sponsored by Google.
 4311      [Steve Henson]
 4313   *) Support for name constraints certificate extension. DN, email, DNS
 4314      and URI types are currently supported.
 4316      This work was sponsored by Google.
 4317      [Steve Henson]
 4319   *) To cater for systems that provide a pointer-based thread ID rather
 4320      than numeric, deprecate the current numeric thread ID mechanism and
 4321      replace it with a structure and associated callback type. This
 4322      mechanism allows a numeric "hash" to be extracted from a thread ID in
 4323      either case, and on platforms where pointers are larger than 'long',
 4324      mixing is done to help ensure the numeric 'hash' is usable even if it
 4325      can't be guaranteed unique. The default mechanism is to use "&errno"
 4326      as a pointer-based thread ID to distinguish between threads.
 4328      Applications that want to provide their own thread IDs should now use
 4329      CRYPTO_THREADID_set_callback() to register a callback that will call
 4330      either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
 4332      Note that ERR_remove_state() is now deprecated, because it is tied
 4333      to the assumption that thread IDs are numeric.  ERR_remove_state(0)
 4334      to free the current thread's error state should be replaced by
 4335      ERR_remove_thread_state(NULL).
 4337      (This new approach replaces the functions CRYPTO_set_idptr_callback(),
 4338      CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
 4339      OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
 4340      application was previously providing a numeric thread callback that
 4341      was inappropriate for distinguishing threads, then uniqueness might
 4342      have been obtained with &errno that happened immediately in the
 4343      intermediate development versions of OpenSSL; this is no longer the
 4344      case, the numeric thread callback will now override the automatic use
 4345      of &errno.)
 4346      [Geoff Thorpe, with help from Bodo Moeller]
 4348   *) Initial support for different CRL issuing certificates. This covers a
 4349      simple case where the self issued certificates in the chain exist and
 4350      the real CRL issuer is higher in the existing chain.
 4352      This work was sponsored by Google.
 4353      [Steve Henson]
 4355   *) Removed effectively defunct crypto/store from the build.
 4356      [Ben Laurie]
 4358   *) Revamp of STACK to provide stronger type-checking. Still to come:
 4359      TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
 4361      [Ben Laurie]
 4363   *) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
 4364      RAM on SSL connections.  This option can save about 34k per idle SSL.
 4365      [Nick Mathewson]
 4367   *) Revamp of LHASH to provide stronger type-checking. Still to come:
 4368      STACK, TXT_DB, bsearch, qsort.
 4369      [Ben Laurie]
 4371   *) Initial support for Cryptographic Message Syntax (aka CMS) based
 4372      on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
 4373      support for data, signedData, compressedData, digestedData and
 4374      encryptedData, envelopedData types included. Scripts to check against
 4375      RFC4134 examples draft and interop and consistency checks of many
 4376      content types and variants.
 4377      [Steve Henson]
 4379   *) Add options to enc utility to support use of zlib compression BIO.
 4380      [Steve Henson]
 4382   *) Extend mk1mf to support importing of options and assembly language
 4383      files from Configure script, currently only included in VC-WIN32.
 4384      The assembly language rules can now optionally generate the source
 4385      files from the associated perl scripts.
 4386      [Steve Henson]
 4388   *) Implement remaining functionality needed to support GOST ciphersuites.
 4389      Interop testing has been performed using CryptoPro implementations.
 4390      [Victor B. Wagner <vitus@cryptocom.ru>]
 4392   *) s390x assembler pack.
 4393      [Andy Polyakov]
 4395   *) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
 4396      "family."
 4397      [Andy Polyakov]
 4399   *) Implement Opaque PRF Input TLS extension as specified in
 4400      draft-rescorla-tls-opaque-prf-input-00.txt.  Since this is not an
 4401      official specification yet and no extension type assignment by
 4402      IANA exists, this extension (for now) will have to be explicitly
 4403      enabled when building OpenSSL by providing the extension number
 4404      to use.  For example, specify an option
 4406          -DTLSEXT_TYPE_opaque_prf_input=0x9527
 4408      to the "config" or "Configure" script to enable the extension,
 4409      assuming extension number 0x9527 (which is a completely arbitrary
 4410      and unofficial assignment based on the MD5 hash of the Internet
 4411      Draft).  Note that by doing so, you potentially lose
 4412      interoperability with other TLS implementations since these might
 4413      be using the same extension number for other purposes.
 4415      SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
 4416      opaque PRF input value to use in the handshake.  This will create
 4417      an internal copy of the length-'len' string at 'src', and will
 4418      return non-zero for success.
 4420      To get more control and flexibility, provide a callback function
 4421      by using
 4423           SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
 4424           SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
 4426      where
 4428           int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
 4429           void *arg;
 4431      Callback function 'cb' will be called in handshakes, and is
 4432      expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
 4433      Argument 'arg' is for application purposes (the value as given to
 4434      SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
 4435      be provided to the callback function).  The callback function
 4436      has to return non-zero to report success: usually 1 to use opaque
 4437      PRF input just if possible, or 2 to enforce use of the opaque PRF
 4438      input.  In the latter case, the library will abort the handshake
 4439      if opaque PRF input is not successfully negotiated.
 4441      Arguments 'peerinput' and 'len' given to the callback function
 4442      will always be NULL and 0 in the case of a client.  A server will
 4443      see the client's opaque PRF input through these variables if
 4444      available (NULL and 0 otherwise).  Note that if the server
 4445      provides an opaque PRF input, the length must be the same as the
 4446      length of the client's opaque PRF input.
 4448      Note that the callback function will only be called when creating
 4449      a new session (session resumption can resume whatever was
 4450      previously negotiated), and will not be called in SSL 2.0
 4451      handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
 4452      SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
 4453      for applications that need to enforce opaque PRF input.
 4455      [Bodo Moeller]
 4457   *) Update ssl code to support digests other than SHA1+MD5 for handshake
 4458      MAC.
 4460      [Victor B. Wagner <vitus@cryptocom.ru>]
 4462   *) Add RFC4507 support to OpenSSL. This includes the corrections in
 4463      RFC4507bis. The encrypted ticket format is an encrypted encoded
 4464      SSL_SESSION structure, that way new session features are automatically
 4465      supported.
 4467      If a client application caches session in an SSL_SESSION structure
 4468      support is transparent because tickets are now stored in the encoded
 4469      SSL_SESSION.
 4471      The SSL_CTX structure automatically generates keys for ticket
 4472      protection in servers so again support should be possible
 4473      with no application modification.
 4475      If a client or server wishes to disable RFC4507 support then the option
 4476      SSL_OP_NO_TICKET can be set.
 4478      Add a TLS extension debugging callback to allow the contents of any client
 4479      or server extensions to be examined.
 4481      This work was sponsored by Google.
 4482      [Steve Henson]
 4484   *) Final changes to avoid use of pointer pointer casts in OpenSSL.
 4485      OpenSSL should now compile cleanly on gcc 4.2
 4486      [Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]
 4488   *) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
 4489      support including streaming MAC support: this is required for GOST
 4490      ciphersuite support.
 4491      [Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]
 4493   *) Add option -stream to use PKCS#7 streaming in smime utility. New
 4494      function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
 4495      to output in BER and PEM format.
 4496      [Steve Henson]
 4498   *) Experimental support for use of HMAC via EVP_PKEY interface. This
 4499      allows HMAC to be handled via the EVP_DigestSign*() interface. The
 4500      EVP_PKEY "key" in this case is the HMAC key, potentially allowing
 4501      ENGINE support for HMAC keys which are unextractable. New -mac and
 4502      -macopt options to dgst utility.
 4503      [Steve Henson]
 4505   *) New option -sigopt to dgst utility. Update dgst to use
 4506      EVP_Digest{Sign,Verify}*. These two changes make it possible to use
 4507      alternative signing parameters such as X9.31 or PSS in the dgst
 4508      utility.
 4509      [Steve Henson]
 4511   *) Change ssl_cipher_apply_rule(), the internal function that does
 4512      the work each time a ciphersuite string requests enabling
 4513      ("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
 4514      removing ("!foo+bar") a class of ciphersuites: Now it maintains
 4515      the order of disabled ciphersuites such that those ciphersuites
 4516      that most recently went from enabled to disabled not only stay
 4517      in order with respect to each other, but also have higher priority
 4518      than other disabled ciphersuites the next time ciphersuites are
 4519      enabled again.
 4521      This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
 4522      the same ciphersuites as with "HIGH" alone, but in a specific
 4523      order where the PSK ciphersuites come first (since they are the
 4524      most recently disabled ciphersuites when "HIGH" is parsed).
 4526      Also, change ssl_create_cipher_list() (using this new
 4527      functionality) such that between otherwise identical
 4528      ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
 4529      the default order.
 4530      [Bodo Moeller]
 4532   *) Change ssl_create_cipher_list() so that it automatically
 4533      arranges the ciphersuites in reasonable order before starting
 4534      to process the rule string.  Thus, the definition for "DEFAULT"
 4535      (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
 4536      remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
 4537      This makes it much easier to arrive at a reasonable default order
 4538      in applications for which anonymous ciphers are OK (meaning
 4539      that you can't actually use DEFAULT).
 4540      [Bodo Moeller; suggested by Victor Duchovni]
 4542   *) Split the SSL/TLS algorithm mask (as used for ciphersuite string
 4543      processing) into multiple integers instead of setting
 4544      "SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
 4545      "SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
 4546      (These masks as well as the individual bit definitions are hidden
 4547      away into the non-exported interface ssl/ssl_locl.h, so this
 4548      change to the definition of the SSL_CIPHER structure shouldn't
 4549      affect applications.)  This give us more bits for each of these
 4550      categories, so there is no longer a need to coagulate AES128 and
 4551      AES256 into a single algorithm bit, and to coagulate Camellia128
 4552      and Camellia256 into a single algorithm bit, which has led to all
 4553      kinds of kludges.
 4555      Thus, among other things, the kludge introduced in 0.9.7m and
 4556      0.9.8e for masking out AES256 independently of AES128 or masking
 4557      out Camellia256 independently of AES256 is not needed here in 0.9.9.
 4559      With the change, we also introduce new ciphersuite aliases that
 4560      so far were missing: "AES128", "AES256", "CAMELLIA128", and
 4561      "CAMELLIA256".
 4562      [Bodo Moeller]
 4564   *) Add support for dsa-with-SHA224 and dsa-with-SHA256.
 4565      Use the leftmost N bytes of the signature input if the input is
 4566      larger than the prime q (with N being the size in bytes of q).
 4567      [Nils Larsch]
 4569   *) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
 4570      it yet and it is largely untested.
 4571      [Steve Henson]
 4573   *) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
 4574      [Nils Larsch]
 4576   *) Initial incomplete changes to avoid need for function casts in OpenSSL
 4577      some compilers (gcc 4.2 and later) reject their use. Safestack is
 4578      reimplemented.  Update ASN1 to avoid use of legacy functions.
 4579      [Steve Henson]
 4581   *) Win32/64 targets are linked with Winsock2.
 4582      [Andy Polyakov]
 4584   *) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
 4585      to external functions. This can be used to increase CRL handling
 4586      efficiency especially when CRLs are very large by (for example) storing
 4587      the CRL revoked certificates in a database.
 4588      [Steve Henson]
 4590   *) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
 4591      new CRLs added to a directory can be used. New command line option
 4592      -verify_return_error to s_client and s_server. This causes real errors
 4593      to be returned by the verify callback instead of carrying on no matter
 4594      what. This reflects the way a "real world" verify callback would behave.
 4595      [Steve Henson]
 4597   *) GOST engine, supporting several GOST algorithms and public key formats.
 4598      Kindly donated by Cryptocom.
 4599      [Cryptocom]
 4601   *) Partial support for Issuing Distribution Point CRL extension. CRLs
 4602      partitioned by DP are handled but no indirect CRL or reason partitioning
 4603      (yet). Complete overhaul of CRL handling: now the most suitable CRL is
 4604      selected via a scoring technique which handles IDP and AKID in CRLs.
 4605      [Steve Henson]
 4607   *) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
 4608      will ultimately be used for all verify operations: this will remove the
 4609      X509_STORE dependency on certificate verification and allow alternative
 4610      lookup methods.  X509_STORE based implementations of these two callbacks.
 4611      [Steve Henson]
 4613   *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
 4614      Modify get_crl() to find a valid (unexpired) CRL if possible.
 4615      [Steve Henson]
 4617   *) New function X509_CRL_match() to check if two CRLs are identical. Normally
 4618      this would be called X509_CRL_cmp() but that name is already used by
 4619      a function that just compares CRL issuer names. Cache several CRL
 4620      extensions in X509_CRL structure and cache CRLDP in X509.
 4621      [Steve Henson]
 4623   *) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
 4624      this maps equivalent X509_NAME structures into a consistent structure.
 4625      Name comparison can then be performed rapidly using memcmp().
 4626      [Steve Henson]
 4628   *) Non-blocking OCSP request processing. Add -timeout option to ocsp
 4629      utility.
 4630      [Steve Henson]
 4632   *) Allow digests to supply their own micalg string for S/MIME type using
 4633      the ctrl EVP_MD_CTRL_MICALG.
 4634      [Steve Henson]
 4636   *) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
 4637      EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
 4638      ctrl. It can then customise the structure before and/or after signing
 4639      if necessary.
 4640      [Steve Henson]
 4642   *) New function OBJ_add_sigid() to allow application defined signature OIDs
 4643      to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
 4644      to free up any added signature OIDs.
 4645      [Steve Henson]
 4647   *) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
 4648      EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
 4649      digest and cipher tables. New options added to openssl utility:
 4650      list-message-digest-algorithms and list-cipher-algorithms.
 4651      [Steve Henson]
 4653   *) Change the array representation of binary polynomials: the list
 4654      of degrees of non-zero coefficients is now terminated with -1.
 4655      Previously it was terminated with 0, which was also part of the
 4656      value; thus, the array representation was not applicable to
 4657      polynomials where t^0 has coefficient zero.  This change makes
 4658      the array representation useful in a more general context.
 4659      [Douglas Stebila]
 4661   *) Various modifications and fixes to SSL/TLS cipher string
 4662      handling.  For ECC, the code now distinguishes between fixed ECDH
 4663      with RSA certificates on the one hand and with ECDSA certificates
 4664      on the other hand, since these are separate ciphersuites.  The
 4665      unused code for Fortezza ciphersuites has been removed.
 4667      For consistency with EDH, ephemeral ECDH is now called "EECDH"
 4668      (not "ECDHE").  For consistency with the code for DH
 4669      certificates, use of ECDH certificates is now considered ECDH
 4670      authentication, not RSA or ECDSA authentication (the latter is
 4671      merely the CA's signing algorithm and not actively used in the
 4672      protocol).
 4674      The temporary ciphersuite alias "ECCdraft" is no longer
 4675      available, and ECC ciphersuites are no longer excluded from "ALL"
 4676      and "DEFAULT".  The following aliases now exist for RFC 4492
 4677      ciphersuites, most of these by analogy with the DH case:
 4679          kECDHr   - ECDH cert, signed with RSA
 4680          kECDHe   - ECDH cert, signed with ECDSA
 4681          kECDH    - ECDH cert (signed with either RSA or ECDSA)
 4682          kEECDH   - ephemeral ECDH
 4683          ECDH     - ECDH cert or ephemeral ECDH
 4685          aECDH    - ECDH cert
 4686          aECDSA   - ECDSA cert
 4687          ECDSA    - ECDSA cert
 4689          AECDH    - anonymous ECDH
 4690          EECDH    - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
 4692      [Bodo Moeller]
 4694   *) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
 4695      Use correct micalg parameters depending on digest(s) in signed message.
 4696      [Steve Henson]
 4698   *) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
 4699      an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
 4700      [Steve Henson]
 4702   *) Initial engine support for EVP_PKEY_METHOD. New functions to permit
 4703      an engine to register a method. Add ENGINE lookups for methods and
 4704      functional reference processing.
 4705      [Steve Henson]
 4707   *) New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of
 4708      EVP_{Sign,Verify}* which allow an application to customise the signature
 4709      process.
 4710      [Steve Henson]
 4712   *) New -resign option to smime utility. This adds one or more signers
 4713      to an existing PKCS#7 signedData structure. Also -md option to use an
 4714      alternative message digest algorithm for signing.
 4715      [Steve Henson]
 4717   *) Tidy up PKCS#7 routines and add new functions to make it easier to
 4718      create PKCS7 structures containing multiple signers. Update smime
 4719      application to support multiple signers.
 4720      [Steve Henson]
 4722   *) New -macalg option to pkcs12 utility to allow setting of an alternative
 4723      digest MAC.
 4724      [Steve Henson]
 4726   *) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
 4727      Reorganize PBE internals to lookup from a static table using NIDs,
 4728      add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
 4729      EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
 4730      PRF which will be automatically used with PBES2.
 4731      [Steve Henson]
 4733   *) Replace the algorithm specific calls to generate keys in "req" with the
 4734      new API.
 4735      [Steve Henson]
 4737   *) Update PKCS#7 enveloped data routines to use new API. This is now
 4738      supported by any public key method supporting the encrypt operation. A
 4739      ctrl is added to allow the public key algorithm to examine or modify
 4740      the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
 4741      a no op.
 4742      [Steve Henson]
 4744   *) Add a ctrl to asn1 method to allow a public key algorithm to express
 4745      a default digest type to use. In most cases this will be SHA1 but some
 4746      algorithms (such as GOST) need to specify an alternative digest. The
 4747      return value indicates how strong the preference is 1 means optional and
 4748      2 is mandatory (that is it is the only supported type). Modify
 4749      ASN1_item_sign() to accept a NULL digest argument to indicate it should
 4750      use the default md. Update openssl utilities to use the default digest
 4751      type for signing if it is not explicitly indicated.
 4752      [Steve Henson]
 4754   *) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
 4755      EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
 4756      signing method from the key type. This effectively removes the link
 4757      between digests and public key types.
 4758      [Steve Henson]
 4760   *) Add an OID cross reference table and utility functions. Its purpose is to
 4761      translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
 4762      rsaEncryption. This will allow some of the algorithm specific hackery
 4763      needed to use the correct OID to be removed.
 4764      [Steve Henson]
 4766   *) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
 4767      structures for PKCS7_sign(). They are now set up by the relevant public
 4768      key ASN1 method.
 4769      [Steve Henson]
 4771   *) Add provisional EC pkey method with support for ECDSA and ECDH.
 4772      [Steve Henson]
 4774   *) Add support for key derivation (agreement) in the API, DH method and
 4775      pkeyutl.
 4776      [Steve Henson]
 4778   *) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
 4779      public and private key formats. As a side effect these add additional
 4780      command line functionality not previously available: DSA signatures can be
 4781      generated and verified using pkeyutl and DH key support and generation in
 4782      pkey, genpkey.
 4783      [Steve Henson]
 4785   *) BeOS support.
 4786      [Oliver Tappe <zooey@hirschkaefer.de>]
 4788   *) New make target "install_html_docs" installs HTML renditions of the
 4789      manual pages.
 4790      [Oliver Tappe <zooey@hirschkaefer.de>]
 4792   *) New utility "genpkey" this is analogous to "genrsa" etc except it can
 4793      generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
 4794      support key and parameter generation and add initial key generation
 4795      functionality for RSA.
 4796      [Steve Henson]
 4798   *) Add functions for main EVP_PKEY_method operations. The undocumented
 4799      functions EVP_PKEY_{encrypt,decrypt} have been renamed to
 4800      EVP_PKEY_{encrypt,decrypt}_old.
 4801      [Steve Henson]
 4803   *) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
 4804      key API, doesn't do much yet.
 4805      [Steve Henson]
 4807   *) New function EVP_PKEY_asn1_get0_info() to retrieve information about
 4808      public key algorithms. New option to openssl utility:
 4809      "list-public-key-algorithms" to print out info.
 4810      [Steve Henson]
 4812   *) Implement the Supported Elliptic Curves Extension for
 4813      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
 4814      [Douglas Stebila]
 4816   *) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
 4817      EVP_CIPHER structures to avoid later problems in EVP_cleanup().
 4818      [Steve Henson]
 4820   *) New utilities pkey and pkeyparam. These are similar to algorithm specific
 4821      utilities such as rsa, dsa, dsaparam etc except they process any key
 4822      type.
 4823      [Steve Henson]
 4825   *) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
 4826      functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
 4827      EVP_PKEY_print_param() to print public key data from an EVP_PKEY
 4828      structure.
 4829      [Steve Henson]
 4831   *) Initial support for pluggable public key ASN1.
 4832      De-spaghettify the public key ASN1 handling. Move public and private
 4833      key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
 4834      algorithm specific handling to a single module within the relevant
 4835      algorithm directory. Add functions to allow (near) opaque processing
 4836      of public and private key structures.
 4837      [Steve Henson]
 4839   *) Implement the Supported Point Formats Extension for
 4840      ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
 4841      [Douglas Stebila]
 4843   *) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
 4844      for the psk identity [hint] and the psk callback functions to the
 4845      SSL_SESSION, SSL and SSL_CTX structure.
 4847      New ciphersuites:
 4849          PSK-AES256-CBC-SHA
 4851      New functions:
 4852          SSL_CTX_use_psk_identity_hint
 4853          SSL_get_psk_identity_hint
 4854          SSL_get_psk_identity
 4855          SSL_use_psk_identity_hint
 4857      [Mika Kousa and Pasi Eronen of Nokia Corporation]
 4859   *) Add RFC 3161 compliant time stamp request creation, response generation
 4860      and response verification functionality.
 4861      [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
 4863   *) Add initial support for TLS extensions, specifically for the server_name
 4864      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
 4865      have new members for a host name.  The SSL data structure has an
 4866      additional member SSL_CTX *initial_ctx so that new sessions can be
 4867      stored in that context to allow for session resumption, even after the
 4868      SSL has been switched to a new SSL_CTX in reaction to a client's
 4869      server_name extension.
 4871      New functions (subject to change):
 4873          SSL_get_servername()
 4874          SSL_get_servername_type()
 4875          SSL_set_SSL_CTX()
 4877      New CTRL codes and macros (subject to change):
 4880                                  - SSL_CTX_set_tlsext_servername_callback()
 4882                                       - SSL_CTX_set_tlsext_servername_arg()
 4883          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
 4885      openssl s_client has a new '-servername ...' option.
 4887      openssl s_server has new options '-servername_host ...', '-cert2 ...',
 4888      '-key2 ...', '-servername_fatal' (subject to change).  This allows
 4889      testing the HostName extension for a specific single host name ('-cert'
 4890      and '-key' remain fallbacks for handshakes without HostName
 4891      negotiation).  If the unrecognized_name alert has to be sent, this by
 4892      default is a warning; it becomes fatal with the '-servername_fatal'
 4893      option.
 4895      [Peter Sylvester,  Remy Allais, Christophe Renou]
 4897   *) Whirlpool hash implementation is added.
 4898      [Andy Polyakov]
 4900   *) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
 4901      bn(64,32). Because of instruction set limitations it doesn't have
 4902      any negative impact on performance. This was done mostly in order
 4903      to make it possible to share assembler modules, such as bn_mul_mont
 4904      implementations, between 32- and 64-bit builds without hassle.
 4905      [Andy Polyakov]
 4907   *) Move code previously exiled into file crypto/ec/ec2_smpt.c
 4908      to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
 4909      macro.
 4910      [Bodo Moeller]
 4912   *) New candidate for BIGNUM assembler implementation, bn_mul_mont,
 4913      dedicated Montgomery multiplication procedure, is introduced.
 4914      BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
 4915      "64-bit" performance on certain 32-bit targets.
 4916      [Andy Polyakov]
 4918   *) New option SSL_OP_NO_COMP to disable use of compression selectively
 4919      in SSL structures. New SSL ctrl to set maximum send fragment size.
 4920      Save memory by setting the I/O buffer sizes dynamically instead of
 4921      using the maximum available value.
 4922      [Steve Henson]
 4924   *) New option -V for 'openssl ciphers'. This prints the ciphersuite code
 4925      in addition to the text details.
 4926      [Bodo Moeller]
 4928   *) Very, very preliminary EXPERIMENTAL support for printing of general
 4929      ASN1 structures. This currently produces rather ugly output and doesn't
 4930      handle several customised structures at all.
 4931      [Steve Henson]
 4933   *) Integrated support for PVK file format and some related formats such
 4934      as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
 4935      these in the 'rsa' and 'dsa' utilities.
 4936      [Steve Henson]
 4938   *) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
 4939      [Steve Henson]
 4941   *) Remove the ancient ASN1_METHOD code. This was only ever used in one
 4942      place for the (very old) "NETSCAPE" format certificates which are now
 4943      handled using new ASN1 code equivalents.
 4944      [Steve Henson]
 4946   *) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
 4947      pointer and make the SSL_METHOD parameter in SSL_CTX_new,
 4948      SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
 4949      [Nils Larsch]
 4951   *) Modify CRL distribution points extension code to print out previously
 4952      unsupported fields. Enhance extension setting code to allow setting of
 4953      all fields.
 4954      [Steve Henson]
 4956   *) Add print and set support for Issuing Distribution Point CRL extension.
 4957      [Steve Henson]
 4959   *) Change 'Configure' script to enable Camellia by default.
 4960      [NTT]
 4962  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 4964   *) When rejecting SSL/TLS records due to an incorrect version number, never
 4965      update s->server with a new major version number.  As of
 4966      - OpenSSL 0.9.8m if 'short' is a 16-bit type,
 4967      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
 4968      the previous behavior could result in a read attempt at NULL when
 4969      receiving specific incorrect SSL/TLS records once record payload
 4970      protection is active.  (CVE-2010-0740)
 4971      [Bodo Moeller, Adam Langley <agl@chromium.org>]
 4973   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
 4974      could be crashed if the relevant tables were not present (e.g. chrooted).
 4975      [Tomas Hoger <thoger@redhat.com>]
 4977  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
 4979   *) Always check bn_wexpand() return values for failure.  (CVE-2009-3245)
 4980      [Martin Olsson, Neel Mehta]
 4982   *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
 4983      accommodate for stack sorting, always a write lock!).
 4984      [Bodo Moeller]
 4986   *) On some versions of WIN32 Heap32Next is very slow. This can cause
 4987      excessive delays in the RAND_poll(): over a minute. As a workaround
 4988      include a time check in the inner Heap32Next loop too.
 4989      [Steve Henson]
 4991   *) The code that handled flushing of data in SSL/TLS originally used the
 4992      BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
 4993      the problem outlined in PR#1949. The fix suggested there however can
 4994      trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
 4995      of Apache). So instead simplify the code to flush unconditionally.
 4996      This should be fine since flushing with no data to flush is a no op.
 4997      [Steve Henson]
 4999   *) Handle TLS versions 2.0 and later properly and correctly use the
 5000      highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
 5001      off ancient servers have a habit of sticking around for a while...
 5002      [Steve Henson]
 5004   *) Modify compression code so it frees up structures without using the
 5005      ex_data callbacks. This works around a problem where some applications
 5006      call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
 5007      restarting) then use compression (e.g. SSL with compression) later.
 5008      This results in significant per-connection memory leaks and
 5009      has caused some security issues including CVE-2008-1678 and
 5010      CVE-2009-4355.
 5011      [Steve Henson]
 5013   *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
 5014      change when encrypting or decrypting.
 5015      [Bodo Moeller]
 5017   *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
 5018      connect and renegotiate with servers which do not support RI.
 5019      Until RI is more widely deployed this option is enabled by default.
 5020      [Steve Henson]
 5022   *) Add "missing" ssl ctrls to clear options and mode.
 5023      [Steve Henson]
 5025   *) If client attempts to renegotiate and doesn't support RI respond with
 5026      a no_renegotiation alert as required by RFC5746.  Some renegotiating
 5027      TLS clients will continue a connection gracefully when they receive
 5028      the alert. Unfortunately OpenSSL mishandled this alert and would hang
 5029      waiting for a server hello which it will never receive. Now we treat a
 5030      received no_renegotiation alert as a fatal error. This is because
 5031      applications requesting a renegotiation might well expect it to succeed
 5032      and would have no code in place to handle the server denying it so the
 5033      only safe thing to do is to terminate the connection.
 5034      [Steve Henson]
 5036   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
 5037      peer supports secure renegotiation and 0 otherwise. Print out peer
 5038      renegotiation support in s_client/s_server.
 5039      [Steve Henson]
 5041   *) Replace the highly broken and deprecated SPKAC certification method with
 5042      the updated NID creation version. This should correctly handle UTF8.
 5043      [Steve Henson]
 5045   *) Implement RFC5746. Re-enable renegotiation but require the extension
 5046      as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 5047      turns out to be a bad idea. It has been replaced by
 5048      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
 5049      SSL_CTX_set_options(). This is really not recommended unless you
 5050      know what you are doing.
 5051      [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
 5053   *) Fixes to stateless session resumption handling. Use initial_ctx when
 5054      issuing and attempting to decrypt tickets in case it has changed during
 5055      servername handling. Use a non-zero length session ID when attempting
 5056      stateless session resumption: this makes it possible to determine if
 5057      a resumption has occurred immediately after receiving server hello
 5058      (several places in OpenSSL subtly assume this) instead of later in
 5059      the handshake.
 5060      [Steve Henson]
 5062   *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
 5063      CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
 5064      fixes for a few places where the return code is not checked
 5065      correctly.
 5066      [Julia Lawall <julia@diku.dk>]
 5068   *) Add --strict-warnings option to Configure script to include devteam
 5069      warnings in other configurations.
 5070      [Steve Henson]
 5072   *) Add support for --libdir option and LIBDIR variable in makefiles. This
 5073      makes it possible to install openssl libraries in locations which
 5074      have names other than "lib", for example "/usr/lib64" which some
 5075      systems need.
 5076      [Steve Henson, based on patch from Jeremy Utley]
 5078   *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
 5079      X690 8.9.12 and can produce some misleading textual output of OIDs.
 5080      [Steve Henson, reported by Dan Kaminsky]
 5082   *) Delete MD2 from algorithm tables. This follows the recommendation in
 5083      several standards that it is not used in new applications due to
 5084      several cryptographic weaknesses. For binary compatibility reasons
 5085      the MD2 API is still compiled in by default.
 5086      [Steve Henson]
 5088   *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
 5089      and restored.
 5090      [Steve Henson]
 5092   *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
 5093      OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
 5094      clash.
 5095      [Guenter <lists@gknw.net>]
 5097   *) Fix the server certificate chain building code to use X509_verify_cert(),
 5098      it used to have an ad-hoc builder which was unable to cope with anything
 5099      other than a simple chain.
 5100      [David Woodhouse <dwmw2@infradead.org>, Steve Henson]
 5102   *) Don't check self signed certificate signatures in X509_verify_cert()
 5103      by default (a flag can override this): it just wastes time without
 5104      adding any security. As a useful side effect self signed root CAs
 5105      with non-FIPS digests are now usable in FIPS mode.
 5106      [Steve Henson]
 5108   *) In dtls1_process_out_of_seq_message() the check if the current message
 5109      is already buffered was missing. For every new message was memory
 5110      allocated, allowing an attacker to perform an denial of service attack
 5111      with sending out of seq handshake messages until there is no memory
 5112      left. Additionally every future message was buffered, even if the
 5113      sequence number made no sense and would be part of another handshake.
 5114      So only messages with sequence numbers less than 10 in advance will be
 5115      buffered.  (CVE-2009-1378)
 5116      [Robin Seggelmann, discovered by Daniel Mentz]
 5118   *) Records are buffered if they arrive with a future epoch to be
 5119      processed after finishing the corresponding handshake. There is
 5120      currently no limitation to this buffer allowing an attacker to perform
 5121      a DOS attack with sending records with future epochs until there is no
 5122      memory left. This patch adds the pqueue_size() function to determine
 5123      the size of a buffer and limits the record buffer to 100 entries.
 5124      (CVE-2009-1377)
 5125      [Robin Seggelmann, discovered by Daniel Mentz]
 5127   *) Keep a copy of frag->msg_header.frag_len so it can be used after the
 5128      parent structure is freed.  (CVE-2009-1379)
 5129      [Daniel Mentz]
 5131   *) Handle non-blocking I/O properly in SSL_shutdown() call.
 5132      [Darryl Miles <darryl-mailinglists@netbauds.net>]
 5134   *) Add 2.5.4.* OIDs
 5135      [Ilya O. <vrghost@gmail.com>]
 5137  Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
 5139   *) Disable renegotiation completely - this fixes a severe security
 5140      problem (CVE-2009-3555) at the cost of breaking all
 5141      renegotiation. Renegotiation can be re-enabled by setting
 5143      run-time. This is really not recommended unless you know what
 5144      you're doing.
 5145      [Ben Laurie]
 5147  Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
 5149   *) Don't set val to NULL when freeing up structures, it is freed up by
 5150      underlying code. If sizeof(void *) > sizeof(long) this can result in
 5151      zeroing past the valid field. (CVE-2009-0789)
 5152      [Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
 5154   *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
 5155      checked correctly. This would allow some invalid signed attributes to
 5156      appear to verify correctly. (CVE-2009-0591)
 5157      [Ivan Nestlerode <inestlerode@us.ibm.com>]
 5159   *) Reject UniversalString and BMPString types with invalid lengths. This
 5160      prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
 5161      a legal length. (CVE-2009-0590)
 5162      [Steve Henson]
 5164   *) Set S/MIME signing as the default purpose rather than setting it
 5165      unconditionally. This allows applications to override it at the store
 5166      level.
 5167      [Steve Henson]
 5169   *) Permit restricted recursion of ASN1 strings. This is needed in practice
 5170      to handle some structures.
 5171      [Steve Henson]
 5173   *) Improve efficiency of mem_gets: don't search whole buffer each time
 5174      for a '\n'
 5175      [Jeremy Shapiro <jnshapir@us.ibm.com>]
 5177   *) New -hex option for openssl rand.
 5178      [Matthieu Herrb]
 5180   *) Print out UTF8String and NumericString when parsing ASN1.
 5181      [Steve Henson]
 5183   *) Support NumericString type for name components.
 5184      [Steve Henson]
 5186   *) Allow CC in the environment to override the automatically chosen
 5187      compiler. Note that nothing is done to ensure flags work with the
 5188      chosen compiler.
 5189      [Ben Laurie]
 5191  Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
 5193   *) Properly check EVP_VerifyFinal() and similar return values
 5194      (CVE-2008-5077).
 5195      [Ben Laurie, Bodo Moeller, Google Security Team]
 5197   *) Enable TLS extensions by default.
 5198      [Ben Laurie]
 5200   *) Allow the CHIL engine to be loaded, whether the application is
 5201      multithreaded or not. (This does not release the developer from the
 5202      obligation to set up the dynamic locking callbacks.)
 5203      [Sander Temme <sander@temme.net>]
 5205   *) Use correct exit code if there is an error in dgst command.
 5206      [Steve Henson; problem pointed out by Roland Dirlewanger]
 5208   *) Tweak Configure so that you need to say "experimental-jpake" to enable
 5209      JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
 5210      [Bodo Moeller]
 5212   *) Add experimental JPAKE support, including demo authentication in
 5213      s_client and s_server.
 5214      [Ben Laurie]
 5216   *) Set the comparison function in v3_addr_canonize().
 5217      [Rob Austein <sra@hactrn.net>]
 5219   *) Add support for XMPP STARTTLS in s_client.
 5220      [Philip Paeps <philip@freebsd.org>]
 5222   *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
 5223      to ensure that even with this option, only ciphersuites in the
 5224      server's preference list will be accepted.  (Note that the option
 5225      applies only when resuming a session, so the earlier behavior was
 5226      just about the algorithm choice for symmetric cryptography.)
 5227      [Bodo Moeller]
 5229  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
 5231   *) Fix NULL pointer dereference if a DTLS server received
 5232      ChangeCipherSpec as first record (CVE-2009-1386).
 5233      [PR #1679]
 5235   *) Fix a state transition in s3_srvr.c and d1_srvr.c
 5236      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
 5237      [Nagendra Modadugu]
 5239   *) The fix in 0.9.8c that supposedly got rid of unsafe
 5240      double-checked locking was incomplete for RSA blinding,
 5241      addressing just one layer of what turns out to have been
 5242      doubly unsafe triple-checked locking.
 5244      So now fix this for real by retiring the MONT_HELPER macro
 5245      in crypto/rsa/rsa_eay.c.
 5247      [Bodo Moeller; problem pointed out by Marius Schilder]
 5249   *) Various precautionary measures:
 5251      - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
 5253      - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
 5254        (NB: This would require knowledge of the secret session ticket key
 5255        to exploit, in which case you'd be SOL either way.)
 5257      - Change bn_nist.c so that it will properly handle input BIGNUMs
 5258        outside the expected range.
 5260      - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
 5261        builds.
 5263      [Neel Mehta, Bodo Moeller]
 5265   *) Allow engines to be "soft loaded" - i.e. optionally don't die if
 5266      the load fails. Useful for distros.
 5267      [Ben Laurie and the FreeBSD team]
 5269   *) Add support for Local Machine Keyset attribute in PKCS#12 files.
 5270      [Steve Henson]
 5272   *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
 5273      [Huang Ying]
 5275   *) Expand ENGINE to support engine supplied SSL client certificate functions.
 5277      This work was sponsored by Logica.
 5278      [Steve Henson]
 5280   *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
 5281      keystores. Support for SSL/TLS client authentication too.
 5282      Not compiled unless enable-capieng specified to Configure.
 5284      This work was sponsored by Logica.
 5285      [Steve Henson]
 5287   *) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
 5288      ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
 5289      attribute creation routines such as certificate requests and PKCS#12
 5290      files.
 5291      [Steve Henson]
 5293  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
 5295   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
 5296      handshake which could lead to a client crash as found using the
 5297      Codenomicon TLS test suite (CVE-2008-1672)
 5298      [Steve Henson, Mark Cox]
 5300   *) Fix double free in TLS server name extensions which could lead to
 5301      a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
 5302      [Joe Orton]
 5304   *) Clear error queue in SSL_CTX_use_certificate_chain_file()
 5306      Clear the error queue to ensure that error entries left from
 5307      older function calls do not interfere with the correct operation.
 5308      [Lutz Jaenicke, Erik de Castro Lopo]
 5310   *) Remove root CA certificates of commercial CAs:
 5312      The OpenSSL project does not recommend any specific CA and does not
 5313      have any policy with respect to including or excluding any CA.
 5314      Therefore it does not make any sense to ship an arbitrary selection
 5315      of root CA certificates with the OpenSSL software.
 5316      [Lutz Jaenicke]
 5318   *) RSA OAEP patches to fix two separate invalid memory reads.
 5319      The first one involves inputs when 'lzero' is greater than
 5320      'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
 5321      before the beginning of from). The second one involves inputs where
 5322      the 'db' section contains nothing but zeroes (there is a one-byte
 5323      invalid read after the end of 'db').
 5324      [Ivan Nestlerode <inestlerode@us.ibm.com>]
 5326   *) Partial backport from 0.9.9-dev:
 5328      Introduce bn_mul_mont (dedicated Montgomery multiplication
 5329      procedure) as a candidate for BIGNUM assembler implementation.
 5330      While 0.9.9-dev uses assembler for various architectures, only
 5331      x86_64 is available by default here in the 0.9.8 branch, and
 5332      32-bit x86 is available through a compile-time setting.
 5334      To try the 32-bit x86 assembler implementation, use Configure
 5335      option "enable-montasm" (which exists only for this backport).
 5337      As "enable-montasm" for 32-bit x86 disclaims code stability
 5338      anyway, in this constellation we activate additional code
 5339      backported from 0.9.9-dev for further performance improvements,
 5340      namely BN_from_montgomery_word.  (To enable this otherwise,
 5341      e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
 5343      [Andy Polyakov (backport partially by Bodo Moeller)]
 5345   *) Add TLS session ticket callback. This allows an application to set
 5346      TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
 5347      values. This is useful for key rollover for example where several key
 5348      sets may exist with different names.
 5349      [Steve Henson]
 5351   *) Reverse ENGINE-internal logic for caching default ENGINE handles.
 5352      This was broken until now in 0.9.8 releases, such that the only way
 5353      a registered ENGINE could be used (assuming it initialises
 5354      successfully on the host) was to explicitly set it as the default
 5355      for the relevant algorithms. This is in contradiction with 0.9.7
 5356      behaviour and the documentation. With this fix, when an ENGINE is
 5357      registered into a given algorithm's table of implementations, the
 5358      'uptodate' flag is reset so that auto-discovery will be used next
 5359      time a new context for that algorithm attempts to select an
 5360      implementation.
 5361      [Ian Lister (tweaked by Geoff Thorpe)]
 5363   *) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
 5364      implementation in the following ways:
 5366      Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
 5367      hard coded.
 5369      Lack of BER streaming support means one pass streaming processing is
 5370      only supported if data is detached: setting the streaming flag is
 5371      ignored for embedded content.
 5373      CMS support is disabled by default and must be explicitly enabled
 5374      with the enable-cms configuration option.
 5375      [Steve Henson]
 5377   *) Update the GMP engine glue to do direct copies between BIGNUM and
 5378      mpz_t when openssl and GMP use the same limb size. Otherwise the
 5379      existing "conversion via a text string export" trick is still used.
 5380      [Paul Sheer <paulsheer@gmail.com>]
 5382   *) Zlib compression BIO. This is a filter BIO which compressed and
 5383      uncompresses any data passed through it.
 5384      [Steve Henson]
 5386   *) Add AES_wrap_key() and AES_unwrap_key() functions to implement
 5387      RFC3394 compatible AES key wrapping.
 5388      [Steve Henson]
 5390   *) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
 5391      sets string data without copying. X509_ALGOR_set0() and
 5392      X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
 5393      data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
 5394      from an X509_ATTRIBUTE structure optionally checking it occurs only
 5395      once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
 5396      data.
 5397      [Steve Henson]
 5399   *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
 5400      to get the expected BN_FLG_CONSTTIME behavior.
 5401      [Bodo Moeller (Google)]
 5403   *) Netware support:
 5405      - fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
 5406      - fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
 5407      - added some more tests to do_tests.pl
 5408      - fixed RunningProcess usage so that it works with newer LIBC NDKs too
 5409      - removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
 5410      - added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
 5411        netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
 5412      - various changes to netware.pl to enable gcc-cross builds on Win32
 5413        platform
 5414      - changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
 5415      - various changes to fix missing prototype warnings
 5416      - fixed x86nasm.pl to create correct asm files for NASM COFF output
 5417      - added AES, WHIRLPOOL and CPUID assembler code to build files
 5418      - added missing AES assembler make rules to mk1mf.pl
 5419      - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
 5420      [Guenter Knauf <eflash@gmx.net>]
 5422   *) Implement certificate status request TLS extension defined in RFC3546.
 5423      A client can set the appropriate parameters and receive the encoded
 5424      OCSP response via a callback. A server can query the supplied parameters
 5425      and set the encoded OCSP response in the callback. Add simplified examples
 5426      to s_client and s_server.
 5427      [Steve Henson]
 5429  Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
 5431   *) Fix various bugs:
 5432      + Binary incompatibility of ssl_ctx_st structure
 5433      + DTLS interoperation with non-compliant servers
 5434      + Don't call get_session_cb() without proposed session
 5435      + Fix ia64 assembler code
 5436      [Andy Polyakov, Steve Henson]
 5438  Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
 5440   *) DTLS Handshake overhaul. There were longstanding issues with
 5441      OpenSSL DTLS implementation, which were making it impossible for
 5442      RFC 4347 compliant client to communicate with OpenSSL server.
 5443      Unfortunately just fixing these incompatibilities would "cut off"
 5444      pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
 5445      server keeps tolerating non RFC compliant syntax. The opposite is
 5446      not true, 0.9.8f client can not communicate with earlier server.
 5447      This update even addresses CVE-2007-4995.
 5448      [Andy Polyakov]
 5450   *) Changes to avoid need for function casts in OpenSSL: some compilers
 5451      (gcc 4.2 and later) reject their use.
 5452      [Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
 5453       Steve Henson]
 5455   *) Add RFC4507 support to OpenSSL. This includes the corrections in
 5456      RFC4507bis. The encrypted ticket format is an encrypted encoded
 5457      SSL_SESSION structure, that way new session features are automatically
 5458      supported.
 5460      If a client application caches session in an SSL_SESSION structure
 5461      support is transparent because tickets are now stored in the encoded
 5462      SSL_SESSION.
 5464      The SSL_CTX structure automatically generates keys for ticket
 5465      protection in servers so again support should be possible
 5466      with no application modification.
 5468      If a client or server wishes to disable RFC4507 support then the option
 5469      SSL_OP_NO_TICKET can be set.
 5471      Add a TLS extension debugging callback to allow the contents of any client
 5472      or server extensions to be examined.
 5474      This work was sponsored by Google.
 5475      [Steve Henson]
 5477   *) Add initial support for TLS extensions, specifically for the server_name
 5478      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
 5479      have new members for a host name.  The SSL data structure has an
 5480      additional member SSL_CTX *initial_ctx so that new sessions can be
 5481      stored in that context to allow for session resumption, even after the
 5482      SSL has been switched to a new SSL_CTX in reaction to a client's
 5483      server_name extension.
 5485      New functions (subject to change):
 5487          SSL_get_servername()
 5488          SSL_get_servername_type()
 5489          SSL_set_SSL_CTX()
 5491      New CTRL codes and macros (subject to change):
 5494                                  - SSL_CTX_set_tlsext_servername_callback()
 5496                                       - SSL_CTX_set_tlsext_servername_arg()
 5497          SSL_CTRL_SET_TLSEXT_HOSTNAME           - SSL_set_tlsext_host_name()
 5499      openssl s_client has a new '-servername ...' option.
 5501      openssl s_server has new options '-servername_host ...', '-cert2 ...',
 5502      '-key2 ...', '-servername_fatal' (subject to change).  This allows
 5503      testing the HostName extension for a specific single host name ('-cert'
 5504      and '-key' remain fallbacks for handshakes without HostName
 5505      negotiation).  If the unrecognized_name alert has to be sent, this by
 5506      default is a warning; it becomes fatal with the '-servername_fatal'
 5507      option.
 5509      [Peter Sylvester,  Remy Allais, Christophe Renou, Steve Henson]
 5511   *) Add AES and SSE2 assembly language support to VC++ build.
 5512      [Steve Henson]
 5514   *) Mitigate attack on final subtraction in Montgomery reduction.
 5515      [Andy Polyakov]
 5517   *) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
 5518      (which previously caused an internal error).
 5519      [Bodo Moeller]
 5521   *) Squeeze another 10% out of IGE mode when in != out.
 5522      [Ben Laurie]
 5524   *) AES IGE mode speedup.
 5525      [Dean Gaudet (Google)]
 5527   *) Add the Korean symmetric 128-bit cipher SEED (see
 5528      http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
 5529      add SEED ciphersuites from RFC 4162:
 5531         TLS_RSA_WITH_SEED_CBC_SHA      =  "SEED-SHA"
 5534         TLS_DH_anon_WITH_SEED_CBC_SHA  =  "ADH-SEED-SHA"
 5536      To minimize changes between patchlevels in the OpenSSL 0.9.8
 5537      series, SEED remains excluded from compilation unless OpenSSL
 5538      is configured with 'enable-seed'.
 5539      [KISA, Bodo Moeller]
 5541   *) Mitigate branch prediction attacks, which can be practical if a
 5542      single processor is shared, allowing a spy process to extract
 5543      information.  For detailed background information, see
 5544      http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
 5545      J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
 5546      and Necessary Software Countermeasures").  The core of the change
 5547      are new versions BN_div_no_branch() and
 5548      BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
 5549      respectively, which are slower, but avoid the security-relevant
 5550      conditional branches.  These are automatically called by BN_div()
 5551      and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
 5552      of the input BIGNUMs.  Also, BN_is_bit_set() has been changed to
 5553      remove a conditional branch.
 5555      BN_FLG_CONSTTIME is the new name for the previous
 5556      BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
 5557      modular exponentiation.  (Since OpenSSL 0.9.7h, setting this flag
 5558      in the exponent causes BN_mod_exp_mont() to use the alternative
 5559      implementation in BN_mod_exp_mont_consttime().)  The old name
 5560      remains as a deprecated alias.
 5562      Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
 5563      RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
 5564      constant-time implementations for more than just exponentiation.
 5565      Here too the old name is kept as a deprecated alias.
 5567      BN_BLINDING_new() will now use BN_dup() for the modulus so that
 5568      the BN_BLINDING structure gets an independent copy of the
 5569      modulus.  This means that the previous "BIGNUM *m" argument to
 5570      BN_BLINDING_new() and to BN_BLINDING_create_param() now
 5571      essentially becomes "const BIGNUM *m", although we can't actually
 5572      change this in the header file before 0.9.9.  It allows
 5573      RSA_setup_blinding() to use BN_with_flags() on the modulus to
 5574      enable BN_FLG_CONSTTIME.
 5576      [Matthew D Wood (Intel Corp)]
 5578   *) In the SSL/TLS server implementation, be strict about session ID
 5579      context matching (which matters if an application uses a single
 5580      external cache for different purposes).  Previously,
 5581      out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
 5582      set.  This did ensure strict client verification, but meant that,
 5583      with applications using a single external cache for quite
 5584      different requirements, clients could circumvent ciphersuite
 5585      restrictions for a given session ID context by starting a session
 5586      in a different context.
 5587      [Bodo Moeller]
 5589   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 5590      a ciphersuite string such as "DEFAULT:RSA" cannot enable
 5591      authentication-only ciphersuites.
 5592      [Bodo Moeller]
 5594   *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
 5595      not complete and could lead to a possible single byte overflow
 5596      (CVE-2007-5135) [Ben Laurie]
 5598  Changes between 0.9.8d and 0.9.8e  [23 Feb 2007]
 5600   *) Since AES128 and AES256 (and similarly Camellia128 and
 5601      Camellia256) share a single mask bit in the logic of
 5602      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
 5603      kludge to work properly if AES128 is available and AES256 isn't
 5604      (or if Camellia128 is available and Camellia256 isn't).
 5605      [Victor Duchovni]
 5607   *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
 5608      (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
 5609      When a point or a seed is encoded in a BIT STRING, we need to
 5610      prevent the removal of trailing zero bits to get the proper DER
 5611      encoding.  (By default, crypto/asn1/a_bitstr.c assumes the case
 5612      of a NamedBitList, for which trailing 0 bits need to be removed.)
 5613      [Bodo Moeller]
 5615   *) Have SSL/TLS server implementation tolerate "mismatched" record
 5616      protocol version while receiving ClientHello even if the
 5617      ClientHello is fragmented.  (The server can't insist on the
 5618      particular protocol version it has chosen before the ServerHello
 5619      message has informed the client about his choice.)
 5620      [Bodo Moeller]
 5622   *) Add RFC 3779 support.
 5623      [Rob Austein for ARIN, Ben Laurie]
 5625   *) Load error codes if they are not already present instead of using a
 5626      static variable. This allows them to be cleanly unloaded and reloaded.
 5627      Improve header file function name parsing.
 5628      [Steve Henson]
 5630   *) extend SMTP and IMAP protocol emulation in s_client to use EHLO
 5631      or CAPABILITY handshake as required by RFCs.
 5632      [Goetz Babin-Ebell]
 5634  Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
 5636   *) Introduce limits to prevent malicious keys being able to
 5637      cause a denial of service.  (CVE-2006-2940)
 5638      [Steve Henson, Bodo Moeller]
 5640   *) Fix ASN.1 parsing of certain invalid structures that can result
 5641      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
 5643   *) Fix buffer overflow in SSL_get_shared_ciphers() function.
 5644      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
 5646   *) Fix SSL client code which could crash if connecting to a
 5647      malicious SSLv2 server.  (CVE-2006-4343)
 5648      [Tavis Ormandy and Will Drewry, Google Security Team]
 5650   *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
 5651      match only those.  Before that, "AES256-SHA" would be interpreted
 5652      as a pattern and match "AES128-SHA" too (since AES128-SHA got
 5653      the same strength classification in 0.9.7h) as we currently only
 5654      have a single AES bit in the ciphersuite description bitmap.
 5655      That change, however, also applied to ciphersuite strings such as
 5656      "RC4-MD5" that intentionally matched multiple ciphersuites --
 5657      namely, SSL 2.0 ciphersuites in addition to the more common ones
 5658      from SSL 3.0/TLS 1.0.
 5660      So we change the selection algorithm again: Naming an explicit
 5661      ciphersuite selects this one ciphersuite, and any other similar
 5662      ciphersuite (same bitmap) from *other* protocol versions.
 5663      Thus, "RC4-MD5" again will properly select both the SSL 2.0
 5664      ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
 5666      Since SSL 2.0 does not have any ciphersuites for which the
 5667      128/256 bit distinction would be relevant, this works for now.
 5668      The proper fix will be to use different bits for AES128 and
 5669      AES256, which would have avoided the problems from the beginning;
 5670      however, bits are scarce, so we can only do this in a new release
 5671      (not just a patchlevel) when we can change the SSL_CIPHER
 5672      definition to split the single 'unsigned long mask' bitmap into
 5673      multiple values to extend the available space.
 5675      [Bodo Moeller]
 5677  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
 5679   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
 5680      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 5682   *) Add AES IGE and biIGE modes.
 5683      [Ben Laurie]
 5685   *) Change the Unix randomness entropy gathering to use poll() when
 5686      possible instead of select(), since the latter has some
 5687      undesirable limitations.
 5688      [Darryl Miles via Richard Levitte and Bodo Moeller]
 5690   *) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
 5691      treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
 5692      cannot be implicitly activated as part of, e.g., the "AES" alias.
 5693      However, please upgrade to OpenSSL 0.9.9[-dev] for
 5694      non-experimental use of the ECC ciphersuites to get TLS extension
 5695      support, which is required for curve and point format negotiation
 5696      to avoid potential handshake problems.
 5697      [Bodo Moeller]
 5699   *) Disable rogue ciphersuites:
 5701       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
 5702       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
 5703       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
 5705      The latter two were purportedly from
 5706      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
 5707      appear there.
 5709      Also deactivate the remaining ciphersuites from
 5710      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
 5711      unofficial, and the ID has long expired.
 5712      [Bodo Moeller]
 5714   *) Fix RSA blinding Heisenbug (problems sometimes occurred on
 5715      dual-core machines) and other potential thread-safety issues.
 5716      [Bodo Moeller]
 5718   *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
 5719      versions), which is now available for royalty-free use
 5720      (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
 5721      Also, add Camellia TLS ciphersuites from RFC 4132.
 5723      To minimize changes between patchlevels in the OpenSSL 0.9.8
 5724      series, Camellia remains excluded from compilation unless OpenSSL
 5725      is configured with 'enable-camellia'.
 5726      [NTT]
 5728   *) Disable the padding bug check when compression is in use. The padding
 5729      bug check assumes the first packet is of even length, this is not
 5730      necessarily true if compression is enabled and can result in false
 5731      positives causing handshake failure. The actual bug test is ancient
 5732      code so it is hoped that implementations will either have fixed it by
 5733      now or any which still have the bug do not support compression.
 5734      [Steve Henson]
 5736  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
 5738   *) When applying a cipher rule check to see if string match is an explicit
 5739      cipher suite and only match that one cipher suite if it is.
 5740      [Steve Henson]
 5742   *) Link in manifests for VC++ if needed.
 5743      [Austin Ziegler <halostatue@gmail.com>]
 5745   *) Update support for ECC-based TLS ciphersuites according to
 5746      draft-ietf-tls-ecc-12.txt with proposed changes (but without
 5747      TLS extensions, which are supported starting with the 0.9.9
 5748      branch, not in the OpenSSL 0.9.8 branch).
 5749      [Douglas Stebila]
 5751   *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
 5752      opaque EVP_CIPHER_CTX handling.
 5753      [Steve Henson]
 5755   *) Fixes and enhancements to zlib compression code. We now only use
 5756      "zlib1.dll" and use the default __cdecl calling convention on Win32
 5757      to conform with the standards mentioned here:
 5758            http://www.zlib.net/DLL_FAQ.txt
 5759      Static zlib linking now works on Windows and the new --with-zlib-include
 5760      --with-zlib-lib options to Configure can be used to supply the location
 5761      of the headers and library. Gracefully handle case where zlib library
 5762      can't be loaded.
 5763      [Steve Henson]
 5765   *) Several fixes and enhancements to the OID generation code. The old code
 5766      sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
 5767      handle numbers larger than ULONG_MAX, truncated printing and had a
 5768      non standard OBJ_obj2txt() behaviour.
 5769      [Steve Henson]
 5771   *) Add support for building of engines under engine/ as shared libraries
 5772      under VC++ build system.
 5773      [Steve Henson]
 5775   *) Corrected the numerous bugs in the Win32 path splitter in DSO.
 5776      Hopefully, we will not see any false combination of paths any more.
 5777      [Richard Levitte]
 5779  Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
 5781   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
 5782      (part of SSL_OP_ALL).  This option used to disable the
 5783      countermeasure against man-in-the-middle protocol-version
 5784      rollback in the SSL 2.0 server implementation, which is a bad
 5785      idea.  (CVE-2005-2969)
 5787      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
 5788      for Information Security, National Institute of Advanced Industrial
 5789      Science and Technology [AIST], Japan)]
 5791   *) Add two function to clear and return the verify parameter flags.
 5792      [Steve Henson]
 5794   *) Keep cipherlists sorted in the source instead of sorting them at
 5795      runtime, thus removing the need for a lock.
 5796      [Nils Larsch]
 5798   *) Avoid some small subgroup attacks in Diffie-Hellman.
 5799      [Nick Mathewson and Ben Laurie]
 5801   *) Add functions for well-known primes.
 5802      [Nick Mathewson]
 5804   *) Extended Windows CE support.
 5805      [Satoshi Nakamura and Andy Polyakov]
 5807   *) Initialize SSL_METHOD structures at compile time instead of during
 5808      runtime, thus removing the need for a lock.
 5809      [Steve Henson]
 5811   *) Make PKCS7_decrypt() work even if no certificate is supplied by
 5812      attempting to decrypt each encrypted key in turn. Add support to
 5813      smime utility.
 5814      [Steve Henson]
 5816  Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
 5818   [NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
 5819   OpenSSL 0.9.8.]
 5821   *) Add libcrypto.pc and libssl.pc for those who feel they need them.
 5822      [Richard Levitte]
 5824   *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
 5825      key into the same file any more.
 5826      [Richard Levitte]
 5828   *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
 5829      [Andy Polyakov]
 5831   *) Add -utf8 command line and config file option to 'ca'.
 5832      [Stefan <stf@udoma.org]
 5834   *) Removed the macro des_crypt(), as it seems to conflict with some
 5835      libraries.  Use DES_crypt().
 5836      [Richard Levitte]
 5838   *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
 5839      involves renaming the source and generated shared-libs for
 5840      both. The engines will accept the corrected or legacy ids
 5841      ('ncipher' and '4758_cca' respectively) when binding. NB,
 5842      this only applies when building 'shared'.
 5843      [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
 5845   *) Add attribute functions to EVP_PKEY structure. Modify
 5846      PKCS12_create() to recognize a CSP name attribute and
 5847      use it. Make -CSP option work again in pkcs12 utility.
 5848      [Steve Henson]
 5850   *) Add new functionality to the bn blinding code:
 5851      - automatic re-creation of the BN_BLINDING parameters after
 5852        a fixed number of uses (currently 32)
 5853      - add new function for parameter creation
 5854      - introduce flags to control the update behaviour of the
 5855        BN_BLINDING parameters
 5856      - hide BN_BLINDING structure
 5857      Add a second BN_BLINDING slot to the RSA structure to improve
 5858      performance when a single RSA object is shared among several
 5859      threads.
 5860      [Nils Larsch]
 5862   *) Add support for DTLS.
 5863      [Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
 5865   *) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
 5866      to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
 5867      [Walter Goulet]
 5869   *) Remove buggy and incomplete DH cert support from
 5870      ssl/ssl_rsa.c and ssl/s3_both.c
 5871      [Nils Larsch]
 5873   *) Use SHA-1 instead of MD5 as the default digest algorithm for
 5874      the apps/openssl applications.
 5875      [Nils Larsch]
 5877   *) Compile clean with "-Wall -Wmissing-prototypes
 5878      -Wstrict-prototypes -Wmissing-declarations -Werror". Currently
 5879      DEBUG_SAFESTACK must also be set.
 5880      [Ben Laurie]
 5882   *) Change ./Configure so that certain algorithms can be disabled by default.
 5883      The new counterpiece to "no-xxx" is "enable-xxx".
 5885      The patented RC5 and MDC2 algorithms will now be disabled unless
 5886      "enable-rc5" and "enable-mdc2", respectively, are specified.
 5888      (IDEA remains enabled despite being patented.  This is because IDEA
 5889      is frequently required for interoperability, and there is no license
 5890      fee for non-commercial use.  As before, "no-idea" can be used to
 5891      avoid this algorithm.)
 5893      [Bodo Moeller]
 5895   *) Add processing of proxy certificates (see RFC 3820).  This work was
 5896      sponsored by KTH (The Royal Institute of Technology in Stockholm) and
 5897      EGEE (Enabling Grids for E-science in Europe).
 5898      [Richard Levitte]
 5900   *) RC4 performance overhaul on modern architectures/implementations, such
 5901      as Intel P4, IA-64 and AMD64.
 5902      [Andy Polyakov]
 5904   *) New utility extract-section.pl. This can be used specify an alternative
 5905      section number in a pod file instead of having to treat each file as
 5906      a separate case in Makefile. This can be done by adding two lines to the
 5907      pod file:
 5909      =for comment openssl_section:XXX
 5911      The blank line is mandatory.
 5913      [Steve Henson]
 5915   *) New arguments -certform, -keyform and -pass for s_client and s_server
 5916      to allow alternative format key and certificate files and passphrase
 5917      sources.
 5918      [Steve Henson]
 5920   *) New structure X509_VERIFY_PARAM which combines current verify parameters,
 5921      update associated structures and add various utility functions.
 5923      Add new policy related verify parameters, include policy checking in
 5924      standard verify code. Enhance 'smime' application with extra parameters
 5925      to support policy checking and print out.
 5926      [Steve Henson]
 5928   *) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
 5929      Nehemiah processors. These extensions support AES encryption in hardware
 5930      as well as RNG (though RNG support is currently disabled).
 5931      [Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
 5933   *) Deprecate BN_[get|set]_params() functions (they were ignored internally).
 5934      [Geoff Thorpe]
 5936   *) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
 5937      [Andy Polyakov and a number of other people]
 5939   *) Improved PowerPC platform support. Most notably BIGNUM assembler
 5940      implementation contributed by IBM.
 5941      [Suresh Chari, Peter Waltenberg, Andy Polyakov]
 5943   *) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
 5944      exponent rather than 'unsigned long'. There is a corresponding change to
 5945      the new 'rsa_keygen' element of the RSA_METHOD structure.
 5946      [Jelte Jansen, Geoff Thorpe]
 5948   *) Functionality for creating the initial serial number file is now
 5949      moved from CA.pl to the 'ca' utility with a new option -create_serial.
 5951      (Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
 5952      number file to 1, which is bound to cause problems.  To avoid
 5953      the problems while respecting compatibility between different 0.9.7
 5954      patchlevels, 0.9.7e  employed 'openssl x509 -next_serial' in
 5955      CA.pl for serial number initialization.  With the new release 0.9.8,
 5956      we can fix the problem directly in the 'ca' utility.)
 5957      [Steve Henson]
 5959   *) Reduced header interdependencies by declaring more opaque objects in
 5960      ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
 5961      give fewer recursive includes, which could break lazy source code - so
 5962      this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
 5963      developers should define this symbol when building and using openssl to
 5964      ensure they track the recommended behaviour, interfaces, [etc], but
 5965      backwards-compatible behaviour prevails when this isn't defined.
 5966      [Geoff Thorpe]
 5968   *) New function X509_POLICY_NODE_print() which prints out policy nodes.
 5969      [Steve Henson]
 5971   *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
 5972      This will generate a random key of the appropriate length based on the
 5973      cipher context. The EVP_CIPHER can provide its own random key generation
 5974      routine to support keys of a specific form. This is used in the des and
 5975      3des routines to generate a key of the correct parity. Update S/MIME
 5976      code to use new functions and hence generate correct parity DES keys.
 5977      Add EVP_CHECK_DES_KEY #define to return an error if the key is not
 5978      valid (weak or incorrect parity).
 5979      [Steve Henson]
 5981   *) Add a local set of CRLs that can be used by X509_verify_cert() as well
 5982      as looking them up. This is useful when the verified structure may contain
 5983      CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
 5984      present unless the new PKCS7_NO_CRL flag is asserted.
 5985      [Steve Henson]
 5987   *) Extend ASN1 oid configuration module. It now additionally accepts the
 5988      syntax:
 5990      shortName = some long name,
 5991      [Steve Henson]
 5993   *) Reimplemented the BN_CTX implementation. There is now no more static
 5994      limitation on the number of variables it can handle nor the depth of the
 5995      "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
 5996      information can now expand as required, and rather than having a single
 5997      static array of bignums, BN_CTX now uses a linked-list of such arrays
 5998      allowing it to expand on demand whilst maintaining the usefulness of
 5999      BN_CTX's "bundling".
 6000      [Geoff Thorpe]
 6002   *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
 6003      to allow all RSA operations to function using a single BN_CTX.
 6004      [Geoff Thorpe]
 6006   *) Preliminary support for certificate policy evaluation and checking. This
 6007      is initially intended to pass the tests outlined in "Conformance Testing
 6008      of Relying Party Client Certificate Path Processing Logic" v1.07.
 6009      [Steve Henson]
 6011   *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
 6012      remained unused and not that useful. A variety of other little bignum
 6013      tweaks and fixes have also been made continuing on from the audit (see
 6014      below).
 6015      [Geoff Thorpe]
 6017   *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
 6018      associated ASN1, EVP and SSL functions and old ASN1 macros.
 6019      [Richard Levitte]
 6021   *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
 6022      and this should never fail. So the return value from the use of
 6023      BN_set_word() (which can fail due to needless expansion) is now deprecated;
 6024      if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
 6025      [Geoff Thorpe]
 6027   *) BN_CTX_get() should return zero-valued bignums, providing the same
 6028      initialised value as BN_new().
 6029      [Geoff Thorpe, suggested by Ulf Möller]
 6031   *) Support for inhibitAnyPolicy certificate extension.
 6032      [Steve Henson]
 6034   *) An audit of the BIGNUM code is underway, for which debugging code is
 6035      enabled when BN_DEBUG is defined. This makes stricter enforcements on what
 6036      is considered valid when processing BIGNUMs, and causes execution to
 6037      assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
 6038      further steps are taken to deliberately pollute unused data in BIGNUM
 6039      structures to try and expose faulty code further on. For now, openssl will
 6040      (in its default mode of operation) continue to tolerate the inconsistent
 6041      forms that it has tolerated in the past, but authors and packagers should
 6042      consider trying openssl and their own applications when compiled with
 6043      these debugging symbols defined. It will help highlight potential bugs in
 6044      their own code, and will improve the test coverage for OpenSSL itself. At
 6045      some point, these tighter rules will become openssl's default to improve
 6046      maintainability, though the assert()s and other overheads will remain only
 6047      in debugging configurations. See bn.h for more details.
 6048      [Geoff Thorpe, Nils Larsch, Ulf Möller]
 6050   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
 6051      that can only be obtained through BN_CTX_new() (which implicitly
 6052      initialises it). The presence of this function only made it possible
 6053      to overwrite an existing structure (and cause memory leaks).
 6054      [Geoff Thorpe]
 6056   *) Because of the callback-based approach for implementing LHASH as a
 6057      template type, lh_insert() adds opaque objects to hash-tables and
 6058      lh_doall() or lh_doall_arg() are typically used with a destructor callback
 6059      to clean up those corresponding objects before destroying the hash table
 6060      (and losing the object pointers). So some over-zealous constifications in
 6061      LHASH have been relaxed so that lh_insert() does not take (nor store) the
 6062      objects as "const" and the lh_doall[_arg] callback wrappers are not
 6063      prototyped to have "const" restrictions on the object pointers they are
 6064      given (and so aren't required to cast them away any more).
 6065      [Geoff Thorpe]
 6067   *) The tmdiff.h API was so ugly and minimal that our own timing utility
 6068      (speed) prefers to use its own implementation. The two implementations
 6069      haven't been consolidated as yet (volunteers?) but the tmdiff API has had
 6070      its object type properly exposed (MS_TM) instead of casting to/from "char
 6071      *". This may still change yet if someone realises MS_TM and "ms_time_***"
 6072      aren't necessarily the greatest nomenclatures - but this is what was used
 6073      internally to the implementation so I've used that for now.
 6074      [Geoff Thorpe]
 6076   *) Ensure that deprecated functions do not get compiled when
 6077      OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
 6078      the self-tests were still using deprecated key-generation functions so
 6079      these have been updated also.
 6080      [Geoff Thorpe]
 6082   *) Reorganise PKCS#7 code to separate the digest location functionality
 6083      into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
 6084      New function PKCS7_set_digest() to set the digest type for PKCS#7
 6085      digestedData type. Add additional code to correctly generate the
 6086      digestedData type and add support for this type in PKCS7 initialization
 6087      functions.
 6088      [Steve Henson]
 6090   *) New function PKCS7_set0_type_other() this initializes a PKCS7
 6091      structure of type "other".
 6092      [Steve Henson]
 6094   *) Fix prime generation loop in crypto/bn/bn_prime.pl by making
 6095      sure the loop does correctly stop and breaking ("division by zero")
 6096      modulus operations are not performed. The (pre-generated) prime
 6097      table crypto/bn/bn_prime.h was already correct, but it could not be
 6098      re-generated on some platforms because of the "division by zero"
 6099      situation in the script.
 6100      [Ralf S. Engelschall]
 6102   *) Update support for ECC-based TLS ciphersuites according to
 6103      draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
 6104      SHA-1 now is only used for "small" curves (where the
 6105      representation of a field element takes up to 24 bytes); for
 6106      larger curves, the field element resulting from ECDH is directly
 6107      used as premaster secret.
 6108      [Douglas Stebila (Sun Microsystems Laboratories)]
 6110   *) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
 6111      curve secp160r1 to the tests.
 6112      [Douglas Stebila (Sun Microsystems Laboratories)]
 6114   *) Add the possibility to load symbols globally with DSO.
 6115      [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
 6117   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
 6118      control of the error stack.
 6119      [Richard Levitte]
 6121   *) Add support for STORE in ENGINE.
 6122      [Richard Levitte]
 6124   *) Add the STORE type.  The intention is to provide a common interface
 6125      to certificate and key stores, be they simple file-based stores, or
 6126      HSM-type store, or LDAP stores, or...
 6127      NOTE: The code is currently UNTESTED and isn't really used anywhere.
 6128      [Richard Levitte]
 6130   *) Add a generic structure called OPENSSL_ITEM.  This can be used to
 6131      pass a list of arguments to any function as well as provide a way
 6132      for a function to pass data back to the caller.
 6133      [Richard Levitte]
 6135   *) Add the functions BUF_strndup() and BUF_memdup().  BUF_strndup()
 6136      works like BUF_strdup() but can be used to duplicate a portion of
 6137      a string.  The copy gets NUL-terminated.  BUF_memdup() duplicates
 6138      a memory area.
 6139      [Richard Levitte]
 6141   *) Add the function sk_find_ex() which works like sk_find(), but will
 6142      return an index to an element even if an exact match couldn't be
 6143      found.  The index is guaranteed to point at the element where the
 6144      searched-for key would be inserted to preserve sorting order.
 6145      [Richard Levitte]
 6147   *) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
 6148      takes an extra flags argument for optional functionality.  Currently,
 6149      the following flags are defined:
 6152         This one gets OBJ_bsearch_ex() to return a pointer to the first
 6153         element where the comparing function returns a negative or zero
 6154         number.
 6157         This one gets OBJ_bsearch_ex() to return a pointer to the first
 6158         element where the comparing function returns zero.  This is useful
 6159         if there are more than one element where the comparing function
 6160         returns zero.
 6161      [Richard Levitte]
 6163   *) Make it possible to create self-signed certificates with 'openssl ca'
 6164      in such a way that the self-signed certificate becomes part of the
 6165      CA database and uses the same mechanisms for serial number generation
 6166      as all other certificate signing.  The new flag '-selfsign' enables
 6167      this functionality.  Adapt CA.sh and CA.pl.in.
 6168      [Richard Levitte]
 6170   *) Add functionality to check the public key of a certificate request
 6171      against a given private.  This is useful to check that a certificate
 6172      request can be signed by that key (self-signing).
 6173      [Richard Levitte]
 6175   *) Make it possible to have multiple active certificates with the same
 6176      subject in the CA index file.  This is done only if the keyword
 6177      'unique_subject' is set to 'no' in the main CA section (default
 6178      if 'CA_default') of the configuration file.  The value is saved
 6179      with the database itself in a separate index attribute file,
 6180      named like the index file with '.attr' appended to the name.
 6181      [Richard Levitte]
 6183   *) Generate multi-valued AVAs using '+' notation in config files for
 6184      req and dirName.
 6185      [Steve Henson]
 6187   *) Support for nameConstraints certificate extension.
 6188      [Steve Henson]
 6190   *) Support for policyConstraints certificate extension.
 6191      [Steve Henson]
 6193   *) Support for policyMappings certificate extension.
 6194      [Steve Henson]
 6196   *) Make sure the default DSA_METHOD implementation only uses its
 6197      dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
 6198      and change its own handlers to be NULL so as to remove unnecessary
 6199      indirection. This lets alternative implementations fallback to the
 6200      default implementation more easily.
 6201      [Geoff Thorpe]
 6203   *) Support for directoryName in GeneralName related extensions
 6204      in config files.
 6205      [Steve Henson]
 6207   *) Make it possible to link applications using Makefile.shared.
 6208      Make that possible even when linking against static libraries!
 6209      [Richard Levitte]
 6211   *) Support for single pass processing for S/MIME signing. This now
 6212      means that S/MIME signing can be done from a pipe, in addition
 6213      cleartext signing (multipart/signed type) is effectively streaming
 6214      and the signed data does not need to be all held in memory.
 6216      This is done with a new flag PKCS7_STREAM. When this flag is set
 6217      PKCS7_sign() only initializes the PKCS7 structure and the actual signing
 6218      is done after the data is output (and digests calculated) in
 6219      SMIME_write_PKCS7().
 6220      [Steve Henson]
 6222   *) Add full support for -rpath/-R, both in shared libraries and
 6223      applications, at least on the platforms where it's known how
 6224      to do it.
 6225      [Richard Levitte]
 6227   *) In crypto/ec/ec_mult.c, implement fast point multiplication with
 6228      precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
 6229      will now compute a table of multiples of the generator that
 6230      makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
 6231      faster (notably in the case of a single point multiplication,
 6232      scalar * generator).
 6233      [Nils Larsch, Bodo Moeller]
 6235   *) IPv6 support for certificate extensions. The various extensions
 6236      which use the IP:a.b.c.d can now take IPv6 addresses using the
 6237      formats of RFC1884 2.2 . IPv6 addresses are now also displayed
 6238      correctly.
 6239      [Steve Henson]
 6241   *) Added an ENGINE that implements RSA by performing private key
 6242      exponentiations with the GMP library. The conversions to and from
 6243      GMP's mpz_t format aren't optimised nor are any montgomery forms
 6244      cached, and on x86 it appears OpenSSL's own performance has caught up.
 6245      However there are likely to be other architectures where GMP could
 6246      provide a boost. This ENGINE is not built in by default, but it can be
 6247      specified at Configure time and should be accompanied by the necessary
 6248      linker additions, eg;
 6249          ./config -DOPENSSL_USE_GMP -lgmp
 6250      [Geoff Thorpe]
 6252   *) "openssl engine" will not display ENGINE/DSO load failure errors when
 6253      testing availability of engines with "-t" - the old behaviour is
 6254      produced by increasing the feature's verbosity with "-tt".
 6255      [Geoff Thorpe]
 6257   *) ECDSA routines: under certain error conditions uninitialized BN objects
 6258      could be freed. Solution: make sure initialization is performed early
 6259      enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
 6260      via PR#459)
 6261      [Lutz Jaenicke]
 6263   *) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
 6264      and DH_METHOD (eg. by ENGINE implementations) to override the normal
 6265      software implementations. For DSA and DH, parameter generation can
 6266      also be overridden by providing the appropriate method callbacks.
 6267      [Geoff Thorpe]
 6269   *) Change the "progress" mechanism used in key-generation and
 6270      primality testing to functions that take a new BN_GENCB pointer in
 6271      place of callback/argument pairs. The new API functions have "_ex"
 6272      postfixes and the older functions are reimplemented as wrappers for
 6273      the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
 6274      declarations of the old functions to help (graceful) attempts to
 6275      migrate to the new functions. Also, the new key-generation API
 6276      functions operate on a caller-supplied key-structure and return
 6277      success/failure rather than returning a key or NULL - this is to
 6278      help make "keygen" another member function of RSA_METHOD etc.
 6280      Example for using the new callback interface:
 6282           int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
 6283           void *my_arg = ...;
 6284           BN_GENCB my_cb;
 6286           BN_GENCB_set(&my_cb, my_callback, my_arg);
 6288           return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
 6289           /* For the meaning of a, b in calls to my_callback(), see the
 6290            * documentation of the function that calls the callback.
 6291            * cb will point to my_cb; my_arg can be retrieved as cb->arg.
 6292            * my_callback should return 1 if it wants BN_is_prime_ex()
 6293            * to continue, or 0 to stop.
 6294            */
 6296      [Geoff Thorpe]
 6298   *) Change the ZLIB compression method to be stateful, and make it
 6299      available to TLS with the number defined in
 6300      draft-ietf-tls-compression-04.txt.
 6301      [Richard Levitte]
 6303   *) Add the ASN.1 structures and functions for CertificatePair, which
 6304      is defined as follows (according to X.509_4thEditionDraftV6.pdf):
 6306      CertificatePair ::= SEQUENCE {
 6307         forward         [0]     Certificate OPTIONAL,
 6308         reverse         [1]     Certificate OPTIONAL,
 6309         -- at least one of the pair shall be present -- }
 6311      Also implement the PEM functions to read and write certificate
 6312      pairs, and defined the PEM tag as "CERTIFICATE PAIR".
 6314      This needed to be defined, mostly for the sake of the LDAP
 6315      attribute crossCertificatePair, but may prove useful elsewhere as
 6316      well.
 6317      [Richard Levitte]
 6319   *) Make it possible to inhibit symlinking of shared libraries in
 6320      Makefile.shared, for Cygwin's sake.
 6321      [Richard Levitte]
 6323   *) Extend the BIGNUM API by creating a function
 6324           void BN_set_negative(BIGNUM *a, int neg);
 6325      and a macro that behave like
 6326           int  BN_is_negative(const BIGNUM *a);
 6328      to avoid the need to access 'a->neg' directly in applications.
 6329      [Nils Larsch]
 6331   *) Implement fast modular reduction for pseudo-Mersenne primes
 6332      used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
 6333      EC_GROUP_new_curve_GFp() will now automatically use this
 6334      if applicable.
 6335      [Nils Larsch <nla@trustcenter.de>]
 6337   *) Add new lock type (CRYPTO_LOCK_BN).
 6338      [Bodo Moeller]
 6340   *) Change the ENGINE framework to automatically load engines
 6341      dynamically from specific directories unless they could be
 6342      found to already be built in or loaded.  Move all the
 6343      current engines except for the cryptodev one to a new
 6344      directory engines/.
 6345      The engines in engines/ are built as shared libraries if
 6346      the "shared" options was given to ./Configure or ./config.
 6347      Otherwise, they are inserted in libcrypto.a.
 6348      /usr/local/ssl/engines is the default directory for dynamic
 6349      engines, but that can be overridden at configure time through
 6350      the usual use of --prefix and/or --openssldir, and at run
 6351      time with the environment variable OPENSSL_ENGINES.
 6352      [Geoff Thorpe and Richard Levitte]
 6354   *) Add Makefile.shared, a helper makefile to build shared
 6355      libraries.  Adapt Makefile.org.
 6356      [Richard Levitte]
 6358   *) Add version info to Win32 DLLs.
 6359      [Peter 'Luna' Runestig" <peter@runestig.com>]
 6361   *) Add new 'medium level' PKCS#12 API. Certificates and keys
 6362      can be added using this API to created arbitrary PKCS#12
 6363      files while avoiding the low level API.
 6365      New options to PKCS12_create(), key or cert can be NULL and
 6366      will then be omitted from the output file. The encryption
 6367      algorithm NIDs can be set to -1 for no encryption, the mac
 6368      iteration count can be set to 0 to omit the mac.
 6370      Enhance pkcs12 utility by making the -nokeys and -nocerts
 6371      options work when creating a PKCS#12 file. New option -nomac
 6372      to omit the mac, NONE can be set for an encryption algorithm.
 6373      New code is modified to use the enhanced PKCS12_create()
 6374      instead of the low level API.
 6375      [Steve Henson]
 6377   *) Extend ASN1 encoder to support indefinite length constructed
 6378      encoding. This can output sequences tags and octet strings in
 6379      this form. Modify pk7_asn1.c to support indefinite length
 6380      encoding. This is experimental and needs additional code to
 6381      be useful, such as an ASN1 bio and some enhanced streaming
 6382      PKCS#7 code.
 6384      Extend template encode functionality so that tagging is passed
 6385      down to the template encoder.
 6386      [Steve Henson]
 6388   *) Let 'openssl req' fail if an argument to '-newkey' is not
 6389      recognized instead of using RSA as a default.
 6390      [Bodo Moeller]
 6392   *) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
 6393      As these are not official, they are not included in "ALL";
 6394      the "ECCdraft" ciphersuite group alias can be used to select them.
 6395      [Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
 6397   *) Add ECDH engine support.
 6398      [Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
 6400   *) Add ECDH in new directory crypto/ecdh/.
 6401      [Douglas Stebila (Sun Microsystems Laboratories)]
 6403   *) Let BN_rand_range() abort with an error after 100 iterations
 6404      without success (which indicates a broken PRNG).
 6405      [Bodo Moeller]
 6407   *) Change BN_mod_sqrt() so that it verifies that the input value
 6408      is really the square of the return value.  (Previously,
 6409      BN_mod_sqrt would show GIGO behaviour.)
 6410      [Bodo Moeller]
 6412   *) Add named elliptic curves over binary fields from X9.62, SECG,
 6413      and WAP/WTLS; add OIDs that were still missing.
 6415      [Sheueling Chang Shantz and Douglas Stebila
 6416      (Sun Microsystems Laboratories)]
 6418   *) Extend the EC library for elliptic curves over binary fields
 6419      (new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
 6420      New EC_METHOD:
 6422           EC_GF2m_simple_method
 6424      New API functions:
 6426           EC_GROUP_new_curve_GF2m
 6427           EC_GROUP_set_curve_GF2m
 6428           EC_GROUP_get_curve_GF2m
 6429           EC_POINT_set_affine_coordinates_GF2m
 6430           EC_POINT_get_affine_coordinates_GF2m
 6431           EC_POINT_set_compressed_coordinates_GF2m
 6433      Point compression for binary fields is disabled by default for
 6434      patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
 6435      enable it).
 6437      As binary polynomials are represented as BIGNUMs, various members
 6438      of the EC_GROUP and EC_POINT data structures can be shared
 6439      between the implementations for prime fields and binary fields;
 6440      the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
 6441      are essentially identical to their ..._GFp counterparts.
 6442      (For simplicity, the '..._GFp' prefix has been dropped from
 6443      various internal method names.)
 6445      An internal 'field_div' method (similar to 'field_mul' and
 6446      'field_sqr') has been added; this is used only for binary fields.
 6448      [Sheueling Chang Shantz and Douglas Stebila
 6449      (Sun Microsystems Laboratories)]
 6451   *) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
 6452      through methods ('mul', 'precompute_mult').
 6454      The generic implementations (now internally called 'ec_wNAF_mul'
 6455      and 'ec_wNAF_precomputed_mult') remain the default if these
 6456      methods are undefined.
 6458      [Sheueling Chang Shantz and Douglas Stebila
 6459      (Sun Microsystems Laboratories)]
 6461   *) New function EC_GROUP_get_degree, which is defined through
 6462      EC_METHOD.  For curves over prime fields, this returns the bit
 6463      length of the modulus.
 6465      [Sheueling Chang Shantz and Douglas Stebila
 6466      (Sun Microsystems Laboratories)]
 6468   *) New functions EC_GROUP_dup, EC_POINT_dup.
 6469      (These simply call ..._new  and ..._copy).
 6471      [Sheueling Chang Shantz and Douglas Stebila
 6472      (Sun Microsystems Laboratories)]
 6474   *) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
 6475      Polynomials are represented as BIGNUMs (where the sign bit is not
 6476      used) in the following functions [macros]:
 6478           BN_GF2m_add
 6479           BN_GF2m_sub             [= BN_GF2m_add]
 6480           BN_GF2m_mod             [wrapper for BN_GF2m_mod_arr]
 6481           BN_GF2m_mod_mul         [wrapper for BN_GF2m_mod_mul_arr]
 6482           BN_GF2m_mod_sqr         [wrapper for BN_GF2m_mod_sqr_arr]
 6483           BN_GF2m_mod_inv
 6484           BN_GF2m_mod_exp         [wrapper for BN_GF2m_mod_exp_arr]
 6485           BN_GF2m_mod_sqrt        [wrapper for BN_GF2m_mod_sqrt_arr]
 6486           BN_GF2m_mod_solve_quad  [wrapper for BN_GF2m_mod_solve_quad_arr]
 6487           BN_GF2m_cmp             [= BN_ucmp]
 6489      (Note that only the 'mod' functions are actually for fields GF(2^m).
 6490      BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
 6492      For some functions, an the irreducible polynomial defining a
 6493      field can be given as an 'unsigned int[]' with strictly
 6494      decreasing elements giving the indices of those bits that are set;
 6495      i.e., p[] represents the polynomial
 6496           f(t) = t^p[0] + t^p[1] + ... + t^p[k]
 6497      where
 6498           p[0] > p[1] > ... > p[k] = 0.
 6499      This applies to the following functions:
 6501           BN_GF2m_mod_arr
 6502           BN_GF2m_mod_mul_arr
 6503           BN_GF2m_mod_sqr_arr
 6504           BN_GF2m_mod_inv_arr        [wrapper for BN_GF2m_mod_inv]
 6505           BN_GF2m_mod_div_arr        [wrapper for BN_GF2m_mod_div]
 6506           BN_GF2m_mod_exp_arr
 6507           BN_GF2m_mod_sqrt_arr
 6508           BN_GF2m_mod_solve_quad_arr
 6509           BN_GF2m_poly2arr
 6510           BN_GF2m_arr2poly
 6512      Conversion can be performed by the following functions:
 6514           BN_GF2m_poly2arr
 6515           BN_GF2m_arr2poly
 6517      bntest.c has additional tests for binary polynomial arithmetic.
 6519      Two implementations for BN_GF2m_mod_div() are available.
 6520      The default algorithm simply uses BN_GF2m_mod_inv() and
 6521      BN_GF2m_mod_mul().  The alternative algorithm is compiled in only
 6522      if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
 6523      copyright notice in crypto/bn/bn_gf2m.c before enabling it).
 6525      [Sheueling Chang Shantz and Douglas Stebila
 6526      (Sun Microsystems Laboratories)]
 6528   *) Add new error code 'ERR_R_DISABLED' that can be used when some
 6529      functionality is disabled at compile-time.
 6530      [Douglas Stebila <douglas.stebila@sun.com>]
 6532   *) Change default behaviour of 'openssl asn1parse' so that more
 6533      information is visible when viewing, e.g., a certificate:
 6535      Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
 6536      mode the content of non-printable OCTET STRINGs is output in a
 6537      style similar to INTEGERs, but with '[HEX DUMP]' prepended to
 6538      avoid the appearance of a printable string.
 6539      [Nils Larsch <nla@trustcenter.de>]
 6541   *) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
 6542      functions
 6543           EC_GROUP_set_asn1_flag()
 6544           EC_GROUP_get_asn1_flag()
 6545           EC_GROUP_set_point_conversion_form()
 6546           EC_GROUP_get_point_conversion_form()
 6547      These control ASN1 encoding details:
 6548      - Curves (i.e., groups) are encoded explicitly unless asn1_flag
 6549        has been set to OPENSSL_EC_NAMED_CURVE.
 6550      - Points are encoded in uncompressed form by default; options for
 6551        asn1_for are as for point2oct, namely
 6556      Also add 'seed' and 'seed_len' members to EC_GROUP with access
 6557      functions
 6558           EC_GROUP_set_seed()
 6559           EC_GROUP_get0_seed()
 6560           EC_GROUP_get_seed_len()
 6561      This is used only for ASN1 purposes (so far).
 6562      [Nils Larsch <nla@trustcenter.de>]
 6564   *) Add 'field_type' member to EC_METHOD, which holds the NID
 6565      of the appropriate field type OID.  The new function
 6566      EC_METHOD_get_field_type() returns this value.
 6567      [Nils Larsch <nla@trustcenter.de>]
 6569   *) Add functions
 6570           EC_POINT_point2bn()
 6571           EC_POINT_bn2point()
 6572           EC_POINT_point2hex()
 6573           EC_POINT_hex2point()
 6574      providing useful interfaces to EC_POINT_point2oct() and
 6575      EC_POINT_oct2point().
 6576      [Nils Larsch <nla@trustcenter.de>]
 6578   *) Change internals of the EC library so that the functions
 6579           EC_GROUP_set_generator()
 6580           EC_GROUP_get_generator()
 6581           EC_GROUP_get_order()
 6582           EC_GROUP_get_cofactor()
 6583      are implemented directly in crypto/ec/ec_lib.c and not dispatched
 6584      to methods, which would lead to unnecessary code duplication when
 6585      adding different types of curves.
 6586      [Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
 6588   *) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
 6589      arithmetic, and such that modified wNAFs are generated
 6590      (which avoid length expansion in many cases).
 6591      [Bodo Moeller]
 6593   *) Add a function EC_GROUP_check_discriminant() (defined via
 6594      EC_METHOD) that verifies that the curve discriminant is non-zero.
 6596      Add a function EC_GROUP_check() that makes some sanity tests
 6597      on a EC_GROUP, its generator and order.  This includes
 6598      EC_GROUP_check_discriminant().
 6599      [Nils Larsch <nla@trustcenter.de>]
 6601   *) Add ECDSA in new directory crypto/ecdsa/.
 6603      Add applications 'openssl ecparam' and 'openssl ecdsa'
 6604      (these are based on 'openssl dsaparam' and 'openssl dsa').
 6606      ECDSA support is also included in various other files across the
 6607      library.  Most notably,
 6608      - 'openssl req' now has a '-newkey ecdsa:file' option;
 6609      - EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
 6610      - X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
 6611        d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
 6612        them suitable for ECDSA where domain parameters must be
 6613        extracted before the specific public key;
 6614      - ECDSA engine support has been added.
 6615      [Nils Larsch <nla@trustcenter.de>]
 6617   *) Include some named elliptic curves, and add OIDs from X9.62,
 6618      SECG, and WAP/WTLS.  Each curve can be obtained from the new
 6619      function
 6620           EC_GROUP_new_by_curve_name(),
 6621      and the list of available named curves can be obtained with
 6622           EC_get_builtin_curves().
 6623      Also add a 'curve_name' member to EC_GROUP objects, which can be
 6624      accessed via
 6625          EC_GROUP_set_curve_name()
 6626          EC_GROUP_get_curve_name()
 6627      [Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
 6629   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
 6630      was actually never needed) and in BN_mul().  The removal in BN_mul()
 6631      required a small change in bn_mul_part_recursive() and the addition
 6632      of the functions bn_cmp_part_words(), bn_sub_part_words() and
 6633      bn_add_part_words(), which do the same thing as bn_cmp_words(),
 6634      bn_sub_words() and bn_add_words() except they take arrays with
 6635      differing sizes.
 6636      [Richard Levitte]
 6638  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 6640   *) Cleanse PEM buffers before freeing them since they may contain
 6641      sensitive data.
 6642      [Benjamin Bennett <ben@psc.edu>]
 6644   *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
 6645      a ciphersuite string such as "DEFAULT:RSA" cannot enable
 6646      authentication-only ciphersuites.
 6647      [Bodo Moeller]
 6649   *) Since AES128 and AES256 share a single mask bit in the logic of
 6650      ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
 6651      kludge to work properly if AES128 is available and AES256 isn't.
 6652      [Victor Duchovni]
 6654   *) Expand security boundary to match 1.1.1 module.
 6655      [Steve Henson]
 6657   *) Remove redundant features: hash file source, editing of test vectors
 6658      modify fipsld to use external fips_premain.c signature.
 6659      [Steve Henson]
 6661   *) New perl script mkfipsscr.pl to create shell scripts or batch files to
 6662      run algorithm test programs.
 6663      [Steve Henson]
 6665   *) Make algorithm test programs more tolerant of whitespace.
 6666      [Steve Henson]
 6668   *) Have SSL/TLS server implementation tolerate "mismatched" record
 6669      protocol version while receiving ClientHello even if the
 6670      ClientHello is fragmented.  (The server can't insist on the
 6671      particular protocol version it has chosen before the ServerHello
 6672      message has informed the client about his choice.)
 6673      [Bodo Moeller]
 6675   *) Load error codes if they are not already present instead of using a
 6676      static variable. This allows them to be cleanly unloaded and reloaded.
 6677      [Steve Henson]
 6679  Changes between 0.9.7k and 0.9.7l  [28 Sep 2006]
 6681   *) Introduce limits to prevent malicious keys being able to
 6682      cause a denial of service.  (CVE-2006-2940)
 6683      [Steve Henson, Bodo Moeller]
 6685   *) Fix ASN.1 parsing of certain invalid structures that can result
 6686      in a denial of service.  (CVE-2006-2937)  [Steve Henson]
 6688   *) Fix buffer overflow in SSL_get_shared_ciphers() function.
 6689      (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
 6691   *) Fix SSL client code which could crash if connecting to a
 6692      malicious SSLv2 server.  (CVE-2006-4343)
 6693      [Tavis Ormandy and Will Drewry, Google Security Team]
 6695   *) Change ciphersuite string processing so that an explicit
 6696      ciphersuite selects this one ciphersuite (so that "AES256-SHA"
 6697      will no longer include "AES128-SHA"), and any other similar
 6698      ciphersuite (same bitmap) from *other* protocol versions (so that
 6699      "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
 6700      SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
 6701      changes from 0.9.8b and 0.9.8d.
 6702      [Bodo Moeller]
 6704  Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
 6706   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
 6707      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
 6709   *) Change the Unix randomness entropy gathering to use poll() when
 6710      possible instead of select(), since the latter has some
 6711      undesirable limitations.
 6712      [Darryl Miles via Richard Levitte and Bodo Moeller]
 6714   *) Disable rogue ciphersuites:
 6716       - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
 6717       - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
 6718       - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
 6720      The latter two were purportedly from
 6721      draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
 6722      appear there.
 6724      Also deactivate the remaining ciphersuites from
 6725      draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
 6726      unofficial, and the ID has long expired.
 6727      [Bodo Moeller]
 6729   *) Fix RSA blinding Heisenbug (problems sometimes occurred on
 6730      dual-core machines) and other potential thread-safety issues.
 6731      [Bodo Moeller]
 6733  Changes between 0.9.7i and 0.9.7j  [04 May 2006]
 6735   *) Adapt fipsld and the build system to link against the validated FIPS
 6736      module in FIPS mode.
 6737      [Steve Henson]
 6739   *) Fixes for VC++ 2005 build under Windows.
 6740      [Steve Henson]
 6742   *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
 6743      from a Windows bash shell such as MSYS. It is autodetected from the
 6744      "config" script when run from a VC++ environment. Modify standard VC++
 6745      build to use fipscanister.o from the GNU make build.
 6746      [Steve Henson]
 6748  Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
 6750   *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
 6751      The value now differs depending on if you build for FIPS or not.
 6752      BEWARE!  A program linked with a shared FIPSed libcrypto can't be
 6753      safely run with a non-FIPSed libcrypto, as it may crash because of
 6754      the difference induced by this change.
 6755      [Andy Polyakov]
 6757  Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
 6759   *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
 6760      (part of SSL_OP_ALL).  This option used to disable the
 6761      countermeasure against man-in-the-middle protocol-version
 6762      rollback in the SSL 2.0 server implementation, which is a bad
 6763      idea.  (CVE-2005-2969)
 6765      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
 6766      for Information Security, National Institute of Advanced Industrial
 6767      Science and Technology [AIST], Japan)]
 6769   *) Minimal support for X9.31 signatures and PSS padding modes. This is
 6770      mainly for FIPS compliance and not fully integrated at this stage.
 6771      [Steve Henson]
 6773   *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
 6774      the exponentiation using a fixed-length exponent.  (Otherwise,
 6775      the information leaked through timing could expose the secret key
 6776      after many signatures; cf. Bleichenbacher's attack on DSA with
 6777      biased k.)
 6778      [Bodo Moeller]
 6780   *) Make a new fixed-window mod_exp implementation the default for
 6781      RSA, DSA, and DH private-key operations so that the sequence of
 6782      squares and multiplies and the memory access pattern are
 6783      independent of the particular secret key.  This will mitigate
 6784      cache-timing and potential related attacks.
 6786      BN_mod_exp_mont_consttime() is the new exponentiation implementation,
 6787      and this is automatically used by BN_mod_exp_mont() if the new flag
 6788      BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
 6789      will use this BN flag for private exponents unless the flag
 6791      DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
 6793      [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
 6795   *) Change the client implementation for SSLv23_method() and
 6796      SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
 6797      Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
 6798      (Previously, the SSL 2.0 backwards compatible Client Hello
 6799      message format would be used even with SSL_OP_NO_SSLv2.)
 6800      [Bodo Moeller]
 6802   *) Add support for smime-type MIME parameter in S/MIME messages which some
 6803      clients need.
 6804      [Steve Henson]
 6806   *) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
 6807      a threadsafe manner. Modify rsa code to use new function and add calls
 6808      to dsa and dh code (which had race conditions before).
 6809      [Steve Henson]
 6811   *) Include the fixed error library code in the C error file definitions
 6812      instead of fixing them up at runtime. This keeps the error code
 6813      structures constant.
 6814      [Steve Henson]
 6816  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
 6818   [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
 6819   OpenSSL 0.9.8.]
 6821   *) Fixes for newer kerberos headers. NB: the casts are needed because
 6822      the 'length' field is signed on one version and unsigned on another
 6823      with no (?) obvious way to tell the difference, without these VC++
 6824      complains. Also the "definition" of FAR (blank) is no longer included
 6825      nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
 6826      some needed definitions.
 6827      [Steve Henson]
 6829   *) Undo Cygwin change.
 6830      [Ulf Möller]
 6832   *) Added support for proxy certificates according to RFC 3820.
 6833      Because they may be a security thread to unaware applications,
 6834      they must be explicitly allowed in run-time.  See
 6835      docs/HOWTO/proxy_certificates.txt for further information.
 6836      [Richard Levitte]
 6838  Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
 6840   *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
 6841      server and client random values. Previously
 6842      (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
 6843      less random data when sizeof(time_t) > 4 (some 64 bit platforms).
 6845      This change has negligible security impact because:
 6847      1. Server and client random values still have 24 bytes of pseudo random
 6848         data.
 6850      2. Server and client random values are sent in the clear in the initial
 6851         handshake.
 6853      3. The master secret is derived using the premaster secret (48 bytes in
 6854         size for static RSA ciphersuites) as well as client server and random
 6855         values.
 6857      The OpenSSL team would like to thank the UK NISCC for bringing this issue
 6858      to our attention.
 6860      [Stephen Henson, reported by UK NISCC]
 6862   *) Use Windows randomness collection on Cygwin.
 6863      [Ulf Möller]
 6865   *) Fix hang in EGD/PRNGD query when communication socket is closed
 6866      prematurely by EGD/PRNGD.
 6867      [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
 6869   *) Prompt for pass phrases when appropriate for PKCS12 input format.
 6870      [Steve Henson]
 6872   *) Back-port of selected performance improvements from development
 6873      branch, as well as improved support for PowerPC platforms.
 6874      [Andy Polyakov]
 6876   *) Add lots of checks for memory allocation failure, error codes to indicate
 6877      failure and freeing up memory if a failure occurs.
 6878      [Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
 6880   *) Add new -passin argument to dgst.
 6881      [Steve Henson]
 6883   *) Perform some character comparisons of different types in X509_NAME_cmp:
 6884      this is needed for some certificates that re-encode DNs into UTF8Strings
 6885      (in violation of RFC3280) and can't or won't issue name rollover
 6886      certificates.
 6887      [Steve Henson]
 6889   *) Make an explicit check during certificate validation to see that
 6890      the CA setting in each certificate on the chain is correct.  As a
 6891      side effect always do the following basic checks on extensions,
 6892      not just when there's an associated purpose to the check:
 6894       - if there is an unhandled critical extension (unless the user
 6895         has chosen to ignore this fault)
 6896       - if the path length has been exceeded (if one is set at all)
 6897       - that certain extensions fit the associated purpose (if one has
 6898         been given)
 6899      [Richard Levitte]
 6901  Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
 6903   *) Avoid a race condition when CRLs are checked in a multi threaded
 6904      environment. This would happen due to the reordering of the revoked
 6905      entries during signature checking and serial number lookup. Now the
 6906      encoding is cached and the serial number sort performed under a lock.
 6907      Add new STACK function sk_is_sorted().
 6908      [Steve Henson]
 6910   *) Add Delta CRL to the extension code.
 6911      [Steve Henson]
 6913   *) Various fixes to s3_pkt.c so alerts are sent properly.
 6914      [David Holmes <d.holmes@f5.com>]
 6916   *) Reduce the chances of duplicate issuer name and serial numbers (in
 6917      violation of RFC3280) using the OpenSSL certificate creation utilities.
 6918      This is done by creating a random 64 bit value for the initial serial
 6919      number when a serial number file is created or when a self signed
 6920      certificate is created using 'openssl req -x509'. The initial serial
 6921      number file is created using 'openssl x509 -next_serial' in CA.pl
 6922      rather than being initialized to 1.
 6923      [Steve Henson]
 6925  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
 6927   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
 6928      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
 6929      [Joe Orton, Steve Henson]
 6931   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
 6932      (CVE-2004-0112)
 6933      [Joe Orton, Steve Henson]
 6935   *) Make it possible to have multiple active certificates with the same
 6936      subject in the CA index file.  This is done only if the keyword
 6937      'unique_subject' is set to 'no' in the main CA section (default
 6938      if 'CA_default') of the configuration file.  The value is saved
 6939      with the database itself in a separate index attribute file,
 6940      named like the index file with '.attr' appended to the name.
 6941      [Richard Levitte]
 6943   *) X509 verify fixes. Disable broken certificate workarounds when
 6944      X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
 6945      keyUsage extension present. Don't accept CRLs with unhandled critical
 6946      extensions: since verify currently doesn't process CRL extensions this
 6947      rejects a CRL with *any* critical extensions. Add new verify error codes
 6948      for these cases.
 6949      [Steve Henson]
 6951   *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
 6952      A clarification of RFC2560 will require the use of OCTET STRINGs and
 6953      some implementations cannot handle the current raw format. Since OpenSSL
 6954      copies and compares OCSP nonces as opaque blobs without any attempt at
 6955      parsing them this should not create any compatibility issues.
 6956      [Steve Henson]
 6958   *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
 6959      calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
 6960      this HMAC (and other) operations are several times slower than OpenSSL
 6961      < 0.9.7.
 6962      [Steve Henson]
 6964   *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
 6965      [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
 6967   *) Use the correct content when signing type "other".
 6968      [Steve Henson]
 6970  Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
 6972   *) Fix various bugs revealed by running the NISCC test suite:
 6974      Stop out of bounds reads in the ASN1 code when presented with
 6975      invalid tags (CVE-2003-0543 and CVE-2003-0544).
 6977      Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
 6979      If verify callback ignores invalid public key errors don't try to check
 6980      certificate signature with the NULL public key.
 6982      [Steve Henson]
 6984   *) New -ignore_err option in ocsp application to stop the server
 6985      exiting on the first error in a request.
 6986      [Steve Henson]
 6988   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
 6989      if the server requested one: as stated in TLS 1.0 and SSL 3.0
 6990      specifications.
 6991      [Steve Henson]
 6993   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
 6994      extra data after the compression methods not only for TLS 1.0
 6995      but also for SSL 3.0 (as required by the specification).
 6996      [Bodo Moeller; problem pointed out by Matthias Loepfe]
 6998   *) Change X509_certificate_type() to mark the key as exported/exportable
 6999      when it's 512 *bits* long, not 512 bytes.
 7000      [Richard Levitte]
 7002   *) Change AES_cbc_encrypt() so it outputs exact multiple of
 7003      blocks during encryption.
 7004      [Richard Levitte]
 7006   *) Various fixes to base64 BIO and non blocking I/O. On write
 7007      flushes were not handled properly if the BIO retried. On read
 7008      data was not being buffered properly and had various logic bugs.
 7009      This also affects blocking I/O when the data being decoded is a
 7010      certain size.
 7011      [Steve Henson]
 7013   *) Various S/MIME bugfixes and compatibility changes:
 7014      output correct application/pkcs7 MIME type if
 7015      PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
 7016      Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
 7017      of files as .eml work). Correctly handle very long lines in MIME
 7018      parser.
 7019      [Steve Henson]
 7021  Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
 7023   *) Countermeasure against the Klima-Pokorny-Rosa extension of
 7024      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
 7025      a protocol version number mismatch like a decryption error
 7026      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
 7027      [Bodo Moeller]
 7029   *) Turn on RSA blinding by default in the default implementation
 7030      to avoid a timing attack. Applications that don't want it can call
 7031      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
 7032      They would be ill-advised to do so in most cases.
 7033      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
 7035   *) Change RSA blinding code so that it works when the PRNG is not
 7036      seeded (in this case, the secret RSA exponent is abused as
 7037      an unpredictable seed -- if it is not unpredictable, there
 7038      is no point in blinding anyway).  Make RSA blinding thread-safe
 7039      by remembering the creator's thread ID in rsa->blinding and
 7040      having all other threads use local one-time blinding factors
 7041      (this requires more computation than sharing rsa->blinding, but
 7042      avoids excessive locking; and if an RSA object is not shared
 7043      between threads, blinding will still be very fast).
 7044      [Bodo Moeller]
 7046   *) Fixed a typo bug that would cause ENGINE_set_default() to set an
 7047      ENGINE as defaults for all supported algorithms irrespective of
 7048      the 'flags' parameter. 'flags' is now honoured, so applications
 7049      should make sure they are passing it correctly.
 7050      [Geoff Thorpe]
 7052   *) Target "mingw" now allows native Windows code to be generated in
 7053      the Cygwin environment as well as with the MinGW compiler.
 7054      [Ulf Moeller]
 7056  Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]
 7058   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
 7059      via timing by performing a MAC computation even if incorrect
 7060      block cipher padding has been found.  This is a countermeasure
 7061      against active attacks where the attacker has to distinguish
 7062      between bad padding and a MAC verification error. (CVE-2003-0078)
 7064      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
 7065      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
 7066      Martin Vuagnoux (EPFL, Ilion)]
 7068   *) Make the no-err option work as intended.  The intention with no-err
 7069      is not to have the whole error stack handling routines removed from
 7070      libcrypto, it's only intended to remove all the function name and
 7071      reason texts, thereby removing some of the footprint that may not
 7072      be interesting if those errors aren't displayed anyway.
 7074      NOTE: it's still possible for any application or module to have its
 7075      own set of error texts inserted.  The routines are there, just not
 7076      used by default when no-err is given.
 7077      [Richard Levitte]
 7079   *) Add support for FreeBSD on IA64.
 7080      [dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
 7082   *) Adjust DES_cbc_cksum() so it returns the same value as the MIT
 7083      Kerberos function mit_des_cbc_cksum().  Before this change,
 7084      the value returned by DES_cbc_cksum() was like the one from
 7085      mit_des_cbc_cksum(), except the bytes were swapped.
 7086      [Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
 7088   *) Allow an application to disable the automatic SSL chain building.
 7089      Before this a rather primitive chain build was always performed in
 7090      ssl3_output_cert_chain(): an application had no way to send the
 7091      correct chain if the automatic operation produced an incorrect result.
 7093      Now the chain builder is disabled if either:
 7095      1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
 7097      2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
 7099      The reasoning behind this is that an application would not want the
 7100      auto chain building to take place if extra chain certificates are
 7101      present and it might also want a means of sending no additional
 7102      certificates (for example the chain has two certificates and the
 7103      root is omitted).
 7104      [Steve Henson]
 7106   *) Add the possibility to build without the ENGINE framework.
 7107      [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
 7109   *) Under Win32 gmtime() can return NULL: check return value in
 7110      OPENSSL_gmtime(). Add error code for case where gmtime() fails.
 7111      [Steve Henson]
 7113   *) DSA routines: under certain error conditions uninitialized BN objects
 7114      could be freed. Solution: make sure initialization is performed early
 7115      enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
 7116      Nils Larsch <nla@trustcenter.de> via PR#459)
 7117      [Lutz Jaenicke]
 7119   *) Another fix for SSLv2 session ID handling: the session ID was incorrectly
 7120      checked on reconnect on the client side, therefore session resumption
 7121      could still fail with a "ssl session id is different" error. This
 7122      behaviour is masked when SSL_OP_ALL is used due to
 7123      SSL_OP_MICROSOFT_SESS_ID_BUG being set.
 7124      Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
 7125      followup to PR #377.
 7126      [Lutz Jaenicke]
 7128   *) IA-32 assembler support enhancements: unified ELF targets, support
 7129      for SCO/Caldera platforms, fix for Cygwin shared build.
 7130      [Andy Polyakov]
 7132   *) Add support for FreeBSD on sparc64.  As a consequence, support for
 7133      FreeBSD on non-x86 processors is separate from x86 processors on
 7134      the config script, much like the NetBSD support.
 7135      [Richard Levitte & Kris Kennaway <kris@obsecurity.org>]
 7137  Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
 7139   [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
 7140   OpenSSL 0.9.7.]
 7142   *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
 7143      code (06) was taken as the first octet of the session ID and the last
 7144      octet was ignored consequently. As a result SSLv2 client side session
 7145      caching could not have worked due to the session ID mismatch between
 7146      client and server.
 7147      Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
 7148      PR #377.
 7149      [Lutz Jaenicke]
 7151   *) Change the declaration of needed Kerberos libraries to use EX_LIBS
 7152      instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
 7153      removed entirely.
 7154      [Richard Levitte]
 7156   *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
 7157      seems that in spite of existing for more than a year, many application
 7158      author have done nothing to provide the necessary callbacks, which
 7159      means that this particular engine will not work properly anywhere.
 7160      This is a very unfortunate situation which forces us, in the name
 7161      of usability, to give the hw_ncipher.c a static lock, which is part
 7162      of libcrypto.
 7163      NOTE: This is for the 0.9.7 series ONLY.  This hack will never
 7164      appear in 0.9.8 or later.  We EXPECT application authors to have
 7165      dealt properly with this when 0.9.8 is released (unless we actually
 7166      make such changes in the libcrypto locking code that changes will
 7167      have to be made anyway).
 7168      [Richard Levitte]
 7170   *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
 7171      octets have been read, EOF or an error occurs. Without this change
 7172      some truncated ASN1 structures will not produce an error.
 7173      [Steve Henson]
 7175   *) Disable Heimdal support, since it hasn't been fully implemented.
 7176      Still give the possibility to force the use of Heimdal, but with
 7177      warnings and a request that patches get sent to openssl-dev.
 7178      [Richard Levitte]
 7180   *) Add the VC-CE target, introduce the WINCE sysname, and add
 7181      INSTALL.WCE and appropriate conditionals to make it build.
 7182      [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
 7184   *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
 7185      cygssl-x.y.z.dll, where x, y and z are the major, minor and
 7186      edit numbers of the version.
 7187      [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
 7189   *) Introduce safe string copy and catenation functions
 7190      (BUF_strlcpy() and BUF_strlcat()).
 7191      [Ben Laurie (CHATS) and Richard Levitte]
 7193   *) Avoid using fixed-size buffers for one-line DNs.
 7194      [Ben Laurie (CHATS)]
 7196   *) Add BUF_MEM_grow_clean() to avoid information leakage when
 7197      resizing buffers containing secrets, and use where appropriate.
 7198      [Ben Laurie (CHATS)]
 7200   *) Avoid using fixed size buffers for configuration file location.
 7201      [Ben Laurie (CHATS)]
 7203   *) Avoid filename truncation for various CA files.
 7204      [Ben Laurie (CHATS)]
 7206   *) Use sizeof in preference to magic numbers.
 7207      [Ben Laurie (CHATS)]
 7209   *) Avoid filename truncation in cert requests.
 7210      [Ben Laurie (CHATS)]
 7212   *) Add assertions to check for (supposedly impossible) buffer
 7213      overflows.
 7214      [Ben Laurie (CHATS)]
 7216   *) Don't cache truncated DNS entries in the local cache (this could
 7217      potentially lead to a spoofing attack).
 7218      [Ben Laurie (CHATS)]
 7220   *) Fix various buffers to be large enough for hex/decimal
 7221      representations in a platform independent manner.
 7222      [Ben Laurie (CHATS)]
 7224   *) Add CRYPTO_realloc_clean() to avoid information leakage when
 7225      resizing buffers containing secrets, and use where appropriate.
 7226      [Ben Laurie (CHATS)]
 7228   *) Add BIO_indent() to avoid much slightly worrying code to do
 7229      indents.
 7230      [Ben Laurie (CHATS)]
 7232   *) Convert sprintf()/BIO_puts() to BIO_printf().
 7233      [Ben Laurie (CHATS)]
 7235   *) buffer_gets() could terminate with the buffer only half
 7236      full. Fixed.
 7237      [Ben Laurie (CHATS)]
 7239   *) Add assertions to prevent user-supplied crypto functions from
 7240      overflowing internal buffers by having large block sizes, etc.
 7241      [Ben Laurie (CHATS)]
 7243   *) New OPENSSL_assert() macro (similar to assert(), but enabled
 7244      unconditionally).
 7245      [Ben Laurie (CHATS)]
 7247   *) Eliminate unused copy of key in RC4.
 7248      [Ben Laurie (CHATS)]
 7250   *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
 7251      [Ben Laurie (CHATS)]
 7253   *) Fix off-by-one error in EGD path.
 7254      [Ben Laurie (CHATS)]
 7256   *) If RANDFILE path is too long, ignore instead of truncating.
 7257      [Ben Laurie (CHATS)]
 7259   *) Eliminate unused and incorrectly sized X.509 structure
 7260      CBCParameter.
 7261      [Ben Laurie (CHATS)]
 7263   *) Eliminate unused and dangerous function knumber().
 7264      [Ben Laurie (CHATS)]
 7266   *) Eliminate unused and dangerous structure, KSSL_ERR.
 7267      [Ben Laurie (CHATS)]
 7269   *) Protect against overlong session ID context length in an encoded
 7270      session object. Since these are local, this does not appear to be
 7271      exploitable.
 7272      [Ben Laurie (CHATS)]
 7274   *) Change from security patch (see 0.9.6e below) that did not affect
 7275      the 0.9.6 release series:
 7277      Remote buffer overflow in SSL3 protocol - an attacker could
 7278      supply an oversized master key in Kerberos-enabled versions.
 7279      (CVE-2002-0657)
 7280      [Ben Laurie (CHATS)]
 7282   *) Change the SSL kerb5 codes to match RFC 2712.
 7283      [Richard Levitte]
 7285   *) Make -nameopt work fully for req and add -reqopt switch.
 7286      [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
 7288   *) The "block size" for block ciphers in CFB and OFB mode should be 1.
 7289      [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
 7291   *) Make sure tests can be performed even if the corresponding algorithms
 7292      have been removed entirely.  This was also the last step to make
 7293      OpenSSL compilable with DJGPP under all reasonable conditions.
 7294      [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
 7296   *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
 7297      to allow version independent disabling of normally unselected ciphers,
 7298      which may be activated as a side-effect of selecting a single cipher.
 7300      (E.g., cipher list string "RSA" enables ciphersuites that are left
 7301      out of "ALL" because they do not provide symmetric encryption.
 7302      "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
 7303      [Lutz Jaenicke, Bodo Moeller]
 7305   *) Add appropriate support for separate platform-dependent build
 7306      directories.  The recommended way to make a platform-dependent
 7307      build directory is the following (tested on Linux), maybe with
 7308      some local tweaks:
 7310         # Place yourself outside of the OpenSSL source tree.  In
 7311         # this example, the environment variable OPENSSL_SOURCE
 7312         # is assumed to contain the absolute OpenSSL source directory.
 7313         mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
 7314         cd objtree/"`uname -s`-`uname -r`-`uname -m`"
 7315         (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
 7316                 mkdir -p `dirname $F`
 7317                 ln -s $OPENSSL_SOURCE/$F $F
 7318         done
 7320      To be absolutely sure not to disturb the source tree, a "make clean"
 7321      is a good thing.  If it isn't successful, don't worry about it,
 7322      it probably means the source directory is very clean.
 7323      [Richard Levitte]
 7325   *) Make sure any ENGINE control commands make local copies of string
 7326      pointers passed to them whenever necessary. Otherwise it is possible
 7327      the caller may have overwritten (or deallocated) the original string
 7328      data when a later ENGINE operation tries to use the stored values.
 7329      [Götz Babin-Ebell <babinebell@trustcenter.de>]
 7331   *) Improve diagnostics in file reading and command-line digests.
 7332      [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
 7334   *) Add AES modes CFB and OFB to the object database.  Correct an
 7335      error in AES-CFB decryption.
 7336      [Richard Levitte]
 7338   *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
 7339      allows existing EVP_CIPHER_CTX structures to be reused after
 7340      calling EVP_*Final(). This behaviour is used by encryption
 7341      BIOs and some applications. This has the side effect that
 7342      applications must explicitly clean up cipher contexts with
 7343      EVP_CIPHER_CTX_cleanup() or they will leak memory.
 7344      [Steve Henson]
 7346   *) Check the values of dna and dnb in bn_mul_recursive before calling
 7347      bn_mul_comba (a non zero value means the a or b arrays do not contain
 7348      n2 elements) and fallback to bn_mul_normal if either is not zero.
 7349      [Steve Henson]
 7351   *) Fix escaping of non-ASCII characters when using the -subj option
 7352      of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
 7353      [Lutz Jaenicke]
 7355   *) Make object definitions compliant to LDAP (RFC2256): SN is the short
 7356      form for "surname", serialNumber has no short form.
 7357      Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
 7358      therefore remove "mail" short name for "internet 7".
 7359      The OID for unique identifiers in X509 certificates is
 7360      x500UniqueIdentifier, not uniqueIdentifier.
 7361      Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
 7362      [Lutz Jaenicke]
 7364   *) Add an "init" command to the ENGINE config module and auto initialize
 7365      ENGINEs. Without any "init" command the ENGINE will be initialized
 7366      after all ctrl commands have been executed on it. If init=1 the
 7367      ENGINE is initialized at that point (ctrls before that point are run
 7368      on the uninitialized ENGINE and after on the initialized one). If
 7369      init=0 then the ENGINE will not be initialized at all.
 7370      [Steve Henson]
 7372   *) Fix the 'app_verify_callback' interface so that the user-defined
 7373      argument is actually passed to the callback: In the
 7374      SSL_CTX_set_cert_verify_callback() prototype, the callback
 7375      declaration has been changed from
 7376           int (*cb)()
 7377      into
 7378           int (*cb)(X509_STORE_CTX *,void *);
 7379      in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
 7380           i=s->ctx->app_verify_callback(&ctx)
 7381      has been changed into
 7382           i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
 7384      To update applications using SSL_CTX_set_cert_verify_callback(),
 7385      a dummy argument can be added to their callback functions.
 7386      [D. K. Smetters <smetters@parc.xerox.com>]
 7388   *) Added the '4758cca' ENGINE to support IBM 4758 cards.
 7389      [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]
 7391   *) Add and OPENSSL_LOAD_CONF define which will cause
 7392      OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
 7393      This allows older applications to transparently support certain
 7394      OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
 7395      Two new functions OPENSSL_add_all_algorithms_noconf() which will never
 7396      load the config file and OPENSSL_add_all_algorithms_conf() which will
 7397      always load it have also been added.
 7398      [Steve Henson]
 7400   *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
 7401      Adjust NIDs and EVP layer.
 7402      [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
 7404   *) Config modules support in openssl utility.
 7406      Most commands now load modules from the config file,
 7407      though in a few (such as version) this isn't done
 7408      because it couldn't be used for anything.
 7410      In the case of ca and req the config file used is
 7411      the same as the utility itself: that is the -config
 7412      command line option can be used to specify an
 7413      alternative file.
 7414      [Steve Henson]
 7416   *) Move default behaviour from OPENSSL_config(). If appname is NULL
 7417      use "openssl_conf" if filename is NULL use default openssl config file.
 7418      [Steve Henson]
 7420   *) Add an argument to OPENSSL_config() to allow the use of an alternative
 7421      config section name. Add a new flag to tolerate a missing config file
 7422      and move code to CONF_modules_load_file().
 7423      [Steve Henson]
 7425   *) Support for crypto accelerator cards from Accelerated Encryption
 7426      Processing, www.aep.ie.  (Use engine 'aep')
 7427      The support was copied from 0.9.6c [engine] and adapted/corrected
 7428      to work with the new engine framework.
 7429      [AEP Inc. and Richard Levitte]
 7431   *) Support for SureWare crypto accelerator cards from Baltimore
 7432      Technologies.  (Use engine 'sureware')
 7433      The support was copied from 0.9.6c [engine] and adapted
 7434      to work with the new engine framework.
 7435      [Richard Levitte]
 7437   *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
 7438      make the newer ENGINE framework commands for the CHIL engine work.
 7439      [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]
 7441   *) Make it possible to produce shared libraries on ReliantUNIX.
 7442      [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]
 7444   *) Add the configuration target debug-linux-ppro.
 7445      Make 'openssl rsa' use the general key loading routines
 7446      implemented in apps.c, and make those routines able to
 7447      handle the key format FORMAT_NETSCAPE and the variant
 7448      FORMAT_IISSGC.
 7449      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 7451  *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
 7452      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 7454   *) Add -keyform to rsautl, and document -engine.
 7455      [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]
 7457   *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
 7458      BIO_R_NO_SUCH_FILE error code rather than the generic
 7459      ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
 7460      [Ben Laurie]
 7462   *) Add new functions
 7463           ERR_peek_last_error
 7464           ERR_peek_last_error_line
 7465           ERR_peek_last_error_line_data.
 7466      These are similar to
 7467           ERR_peek_error
 7468           ERR_peek_error_line
 7469           ERR_peek_error_line_data,
 7470      but report on the latest error recorded rather than the first one
 7471      still in the error queue.
 7472      [Ben Laurie, Bodo Moeller]
 7474   *) default_algorithms option in ENGINE config module. This allows things
 7475      like:
 7476      default_algorithms = ALL
 7477      default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
 7478      [Steve Henson]
 7480   *) Preliminary ENGINE config module.
 7481      [Steve Henson]
 7483   *) New experimental application configuration code.
 7484      [Steve Henson]
 7486   *) Change the AES code to follow the same name structure as all other
 7487      symmetric ciphers, and behave the same way.  Move everything to
 7488      the directory crypto/aes, thereby obsoleting crypto/rijndael.
 7489      [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
 7491   *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
 7492      [Ben Laurie and Theo de Raadt]
 7494   *) Add option to output public keys in req command.
 7495      [Massimiliano Pala madwolf@openca.org]
 7497   *) Use wNAFs in EC_POINTs_mul() for improved efficiency
 7498      (up to about 10% better than before for P-192 and P-224).
 7499      [Bodo Moeller]
 7501   *) New functions/macros
 7503           SSL_CTX_set_msg_callback(ctx, cb)
 7504           SSL_CTX_set_msg_callback_arg(ctx, arg)
 7505           SSL_set_msg_callback(ssl, cb)
 7506           SSL_set_msg_callback_arg(ssl, arg)
 7508      to request calling a callback function
 7510           void cb(int write_p, int version, int content_type,
 7511                   const void *buf, size_t len, SSL *ssl, void *arg)
 7513      whenever a protocol message has been completely received
 7514      (write_p == 0) or sent (write_p == 1).  Here 'version' is the
 7515      protocol version  according to which the SSL library interprets
 7516      the current protocol message (SSL2_VERSION, SSL3_VERSION, or
 7517      TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
 7518      the content type as defined in the SSL 3.0/TLS 1.0 protocol
 7519      specification (change_cipher_spec(20), alert(21), handshake(22)).
 7520      'buf' and 'len' point to the actual message, 'ssl' to the
 7521      SSL object, and 'arg' is the application-defined value set by
 7522      SSL[_CTX]_set_msg_callback_arg().
 7524      'openssl s_client' and 'openssl s_server' have new '-msg' options
 7525      to enable a callback that displays all protocol messages.
 7526      [Bodo Moeller]
 7528   *) Change the shared library support so shared libraries are built as
 7529      soon as the corresponding static library is finished, and thereby get
 7530      openssl and the test programs linked against the shared library.
 7531      This still only happens when the keyword "shard" has been given to
 7532      the configuration scripts.
 7534      NOTE: shared library support is still an experimental thing, and
 7535      backward binary compatibility is still not guaranteed.
 7536      ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
 7538   *) Add support for Subject Information Access extension.
 7539      [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
 7541   *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
 7542      additional bytes when new memory had to be allocated, not just
 7543      when reusing an existing buffer.
 7544      [Bodo Moeller]
 7546   *) New command line and configuration option 'utf8' for the req command.
 7547      This allows field values to be specified as UTF8 strings.
 7548      [Steve Henson]
 7550   *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
 7551      runs for the former and machine-readable output for the latter.
 7552      [Ben Laurie]
 7554   *) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
 7555      of the e-mail address in the DN (i.e., it will go into a certificate
 7556      extension only).  The new configuration file option 'email_in_dn = no'
 7557      has the same effect.
 7558      [Massimiliano Pala madwolf@openca.org]
 7560   *) Change all functions with names starting with des_ to be starting
 7561      with DES_ instead.  Add wrappers that are compatible with libdes,
 7562      but are named _ossl_old_des_*.  Finally, add macros that map the
 7563      des_* symbols to the corresponding _ossl_old_des_* if libdes
 7564      compatibility is desired.  If OpenSSL 0.9.6c compatibility is
 7565      desired, the des_* symbols will be mapped to DES_*, with one
 7566      exception.
 7568      Since we provide two compatibility mappings, the user needs to
 7569      define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
 7570      compatibility is desired.  The default (i.e., when that macro
 7571      isn't defined) is OpenSSL 0.9.6c compatibility.
 7573      There are also macros that enable and disable the support of old
 7574      des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
 7575      and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
 7576      are defined, the default will apply: to support the old des routines.
 7578      In either case, one must include openssl/des.h to get the correct
 7579      definitions.  Do not try to just include openssl/des_old.h, that
 7580      won't work.
 7582      NOTE: This is a major break of an old API into a new one.  Software
 7583      authors are encouraged to switch to the DES_ style functions.  Some
 7584      time in the future, des_old.h and the libdes compatibility functions
 7585      will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
 7586      default), and then completely removed.
 7587      [Richard Levitte]
 7589   *) Test for certificates which contain unsupported critical extensions.
 7590      If such a certificate is found during a verify operation it is
 7591      rejected by default: this behaviour can be overridden by either
 7592      handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
 7593      by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
 7594      X509_supported_extension() has also been added which returns 1 if a
 7595      particular extension is supported.
 7596      [Steve Henson]
 7598   *) Modify the behaviour of EVP cipher functions in similar way to digests
 7599      to retain compatibility with existing code.
 7600      [Steve Henson]
 7602   *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
 7603      compatibility with existing code. In particular the 'ctx' parameter does
 7604      not have to be to be initialized before the call to EVP_DigestInit() and
 7605      it is tidied up after a call to EVP_DigestFinal(). New function
 7606      EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
 7607      EVP_MD_CTX_copy() changed to not require the destination to be
 7608      initialized valid and new function EVP_MD_CTX_copy_ex() added which
 7609      requires the destination to be valid.
 7611      Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
 7612      EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
 7613      [Steve Henson]
 7615   *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
 7616      so that complete 'Handshake' protocol structures are kept in memory
 7617      instead of overwriting 'msg_type' and 'length' with 'body' data.
 7618      [Bodo Moeller]
 7620   *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
 7621      [Massimo Santin via Richard Levitte]
 7623   *) Major restructuring to the underlying ENGINE code. This includes
 7624      reduction of linker bloat, separation of pure "ENGINE" manipulation
 7625      (initialisation, etc) from functionality dealing with implementations
 7626      of specific crypto interfaces. This change also introduces integrated
 7627      support for symmetric ciphers and digest implementations - so ENGINEs
 7628      can now accelerate these by providing EVP_CIPHER and EVP_MD
 7629      implementations of their own. This is detailed in crypto/engine/README
 7630      as it couldn't be adequately described here. However, there are a few
 7631      API changes worth noting - some RSA, DSA, DH, and RAND functions that
 7632      were changed in the original introduction of ENGINE code have now
 7633      reverted back - the hooking from this code to ENGINE is now a good
 7634      deal more passive and at run-time, operations deal directly with
 7635      RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
 7636      dereferencing through an ENGINE pointer any more. Also, the ENGINE
 7637      functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
 7638      they were not being used by the framework as there is no concept of a
 7639      BIGNUM_METHOD and they could not be generalised to the new
 7640      'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
 7641      ENGINE_cpy() has been removed as it cannot be consistently defined in
 7642      the new code.
 7643      [Geoff Thorpe]
 7645   *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
 7646      [Steve Henson]
 7648   *) Change mkdef.pl to sort symbols that get the same entry number,
 7649      and make sure the automatically generated functions ERR_load_*
 7650      become part of libeay.num as well.
 7651      [Richard Levitte]
 7653   *) New function SSL_renegotiate_pending().  This returns true once
 7654      renegotiation has been requested (either SSL_renegotiate() call
 7655      or HelloRequest/ClientHello received from the peer) and becomes
 7656      false once a handshake has been completed.
 7657      (For servers, SSL_renegotiate() followed by SSL_do_handshake()
 7658      sends a HelloRequest, but does not ensure that a handshake takes
 7659      place.  SSL_renegotiate_pending() is useful for checking if the
 7660      client has followed the request.)
 7661      [Bodo Moeller]
 7664      By default, clients may request session resumption even during
 7665      renegotiation (if session ID contexts permit); with this option,
 7666      session resumption is possible only in the first handshake.
 7668      SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
 7669      more bits available for options that should not be part of
 7671      [Bodo Moeller]
 7673   *) Add some demos for certificate and certificate request creation.
 7674      [Steve Henson]
 7676   *) Make maximum certificate chain size accepted from the peer application
 7677      settable (SSL*_get/set_max_cert_list()), as proposed by
 7678      "Douglas E. Engert" <deengert@anl.gov>.
 7679      [Lutz Jaenicke]
 7681   *) Add support for shared libraries for Unixware-7
 7682      (Boyd Lynn Gerber <gerberb@zenez.com>).
 7683      [Lutz Jaenicke]
 7685   *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
 7686      be done prior to destruction. Use this to unload error strings from
 7687      ENGINEs that load their own error strings. NB: This adds two new API
 7688      functions to "get" and "set" this destroy handler in an ENGINE.
 7689      [Geoff Thorpe]
 7691   *) Alter all existing ENGINE implementations (except "openssl" and
 7692      "openbsd") to dynamically instantiate their own error strings. This
 7693      makes them more flexible to be built both as statically-linked ENGINEs
 7694      and self-contained shared-libraries loadable via the "dynamic" ENGINE.
 7695      Also, add stub code to each that makes building them as self-contained
 7696      shared-libraries easier (see README.ENGINE).
 7697      [Geoff Thorpe]
 7699   *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
 7700      implementations into applications that are completely implemented in
 7701      self-contained shared-libraries. The "dynamic" ENGINE exposes control
 7702      commands that can be used to configure what shared-library to load and
 7703      to control aspects of the way it is handled. Also, made an update to
 7704      the README.ENGINE file that brings its information up-to-date and
 7705      provides some information and instructions on the "dynamic" ENGINE
 7706      (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
 7707      [Geoff Thorpe]
 7709   *) Make it possible to unload ranges of ERR strings with a new
 7710      "ERR_unload_strings" function.
 7711      [Geoff Thorpe]
 7713   *) Add a copy() function to EVP_MD.
 7714      [Ben Laurie]
 7716   *) Make EVP_MD routines take a context pointer instead of just the
 7717      md_data void pointer.
 7718      [Ben Laurie]
 7720   *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
 7721      that the digest can only process a single chunk of data
 7722      (typically because it is provided by a piece of
 7723      hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
 7724      is only going to provide a single chunk of data, and hence the
 7725      framework needn't accumulate the data for oneshot drivers.
 7726      [Ben Laurie]
 7728   *) As with "ERR", make it possible to replace the underlying "ex_data"
 7729      functions. This change also alters the storage and management of global
 7730      ex_data state - it's now all inside ex_data.c and all "class" code (eg.
 7731      RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
 7732      index counters. The API functions that use this state have been changed
 7733      to take a "class_index" rather than pointers to the class's local STACK
 7734      and counter, and there is now an API function to dynamically create new
 7735      classes. This centralisation allows us to (a) plug a lot of the
 7736      thread-safety problems that existed, and (b) makes it possible to clean
 7737      up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
 7738      such data would previously have always leaked in application code and
 7739      workarounds were in place to make the memory debugging turn a blind eye
 7740      to it. Application code that doesn't use this new function will still
 7741      leak as before, but their memory debugging output will announce it now
 7742      rather than letting it slide.
 7744      Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
 7745      induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
 7746      has a return value to indicate success or failure.
 7747      [Geoff Thorpe]
 7749   *) Make it possible to replace the underlying "ERR" functions such that the
 7750      global state (2 LHASH tables and 2 locks) is only used by the "default"
 7751      implementation. This change also adds two functions to "get" and "set"
 7752      the implementation prior to it being automatically set the first time
 7753      any other ERR function takes place. Ie. an application can call "get",
 7754      pass the return value to a module it has just loaded, and that module
 7755      can call its own "set" function using that value. This means the
 7756      module's "ERR" operations will use (and modify) the error state in the
 7757      application and not in its own statically linked copy of OpenSSL code.
 7758      [Geoff Thorpe]
 7760   *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
 7761      reference counts. This performs normal REF_PRINT/REF_CHECK macros on
 7762      the operation, and provides a more encapsulated way for external code
 7763      (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
 7764      to use these functions rather than manually incrementing the counts.
 7766      Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
 7767      [Geoff Thorpe]
 7769   *) Add EVP test program.
 7770      [Ben Laurie]
 7772   *) Add symmetric cipher support to ENGINE. Expect the API to change!
 7773      [Ben Laurie]
 7775   *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
 7776      X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
 7777      X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
 7778      These allow a CRL to be built without having to access X509_CRL fields
 7779      directly. Modify 'ca' application to use new functions.
 7780      [Steve Henson]
 7782   *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
 7783      bug workarounds. Rollback attack detection is a security feature.
 7784      The problem will only arise on OpenSSL servers when TLSv1 is not
 7785      available (sslv3_server_method() or SSL_OP_NO_TLSv1).
 7786      Software authors not wanting to support TLSv1 will have special reasons
 7787      for their choice and can explicitly enable this option.
 7788      [Bodo Moeller, Lutz Jaenicke]
 7790   *) Rationalise EVP so it can be extended: don't include a union of
 7791      cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
 7792      (similar to those existing for EVP_CIPHER_CTX).
 7793      Usage example:
 7795          EVP_MD_CTX md;
 7797          EVP_MD_CTX_init(&md);             /* new function call */
 7798          EVP_DigestInit(&md, EVP_sha1());
 7799          EVP_DigestUpdate(&md, in, len);
 7800          EVP_DigestFinal(&md, out, NULL);
 7801          EVP_MD_CTX_cleanup(&md);          /* new function call */
 7803      [Ben Laurie]
 7805   *) Make DES key schedule conform to the usual scheme, as well as
 7806      correcting its structure. This means that calls to DES functions
 7807      now have to pass a pointer to a des_key_schedule instead of a
 7808      plain des_key_schedule (which was actually always a pointer
 7809      anyway): E.g.,
 7811          des_key_schedule ks;
 7813          des_set_key_checked(..., &ks);
 7814          des_ncbc_encrypt(..., &ks, ...);
 7816      (Note that a later change renames 'des_...' into 'DES_...'.)
 7817      [Ben Laurie]
 7819   *) Initial reduction of linker bloat: the use of some functions, such as
 7820      PEM causes large amounts of unused functions to be linked in due to
 7821      poor organisation. For example pem_all.c contains every PEM function
 7822      which has a knock on effect of linking in large amounts of (unused)
 7823      ASN1 code. Grouping together similar functions and splitting unrelated
 7824      functions prevents this.
 7825      [Steve Henson]
 7827   *) Cleanup of EVP macros.
 7828      [Ben Laurie]
 7830   *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
 7831      correct _ecb suffix.
 7832      [Ben Laurie]
 7834   *) Add initial OCSP responder support to ocsp application. The
 7835      revocation information is handled using the text based index
 7836      use by the ca application. The responder can either handle
 7837      requests generated internally, supplied in files (for example
 7838      via a CGI script) or using an internal minimal server.
 7839      [Steve Henson]
 7841   *) Add configuration choices to get zlib compression for TLS.
 7842      [Richard Levitte]
 7844   *) Changes to Kerberos SSL for RFC 2712 compliance:
 7845      1.  Implemented real KerberosWrapper, instead of just using
 7846          KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
 7847      2.  Implemented optional authenticator field of KerberosWrapper.
 7849      Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
 7850      and authenticator structs; see crypto/krb5/.
 7852      Generalized Kerberos calls to support multiple Kerberos libraries.
 7853      [Vern Staats <staatsvr@asc.hpc.mil>,
 7854       Jeffrey Altman <jaltman@columbia.edu>
 7855       via Richard Levitte]
 7857   *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
 7858      already does with RSA. testdsa.h now has 'priv_key/pub_key'
 7859      values for each of the key sizes rather than having just
 7860      parameters (and 'speed' generating keys each time).
 7861      [Geoff Thorpe]
 7863   *) Speed up EVP routines.
 7864      Before:
 7865 encrypt
 7866 type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 7867 des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
 7868 des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
 7869 des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
 7870 decrypt
 7871 des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
 7872 des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
 7873 des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
 7874      After:
 7875 encrypt
 7876 des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
 7877 decrypt
 7878 des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
 7879      [Ben Laurie]
 7881   *) Added the OS2-EMX target.
 7882      ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
 7884   *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
 7885      to support NCONF routines in extension code. New function CONF_set_nconf()
 7886      to allow functions which take an NCONF to also handle the old LHASH
 7887      structure: this means that the old CONF compatible routines can be
 7888      retained (in particular wrt extensions) without having to duplicate the
 7889      code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
 7890      [Steve Henson]
 7892   *) Enhance the general user interface with mechanisms for inner control
 7893      and with possibilities to have yes/no kind of prompts.
 7894      [Richard Levitte]
 7896   *) Change all calls to low level digest routines in the library and
 7897      applications to use EVP. Add missing calls to HMAC_cleanup() and
 7898      don't assume HMAC_CTX can be copied using memcpy().
 7899      [Verdon Walker <VWalker@novell.com>, Steve Henson]
 7901   *) Add the possibility to control engines through control names but with
 7902      arbitrary arguments instead of just a string.
 7903      Change the key loaders to take a UI_METHOD instead of a callback
 7904      function pointer.  NOTE: this breaks binary compatibility with earlier
 7905      versions of OpenSSL [engine].
 7906      Adapt the nCipher code for these new conditions and add a card insertion
 7907      callback.
 7908      [Richard Levitte]
 7910   *) Enhance the general user interface with mechanisms to better support
 7911      dialog box interfaces, application-defined prompts, the possibility
 7912      to use defaults (for example default passwords from somewhere else)
 7913      and interrupts/cancellations.
 7914      [Richard Levitte]
 7916   *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
 7917      attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
 7918      [Steve Henson]
 7920   *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
 7921      tidy up some unnecessarily weird code in 'sk_new()').
 7922      [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
 7924   *) Change the key loading routines for ENGINEs to use the same kind
 7925      callback (pem_password_cb) as all other routines that need this
 7926      kind of callback.
 7927      [Richard Levitte]
 7929   *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
 7930      256 bit (=32 byte) keys. Of course seeding with more entropy bytes
 7931      than this minimum value is recommended.
 7932      [Lutz Jaenicke]
 7934   *) New random seeder for OpenVMS, using the system process statistics
 7935      that are easily reachable.
 7936      [Richard Levitte]
 7938   *) Windows apparently can't transparently handle global
 7939      variables defined in DLLs. Initialisations such as:
 7941         const ASN1_ITEM *it = &ASN1_INTEGER_it;
 7943      won't compile. This is used by the any applications that need to
 7944      declare their own ASN1 modules. This was fixed by adding the option
 7945      EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
 7946      needed for static libraries under Win32.
 7947      [Steve Henson]
 7949   *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
 7950      setting of purpose and trust fields. New X509_STORE trust and
 7951      purpose functions and tidy up setting in other SSL functions.
 7952      [Steve Henson]
 7954   *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
 7955      structure. These are inherited by X509_STORE_CTX when it is
 7956      initialised. This allows various defaults to be set in the
 7957      X509_STORE structure (such as flags for CRL checking and custom
 7958      purpose or trust settings) for functions which only use X509_STORE_CTX
 7959      internally such as S/MIME.
 7961      Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
 7962      trust settings if they are not set in X509_STORE. This allows X509_STORE
 7963      purposes and trust (in S/MIME for example) to override any set by default.
 7965      Add command line options for CRL checking to smime, s_client and s_server
 7966      applications.
 7967      [Steve Henson]
 7969   *) Initial CRL based revocation checking. If the CRL checking flag(s)
 7970      are set then the CRL is looked up in the X509_STORE structure and
 7971      its validity and signature checked, then if the certificate is found
 7972      in the CRL the verify fails with a revoked error.
 7974      Various new CRL related callbacks added to X509_STORE_CTX structure.
 7976      Command line options added to 'verify' application to support this.
 7978      This needs some additional work, such as being able to handle multiple
 7979      CRLs with different times, extension based lookup (rather than just
 7980      by subject name) and ultimately more complete V2 CRL extension
 7981      handling.
 7982      [Steve Henson]
 7984   *) Add a general user interface API (crypto/ui/).  This is designed
 7985      to replace things like des_read_password and friends (backward
 7986      compatibility functions using this new API are provided).
 7987      The purpose is to remove prompting functions from the DES code
 7988      section as well as provide for prompting through dialog boxes in
 7989      a window system and the like.
 7990      [Richard Levitte]
 7992   *) Add "ex_data" support to ENGINE so implementations can add state at a
 7993      per-structure level rather than having to store it globally.
 7994      [Geoff]
 7996   *) Make it possible for ENGINE structures to be copied when retrieved by
 7997      ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
 7998      This causes the "original" ENGINE structure to act like a template,
 7999      analogous to the RSA vs. RSA_METHOD type of separation. Because of this
 8000      operational state can be localised to each ENGINE structure, despite the
 8001      fact they all share the same "methods". New ENGINE structures returned in
 8002      this case have no functional references and the return value is the single
 8003      structural reference. This matches the single structural reference returned
 8004      by ENGINE_by_id() normally, when it is incremented on the pre-existing
 8005      ENGINE structure.
 8006      [Geoff]
 8008   *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
 8009      needs to match any other type at all we need to manually clear the
 8010      tag cache.
 8011      [Steve Henson]
 8013   *) Changes to the "openssl engine" utility to include;
 8014      - verbosity levels ('-v', '-vv', and '-vvv') that provide information
 8015        about an ENGINE's available control commands.
 8016      - executing control commands from command line arguments using the
 8017        '-pre' and '-post' switches. '-post' is only used if '-t' is
 8018        specified and the ENGINE is successfully initialised. The syntax for
 8019        the individual commands are colon-separated, for example;
 8020          openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
 8021      [Geoff]
 8023   *) New dynamic control command support for ENGINEs. ENGINEs can now
 8024      declare their own commands (numbers), names (strings), descriptions,
 8025      and input types for run-time discovery by calling applications. A
 8026      subset of these commands are implicitly classed as "executable"
 8027      depending on their input type, and only these can be invoked through
 8028      the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
 8029      can be based on user input, config files, etc). The distinction is
 8030      that "executable" commands cannot return anything other than a boolean
 8031      result and can only support numeric or string input, whereas some
 8032      discoverable commands may only be for direct use through
 8033      ENGINE_ctrl(), eg. supporting the exchange of binary data, function
 8034      pointers, or other custom uses. The "executable" commands are to
 8035      support parameterisations of ENGINE behaviour that can be
 8036      unambiguously defined by ENGINEs and used consistently across any
 8037      OpenSSL-based application. Commands have been added to all the
 8038      existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
 8039      control over shared-library paths without source code alterations.
 8040      [Geoff]
 8042   *) Changed all ENGINE implementations to dynamically allocate their
 8043      ENGINEs rather than declaring them statically. Apart from this being
 8044      necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
 8045      this also allows the implementations to compile without using the
 8046      internal engine_int.h header.
 8047      [Geoff]
 8049   *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
 8050      'const' value. Any code that should be able to modify a RAND_METHOD
 8051      should already have non-const pointers to it (ie. they should only
 8052      modify their own ones).
 8053      [Geoff]
 8055   *) Made a variety of little tweaks to the ENGINE code.
 8056      - "atalla" and "ubsec" string definitions were moved from header files
 8057        to C code. "nuron" string definitions were placed in variables
 8058        rather than hard-coded - allowing parameterisation of these values
 8059        later on via ctrl() commands.
 8060      - Removed unused "#if 0"'d code.
 8061      - Fixed engine list iteration code so it uses ENGINE_free() to release
 8062        structural references.
 8063      - Constified the RAND_METHOD element of ENGINE structures.
 8064      - Constified various get/set functions as appropriate and added
 8065        missing functions (including a catch-all ENGINE_cpy that duplicates
 8066        all ENGINE values onto a new ENGINE except reference counts/state).
 8067      - Removed NULL parameter checks in get/set functions. Setting a method
 8068        or function to NULL is a way of cancelling out a previously set
 8069        value.  Passing a NULL ENGINE parameter is just plain stupid anyway
 8070        and doesn't justify the extra error symbols and code.
 8071      - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
 8072        flags from engine_int.h to engine.h.
 8073      - Changed prototypes for ENGINE handler functions (init(), finish(),
 8074        ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
 8075      [Geoff]
 8077   *) Implement binary inversion algorithm for BN_mod_inverse in addition
 8078      to the algorithm using long division.  The binary algorithm can be
 8079      used only if the modulus is odd.  On 32-bit systems, it is faster
 8080      only for relatively small moduli (roughly 20-30% for 128-bit moduli,
 8081      roughly 5-15% for 256-bit moduli), so we use it only for moduli
 8082      up to 450 bits.  In 64-bit environments, the binary algorithm
 8083      appears to be advantageous for much longer moduli; here we use it
 8084      for moduli up to 2048 bits.
 8085      [Bodo Moeller]
 8087   *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
 8088      could not support the combine flag in choice fields.
 8089      [Steve Henson]
 8091   *) Add a 'copy_extensions' option to the 'ca' utility. This copies
 8092      extensions from a certificate request to the certificate.
 8093      [Steve Henson]
 8095   *) Allow multiple 'certopt' and 'nameopt' options to be separated
 8096      by commas. Add 'namopt' and 'certopt' options to the 'ca' config
 8097      file: this allows the display of the certificate about to be
 8098      signed to be customised, to allow certain fields to be included
 8099      or excluded and extension details. The old system didn't display
 8100      multicharacter strings properly, omitted fields not in the policy
 8101      and couldn't display additional details such as extensions.
 8102      [Steve Henson]
 8104   *) Function EC_POINTs_mul for multiple scalar multiplication
 8105      of an arbitrary number of elliptic curve points
 8106           \sum scalars[i]*points[i],
 8107      optionally including the generator defined for the EC_GROUP:
 8108           scalar*generator +  \sum scalars[i]*points[i].
 8110      EC_POINT_mul is a simple wrapper function for the typical case
 8111      that the point list has just one item (besides the optional
 8112      generator).
 8113      [Bodo Moeller]
 8115   *) First EC_METHODs for curves over GF(p):
 8117      EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
 8118      operations and provides various method functions that can also
 8119      operate with faster implementations of modular arithmetic.
 8121      EC_GFp_mont_method() reuses most functions that are part of
 8122      EC_GFp_simple_method, but uses Montgomery arithmetic.
 8124      [Bodo Moeller; point addition and point doubling
 8125      implementation directly derived from source code provided by
 8126      Lenka Fibikova <fibikova@exp-math.uni-essen.de>]
 8128   *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
 8129      crypto/ec/ec_lib.c):
 8131      Curves are EC_GROUP objects (with an optional group generator)
 8132      based on EC_METHODs that are built into the library.
 8134      Points are EC_POINT objects based on EC_GROUP objects.
 8136      Most of the framework would be able to handle curves over arbitrary
 8137      finite fields, but as there are no obvious types for fields other
 8138      than GF(p), some functions are limited to that for now.
 8139      [Bodo Moeller]
 8141   *) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
 8142      that the file contains a complete HTTP response.
 8143      [Richard Levitte]
 8145   *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
 8146      change the def and num file printf format specifier from "%-40sXXX"
 8147      to "%-39s XXX". The latter will always guarantee a space after the
 8148      field while the former will cause them to run together if the field
 8149      is 40 of more characters long.
 8150      [Steve Henson]
 8152   *) Constify the cipher and digest 'method' functions and structures
 8153      and modify related functions to take constant EVP_MD and EVP_CIPHER
 8154      pointers.
 8155      [Steve Henson]
 8157   *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
 8158      in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
 8159      [Bodo Moeller]
 8161   *) Modify EVP_Digest*() routines so they now return values. Although the
 8162      internal software routines can never fail additional hardware versions
 8163      might.
 8164      [Steve Henson]
 8166   *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
 8168      Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
 8169      (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
 8171      ASN1 error codes
 8172           ERR_R_NESTED_ASN1_ERROR
 8173           ...
 8174           ERR_R_MISSING_ASN1_EOS
 8175      were 4 .. 9, conflicting with
 8176           ERR_LIB_RSA (= ERR_R_RSA_LIB)
 8177           ...
 8178           ERR_LIB_PEM (= ERR_R_PEM_LIB).
 8179      They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
 8181      Add new error code 'ERR_R_INTERNAL_ERROR'.
 8182      [Bodo Moeller]
 8184   *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
 8185      suffices.
 8186      [Bodo Moeller]
 8188   *) New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
 8189      sets the subject name for a new request or supersedes the
 8190      subject name in a given request. Formats that can be parsed are
 8191           'CN=Some Name, OU=myOU, C=IT'
 8192      and
 8193           'CN=Some Name/OU=myOU/C=IT'.
 8195      Add options '-batch' and '-verbose' to 'openssl req'.
 8196      [Massimiliano Pala <madwolf@hackmasters.net>]
 8198   *) Introduce the possibility to access global variables through
 8199      functions on platform were that's the best way to handle exporting
 8200      global variables in shared libraries.  To enable this functionality,
 8201      one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
 8202      "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
 8203      is normally done by Configure or something similar).
 8205      To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
 8206      in the source file (foo.c) like this:
 8208         OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
 8209         OPENSSL_IMPLEMENT_GLOBAL(double,bar);
 8211      To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
 8212      and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
 8214         OPENSSL_DECLARE_GLOBAL(int,foo);
 8215         #define foo OPENSSL_GLOBAL_REF(foo)
 8216         OPENSSL_DECLARE_GLOBAL(double,bar);
 8217         #define bar OPENSSL_GLOBAL_REF(bar)
 8219      The #defines are very important, and therefore so is including the
 8220      header file everywhere where the defined globals are used.
 8222      The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
 8223      of ASN.1 items, but that structure is a bit different.
 8225      The largest change is in util/mkdef.pl which has been enhanced with
 8226      better and easier to understand logic to choose which symbols should
 8227      go into the Windows .def files as well as a number of fixes and code
 8228      cleanup (among others, algorithm keywords are now sorted
 8229      lexicographically to avoid constant rewrites).
 8230      [Richard Levitte]
 8232   *) In BN_div() keep a copy of the sign of 'num' before writing the
 8233      result to 'rm' because if rm==num the value will be overwritten
 8234      and produce the wrong result if 'num' is negative: this caused
 8235      problems with BN_mod() and BN_nnmod().
 8236      [Steve Henson]
 8238   *) Function OCSP_request_verify(). This checks the signature on an
 8239      OCSP request and verifies the signer certificate. The signer
 8240      certificate is just checked for a generic purpose and OCSP request
 8241      trust settings.
 8242      [Steve Henson]
 8244   *) Add OCSP_check_validity() function to check the validity of OCSP
 8245      responses. OCSP responses are prepared in real time and may only
 8246      be a few seconds old. Simply checking that the current time lies
 8247      between thisUpdate and nextUpdate max reject otherwise valid responses
 8248      caused by either OCSP responder or client clock inaccuracy. Instead
 8249      we allow thisUpdate and nextUpdate to fall within a certain period of
 8250      the current time. The age of the response can also optionally be
 8251      checked. Two new options -validity_period and -status_age added to
 8252      ocsp utility.
 8253      [Steve Henson]
 8255   *) If signature or public key algorithm is unrecognized print out its
 8256      OID rather that just UNKNOWN.
 8257      [Steve Henson]
 8259   *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
 8260      OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
 8261      ID to be generated from the issuer certificate alone which can then be
 8262      passed to OCSP_id_issuer_cmp().
 8263      [Steve Henson]
 8265   *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
 8266      ASN1 modules to export functions returning ASN1_ITEM pointers
 8267      instead of the ASN1_ITEM structures themselves. This adds several
 8268      new macros which allow the underlying ASN1 function/structure to
 8269      be accessed transparently. As a result code should not use ASN1_ITEM
 8270      references directly (such as &X509_it) but instead use the relevant
 8271      macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
 8272      use of the new ASN1 code on platforms where exporting structures
 8273      is problematical (for example in shared libraries) but exporting
 8274      functions returning pointers to structures is not.
 8275      [Steve Henson]
 8277   *) Add support for overriding the generation of SSL/TLS session IDs.
 8278      These callbacks can be registered either in an SSL_CTX or per SSL.
 8279      The purpose of this is to allow applications to control, if they wish,
 8280      the arbitrary values chosen for use as session IDs, particularly as it
 8281      can be useful for session caching in multiple-server environments. A
 8282      command-line switch for testing this (and any client code that wishes
 8283      to use such a feature) has been added to "s_server".
 8284      [Geoff Thorpe, Lutz Jaenicke]
 8286   *) Modify mkdef.pl to recognise and parse preprocessor conditionals
 8287      of the form '#if defined(...) || defined(...) || ...' and
 8288      '#if !defined(...) && !defined(...) && ...'.  This also avoids
 8289      the growing number of special cases it was previously handling.
 8290      [Richard Levitte]
 8292   *) Make all configuration macros available for application by making
 8293      sure they are available in opensslconf.h, by giving them names starting
 8294      with "OPENSSL_" to avoid conflicts with other packages and by making
 8295      sure e_os2.h will cover all platform-specific cases together with
 8296      opensslconf.h.
 8297      Additionally, it is now possible to define configuration/platform-
 8298      specific names (called "system identities").  In the C code, these
 8299      are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
 8300      macro with the name beginning with "OPENSSL_SYS_", which is determined
 8301      from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
 8302      what is available.
 8303      [Richard Levitte]
 8305   *) New option -set_serial to 'req' and 'x509' this allows the serial
 8306      number to use to be specified on the command line. Previously self
 8307      signed certificates were hard coded with serial number 0 and the
 8308      CA options of 'x509' had to use a serial number in a file which was
 8309      auto incremented.
 8310      [Steve Henson]
 8312   *) New options to 'ca' utility to support V2 CRL entry extensions.
 8313      Currently CRL reason, invalidity date and hold instruction are
 8314      supported. Add new CRL extensions to V3 code and some new objects.
 8315      [Steve Henson]
 8317   *) New function EVP_CIPHER_CTX_set_padding() this is used to
 8318      disable standard block padding (aka PKCS#5 padding) in the EVP
 8319      API, which was previously mandatory. This means that the data is
 8320      not padded in any way and so the total length much be a multiple
 8321      of the block size, otherwise an error occurs.
 8322      [Steve Henson]
 8324   *) Initial (incomplete) OCSP SSL support.
 8325      [Steve Henson]
 8327   *) New function OCSP_parse_url(). This splits up a URL into its host,
 8328      port and path components: primarily to parse OCSP URLs. New -url
 8329      option to ocsp utility.
 8330      [Steve Henson]
 8332   *) New nonce behavior. The return value of OCSP_check_nonce() now
 8333      reflects the various checks performed. Applications can decide
 8334      whether to tolerate certain situations such as an absent nonce
 8335      in a response when one was present in a request: the ocsp application
 8336      just prints out a warning. New function OCSP_add1_basic_nonce()
 8337      this is to allow responders to include a nonce in a response even if
 8338      the request is nonce-less.
 8339      [Steve Henson]
 8341   *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
 8342      skipped when using openssl x509 multiple times on a single input file,
 8343      e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
 8344      [Bodo Moeller]
 8346   *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
 8347      set string type: to handle setting ASN1_TIME structures. Fix ca
 8348      utility to correctly initialize revocation date of CRLs.
 8349      [Steve Henson]
 8351   *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
 8352      the clients preferred ciphersuites and rather use its own preferences.
 8353      Should help to work around M$ SGC (Server Gated Cryptography) bug in
 8354      Internet Explorer by ensuring unchanged hash method during stepup.
 8355      (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
 8356      [Lutz Jaenicke]
 8358   *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
 8359      to aes and add a new 'exist' option to print out symbols that don't
 8360      appear to exist.
 8361      [Steve Henson]
 8363   *) Additional options to ocsp utility to allow flags to be set and
 8364      additional certificates supplied.
 8365      [Steve Henson]
 8367   *) Add the option -VAfile to 'openssl ocsp', so the user can give the
 8368      OCSP client a number of certificate to only verify the response
 8369      signature against.
 8370      [Richard Levitte]
 8372   *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
 8373      handle the new API. Currently only ECB, CBC modes supported. Add new
 8374      AES OIDs.
 8376      Add TLS AES ciphersuites as described in RFC3268, "Advanced
 8377      Encryption Standard (AES) Ciphersuites for Transport Layer
 8378      Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
 8379      not enabled by default and were not part of the "ALL" ciphersuite
 8380      alias because they were not yet official; they could be
 8381      explicitly requested by specifying the "AESdraft" ciphersuite
 8382      group alias.  In the final release of OpenSSL 0.9.7, the group
 8383      alias is called "AES" and is part of "ALL".)
 8384      [Ben Laurie, Steve  Henson, Bodo Moeller]
 8386   *) New function OCSP_copy_nonce() to copy nonce value (if present) from
 8387      request to response.
 8388      [Steve Henson]
 8390   *) Functions for OCSP responders. OCSP_request_onereq_count(),
 8391      OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
 8392      extract information from a certificate request. OCSP_response_create()
 8393      creates a response and optionally adds a basic response structure.
 8394      OCSP_basic_add1_status() adds a complete single response to a basic
 8395      response and returns the OCSP_SINGLERESP structure just added (to allow
 8396      extensions to be included for example). OCSP_basic_add1_cert() adds a
 8397      certificate to a basic response and OCSP_basic_sign() signs a basic
 8398      response with various flags. New helper functions ASN1_TIME_check()
 8399      (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
 8400      (converts ASN1_TIME to GeneralizedTime).
 8401      [Steve Henson]
 8403   *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
 8404      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
 8405      structure from a certificate. X509_pubkey_digest() digests the public_key
 8406      contents: this is used in various key identifiers.
 8407      [Steve Henson]
 8409   *) Make sk_sort() tolerate a NULL argument.
 8410      [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
 8412   *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
 8413      passed by the function are trusted implicitly. If any of them signed the
 8414      response then it is assumed to be valid and is not verified.
 8415      [Steve Henson]
 8417   *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
 8418      to data. This was previously part of the PKCS7 ASN1 code. This
 8419      was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
 8420      [Steve Henson, reported by Kenneth R. Robinette
 8421                                 <support@securenetterm.com>]
 8423   *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
 8424      routines: without these tracing memory leaks is very painful.
 8425      Fix leaks in PKCS12 and PKCS7 routines.
 8426      [Steve Henson]
 8428   *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
 8429      Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
 8430      effectively meant GeneralizedTime would never be used. Now it
 8431      is initialised to -1 but X509_time_adj() now has to check the value
 8432      and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
 8433      V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
 8434      [Steve Henson, reported by Kenneth R. Robinette
 8435                                 <support@securenetterm.com>]
 8437   *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
 8438      result in a zero length in the ASN1_INTEGER structure which was
 8439      not consistent with the structure when d2i_ASN1_INTEGER() was used
 8440      and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
 8441      to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
 8442      where it did not print out a minus for negative ASN1_INTEGER.
 8443      [Steve Henson]
 8445   *) Add summary printout to ocsp utility. The various functions which
 8446      convert status values to strings have been renamed to:
 8447      OCSP_response_status_str(), OCSP_cert_status_str() and
 8448      OCSP_crl_reason_str() and are no longer static. New options
 8449      to verify nonce values and to disable verification. OCSP response
 8450      printout format cleaned up.
 8451      [Steve Henson]
 8453   *) Add additional OCSP certificate checks. These are those specified
 8454      in RFC2560. This consists of two separate checks: the CA of the
 8455      certificate being checked must either be the OCSP signer certificate
 8456      or the issuer of the OCSP signer certificate. In the latter case the
 8457      OCSP signer certificate must contain the OCSP signing extended key
 8458      usage. This check is performed by attempting to match the OCSP
 8459      signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
 8460      in the OCSP_CERTID structures of the response.
 8461      [Steve Henson]
 8463   *) Initial OCSP certificate verification added to OCSP_basic_verify()
 8464      and related routines. This uses the standard OpenSSL certificate
 8465      verify routines to perform initial checks (just CA validity) and
 8466      to obtain the certificate chain. Then additional checks will be
 8467      performed on the chain. Currently the root CA is checked to see
 8468      if it is explicitly trusted for OCSP signing. This is used to set
 8469      a root CA as a global signing root: that is any certificate that
 8470      chains to that CA is an acceptable OCSP signing certificate.
 8471      [Steve Henson]
 8473   *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
 8474      extensions from a separate configuration file.
 8475      As when reading extensions from the main configuration file,
 8476      the '-extensions ...' option may be used for specifying the
 8477      section to use.
 8478      [Massimiliano Pala <madwolf@comune.modena.it>]
 8480   *) New OCSP utility. Allows OCSP requests to be generated or
 8481      read. The request can be sent to a responder and the output
 8482      parsed, outputted or printed in text form. Not complete yet:
 8483      still needs to check the OCSP response validity.
 8484      [Steve Henson]
 8486   *) New subcommands for 'openssl ca':
 8487      'openssl ca -status <serial>' prints the status of the cert with
 8488      the given serial number (according to the index file).
 8489      'openssl ca -updatedb' updates the expiry status of certificates
 8490      in the index file.
 8491      [Massimiliano Pala <madwolf@comune.modena.it>]
 8493   *) New '-newreq-nodes' command option to CA.pl.  This is like
 8494      '-newreq', but calls 'openssl req' with the '-nodes' option
 8495      so that the resulting key is not encrypted.
 8496      [Damien Miller <djm@mindrot.org>]
 8498   *) New configuration for the GNU Hurd.
 8499      [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
 8501   *) Initial code to implement OCSP basic response verify. This
 8502      is currently incomplete. Currently just finds the signer's
 8503      certificate and verifies the signature on the response.
 8504      [Steve Henson]
 8506   *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
 8507      value of OPENSSLDIR.  This is available via the new '-d' option
 8508      to 'openssl version', and is also included in 'openssl version -a'.
 8509      [Bodo Moeller]
 8511   *) Allowing defining memory allocation callbacks that will be given
 8512      file name and line number information in additional arguments
 8513      (a const char* and an int).  The basic functionality remains, as
 8514      well as the original possibility to just replace malloc(),
 8515      realloc() and free() by functions that do not know about these
 8516      additional arguments.  To register and find out the current
 8517      settings for extended allocation functions, the following
 8518      functions are provided:
 8520         CRYPTO_set_mem_ex_functions
 8521         CRYPTO_set_locked_mem_ex_functions
 8522         CRYPTO_get_mem_ex_functions
 8523         CRYPTO_get_locked_mem_ex_functions
 8525      These work the same way as CRYPTO_set_mem_functions and friends.
 8526      CRYPTO_get_[locked_]mem_functions now writes 0 where such an
 8527      extended allocation function is enabled.
 8528      Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
 8529      a conventional allocation function is enabled.
 8530      [Richard Levitte, Bodo Moeller]
 8532   *) Finish off removing the remaining LHASH function pointer casts.
 8533      There should no longer be any prototype-casting required when using
 8534      the LHASH abstraction, and any casts that remain are "bugs". See
 8535      the callback types and macros at the head of lhash.h for details
 8536      (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
 8537      [Geoff Thorpe]
 8539   *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
 8540      If /dev/[u]random devices are not available or do not return enough
 8541      entropy, EGD style sockets (served by EGD or PRNGD) will automatically
 8542      be queried.
 8543      The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
 8544      /etc/entropy will be queried once each in this sequence, querying stops
 8545      when enough entropy was collected without querying more sockets.
 8546      [Lutz Jaenicke]
 8548   *) Change the Unix RAND_poll() variant to be able to poll several
 8549      random devices, as specified by DEVRANDOM, until a sufficient amount
 8550      of data has been collected.   We spend at most 10 ms on each file
 8551      (select timeout) and read in non-blocking mode.  DEVRANDOM now
 8552      defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
 8553      (previously it was just the string "/dev/urandom"), so on typical
 8554      platforms the 10 ms delay will never occur.
 8555      Also separate out the Unix variant to its own file, rand_unix.c.
 8556      For VMS, there's a currently-empty rand_vms.c.
 8557      [Richard Levitte]
 8559   *) Move OCSP client related routines to ocsp_cl.c. These
 8560      provide utility functions which an application needing
 8561      to issue a request to an OCSP responder and analyse the
 8562      response will typically need: as opposed to those which an
 8563      OCSP responder itself would need which will be added later.
 8565      OCSP_request_sign() signs an OCSP request with an API similar
 8566      to PKCS7_sign(). OCSP_response_status() returns status of OCSP
 8567      response. OCSP_response_get1_basic() extracts basic response
 8568      from response. OCSP_resp_find_status(): finds and extracts status
 8569      information from an OCSP_CERTID structure (which will be created
 8570      when the request structure is built). These are built from lower
 8571      level functions which work on OCSP_SINGLERESP structures but
 8572      won't normally be used unless the application wishes to examine
 8573      extensions in the OCSP response for example.
 8575      Replace nonce routines with a pair of functions.
 8576      OCSP_request_add1_nonce() adds a nonce value and optionally
 8577      generates a random value. OCSP_check_nonce() checks the
 8578      validity of the nonce in an OCSP response.
 8579      [Steve Henson]
 8581   *) Change function OCSP_request_add() to OCSP_request_add0_id().
 8582      This doesn't copy the supplied OCSP_CERTID and avoids the
 8583      need to free up the newly created id. Change return type
 8584      to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
 8585      This can then be used to add extensions to the request.
 8586      Deleted OCSP_request_new(), since most of its functionality
 8587      is now in OCSP_REQUEST_new() (and the case insensitive name
 8588      clash) apart from the ability to set the request name which
 8589      will be added elsewhere.
 8590      [Steve Henson]
 8592   *) Update OCSP API. Remove obsolete extensions argument from
 8593      various functions. Extensions are now handled using the new
 8594      OCSP extension code. New simple OCSP HTTP function which
 8595      can be used to send requests and parse the response.
 8596      [Steve Henson]
 8598   *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
 8599      ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
 8600      uses the special reorder version of SET OF to sort the attributes
 8601      and reorder them to match the encoded order. This resolves a long
 8602      standing problem: a verify on a PKCS7 structure just after signing
 8603      it used to fail because the attribute order did not match the
 8604      encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
 8605      it uses the received order. This is necessary to tolerate some broken
 8606      software that does not order SET OF. This is handled by encoding
 8607      as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
 8608      to produce the required SET OF.
 8609      [Steve Henson]
 8611   *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
 8612      OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
 8613      files to get correct declarations of the ASN.1 item variables.
 8614      [Richard Levitte]
 8616   *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
 8617      PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
 8618      asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
 8619      NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
 8620      New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
 8621      ASN1_ITEM and no wrapper functions.
 8622      [Steve Henson]
 8624   *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
 8625      replace the old function pointer based I/O routines. Change most of
 8626      the *_d2i_bio() and *_d2i_fp() functions to use these.
 8627      [Steve Henson]
 8629   *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
 8630      lines, recognize more "algorithms" that can be deselected, and make
 8631      it complain about algorithm deselection that isn't recognised.
 8632      [Richard Levitte]
 8634   *) New ASN1 functions to handle dup, sign, verify, digest, pack and
 8635      unpack operations in terms of ASN1_ITEM. Modify existing wrappers
 8636      to use new functions. Add NO_ASN1_OLD which can be set to remove
 8637      some old style ASN1 functions: this can be used to determine if old
 8638      code will still work when these eventually go away.
 8639      [Steve Henson]
 8641   *) New extension functions for OCSP structures, these follow the
 8642      same conventions as certificates and CRLs.
 8643      [Steve Henson]
 8645   *) New function X509V3_add1_i2d(). This automatically encodes and
 8646      adds an extension. Its behaviour can be customised with various
 8647      flags to append, replace or delete. Various wrappers added for
 8648      certificates and CRLs.
 8649      [Steve Henson]
 8651   *) Fix to avoid calling the underlying ASN1 print routine when
 8652      an extension cannot be parsed. Correct a typo in the
 8653      OCSP_SERVICELOC extension. Tidy up print OCSP format.
 8654      [Steve Henson]
 8656   *) Make mkdef.pl parse some of the ASN1 macros and add appropriate
 8657      entries for variables.
 8658      [Steve Henson]
 8660   *) Add functionality to apps/openssl.c for detecting locking
 8661      problems: As the program is single-threaded, all we have
 8662      to do is register a locking callback using an array for
 8663      storing which locks are currently held by the program.
 8664      [Bodo Moeller]
 8666   *) Use a lock around the call to CRYPTO_get_ex_new_index() in
 8667      SSL_get_ex_data_X509_STORE_idx(), which is used in
 8668      ssl_verify_cert_chain() and thus can be called at any time
 8669      during TLS/SSL handshakes so that thread-safety is essential.
 8670      Unfortunately, the ex_data design is not at all suited
 8671      for multi-threaded use, so it probably should be abolished.
 8672      [Bodo Moeller]
 8674   *) Added Broadcom "ubsec" ENGINE to OpenSSL.
 8675      [Broadcom, tweaked and integrated by Geoff Thorpe]
 8677   *) Move common extension printing code to new function
 8678      X509V3_print_extensions(). Reorganise OCSP print routines and
 8679      implement some needed OCSP ASN1 functions. Add OCSP extensions.
 8680      [Steve Henson]
 8682   *) New function X509_signature_print() to remove duplication in some
 8683      print routines.
 8684      [Steve Henson]
 8686   *) Add a special meaning when SET OF and SEQUENCE OF flags are both
 8687      set (this was treated exactly the same as SET OF previously). This
 8688      is used to reorder the STACK representing the structure to match the
 8689      encoding. This will be used to get round a problem where a PKCS7
 8690      structure which was signed could not be verified because the STACK
 8691      order did not reflect the encoded order.
 8692      [Steve Henson]
 8694   *) Reimplement the OCSP ASN1 module using the new code.
 8695      [Steve Henson]
 8697   *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
 8698      for its ASN1 operations. The old style function pointers still exist
 8699      for now but they will eventually go away.
 8700      [Steve Henson]
 8702   *) Merge in replacement ASN1 code from the ASN1 branch. This almost
 8703      completely replaces the old ASN1 functionality with a table driven
 8704      encoder and decoder which interprets an ASN1_ITEM structure describing
 8705      the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
 8706      largely maintained. Almost all of the old asn1_mac.h macro based ASN1
 8707      has also been converted to the new form.
 8708      [Steve Henson]
 8710   *) Change BN_mod_exp_recp so that negative moduli are tolerated
 8711      (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
 8712      so that BN_mod_exp_mont and BN_mod_exp_mont_word work
 8713      for negative moduli.
 8714      [Bodo Moeller]
 8716   *) Fix BN_uadd and BN_usub: Always return non-negative results instead
 8717      of not touching the result's sign bit.
 8718      [Bodo Moeller]
 8720   *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
 8721      set.
 8722      [Bodo Moeller]
 8724   *) Changed the LHASH code to use prototypes for callbacks, and created
 8725      macros to declare and implement thin (optionally static) functions
 8726      that provide type-safety and avoid function pointer casting for the
 8727      type-specific callbacks.
 8728      [Geoff Thorpe]
 8730   *) Added Kerberos Cipher Suites to be used with TLS, as written in
 8731      RFC 2712.
 8732      [Veers Staats <staatsvr@asc.hpc.mil>,
 8733       Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
 8735   *) Reformat the FAQ so the different questions and answers can be divided
 8736      in sections depending on the subject.
 8737      [Richard Levitte]
 8739   *) Have the zlib compression code load ZLIB.DLL dynamically under
 8740      Windows.
 8741      [Richard Levitte]
 8743   *) New function BN_mod_sqrt for computing square roots modulo a prime
 8744      (using the probabilistic Tonelli-Shanks algorithm unless
 8745      p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
 8746      be handled deterministically).
 8747      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 8749   *) Make BN_mod_inverse faster by explicitly handling small quotients
 8750      in the Euclid loop. (Speed gain about 20% for small moduli [256 or
 8751      512 bits], about 30% for larger ones [1024 or 2048 bits].)
 8752      [Bodo Moeller]
 8754   *) New function BN_kronecker.
 8755      [Bodo Moeller]
 8757   *) Fix BN_gcd so that it works on negative inputs; the result is
 8758      positive unless both parameters are zero.
 8759      Previously something reasonably close to an infinite loop was
 8760      possible because numbers could be growing instead of shrinking
 8761      in the implementation of Euclid's algorithm.
 8762      [Bodo Moeller]
 8764   *) Fix BN_is_word() and BN_is_one() macros to take into account the
 8765      sign of the number in question.
 8767      Fix BN_is_word(a,w) to work correctly for w == 0.
 8769      The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
 8770      because its test if the absolute value of 'a' equals 'w'.
 8771      Note that BN_abs_is_word does *not* handle w == 0 reliably;
 8772      it exists mostly for use in the implementations of BN_is_zero(),
 8773      BN_is_one(), and BN_is_word().
 8774      [Bodo Moeller]
 8776   *) New function BN_swap.
 8777      [Bodo Moeller]
 8779   *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
 8780      the exponentiation functions are more likely to produce reasonable
 8781      results on negative inputs.
 8782      [Bodo Moeller]
 8784   *) Change BN_mod_mul so that the result is always non-negative.
 8785      Previously, it could be negative if one of the factors was negative;
 8786      I don't think anyone really wanted that behaviour.
 8787      [Bodo Moeller]
 8789   *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
 8790      (except for exponentiation, which stays in crypto/bn/bn_exp.c,
 8791      and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
 8792      and add new functions:
 8794           BN_nnmod
 8795           BN_mod_sqr
 8796           BN_mod_add
 8797           BN_mod_add_quick
 8798           BN_mod_sub
 8799           BN_mod_sub_quick
 8800           BN_mod_lshift1
 8801           BN_mod_lshift1_quick
 8802           BN_mod_lshift
 8803           BN_mod_lshift_quick
 8805      These functions always generate non-negative results.
 8807      BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
 8808      such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
 8810      BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
 8811      BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
 8812      be reduced modulo  m.
 8813      [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
 8815 #if 0
 8816      The following entry accidentally appeared in the CHANGES file
 8817      distributed with OpenSSL 0.9.7.  The modifications described in
 8818      it do *not* apply to OpenSSL 0.9.7.
 8820   *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
 8821      was actually never needed) and in BN_mul().  The removal in BN_mul()
 8822      required a small change in bn_mul_part_recursive() and the addition
 8823      of the functions bn_cmp_part_words(), bn_sub_part_words() and
 8824      bn_add_part_words(), which do the same thing as bn_cmp_words(),
 8825      bn_sub_words() and bn_add_words() except they take arrays with
 8826      differing sizes.
 8827      [Richard Levitte]
 8828 #endif
 8830   *) In 'openssl passwd', verify passwords read from the terminal
 8831      unless the '-salt' option is used (which usually means that
 8832      verification would just waste user's time since the resulting
 8833      hash is going to be compared with some given password hash)
 8834      or the new '-noverify' option is used.
 8836      This is an incompatible change, but it does not affect
 8837      non-interactive use of 'openssl passwd' (passwords on the command
 8838      line, '-stdin' option, '-in ...' option) and thus should not
 8839      cause any problems.
 8840      [Bodo Moeller]
 8842   *) Remove all references to RSAref, since there's no more need for it.
 8843      [Richard Levitte]
 8845   *) Make DSO load along a path given through an environment variable
 8846      (SHLIB_PATH) with shl_load().
 8847      [Richard Levitte]
 8849   *) Constify the ENGINE code as a result of BIGNUM constification.
 8850      Also constify the RSA code and most things related to it.  In a
 8851      few places, most notable in the depth of the ASN.1 code, ugly
 8852      casts back to non-const were required (to be solved at a later
 8853      time)
 8854      [Richard Levitte]
 8856   *) Make it so the openssl application has all engines loaded by default.
 8857      [Richard Levitte]
 8859   *) Constify the BIGNUM routines a little more.
 8860      [Richard Levitte]
 8862   *) Add the following functions:
 8864         ENGINE_load_cswift()
 8865         ENGINE_load_chil()
 8866         ENGINE_load_atalla()
 8867         ENGINE_load_nuron()
 8868         ENGINE_load_builtin_engines()
 8870      That way, an application can itself choose if external engines that
 8871      are built-in in OpenSSL shall ever be used or not.  The benefit is
 8872      that applications won't have to be linked with libdl or other dso
 8873      libraries unless it's really needed.
 8875      Changed 'openssl engine' to load all engines on demand.
 8876      Changed the engine header files to avoid the duplication of some
 8877      declarations (they differed!).
 8878      [Richard Levitte]
 8880   *) 'openssl engine' can now list capabilities.
 8881      [Richard Levitte]
 8883   *) Better error reporting in 'openssl engine'.
 8884      [Richard Levitte]
 8886   *) Never call load_dh_param(NULL) in s_server.
 8887      [Bodo Moeller]
 8889   *) Add engine application.  It can currently list engines by name and
 8890      identity, and test if they are actually available.
 8891      [Richard Levitte]
 8893   *) Improve RPM specification file by forcing symbolic linking and making
 8894      sure the installed documentation is also owned by root.root.
 8895      [Damien Miller <djm@mindrot.org>]
 8897   *) Give the OpenSSL applications more possibilities to make use of
 8898      keys (public as well as private) handled by engines.
 8899      [Richard Levitte]
 8901   *) Add OCSP code that comes from CertCo.
 8902      [Richard Levitte]
 8904   *) Add VMS support for the Rijndael code.
 8905      [Richard Levitte]
 8907   *) Added untested support for Nuron crypto accelerator.
 8908      [Ben Laurie]
 8910   *) Add support for external cryptographic devices.  This code was
 8911      previously distributed separately as the "engine" branch.
 8912      [Geoff Thorpe, Richard Levitte]
 8914   *) Rework the filename-translation in the DSO code. It is now possible to
 8915      have far greater control over how a "name" is turned into a filename
 8916      depending on the operating environment and any oddities about the
 8917      different shared library filenames on each system.
 8918      [Geoff Thorpe]
 8920   *) Support threads on FreeBSD-elf in Configure.
 8921      [Richard Levitte]
 8923   *) Fix for SHA1 assembly problem with MASM: it produces
 8924      warnings about corrupt line number information when assembling
 8925      with debugging information. This is caused by the overlapping
 8926      of two sections.
 8927      [Bernd Matthes <mainbug@celocom.de>, Steve Henson]
 8929   *) NCONF changes.
 8930      NCONF_get_number() has no error checking at all.  As a replacement,
 8931      NCONF_get_number_e() is defined (_e for "error checking") and is
 8932      promoted strongly.  The old NCONF_get_number is kept around for
 8933      binary backward compatibility.
 8934      Make it possible for methods to load from something other than a BIO,
 8935      by providing a function pointer that is given a name instead of a BIO.
 8936      For example, this could be used to load configuration data from an
 8937      LDAP server.
 8938      [Richard Levitte]
 8940   *) Fix for non blocking accept BIOs. Added new I/O special reason
 8941      BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
 8942      with non blocking I/O was not possible because no retry code was
 8943      implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
 8944      this case.
 8945      [Steve Henson]
 8947   *) Added the beginnings of Rijndael support.
 8948      [Ben Laurie]
 8950   *) Fix for bug in DirectoryString mask setting. Add support for
 8951      X509_NAME_print_ex() in 'req' and X509_print_ex() function
 8952      to allow certificate printing to more controllable, additional
 8953      'certopt' option to 'x509' to allow new printing options to be
 8954      set.
 8955      [Steve Henson]
 8957   *) Clean old EAY MD5 hack from e_os.h.
 8958      [Richard Levitte]
 8960  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 8962   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
 8963      by using the Codenomicon TLS Test Tool (CVE-2004-0079)
 8964      [Joe Orton, Steve Henson]
 8966  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
 8968   *) Fix additional bug revealed by the NISCC test suite:
 8970      Stop bug triggering large recursion when presented with
 8971      certain ASN.1 tags (CVE-2003-0851)
 8972      [Steve Henson]
 8974  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
 8976   *) Fix various bugs revealed by running the NISCC test suite:
 8978      Stop out of bounds reads in the ASN1 code when presented with
 8979      invalid tags (CVE-2003-0543 and CVE-2003-0544).
 8981      If verify callback ignores invalid public key errors don't try to check
 8982      certificate signature with the NULL public key.
 8984      [Steve Henson]
 8986   *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
 8987      if the server requested one: as stated in TLS 1.0 and SSL 3.0
 8988      specifications.
 8989      [Steve Henson]
 8991   *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
 8992      extra data after the compression methods not only for TLS 1.0
 8993      but also for SSL 3.0 (as required by the specification).
 8994      [Bodo Moeller; problem pointed out by Matthias Loepfe]
 8996   *) Change X509_certificate_type() to mark the key as exported/exportable
 8997      when it's 512 *bits* long, not 512 bytes.
 8998      [Richard Levitte]
 9000  Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
 9002   *) Countermeasure against the Klima-Pokorny-Rosa extension of
 9003      Bleichbacher's attack on PKCS #1 v1.5 padding: treat
 9004      a protocol version number mismatch like a decryption error
 9005      in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
 9006      [Bodo Moeller]
 9008   *) Turn on RSA blinding by default in the default implementation
 9009      to avoid a timing attack. Applications that don't want it can call
 9010      RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
 9011      They would be ill-advised to do so in most cases.
 9012      [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
 9014   *) Change RSA blinding code so that it works when the PRNG is not
 9015      seeded (in this case, the secret RSA exponent is abused as
 9016      an unpredictable seed -- if it is not unpredictable, there
 9017      is no point in blinding anyway).  Make RSA blinding thread-safe
 9018      by remembering the creator's thread ID in rsa->blinding and
 9019      having all other threads use local one-time blinding factors
 9020      (this requires more computation than sharing rsa->blinding, but
 9021      avoids excessive locking; and if an RSA object is not shared
 9022      between threads, blinding will still be very fast).
 9023      [Bodo Moeller]
 9025  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
 9027   *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
 9028      via timing by performing a MAC computation even if incorrect
 9029      block cipher padding has been found.  This is a countermeasure
 9030      against active attacks where the attacker has to distinguish
 9031      between bad padding and a MAC verification error. (CVE-2003-0078)
 9033      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
 9034      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
 9035      Martin Vuagnoux (EPFL, Ilion)]
 9037  Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
 9039   *) New function OPENSSL_cleanse(), which is used to cleanse a section of
 9040      memory from its contents.  This is done with a counter that will
 9041      place alternating values in each byte.  This can be used to solve
 9042      two issues: 1) the removal of calls to memset() by highly optimizing
 9043      compilers, and 2) cleansing with other values than 0, since those can
 9044      be read through on certain media, for example a swap space on disk.
 9045      [Geoff Thorpe]
 9047   *) Bugfix: client side session caching did not work with external caching,
 9048      because the session->cipher setting was not restored when reloading
 9049      from the external cache. This problem was masked, when
 9051      (Found by Steve Haslam <steve@araqnid.ddts.net>.)
 9052      [Lutz Jaenicke]
 9054   *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
 9055      length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
 9056      [Zeev Lieber <zeev-l@yahoo.com>]
 9058   *) Undo an undocumented change introduced in 0.9.6e which caused
 9059      repeated calls to OpenSSL_add_all_ciphers() and
 9060      OpenSSL_add_all_digests() to be ignored, even after calling
 9061      EVP_cleanup().
 9062      [Richard Levitte]
 9064   *) Change the default configuration reader to deal with last line not
 9065      being properly terminated.
 9066      [Richard Levitte]
 9068   *) Change X509_NAME_cmp() so it applies the special rules on handling
 9069      DN values that are of type PrintableString, as well as RDNs of type
 9070      emailAddress where the value has the type ia5String.
 9071      [stefank@valicert.com via Richard Levitte]
 9073   *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
 9074      the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
 9075      doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
 9076      the bitwise-OR of the two for use by the majority of applications
 9077      wanting this behaviour, and update the docs. The documented
 9078      behaviour and actual behaviour were inconsistent and had been
 9079      changing anyway, so this is more a bug-fix than a behavioural
 9080      change.
 9081      [Geoff Thorpe, diagnosed by Nadav Har'El]
 9083   *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
 9084      (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
 9085      [Bodo Moeller]
 9087   *) Fix initialization code race conditions in
 9088         SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
 9089         SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
 9090         SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
 9091         TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
 9092         ssl2_get_cipher_by_char(),
 9093         ssl3_get_cipher_by_char().
 9094      [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
 9096   *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
 9097      the cached sessions are flushed, as the remove_cb() might use ex_data
 9098      contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
 9099      (see [openssl.org #212]).
 9100      [Geoff Thorpe, Lutz Jaenicke]
 9102   *) Fix typo in OBJ_txt2obj which incorrectly passed the content
 9103      length, instead of the encoding length to d2i_ASN1_OBJECT.
 9104      [Steve Henson]
 9106  Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
 9108   *) [In 0.9.6g-engine release:]
 9109      Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
 9110      [Lynn Gazis <lgazis@rainbow.com>]
 9112  Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
 9114   *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
 9115      and get fix the header length calculation.
 9116      [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
 9117         Alon Kantor <alonk@checkpoint.com> (and others),
 9118         Steve Henson]
 9120   *) Use proper error handling instead of 'assertions' in buffer
 9121      overflow checks added in 0.9.6e.  This prevents DoS (the
 9122      assertions could call abort()).
 9123      [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
 9125  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
 9127   *) Add various sanity checks to asn1_get_length() to reject
 9128      the ASN1 length bytes if they exceed sizeof(long), will appear
 9129      negative or the content length exceeds the length of the
 9130      supplied buffer.
 9131      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 9133   *) Fix cipher selection routines: ciphers without encryption had no flags
 9134      for the cipher strength set and where therefore not handled correctly
 9135      by the selection routines (PR #130).
 9136      [Lutz Jaenicke]
 9138   *) Fix EVP_dsa_sha macro.
 9139      [Nils Larsch]
 9141   *) New option
 9143      for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
 9144      that was added in OpenSSL 0.9.6d.
 9146      As the countermeasure turned out to be incompatible with some
 9147      broken SSL implementations, the new option is part of SSL_OP_ALL.
 9148      SSL_OP_ALL is usually employed when compatibility with weird SSL
 9149      implementations is desired (e.g. '-bugs' option to 's_client' and
 9150      's_server'), so the new option is automatically set in many
 9151      applications.
 9152      [Bodo Moeller]
 9154   *) Changes in security patch:
 9156      Changes marked "(CHATS)" were sponsored by the Defense Advanced
 9157      Research Projects Agency (DARPA) and Air Force Research Laboratory,
 9158      Air Force Materiel Command, USAF, under agreement number
 9159      F30602-01-2-0537.
 9161   *) Add various sanity checks to asn1_get_length() to reject
 9162      the ASN1 length bytes if they exceed sizeof(long), will appear
 9163      negative or the content length exceeds the length of the
 9164      supplied buffer. (CVE-2002-0659)
 9165      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 9167   *) Assertions for various potential buffer overflows, not known to
 9168      happen in practice.
 9169      [Ben Laurie (CHATS)]
 9171   *) Various temporary buffers to hold ASCII versions of integers were
 9172      too small for 64 bit platforms. (CVE-2002-0655)
 9173      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 9175   *) Remote buffer overflow in SSL3 protocol - an attacker could
 9176      supply an oversized session ID to a client. (CVE-2002-0656)
 9177      [Ben Laurie (CHATS)]
 9179   *) Remote buffer overflow in SSL2 protocol - an attacker could
 9180      supply an oversized client master key. (CVE-2002-0656)
 9181      [Ben Laurie (CHATS)]
 9183  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
 9185   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
 9186      encoded as NULL) with id-dsa-with-sha1.
 9187      [Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
 9189   *) Check various X509_...() return values in apps/req.c.
 9190      [Nils Larsch <nla@trustcenter.de>]
 9192   *) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
 9193      an end-of-file condition would erroneously be flagged, when the CRLF
 9194      was just at the end of a processed block. The bug was discovered when
 9195      processing data through a buffering memory BIO handing the data to a
 9196      BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
 9197      <ptsekov@syntrex.com> and Nedelcho Stanev.
 9198      [Lutz Jaenicke]
 9200   *) Implement a countermeasure against a vulnerability recently found
 9201      in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
 9202      before application data chunks to avoid the use of known IVs
 9203      with data potentially chosen by the attacker.
 9204      [Bodo Moeller]
 9206   *) Fix length checks in ssl3_get_client_hello().
 9207      [Bodo Moeller]
 9209   *) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
 9210      to prevent ssl3_read_internal() from incorrectly assuming that
 9211      ssl3_read_bytes() found application data while handshake
 9212      processing was enabled when in fact s->s3->in_read_app_data was
 9213      merely automatically cleared during the initial handshake.
 9214      [Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
 9216   *) Fix object definitions for Private and Enterprise: they were not
 9217      recognized in their shortname (=lowercase) representation. Extend
 9218      obj_dat.pl to issue an error when using undefined keywords instead
 9219      of silently ignoring the problem (Svenning Sorensen
 9220      <sss@sss.dnsalias.net>).
 9221      [Lutz Jaenicke]
 9223   *) Fix DH_generate_parameters() so that it works for 'non-standard'
 9224      generators, i.e. generators other than 2 and 5.  (Previously, the
 9225      code did not properly initialise the 'add' and 'rem' values to
 9226      BN_generate_prime().)
 9228      In the new general case, we do not insist that 'generator' is
 9229      actually a primitive root: This requirement is rather pointless;
 9230      a generator of the order-q subgroup is just as good, if not
 9231      better.
 9232      [Bodo Moeller]
 9234   *) Map new X509 verification errors to alerts. Discovered and submitted by
 9235      Tom Wu <tom@arcot.com>.
 9236      [Lutz Jaenicke]
 9238   *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
 9239      returning non-zero before the data has been completely received
 9240      when using non-blocking I/O.
 9241      [Bodo Moeller; problem pointed out by John Hughes]
 9243   *) Some of the ciphers missed the strength entry (SSL_LOW etc).
 9244      [Ben Laurie, Lutz Jaenicke]
 9246   *) Fix bug in SSL_clear(): bad sessions were not removed (found by
 9247      Yoram Zahavi <YoramZ@gilian.com>).
 9248      [Lutz Jaenicke]
 9250   *) Add information about CygWin 1.3 and on, and preserve proper
 9251      configuration for the versions before that.
 9252      [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
 9254   *) Make removal from session cache (SSL_CTX_remove_session()) more robust:
 9255      check whether we deal with a copy of a session and do not delete from
 9256      the cache in this case. Problem reported by "Izhar Shoshani Levi"
 9257      <izhar@checkpoint.com>.
 9258      [Lutz Jaenicke]
 9260   *) Do not store session data into the internal session cache, if it
 9261      is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
 9262      flag is set). Proposed by Aslam <aslam@funk.com>.
 9263      [Lutz Jaenicke]
 9265   *) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
 9266      value is 0.
 9267      [Richard Levitte]
 9269   *) [In 0.9.6d-engine release:]
 9270      Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
 9271      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 9273   *) Add the configuration target linux-s390x.
 9274      [Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
 9276   *) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
 9277      ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
 9278      variable as an indication that a ClientHello message has been
 9279      received.  As the flag value will be lost between multiple
 9280      invocations of ssl3_accept when using non-blocking I/O, the
 9281      function may not be aware that a handshake has actually taken
 9282      place, thus preventing a new session from being added to the
 9283      session cache.
 9285      To avoid this problem, we now set s->new_session to 2 instead of
 9286      using a local variable.
 9287      [Lutz Jaenicke, Bodo Moeller]
 9289   *) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
 9290      if the SSL_R_LENGTH_MISMATCH error is detected.
 9291      [Geoff Thorpe, Bodo Moeller]
 9293   *) New 'shared_ldflag' column in Configure platform table.
 9294      [Richard Levitte]
 9296   *) Fix EVP_CIPHER_mode macro.
 9297      ["Dan S. Camper" <dan@bti.net>]
 9299   *) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
 9300      type, we must throw them away by setting rr->length to 0.
 9301      [D P Chang <dpc@qualys.com>]
 9303  Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
 9305   *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
 9306      <Dominikus.Scherkl@biodata.com>.  (The previous implementation
 9307      worked incorrectly for those cases where  range = 10..._2  and
 9308      3*range  is two bits longer than  range.)
 9309      [Bodo Moeller]
 9311   *) Only add signing time to PKCS7 structures if it is not already
 9312      present.
 9313      [Steve Henson]
 9315   *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
 9316      OBJ_ld_ce should be OBJ_id_ce.
 9317      Also some ip-pda OIDs in crypto/objects/objects.txt were
 9318      incorrect (cf. RFC 3039).
 9319      [Matt Cooper, Frederic Giudicelli, Bodo Moeller]
 9321   *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
 9322      returns early because it has nothing to do.
 9323      [Andy Schneider <andy.schneider@bjss.co.uk>]
 9325   *) [In 0.9.6c-engine release:]
 9326      Fix mutex callback return values in crypto/engine/hw_ncipher.c.
 9327      [Andy Schneider <andy.schneider@bjss.co.uk>]
 9329   *) [In 0.9.6c-engine release:]
 9330      Add support for Cryptographic Appliance's keyserver technology.
 9331      (Use engine 'keyclient')
 9332      [Cryptographic Appliances and Geoff Thorpe]
 9334   *) Add a configuration entry for OS/390 Unix.  The C compiler 'c89'
 9335      is called via tools/c89.sh because arguments have to be
 9336      rearranged (all '-L' options must appear before the first object
 9337      modules).
 9338      [Richard Shapiro <rshapiro@abinitio.com>]
 9340   *) [In 0.9.6c-engine release:]
 9341      Add support for Broadcom crypto accelerator cards, backported
 9342      from 0.9.7.
 9343      [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
 9345   *) [In 0.9.6c-engine release:]
 9346      Add support for SureWare crypto accelerator cards from
 9347      Baltimore Technologies.  (Use engine 'sureware')
 9348      [Baltimore Technologies and Mark Cox]
 9350   *) [In 0.9.6c-engine release:]
 9351      Add support for crypto accelerator cards from Accelerated
 9352      Encryption Processing, www.aep.ie.  (Use engine 'aep')
 9353      [AEP Inc. and Mark Cox]
 9355   *) Add a configuration entry for gcc on UnixWare.
 9356      [Gary Benson <gbenson@redhat.com>]
 9358   *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
 9359      messages are stored in a single piece (fixed-length part and
 9360      variable-length part combined) and fix various bugs found on the way.
 9361      [Bodo Moeller]
 9363   *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
 9364      instead.  BIO_gethostbyname() does not know what timeouts are
 9365      appropriate, so entries would stay in cache even when they have
 9366      become invalid.
 9367      [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
 9369   *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
 9370      faced with a pathologically small ClientHello fragment that does
 9371      not contain client_version: Instead of aborting with an error,
 9372      simply choose the highest available protocol version (i.e.,
 9373      TLS 1.0 unless it is disabled).  In practice, ClientHello
 9374      messages are never sent like this, but this change gives us
 9375      strictly correct behaviour at least for TLS.
 9376      [Bodo Moeller]
 9378   *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
 9379      never resets s->method to s->ctx->method when called from within
 9380      one of the SSL handshake functions.
 9381      [Bodo Moeller; problem pointed out by Niko Baric]
 9383   *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
 9384      (sent using the client's version number) if client_version is
 9385      smaller than the protocol version in use.  Also change
 9386      ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
 9387      the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
 9388      the client will at least see that alert.
 9389      [Bodo Moeller]
 9391   *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
 9392      correctly.
 9393      [Bodo Moeller]
 9395   *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
 9396      client receives HelloRequest while in a handshake.
 9397      [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
 9399   *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
 9400      should end in 'break', not 'goto end' which circumvents various
 9401      cleanups done in state SSL_ST_OK.   But session related stuff
 9402      must be disabled for SSL_ST_OK in the case that we just sent a
 9403      HelloRequest.
 9405      Also avoid some overhead by not calling ssl_init_wbio_buffer()
 9406      before just sending a HelloRequest.
 9407      [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
 9409   *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
 9410      reveal whether illegal block cipher padding was found or a MAC
 9411      verification error occurred.  (Neither SSLerr() codes nor alerts
 9412      are directly visible to potential attackers, but the information
 9413      may leak via logfiles.)
 9415      Similar changes are not required for the SSL 2.0 implementation
 9416      because the number of padding bytes is sent in clear for SSL 2.0,
 9417      and the extra bytes are just ignored.  However ssl/s2_pkt.c
 9418      failed to verify that the purported number of padding bytes is in
 9419      the legal range.
 9420      [Bodo Moeller]
 9422   *) Add OpenUNIX-8 support including shared libraries
 9423      (Boyd Lynn Gerber <gerberb@zenez.com>).
 9424      [Lutz Jaenicke]
 9426   *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
 9427      'wristwatch attack' using huge encoding parameters (cf.
 9428      James H. Manger's CRYPTO 2001 paper).  Note that the
 9429      RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
 9430      encoding parameters and hence was not vulnerable.
 9431      [Bodo Moeller]
 9433   *) BN_sqr() bug fix.
 9434      [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
 9436   *) Rabin-Miller test analyses assume uniformly distributed witnesses,
 9437      so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
 9438      followed by modular reduction.
 9439      [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
 9441   *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
 9442      equivalent based on BN_pseudo_rand() instead of BN_rand().
 9443      [Bodo Moeller]
 9445   *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
 9446      This function was broken, as the check for a new client hello message
 9447      to handle SGC did not allow these large messages.
 9448      (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
 9449      [Lutz Jaenicke]
 9451   *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
 9452      [Lutz Jaenicke]
 9454   *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
 9455      for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
 9456      [Lutz Jaenicke]
 9458   *) Rework the configuration and shared library support for Tru64 Unix.
 9459      The configuration part makes use of modern compiler features and
 9460      still retains old compiler behavior for those that run older versions
 9461      of the OS.  The shared library support part includes a variant that
 9462      uses the RPATH feature, and is available through the special
 9463      configuration target "alpha-cc-rpath", which will never be selected
 9464      automatically.
 9465      [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
 9467   *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
 9468      with the same message size as in ssl3_get_certificate_request().
 9469      Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
 9470      messages might inadvertently be reject as too long.
 9471      [Petr Lampa <lampa@fee.vutbr.cz>]
 9473   *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
 9474      [Andy Polyakov]
 9476   *) Modified SSL library such that the verify_callback that has been set
 9477      specifically for an SSL object with SSL_set_verify() is actually being
 9478      used. Before the change, a verify_callback set with this function was
 9479      ignored and the verify_callback() set in the SSL_CTX at the time of
 9480      the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
 9481      to allow the necessary settings.
 9482      [Lutz Jaenicke]
 9484   *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
 9485      explicitly to NULL, as at least on Solaris 8 this seems not always to be
 9486      done automatically (in contradiction to the requirements of the C
 9487      standard). This made problems when used from OpenSSH.
 9488      [Lutz Jaenicke]
 9490   *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
 9491      dh->length and always used
 9493           BN_rand_range(priv_key, dh->p).
 9495      BN_rand_range() is not necessary for Diffie-Hellman, and this
 9496      specific range makes Diffie-Hellman unnecessarily inefficient if
 9497      dh->length (recommended exponent length) is much smaller than the
 9498      length of dh->p.  We could use BN_rand_range() if the order of
 9499      the subgroup was stored in the DH structure, but we only have
 9500      dh->length.
 9502      So switch back to
 9504           BN_rand(priv_key, l, ...)
 9506      where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
 9507      otherwise.
 9508      [Bodo Moeller]
 9510   *) In
 9512           RSA_eay_public_encrypt
 9513           RSA_eay_private_decrypt
 9514           RSA_eay_private_encrypt (signing)
 9515           RSA_eay_public_decrypt (signature verification)
 9517      (default implementations for RSA_public_encrypt,
 9518      RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
 9519      always reject numbers >= n.
 9520      [Bodo Moeller]
 9522   *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
 9523      to synchronize access to 'locking_thread'.  This is necessary on
 9524      systems where access to 'locking_thread' (an 'unsigned long'
 9525      variable) is not atomic.
 9526      [Bodo Moeller]
 9528   *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
 9529      *before* setting the 'crypto_lock_rand' flag.  The previous code had
 9530      a race condition if 0 is a valid thread ID.
 9531      [Travis Vitek <vitek@roguewave.com>]
 9533   *) Add support for shared libraries under Irix.
 9534      [Albert Chin-A-Young <china@thewrittenword.com>]
 9536   *) Add configuration option to build on Linux on both big-endian and
 9537      little-endian MIPS.
 9538      [Ralf Baechle <ralf@uni-koblenz.de>]
 9540   *) Add the possibility to create shared libraries on HP-UX.
 9541      [Richard Levitte]
 9543  Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]
 9545   *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
 9546      to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
 9547      Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
 9548      PRNG state recovery was possible based on the output of
 9549      one PRNG request appropriately sized to gain knowledge on
 9550      'md' followed by enough consecutive 1-byte PRNG requests
 9551      to traverse all of 'state'.
 9553      1. When updating 'md_local' (the current thread's copy of 'md')
 9554         during PRNG output generation, hash all of the previous
 9555         'md_local' value, not just the half used for PRNG output.
 9557      2. Make the number of bytes from 'state' included into the hash
 9558         independent from the number of PRNG bytes requested.
 9560      The first measure alone would be sufficient to avoid
 9561      Markku-Juhani's attack.  (Actually it had never occurred
 9562      to me that the half of 'md_local' used for chaining was the
 9563      half from which PRNG output bytes were taken -- I had always
 9564      assumed that the secret half would be used.)  The second
 9565      measure makes sure that additional data from 'state' is never
 9566      mixed into 'md_local' in small portions; this heuristically
 9567      further strengthens the PRNG.
 9568      [Bodo Moeller]
 9570   *) Fix crypto/bn/asm/mips3.s.
 9571      [Andy Polyakov]
 9573   *) When only the key is given to "enc", the IV is undefined. Print out
 9574      an error message in this case.
 9575      [Lutz Jaenicke]
 9577   *) Handle special case when X509_NAME is empty in X509 printing routines.
 9578      [Steve Henson]
 9580   *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
 9581      positive and less than q.
 9582      [Bodo Moeller]
 9584   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
 9585      used: it isn't thread safe and the add_lock_callback should handle
 9586      that itself.
 9587      [Paul Rose <Paul.Rose@bridge.com>]
 9589   *) Verify that incoming data obeys the block size in
 9590      ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
 9591      [Bodo Moeller]
 9593   *) Fix OAEP check.
 9594      [Ulf Möller, Bodo Möller]
 9596   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
 9597      RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
 9598      when fixing the server behaviour for backwards-compatible 'client
 9599      hello' messages.  (Note that the attack is impractical against
 9600      SSL 3.0 and TLS 1.0 anyway because length and version checking
 9601      means that the probability of guessing a valid ciphertext is
 9602      around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
 9603      paper.)
 9605      Before 0.9.5, the countermeasure (hide the error by generating a
 9606      random 'decryption result') did not work properly because
 9607      ERR_clear_error() was missing, meaning that SSL_get_error() would
 9608      detect the supposedly ignored error.
 9610      Both problems are now fixed.
 9611      [Bodo Moeller]
 9613   *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
 9614      (previously it was 1024).
 9615      [Bodo Moeller]
 9617   *) Fix for compatibility mode trust settings: ignore trust settings
 9618      unless some valid trust or reject settings are present.
 9619      [Steve Henson]
 9621   *) Fix for blowfish EVP: its a variable length cipher.
 9622      [Steve Henson]
 9624   *) Fix various bugs related to DSA S/MIME verification. Handle missing
 9625      parameters in DSA public key structures and return an error in the
 9626      DSA routines if parameters are absent.
 9627      [Steve Henson]
 9629   *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
 9630      in the current directory if neither $RANDFILE nor $HOME was set.
 9631      RAND_file_name() in 0.9.6a returned NULL in this case.  This has
 9632      caused some confusion to Windows users who haven't defined $HOME.
 9633      Thus RAND_file_name() is changed again: e_os.h can define a
 9634      DEFAULT_HOME, which will be used if $HOME is not set.
 9635      For Windows, we use "C:"; on other platforms, we still require
 9636      environment variables.
 9638   *) Move 'if (!initialized) RAND_poll()' into regions protected by
 9639      CRYPTO_LOCK_RAND.  This is not strictly necessary, but avoids
 9640      having multiple threads call RAND_poll() concurrently.
 9641      [Bodo Moeller]
 9643   *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
 9644      combination of a flag and a thread ID variable.
 9645      Otherwise while one thread is in ssleay_rand_bytes (which sets the
 9646      flag), *other* threads can enter ssleay_add_bytes without obeying
 9647      the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
 9648      that they do not hold after the first thread unsets add_do_not_lock).
 9649      [Bodo Moeller]
 9651   *) Change bctest again: '-x' expressions are not available in all
 9652      versions of 'test'.
 9653      [Bodo Moeller]
 9655  Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]
 9657   *) Fix a couple of memory leaks in PKCS7_dataDecode()
 9658      [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
 9660   *) Change Configure and Makefiles to provide EXE_EXT, which will contain
 9661      the default extension for executables, if any.  Also, make the perl
 9662      scripts that use symlink() to test if it really exists and use "cp"
 9663      if it doesn't.  All this made OpenSSL compilable and installable in
 9664      CygWin.
 9665      [Richard Levitte]
 9667   *) Fix for asn1_GetSequence() for indefinite length constructed data.
 9668      If SEQUENCE is length is indefinite just set c->slen to the total
 9669      amount of data available.
 9670      [Steve Henson, reported by shige@FreeBSD.org]
 9671      [This change does not apply to 0.9.7.]
 9673   *) Change bctest to avoid here-documents inside command substitution
 9674      (workaround for FreeBSD /bin/sh bug).
 9675      For compatibility with Ultrix, avoid shell functions (introduced
 9676      in the bctest version that searches along $PATH).
 9677      [Bodo Moeller]
 9679   *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
 9680      with des_encrypt() defined on some operating systems, like Solaris
 9681      and UnixWare.
 9682      [Richard Levitte]
 9684   *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
 9685      On the Importance of Eliminating Errors in Cryptographic
 9686      Computations, J. Cryptology 14 (2001) 2, 101-119,
 9687      http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
 9688      [Ulf Moeller]
 9690   *) MIPS assembler BIGNUM division bug fix.
 9691      [Andy Polyakov]
 9693   *) Disabled incorrect Alpha assembler code.
 9694      [Richard Levitte]
 9696   *) Fix PKCS#7 decode routines so they correctly update the length
 9697      after reading an EOC for the EXPLICIT tag.
 9698      [Steve Henson]
 9699      [This change does not apply to 0.9.7.]
 9701   *) Fix bug in PKCS#12 key generation routines. This was triggered
 9702      if a 3DES key was generated with a 0 initial byte. Include
 9703      PKCS12_BROKEN_KEYGEN compilation option to retain the old
 9704      (but broken) behaviour.
 9705      [Steve Henson]
 9707   *) Enhance bctest to search for a working bc along $PATH and print
 9708      it when found.
 9709      [Tim Rice <tim@multitalents.net> via Richard Levitte]
 9711   *) Fix memory leaks in err.c: free err_data string if necessary;
 9712      don't write to the wrong index in ERR_set_error_data.
 9713      [Bodo Moeller]
 9715   *) Implement ssl23_peek (analogous to ssl23_read), which previously
 9716      did not exist.
 9717      [Bodo Moeller]
 9719   *) Replace rdtsc with _emit statements for VC++ version 5.
 9720      [Jeremy Cooper <jeremy@baymoo.org>]
 9722   *) Make it possible to reuse SSLv2 sessions.
 9723      [Richard Levitte]
 9725   *) In copy_email() check for >= 0 as a return value for
 9726      X509_NAME_get_index_by_NID() since 0 is a valid index.
 9727      [Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
 9729   *) Avoid coredump with unsupported or invalid public keys by checking if
 9730      X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
 9731      PKCS7_verify() fails with non detached data.
 9732      [Steve Henson]
 9734   *) Don't use getenv in library functions when run as setuid/setgid.
 9735      New function OPENSSL_issetugid().
 9736      [Ulf Moeller]
 9738   *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
 9739      due to incorrect handling of multi-threading:
 9741      1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
 9743      2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
 9745      3. Count how many times MemCheck_off() has been called so that
 9746         nested use can be treated correctly.  This also avoids
 9747         inband-signalling in the previous code (which relied on the
 9748         assumption that thread ID 0 is impossible).
 9749      [Bodo Moeller]
 9751   *) Add "-rand" option also to s_client and s_server.
 9752      [Lutz Jaenicke]
 9754   *) Fix CPU detection on Irix 6.x.
 9755      [Kurt Hockenbury <khockenb@stevens-tech.edu> and
 9756       "Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
 9758   *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
 9759      was empty.
 9760      [Steve Henson]
 9761      [This change does not apply to 0.9.7.]
 9763   *) Use the cached encoding of an X509_NAME structure rather than
 9764      copying it. This is apparently the reason for the libsafe "errors"
 9765      but the code is actually correct.
 9766      [Steve Henson]
 9768   *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
 9769      Bleichenbacher's DSA attack.
 9770      Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
 9771      to be set and top=0 forces the highest bit to be set; top=-1 is new
 9772      and leaves the highest bit random.
 9773      [Ulf Moeller, Bodo Moeller]
 9775   *) In the NCONF_...-based implementations for CONF_... queries
 9776      (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
 9777      a temporary CONF structure with the data component set to NULL
 9778      (which gives segmentation faults in lh_retrieve).
 9779      Instead, use NULL for the CONF pointer in CONF_get_string and
 9780      CONF_get_number (which may use environment variables) and directly
 9781      return NULL from CONF_get_section.
 9782      [Bodo Moeller]
 9784   *) Fix potential buffer overrun for EBCDIC.
 9785      [Ulf Moeller]
 9787   *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
 9788      keyUsage if basicConstraints absent for a CA.
 9789      [Steve Henson]
 9791   *) Make SMIME_write_PKCS7() write mail header values with a format that
 9792      is more generally accepted (no spaces before the semicolon), since
 9793      some programs can't parse those values properly otherwise.  Also make
 9794      sure BIO's that break lines after each write do not create invalid
 9795      headers.
 9796      [Richard Levitte]
 9798   *) Make the CRL encoding routines work with empty SEQUENCE OF. The
 9799      macros previously used would not encode an empty SEQUENCE OF
 9800      and break the signature.
 9801      [Steve Henson]
 9802      [This change does not apply to 0.9.7.]
 9804   *) Zero the premaster secret after deriving the master secret in
 9805      DH ciphersuites.
 9806      [Steve Henson]
 9808   *) Add some EVP_add_digest_alias registrations (as found in
 9809      OpenSSL_add_all_digests()) to SSL_library_init()
 9810      aka OpenSSL_add_ssl_algorithms().  This provides improved
 9811      compatibility with peers using X.509 certificates
 9812      with unconventional AlgorithmIdentifier OIDs.
 9813      [Bodo Moeller]
 9815   *) Fix for Irix with NO_ASM.
 9816      ["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
 9818   *) ./config script fixes.
 9819      [Ulf Moeller, Richard Levitte]
 9821   *) Fix 'openssl passwd -1'.
 9822      [Bodo Moeller]
 9824   *) Change PKCS12_key_gen_asc() so it can cope with non null
 9825      terminated strings whose length is passed in the passlen
 9826      parameter, for example from PEM callbacks. This was done
 9827      by adding an extra length parameter to asc2uni().
 9828      [Steve Henson, reported by <oddissey@samsung.co.kr>]
 9830   *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
 9831      call failed, free the DSA structure.
 9832      [Bodo Moeller]
 9834   *) Fix to uni2asc() to cope with zero length Unicode strings.
 9835      These are present in some PKCS#12 files.
 9836      [Steve Henson]
 9838   *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
 9839      Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
 9840      when writing a 32767 byte record.
 9841      [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
 9843   *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
 9844      obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
 9846      (RSA objects have a reference count access to which is protected
 9847      by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
 9848      so they are meant to be shared between threads.)
 9849      [Bodo Moeller, Geoff Thorpe; original patch submitted by
 9850      "Reddie, Steven" <Steven.Reddie@ca.com>]
 9852   *) Fix a deadlock in CRYPTO_mem_leaks().
 9853      [Bodo Moeller]
 9855   *) Use better test patterns in bntest.
 9856      [Ulf Möller]
 9858   *) rand_win.c fix for Borland C.
 9859      [Ulf Möller]
 9861   *) BN_rshift bugfix for n == 0.
 9862      [Bodo Moeller]
 9864   *) Add a 'bctest' script that checks for some known 'bc' bugs
 9865      so that 'make test' does not abort just because 'bc' is broken.
 9866      [Bodo Moeller]
 9868   *) Store verify_result within SSL_SESSION also for client side to
 9869      avoid potential security hole. (Re-used sessions on the client side
 9870      always resulted in verify_result==X509_V_OK, not using the original
 9871      result of the server certificate verification.)
 9872      [Lutz Jaenicke]
 9874   *) Fix ssl3_pending: If the record in s->s3->rrec is not of type
 9875      SSL3_RT_APPLICATION_DATA, return 0.
 9876      Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
 9877      [Bodo Moeller]
 9879   *) Fix SSL_peek:
 9880      Both ssl2_peek and ssl3_peek, which were totally broken in earlier
 9881      releases, have been re-implemented by renaming the previous
 9882      implementations of ssl2_read and ssl3_read to ssl2_read_internal
 9883      and ssl3_read_internal, respectively, and adding 'peek' parameters
 9884      to them.  The new ssl[23]_{read,peek} functions are calls to
 9885      ssl[23]_read_internal with the 'peek' flag set appropriately.
 9886      A 'peek' parameter has also been added to ssl3_read_bytes, which
 9887      does the actual work for ssl3_read_internal.
 9888      [Bodo Moeller]
 9890   *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
 9891      the method-specific "init()" handler. Also clean up ex_data after
 9892      calling the method-specific "finish()" handler. Previously, this was
 9893      happening the other way round.
 9894      [Geoff Thorpe]
 9896   *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
 9897      The previous value, 12, was not always sufficient for BN_mod_exp().
 9898      [Bodo Moeller]
 9900   *) Make sure that shared libraries get the internal name engine with
 9901      the full version number and not just 0.  This should mark the
 9902      shared libraries as not backward compatible.  Of course, this should
 9903      be changed again when we can guarantee backward binary compatibility.
 9904      [Richard Levitte]
 9906   *) Fix typo in get_cert_by_subject() in by_dir.c
 9907      [Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
 9909   *) Rework the system to generate shared libraries:
 9911      - Make note of the expected extension for the shared libraries and
 9912        if there is a need for symbolic links from for example libcrypto.so.0
 9913        to libcrypto.so.0.9.7.  There is extended info in Configure for
 9914        that.
 9916      - Make as few rebuilds of the shared libraries as possible.
 9918      - Still avoid linking the OpenSSL programs with the shared libraries.
 9920      - When installing, install the shared libraries separately from the
 9921        static ones.
 9922      [Richard Levitte]
 9924   *) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
 9926      Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
 9927      and not in SSL_clear because the latter is also used by the
 9928      accept/connect functions; previously, the settings made by
 9929      SSL_set_read_ahead would be lost during the handshake.
 9930      [Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
 9932   *) Correct util/mkdef.pl to be selective about disabled algorithms.
 9933      Previously, it would create entries for disabled algorithms no
 9934      matter what.
 9935      [Richard Levitte]
 9937   *) Added several new manual pages for SSL_* function.
 9938      [Lutz Jaenicke]
 9940  Changes between 0.9.5a and 0.9.6  [24 Sep 2000]
 9942   *) In ssl23_get_client_hello, generate an error message when faced
 9943      with an initial SSL 3.0/TLS record that is too small to contain the
 9944      first two bytes of the ClientHello message, i.e. client_version.
 9945      (Note that this is a pathologic case that probably has never happened
 9946      in real life.)  The previous approach was to use the version number
 9947      from the record header as a substitute; but our protocol choice
 9948      should not depend on that one because it is not authenticated
 9949      by the Finished messages.
 9950      [Bodo Moeller]
 9952   *) More robust randomness gathering functions for Windows.
 9953      [Jeffrey Altman <jaltman@columbia.edu>]
 9955   *) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
 9956      not set then we don't setup the error code for issuer check errors
 9957      to avoid possibly overwriting other errors which the callback does
 9958      handle. If an application does set the flag then we assume it knows
 9959      what it is doing and can handle the new informational codes
 9960      appropriately.
 9961      [Steve Henson]
 9963   *) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
 9964      a general "ANY" type, as such it should be able to decode anything
 9965      including tagged types. However it didn't check the class so it would
 9966      wrongly interpret tagged types in the same way as their universal
 9967      counterpart and unknown types were just rejected. Changed so that the
 9968      tagged and unknown types are handled in the same way as a SEQUENCE:
 9969      that is the encoding is stored intact. There is also a new type
 9970      "V_ASN1_OTHER" which is used when the class is not universal, in this
 9971      case we have no idea what the actual type is so we just lump them all
 9972      together.
 9973      [Steve Henson]
 9975   *) On VMS, stdout may very well lead to a file that is written to
 9976      in a record-oriented fashion.  That means that every write() will
 9977      write a separate record, which will be read separately by the
 9978      programs trying to read from it.  This can be very confusing.
 9980      The solution is to put a BIO filter in the way that will buffer
 9981      text until a linefeed is reached, and then write everything a
 9982      line at a time, so every record written will be an actual line,
 9983      not chunks of lines and not (usually doesn't happen, but I've
 9984      seen it once) several lines in one record.  BIO_f_linebuffer() is
 9985      the answer.
 9987      Currently, it's a VMS-only method, because that's where it has
 9988      been tested well enough.
 9989      [Richard Levitte]
 9991   *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
 9992      it can return incorrect results.
 9993      (Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
 9994      but it was in 0.9.6-beta[12].)
 9995      [Bodo Moeller]
 9997   *) Disable the check for content being present when verifying detached
 9998      signatures in pk7_smime.c. Some versions of Netscape (wrongly)
 9999      include zero length content when signing messages.
10000      [Steve Henson]
10002   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
10003      BIO_ctrl (for BIO pairs).
10004      [Bodo Möller]
10006   *) Add DSO method for VMS.
10007      [Richard Levitte]
10009   *) Bug fix: Montgomery multiplication could produce results with the
10010      wrong sign.
10011      [Ulf Möller]
10013   *) Add RPM specification openssl.spec and modify it to build three
10014      packages.  The default package contains applications, application
10015      documentation and run-time libraries.  The devel package contains
10016      include files, static libraries and function documentation.  The
10017      doc package contains the contents of the doc directory.  The original
10018      openssl.spec was provided by Damien Miller <djm@mindrot.org>.
10019      [Richard Levitte]
10021   *) Add a large number of documentation files for many SSL routines.
10022      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
10024   *) Add a configuration entry for Sony News 4.
10025      [NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
10027   *) Don't set the two most significant bits to one when generating a
10028      random number < q in the DSA library.
10029      [Ulf Möller]
10031   *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
10032      behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
10033      the underlying transport is blocking) if a handshake took place.
10034      (The default behaviour is needed by applications such as s_client
10035      and s_server that use select() to determine when to use SSL_read;
10036      but for applications that know in advance when to expect data, it
10037      just makes things more complicated.)
10038      [Bodo Moeller]
10040   *) Add RAND_egd_bytes(), which gives control over the number of bytes read
10041      from EGD.
10042      [Ben Laurie]
10044   *) Add a few more EBCDIC conditionals that make `req' and `x509'
10045      work better on such systems.
10046      [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
10048   *) Add two demo programs for PKCS12_parse() and PKCS12_create().
10049      Update PKCS12_parse() so it copies the friendlyName and the
10050      keyid to the certificates aux info.
10051      [Steve Henson]
10053   *) Fix bug in PKCS7_verify() which caused an infinite loop
10054      if there was more than one signature.
10055      [Sven Uszpelkat <su@celocom.de>]
10057   *) Major change in util/mkdef.pl to include extra information
10058      about each symbol, as well as presenting variables as well
10059      as functions.  This change means that there's n more need
10060      to rebuild the .num files when some algorithms are excluded.
10061      [Richard Levitte]
10063   *) Allow the verify time to be set by an application,
10064      rather than always using the current time.
10065      [Steve Henson]
10067   *) Phase 2 verify code reorganisation. The certificate
10068      verify code now looks up an issuer certificate by a
10069      number of criteria: subject name, authority key id
10070      and key usage. It also verifies self signed certificates
10071      by the same criteria. The main comparison function is
10072      X509_check_issued() which performs these checks.
10074      Lot of changes were necessary in order to support this
10075      without completely rewriting the lookup code.
10077      Authority and subject key identifier are now cached.
10079      The LHASH 'certs' is X509_STORE has now been replaced
10080      by a STACK_OF(X509_OBJECT). This is mainly because an
10081      LHASH can't store or retrieve multiple objects with
10082      the same hash value.
10084      As a result various functions (which were all internal
10085      use only) have changed to handle the new X509_STORE
10086      structure. This will break anything that messed round
10087      with X509_STORE internally.
10089      The functions X509_STORE_add_cert() now checks for an
10090      exact match, rather than just subject name.
10092      The X509_STORE API doesn't directly support the retrieval
10093      of multiple certificates matching a given criteria, however
10094      this can be worked round by performing a lookup first
10095      (which will fill the cache with candidate certificates)
10096      and then examining the cache for matches. This is probably
10097      the best we can do without throwing out X509_LOOKUP
10098      entirely (maybe later...).
10100      The X509_VERIFY_CTX structure has been enhanced considerably.
10102      All certificate lookup operations now go via a get_issuer()
10103      callback. Although this currently uses an X509_STORE it
10104      can be replaced by custom lookups. This is a simple way
10105      to bypass the X509_STORE hackery necessary to make this
10106      work and makes it possible to use more efficient techniques
10107      in future. A very simple version which uses a simple
10108      STACK for its trusted certificate store is also provided
10109      using X509_STORE_CTX_trusted_stack().
10111      The verify_cb() and verify() callbacks now have equivalents
10112      in the X509_STORE_CTX structure.
10114      X509_STORE_CTX also has a 'flags' field which can be used
10115      to customise the verify behaviour.
10116      [Steve Henson]
10118   *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
10119      excludes S/MIME capabilities.
10120      [Steve Henson]
10122   *) When a certificate request is read in keep a copy of the
10123      original encoding of the signed data and use it when outputting
10124      again. Signatures then use the original encoding rather than
10125      a decoded, encoded version which may cause problems if the
10126      request is improperly encoded.
10127      [Steve Henson]
10129   *) For consistency with other BIO_puts implementations, call
10130      buffer_write(b, ...) directly in buffer_puts instead of calling
10131      BIO_write(b, ...).
10133      In BIO_puts, increment b->num_write as in BIO_write.
10134      [Peter.Sylvester@EdelWeb.fr]
10136   *) Fix BN_mul_word for the case where the word is 0. (We have to use
10137      BN_zero, we may not return a BIGNUM with an array consisting of
10138      words set to zero.)
10139      [Bodo Moeller]
10141   *) Avoid calling abort() from within the library when problems are
10142      detected, except if preprocessor symbols have been defined
10143      (such as REF_CHECK, BN_DEBUG etc.).
10144      [Bodo Moeller]
10146   *) New openssl application 'rsautl'. This utility can be
10147      used for low level RSA operations. DER public key
10148      BIO/fp routines also added.
10149      [Steve Henson]
10151   *) New Configure entry and patches for compiling on QNX 4.
10152      [Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
10154   *) A demo state-machine implementation was sponsored by
10155      Nuron (http://www.nuron.com/) and is now available in
10156      demos/state_machine.
10157      [Ben Laurie]
10159   *) New options added to the 'dgst' utility for signature
10160      generation and verification.
10161      [Steve Henson]
10163   *) Unrecognized PKCS#7 content types are now handled via a
10164      catch all ASN1_TYPE structure. This allows unsupported
10165      types to be stored as a "blob" and an application can
10166      encode and decode it manually.
10167      [Steve Henson]
10169   *) Fix various signed/unsigned issues to make a_strex.c
10170      compile under VC++.
10171      [Oscar Jacobsson <oscar.jacobsson@celocom.com>]
10173   *) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
10174      length if passed a buffer. ASN1_INTEGER_to_BN failed
10175      if passed a NULL BN and its argument was negative.
10176      [Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
10178   *) Modification to PKCS#7 encoding routines to output definite
10179      length encoding. Since currently the whole structures are in
10180      memory there's not real point in using indefinite length
10181      constructed encoding. However if OpenSSL is compiled with
10182      the flag PKCS7_INDEFINITE_ENCODING the old form is used.
10183      [Steve Henson]
10185   *) Added BIO_vprintf() and BIO_vsnprintf().
10186      [Richard Levitte]
10188   *) Added more prefixes to parse for in the strings written
10189      through a logging bio, to cover all the levels that are available
10190      through syslog.  The prefixes are now:
10192         PANIC, EMERG, EMR       =>      LOG_EMERG
10193         ALERT, ALR              =>      LOG_ALERT
10194         CRIT, CRI               =>      LOG_CRIT
10195         ERROR, ERR              =>      LOG_ERR
10196         WARNING, WARN, WAR      =>      LOG_WARNING
10197         NOTICE, NOTE, NOT       =>      LOG_NOTICE
10198         INFO, INF               =>      LOG_INFO
10199         DEBUG, DBG              =>      LOG_DEBUG
10201      and as before, if none of those prefixes are present at the
10202      beginning of the string, LOG_ERR is chosen.
10204      On Win32, the LOG_* levels are mapped according to this:
10207         LOG_WARNING                             => EVENTLOG_WARNING_TYPE
10210      [Richard Levitte]
10212   *) Made it possible to reconfigure with just the configuration
10213      argument "reconf" or "reconfigure".  The command line arguments
10214      are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
10215      and are retrieved from there when reconfiguring.
10216      [Richard Levitte]
10218   *) MD4 implemented.
10219      [Assar Westerlund <assar@sics.se>, Richard Levitte]
10221   *) Add the arguments -CAfile and -CApath to the pkcs12 utility.
10222      [Richard Levitte]
10224   *) The obj_dat.pl script was messing up the sorting of object
10225      names. The reason was that it compared the quoted version
10226      of strings as a result "OCSP" > "OCSP Signing" because
10227      " > SPACE. Changed script to store unquoted versions of
10228      names and add quotes on output. It was also omitting some
10229      names from the lookup table if they were given a default
10230      value (that is if SN is missing it is given the same
10231      value as LN and vice versa), these are now added on the
10232      grounds that if an object has a name we should be able to
10233      look it up. Finally added warning output when duplicate
10234      short or long names are found.
10235      [Steve Henson]
10237   *) Changes needed for Tandem NSK.
10238      [Scott Uroff <scott@xypro.com>]
10240   *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
10241      RSA_padding_check_SSLv23(), special padding was never detected
10242      and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
10243      version rollback attacks was not effective.
10245      In s23_clnt.c, don't use special rollback-attack detection padding
10246      (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
10247      client; similarly, in s23_srvr.c, don't do the rollback check if
10248      SSL 2.0 is the only protocol enabled in the server.
10249      [Bodo Moeller]
10251   *) Make it possible to get hexdumps of unprintable data with 'openssl
10252      asn1parse'.  By implication, the functions ASN1_parse_dump() and
10253      BIO_dump_indent() are added.
10254      [Richard Levitte]
10256   *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
10257      these print out strings and name structures based on various
10258      flags including RFC2253 support and proper handling of
10259      multibyte characters. Added options to the 'x509' utility
10260      to allow the various flags to be set.
10261      [Steve Henson]
10263   *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
10264      Also change the functions X509_cmp_current_time() and
10265      X509_gmtime_adj() work with an ASN1_TIME structure,
10266      this will enable certificates using GeneralizedTime in validity
10267      dates to be checked.
10268      [Steve Henson]
10270   *) Make the NEG_PUBKEY_BUG code (which tolerates invalid
10271      negative public key encodings) on by default,
10272      NO_NEG_PUBKEY_BUG can be set to disable it.
10273      [Steve Henson]
10275   *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
10276      content octets. An i2c_ASN1_OBJECT is unnecessary because
10277      the encoding can be trivially obtained from the structure.
10278      [Steve Henson]
10280   *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
10281      not read locks (CRYPTO_r_[un]lock).
10282      [Bodo Moeller]
10284   *) A first attempt at creating official support for shared
10285      libraries through configuration.  I've kept it so the
10286      default is static libraries only, and the OpenSSL programs
10287      are always statically linked for now, but there are
10288      preparations for dynamic linking in place.
10289      This has been tested on Linux and Tru64.
10290      [Richard Levitte]
10292   *) Randomness polling function for Win9x, as described in:
10293      Peter Gutmann, Software Generation of Practically Strong
10294      Random Numbers.
10295      [Ulf Möller]
10297   *) Fix so PRNG is seeded in req if using an already existing
10298      DSA key.
10299      [Steve Henson]
10301   *) New options to smime application. -inform and -outform
10302      allow alternative formats for the S/MIME message including
10303      PEM and DER. The -content option allows the content to be
10304      specified separately. This should allow things like Netscape
10305      form signing output easier to verify.
10306      [Steve Henson]
10308   *) Fix the ASN1 encoding of tags using the 'long form'.
10309      [Steve Henson]
10311   *) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
10312      STRING types. These convert content octets to and from the
10313      underlying type. The actual tag and length octets are
10314      already assumed to have been read in and checked. These
10315      are needed because all other string types have virtually
10316      identical handling apart from the tag. By having versions
10317      of the ASN1 functions that just operate on content octets
10318      IMPLICIT tagging can be handled properly. It also allows
10319      the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
10320      and ASN1_INTEGER are identical apart from the tag.
10321      [Steve Henson]
10323   *) Change the handling of OID objects as follows:
10325      - New object identifiers are inserted in objects.txt, following
10326        the syntax given in objects.README.
10327      - objects.pl is used to process obj_mac.num and create a new
10328        obj_mac.h.
10329      - obj_dat.pl is used to create a new obj_dat.h, using the data in
10330        obj_mac.h.
10332      This is currently kind of a hack, and the perl code in objects.pl
10333      isn't very elegant, but it works as I intended.  The simplest way
10334      to check that it worked correctly is to look in obj_dat.h and
10335      check the array nid_objs and make sure the objects haven't moved
10336      around (this is important!).  Additions are OK, as well as
10337      consistent name changes.
10338      [Richard Levitte]
10340   *) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
10341      [Bodo Moeller]
10343   *) Addition of the command line parameter '-rand file' to 'openssl req'.
10344      The given file adds to whatever has already been seeded into the
10345      random pool through the RANDFILE configuration file option or
10346      environment variable, or the default random state file.
10347      [Richard Levitte]
10349   *) mkstack.pl now sorts each macro group into lexical order.
10350      Previously the output order depended on the order the files
10351      appeared in the directory, resulting in needless rewriting
10352      of safestack.h .
10353      [Steve Henson]
10355   *) Patches to make OpenSSL compile under Win32 again. Mostly
10356      work arounds for the VC++ problem that it treats func() as
10357      func(void). Also stripped out the parts of mkdef.pl that
10358      added extra typesafe functions: these no longer exist.
10359      [Steve Henson]
10361   *) Reorganisation of the stack code. The macros are now all
10362      collected in safestack.h . Each macro is defined in terms of
10363      a "stack macro" of the form SKM_<name>(type, a, b). The
10364      DEBUG_SAFESTACK is now handled in terms of function casts,
10365      this has the advantage of retaining type safety without the
10366      use of additional functions. If DEBUG_SAFESTACK is not defined
10367      then the non typesafe macros are used instead. Also modified the
10368      mkstack.pl script to handle the new form. Needs testing to see
10369      if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
10370      the default if no major problems. Similar behaviour for ASN1_SET_OF
10371      and PKCS12_STACK_OF.
10372      [Steve Henson]
10374   *) When some versions of IIS use the 'NET' form of private key the
10375      key derivation algorithm is different. Normally MD5(password) is
10376      used as a 128 bit RC4 key. In the modified case
10377      MD5(MD5(password) + "SGCKEYSALT")  is used instead. Added some
10378      new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
10379      as the old Netscape_RSA functions except they have an additional
10380      'sgckey' parameter which uses the modified algorithm. Also added
10381      an -sgckey command line option to the rsa utility. Thanks to
10382      Adrian Peck <bertie@ncipher.com> for posting details of the modified
10383      algorithm to openssl-dev.
10384      [Steve Henson]
10386   *) The evp_local.h macros were using 'c.##kname' which resulted in
10387      invalid expansion on some systems (SCO 5.0.5 for example).
10388      Corrected to 'c.kname'.
10389      [Phillip Porch <root@theporch.com>]
10391   *) New X509_get1_email() and X509_REQ_get1_email() functions that return
10392      a STACK of email addresses from a certificate or request, these look
10393      in the subject name and the subject alternative name extensions and
10394      omit any duplicate addresses.
10395      [Steve Henson]
10397   *) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
10398      This makes DSA verification about 2 % faster.
10399      [Bodo Moeller]
10401   *) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
10402      (meaning that now 2^5 values will be precomputed, which is only 4 KB
10403      plus overhead for 1024 bit moduli).
10404      This makes exponentiations about 0.5 % faster for 1024 bit
10405      exponents (as measured by "openssl speed rsa2048").
10406      [Bodo Moeller]
10408   *) Rename memory handling macros to avoid conflicts with other
10409      software:
10410           Malloc         =>  OPENSSL_malloc
10411           Malloc_locked  =>  OPENSSL_malloc_locked
10412           Realloc        =>  OPENSSL_realloc
10413           Free           =>  OPENSSL_free
10414      [Richard Levitte]
10416   *) New function BN_mod_exp_mont_word for small bases (roughly 15%
10417      faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
10418      [Bodo Moeller]
10420   *) CygWin32 support.
10421      [John Jarvie <jjarvie@newsguy.com>]
10423   *) The type-safe stack code has been rejigged. It is now only compiled
10424      in when OpenSSL is configured with the DEBUG_SAFESTACK option and
10425      by default all type-specific stack functions are "#define"d back to
10426      standard stack functions. This results in more streamlined output
10427      but retains the type-safety checking possibilities of the original
10428      approach.
10429      [Geoff Thorpe]
10431   *) The STACK code has been cleaned up, and certain type declarations
10432      that didn't make a lot of sense have been brought in line. This has
10433      also involved a cleanup of sorts in safestack.h to more correctly
10434      map type-safe stack functions onto their plain stack counterparts.
10435      This work has also resulted in a variety of "const"ifications of
10436      lots of the code, especially "_cmp" operations which should normally
10437      be prototyped with "const" parameters anyway.
10438      [Geoff Thorpe]
10440   *) When generating bytes for the first time in md_rand.c, 'stir the pool'
10441      by seeding with STATE_SIZE dummy bytes (with zero entropy count).
10442      (The PRNG state consists of two parts, the large pool 'state' and 'md',
10443      where all of 'md' is used each time the PRNG is used, but 'state'
10444      is used only indexed by a cyclic counter. As entropy may not be
10445      well distributed from the beginning, 'md' is important as a
10446      chaining variable. However, the output function chains only half
10447      of 'md', i.e. 80 bits.  ssleay_rand_add, on the other hand, chains
10448      all of 'md', and seeding with STATE_SIZE dummy bytes will result
10449      in all of 'state' being rewritten, with the new values depending
10450      on virtually all of 'md'.  This overcomes the 80 bit limitation.)
10451      [Bodo Moeller]
10453   *) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
10454      the handshake is continued after ssl_verify_cert_chain();
10455      otherwise, if SSL_VERIFY_NONE is set, remaining error codes
10456      can lead to 'unexplainable' connection aborts later.
10457      [Bodo Moeller; problem tracked down by Lutz Jaenicke]
10459   *) Major EVP API cipher revision.
10460      Add hooks for extra EVP features. This allows various cipher
10461      parameters to be set in the EVP interface. Support added for variable
10462      key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
10463      setting of RC2 and RC5 parameters.
10465      Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
10466      ciphers.
10468      Remove lots of duplicated code from the EVP library. For example *every*
10469      cipher init() function handles the 'iv' in the same way according to the
10470      cipher mode. They also all do nothing if the 'key' parameter is NULL and
10471      for CFB and OFB modes they zero ctx->num.
10473      New functionality allows removal of S/MIME code RC2 hack.
10475      Most of the routines have the same form and so can be declared in terms
10476      of macros.
10478      By shifting this to the top level EVP_CipherInit() it can be removed from
10479      all individual ciphers. If the cipher wants to handle IVs or keys
10480      differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
10481      flags.
10483      Change lots of functions like EVP_EncryptUpdate() to now return a
10484      value: although software versions of the algorithms cannot fail
10485      any installed hardware versions can.
10486      [Steve Henson]
10488   *) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
10489      this option is set, tolerate broken clients that send the negotiated
10490      protocol version number instead of the requested protocol version
10491      number.
10492      [Bodo Moeller]
10494   *) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
10495      i.e. non-zero for export ciphersuites, zero otherwise.
10496      Previous versions had this flag inverted, inconsistent with
10497      rsa_tmp_cb (..._TMP_RSA_CB).
10498      [Bodo Moeller; problem reported by Amit Chopra]
10500   *) Add missing DSA library text string. Work around for some IIS
10501      key files with invalid SEQUENCE encoding.
10502      [Steve Henson]
10504   *) Add a document (doc/standards.txt) that list all kinds of standards
10505      and so on that are implemented in OpenSSL.
10506      [Richard Levitte]
10508   *) Enhance c_rehash script. Old version would mishandle certificates
10509      with the same subject name hash and wouldn't handle CRLs at all.
10510      Added -fingerprint option to crl utility, to support new c_rehash
10511      features.
10512      [Steve Henson]
10514   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
10515      [Ulf Möller]
10517   *) Fix for SSL server purpose checking. Server checking was
10518      rejecting certificates which had extended key usage present
10519      but no ssl client purpose.
10520      [Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
10522   *) Make PKCS#12 code work with no password. The PKCS#12 spec
10523      is a little unclear about how a blank password is handled.
10524      Since the password in encoded as a BMPString with terminating
10525      double NULL a zero length password would end up as just the
10526      double NULL. However no password at all is different and is
10527      handled differently in the PKCS#12 key generation code. NS
10528      treats a blank password as zero length. MSIE treats it as no
10529      password on export: but it will try both on import. We now do
10530      the same: PKCS12_parse() tries zero length and no password if
10531      the password is set to "" or NULL (NULL is now a valid password:
10532      it wasn't before) as does the pkcs12 application.
10533      [Steve Henson]
10535   *) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
10536      perror when PEM_read_bio_X509_REQ fails, the error message must
10537      be obtained from the error queue.
10538      [Bodo Moeller]
10540   *) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
10541      it in ERR_remove_state if appropriate, and change ERR_get_state
10542      accordingly to avoid race conditions (this is necessary because
10543      thread_hash is no longer constant once set).
10544      [Bodo Moeller]
10546   *) Bugfix for linux-elf makefile.one.
10547      [Ulf Möller]
10549   *) RSA_get_default_method() will now cause a default
10550      RSA_METHOD to be chosen if one doesn't exist already.
10551      Previously this was only set during a call to RSA_new()
10552      or RSA_new_method(NULL) meaning it was possible for
10553      RSA_get_default_method() to return NULL.
10554      [Geoff Thorpe]
10556   *) Added native name translation to the existing DSO code
10557      that will convert (if the flag to do so is set) filenames
10558      that are sufficiently small and have no path information
10559      into a canonical native form. Eg. "blah" converted to
10560      "libblah.so" or "blah.dll" etc.
10561      [Geoff Thorpe]
10563   *) New function ERR_error_string_n(e, buf, len) which is like
10564      ERR_error_string(e, buf), but writes at most 'len' bytes
10565      including the 0 terminator.  For ERR_error_string_n, 'buf'
10566      may not be NULL.
10567      [Damien Miller <djm@mindrot.org>, Bodo Moeller]
10569   *) CONF library reworked to become more general.  A new CONF
10570      configuration file reader "class" is implemented as well as a
10571      new functions (NCONF_*, for "New CONF") to handle it.  The now
10572      old CONF_* functions are still there, but are reimplemented to
10573      work in terms of the new functions.  Also, a set of functions
10574      to handle the internal storage of the configuration data is
10575      provided to make it easier to write new configuration file
10576      reader "classes" (I can definitely see something reading a
10577      configuration file in XML format, for example), called _CONF_*,
10578      or "the configuration storage API"...
10580      The new configuration file reading functions are:
10582         NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
10583         NCONF_get_section, NCONF_get_string, NCONF_get_numbre
10585         NCONF_default, NCONF_WIN32
10587         NCONF_dump_fp, NCONF_dump_bio
10589      NCONF_default and NCONF_WIN32 are method (or "class") choosers,
10590      NCONF_new creates a new CONF object.  This works in the same way
10591      as other interfaces in OpenSSL, like the BIO interface.
10592      NCONF_dump_* dump the internal storage of the configuration file,
10593      which is useful for debugging.  All other functions take the same
10594      arguments as the old CONF_* functions with the exception of the
10595      first that must be a `CONF *' instead of a `LHASH *'.
10597      To make it easier to use the new classes with the old CONF_* functions,
10598      the function CONF_set_default_method is provided.
10599      [Richard Levitte]
10601   *) Add '-tls1' option to 'openssl ciphers', which was already
10602      mentioned in the documentation but had not been implemented.
10603      (This option is not yet really useful because even the additional
10604      experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
10605      [Bodo Moeller]
10607   *) Initial DSO code added into libcrypto for letting OpenSSL (and
10608      OpenSSL-based applications) load shared libraries and bind to
10609      them in a portable way.
10610      [Geoff Thorpe, with contributions from Richard Levitte]
10612  Changes between 0.9.5 and 0.9.5a  [1 Apr 2000]
10614   *) Make sure _lrotl and _lrotr are only used with MSVC.
10616   *) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
10617      (the default implementation of RAND_status).
10619   *) Rename openssl x509 option '-crlext', which was added in 0.9.5,
10620      to '-clrext' (= clear extensions), as intended and documented.
10621      [Bodo Moeller; inconsistency pointed out by Michael Attili
10622      <attili@amaxo.com>]
10624   *) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
10625      was larger than the MD block size.
10626      [Steve Henson, pointed out by Yost William <YostW@tce.com>]
10628   *) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
10629      fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
10630      using the passed key: if the passed key was a private key the result
10631      of X509_print(), for example, would be to print out all the private key
10632      components.
10633      [Steve Henson]
10635   *) des_quad_cksum() byte order bug fix.
10636      [Ulf Möller, using the problem description in krb4-0.9.7, where
10637       the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
10639   *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
10640      discouraged.
10641      [Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]
10643   *) For easily testing in shell scripts whether some command
10644      'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
10645      returns with exit code 0 iff no command of the given name is available.
10646      'no-XXX' is printed in this case, 'XXX' otherwise.  In both cases,
10647      the output goes to stdout and nothing is printed to stderr.
10648      Additional arguments are always ignored.
10650      Since for each cipher there is a command of the same name,
10651      the 'no-cipher' compilation switches can be tested this way.
10653      ('openssl no-XXX' is not able to detect pseudo-commands such
10654      as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
10655      [Bodo Moeller]
10657   *) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
10658      [Bodo Moeller]
10660   *) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
10661      is set; it will be thrown away anyway because each handshake creates
10662      its own key.
10663      ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
10664      to parameters -- in previous versions (since OpenSSL 0.9.3) the
10665      'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
10666      you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
10667      [Bodo Moeller]
10669   *) New s_client option -ign_eof: EOF at stdin is ignored, and
10670      'Q' and 'R' lose their special meanings (quit/renegotiate).
10671      This is part of what -quiet does; unlike -quiet, -ign_eof
10672      does not suppress any output.
10673      [Richard Levitte]
10675   *) Add compatibility options to the purpose and trust code. The
10676      purpose X509_PURPOSE_ANY is "any purpose" which automatically
10677      accepts a certificate or CA, this was the previous behaviour,
10678      with all the associated security issues.
10680      X509_TRUST_COMPAT is the old trust behaviour: only and
10681      automatically trust self signed roots in certificate store. A
10682      new trust setting X509_TRUST_DEFAULT is used to specify that
10683      a purpose has no associated trust setting and it should instead
10684      use the value in the default purpose.
10685      [Steve Henson]
10687   *) Fix the PKCS#8 DSA private key code so it decodes keys again
10688      and fix a memory leak.
10689      [Steve Henson]
10691   *) In util/mkerr.pl (which implements 'make errors'), preserve
10692      reason strings from the previous version of the .c file, as
10693      the default to have only downcase letters (and digits) in
10694      automatically generated reasons codes is not always appropriate.
10695      [Bodo Moeller]
10697   *) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
10698      using strerror.  Previously, ERR_reason_error_string() returned
10699      library names as reason strings for SYSerr; but SYSerr is a special
10700      case where small numbers are errno values, not library numbers.
10701      [Bodo Moeller]
10703   *) Add '-dsaparam' option to 'openssl dhparam' application.  This
10704      converts DSA parameters into DH parameters. (When creating parameters,
10705      DSA_generate_parameters is used.)
10706      [Bodo Moeller]
10708   *) Include 'length' (recommended exponent length) in C code generated
10709      by 'openssl dhparam -C'.
10710      [Bodo Moeller]
10712   *) The second argument to set_label in perlasm was already being used
10713      so couldn't be used as a "file scope" flag. Moved to third argument
10714      which was free.
10715      [Steve Henson]
10717   *) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
10718      instead of RAND_bytes for encryption IVs and salts.
10719      [Bodo Moeller]
10721   *) Include RAND_status() into RAND_METHOD instead of implementing
10722      it only for md_rand.c  Otherwise replacing the PRNG by calling
10723      RAND_set_rand_method would be impossible.
10724      [Bodo Moeller]
10726   *) Don't let DSA_generate_key() enter an infinite loop if the random
10727      number generation fails.
10728      [Bodo Moeller]
10730   *) New 'rand' application for creating pseudo-random output.
10731      [Bodo Moeller]
10733   *) Added configuration support for Linux/IA64
10734      [Rolf Haberrecker <rolf@suse.de>]
10736   *) Assembler module support for Mingw32.
10737      [Ulf Möller]
10739   *) Shared library support for HPUX (in shlib/).
10740      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
10742   *) Shared library support for Solaris gcc.
10743      [Lutz Behnke <behnke@trustcenter.de>]
10745  Changes between 0.9.4 and 0.9.5  [28 Feb 2000]
10747   *) PKCS7_encrypt() was adding text MIME headers twice because they
10748      were added manually and by SMIME_crlf_copy().
10749      [Steve Henson]
10751   *) In bntest.c don't call BN_rand with zero bits argument.
10752      [Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]
10754   *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
10755      case was implemented. This caused BN_div_recp() to fail occasionally.
10756      [Ulf Möller]
10758   *) Add an optional second argument to the set_label() in the perl
10759      assembly language builder. If this argument exists and is set
10760      to 1 it signals that the assembler should use a symbol whose
10761      scope is the entire file, not just the current function. This
10762      is needed with MASM which uses the format label:: for this scope.
10763      [Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
10765   *) Change the ASN1 types so they are typedefs by default. Before
10766      almost all types were #define'd to ASN1_STRING which was causing
10767      STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
10768      for example.
10769      [Steve Henson]
10771   *) Change names of new functions to the new get1/get0 naming
10772      convention: After 'get1', the caller owns a reference count
10773      and has to call ..._free; 'get0' returns a pointer to some
10774      data structure without incrementing reference counters.
10775      (Some of the existing 'get' functions increment a reference
10776      counter, some don't.)
10777      Similarly, 'set1' and 'add1' functions increase reference
10778      counters or duplicate objects.
10779      [Steve Henson]
10781   *) Allow for the possibility of temp RSA key generation failure:
10782      the code used to assume it always worked and crashed on failure.
10783      [Steve Henson]
10785   *) Fix potential buffer overrun problem in BIO_printf().
10786      [Ulf Möller, using public domain code by Patrick Powell; problem
10787       pointed out by David Sacerdote <das33@cornell.edu>]
10789   *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
10790      RAND_egd() and RAND_status().  In the command line application,
10791      the EGD socket can be specified like a seed file using RANDFILE
10792      or -rand.
10793      [Ulf Möller]
10795   *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
10796      Some CAs (e.g. Verisign) distribute certificates in this form.
10797      [Steve Henson]
10799   *) Remove the SSL_ALLOW_ADH compile option and set the default cipher
10800      list to exclude them. This means that no special compilation option
10801      is needed to use anonymous DH: it just needs to be included in the
10802      cipher list.
10803      [Steve Henson]
10805   *) Change the EVP_MD_CTX_type macro so its meaning consistent with
10806      EVP_MD_type. The old functionality is available in a new macro called
10807      EVP_MD_md(). Change code that uses it and update docs.
10808      [Steve Henson]
10810   *) ..._ctrl functions now have corresponding ..._callback_ctrl functions
10811      where the 'void *' argument is replaced by a function pointer argument.
10812      Previously 'void *' was abused to point to functions, which works on
10813      many platforms, but is not correct.  As these functions are usually
10814      called by macros defined in OpenSSL header files, most source code
10815      should work without changes.
10816      [Richard Levitte]
10818   *) <openssl/opensslconf.h> (which is created by Configure) now contains
10819      sections with information on -D... compiler switches used for
10820      compiling the library so that applications can see them.  To enable
10821      one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
10822      must be defined.  E.g.,
10823         #define OPENSSL_ALGORITHM_DEFINES
10824         #include <openssl/opensslconf.h>
10825      defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
10826      [Richard Levitte, Ulf and Bodo Möller]
10828   *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
10829      record layer.
10830      [Bodo Moeller]
10832   *) Change the 'other' type in certificate aux info to a STACK_OF
10833      X509_ALGOR. Although not an AlgorithmIdentifier as such it has
10834      the required ASN1 format: arbitrary types determined by an OID.
10835      [Steve Henson]
10837   *) Add some PEM_write_X509_REQ_NEW() functions and a command line
10838      argument to 'req'. This is not because the function is newer or
10839      better than others it just uses the work 'NEW' in the certificate
10840      request header lines. Some software needs this.
10841      [Steve Henson]
10843   *) Reorganise password command line arguments: now passwords can be
10844      obtained from various sources. Delete the PEM_cb function and make
10845      it the default behaviour: i.e. if the callback is NULL and the
10846      usrdata argument is not NULL interpret it as a null terminated pass
10847      phrase. If usrdata and the callback are NULL then the pass phrase
10848      is prompted for as usual.
10849      [Steve Henson]
10851   *) Add support for the Compaq Atalla crypto accelerator. If it is installed,
10852      the support is automatically enabled. The resulting binaries will
10853      autodetect the card and use it if present.
10854      [Ben Laurie and Compaq Inc.]
10856   *) Work around for Netscape hang bug. This sends certificate request
10857      and server done in one record. Since this is perfectly legal in the
10858      SSL/TLS protocol it isn't a "bug" option and is on by default. See
10859      the bugs/SSLv3 entry for more info.
10860      [Steve Henson]
10862   *) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
10863      [Andy Polyakov]
10865   *) Add -rand argument to smime and pkcs12 applications and read/write
10866      of seed file.
10867      [Steve Henson]
10869   *) New 'passwd' tool for crypt(3) and apr1 password hashes.
10870      [Bodo Moeller]
10872   *) Add command line password options to the remaining applications.
10873      [Steve Henson]
10875   *) Bug fix for BN_div_recp() for numerators with an even number of
10876      bits.
10877      [Ulf Möller]
10879   *) More tests in bntest.c, and changed test_bn output.
10880      [Ulf Möller]
10882   *) ./config recognizes MacOS X now.
10883      [Andy Polyakov]
10885   *) Bug fix for BN_div() when the first words of num and divisor are
10886      equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
10887      [Ulf Möller]
10889   *) Add support for various broken PKCS#8 formats, and command line
10890      options to produce them.
10891      [Steve Henson]
10893   *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
10894      get temporary BIGNUMs from a BN_CTX.
10895      [Ulf Möller]
10897   *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
10898      for p == 0.
10899      [Ulf Möller]
10901   *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
10902      include a #define from the old name to the new. The original intent
10903      was that statically linked binaries could for example just call
10904      SSLeay_add_all_ciphers() to just add ciphers to the table and not
10905      link with digests. This never worked because SSLeay_add_all_digests()
10906      and SSLeay_add_all_ciphers() were in the same source file so calling
10907      one would link with the other. They are now in separate source files.
10908      [Steve Henson]
10910   *) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
10911      [Steve Henson]
10913   *) Use a less unusual form of the Miller-Rabin primality test (it used
10914      a binary algorithm for exponentiation integrated into the Miller-Rabin
10915      loop, our standard modexp algorithms are faster).
10916      [Bodo Moeller]
10918   *) Support for the EBCDIC character set completed.
10919      [Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]
10921   *) Source code cleanups: use const where appropriate, eliminate casts,
10922      use void * instead of char * in lhash.
10923      [Ulf Möller]
10925   *) Bugfix: ssl3_send_server_key_exchange was not restartable
10926      (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
10927      this the server could overwrite ephemeral keys that the client
10928      has already seen).
10929      [Bodo Moeller]
10931   *) Turn DSA_is_prime into a macro that calls BN_is_prime,
10932      using 50 iterations of the Rabin-Miller test.
10934      DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
10935      iterations of the Rabin-Miller test as required by the appendix
10936      to FIPS PUB 186[-1]) instead of DSA_is_prime.
10937      As BN_is_prime_fasttest includes trial division, DSA parameter
10938      generation becomes much faster.
10940      This implies a change for the callback functions in DSA_is_prime
10941      and DSA_generate_parameters: The callback function is called once
10942      for each positive witness in the Rabin-Miller test, not just
10943      occasionally in the inner loop; and the parameters to the
10944      callback function now provide an iteration count for the outer
10945      loop rather than for the current invocation of the inner loop.
10946      DSA_generate_parameters additionally can call the callback
10947      function with an 'iteration count' of -1, meaning that a
10948      candidate has passed the trial division test (when q is generated
10949      from an application-provided seed, trial division is skipped).
10950      [Bodo Moeller]
10952   *) New function BN_is_prime_fasttest that optionally does trial
10953      division before starting the Rabin-Miller test and has
10954      an additional BN_CTX * argument (whereas BN_is_prime always
10955      has to allocate at least one BN_CTX).
10956      'callback(1, -1, cb_arg)' is called when a number has passed the
10957      trial division stage.
10958      [Bodo Moeller]
10960   *) Fix for bug in CRL encoding. The validity dates weren't being handled
10961      as ASN1_TIME.
10962      [Steve Henson]
10964   *) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
10965      [Steve Henson]
10967   *) New function BN_pseudo_rand().
10968      [Ulf Möller]
10970   *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
10971      bignum version of BN_from_montgomery() with the working code from
10972      SSLeay 0.9.0 (the word based version is faster anyway), and clean up
10973      the comments.
10974      [Ulf Möller]
10976   *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
10977      made it impossible to use the same SSL_SESSION data structure in
10978      SSL2 clients in multiple threads.
10979      [Bodo Moeller]
10981   *) The return value of RAND_load_file() no longer counts bytes obtained
10982      by stat().  RAND_load_file(..., -1) is new and uses the complete file
10983      to seed the PRNG (previously an explicit byte count was required).
10984      [Ulf Möller, Bodo Möller]
10986   *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
10987      used (char *) instead of (void *) and had casts all over the place.
10988      [Steve Henson]
10990   *) Make BN_generate_prime() return NULL on error if ret!=NULL.
10991      [Ulf Möller]
10993   *) Retain source code compatibility for BN_prime_checks macro:
10994      BN_is_prime(..., BN_prime_checks, ...) now uses
10995      BN_prime_checks_for_size to determine the appropriate number of
10996      Rabin-Miller iterations.
10997      [Ulf Möller]
10999   *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
11001      (Check if this is true? OpenPGP calls them "strong".)
11002      [Ulf Möller]
11004   *) Merge the functionality of "dh" and "gendh" programs into a new program
11005      "dhparam". The old programs are retained for now but will handle DH keys
11006      (instead of parameters) in future.
11007      [Steve Henson]
11009   *) Make the ciphers, s_server and s_client programs check the return values
11010      when a new cipher list is set.
11011      [Steve Henson]
11013   *) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
11014      ciphers. Before when the 56bit ciphers were enabled the sorting was
11015      wrong.
11017      The syntax for the cipher sorting has been extended to support sorting by
11018      cipher-strength (using the strength_bits hard coded in the tables).
11019      The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
11021      Fix a bug in the cipher-command parser: when supplying a cipher command
11022      string with an "undefined" symbol (neither command nor alphanumeric
11023      [A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
11024      an error is flagged.
11026      Due to the strength-sorting extension, the code of the
11027      ssl_create_cipher_list() function was completely rearranged. I hope that
11028      the readability was also increased :-)
11029      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
11031   *) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
11032      for the first serial number and places 2 in the serial number file. This
11033      avoids problems when the root CA is created with serial number zero and
11034      the first user certificate has the same issuer name and serial number
11035      as the root CA.
11036      [Steve Henson]
11038   *) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
11039      the new code. Add documentation for this stuff.
11040      [Steve Henson]
11042   *) Changes to X509_ATTRIBUTE utilities. These have been renamed from
11043      X509_*() to X509at_*() on the grounds that they don't handle X509
11044      structures and behave in an analogous way to the X509v3 functions:
11045      they shouldn't be called directly but wrapper functions should be used
11046      instead.
11048      So we also now have some wrapper functions that call the X509at functions
11049      when passed certificate requests. (TO DO: similar things can be done with
11050      PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
11051      things. Some of these need some d2i or i2d and print functionality
11052      because they handle more complex structures.)
11053      [Steve Henson]
11055   *) Add missing #ifndefs that caused missing symbols when building libssl
11056      as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
11057      NO_RSA in ssl/s2*.c.
11058      [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
11060   *) Precautions against using the PRNG uninitialized: RAND_bytes() now
11061      has a return value which indicates the quality of the random data
11062      (1 = ok, 0 = not seeded).  Also an error is recorded on the thread's
11063      error queue. New function RAND_pseudo_bytes() generates output that is
11064      guaranteed to be unique but not unpredictable. RAND_add is like
11065      RAND_seed, but takes an extra argument for an entropy estimate
11066      (RAND_seed always assumes full entropy).
11067      [Ulf Möller]
11069   *) Do more iterations of Rabin-Miller probable prime test (specifically,
11070      3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
11071      instead of only 2 for all lengths; see BN_prime_checks_for_size definition
11072      in crypto/bn/bn_prime.c for the complete table).  This guarantees a
11073      false-positive rate of at most 2^-80 for random input.
11074      [Bodo Moeller]
11076   *) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
11077      [Bodo Moeller]
11079   *) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
11080      in the 0.9.5 release), this returns the chain
11081      from an X509_CTX structure with a dup of the stack and all
11082      the X509 reference counts upped: so the stack will exist
11083      after X509_CTX_cleanup() has been called. Modify pkcs12.c
11084      to use this.
11086      Also make SSL_SESSION_print() print out the verify return
11087      code.
11088      [Steve Henson]
11090   *) Add manpage for the pkcs12 command. Also change the default
11091      behaviour so MAC iteration counts are used unless the new
11092      -nomaciter option is used. This improves file security and
11093      only older versions of MSIE (4.0 for example) need it.
11094      [Steve Henson]
11096   *) Honor the no-xxx Configure options when creating .DEF files.
11097      [Ulf Möller]
11099   *) Add PKCS#10 attributes to field table: challengePassword,
11100      unstructuredName and unstructuredAddress. These are taken from
11101      draft PKCS#9 v2.0 but are compatible with v1.2 provided no
11102      international characters are used.
11104      More changes to X509_ATTRIBUTE code: allow the setting of types
11105      based on strings. Remove the 'loc' parameter when adding
11106      attributes because these will be a SET OF encoding which is sorted
11107      in ASN1 order.
11108      [Steve Henson]
11110   *) Initial changes to the 'req' utility to allow request generation
11111      automation. This will allow an application to just generate a template
11112      file containing all the field values and have req construct the
11113      request.
11115      Initial support for X509_ATTRIBUTE handling. Stacks of these are
11116      used all over the place including certificate requests and PKCS#7
11117      structures. They are currently handled manually where necessary with
11118      some primitive wrappers for PKCS#7. The new functions behave in a
11119      manner analogous to the X509 extension functions: they allow
11120      attributes to be looked up by NID and added.
11122      Later something similar to the X509V3 code would be desirable to
11123      automatically handle the encoding, decoding and printing of the
11124      more complex types. The string types like challengePassword can
11125      be handled by the string table functions.
11127      Also modified the multi byte string table handling. Now there is
11128      a 'global mask' which masks out certain types. The table itself
11129      can use the flag STABLE_NO_MASK to ignore the mask setting: this
11130      is useful when for example there is only one permissible type
11131      (as in countryName) and using the mask might result in no valid
11132      types at all.
11133      [Steve Henson]
11135   *) Clean up 'Finished' handling, and add functions SSL_get_finished and
11136      SSL_get_peer_finished to allow applications to obtain the latest
11137      Finished messages sent to the peer or expected from the peer,
11138      respectively.  (SSL_get_peer_finished is usually the Finished message
11139      actually received from the peer, otherwise the protocol will be aborted.)
11141      As the Finished message are message digests of the complete handshake
11142      (with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
11143      be used for external authentication procedures when the authentication
11144      provided by SSL/TLS is not desired or is not enough.
11145      [Bodo Moeller]
11147   *) Enhanced support for Alpha Linux is added. Now ./config checks if
11148      the host supports BWX extension and if Compaq C is present on the
11149      $PATH. Just exploiting of the BWX extension results in 20-30%
11150      performance kick for some algorithms, e.g. DES and RC4 to mention
11151      a couple. Compaq C in turn generates ~20% faster code for MD5 and
11152      SHA1.
11153      [Andy Polyakov]
11155   *) Add support for MS "fast SGC". This is arguably a violation of the
11156      SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
11157      weak crypto and after checking the certificate is SGC a second one
11158      with strong crypto. MS SGC stops the first handshake after receiving
11159      the server certificate message and sends a second client hello. Since
11160      a server will typically do all the time consuming operations before
11161      expecting any further messages from the client (server key exchange
11162      is the most expensive) there is little difference between the two.
11164      To get OpenSSL to support MS SGC we have to permit a second client
11165      hello message after we have sent server done. In addition we have to
11166      reset the MAC if we do get this second client hello.
11167      [Steve Henson]
11169   *) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
11170      if a DER encoded private key is RSA or DSA traditional format. Changed
11171      d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
11172      format DER encoded private key. Newer code should use PKCS#8 format which
11173      has the key type encoded in the ASN1 structure. Added DER private key
11174      support to pkcs8 application.
11175      [Steve Henson]
11177   *) SSL 3/TLS 1 servers now don't request certificates when an anonymous
11178      ciphersuites has been selected (as required by the SSL 3/TLS 1
11179      specifications).  Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
11180      is set, we interpret this as a request to violate the specification
11181      (the worst that can happen is a handshake failure, and 'correct'
11182      behaviour would result in a handshake failure anyway).
11183      [Bodo Moeller]
11185   *) In SSL_CTX_add_session, take into account that there might be multiple
11186      SSL_SESSION structures with the same session ID (e.g. when two threads
11187      concurrently obtain them from an external cache).
11188      The internal cache can handle only one SSL_SESSION with a given ID,
11189      so if there's a conflict, we now throw out the old one to achieve
11190      consistency.
11191      [Bodo Moeller]
11193   *) Add OIDs for idea and blowfish in CBC mode. This will allow both
11194      to be used in PKCS#5 v2.0 and S/MIME.  Also add checking to
11195      some routines that use cipher OIDs: some ciphers do not have OIDs
11196      defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
11197      example.
11198      [Steve Henson]
11200   *) Simplify the trust setting structure and code. Now we just have
11201      two sequences of OIDs for trusted and rejected settings. These will
11202      typically have values the same as the extended key usage extension
11203      and any application specific purposes.
11205      The trust checking code now has a default behaviour: it will just
11206      check for an object with the same NID as the passed id. Functions can
11207      be provided to override either the default behaviour or the behaviour
11208      for a given id. SSL client, server and email already have functions
11209      in place for compatibility: they check the NID and also return "trusted"
11210      if the certificate is self signed.
11211      [Steve Henson]
11213   *) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
11214      traditional format into an EVP_PKEY structure.
11215      [Steve Henson]
11217   *) Add a password callback function PEM_cb() which either prompts for
11218      a password if usr_data is NULL or otherwise assumes it is a null
11219      terminated password. Allow passwords to be passed on command line
11220      environment or config files in a few more utilities.
11221      [Steve Henson]
11223   *) Add a bunch of DER and PEM functions to handle PKCS#8 format private
11224      keys. Add some short names for PKCS#8 PBE algorithms and allow them
11225      to be specified on the command line for the pkcs8 and pkcs12 utilities.
11226      Update documentation.
11227      [Steve Henson]
11229   *) Support for ASN1 "NULL" type. This could be handled before by using
11230      ASN1_TYPE but there wasn't any function that would try to read a NULL
11231      and produce an error if it couldn't. For compatibility we also have
11232      ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
11233      don't allocate anything because they don't need to.
11234      [Steve Henson]
11236   *) Initial support for MacOS is now provided. Examine INSTALL.MacOS
11237      for details.
11238      [Andy Polyakov, Roy Woods <roy@centicsystems.ca>]
11240   *) Rebuild of the memory allocation routines used by OpenSSL code and
11241      possibly others as well.  The purpose is to make an interface that
11242      provide hooks so anyone can build a separate set of allocation and
11243      deallocation routines to be used by OpenSSL, for example memory
11244      pool implementations, or something else, which was previously hard
11245      since Malloc(), Realloc() and Free() were defined as macros having
11246      the values malloc, realloc and free, respectively (except for Win32
11247      compilations).  The same is provided for memory debugging code.
11248      OpenSSL already comes with functionality to find memory leaks, but
11249      this gives people a chance to debug other memory problems.
11251      With these changes, a new set of functions and macros have appeared:
11253        CRYPTO_set_mem_debug_functions()         [F]
11254        CRYPTO_get_mem_debug_functions()         [F]
11255        CRYPTO_dbg_set_options()                 [F]
11256        CRYPTO_dbg_get_options()                 [F]
11257        CRYPTO_malloc_debug_init()               [M]
11259      The memory debug functions are NULL by default, unless the library
11260      is compiled with CRYPTO_MDEBUG or friends is defined.  If someone
11261      wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
11262      gives the standard debugging functions that come with OpenSSL) or
11263      CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
11264      provided by the library user) must be used.  When the standard
11265      debugging functions are used, CRYPTO_dbg_set_options can be used to
11266      request additional information:
11267      CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
11268      the CRYPTO_MDEBUG_xxx macro when compiling the library.
11270      Also, things like CRYPTO_set_mem_functions will always give the
11271      expected result (the new set of functions is used for allocation
11272      and deallocation) at all times, regardless of platform and compiler
11273      options.
11275      To finish it up, some functions that were never use in any other
11276      way than through macros have a new API and new semantic:
11278        CRYPTO_dbg_malloc()
11279        CRYPTO_dbg_realloc()
11280        CRYPTO_dbg_free()
11282      All macros of value have retained their old syntax.
11283      [Richard Levitte and Bodo Moeller]
11285   *) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
11286      ordering of SMIMECapabilities wasn't in "strength order" and there
11287      was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
11288      algorithm.
11289      [Steve Henson]
11291   *) Some ASN1 types with illegal zero length encoding (INTEGER,
11292      ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
11293      [Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]
11295   *) Merge in my S/MIME library for OpenSSL. This provides a simple
11296      S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
11297      functionality to handle multipart/signed properly) and a utility
11298      called 'smime' to call all this stuff. This is based on code I
11299      originally wrote for Celo who have kindly allowed it to be
11300      included in OpenSSL.
11301      [Steve Henson]
11303   *) Add variants des_set_key_checked and des_set_key_unchecked of
11304      des_set_key (aka des_key_sched).  Global variable des_check_key
11305      decides which of these is called by des_set_key; this way
11306      des_check_key behaves as it always did, but applications and
11307      the library itself, which was buggy for des_check_key == 1,
11308      have a cleaner way to pick the version they need.
11309      [Bodo Moeller]
11311   *) New function PKCS12_newpass() which changes the password of a
11312      PKCS12 structure.
11313      [Steve Henson]
11315   *) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
11316      dynamic mix. In both cases the ids can be used as an index into the
11317      table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
11318      functions so they accept a list of the field values and the
11319      application doesn't need to directly manipulate the X509_TRUST
11320      structure.
11321      [Steve Henson]
11323   *) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
11324      need initialising.
11325      [Steve Henson]
11327   *) Modify the way the V3 extension code looks up extensions. This now
11328      works in a similar way to the object code: we have some "standard"
11329      extensions in a static table which is searched with OBJ_bsearch()
11330      and the application can add dynamic ones if needed. The file
11331      crypto/x509v3/ext_dat.h now has the info: this file needs to be
11332      updated whenever a new extension is added to the core code and kept
11333      in ext_nid order. There is a simple program 'tabtest.c' which checks
11334      this. New extensions are not added too often so this file can readily
11335      be maintained manually.
11337      There are two big advantages in doing things this way. The extensions
11338      can be looked up immediately and no longer need to be "added" using
11339      X509V3_add_standard_extensions(): this function now does nothing.
11340      [Side note: I get *lots* of email saying the extension code doesn't
11341       work because people forget to call this function]
11342      Also no dynamic allocation is done unless new extensions are added:
11343      so if we don't add custom extensions there is no need to call
11344      X509V3_EXT_cleanup().
11345      [Steve Henson]
11347   *) Modify enc utility's salting as follows: make salting the default. Add a
11348      magic header, so unsalted files fail gracefully instead of just decrypting
11349      to garbage. This is because not salting is a big security hole, so people
11350      should be discouraged from doing it.
11351      [Ben Laurie]
11353   *) Fixes and enhancements to the 'x509' utility. It allowed a message
11354      digest to be passed on the command line but it only used this
11355      parameter when signing a certificate. Modified so all relevant
11356      operations are affected by the digest parameter including the
11357      -fingerprint and -x509toreq options. Also -x509toreq choked if a
11358      DSA key was used because it didn't fix the digest.
11359      [Steve Henson]
11361   *) Initial certificate chain verify code. Currently tests the untrusted
11362      certificates for consistency with the verify purpose (which is set
11363      when the X509_STORE_CTX structure is set up) and checks the pathlength.
11365      There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
11366      this is because it will reject chains with invalid extensions whereas
11367      every previous version of OpenSSL and SSLeay made no checks at all.
11369      Trust code: checks the root CA for the relevant trust settings. Trust
11370      settings have an initial value consistent with the verify purpose: e.g.
11371      if the verify purpose is for SSL client use it expects the CA to be
11372      trusted for SSL client use. However the default value can be changed to
11373      permit custom trust settings: one example of this would be to only trust
11374      certificates from a specific "secure" set of CAs.
11376      Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
11377      which should be used for version portability: especially since the
11378      verify structure is likely to change more often now.
11380      SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
11381      to set them. If not set then assume SSL clients will verify SSL servers
11382      and vice versa.
11384      Two new options to the verify program: -untrusted allows a set of
11385      untrusted certificates to be passed in and -purpose which sets the
11386      intended purpose of the certificate. If a purpose is set then the
11387      new chain verify code is used to check extension consistency.
11388      [Steve Henson]
11390   *) Support for the authority information access extension.
11391      [Steve Henson]
11393   *) Modify RSA and DSA PEM read routines to transparently handle
11394      PKCS#8 format private keys. New *_PUBKEY_* functions that handle
11395      public keys in a format compatible with certificate
11396      SubjectPublicKeyInfo structures. Unfortunately there were already
11397      functions called *_PublicKey_* which used various odd formats so
11398      these are retained for compatibility: however the DSA variants were
11399      never in a public release so they have been deleted. Changed dsa/rsa
11400      utilities to handle the new format: note no releases ever handled public
11401      keys so we should be OK.
11403      The primary motivation for this change is to avoid the same fiasco
11404      that dogs private keys: there are several incompatible private key
11405      formats some of which are standard and some OpenSSL specific and
11406      require various evil hacks to allow partial transparent handling and
11407      even then it doesn't work with DER formats. Given the option anything
11408      other than PKCS#8 should be dumped: but the other formats have to
11409      stay in the name of compatibility.
11411      With public keys and the benefit of hindsight one standard format
11412      is used which works with EVP_PKEY, RSA or DSA structures: though
11413      it clearly returns an error if you try to read the wrong kind of key.
11415      Added a -pubkey option to the 'x509' utility to output the public key.
11416      Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
11417      (renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
11418      EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
11419      that do the same as the EVP_PKEY_assign_*() except they up the
11420      reference count of the added key (they don't "swallow" the
11421      supplied key).
11422      [Steve Henson]
11424   *) Fixes to crypto/x509/by_file.c the code to read in certificates and
11425      CRLs would fail if the file contained no certificates or no CRLs:
11426      added a new function to read in both types and return the number
11427      read: this means that if none are read it will be an error. The
11428      DER versions of the certificate and CRL reader would always fail
11429      because it isn't possible to mix certificates and CRLs in DER format
11430      without choking one or the other routine. Changed this to just read
11431      a certificate: this is the best we can do. Also modified the code
11432      in apps/verify.c to take notice of return codes: it was previously
11433      attempting to read in certificates from NULL pointers and ignoring
11434      any errors: this is one reason why the cert and CRL reader seemed
11435      to work. It doesn't check return codes from the default certificate
11436      routines: these may well fail if the certificates aren't installed.
11437      [Steve Henson]
11439   *) Code to support otherName option in GeneralName.
11440      [Steve Henson]
11442   *) First update to verify code. Change the verify utility
11443      so it warns if it is passed a self signed certificate:
11444      for consistency with the normal behaviour. X509_verify
11445      has been modified to it will now verify a self signed
11446      certificate if *exactly* the same certificate appears
11447      in the store: it was previously impossible to trust a
11448      single self signed certificate. This means that:
11449      openssl verify ss.pem
11450      now gives a warning about a self signed certificate but
11451      openssl verify -CAfile ss.pem ss.pem
11452      is OK.
11453      [Steve Henson]
11455   *) For servers, store verify_result in SSL_SESSION data structure
11456      (and add it to external session representation).
11457      This is needed when client certificate verifications fails,
11458      but an application-provided verification callback (set by
11459      SSL_CTX_set_cert_verify_callback) allows accepting the session
11460      anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
11461      but returns 1): When the session is reused, we have to set
11462      ssl->verify_result to the appropriate error code to avoid
11463      security holes.
11464      [Bodo Moeller, problem pointed out by Lutz Jaenicke]
11466   *) Fix a bug in the new PKCS#7 code: it didn't consider the
11467      case in PKCS7_dataInit() where the signed PKCS7 structure
11468      didn't contain any existing data because it was being created.
11469      [Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]
11471   *) Add a salt to the key derivation routines in enc.c. This
11472      forms the first 8 bytes of the encrypted file. Also add a
11473      -S option to allow a salt to be input on the command line.
11474      [Steve Henson]
11476   *) New function X509_cmp(). Oddly enough there wasn't a function
11477      to compare two certificates. We do this by working out the SHA1
11478      hash and comparing that. X509_cmp() will be needed by the trust
11479      code.
11480      [Steve Henson]
11482   *) SSL_get1_session() is like SSL_get_session(), but increments
11483      the reference count in the SSL_SESSION returned.
11484      [Geoff Thorpe <geoff@eu.c2.net>]
11486   *) Fix for 'req': it was adding a null to request attributes.
11487      Also change the X509_LOOKUP and X509_INFO code to handle
11488      certificate auxiliary information.
11489      [Steve Henson]
11491   *) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
11492      the 'enc' command.
11493      [Steve Henson]
11495   *) Add the possibility to add extra information to the memory leak
11496      detecting output, to form tracebacks, showing from where each
11497      allocation was originated: CRYPTO_push_info("constant string") adds
11498      the string plus current file name and line number to a per-thread
11499      stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
11500      is like calling CYRPTO_pop_info() until the stack is empty.
11501      Also updated memory leak detection code to be multi-thread-safe.
11502      [Richard Levitte]
11504   *) Add options -text and -noout to pkcs7 utility